How to boost communications security in EV charging systems

Harvey Wilson, Technology Specialist Connectivity EMEA

As with any attack surface, there are multiple security considerations. For an electric vehicle (EV), an adversary may exploit security vulnerabilities to take over command of vehicle control systems, everything from the steering to the brakes and sensors.

Since most of us typically connect our smartphones to the vehicle's infotainment system to make hands-free calls, play music and navigate, this connection is also interesting to a hacker. Our smartphones are more likely to contain personal information such as banking passwords, confidential records and government IDs.

One particular attack vector of increasing concern is through the vehicle's charging infrastructure.

EV charging standards

Since the advent of the modern electric vehicle, charging standards have evolved considerably. Initially introduced in 2014, ISO 15118 is an international standard that defines the vehicle-to-grid interface for AC and DC charging. Its parts stipulate use cases, network protocols (-2), and physical and data link layers (-8). In 2022, Part 20 added enhanced, second-generation network and application protocol requirements. From the outset, ISO 15118 included transport layer security (TLS) authentication between the charging station and the vehicle for the first time. The availability of TLS also created the opportunity to incorporate a seamless plug-and-charge capability.

The table shows the evolution of EV charging standards from IEC 61851-1 to ISO 15118-20. (Source: NXP)

As illustrated, ISO 15118 evolved as a standard to suit all types of EV charging infrastructure and now includes an improved security regime, wireless power transfer, and bi-directional (vehicle-to-grid) specifications. Plug and charge enables the vehicle to automatically identify and authenticate itself to a compatible charging station without the driver's intervention, providing a quick and stress-free user experience.

The security specification enhancements of ISO 15118-20 include more secure cipher suites using longer keys, a mutual authentication feature, the ability to cross-sign root certificates, and the recommendation to utilize a hardware security module (HSM) for key and trust storage.

ISO 15118 security requirements

ISO 15118 is a client-server protocol in which the supply equipment communication controller inside the charging station is the server and the electric vehicle communications controller is the client. In addition to servicing requests from the EV, the supply equipment controller can instigate messages to the vehicle controller by setting a flag in a response message. One example is the need to renegotiate the charging schedule.
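The difference between server-only and mutual authentication on the charging-station (server) side, shown with Python's standard `ssl` module. This is an added example, not code from the article or from any charger stack; the function names are hypothetical, and the TLS 1.3 floor is this example's assumption for the "more secure cipher suites" the article mentions.

```python
import ssl

def secc_context(require_vehicle_cert, min_version):
    """TLS settings for the charging-station side (hypothetical helper).

    Certificates and trust anchors are deliberately not loaded so the
    example runs offline; a real station would load both.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    # CERT_REQUIRED makes the server demand and verify a client (vehicle)
    # certificate; CERT_NONE authenticates the station only.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_vehicle_cert else ssl.CERT_NONE
    return ctx

def audit(ctx):
    """Return the settings that fall short of mutual authentication on TLS 1.3."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no mutual authentication: vehicle certificate is not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("TLS versions below 1.3 are accepted")
    return findings

# Weak setting beside the corrected one (both constructed for this example).
SERVER_ONLY = secc_context(False, ssl.TLSVersion.TLSv1_2)
MUTUAL = secc_context(True, ssl.TLSVersion.TLSv1_3)

if __name__ == "__main__":
    print("server-only:", audit(SERVER_ONLY))
    print("mutual:     ", audit(MUTUAL))
```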

For the EV charger engineering team, there are many challenges. Aside from a robust and reliable mechanical design, other engineering considerations include accurate power measurement and efficient power delivery through vehicle-to-cloud application connectivity, a scalable architecture, and machine learning algorithms for battery management. Security provision is paramount: it means adhering to national and local security legislation, conforming to internationally recognized security standards, and future-proofing for next-generation cryptographic methods.

ISO 15118 mandates that charger-to-vehicle communications be done in a way that preserves user privacy and prevents unauthorized charging. However, when we look at the charging station host itself, there is no requirement for firmware integrity or, for example, for a random number generator, secure boot or tamper resistance, so we need to look deeper.

The ISO 15118 standard only covers the connection's security, so we must consider implementing a multi-layered security regime that covers the whole system. For example, firmware integrity is not specifically covered in ISO 15118, yet firmware updates will be needed over the operating lifetime of charging equipment and the process by which these are implemented presents security risks.

To achieve this, the control circuit within each charger, which is usually microcontroller-based, must have a unique, immutable and unclonable identity that provides the basis for a root of trust. There must be mechanisms for generating cryptographic keys and managing certificate-based authentication, and it must be possible to update firmware securely, ideally over a secure network. Manual updates from USB sticks are not a secure option.
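One way a charger could decide whether to accept a firmware update, as an added example that is not from the article or any vendor SDK. All names, the manifest layout and the sample data are hypothetical; HMAC-SHA256 with a device key stands in for the asymmetric signature check that a root of trust or secure element would normally perform, and the version check is an added anti-rollback assumption.

```python
import hashlib
import hmac
import json

def authenticate(key, manifest_bytes):
    """Tag over the exact manifest bytes (HMAC stand-in for a signature)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).digest()

def verify_update(key, model, installed_version, manifest_bytes, tag, image):
    """Return (accepted, reason) for a candidate firmware image."""
    # 1. Authenticate the manifest before parsing it, in constant time.
    if not hmac.compare_digest(authenticate(key, manifest_bytes), tag):
        return False, "manifest authentication failed"
    manifest = json.loads(manifest_bytes)
    # 2. The image must be built for this charger model.
    if manifest["model"] != model:
        return False, "wrong hardware model"
    # 3. Anti-rollback: refuse anything not newer than what is installed.
    if manifest["version"] <= installed_version:
        return False, "rollback rejected"
    # 4. Bind the image to the authenticated manifest by size and digest.
    if len(image) != manifest["size"]:
        return False, "size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image digest mismatch"
    return True, "ok"

# Constructed sample data for the example.
KEY = b"constructed-demo-key-not-for-use"
MODEL = "demo-charger-a1"
IMAGE = b"\x7fFW" + bytes(range(64))

def make_manifest(version, image=IMAGE, model=MODEL):
    """Build-server side: describe the image in a canonical JSON manifest."""
    fields = {"model": model, "version": version, "size": len(image),
              "sha256": hashlib.sha256(image).hexdigest()}
    return json.dumps(fields, sort_keys=True).encode()

MANIFEST = make_manifest(7)
TAG = authenticate(KEY, MANIFEST)

if __name__ == "__main__":
    print(verify_update(KEY, MODEL, 6, MANIFEST, TAG, IMAGE))
    print(verify_update(KEY, MODEL, 7, MANIFEST, TAG, IMAGE))
```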

The client-server protocol between the charging station and the electric vehicle's charging controller adopts certificate-based authentication in the cloud.

Secure MCUs and secure elements are at the heart of EV charger communications security

Most major microcontroller (MCU) manufacturers now offer product families that include some security features. The extent of security provided varies widely. If preferred MCUs do not have sufficient security features for the application, complementary secure elements may be included in the design. Secure elements are tamper-resistant silicon devices that not only form the unique identities of devices but can also store data safely and carry out cryptographic operations such as encryption and authentication.

The device identities and cryptographic keys are random numbers. These are frequently injected into MCUs or secure elements using specialized secure computers called hardware security modules (HSMs). This process is a juncture at which security keys can be stolen. As a result, some MCUs now have internal mechanisms for generating random numbers on demand using physical unclonable functions, or PUFs. By generating random numbers in this way, the key injection process can be eliminated, together with the security risks posed by that process.

After selecting a secure MCU, it’s important to consider how it may be provisioned, onboarded to cloud applications, and managed securely throughout its operating life. Most MCU makers have software platforms for some or all of these functions, and Avnet provides provisioning services and onboarding via the /IOTCONNECT™ Partner Program.

Recent developments in secure MCUs

The Renesas RX MCU family comprises devices with proprietary security IP that includes internally generated keys, secure boot and tamper-resistance authentication.

NXP’s secure MCU families for Linux include the i.MX RT Crossover MCUs, which are Arm® Cortex®-M4-based and optimized for real-time Ethernet protocols in industrial IoT and automotive applications. For Linux-based systems, NXP’s i.MX 8 is optimized for safety-critical applications and i.MX 9 is optimized for acceleration of machine learning applications at the edge.

Microchip offers several families of secure MCUs and its CEC1712 platform root of trust is a device that claims to provide “easy-to-use, seamless authentication and encryption for connected applications.”

The latest MCU offering from STMicroelectronics is the STM32H5 family. This is the successor to the STM32F4 family. It is based on the Arm® Cortex®-M33 and is said to provide scalable security. The STM32Trust security framework is a useful guide to MCU security issues and how the company addresses them.

About Author

Harvey Wilson, Systems Engineer Professional (Smart Industry)

Harvey Wilson is a Systems Engineer Professional (Smart Industry) for Avnet Silica in the EMEA regio...
