EV fast charging stations, solar, and wind generating units could pose a threat as our grid becomes increasingly vulnerable to cyber attacks
Grid providers should not decouple cybersecurity when considering investing in grid reliability and resilience. In fact, the three areas work together.
The impact of cyber attacks is not limited to potential loss of Personally Identifiable Information (PII) or intellectual property but also to operations service levels.
By way of example, consider the 2021 ransomware attack on the Colonial Pipeline, which stole 100 gigabytes of data over the course of a few hours. The incident disrupted Colonial’s IT systems for several days, illustrating the likely operational impact that cyber hacks can yield. Ignoring the attack vector and motive, the point is this cyber hack resulted in a significant impact to both grid IT operations and their customers, notably airline carriers that depended on fuel from the Colonial Pipeline. Equally impacted were hundreds of gas stations in the southeastern U.S. In numerous cases, the gas stations ran out of fuel albeit mostly due to irrational panic buying. Not surprisingly customers were not happy.
New concerns
One fast emerging sector where the intersection of cybersecurity and reliability and resilience is evident is around Distributed Energy Resources (DER), an example of Industrial IoT for the grid.
As the grid increasingly relies on DER, such as EV fast charging stations, solar, and wind generating units - our grid becomes increasingly vulnerable to being hacked, especially considering the full attack vector surface is unknown. Given the explosive growth involving a myriad of ecosystem providers ranging from hardware, Cloud providers and energy sources -many being start-ups - its critical reliability and resilience are also viewed through the lens of security.
As highlighted in the February 2022 National Cybersecurity Center of Excellence (NCCOE) NIST special publication 1800-32A, ”Any attack that can deny, disrupt, or tamper with DER communications could prevent a utility from performing necessary control actions and could diminish grid resiliency.” With the rapid shift from centrally controlled grid utilities to providers at the grid's edge, unique challenges surface that, if not addressed, could have a devasting impact on customer and provider data integrity, privacy, access, as well as reliability and resilience.
Given the interdependency, a compromise - especially denial of service - to any of these components/players could wreak havoc to the entire ecosystem’s availability and or performance.
Another item worthy of attention is NIST's Securing Distributed Energy Resource Guide, which DER participants are strongly encouraged to take advantage of.
Further, a July 2022 report (SAND2022-9315) by Sandia National Laboratories highlights the growing concern around the impact of EV charging station cyber vulnerabilities to user adoption in the event of a major disruption. The report also examines the knock-on effects to critical infrastructure sectors such as power systems and manufacturing due to poorly implemented electric vehicle supply equipment (EVSE), Electric Vehicles (EVs) or grid operator communication systems. At the time of publication, Sandia noted there were limited best practices adopted by the EV/EVSE industry.
NCCOE stepping in with CyberSecurity Framework
One particular area under close watch by NCCOE is EV Extreme Fast charging Infrastructure (https://www.nccoe.nist.gov/projects/cybersecurity-framework-profile-electric-vehicle-extreme-fast-charging-infrastructure). NCCOE recognizes the distributed nature, need for scale, unstable connectivity - as well as the new opportunities - that EV Extreme Fast charging presents. NCCOE has gathered a community of interest and experts to contribute towards a framework that charging station and electric vehicle manufacturers, charging cloud networks, and electric utilities can leverage for best practices in implementing security by design. (https://www.nccoe.nist.gov/projects/cybersecurity-framework-profile-electric-vehicle-extreme-fast-charging-infrastructure.)
Although the concepts are traditional ones – authentication, access control, confidentiality, data integrity, monitoring, etc. - the implementation for this emerging ecosystem brings new challenges as well as innovation opportunities as data at rest and in transit among the main connected sub-systems like charging stations (EVSE), Electric Vehicles (EVs), Cloud/3rd Party charging networks, and electric utilities require an interoperable, highly reliable and secure method to transact. The attack vectors are numerous, exposing grid operators and customers alike to all sorts of vulnerabilities.
As stated earlier, many of the end points that need securing are categorized as Industrial IoT and as such can rely on traditional safeguards that have been in place in IT networks for decades
The time couldn’t be more right for the explosive growing EV ecosystem to align on cyber security best practices, and I encourage all stakeholders to participate or at the very least heed the advice of the upcoming work product that will likely be chock full of practical best practices presented in a framework and set of scenarios that addresses the common and unique use cases, reliability and resilience needs.