Cybersecurity researchers at Sandia National Laboratories recently published a paper sounding the alarm on potential cyberattacks on electric vehicle charging stations and urging action before there is an explosion in the number of charging stations.

The US went from having about 2,000 public charging stations in 2011 to 50,000 in 2021, according to the Department of Energy. And the number of stations is expected to boom to 500,000 in several years, said Jay Johnson, a cyber security researcher at Sandia and the lead author of the paper, which was published in the scientific journal Energies.

There was US$7.5bil (RM33bil) allocated to build the network of charging stations in an infrastructure bill signed into law last November.

Sandia's cybersecurity work focuses on vulnerabilities in the nation's critical infrastructure. The DOE's Vehicle Technologies Office and the Office of Cybersecurity, Energy Security and Emergency Response funded the paper on charging stations.

The labs are also tasked with handling cybersecurity for the country's nuclear weapons program, said Brian Wright, a cyber security researcher at Sandia who was part of the project.

The potential vulnerabilities found in charging stations run the gamut, from skimming someone's credit card information, locking a charging station or a network of charging stations or hacking into the larger electrical grid, Johnson said.

He said some type of ransomware attack could cripple charging stations.

Ransomware is a malware that encrypts files and then a ransom is demanded in exchange for decryption, according to the Cybersecurity and Infrastructure Security Agency.

Such attacks have caused disruptions at several public institutions in Albuquerque. Earlier this year, Albuquerque Public Schools canceled classes for two days after it was attacked with ransomware, and a similar attack temporarily closed Bernalillo County government offices and affected operations at the Metropolitan Detention Center, which lost access to its cameras.

There have been several documented attacks on charging stations, Johnson said.

Charging stations in Russia, made using parts from Ukraine, were hacked in the early days of Russia's invasion of Ukraine to display anti-Russian rhetoric. Stations in the United Kingdom have been hacked so they wouldn't charge cars and instead displayed pornography, he said.

But as the number of the machines explode, there could be more severe consequences.

"The potential impact of attacks on these systems stretches from localised, relatively minor effects to long-term national disruptions," Sandia's cybersecurity experts wrote in the paper.

Wright said if such attacks become common it could hurt people's confidence in electric vehicles.

"It gives the industry a black eye," he said. "And once you have that black eye, maybe people don't want to trust them any longer."

The Sandia researchers worked with Argonne National Laboratory and Idaho National Laboratory on the project.

The researchers contacted several companies that operate charging stations and visited their facilities. They plugged into different "inputs" and performed "pen tests," said Wright.

A pen test stands for a penetration test and is a way for specialists to see how vulnerable various systems are to a cyberattack.

"Let's just say there are several (cybersecurity) best practices that are not being followed," Johnson said of charging stations.

Johnson and Wright said the national labs' work is needed before more and more essential services, like the US Postal Service or police agencies, convert to electric vehicles.

"The two groups that I'm really focused on getting their attention are the electric vehicle charger manufacturers themselves, to make sure they're aware that this is an important thing to take care of now, before we roll out hundreds of thousands of these things," Johnson said. "And the other is policymakers." – Albuquerque Journal, N.M./Tribune News Service