EVs Discover that War is Good for ‘Absolutely Nuthin‘!’

Late in February, a number of Russian charging stations operated by a state-owned gen-tailer Rosseti were remotely disabled displaying anti-war messages following the Russian invasion of Ukraine.

However, this was no hacking incident said Dmitry Matvievsky, founder and CEO of it.Charge, the vendor of Rosseti’s software platform for these chargers. No third party was involved. Instead, Ukrainian component supplier AutoEnterprise disabled them through an over-the-air update and altered the screen’s default text. The stations were not damaged and no clients complained about harm caused to their vehicles other than inconvenience.

To outside observers, AutoEnterprise’s actions are understandable considering Russia’s incursion into its homeland and only a harbinger for many Western companies to withdraw services from the aggressor including yet more stations being silently disabled by some of the foreign hardware and software vendors. According to Yana Kipriyanova, founder and CEO of World of Electric Vehicles, these included Slovenian Etrel and Portuguese Eurosec and Efacec, among others. The total number of suspended chargers remains unknown, yet, believed to lie in the two-digit range.

These first salvos in the cyber war mirroring the real war are some of the cyber-risks that have, until now, been considered as negligible by charging operators. In any country across the world, it rarely concerns anybody other than special services. In one instance, readers might recall how, in 2019, the US federals barred China’s Huawei Technologies from US telecom networks from concerns of spying. This is somewhat understandable given that war and state-governed cyber risks were once considered extremely rare.

However, now it is clear that military conflict, natural disasters and cyber-security breaches can directly affect EV vendors and consumers even when located thousands miles away from the cause. For example, many charging manufacturers’ reliance on Chinese components is a cause for possible vulnerabilities, Matvievsky said.

For Russian changing providers, the vendor-related risks have suddenly topped the list of concerns, Kipriyanova said. Early in March, there was a flow of calls from clients requesting the dealer to provide full specifications of the stations including the origins of core components and software. In some instances, the operators were recommended to remove IoT sim-cards from the chargers and switch to software platforms developed by local vendors. On the darker side, vendors can no longer remotely monitor the equipment under service contracts, she said. “Those were worrisome days because of concerns about a possible reaction by station makers,” she said. Much to her relief, ABB, Kostad and Schneider Electric continued to perform their maintenance duties: “We’re grateful for not letting us down.”

Concerns about risks coming from those keeping control over a charger can only grow from knowing that its owner can do little to prevent them, she said: “So, it’s very important to have confidence in one’s key vendors,” she said. As of today, the stations disabled in February remain useless heaps of steel and copper. Their owners hope to eventually take them under control again, however, it can take efforts and time.

Awareness comes slowly

A day before the incident at Rosseti, another charging network in Russia was hacked in a ‘conventional’ meaning by a third-party by infecting it with ransomware. In this instance, the control was recaptured in a matter of hours owing to the client’s proper attention to cyber-security, said Maxim Politov, director of development at Corporation PSS.

However, this attitude can rarely be seen at charging providers in Russia and Europe. In most instances, a malicious party would seek to steal sensitive data of charging service users sent over unsecured channels. In other instances, unfair customers can bypass a wrongly configured payment platform to enjoy free charging. However, in the worst hypothetical scenarios, hackers can set the vehicle’s battery on fire by altering charging modes with a risk of human deaths.

“This situation takes roots in a lack of standardized technological approaches,” said Matvievsky. “For this reason, charging operators are poorly informed about different architectures and their pros and cons as well as possible cyber-threats. Unfortunately, hardware and software vendors often take this advantage to sell needless services to their clients.” In his opinion, over-the-air updates were unnecessary in the situation with Rosseti’s stations.

Kipriyanova said that this use case has raised awareness of market players about the importance of cyber-security. “Before this happened, I cannot remember a single instance of any client reading into technical specifications and asking purposeful questions about possible threats. Nowadays, everybody is doing this.”

“Eventually, the operators’ awareness about cyber-threats and solutions steadily grows,” Matvievsky said. “However, it’s a slow process.”