Electric vehicle (EV) charging relies on a complex ecosystem involving multiple entities, including utility operators, third-party data network providers, charging infrastructure owners, and the EVs themselves. The high degree of digital interconnectivity required to run that ecosystem presents significant cybersecurity risks, including the potential for data theft, physical property damage, and electric grid disruptions.
In recognition of those risks, the US Department of Energy commissioned the National Institute of Standards and Technology (NIST) to develop a cybersecurity risk mitigation framework profile for Extreme Fast Charging (XFC) infrastructure. NIST recently issued its initial draft, The Cybersecurity Framework Profile for Electric Vehicle (EV) Extreme Fast Charging (XFC) Infrastructure (the Profile).
As the name suggests, XFC infrastructure is capable of rapid EV charge rates that are much faster than those of other types of chargers (i.e., Levels 1, 2, and 3) on the market today—about 15 minutes to fully charge a standard 200-mile battery pack.
XFC infrastructure is expected to be a key component in the strategy to deploy 500,000 charging stations by 2030, per the Infrastructure Investment and Jobs Act. As with other EV charging infrastructure, XFC infrastructure relies on a multilayered ecosystem that includes the charging stations, data networks, and electric utility operator systems—and, similar to other EV charging infrastructure, cybersecurity risks are present at each of those layers.
What’s more, XFC infrastructure presents a unique risk profile because of its higher power output capability. XFC infrastructure can provide 350 kW of power output, and compromising those systems in the aggregate could create significant risks to utility systems.
The Profile provides guidance to help entities securely deploy and manage XFC infrastructure and connected EV ecosystems by aligning cybersecurity controls to the core functions of NIST’s longstanding Cybersecurity Framework (CSF): identify, protect, detect, respond, and recover. Using that framework, the Profile advises entities on the following objectives:
- Identifying key assets and interfaces in each of the ecosystem domains
- Addressing cybersecurity risk in the management and use of EV/XFC services
- Identifying the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data
- Applying protections to reduce cybersecurity risk
- Detecting disruptions and manipulation of EV/XFC services
- Responding to and recovering from EV/XFC service anomalies
The Profile represents another important step toward the standardization of cybersecurity controls for EV infrastructure. While there are currently no mandatory standards for EV charging, and the Profile is not a compliance document, other industries have successfully developed compliance programs by adopting NIST CSF-based principles. As such, the industry may find the Profile to be instructive if, and when, mandatory cybersecurity requirements are developed for EV charging infrastructure.
NIST is accepting comments on the draft Profile until August 28, 2023.