Is your electric vehicle plotting against you?: An investigation of the ISO 15118 standard and current security implementations

Bachelor Thesis

HALMSTAD

UNIVERSITY

IT Forensics and Information Security, 180 credits

Is your electric vehicle plotting against you?

An investigation of the ISO 15118 standard and current security implementations

Digital forensics, 15 credits

Halmstad 2021-06-04

Anthon Berg & Felicia Svantesson

Is your electric vehicle plotting against you?

An investigation of the ISO 15118 standard and current security implementations

Anthon Berg & Felicia Svantesson

Examiner: Urban Bilstrup Supervisor: Eric Järpe

The academy of information technology Halmstad University

Halmstad

June 2021

Abstract

Electric vehicles are revolutionizing the way we travel. Climate change and policies worldwide are pushing the vehicle market towards a more sustainable future through electric vehicles.

However, can these solutions be considered safe and secure? Because of the entirely new attack vector that is charging, many new security concerns are present in this new type of vehicle that did not exist in combustion engine vehicles. Here, a literature study of the current situation surrounding electric vehicle charging and the ISO 15118 standard is presented. In addition to this, a risk analysis of currently implemented solutions for electric vehicle charging is also presented. The purpose is to unveil what weaknesses that are present in modern electric vehicle communication standards and how secure electric vehicles on the road today really are. The results indicate that there are vulnerabilities present in electric vehicles today that require radical improvements to the charging security to provide a safer way of traveling for the future. A list of proposed countermeasures to found vulnerabilities as well as verification methods are also presented as part of this paper. The comprehensive study presented here acts as an excellent foundation for future projects but also for organizations to address critical areas within charging security.

Keywords:

Electric vehicles ISO 15118 Information security Risk analysis

Foreword

We want to extend special thanks to the individuals who have provided their assistance and

guidance through the process of conducting this thesis. We are very grateful to the individuals at

the organization that have allowed us to investigate their systems and provided us with the

necessary information. We would also like to thank our supervisor for all the great advice and

feedback throughout the thesis work.

Table of Contents

1 Introduction ... 1

1.1 Background ... 1

1.2 Purpose ... 3

1.3 Demarcations ... 3

1.4 Problem statements ... 3

1.5 Problematisation of the problem statements ... 4

1.6 Ethical stance... 4

2 Method ... 7

2.1 Research approach... 7

2.2 Literature study ... 8

2.3 Risk analysis ... 8

2.4 Business intelligence ... 9

2.5 Method discussion ... 9

2.6 Method problematization ... 10

2.6.1 Literature study problematization ... 10

2.6.2 Risk analysis problematization ... 11

2.7 Earlier studies and related works ... 11

3 Theory ... 15

3.1 The CIA triad ... 15

3.2 Relevant attack types ... 15

3.2.1 Man-in-the-middle attack... 15

3.2.2 Spoofing attacks ... 16

3.2.3 Injection attacks ... 16

3.2.4 Denial of service attacks ... 16

3.3 Quantum computing ... 17

3.4 The ISO 15118 standard ... 17

3.4.1 Structure of the ISO 15118 standard ... 18

3.4.2 ISO 15118 charging process ... 18

3.5 Authentication through certificates ... 19

3.5.1 Certificate authorities ... 20

3.6 TLS ... 20

3.6.1 TLS handshake... 20

4 Results ... 23

4.1 Literature study: weaknesses within electric vehicles and ISO 15118 ... 23

4.1.1 Conceptual weaknesses in the ISO 15118 standard ... 23

Trusted environments ... 23

Insecure clock synchronization ... 24

The PKI policies are lacking in the standard ... 24

AES-128 might not be quantum computing resistant ... 25

4.1.2 Weaknesses in electric vehicles and ISO 15118 ... 25

Man-in-the-middle attacks on electric vehicles ... 25

The use of insecure CAN buses in electric vehicles ... 26

Injection attacks against electric vehicles ... 27

Spoofing attacks against electric vehicles ... 28

Denial of Service attacks against electric vehicles ... 29

4.2 Risk analysis of electric vehicle cable charging... 29

4.2.1 External analysis ... 30

4.2.2 Investigated risks and consequences ... 30

Risk 1: TLS is not in use for electric vehicles ... 30

Risk 2: Certificates are mostly not in use ... 31

Risk 3: Physical access to the charging inlet is possible ... 31

Risk 4: The EV is vulnerable when listening for a charger ... 32

Risk 5: Scheduling can be exploited to prevent charging or attack the power grid .... 33

Risk 6: Executing commands in the vehicle by malicious traffic ... 33

Risk 7: Insecure CAN buses are used for internal communication between components ... 34

4.2.3 Risk evaluation... 34

Risk evaluation method ... 34

Risk 1: TLS is not in use for electric vehicles ... 36

Risk 2: Certificates are mostly not in use ... 36

Risk 3: Physical access to the charging inlet is possible ... 36

Risk 4: The EV is vulnerable when listening for a charger ... 37

Risk 5: Scheduling can be exploited to prevent charging or attack the power grid .... 37

Risk 6: Executing commands in the vehicle by malicious traffic ... 37

Risk 7: Insecure CAN buses are used for internal communication between

components ... 38

4.2.4 Recommended countermeasures and verification ... 41

Implement TLS as specified in ISO 15118 ... 41

Secure physical charging inlet ... 41

Disable active listening for the charging inlet ... 42

External charging controller that measures strain on the power grid ... 42

Secure the CAN bus with pre-shared keys ... 43

4.2.5 SWOT analysis ... 44

5 Discussion... 45

5.1 Discussion – literature study ... 45

5.1.1 Observed results compared to expected results ... 45

5.1.2 Effects of the chosen method on the results ... 46

5.1.3 Source criticism ... 46

5.2 Discussion – risk analysis ... 47

5.2.1 Observed results compared to expected results ... 47

5.2.2 The gap between standards and real implementations ... 48

5.2.3 Effects of the data collection methods on the results ... 48

6 Conclusion ... 49

6.1 Conclusions based on problem statements ... 49

6.1.1 Which vulnerabilities exist in today’s cable charging systems for electric vehicles? ... 49

6.1.2 How large of a threat are these vulnerabilities to consumers and organizations? .. 49

6.1.3 How should an organization mitigate these weaknesses?... 49

6.1.4 How can implemented mitigation solutions be verified? ... 50

6.2 Future studies on electric vehicle charging security ... 50

References ... 51

Wordlist

ACD Automatic connection device BMS Battery management system CA Certificate authority

CAN bus Controller Area Network bus CCS Combined charging system

CIA Confidentiality, Integrity, Availability DOS Denial of service

EIM External Identification Method EV Electric vehicle

EVCC Electric vehicle communication controller EVSE Electric vehicle supply equipment

FDI False data injection

ISO The International Organization for Standardization

ISO 15118 A communication standard regulating how communication should be carried out when charging an electric vehicle

MITM Man-in-the-middle OBD On-board Diagnostics

OCPP Open Charging point protocol PKI Public key infrastructure RFID Radio Frequency Identification SCMS Smart charging management system SDP SECC Discovery Protocol

SECC Supply equipment communication controller SLAC Signal level attenuation characterization TLS Transport layer security

V2G Vehicle to grid

VAS Value-added services

WPT Wireless power transfer

1

1 Introduction

Ever since humans lived as hunter-gatherers, there has been a need for transport from one place to another. Throughout the years, this has taken many forms. At first, humans traveled by foot, then by horse-and-carriage and nowadays by cars or various other methods. Today, the vast majority of vehicles, both commercially and privately owned, are run through the burning of fossil fuels. However, during the last century, the effects of using this type of energy method have had visible and measurable adverse effects on the environment (Somme, 2016). As the issues surrounding our environment grow more concerning, our society has started to search for alternatives to burning fossil fuels for energy.

A promising alternative today is replacing the combustion engines of yesterday with new and clean electric motors. With electric vehicles making up about 2.6% of global car sales in 2019, this number is bound to grow in the coming years making electric vehicles an increasingly common way to travel (IEA, 2020). However, the digitalization and electrification of the way we travel also bring forth new challenges that need to be addressed. Implementing this technology into vehicles opens new opportunities for hackers and other malicious users to launch

cyberattacks against vehicles. Real-world examples show that various attack methods are

available to malicious parties. These attacks could often have significant consequences affecting both the passenger and driver. One example of such an attack showed that an attacker was even able to take control of the entire vehicle and drive it off the road (Greenberg, 2015). Because of weaknesses like this, security will be of great importance in the future of electric vehicles to continue and evolve our methods of travel. The study conducted here thoroughly investigates the systems used in electric vehicles to find and pin-point weaknesses. This is a first step towards providing safer electric vehicles for the future.

1.1 Background

Electric vehicles have been around for a long time. In fact, some of the first electric vehicles were developed during the first half of the nineteenth century. They have no clear country of origin or inventor. Rather many new inventions around the same time led to the creation of electric cars. Some names worth mentioning regarding the development of early electric cars are William Morrison, Andreas Flocken, Ferdinand Porsche and Thomas Edison who all made contributions within the field.

Electric vehicles entered the market at about the same time as gasoline-driven vehicles in the later parts of the 1800s. During this time, electric vehicles gained some levels of popularity (U.S.

Department of Energy, 2014). They were mainly used within cities and were a preferred method of transport, especially for women at the time. Around this time, there was also some focus on developing hybrid versions of cars. (McFadden, 2020)

The popularity of electric vehicles was however halted when the more affordable Model T from

Henry Ford was released in 1908. This, along with new developments in the field of gasoline-

2 driven cars and the dropping oil prices, led to electric vehicles dropping rapidly in popularity (U.S. Department of Energy, 2014).

By 1935, electric vehicles were almost completely gone as gasoline and steam-driven vehicles took over. This lasted until the oil crisis in the 1970s. After this, the focus started to gradually shift towards electric cars once again (McFadden, 2020). Their popularity and use have also resurged due to technological developments in recent years (U.S. Department of Energy, 2014).

As mentioned previously, the percentage of sold electric vehicles is only expected to grow as the market calls for more green alternatives to counter the negative environmental effects of CO

emissions.

During recent years not only electric vehicles have seen a rise in popularity but also connected vehicles as a whole. Modern vehicles make use of a wide range of features to make traveling more convenient for the person riding the vehicle. Often, these features make use of or require a connection to the internet or some other device. This has enabled attackers to exploit and use these new features for malicious intents. According to the 2020 Global Automotive Cyber Security Report (Upstream Security, 2020), the number of cyberattacks against vehicles grew by 99% in just 2018.

Connecting a car to the internet opens many new vulnerabilities that did not exist some years ago. As this is a relatively new phenomenon, it has opened up an entirely new market. The focus on making sure that the charging process proceeds flawlessly is something that is becoming increasingly important. Companies and organizations have realized that they need to implement better security solutions to stay up to date with the current level of cybersecurity in the world.

The fact that charging opens up an entirely new attack vector that was not present previously makes this aspect critical from a security perspective. Charging is a large and important aspect of the security around electric vehicles and will probably continue to need to be focused on in the future. With the many new options for connectivity and features being implemented into vehicles today, the risks of these features being used for attacks increases.

Apart from the development of the electric vehicle and the need for better solutions, the focus on cybersecurity and security in general has become a subject that has grown exceptionally.

Although security in general has always been focused on throughout history in different ways, the concept and need for cybersecurity have only recently become an essential part of everyday life.

The need for professional cybersecurity first started in the early days of the internet, when malicious code began spreading across networks. Back then, some solutions to fixing the problem and restoring security were simply shutting down the entire internet by disconnecting regional networks, which gave time to clean infected networks and computers (La Trobe

University, 2018). Nowadays, such drastic measures are not needed as IT and cybersecurity have evolved quite a bit.

In recent years an increasing interest has been noted in the field of cybersecurity within different

vehicles. With new attacks and exploits being devised regularly, it is evident that this is a field in

which a great amount of effort must be spent on securing our vehicles and the way we travel.

3 This is very much true for electric vehicles, which in addition to all the connected features of a combustion-engine vehicle, also need to charge in order to operate. This opens up a wide range of possibilities that may not even exist for regular fuel-driven vehicles. Some relevant earlier studies are further discussed in part 2.7 when more relevant concepts have been introduced.

1.2 Purpose

The purpose of this thesis is to expand further the knowledge about the security surrounding the charging of electric vehicles with a greater focus on actual current implementations. Another purpose is to provide a security perspective on the ISO standard 15118 and existing weaknesses based on earlier studies and literature. In addition to this, a risk analysis of a currently used implementation of cable charging in electric vehicles is also performed. This risk analysis is conducted through a partnership with an organization in the industry. The aim is to give a greater understanding of what the security situation is currently like in the field of electric vehicles and what needs to be improved for greater security in future implementations.

1.3 Demarcations

In order to limit the scope, some limitations and demarcations have been made. One such limitation is that the focus is only on security surrounding the charging of electric vehicles through cable, and more specifically with combined charging systems (CCS). Because of this, Wi-Fi-based charging and other similar means of charging are not focused on. That being said, similar security measures may still be necessary for other types of charging. The literature study conducted in this paper also focuses on the ISO 15118 standard and no other alternatives. The risk analysis is limited in its scope as not all implementations of charging security are

investigated. This is because the scope of investigating multiple organizations charging implementations would be too large for this bachelor's thesis.

1.4 Problem statements

This thesis investigates and discusses the current and near-future implementations of cable charging for electric vehicles. This is done to better understand the field and how secure and robust currently implemented solutions are. The paper focuses on highlighting solutions

currently in use and how they may be lacking in security. This is achieved through studying the results from earlier studies around the charging of electric vehicles and the ISO 15118 standard.

In addition to this, a risk analysis is conducted targeting a real-life implementation of electric vehicle charging. This study only investigates vulnerabilities related to cybersecurity and not any other weaknesses that may be present related to other fields. The problem statements that are answered through this report are specified below.

1. Which vulnerabilities exist in today’s cable charging systems for electric vehicles?

4 2. How large of a threat are these vulnerabilities to consumers and organizations?

3. How should an organization mitigate these weaknesses?

4. How can implemented mitigation solutions be verified?

These problem statements together provide a picture of how secure electric vehicles are at the time of conducting this study. In addition to this, the problem statements show how urgent each risk or vulnerability is to consumers and organizations as well as how different risks should be mitigated. These problem statements are chosen to provide a new perspective and complement the existing studies within the field of electric vehicle charging security. Existing studies have investigated different aspects of electric vehicle charging, such as the power grid, the charging station and the ISO 15118 standard. Because of this, these problem statements provide a new point of view towards the vehicle and how secure the actual vehicle is at this point in time.

1.5 Problematisation of the problem statements

Regarding the problem statements presented, some limitations and issues need to be addressed before considering the results.

The first issue is that electric vehicles exist in many different forms and are produced by many different companies. Even though there exist standards for how the charging of electric vehicles should work, there is still space for companies and organizations to implement their own

solutions to a certain degree. This has led to a field in which different organizations can suffer from different security issues regarding the charging even though the same standard might be followed. This also means that the results presented might give a somewhat one-sided picture of the area, as not all current implementations of electric vehicle charging are investigated and analyzed. Therefore, the results presented cannot be considered a description of all security flaws in all electric vehicle charging systems without carrying out any type of analysis of different organizations' systems.

Another issue regarding the problem statements is that the area of technology that is being investigated is constantly changing and evolving rapidly. Because of this, the results might become outdated quickly as new technical solutions are implemented and old ones are no longer used. This problem cannot be solved during the course of conducting this study but must instead be solved by continuing to evaluate the situation and conducting new studies as time goes on.

1.6 Ethical stance

It is important to note that the vulnerabilities and risks being discussed in this thesis may expose

significant threats to organizations and individuals using the vehicles. This is the case since

specific details surrounding certain risks may be exposed to malicious parties, increasing the risk

5

of the vulnerability being exploited. Therefore, some details surrounding certain risks are omitted

from the final paper to protect vulnerabilities from being exploited, leading to potential harm to

companies or individuals.

6

7

2 Method

Several different methods are used. The first method used is that of a literature study. The focus of the literature study is to explore what the future implementation of the ISO 15118 standard will bring and what it will mean for EV cable charging security. In addition to this, different already existing weaknesses in electric vehicle charging are investigated through existing literature on the subject. During this part, different earlier studies and conclusions surrounding electric vehicle charging and the ISO 15118 standard are analyzed and put into perspective to produce a full view of the standard. Weaknesses that have already been discovered and discussed by sources are also explored to present a more complete view of the area.

The second method used to investigate the field around EV cable charging is that of a risk analysis. This part of the study aims to identify and analyze the flaws and issues currently

present in existing EV charging systems. This part complements the literature study and provides a new perspective on the area surrounding EV charging security. The risk analysis highlights current security flaws and their impact and how they can be resolved in the future.

Along with this, a SWOT analysis is also produced to present different strengths, weaknesses, opportunities and threats within the investigated field. This is a way to assess a company’s position and a way to develop strategic planning. It is also done to create awareness. This awareness is achieved by assessing internal and external factors but also by estimating current and future potential within the field. (Schooley, 2019)

2.1 Research approach

A mainly qualitative research approach is used in order to answer the problem statements set up around the investigated area. This means that the methods used through this thesis collect data through exploring different interpretations of the subject rather than facts and numerical data.

This type of study can often include elements that are not measurable but rather provide a perspective on a subject through discussion. An example of this could be investigating different individual's thoughts surrounding a subject. According to Trost (2010), a qualitative study is applicable where individuals' ways of thinking around a subject or identifying patterns are being studied.

This approach is well suited to the study at hand since no practical examinations of systems are carried out. Therefore, the information acquired is mainly based on earlier works within the field and discussions with individuals in the industry.

However, some parts of the study are quantitative. These parts mainly relate to the estimation

and grading of risks. In addition to the scores generated for each risk, a quantitative severity

score is also calculated based on these two scores.

8

2.2 Literature study

The study consists partially of a literature study to present a broad view of the investigated subject. The use of a literature study means that the data collected and presented is already pre- existent due to previous research that has been performed and published. The literature study mainly uses information and data collected through various sources on the internet. The search engines used to collect relevant information were mainly the Onesearch search engine available from the Halmstad University library, IEEE Xplore, Web of Science and Google Scholar. Apart from this, Google has also been used to search for information to some degree. All of the sources used have been cross-referenced to make sure that they are reliable and well-suited to the subject of the thesis. Some of the phrases used to search for information were “electric vehicle ISO 15118 vulnerabilities”, "electric vehicle security", “ISO 15118 standard conceptual weakness”

and other similar phrases.

Apart from using the internet to search for sources, some books are also used. The information used in the literature study is centered on trying to gain a deeper understanding of the subject.

This is used to reach results and draw conclusions in the later parts of the study.

2.3 Risk analysis

According to Kaminskiy et al., (2016), a risk analysis is a measurement of the potential loss. It also shows the magnitude of any possible loss from or to a system. Some risk analyses can be done by directly measuring the statistics of previously existing historical data of losses. This is the case when such data on losses are already available for analysis.

If there is no previous data on actual losses, a loss model can be created, which is done by using different types of risk analysis methods. After a model has been produced, the risks can then be predicted. There are many cases where previous data of loss is not available, which means a need to produce a model of different risks and their impact.

The use of risk analysis has advanced in the last centuries, but the concept has been around for a long time. It has been used to choose the best path to take when put in front of a decision. Risk analysis applies to many different parts of society and has been applied to new technological developments in recent years. This new era has also led to new types of vulnerabilities and risks.

Because of this, new risk analysis and decision-support tools that address these uncertainties have become more critical than ever. (Aven, 2012)

Though there are different ways to perform a risk analysis, generally it consists of three

elements. These elements are risk assessment, risk management and risk communication. These three parts interact and overlap many times during the risk analysis process.

Risk assessment consists of two major parts: determining the likelihood of an undesirable event

and evaluating the consequence of the said event. These steps can be performed by looking at

previous data to understand how a similar situation might play out. The risk assessment is

usually divided into two parts; a step where the risks are identified and ranked. Another step is

where they are evaluated, where the consequences are also mentioned.

9 Risk management means that the risks and the factors contributing to them are controlled

through various steps. This is done to potentially minimize the loss. In the risk management step, the risks presented during the risk assessment step are looked at and decided how they should be handled. This is mainly done to minimize potential harmful incidents or failures.

Risk communication is the final step and implies that the people responsible for making the decisions are informed about the risks and consequences. This includes risk assessors, risk managers and other parties who may be interested. During this step, the decisions regarding how to handle the risks can be discussed. This can, for example, include transferring, mitigating or minimizing the risk. (Kaminskiy et al., 2016)

2.4 Business intelligence

In order to perform a risk analysis, a view of the current situation must be obtained and analyzed.

This part is called business intelligence or external analysis and is done by collecting data about a specific subject. This data is then analyzed to get a clear view of how the situation appears around a subject. There exist different ways of performing external analysis and obtaining the needed data.

One way is to perform trend monitoring. This is one of the main points of business intelligence and works by analyzing current trends at this current point in time. It can be described as a predictable direction or series of events and closely follows change in many different societal areas. This can mean many different changes, for example, economic changes or changes of values. Trends are also observable in many different organizations and industries (Wahlström, 2004). In the study being carried out, the trend monitoring can be considered the information gathered in the literature study, as this part deals with current trends and available data.

Performing external analysis within a field is a crucial step when it comes to conducting a risk analysis. As much of this study focuses on providing a view of the area around electric vehicle charging security, the external analysis plays a vital role. The literature study conducted acts partially as an external analysis for the risk analysis as the literature study aims to provide a view of the area. According to Wahlström (2004), the following steps of the risk analysis become easier once the external analysis is completed. External analysis can also be helpful when trying to predict how the future of a specific area will develop. This is especially important for specific fields, such as fields that change and develop rapidly.

2.5 Method discussion

The methods of literature study and risk analysis have been chosen since they provide a picture

of the current situation surrounding cybersecurity in EV cable charging as well as an analysis of

what the future within the area may bring in terms of security. Another reason these methods

were chosen is that there is currently a lack of studies investigating security implementations

used by organizations and companies today. Therefore, the risk analysis of the solutions used by

10 a company in the industry provides a new and desired perspective on the subject of EV charging security.

The literature study takes advantage of the large number of already existing research surrounding the ISO 15118 standard and different EV charging weaknesses in order to provide a

comprehensive picture of the existing flaws in EV charging and the standard. This part also aims to present a gathered view of how secure the ISO 15118 standard is and what security flaws may need to be addressed in future versions. Because of the large number of existing studies, it is necessary to gather the results of these studies and present a collected view of the situation surrounding EV charging as well as the security implementations from the ISO 15118 standard.

The risk analysis is then used to complement the literature study and the already existing works with an example of current security implementations and the flaws that exist within them. The risk analysis investigates a real organization within the electric vehicle industry. It aims to identify the risks and security threats towards their solutions at the current point in time. This highlights both the increase in security that the ISO 15118 standard brings when fully

implemented, as well as what the current EV security situation is like at the moment.

Combining these methods helps gather the information surrounding near-future communication standards like ISO 15118 and provides a new perspective on the current EV charging situation.

Together these paint a picture of how secure EV cable charging is today and what changes need to be made to these systems in the future.

2.6 Method problematization

Different methods will always have positive and negative aspects to them. Some issues related to the chosen methods may need to be considered when using or analyzing the result of a study.

Because of this, some of the problems surrounding the chosen methods are discussed below.

2.6.1 Literature study problematization

A literature study is based on the literature that exists within an area or a field. Because of this, many different sources are used to conduct the study, and each one may have a particular perspective on the subject or hold a specific opinion. Therefore, the process of reviewing and investigating different sources becomes vital when using different sources to provide a result or a conclusion. Each source needs to be reviewed so that any motives of the author can be

understood and that the results can be used reliably and correctly.

On the other hand, exploring many existing studies within an area may provide a cost-effective

method for individuals or organizations to investigate a subject. Moreover, the fact that an area

has been tried and explored repeatedly can display clearly for the reader what is well-known and

what is less known within a field.

11 2.6.2 Risk analysis problematization

By using risk analysis as a method, a clear view of the investigated field and the issues within it may be achieved. Many of the risks affecting an area can be found and evaluated through this method. Therefore, the results of this method can be used as a kind of guiding light for decision- makers when deciding how to continue development within a field. This being said, a risk analysis can also be a valuable tool for an organization or company to identify and prepare for different risks affecting their product or service. Another positive aspect surrounding risk analysis is that it is an excellent way to present the found risks and related countermeasures to individuals who might not have much experience within the area.

However, this method has some shortcomings, for example, the fact that a hypothetical risk model must be created in some cases. This can be because not enough earlier data exists to go on. By doing this, there cannot be complete certainty that the risk model is completely accurate, and therefore the risks presented in it can change or vary to some degree. If the risk analysis is instead based on earlier cases, this can result in the risks presented being more accurate to the actual situation and consequently render a more rewarding result. Another issue surrounding technological risk analysis is that technology within specific fields changes rapidly. This makes the risk analysis inaccurate or outdated very quickly. Therefore, many risk analyses need to be conducted in the future to provide a continuous perspective on the risks against an organization or a product.

2.7 Earlier studies and related works

Several previous studies exist within the field of electric vehicle charging. These studies differ from the one presented here in a couple of distinct ways. In particular, the study at hand is focused on investigating a single organization's security solutions when it comes to charging.

Many of the existing studies on the subject instead focus on investigating standards that regulate the security surrounding charging or have a more general objective. The type of study described here aims to present a better picture of the current situation in the area regarding the actual state- of-the-art security implementations. Moreover, observations and conclusions from other related works are gathered and presented in an organized way through a literature study. Some earlier works that investigate close subjects are listed and shortly described below.

”Är du och din elbil skyddad vid laddning via laddstolpe?” Alfredsson & Brettmar (2020)

The bachelor’s thesis above aims to present a comparison between the two communication

standards ISO 15118 and OCPP. Additionally, three interviews were carried out with individuals

from the industry where these individuals had the opportunity to give their opinions and answer

questions about the future of electric vehicle charging. This differs in some significant ways

from the study presented in this paper. The main differences are that this study will not be aimed

at comparing two different standards but rather to analyze one standard. Furthermore, the results

will be complemented with a risk analysis of the current state of charging based on actual

implementations used by an organization in the field of electric vehicles.

12

“Cybersecurity of Smart Electric Vehicle Charging: A Power Grid Perspective” Acharya et al. (2020)

The study has a similar objective to that of the study at hand. The paper discusses different types of attacks that may target electric vehicles and how they work. Some of the attacks described are purely hypothetical but could pose a significant threat to the power grid if ever carried out.

Though this work discusses several different potential vulnerabilities and different parts of the charging process, it has an overall focus on consequences for the power grid and not for the electric vehicle or charger. Some of the themes discussed are the vehicles, the charging systems and the power grid. This differs from the current study in the way that the focus will mainly be on the electric vehicle and not on the power grid.

“The Security of Charging Protocol between Charging Piles and Electric Vehicles” Xu et al.

(2019)

Like some of the other earlier works, a primary objective with the study above is to find different threats regarding the charging of electric vehicles. The focus is aimed towards finding

vulnerabilities specifically in the charger and not in the vehicle. Another focus in the paper is different charging protocols and how they can open for vulnerabilities in different ways. This differs from the study at hand as the focus will be on the vehicle's security and not the charger.

“Cybersecurity of Onboard Charging Systems for Electric Vehicles—Review, Challenges and Countermeasures” Chandwani et al. (2020)

The focus of the authors presented above is to discuss and analyze different parts of the charging process of electric vehicles. Several different threats against both the software and hardware levels are discussed, and some countermeasures proposed. This differs from the current study in some areas. For example, it has a more significant focus on mathematical and technical issues surrounding charging security. It also goes into great detail surrounding electricity and current, which the study at hand will not.

“A threat analysis of the vehicle-to-grid charging protocol ISO 15118” Bao et al. (2017) This work presents a comprehensive view of the ISO 15118 standard. It discusses various threats and vulnerabilities along with how they can be avoided or mitigated. This has similar traits to this thesis, as they both deal with the ISO 15118 standard. However, the current study will discuss the ISO 15118 standard but also explore currently existing vulnerabilities within electric vehicle charging and not just in relation to the standard.

These earlier studies will serve as a base for this thesis both in the literature study and in the risk

analysis part. Even if some of the studies mentioned in this section explore subjects that differ

13

from that of this study or focus on different areas, the conclusions and results found in these

studies provide an essential foundation.

14

15

3 Theory

In order to fully understand the results and discussions in later parts of this report, some terminology and technological concepts need to be explained and discussed. In this part of the thesis, different concepts are introduced and explained in some detail. This section of the report acts as a foundation for the arguments and conclusions presented later.

3.1 The CIA triad

The CIA triad is a series of three terms that are used when defining different security solutions and which aspects of security they affect. These terms are confidentiality, integrity and

availability. The triad is also functional when developing new solutions or managing security within an organization. It offers three main concepts that need to be balanced to obtain security on different levels. It is also worth mentioning that different aspects of the CIA triad may be more or less important depending on what is to be protected and what is required of the protected entity. For example, a system that requires very high confidentiality may not need to be as easily accessible. The terms that the CIA triad is an acronym for are described below.

Confidentiality refers to the secrecy of the protected entity. High confidentiality means that the protected entity is only accessible to the parties that should be able to have access and no one else.

Integrity defines how well protected an entity is from tampering or modification by unauthorized parties. Integrity can also be seen as the part of the triad that deals with the legitimacy of the protected entity and that it remains in a correct state.

Availability is the term that defines how easily accessible an entity is to parties that have the authorization to access it. An example of high availability is a system that consistently allows legitimate users to log in without making the process a hassle for users.

3.2 Relevant attack types

In this section, some relevant types of attacks are defined and described. A large number of different attacks and variants of attacks exist within the field of cybersecurity. Certain attack types are more common than others and different attacks may be used to reach different goals.

This section describes several attacks that are common within cybersecurity and may present a threat to electric vehicles. This is in order to give a basic understanding of what the concept of each attack is.

3.2.1 Man-in-the-middle attack

One of these attacks is the so-called man-in-the-middle attack (MITM). This attack type is one of

the most well-known attacks when it comes to cybersecurity. The scenario in which a MITM

attack can be performed usually involves two communicating parties where the malicious party

is situated between the parties. The attacker can then use this position in which traffic has to

16 travel through their device to gain access to the communication between the two parties. The attacker can use this position to manipulate traffic on its way to the receiver or simply to eavesdrop. This influences both the integrity and the confidentiality of the data. (Conti et al., 2016)

3.2.2 Spoofing attacks

Another form of attack is the so-called spoofing attack, or just spoofing. This means that a malicious party is disguising itself as a trusted source. By doing so, they can gain access to data or information that is confidential. This can be done through a wide range of methods. Some examples of such methods are through the use of fake websites, phone calls, e-mails, IP addresses and servers. The result of these attacks can be severe and cause an economic loss (Bhaskari et al., 2011). These attacks are often carried out by using names from a well-known, trusted parties to fool individuals. This is sometimes enough to make the victim give up

information or take an action that might lead to compromised or stolen data (Malwarebytes, n.d).

The concept of spoofing is described by the organization Malwarebytes (n.d.) through the quote below.

“Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else in an attempt to gain our confidence, get access to our systems, steal data, steal money, or spread malware.” (Malwarebytes, n.d)

3.2.3 Injection attacks

An injection attack is a form of attack that works by injecting malicious code into a program or scenario in which it can cause damage or extract data. An attacker can, for example, submit malicious input which will cause a web application to perform unauthorized actions. This can result in confidential information being exposed or admin access being granted to attackers.

There exists many different forms of injection attacks. Some types are SQL injection, code injection, cross-site scripting, false data injection and command injection which all aim to inject commands into a system. (Pauli & White, 2013)

These types of attacks are not only one of the most damaging types of web application attacks but are also quite common. Another issue with injection attacks is the size of the attack surface.

An attack like this has the possibility of affecting a large number of people (Muscat, 2019). An attack like this would mainly affect the integrity of the data.

3.2.4 Denial of service attacks

A denial of service (DOS) attack is a type of attack that is based on preventing legitimate users from accessing a service or a product during a window of time. Many different versions and modifications of DOS attacks exist but preventing legitimate access to a resource is most commonly the primary goal of this type of attack. There are two main types of DOS attacks:

flooding attacks and crashing attacks. As can be gathered from the name, a flooding attack aims

17 to flood a target with traffic forcing them to slow down or shut down operations. A crashing attack instead aims to exploit some weakness within a system to force it to crash. (Paloalto networks, n.d.) A DOS attack would mainly affect the availability of the data.

3.3 Quantum computing

Quantum computers combine computer science with quantum mechanics. This is a new type of computer that can solve complex problems that the computers of today do not have the

computational power to deal with. While today’s computers work by manipulating individual bits that store binary information, quantum computers use quantum bits or so-called qubits.

While quantum computers are relatively new, the theory of quantum computing has been around for quite some time. Practical developments have progressed since around the 1980s and now scientists are closer than ever to creating this new type of computer. (IBM, n.d)

The field of quantum computing is quickly growing and evolving. This field combines mathematics, computer science and physics. By combining computer theory with quantum theory, performing tasks that were thought to be impossible or infeasible is now closer to being within reach. By using quantum computers, solving problems in a faster and more effective way is sometimes possible. (Kaye et al., 2020)

Quantum computers and their abilities are well debated. However, they are expected to threaten some of the cryptographic protocols available and in use today if they become a reality. If

quantum computers capable of handling thousands of qubits ever arrive, some believe that, some of the most commonly used encryption systems will become obsolete overnight (Mavroeidis et al., 2018). Even agencies such as NSA (National Security Agency) have made official statements about the future of cryptographic protocols and the demand to adapt to quantum-safe options or post-quantum cryptographic algorithms. (Stanger, 2020)

3.4 The ISO 15118 standard

This section aims to describe what the ISO 15118 standard is and what it implies for electric vehicles and their charging process. Some specific details about the charging process and how it is structured according to the standard is also explained.

ISO standards are made on an international scale and therefore aim to provide a standard within an area globally. The ISO 15118 standard is a series of documents that describes and specifies requirements surrounding vehicle to charging station communication. The standard also covers vehicle to grid (V2G) communication where the vehicle will be able to communicate with the grid and other parties involved in the transfer of electric energy (V2G Clarity, 2019). The correct and complete implementation of this standard will bring increased security in the form of TLS encryption as well as authorization with certificates. In addition to this, other features such as automatic payment management will also be available. Even though this is the case,

organizations may decide not to fully implement all the requirements of the standard. Therefore,

they may still be vulnerable based on specific weaknesses. V2G Clarity, which is an organization

18 dedicated to educating about the ISO 15118 standard, describes the standard in the following way.

“In a nutshell, ISO 15118 is an international standard that outlines the digital communication protocol that an electric vehicle (EV) and charging station should use to recharge the EV’s high- voltage battery. As part of the Combined Charging System (CCS), ISO 15118 covers all

charging-related use cases across the globe. This includes wired (AC and DC) and wireless charging applications and the pantographs that are used to charge larger vehicles like buses.”

(V2G Clarity, 2019)

3.4.1 Structure of the ISO 15118 standard

The ISO 15118 standard is divided into a series of documents. Each document in the family of standards deals with a specific area of the standard. A list of all the documents in the ISO 15118 standard family, that are currently available or in development from the iso.org website at the time of this report, can be found below.

ISO 15118-1 General information and use-case definitions ISO 15118-2 Network and application protocol requirements ISO 15118-3 Physical and data link layer requirements ISO/CD

15118-4

Network and application protocol conformance test (under development)

ISO 15118-5 Physical and data link layer conformance test

ISO 15118-8 Physical layer and data link layer requirements for wireless communication ISO 15118-9 Physical and data link layer conformance test for wireless communication

(under development)

ISO 15118-20 2nd generation network and application protocol requirements (under development)

Table 1: A table displaying the different documents that are part of the ISO 15118 standard family. The ISO 15118 standard is divided into multiple different documents handling different subjects and aspects of the standard.

3.4.2 ISO 15118 charging process

The ISO 15118 charging process is briefly described in ISO 15118-1 (2019). In this part of the standard, the charging process of an electric vehicle is described through 8 different use case groups. These groups are ordered as A–H and each one describes a certain part of the charging process. These case groups describe the necessary parts that need to be included in a charging session in order to carry out all the required steps described in the ISO 15118 standard. Some additions were made to the different use case elements in the updated version of the standard in 2019. These changes included the new case element groups P and I. These groups address

necessary steps when a vehicle uses WTP or ACDs in order to charge. Apart from these changes,

the steps remain the same as in previous versions. A flowchart displaying the charging process

according to the ISO 15118-1:2019 standard can be found below. (ISO, 2019)

19

3.5 Authentication through certificates

Digital certificates are implemented by means of public-key encryption. This means that a public key and a private key are generated and can be used to encrypt and decrypt messages. A digital certificate is a file that contains this public key which is made available to everyone. As for the private key, it is kept secret by the owner and can be used for the signature or encryption of files, documents, or other such items. The public key can then be used to verify that the signature is correct and prove that the other party does indeed hold the correct private key and their identity.

In addition to this, the public key can be used by individuals to send confidential information to the private key holder. This is possible since anyone can find and use the public key, but only the private key holder can decrypt the message. (SSL.com, 2020)

Figure 1: ISO 15118 charging process flowchart showing the process which occurs during charging. In this image, the process is listed from A-I. Each part describes a specific part of the charging process. In order to carry out the necessary parts that are required by the ISO standard

these steps need to be included.

20 3.5.1 Certificate authorities

A certificate authority or CA is a third party that guarantees the identity of the party wishing to be authenticated using the certificate. The CA signs a certificate using their own private key.

This allows anyone to check the legitimacy of the CA and through that signature, make sure that the certificate is legitimate. (Vega et al., 2016)

Multiple CAs can verify each other with their own public and private keys forming a chain of CAs confirming the identity of each other. When this is the case, there will be a CA called the root CA that is on the highest level of the chain. This CA will often be recognized by the system as a trusted party and in turn, validates the entire chain of CAs.

3.6 TLS

TLS is a so-called “secure-channel establishment protocol”. This means that TLS is used to provide a secure channel for communication to flow through. TLS uses a combination of encryption and authentication through certificates to ensure that a channel is secured against malicious parties. This protocol is, for example, used in HTTPS to ensure that traffic flowing between a client and server on the internet is secured. (Arfaoui et al., 2019)

Through the years, multiple versions of TLS have existed and been used. Today the most current and secure version is called TLS 1.3. This version differentiates itself from the previous version TLS 1.2 in some crucial ways. For example, TLS 1.3 provides a significant decrease in latency and addresses some of the security concerns present in TLS 1.2 if not configured correctly.

(SSL.com, 2018)

The TLS protocol consists of two main parts. The first part is known as the TLS handshake and this is where the initial authentication with certificates and exchange of keys occurs. The second part is called secure message exchange. This part is where the secure channel has been

established, and traffic can travel over it securely. (Arfaoui et al., 2019)

3.6.1 TLS handshake

As mentioned above, the TLS handshake is the first part of the TLS protocol. The handshake aims to exchange information such as certificates and cipher-suits (a set of cryptographic variables for encryption and decryption) between the parties. This is done to establish a secure channel through which authentic and confidential communication can be carried out.

The authentication part of the handshake is achieved by using certificates. The client will receive

a certificate from the server proving its authenticity. The client then has to verify the identity of

the server by checking the certificate chain until a trusted CA is found. The client (EV in the case

of an EVCC to SECC connection) can then be sure that the server (charging station) is legitimate

and not a fake placed by a malicious party.

21 The second part of the handshake is where the confidentiality of the communication is assured.

This is done by exchanging cipher-suits and establishing a cryptography method to use in the communication. The use of cryptography over the communication ensures that untrusted parties cannot take part in the communication or listen in on what is being said. In the case of ISO 15118 communication there are only two allowed cipher-suits which are

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 and

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. (SIS, 2016)

22

23

4 Results

In order to answer the problem statements presented in the sections above, two different methods were chosen. Because of this, the results section is divided into two parts. The first one presents the results of the literature study and the second part presents the results of the risk analysis.

These results are then used in further parts of the report to answer the chosen problem statements.

4.1 Literature study: weaknesses within electric vehicles and ISO 15118

This part of the paper contains the results from the literature study conducted around already explored weaknesses within electric vehicles and the ISO 15118 standard. Different weaknesses discussed by a wide range of sources are collected and gathered in the sections below. Existing weaknesses within the ISO 15118 standard are also explored and then brought up in the

following sections.

4.1.1 Conceptual weaknesses in the ISO 15118 standard

This part brings up conceptual weaknesses in how the standard is formulated or constructed.

Some thought processes or ways of implementing security that are presented in the standard and leave room for weaknesses are brought up in this part. Also, features in the standard that may present issues in the future are presented in the section below.

Trusted environments

According to ISO 15118-2 (2016) part 7.3.4, TLS is required for all communication that is to be carried out between charger and vehicle in all environments that are not trusted. This means that an exception to the mandatory use of TLS exits for areas that are marked as trusted. ISO 15118-2 (2016) defines a trusted environment in part 3.35 as:

“closed user group (e. g. members of car sharing system) with some pre-distributed token for access to the SECC charging service (e.g. key to home garage, RFID token for car sharing), which is something where a person or instance is responsible for, for example (not limited to) a person with its home garage, a car sharing operator or a taxi operator” (p. 6)

This means that TLS is not mandatory when the charger is only available to a closed group of individuals where some external sort of authentication is used to access supply equipment. This is described in the standard as, for example, being a physical key or RFID tag.

The fact that traffic flowing between supply equipment and the vehicle in a safe environment is

not required to use TLS may open up the traffic to tampering or other types of manipulation for

malicious purposes. Another issue based on this weakness is that incorrect implementations or

errors may force downgraded versions of TLS to be used in other situations. Older versions of

TLS have weaknesses present that could be exploited by a malicious party to gain access to the

communication even if TLS is in use. (Bao et al., 2017)

24 Because of the weaknesses presented above, Bao et al. (2017) propose in their paper that the concept of a trusted environment should be removed altogether. There, it is stated that the implementation of optional security solutions “only provokes implementation errors and mis- configuration” (p. 11). Instead of this, it is recommended that TLS should be mandatory in all situations and environments. Bao et al. (2017) also mention that the ISO 15118 standard is not weak and that it already covers many threats, but it gets weakened by introducing exceptions.

Insecure clock synchronization

Another security aspect that is brought up in ISO 15118-2 (2016) is that of clock synchronization and how this should be done. This subject appears in part 7.3.2 of the document and is

specifically defined in point V2G2-886. This point states that “The EVCC may choose the accuracy of its time source at its own discretion” (p. 17) but also that “The accuracy should be at least one day.” (p. 17). This indicates that the decision of what type of time source the EVCC should use and how secure that source happens to be is left to the EVCC. Even if this is the case, the addition of the “one day” accuracy restriction does add some direction to the EVCC clock synchronization.

The issue created by the lack of direct restriction in how the EVCC clock should be synchronized is that unauthorized clock synchronization mechanisms could be used and therefore compromise the EVCC’s clock settings. The internal clock settings are important from the perspective of handling certificates as the validity of such certificates is often partially described by the expiration date of the certificate. This could leave room for malicious parties to exploit this aspect to get fraudulent certificates accepted by the EVCC. In addition to this, the system could be manipulated into rejecting legitimate certificates based on validity times causing a sort of DOS effect against vehicle charging. (Bao et al., 2017)

The PKI policies are lacking in the standard

One conceptual weakness found in the ISO 15118 standard is the lack of securely implemented public key infrastructure (PKI). This flaw in the ISO standard is discussed in the report “Practical Considerations for Implementation and Scaling ISO 15118 into a Secure EV Charging

Ecosystem” (Chargepoint, 2019). The flaw discussed in this report is based on the way the PKI policies are currently formulated, compared to PKI best practices. The report mentions that some parts of the standard, such as certificate policy documentation, audit policies and certificate revocation policies fail to meet the criteria that a secure PKI system needs to fulfill.

According to Chargepoint (2019), their investigation of the PKI standards in ISO 15118 and the

issues presented shows that it is currently questionable whether it should be considered a trusted,

secure and scalable implementation of PKI. They mention that the standard fails to fulfill as

much as 85% of the criteria presented. These problems increase the possible vulnerabilities and

cause interoperability problems at every level. (Chargepoint, 2019)

25 AES-128 might not be quantum computing resistant

One conceptual weakness found and discussed in some sources is the fact that AES-128, which is the encryption algorithm that is required by the ISO 15118 standard, might not be completely quantum resistant. Quantum computers and their abilities is a very debated subject with some arguing it will never pose a threat. However, with large organizations such as Google, IBM and NSA discussing the possibility, it is still necessary to keep in mind from a security perspective.

Wood (2011) argues that a quantum computer could exhaust all possible combinations of a 128- bit AES key in about six months. A 256-bit AES key could take a quantum computer as long to crack as it would for a traditional computer to crack a 128-bit AES key. Therefore, the

recommendation is to switch from AES-128 to AES-256, which should be considered quantum- safe according to Wood. This is something that Bonnetain et al. (2019) also agree within their report “Quantum Security Analysis of AES”.

Another source that also mentions this threat against AES is Martin (n.d) who argues that the use of powerful quantum computers will have a dramatic effect on the security of some encryption algorithms. Martin also mentions that while this may be in the future of cryptography, there will most likely be quantum-safe cryptography standards implemented before quantum computers can break current algorithms.

4.1.2 Weaknesses in electric vehicles and ISO 15118

In this section, some practical weaknesses that have already been discovered and investigated in earlier studies are brought up and explained. Different variants of attacks and weaknesses are also presented and how large of a threat they pose to the system is commented.

Man-in-the-middle attacks on electric vehicles

A common cyber-attack is the man-in-the-middle (MITM) attack, and when it comes to vehicles and their connectivity, these types of attacks can pose a significant threat. A malicious user could perform this type of attack in order to gain access to transmitted traffic. The attacker would then be able to act as a relay between the sending and receiving party without either’s knowledge.

(Gottumukkala et al., 2019)

In some cases, the attacker could intercept the data communication between the vehicle and charger. By doing so, the attacker could gain the ability to affect the data being transmitted in various ways. In the case of man-in-the-middle attacks against electric vehicles, this could mean committing payment fraud or causing integrity issues. Another issue this type of attack could bring would be overcharging of the batteries, which could potentially lead to damage to the vehicle. (Bhusal et al., 2020)

Some earlier studies around this threat discuss some real-world experiments and tests that have been carried out. These tests aimed to break through the defenses around the charging process of electric vehicles and gain the ability to access the system. This was done to measure the

vulnerabilities in EV charging systems and determine the consequences of a potential attack. The

26 results of these specific tests prove that hacking an EV is possible by developing and using a MITM device. The used device was designed to spoof signals between the charger and the EV.

This proved that the attacker could manage to influence the charging process, which according to the individuals responsible for the test could cause even more considerable disruption at scale.

This attack was relatively simple but still managed to affect the vehicle in significant ways. The main three effects of the attack were overcharging, limiting the charging rate and blocking the battery from charging altogether. (Southwest Research Institute, 2020)

Another threat against electric vehicles are so-called “replay-attacks”. A replay-attack is a form of cyberattack based on a network that can be categorized as MITM. This attack can work in different ways, but one example would be to exploit the fact that a device that is connected to a network receives an IP address from a networking device such as a router, which is then used as a way to communicate with said network. In the case of a replay-attack against an electric

vehicle, the router responsible for handing out IP addresses is not the actual EVSE router but one belonging to an attacker. The malicious router intercepts traffic originating from the EVSE router and replays it to the electric vehicle. This way, the EV becomes vulnerable to attacks made by the malicious party that owns the router. (Alfredsson & Brettmar, 2020)

According to Gottumukkala et al. (2019), a man-in-the-middle attack can be launched quite easily in cases where the traffic is not securely encrypted. As mentioned in the part about

“Trusted environments” in 4.1.1, the ISO 15118 standard allows unencrypted traffic to flow in some specific cases. This means that eavesdropping or manipulating traffic with this type of attack may be possible even if the ISO 15118 standard is fully implemented. From a

cybersecurity perspective, this can be an issue that can potentially leave room for malicious parties to influence traffic.

Sometimes these types of attacks do not require the attacker to be present at the scene of the attack, like for example, if malicious code is introduced to a vehicle through a network.

However, some types of attacks are possible when an attacker has physical access to the vehicle.

For example, an attacker may be in close physical proximity to the target and may therefore be able to eavesdrop and manipulate communication traveling between the supply equipment and the vehicle. (Bao et al., 2017)

The use of insecure CAN buses in electric vehicles

CAN buses are commonly used in electric and hybrid-electric vehicles. CAN stands for

“Controller Area Network” and is a bus standard that works by allowing microcontrollers and other similar devices to communicate within a vehicle without the need for a master that handles traffic on the bus. CAN buses were developed by Bosch in 1983 and were built to be a fast and efficient system. This standard is one of the most used regarding automotive communication. It was not designed for cybersecurity primarily but rather for ensuring that communication can happen reliably, which has led to some security holes being present in the system. (Avatefipour

& Malik, 2017)