Safeguarding electric vehicle charging key to secure e-mobility

While the “tipping point” in the market for electric vehicles (EVs) will not be reached for some years, continued investments by both new companies and established automotive players promise that EV models will displace internal combustion engine (ICE) vehicles and gain a major share of world markets. A key part of this steady evolution is the development of the infrastructure needed to support EV operations.  

E-mobility will produce fundamental changes to the concept of ownership, maintenance and general usage as vehicles shift away from being a purely mechanical form of transportation towards becoming a hub for services and connectivity, with multiple interfaces between the vehicle owner/user, devices owned by the user, traffic monitoring systems, etc. 

Connected vehicle reference architecture

Reference architecture of a connected vehicle as a communications and service platform.

The importance of infrastructure security

As part of this shift, the emerging infrastructure will need to support new types of secure vehicle accessibility. An important part of this is the required interconnection between vehicles and charging infrastructure.

Since charging stations represent a link between vehicles and the power grid, they are access points that can be potentially exploited by attackers looking to steal personal information, skim payment information, manipulate the grid or gain access to home networks. It is therefore critical to protect vital information against attacks during transactions between vehicles and charge points.

Security considerations must encompass not only the vehicles but also surrounding infrastructure and related ecosystems. To ensure that the e-mobility sector grows, highly secured transactions will need to be put into effect quickly and easily, whether they are performed through apps, mobile wallets or card payments. The charging ecosystem must be able to interface seamlessly between various vehicles, charge station service providers, banks and payment platforms.

Considering the diversity and variety of involved stakeholders, the charging ecosystem presents what security specialists refer to as a large attack surface, which makes its protection a challenging task. The transferred data (personal and payment information) and involved entities (vehicles, charging stations, grid and service platforms) are valuable assets that all require strong security. Combining many-faceted access with protection is well-established in other industries and the approaches proven in similar use cases can be leveraged for e-mobility.

One example is the not-for-profit security collaborative, Trusted Computing Group (TCG), whose industry best practices have been adopted by international standards organizations such as the IEC and ISO. TCG has driven the development and acceptance of the Trusted Platform Module (TPM) specification with the goal of providing both security and ease of access. Among the TCG’s specifications are hardware-based TPMs, which the TCG considers the most secure form, and the security demands outlined above suggest their use to protect e-mobility use cases.

TPMs are now implemented as dedicated semiconductors produced by integrated device manufacturers. Devices certified under Common Criteria (ISO/IEC 15408) against the adopted standard that defines TPMs (ISO/IEC 11889) are resistant to physical attacks and implement security features, including authentication, encryption and other cryptographic functions, that help secure connected systems using protected keys.

TPM 2.0, the latest iteration of the specification, provides a flexible approach to developing solutions for security of the charging ecosystem. Microcontrollers that comply with TPM 2.0 offer levels of tamper-resistance that simply aren’t included in general purpose microcontrollers.

Protection from a range of attacks

The benefits of choosing a TPM based on a discrete secured microcontroller include protection against physical and logical attacks, whether they are malicious or merely potentially disruptive.

One form of protection is a root of trust that implements secured boot at power-up: before code or data stored in an external memory is loaded into the processor’s main memory, it is authenticated to verify that it has not been tampered with. Other forms of intrusion include so-called "side-channel" attacks, which exploit easily accessible information about the system to gain insights. This may include non-invasive techniques such as differential power analysis, which has been shown to be effective in reconstructing data. This is especially important here: because both the vehicle and the charging station are physically accessible, physical attacks must be part of the attacker model.
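As an added illustration of the secured-boot step described above (example code written for this page, not taken from the original article or from any vendor’s boot ROM), the following Go program models an immutable boot ROM that holds an OEM public key and refuses to load a firmware image from external memory unless the ECDSA signature over the image verifies and its version counter is not below the allowed minimum; it then records the image digest in a simulated PCR, the extend-only register a TPM uses to measure the boot sequence. The image layout, the names `BootROM`, `SignImage` and `VerifyAndLoad`, and the firmware strings are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a firmware image as it would sit in external flash: a version
// counter, the code itself, and an ECDSA signature over both.
// The layout is a constructed example, not a vendor format.
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// imageDigest hashes version and payload together so the version cannot be
// swapped without invalidating the signature.
func imageDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignImage runs at build time at the OEM, whose private key stays offline
// or inside an HSM; only the public half is provisioned into the ECU.
func SignImage(priv *ecdsa.PrivateKey, version uint32, payload []byte) (Image, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, imageDigest(version, payload))
	if err != nil {
		return Image{}, err
	}
	return Image{Version: version, Payload: payload, Signature: sig}, nil
}

// PCR models a TPM Platform Configuration Register: it can only be extended,
// never written, so its final value commits to the whole boot sequence.
type PCR [sha256.Size]byte

func (p *PCR) Extend(measurement []byte) {
	h := sha256.New()
	h.Write(p[:])
	h.Write(measurement)
	copy(p[:], h.Sum(nil))
}

// BootROM is the immutable root of trust: the OEM public key, the lowest
// firmware version it will accept (anti-rollback), and the boot measurement.
type BootROM struct {
	OEMKey     *ecdsa.PublicKey
	MinVersion uint32
	PCR0       PCR
}

// VerifyAndLoad authenticates the image before any byte of it is executed.
// On success it returns the payload that may be copied into main memory
// and records its measurement in PCR0.
func (b *BootROM) VerifyAndLoad(img Image) ([]byte, error) {
	digest := imageDigest(img.Version, img.Payload)
	if !ecdsa.VerifyASN1(b.OEMKey, digest, img.Signature) {
		return nil, errors.New("secure boot: signature check failed, image rejected")
	}
	if img.Version < b.MinVersion {
		return nil, fmt.Errorf("secure boot: version %d below minimum %d (rollback)", img.Version, b.MinVersion)
	}
	b.PCR0.Extend(digest)
	return img.Payload, nil
}

func main() {
	oem, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rom := &BootROM{OEMKey: &oem.PublicKey, MinVersion: 2}
	good, _ := SignImage(oem, 3, []byte("SECC firmware v3 (constructed payload)"))
	if _, err := rom.VerifyAndLoad(good); err != nil {
		fmt.Println(err)
	} else {
		fmt.Printf("loaded v%d, PCR0=%x...\n", good.Version, rom.PCR0[:8])
	}
	tampered := good // same signature, modified contents
	tampered.Payload = []byte("SECC firmware v3 (modified in flash)")
	_, err := rom.VerifyAndLoad(tampered)
	fmt.Println("tampered image:", err)
}
```

The signature is checked before the version field is trusted, so an attacker who can write to the external flash cannot influence the rollback decision with an unauthenticated header; a real boot ROM would additionally keep `MinVersion` in monotonic, write-protected storage.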

In addition to securing the access points in a connected vehicle, a TPM also can secure sensitive data generated by modern vehicles. This may include but is not limited to data attributed to vehicle operation and maintenance as well as data attributed to the driver or owner containing personally identifiable information, whose integrity and authenticity needs to be protected.

E-mobility interfaces and reference architecture

The primary actors in the e-mobility charging infrastructure include the EV and the charge point, referred to as the Electric Vehicle Supply Equipment, or EVSE. Within the EV, an Electric Vehicle Communication Controller (EVCC) will negotiate with the Supply Equipment Communication Controller (SECC) over a connection compliant with the ISO/IEC 15118 specification.

E-mobility charging infrastructure block diagram

E-mobility involves other entities beyond the vehicle and the charging infrastructure.

Within the EV, the EVCC will control the on-board charging circuit, provide feedback to the vehicle user through an HMI, and remain in close negotiation with the vehicle’s ECU(s). On the EVSE side, the SECC will negotiate with its own electric energy meter and pass data to the paying unit, as well as have final control over the physical delivery of the electricity drawn by the EV. It will also typically feature an HMI to inform the vehicle user of each stage of the process. At the interface of each of these discrete points, it is essential to provide security through state-of-the-art cryptography to safeguard the user’s data and the integrity of infrastructure.

Security implications

There are numerous examples of how modern vehicles can be compromised through new communication channels. Even third-party technology intended to secure these valuable assets may be susceptible to cyberattacks, allowing attackers to remotely take control of a vehicle, potentially even disabling it while the owner is driving the car.

When considering the e-mobility reference architecture and its various stakeholders, interfaces and communication paths, as well as other forms of communication such as the driver’s smartphone Bluetooth connection or WiFi for other occupants, the potential attack surfaces increase significantly. Thus, a common approach is to route all related traffic through a central ECU, equipped with hardware-assisted security such as a TPM to protect the corresponding assets.

Similarly, the process of charging an electric vehicle at a public charging point must allow for the identification, authentication and safeguarding of information that passes between the charger and the vehicle. This will require cryptography that protects both the charging infrastructure and the vehicles using it.

At a system level, charging stations are also essentially an access port to a large, high-value network: the power grid. Accessing this port could potentially allow access between any of the devices connected to the network. In light of this, highly secured systems are of the utmost importance for every vehicle accessing the power grid. 

Vehicle to grid communications diagram

When charging an electric vehicle, the charging station becomes an access point to the energy grid.

Part of the ISO 15118 international standard is the concept of Plug & Charge. It provides a secured and convenient way of charging an electric vehicle, covering both wired and wireless charging technologies based on AC and DC subsystems. At its core, Plug & Charge is intended to provide confidentiality, data integrity and authenticity, which it achieves through the algorithms defined by ISO 15118 for symmetric and asymmetric cryptography.

Symmetric cryptography describes the process of using a single key for both the encryption and decryption of information. Any system that implements symmetric cryptography dictates that the sender and receiver must both agree on the single key used on both sides of the secured channel. This is used to achieve the confidential exchange of data in a Plug & Charge system.

Conversely, asymmetric cryptography uses two different keys: one for encryption and another for decryption. This technique is used to provide data integrity and authentication within Plug & Charge. Asymmetric cryptography uses what is normally termed a Public key for encryption and a Private key for decryption. There is no intrinsic difference between the two keys; the term Public is applied because it is not critical that the key is kept secret. If the Public key is discovered it can be used to encrypt a message, but it cannot be used to recover or decrypt a message, so only the Private key must be kept secret. Implemented as a tamper-resistant, secured and certified microcontroller, a TPM is able to securely store Private keys. It also includes a true random number generator for generating such cryptographic keys.

In a Plug & Charge application, asymmetric cryptography is used to establish a secured connection, authenticated using digital signatures and allowing a common key to be generated. At that point, symmetric cryptography can be used for all other message exchanges during the charging session to ease processing burden, as the computational effort required for asymmetric cryptography is high relative to symmetric cryptography. The use of both forms of encryption provides the appropriate levels of security without becoming a processing burden.
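To make the two-phase scheme concrete, here is an added example (written for this page, not taken from ISO 15118 or from any implementation) of the pattern the paragraphs above describe: each side signs a per-session ECDH key with its long-term ECDSA identity key, the signatures are checked, a shared AES-128 key is derived, and all further session messages are protected with AES-GCM. The `Party`, `Hello`, `Accept`, `Seal` and `Open` names, the binding of the signed key to the party name, and the SHA-256 key derivation are assumptions of the example; ISO 15118 itself runs this exchange inside TLS, whose key schedule and message formats are not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party is one end of the EVCC<->SECC link: a long-term ECDSA identity key
// (the kind a TPM holds), a per-session ECDH key, and the derived AES-128 key.
type Party struct {
	Name       string
	Identity   *ecdsa.PrivateKey
	ephemeral  *ecdh.PrivateKey
	sessionKey []byte
}

// Hello is the handshake message: the ephemeral public key plus a signature
// over it, so the peer can tell the key agreement comes from the claimed identity.
type Hello struct {
	EphemeralPub, Signature []byte
}

func NewParty(name string) (*Party, error) {
	id, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	return &Party{Name: name, Identity: id, ephemeral: eph}, err
}

// bind ties the ephemeral key to the sender's name before it is signed.
func bind(name string, pub []byte) []byte {
	h := sha256.Sum256(append([]byte(name+":"), pub...))
	return h[:]
}

func (p *Party) MakeHello() (Hello, error) {
	pub := p.ephemeral.PublicKey().Bytes()
	sig, err := ecdsa.SignASN1(rand.Reader, p.Identity, bind(p.Name, pub))
	return Hello{EphemeralPub: pub, Signature: sig}, err
}

// Accept is the asymmetric phase: verify the peer's signature, run ECDH, and
// derive the symmetric session key used for everything that follows.
func (p *Party) Accept(peerName string, peerID *ecdsa.PublicKey, h Hello) error {
	if !ecdsa.VerifyASN1(peerID, bind(peerName, h.EphemeralPub), h.Signature) {
		return errors.New("handshake: peer signature invalid, key agreement rejected")
	}
	peerPub, err := ecdh.P256().NewPublicKey(h.EphemeralPub)
	if err != nil {
		return err
	}
	shared, err := p.ephemeral.ECDH(peerPub)
	if err != nil {
		return err
	}
	k := sha256.Sum256(shared) // minimal KDF; TLS would use its own key schedule
	p.sessionKey = k[:16]
	return nil
}

// aead builds the AES-128-GCM cipher; it fails if the handshake never completed.
func (p *Party) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(p.sessionKey) // nil key -> invalid key size
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one session message (symmetric phase); output is nonce||ciphertext.
func (p *Party) Seal(plaintext []byte) ([]byte, error) {
	g, err := p.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; any modification of the message makes it fail.
func (p *Party) Open(msg []byte) ([]byte, error) {
	g, err := p.aead()
	if err != nil {
		return nil, err
	}
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
```

A session is set up by each side calling `MakeHello`, passing the result to the other side's `Accept` together with the peer's trusted identity key, and then using `Seal`/`Open` for the charging messages; the expensive signature verification happens once, while every later message costs only an AES-GCM operation.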

The entire process is governed by the use of digital certificates, as outlined in ISO 15118 and based on a Public Key Infrastructure (PKI), which describes the way in which digital certificates are created, stored, distributed and eventually revoked by what are termed Certificate Authorities, or CAs.

The digital certificates in Plug & Charge serve the authentication and authorization of the agents involved in the electric vehicle charging infrastructure: the Charge Point Operator, the Certificate Provisioning Service (CPS), the Mobility Operator (MO) and the Car Manufacturer, or OEM.
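The certificate handling described above can be shown with Go’s standard x509 package. The following added example (not the article’s code, nor that of any operator or standard body) builds a constructed two-level hierarchy, a root CA and an intermediate CA issuing a charge-point certificate, and validates the leaf the way a peer would: the chain must end at a trusted root, be valid at the time of the check, and contain no revoked certificate. The CA names, validity periods and the `revoked` set (which stands in for the CRL or OCSP lookup a real deployment performs) are constructed for the example; which CA each of the roles named in the text trusts for which purpose is a deployment decision the example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Authority is a CA (root or intermediate) with its certificate and signing key.
// In production the key lives in an HSM; on an ECU, a leaf's key lives in a TPM.
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func serial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return n
}

// issue signs tmpl for pub with the issuer's key and parses the result.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, issuer *x509.Certificate, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root (parent nil) or an intermediate CA.
func NewCA(name string, parent *Authority, validity time.Duration) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	issuerCert, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuerCert, issuerKey = parent.Cert, parent.Key
	}
	cert, err := issue(tmpl, &key.PublicKey, issuerCert, issuerKey)
	return &Authority{Cert: cert, Key: key}, err
}

// IssueLeaf issues an end-entity certificate, e.g. for a SECC or an EVCC.
func IssueLeaf(name string, issuer *Authority, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, &key.PublicKey, issuer.Cert, issuer.Key)
}

// Validate checks a leaf the way a peer would: chain to a trusted root,
// validity at time now, and no revoked certificate anywhere in the chain.
// The revoked set is a stand-in for a real CRL/OCSP lookup.
func Validate(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, revoked map[string]bool, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if revoked[c.SerialNumber.String()] {
			return errors.New("certificate revoked: " + c.Subject.CommonName)
		}
	}
	return nil
}
```

Note that `Validate` walks the whole verified chain for the revocation check, not just the leaf: revoking a compromised intermediate must invalidate every certificate below it, which is exactly why the text lists revocation as a PKI function rather than a property of individual certificates.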

Summary

A standards-based approach to architecting a secure e-mobility charging ecosystem is defined today within ISO 15118. Implementation of this standard can utilize a tamper-resistant microcontroller such as one certified to TPM 2.0, which plays an essential role in protecting the authenticity of the involved entities, the integrity of the exchanged data and the confidentiality of sensitive information.

An AEC-Q100 qualified TPM, such as the OPTIGA™ TPM SLI 9670, serves as a turnkey solution, including firmware compliant with TCG specifications. It is designed for any ECU that requires strong security, such as telematics control units and gateways. As society moves towards fully electric mobility and the infrastructure needed to support e-mobility continues to develop, this type of TPM will be an essential technology that safeguards both consumers and manufacturers from potential harm.
