Arjun Ramadevanahalli is an associate at Morgan, Lewis & Bockius.
The rapid adoption of electric vehicles is unleashing pent-up demand for charging infrastructure. The Department of Energy’s National Renewable Energy Laboratory, which tracks quarterly growth of EV charging infrastructure, has observed steady year-to-year growth in public electric vehicle supply equipment, or EVSE, ports. NREL estimates that the country will need to deploy about 200,000 DC fast charging EVSE ports (150 kW or greater) and about 1 million Level 2 public EVSE charging ports to support the over 30 million EVs estimated to be on the road by 2030. This growth presents a golden opportunity for those in the industry, but it also presents unique risks from a cybersecurity perspective.
The confluence of digital devices in the EV ecosystem presents a target-rich environment for cyber criminals. EVSE involves multiple interconnected platforms, connections to electric grid infrastructure, and exchanges of operational and customer data, all spread over a wide geographic footprint. A large-scale compromise of grid-connected EVSE could cause electric distribution system disturbances by manipulating load patterns or system voltage. Threat actors could also introduce malicious software to a customer’s EV by first compromising an unsecured charging station to which that EV eventually connects.
Mitigating those cyber risks effectively starts with the supply chain. Suppliers and purchasers must ensure that procurements for EVSE and related services contemplate cyber risks over the life cycle of their projects. The good news is that the industry and federal partners have recognized the need to reinforce cybersecurity at the contracting stage — the Joint Office of Energy and Transportation recently released guidance on cybersecurity procurement language. Suppliers and purchasers should consider the following guiding principles as they build out EVSE.
Begin risk mitigation during the procurement stage
Purchasers evaluating EVSE vendors should engage in cybersecurity risk mitigation activities with a risk assessment of the vendor. A vendor risk assessment typically involves some review of the vendor’s security controls, reputation, procedures and broader cybersecurity program with the goal of assigning a risk rating to the desired procurement. The risk assessment can help identify vulnerabilities or potential risks posed by the vendor and determine whether the purchaser can adequately mitigate those risks on its own or through contract provisions. Vendor risk assessments can also be used by purchasers on an ongoing basis, or through a third-party inspector, to evaluate the vendor’s cybersecurity posture.
Balance cyber risk and liability in supply contracts
Parties to EVSE contracts will need to strike the correct balance between cyber-risk sharing and managing potential liability for cybersecurity incidents. Vendors in the technology space often provide products under contracts that limit or fully disclaim liability. However, momentum is building to change that balance and require vendors to bear cybersecurity liability for unsecure products and services. Shifting liability upstream to vendors and suppliers was a key objective in the White House’s National Cybersecurity Strategy released earlier this year, which observed that “[r]esponsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.”
Purchasers of EVSE should use available tools — such as the risk assessment described above — to carefully weigh the cyber risks of an engagement and determine the appropriate share of cybersecurity liability. At a minimum, contracts should address scenarios in which the supplier is responsible for liabilities resulting from cybersecurity incidents or failure to meet the requisite standard of care.
Push for secure-by-design principles
Companies that are building their own charging networks, or contracting with others for that work, should incorporate cybersecurity considerations through the EVSE lifecycle to ensure that the product is “secure-by-design.” In engineering parlance, “secure-by-design” refers to a product that has been designed to be as foundationally secure from vulnerabilities as possible. Off-the-shelf products in the marketplace today are not designed with those principles in mind and can be deployed with significant security vulnerabilities. Purchasers and suppliers will need to pay particularly close attention to the cybersecurity risks across the entire lifecycle of EVSE — from conception to decommissioning — posed by hardware and software in their supply chains to avoid issues down the line.
Purchasers and suppliers should consider tools to improve transparency and foster secure development practices. Parties can negotiate on accepted secure design practices and standards to guide the work. Parties can also rely on tools, such as hardware and software bills of material, to inventory each component of EVSE to help ensure the integrity of the hardware and software it contains.
Effective cyber practices in post-transaction services
Purchasers that buy or lease EVSE will often require some degree of ongoing support under a long-term services agreement or similar arrangement. Contracts for these services should cover baseline cybersecurity practices, such as incident response, breach notifications, and vulnerability management (e.g., antivirus signature updates). The ongoing interactions between service providers and subcontractors with the purchaser’s EVSE also introduces multiple touchpoints that present unique cyber risks. Remote access is one example.
Purchasers should limit the availability of remote access where possible and ensure that the service provider is only allowing authorized personnel to perform work under the service agreement. The purchaser should also ensure that any obligations agreed to by the service provider, such as background checks for their personnel, will “flow down” to the service provider’s subcontractors performing the work as well.
There is no “silver bullet” that guarantees perfect cybersecurity, and contracts will not mitigate all future risks in the fast-moving EVSE industry. But careful planning at the procurement stage can save entities headaches in the future and help unleash the full energy potential of the EV ecosystem.
