Secure use of communications and protocols at charging stations

Posted date 09/01/2020
Author
INCIBE (INCIBE)
communications and protocols

Electric vehicle charging stations have become a common part of our infrastructure: manufacturers' commitment to electric cars is driving their numbers up every day. For this reason, these stations have become a new target for attackers, which poses a risk to manufacturers and users alike.

One of the ways to ensure the security of these devices is to use secure communications that prevent incidents such as exposed insecure services (HTTP, SOAP, etc.) that could allow brute force attacks or code injection. To do so, the use of purpose-built protocols such as OCPP (Open Charge Point Protocol) is essential.

Communications and protocols at charging stations

The Open Charge Point Protocol (OCPP) operates at the application layer of the OSI model and allows communication between electric vehicle (EV) charging stations and a central management system, also known as a charging station network, much as mobile telephones communicate with their network. The protocol began as an initiative of the ELaadNL foundation in the Netherlands, with the aim of creating an open protocol that would allow EV charging stations and central management systems from different vendors to communicate with each other. At the date of publication of this post, the most widely deployed version is 1.6, although the specification of version 2.0 has already been published.

OCPP 1.6 offers two transport alternatives. Alongside the SOAP-based (Simple Object Access Protocol) implementation there is a JSON (JavaScript Object Notation) alternative over WebSocket, which is much more compact. To avoid confusion when referring to each implementation, we will use the names OCPP-S and OCPP-J respectively.

In OCPP-J the connection is established between the central system, which acts as the WebSocket server, and the charge point, which acts as the WebSocket client.


- Implementation diagram of the OCPP protocol -

Operations between the charge points and the central system can be initiated by either side, and each direction follows a different process. When the charge point initiates, the sequence is as follows:

1. Before a user can start charging, the charge point requests authorisation of the user's identifier from the central system by sending an Authorize PDU (Protocol Data Unit) and waiting for the response. The same authorisation exchange is required to stop a charge process.

2. When a charge point is switched on or physically reset, it sends a BootNotification PDU with information about its configuration. The central system answers with one of three statuses:

  • Accepted: the charge point synchronises its internal clock with the central system and may start sending other messages.
  • Rejected: the charge point refrains from communicating with the central system for the retry interval indicated in the response.
  • Pending: the central system sends requests to the charge point to collect more information or change its configuration before accepting it.

3. Transactions and control operations (starting or stopping a transaction, reserving a connector or cancelling the reservation, resetting a charge point, etc.) are carried out subject to the authorisation of an identification tag (idTag).

4. Finally, the status notifications (connector status, diagnostics upload status and firmware update status) provide the central system with remote diagnostics of the components of the charge point.


- OCPP communications diagram -

These are the communications that a charge point can initiate towards the central system; in general, not every one of them is exercised in every charging session.

When communications are initiated by the central system, the process is defined by the following main points:

  1. The central system can reserve a connector on a charge point or cancel an existing reservation by sending the corresponding PDU, and can also change the availability of the charge point or of one of its connectors.

  2. The central system can order a charge point to start or stop a transaction remotely, for example when the user has requested the charge through an app rather than at the station itself.

  3. The central system may request a change in the configuration parameters, expressed as a key-value pair in which "key" is the name of the configuration setting to be changed and "value" contains its new setting.

  4. From the central system it is also possible to perform actions such as clearing the authorisation cache, requesting diagnostics, or exchanging vendor-specific data via data transfer.

  5. When a charge point needs new firmware, the central system tells it where and from when it can download the image. The charge point in turn notifies the central system of each step as it downloads and installs the new firmware.
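As an added example (not code from the original post or from the OCPP specification), the exchanges described in the two lists above can be made concrete with the OCPP-J 1.6 wire format: every frame is a JSON array whose first element is the message type, so [2, UniqueId, Action, Payload] is a request, [3, UniqueId, Payload] its result and [4, UniqueId, ErrorCode, ErrorDescription, ErrorDetails] an error. The Go program below models both sides: a central system that validates the framing and the mandatory fields of BootNotification and Authorize before acting, and a charge point that only accepts replies whose UniqueId matches a request it actually sent. The action and field names follow OCPP 1.6; the sample authorisation list, vendor and model names and the fixed UniqueIds are constructed for the example, and the WebSocket transport is left out so the frames are handed directly from one side to the other.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// OCPP-J 1.6 MessageTypeId values, always the first element of a frame.
const (
	msgCall       = 2 // [2, UniqueId, Action, Payload]
	msgCallResult = 3 // [3, UniqueId, Payload]
	msgCallError  = 4 // [4, UniqueId, ErrorCode, ErrorDescription, ErrorDetails]
)

type obj = map[string]interface{} // a JSON object payload

// frame serialises one OCPP-J frame from its elements.
func frame(elems ...interface{}) []byte {
	b, _ := json.Marshal(elems)
	return b
}

func callError(id, code, desc string) []byte { return frame(msgCallError, id, code, desc, obj{}) }

// CentralSystem holds the authorisation list (idTag -> status) that Authorize
// requests are checked against.
type CentralSystem struct{ tags map[string]string }

// Handle validates one incoming frame and answers with a CALLRESULT or a CALLERROR.
// Framing and mandatory fields are checked before any action code runs, so a
// malformed or unknown request is refused rather than acted on.
func (cs *CentralSystem) Handle(in []byte) []byte {
	var parts []json.RawMessage
	var typ int
	var id, action string
	var req map[string]string // the payloads handled here carry only string fields
	if json.Unmarshal(in, &parts) != nil || len(parts) != 4 || json.Unmarshal(parts[0], &typ) != nil ||
		typ != msgCall || json.Unmarshal(parts[1], &id) != nil || id == "" || len(id) > 36 ||
		json.Unmarshal(parts[2], &action) != nil || json.Unmarshal(parts[3], &req) != nil {
		return callError(id, "FormationViolation", "not a well-formed CALL frame")
	}
	switch action {
	case "BootNotification": // step 2: Accepted carries the clock to sync to and the heartbeat interval
		if req["chargePointVendor"] == "" || req["chargePointModel"] == "" {
			return callError(id, "PropertyConstraintViolation", "chargePointVendor and chargePointModel are required")
		}
		now := time.Now().UTC().Format(time.RFC3339)
		return frame(msgCallResult, id, obj{"status": "Accepted", "currentTime": now, "interval": 300})
	case "Authorize": // steps 1 and 3: the idTag status decides whether a transaction may start or stop
		if tag := req["idTag"]; tag == "" || len(tag) > 20 {
			return callError(id, "PropertyConstraintViolation", "idTag must be 1-20 characters")
		}
		status, known := cs.tags[req["idTag"]]
		if !known {
			status = "Invalid" // tags not on the list are never accepted
		}
		return frame(msgCallResult, id, obj{"idTagInfo": obj{"status": status}})
	}
	return callError(id, "NotImplemented", "unsupported action "+action)
}

type ChargePoint struct{ pending map[string]bool } // UniqueIds of requests still awaiting a reply

func (cp *ChargePoint) call(id, action string, payload obj) []byte {
	cp.pending[id] = true // real stations use a UUID here; fixed ids keep the demo deterministic
	return frame(msgCall, id, action, payload)
}

// receive matches a reply to a pending request and returns its payload. A reply
// whose UniqueId matches nothing outstanding (forged, replayed or duplicated) is dropped.
func (cp *ChargePoint) receive(in []byte) (obj, error) {
	var parts []json.RawMessage
	var typ int
	var id string
	var res obj
	if json.Unmarshal(in, &parts) != nil || len(parts) < 3 || json.Unmarshal(parts[0], &typ) != nil ||
		json.Unmarshal(parts[1], &id) != nil || !cp.pending[id] {
		return nil, fmt.Errorf("reply %q is malformed or matches no pending request", id)
	}
	delete(cp.pending, id)
	if typ == msgCallError && len(parts) == 5 {
		return nil, fmt.Errorf("request %s rejected with %s", id, parts[2])
	}
	if typ != msgCallResult || len(parts) != 3 || json.Unmarshal(parts[2], &res) != nil {
		return nil, errors.New("reply is not a well-formed CALLRESULT")
	}
	return res, nil
}

func main() {
	cs := &CentralSystem{tags: map[string]string{"ABC123": "Accepted", "OLD999": "Expired"}} // constructed sample list
	cp := &ChargePoint{pending: map[string]bool{}}
	boot, _ := cp.receive(cs.Handle(cp.call("b1", "BootNotification", obj{"chargePointVendor": "ExampleVendor", "chargePointModel": "EX-1"})))
	auth, err := cp.receive(cs.Handle(cp.call("a1", "Authorize", obj{"idTag": "ABC123"})))
	fmt.Println(boot["status"], auth["idTagInfo"], err) // Accepted map[status:Accepted] <nil>
}
```

Two checks carry most of the security value here: the central system answers a malformed or unknown frame with a CALLERROR instead of dispatching it, and the charge point drops forged or replayed replies that match no pending request. Neither replaces transport security: without TLS an attacker on the path can still read every frame and substitute a fabricated reply carrying the expected UniqueId.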


- Interface standards for electric vehicles. Source: Implementation of OCPP Protocol for Electric Vehicle Applications -

Threat scenarios

A 2017 paper by several members of the IEEE (Institute of Electrical and Electronics Engineers) set out the possible attacks that could compromise the OCPP protocol:

  • A Man in the Middle (MitM) attack could intercept messages on the communication channel and inject non-legitimate packets, causing any of the following:
    • Information disclosure: reading and/or copying the traffic.
    • Distortion of information such as processes or configurations. This category includes:
      • Energy fraud: obtaining electricity illegally.
      • Network overload: varying the load levels at certain points, which can cause serious problems in the distribution network.
    • Dropping packets, which may produce a denial of service.
  • Redirection of network traffic, causing communications to fail or information to be lost when it does not reach its destination.
  • Threats through web/TCP-IP protocols, when the attacker connects through an insecure protocol the station exposes rather than through secured ones such as HTTPS or FTPS.
  • Advanced Persistent Threats (APT): an attacker could manage to exfiltrate information or gain control of the systems.
  • Byzantine faults (a condition in which a component failure is recorded but without accurate information about that failure), which must be prevented because they can cause failures in the systems the charging stations depend on.

Improved security of charging stations

Scant security at electric vehicle charging stations can cause problems for users, stations and central systems. It is therefore important to be able to identify, through security analysis, the possible attack vectors in communications that use this type of protocol. They can be classified as follows:

  • Physical aspects (hardware) of the charging stations, such as physically breaking open the station.
  • Aspects related to information technology (TCP/IP), both at the charging station and at the backend system. Here we find insecure protocols such as HTTP, and other channels that may be in use, such as mobile telephony, where the data exchange could be intercepted and the information obtained.

Certain weaknesses can be exploited through these attack vectors and cause problems at the charging stations. Among the attacks and weaknesses that would compromise this type of infrastructure are brute force against exposed services, SQL injection, unencrypted communication channels, etc.


- Potential attack vectors. Source: Smart Grid Forums -

It is imperative that the communications between the charge point and the central system are secure so that they do not themselves become an attack vector. The following improvements are therefore recommended:

  • Extend the OCPP protocol with digital signatures for greater security between charge points and central systems. Digital signatures make it possible to verify the integrity of messages along the entire electric vehicle infrastructure chain, however many parties it has: a signature created by a charge point can be verified by anyone holding that charge point's public key, which also confirms that the message came from that charge point and was not altered in transit.
  • Use a PKI (Public Key Infrastructure) to manage the digital signatures and certificates, although this requires more effort from the charge point operator, who has to manage the certificates (issuing, distributing, renewing and revoking them).
  • Use secure transport with TLS 1.2 or higher for OCPP communications, so that the channel is encrypted and the central system (and, with client certificates, the charge point) is authenticated.
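An added example, not code from the original post or from any OCPP specification, of the first recommendation above applied to the energy-fraud MitM scenario from the threat list: the charge point signs the exact bytes of each OCPP-J frame with its Ed25519 private key, and the central system verifies them with the public key enrolled for that charge point before trusting the payload. The envelope format (chargePointId, frame, sig), the charge point identifier CP-0001, the transaction values and the StopTransaction payload are constructed for the example; Ed25519 is used because Go's standard library provides it, not because OCPP prescribes it.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// signedFrame is this example's own envelope (not part of OCPP 1.6): the
// Ed25519 signature covers the exact bytes carried in Frame.
type signedFrame struct {
	ChargePointID string          `json:"chargePointId"`
	Frame         json.RawMessage `json:"frame"`
	Signature     string          `json:"sig"` // base64 Ed25519 signature over Frame
}

// StopTransaction.req payload (subset of the OCPP 1.6 fields).
type stopTransactionReq struct {
	TransactionID int    `json:"transactionId"`
	MeterStop     int    `json:"meterStop"` // meter register in Wh at stop; what a fraudster would lower
	Timestamp     string `json:"timestamp"`
}

// signFrame is the charge point side: marshal the OCPP-J CALL, sign its bytes
// with the station's private key and wrap frame and signature together.
func signFrame(cpID string, priv ed25519.PrivateKey, uniqueID, action string, payload interface{}) ([]byte, error) {
	frame, err := json.Marshal([]interface{}{2, uniqueID, action, payload})
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, frame)
	return json.Marshal(signedFrame{ChargePointID: cpID, Frame: frame, Signature: base64.StdEncoding.EncodeToString(sig)})
}

// verifyFrame is the central system side: look up the public key enrolled for
// the claimed charge point and verify the signature over the received bytes
// before anything in the payload is trusted. Returns the verified frame.
func verifyFrame(envelope []byte, registry map[string]ed25519.PublicKey) (json.RawMessage, error) {
	var env signedFrame
	if err := json.Unmarshal(envelope, &env); err != nil {
		return nil, fmt.Errorf("malformed envelope: %w", err)
	}
	pub, ok := registry[env.ChargePointID]
	if !ok {
		return nil, fmt.Errorf("no public key enrolled for charge point %q", env.ChargePointID)
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("signature is not a valid Ed25519 signature")
	}
	if !ed25519.Verify(pub, env.Frame, sig) {
		return nil, errors.New("signature does not match frame: altered in transit or not from this charge point")
	}
	return env.Frame, nil
}

// acceptedMeterStop signs a StopTransaction as charge point CP-0001, passes the
// envelope through transit (the network path, honest or hostile) and returns
// the meterStop value the central system accepts, or the rejection error.
func acceptedMeterStop(transit func([]byte) []byte) (int, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // demo key pair (nil = crypto/rand); real stations get keys at enrolment
	if err != nil {
		return 0, err
	}
	registry := map[string]ed25519.PublicKey{"CP-0001": pub}
	req := stopTransactionReq{TransactionID: 42, MeterStop: 1250, Timestamp: "2020-01-09T10:00:00Z"} // constructed sample
	env, err := signFrame("CP-0001", priv, "7f3e", "StopTransaction", req)
	if err != nil {
		return 0, err
	}
	frame, err := verifyFrame(transit(env), registry)
	if err != nil {
		return 0, err
	}
	var parts []json.RawMessage
	var got stopTransactionReq
	if json.Unmarshal(frame, &parts) != nil || len(parts) != 4 || json.Unmarshal(parts[3], &got) != nil {
		return 0, errors.New("verified frame is not a well-formed CALL")
	}
	return got.MeterStop, nil
}

// tamperMeterStop plays the energy-fraud MitM from the threat list: rewrite the
// meter reading in transit so that less energy is billed.
func tamperMeterStop(env []byte) []byte {
	return []byte(strings.Replace(string(env), `"meterStop":1250`, `"meterStop":250`, 1))
}

func passthrough(env []byte) []byte { return env }

func main() {
	fmt.Println(acceptedMeterStop(passthrough))     // 1250 <nil>
	fmt.Println(acceptedMeterStop(tamperMeterStop)) // 0 signature does not match frame: ...
}
```

Two design points matter in practice. The signature is computed and verified over the frame bytes as transmitted, so the central system must verify the bytes it actually received rather than a re-serialised copy, which JSON libraries rarely reproduce byte for byte. And a signature proves origin and integrity only: it does not hide the frame from an eavesdropper and it does not stop a replay of an unmodified frame, which is why the TLS recommendation above and the UniqueId and timestamp checks in the protocol still apply.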

All of these security improvements appear in various security regulations and standards that are reviewed and improved over time. For the safety of the conductive charge between the charge point and the car there are standards such as SFS-EN 61851-1 (general safety requirements) or SFS-EN 62196-1 (plugs, socket-outlets, vehicle connectors and vehicle inlets), among others, while for the conductive supply between the charging station and the electrical substation there are several, including SFS 6000-7-722 (supplies for electric vehicles). Besides these, there are others that focus on communications and security.

Conclusion

The OCPP protocol, used in communications between charging stations and the central management system, standardises those communications and so facilitates control over the information exchanged. The protocol should incorporate improvements in its protection mechanisms, such as the use of digital signatures, the use of PKI systems or the hardening of its communications, to deal with future cybersecurity challenges.