The Electric Vehicle (EV) Council has recently appealed to the Australian federal government to exclude EV charging stations from the Security of Critical Infrastructure Act (SoCI) regulations.
These regulations currently apply to sectors such as defence, telecommunications, energy, water infrastructure, and data processing/storage. Industries that fall under SoCI must comply with risk management regulations and mandatory cyber security incident reporting, among other obligations.
In a submission to the federal government’s recently released 2023-2030 Australian Cyber Security Strategy Discussion Paper, the EV Council expressed interest in “legislative reforms being considered by the Government that may introduce regulatory obligations for operators of EV charging infrastructure”, which would include those assets in the scope of SoCI.
While the council does not believe that EV chargers will be specifically regulated under SoCI, it is concerned that they could inadvertently be included if the government expands the scale of electricity assets covered by the legislation. The council argues that the number of EVs on the road in 2030 is unlikely to reach a level where malicious action or operational disruption could significantly compromise the energy system.
“While EV uptake is increasing, the number of EVs on the road in 2030 is unlikely to reach a level where concerted malicious action or operational disruption could compromise the energy system in a significant way,” the submission said.
“The premature inclusion of EV charging infrastructure in the SOCI framework would instead increase the compliance burden for industry and impede EV uptake, compromising our ability to achieve national emissions reduction targets.”
The submission suggests instead that the government develop “a set of minimum standards for EV charging infrastructure”.
Those standards could outline cyber security strategies to protect customer data, and protect charge networks and the grid against disruption or harm by cyber-attacks.
Australia could, the council said, draw on the US National Highway Administration’s National Electric Vehicle Infrastructure Standards and Requirements, which was finalised in February 2023.
Note: The EV Council is discussing public charging stations, not home EV chargers.
What do you think?
Should public EV chargers be included in the Security of Critical Infrastructure Act (SoCI) regulations? Let us know in the comments.
Are the options only binary, either in or out? Or could infrastructure be included but given a scaled/stepped approach to regulations with stricter standards coming into effect as time passes or other thresholds are reached?
Are potential threats to or via EV chargers even understood?
Ultimately stricter, safer levels are preferable to an open vulnerable system.
Perhaps if the charging station network would “never” in future be used by official EV vehicles (police, first responder, etc.) or mid to large-sized vehicles used in the distribution of critical goods (food, vaccines, antibiotics and other medical goods, etc.), then it might be argued you could exclude the EV network during its early years.
HOWEVER, why allow *any* type of infrastructure to be built with potentially weak links? It only takes one access point – that’s the inherent nature of a network. Look at the telecommunications network in the USA where they are now having to remove potentially vulnerable equipment at significant cost.
Even before 2030 the EV network will have access to personal payment data of owners so why should this network be any less secure? I’m sure the people who can afford early EV adoption would disagree that *their* data should be treated more casually before 2030 than after some unknown threshold of EVs is reached.
And if the EV Council feels it is unlikely there will be any vulnerability, then they shouldn’t worry about a regulatory burden. No incidents? No need to submit paperwork…
It is vested interests with, perhaps, the desire to squeeze every dollar out of an industry during the ‘new frontier’ period that want as little oversight or accountability as possible. That is nothing new.
But it would be sheer insanity or, perhaps, incompetence for the government to insist on anything but the most secure equipment and secure network environment with the requisite reporting requirements and penalties.
This is infrastructure that will span the nation – get it right and build in all possible levels of security from the start. Building in standards, reporting and accountability is a key step.
Agreed. And I fail to see the logic that “The premature inclusion of EV charging infrastructure in the SOCI framework would instead increase the compliance burden for industry and impede EV uptake,…”
Impede EV uptake?
I don’t know about others but with the recent failures of Optus, Medicare and Latitude I think anyone who holds your personal data should be subject to cybersecurity regulations. Also public charging infrastructure will be critical to the transport sector by 2030. I think once providers reach “critical mass” then ensuring a single bad actor can’t take down every charger in their network would only seem like a sensible precaution.
Vehicle refuelling infrastructure is critical infrastructure. An opponent able to cripple vehicle movement has won a significant battle.
Refuelling infrastructure is a prime target so must be hardened against attack, to the best of our ability.
Sounds like a bad idea. Very large loads attached to very expensive assets sounds like a good target.
Let the pioneers have their cake and eat it, I’d suggest. It seems both simple and essential to include public EV chargers at the highest security level contemplated, but allow staged implementation of compliance with measured milestones each year for 5 years to full compliance. The first year’s implementation ought minimally be a well researched and fully documented plan for the remaining four stages, outlining the hardware and software products to be used, the scope of any in-house or outsourced development work needed if a complete turnkey solution is not ready to go.
A regularly updated project management Gantt chart, showing tasks, deadlines, milestones (including system test results), and resourcing allows supervision of the substantial investment in providing a robust and reliable replacement for the lifeblood of our national economy; interstate and local transport of much of our food and vital goods, as well as allowing workers (including essential services) to go to work. Fire & ambulances, anyone?
We’ve had the government, corporate greed, & the RBA create inflation, then smash home ownership aspirations and ability to feed our kids, as a solution. We pay through the nose for gas for no other reason than windfall profits for foreign corporations and government gutlessness. “Generously” allowing mentally retarded essential EV infrastructure can have only one purpose; to ensure that an “unfortunately and unavoidably unidentifiable” group can render the whole nation’s EV fleet useless, so that ICE and dinosaur juice can be given a few more years of exploitation, due to the cataclysmic loss of confidence in the uselessly unreliable newfangled contraptions.
Let us not blindly stumble into a carefully planned “accidental” economic debacle with additional climate consequences.
At the very least: Those who fail to plan, plan to fail.
That is a fact in real life, especially when things get a little bit complicated.
Make sure you can charge from PV at home.
Bad idea EV Council
1. Oh it’s not a problem right now so let’s wait until it IS a problem then open discussions, then decide on some standards then implement them all the while leaving the infrastructure exposed. If you (EV council) are going to be this complacent why not just put a sticker on each charger that says “Please do not hack” and have done with it?
2. Security should be BUILT INTO the product not bolted on later as an afterthought when it will never work as well as it should.
3. What happens to all the chargers rolled out before the EV council pulls its head out of the sand once it decides there is (and always has been) a threat? A years-long upgrade program costing millions to bring things up to the standard they should have been all along. Sound familiar… NBN?
4. What is the upside of waiting? Genuine question? Will it save money in the short term? What about the upgrade costs mentioned in point 3 once EVC wakes up or a “bad thing” happens?
5. Security threats are a genuine danger (a threat) regardless of whether they actually occur or not. Don’t wait to get stung and then “sincerely apologise for any inconvenience”. Banks getting hacked is a threat and banks take proactive measures to avoid this, they don’t wait until something bad happens.
Fingers out EVC (please)
110% they should be in. We already have cyber security risks from Solar (think Huawei inverters). We can’t let the same risks infect our EV charger networks.