Cybersecurity Lessons Learned from Vehicle to Grid Engagement
As the transportation industry continues to become electrified, introduction of additional digital devices within associated actions such as recharging bring additional potential for cybersecurity attacks. Devices that are designed, implemented, and operated with cybersecurity as a crucial consideration exacerbate these concerns by failing to provide strict boundaries on access to and use of the equipment. Emerging use cases such as Vehicle to Grid (V2G) charging may expand the potential physical effects of a cybersecurity attack by providing indirect access to electrical components of a building microgrid or portions of the larger power grid. This paper serves as an overview of findings and recommendations based on cybersecurity testing performed at a V2G implementation site operated by a member of the Memorandum of Understanding (MOU) to Establish the Vehicle-to-Everything (V2X) Collaboration [1]. The Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response is a signatory of the MOU, and has funded this research paper and associated body of work regarding V2X cybersecurity. Sandia has a large background of previous research focused on Electric Vehicle (EV) cybersecurity, such as reference [2], which includes an overall survey of EV infrastructure cybersecurity and recommendations based on those findings. This report seeks to expand knowledge of EV cybersecurity status and needs by focusing on a specific implementation of V2G charging, and providing recommendations based on the relevant findings. This report serves as a publicly available, sanitized description of applied vulnerability testing on an operational V2G implementation. A more in-depth technical version of the report is provided to the MOU partner, but not available at the time of writing due to inclusion of proprietary information. V2G charging comes with many research problems that must be solved before the technology can securely implemented in sites with unrestricted public access or where cybersecurity attacks could have increased consequences, such as government offices. V2G charging requires many stakeholders such as end users, host sites, equipment vendors, and integrators, which all rely on operational safety and security as well as security and trustworthiness of any associated financial transactions.