This report reveals security gaps at electric car charging points in Switzerland

There are significant safety gaps in Switzerland’s electric vehicle charging infrastructure. This one has that National Cybersecurity Testing Institute (NTC) discovered by approximately 30 operators and manufacturers. A corresponding report was published on Wednesday – here are the most important things.

Where is the problem?

The infrastructure and charging stations for electric mobility are growing rapidly, but the start-ups that drive them do not always invest sufficiently in IT security. This exposes the network to security risks, which can ultimately impact customers.

Between May and August this year, the institute tested the systems of around fifty different manufacturers that are accessible via the internet, as well as the operating systems of eleven charging stations and the backend applications of 23 charging station operators. The result: The public charging infrastructure in Switzerland needs to be improved, writes the NTC. In total, “vulnerabilities” were reported to approximately 30 manufacturers and operators.

Affected companies responded quickly and typically fixed reported vulnerabilities within hours or days, but…

A so-called ‘Vulnerability Disclosure Policy’, as recommended by the NCSC, the federal cybersecurity center, would significantly simplify and accelerate the reporting of such vulnerabilities. The NTC criticizes that this has not yet been implemented at any of the companies contacted.

How dangerous are such vulnerabilities?

One of the biggest risks is using an outdated and unreliable version of the OCPP communications protocol, which is widely used in industry. Manufacturers should only use the latest and more secure version of the protocol, the NTC advises.

The NTC writes about the possible effects:

The cybersecurity testing institute has contacted the affected companies: “No manufacturer or infrastructure operator has reported any damage to us in connection with the vulnerabilities found,” says Tobias Castagna, head of the testing team.

The tests and the final report represent only part of the NTC’s actual work, as informing and advising the organizations involved is an important, time-consuming and invisible part of the entire project effort.

What about Tesla?

As is known, the models of the American company are among the best-selling electric cars in this country. NTC test manager Castagna initially did not want to reveal to inside-it.ch whether Tesla was one of the tested providers.

Reason: They want to prevent a false sense of security from arising. Companies in this sector should not lull themselves into a false sense of security.

However, Castagna confirmed that Tesla was not one of the 30 organizations where gaps were found.

Who investigated this?

The NTC is a non-profit research institute in Zug that is funded by the government.

According to the NTC, the review took place between May and August 2023 and was primarily conducted by a core team of three NTC testing experts. “A total of approximately 90 man-days were spent on research, analysis, testing, documentation and informing and advising the approximately 30 affected organizations.”

The NTC describes itself as a national competence center for independently testing the cybersecurity and reliability of digital products and network infrastructures. According to its own information, the testing and testing laboratory in the canton of Zug works closely with research institutions, private cybersecurity companies and international experts.

In June this year, those responsible for NTC announced that – based on legal advice – they would also unsolicited hack into third-party IT systems to reveal serious problems and security leaks.

Sources

(dsc/sda)