Charger for electric cars
Photo: Magnus Gotander

Special initiative for improved cyber security in charging stations

The expansion of charging infrastructure is not only driving the transition within transportation. It is also providing hackers with new targets. Accordingly, RISE is launching a special initiative for enhanced cyber security for charging stations in Sweden. 

Within the framework of the EU plan for the green transition, Fit for 55, the EU parliament’s committee on transport and tourism has stated that it would like to see a faster expansion of the charging infrastructure along Europe’s main roads. The goal of having short distances between charging stations and fast chargers entails great business opportunities for charging station suppliers.  

However, before the products can be sold, they need to be tested and certified in compliance with regulations and standards concerning, for example, electrical safety, electromagnetic compatibility (EMC), functionality and electricity metering. They also need to be tested in terms of cyber security. This is to prevent hackers from using the charging stations to gain access to the vehicles being charged or, worse still, to overcharge the vehicle’s battery, resulting in a high fire risk.

“We need to prevent a number of undesirable events and threats,” says Anders Nilsson, research and business developer at RISE. 

Battery storage an exciting feature that entails risks 

RISE can both test and certify charging components in compliance with regulations and standards concerning, for example, electrical safety, electromagnetic compatibility (EMC), functionality and electricity metering. We also offer a special additional service within cyber security — an area that not only attracts innovative hackers, but also faces a range of new regulations. 

Ted Strandberg, a project manager at RISE with a focus on cyber security, has, for example, examined how connected electric vehicles could act as battery storage for the power grid, via the vehicle-to-grid (V2G) system. In future scenarios, this technology is often presented as an important flexibility service.

In practice, a charging station manufacturer or provider could offer such battery storage as backup for the power grid. Vehicle owners would also be able to buy and sell electricity at favourable times. 

“If we consider it in terms of cyber security, there are risks. Imagine if this entire battery storage system was hacked and all vehicles sent power back to the grid at the same time. If you get too far outside the power grid frequency, damage will occur.” 

Multiple cyber security standards 

Strandberg says that RISE is already accredited for a number of cyber security standards and can test compliance with them.

“We’re also preparing to be able to test compliance with the EU’s new cyber security regulations, which will come into force over the next few years.” 

“I also believe that third-party scrutiny offers peace of mind to buyer and seller alike. Buyers feel that they aren’t alone in making their decision. And sellers gain a certificate showing that they’ve done what they can.” 

In recent years, the EU has started to regulate more and more aspects of data use, in the form of data protection, AI and cyber security. Strandberg also mentions the revised version of the so-called NIS2 directive as a further tightening of safety requirements within, for example, transportation and energy.

“The directive states, among other things, that you are obliged to implement incident management procedures. You have 24 hours to report an incident [in Sweden, to MSB, the Swedish Civil Contingencies Agency]. I think this will help create preparedness at companies to handle attacks.” 

Risk management rule breaches can lead to fines 

In the updated directive, companies breaching the risk management rules or failing to submit an incident report risk hefty fines of up to ten million euros, or two percent of their global sales. The GDPR and the AI Act have similar mechanisms. 

Strandberg also mentions the radio directive’s new cyber security requirements, which need to be met to sell products containing radio communication components. This directive includes a deadline of 1 August 2024. 

“Few companies have the opportunity to follow this as closely as we do. Especially smaller companies,” says Strandberg. 

POSSIBLE CYBER THREATS TO CHARGING STATIONS 

  1. A public charging station charges the incorrect fee – you do not get what you paid for. 
  2. Charging station hacked to enable free charging. 
  3. Antagonistic attack wherein someone overcharges the vehicle’s battery, which can cause a fire and/or an explosion. 
  4. The vehicle’s IT system is hacked by using the charging station as a backdoor. 
  5. The charging station causes disruptions to the power grid.

Contact person

Ted Strandberg

Project manager

+46 10 516 60 93


Contact person

Anders Nilsson

Business developer

+46 10 516 54 36
