17 November 2019
Government and industry to agree common standards to manage cyber and digitalisation risks.
The digital integration of EVs needs to be delivered by applying a ‘system resilience by design’ approach. This will address and mitigate against both physical and cyber system vulnerabilities which can have far reaching consequences. Efficient and effective safeguards must be in place to ensure clear accountabilities for all market actors, covering data access, privacy requirements and traceability of digital transactions and decision-making to prevent system failures. Cyber security must be ensured regardless of the form of interoperability. Agreeing common approaches to assure cyber security will be an essential task for successful interoperability.
The purpose of smart charging is to modify network electrical load to reduce peak demands and help manage network constraints. The control of this will primarily rest with the CPOs who will potentially have the ability to modulate the output of large numbers of chargepoints. This capability could have potentially damaging impacts if poorly designed and operated, or if it falls under the control of hostile actors. Government must ensure that CPOs are aware of their responsibilities for ensuring the security of their systems. This will require the adoption of appropriate standards dealing with all aspects of the system from the back office to the chargepoint. It will also likely require certification of the chargepoint and possibly other devices in the system. The choice of standards typically follows a risk assessment of the full end-to-end system and can be different for different service offerings. Even for similar systems, it is possible to choose different sets of standards to support cyber security and it is not recommended that a single solution is mandated. Indeed, this is also an area subject to significant international development, so that some standards have not yet been published. However, Government can work with industry to identify a preferred set of standards. Given that the UK is one of many EV markets, as far as possible these should be international standards and be aligned with international best practice. BSI has reviewed standards for smart chargepoints  and this should provide the starting point for this work. Failure to use these standards to ensure their cyber security protection would require the CPO to provide their own risk analysis and justify how they have mitigated the risks. This would have a strong effect in moving industry towards adopting a common approach. Government could also work with industry to put in place any product testing and assurance processes needed to comply with the standards.
It is proposed that:
Government and industry must ensure system resilience by design. This includes ensuring that CPOs are aware of their responsibilities for ensuring the security of their systems. Government with industry should agree a common standards base for cyber security but not mandate a single solution, however, Government should provide support for the preferred set of standards, including device certification.
3 December 2020