Protecting Electric Vehicles and Charging Stations: Allying Cybersecurity Concerns for the Vehicle and the User

By Qiyan Wang

VP of Engineering


By Yueqiang Cheng

Director, Principal Security Architect, Head of Security Research


July 11, 2022


Protecting Electric Vehicles and Charging Stations: Allying Cybersecurity Concerns for the Vehicle and the User

The International Energy Agency has predicted that there may be as many as 125 million electric vehicles [EV] on the road by 2030. Some consortiums and experts believe that to be a conservative number, and might be more than 200 million.

As the EV market continues to develop and mature, and consumers continue looking for vehicles that don’t rely on fossil fuels and don’t hit their wallets as gas prices fluctuate, more charging options are needed, whether at home or on the road. Fast chargers are being built around the world, with British Petroleum and the Volkswagen Group recently partnering to install 4,000 EV fast chargers in Europe. These chargers will be connected to a low-voltage grid, which reduces the need for dedicated substations and pricey construction, which are considered the main hindrances to the expansion of charging stations worldwide.

As more charging stations get built for the growing EV market, the vulnerabilities of being hacked at these charging stations rise. Charging stations are potential targets because they’re connected to the internet and communicate with the cars, leaving both station and vehicle vulnerable to hacking and security concerns. As a result, cybersecurity for EVs has become a very important topic, which means EV manufacturers and industry-related partners need to work harder than ever.

With new technologies being engineered into electric vehicles, security factors need to be placed front and center. There are too many opportunities and entry points for vulnerabilities. Moving from analog fueling [gas/diesel] stations to electric charging stations is a security issue that needs to be addressed.

All vehicles, including internal combustion engines (ICE), have potential security risks, but smart vehicles have an advantage. They’re designed and built with powerful hardware and dedicated software to give the protection needed to the vehicles and the drivers.

As a pioneer and leading manufacturer of premium smart electric vehicles, NIO has listened to their users’ concerns and implemented an infrastructure to reduce security risks in their vehicles to protect their cars and users.

To do that, NIO’s cybersecurity team uses SeL4 technology to provide an even more secure solution to its cars and charging stations. A secure system originally used by BlackBerry, SeL4 is also known for its secure QNX Neutrino real-time operating system with many application areas.

What is Sel4? SeL4 is an operating system microkernel. Unlike application software, the SeL4 OS has exclusive access to a more privileged execution mode of the processor (kernel mode) that gives it direct access to hardware. Applications only ever execute in user mode and can only access hardware when allowed by the operating system.

SeL4 technology provides a secure foundation to answer the growing questions and need for cybersecurity safety and confidence. It offers an assurance for the security of smart vehicles, and through NIO’s Firmware Over the Air (FOTA), it can continuously upgrade the system to fix the security vulnerabilities and minimize cyberattack risks. 

This is a way for EV manufacturers to ensure that security isn’t compromised at any level, from pre- to post-production of a vehicle. It’s not just one vehicle that is at risk when security is breeched, it can go from a single car to the charging station, which leads to a network of vehicles, to even an electrical grid.

Manufacturers need to actively defend, discover, and protect potential and existing threats and attacks, either with investments in-house or with a reliable third-party that can help monitor cybersecurity threats. Security becomes essential in hardware and system design. NIO actively builds and improves the Simple DirectMedia Layer [SDL] platform to improve its code quality, and has built out an organizational structure to support these emerging threats.

A FOTA system can download data packets over a wireless network to update a system. NIO is currently the only car company that has developed a full end-to-end FOTA rollout entirely in-house. As a result, NIO’s FOTA can continuously upgrade the system, provide convenience and comfort to its users, fix security vulnerabilities, and improve smart EV security and practicality.

To minimize the cyber-attack risks of FOTA, NIO built its CodeSec platform, which checks the code quality, scans for security vulnerabilities, and tests de-fuzzing and penetration. Improving the design and using hardware and system resources will be essential for security in smart vehicles. NIO generally uses hardware as a Root of Trust (RoT) and accelerators to provide trusted environments. For system resources, NIO leverages these to build computing systems with data protection, access control, and threat detection and response, among others.

To defend the various charging methods, NIO offers multiple layers of protection. For example, for public charging stations provided by NIO or NIO’s partners, once the auto-authentication and payment feature for charging is enabled, a token is signed by the vehicle, and the vehicle identity sends it to the charging station. This data is then sent from the charging station to the charging station cloud to validate the sign and vehicle ID to confirm this automatic charging request’s authentication. This authentication design is already considered one of the international standard requirements.

Only authenticated cars know the hidden WiFi in a Power Home (the company’s home charger), with its unique password. NIO supplies a certificate-based mutual authentication scheme to authenticate the car and the charging station. A cloud-based server will also issue a token signed by NIO public key infrastructure (PKI) and send to the charging station through the car for further authentication.

Ensuring information and data are secure and well-protected should always be one of the top priorities for any manufacturer. Automotive cybersecurity will continue to expand as more and more electric and connected vehicles are on the road.

Today’s smart cars have powerful, modern hardware devices and software systems, which gives EV manufacturers, including NIO, enough space to deploy more advanced security defense mechanisms. However, though the challenges and opportunities coexist, they need to constantly improve the design and make full use of hardware and system resources for vehicles’ – and owners’– security and peace of mind.

Experienced Researcher and tech leader with a demonstrated history of working in the EV industry. Skilled in-vehicle security, autonomous driving security, and data protection. In addition, Yueqiang is in charge of cybersecurity regulation, such as WP29 and ISO 21434, etc. Strong research professional with a Ph.D. focused on System Security, software security, data protection, and hardware security.

More from Yueqiang