The electric vehicle (EV) market is growing, and with it the number of EV charge points. The UK now has over 42,000 charge points, with installations expected to grow rapidly by 2030 when it is expected 300,000 public chargers will be available. EV charge points rely on IoT connections to exchange operational, performance, even payment data. To protect EV charging infrastructure and the data it exchanges, those IoT connections must be resilient and highly secure.
Cellular IoT connectivity is ideal to connect EV charge points – it is flexible, scalable and can support rapid implementations. However, charge point operators (CPOs) and original equipment manufacturers (OEMs) must ensure their solutions are ‘secure by design’ because cyberthreats pose a risk to service continuity and data privacy.
Why EV charge points need robust IoT security
IoT-connected EV charge points exchange a range of important, and often sensitive, data. This includes usage data that CPOs monitor to understand the load on the grid and predict peak charging times. CPOs also gather performance data so they can plan maintenance. Public charge points also exchange data to process customer payments.
As the country’s EV charging network expands, so it becomes part of critical national infrastructure, supporting sustainable transport initiatives and enabling consumers and businesses to go about their daily activities. As sectors, including healthcare, enact green strategies they will turn to electric power for their vehicles and EV charge points will become essential for rapid response vehicles.
The criticality of the service, and the sensitivity of the data, makes EV charge points vulnerable to cybersecurity threats that could disrupt ongoing operation or jeopardise the confidentiality of customer data.
Three-part IoT security: defend, detect and react
Comprehensive IoT security defends against cyberthreats, detects anomalies that could indicate an attack, and reacts when needed through swift action designed to protect data and assets:
Defend
Defence mechanisms are designed to manage the attack surface of IoT devices, such as those in EV charge points. The goal is to prevent unauthorised device, cloud infrastructure or data access.
Defence tactics include allocating unique device identities, keeping security credentials private, authenticating devices and users, communicating securely, keeping software up-to-date and complying with relevant regulation.
It makes sense for companies building their defences to start with IoT SAFE (IoT SIM applet for secure end-to-end communication), which is an industry-wide security standard. The IoT SAFE applet is installed in the SIM card and can be configured remotely once the device is commissioned. It then creates cryptographic keys so that it can establish a secure connection with the target application cloud or server.
Detect
A robust defence is critical, but it isn’t sufficient to have these mechanisms in place and assume that will be enough. Detection is vital for IoT security too because devices, networks and data traffic must be monitored to check that all is well.
A very sobering statistic underlines the importance of this. According to IBM Security/Ponemon Institute, it takes on average 212 days to detect a data breach. Until incidents are detected, attackers have time inside breached systems, gathering information and/or causing disruption.
To mitigate that risk, detection centres around identifying anomalies or abnormal behaviour. It relies on usage-based insights and analytics.
React
Should an issue be detected, reaction mechanisms can kick in. When companies plan IoT security at the design stage, implement accordingly, and rehearse potential incidents, they prepare themselves to react. That preparation and rehearsal gives them a vital edge in minimising damage.
Reacting includes quarantining and cleaning affected devices, meeting incident reporting obligations and applying corrective actions across systems.
IoT security extends to people and processes
This three-part IoT security approach encompasses a range of technology capabilities and standards, all of which are important to defend, detect and react in the face of cyberthreats. However, companies must also ensure they don’t neglect processes and people.
The goal across the board is best practice, and that must extend to employees’ actions and behaviours too as these also contribute significantly to security risk level. After all, ransomware, malware and man-in-the-middle attempts often target individuals within organisations.
To mitigate this risk, companies must have robust security policies and processes, designed with security in mind. Suppliers need these too, as their involvement contributes to an IoT solution’s overall risk. Therefore, companies should mandate security measures and processes for the third parties they work with, and ensure these are followed.
EV charge point security is essential to protect users, companies and charging infrastructure. As CPOs, and their IoT partners, ramp up provision of the EV charging network they must ensure solutions are secure by design. A three-part approach to IoT security will help defend assets and data against cyberthreats, detect anomalous activity that could indicate a breach or attack, and react to incidents to minimise their impact.

Justin Godfrey-Cass is Head of Transport Solutions at Wireless Logic, a company featured in ‘The Sunday Times Microsoft Tech Track 100 and Deloitte Technology Fast 50. Headquartered in Hurley, Berkshire, UK with country offices in France, Germany and Spain