EVs rev up cybersecurity challenges


Without a meaningful way to secure and insure the electric-vehicle infrastructure, EV owners, charging stations and fleet managers are vulnerable to hackers.

Even as the Biden administration recently reaffirmed its commitment to electric vehicles (EVs), questions linger about the ability of charging infrastructure and the vehicles themselves to cope with a cyberattack.

If charging stations are deemed critical infrastructure, that could make the challenge even greater, especially as states add them to public property.

Many state and local agencies carry cybersecurity insurance to insulate themselves from some of the financial costs of an attack on their IT systems, but insurance to cover EV and charging stations is relatively unexplored territory.

A recent report from the IBM Institute for Business Value touched on these new cybersecurity risks and the implications for insurance. The report said that “software-heavy” EVs and their charging stations are in constant communication with other vehicles and the world around them, and while software updates can be delivered quickly to patch security gaps, the large attack surface “lights up the radar of cyber criminals.”

The report also noted that the “effects trickle into the insurance industry as well, as they struggle to assess an unfamiliar set of risks and losses.” An IBM spokesperson did not respond to requests for further comment. Mike Hamilton, chief information security officer at cybersecurity-as-a-service company Critical Insight, agreed that the lack of precedent is troubling for the future of insurance.

“The bigger issue is … how are we going to figure out how to price this insurance based on risk, when we do not have the benefit of 200-year-old actuarial tables the way we do for everything else?” he asked. “That's what they need to figure out.”

Dan Leja, a vice president at risk advisory and insurance firm Horton Group, who has already written extensively on the cybersecurity insurance issues associated with EVs, also noted the stakes for local governments that manage and insure their own fleets.

If local governments remain intent on electrifying those vehicle fleets, ensuring they have appropriate insurance against a possible cyberattack must be “top of mind,” Leja said, especially if they rely on self-insurance for vehicles operated by employees, as some do.

“If [governments] are pushing out an incentive or a government initiative to go electric, are you taking into consideration the cyber exposures related to this, and are there enough case studies that [governments] have reviewed where [the EV fleet] could potentially cause more of a threat than a benefit?” Leja asked.

It might be necessary for the federal government to step in through legislation and insure against major cyber incidents, as Congress did after the Sept. 11, 2001, terrorist attacks. The resulting Terrorism Risk Insurance Act created a program that provides for shared public and private compensation for certain insured losses after a terrorist attack and has since been reauthorized several times.

Leja said expanding that scheme, offered by every insurance provider for an additional premium but optional for the insured parties, could help protect EV companies and charging station providers from massive losses in the event of a debilitating attack.

“If you want to be proactive and cover your organization in the event something like this happens, you purchase it. If you want to decline, you decline it,” he said. “But if something happens, you're at risk where the government's not going to step in and help you out,” unless you’re covered, Leja added.

That is especially pertinent given the lack of profitability in the auto insurance marketplace. Meanwhile, cyber insurance premiums have also been rising, leaving around half of municipal governments with inadequate coverage. That could produce a perfect opportunity for greater federal intervention, Leja said, especially given the amount of customer data at risk.

In a bid to get the issue under control, insurance companies and EV manufacturers could standardize best practices as a way to assess their cyber risk, said Loney Crist, senior vice president of cybersecurity software development at technology company IPKeys Cyber Partners. 

That includes making sure that cars are fully current on their necessary software patches and updates, something that could be tracked in the same way that insurance companies use telematic devices to make sure a policyholder is a safe driver.

“At some point, I think insurance companies will be able to look and see if you're doing best practices to maintain that technology because it's very vulnerable,” Crist said. “There's going to be some way of going through and making sure that you're not allowing things to be plugged into [the EV ecosystem] and affecting it.”

Just as insurance companies will need to keep track of cars’ software to ensure they are secure, the charging stations will also be subject to continuous monitoring so that insurance companies can “really understand the risk,” Hamilton said. Any self-assessment that charging providers fill out to document risks “ain’t gonna do it,” he said.

Despite the concerns over the cybersecurity of EVs and their charging infrastructure, observers said it will likely take a major cyberattack or other incident to truly focus leaders’ attention on ensuring the technology’s safety. Hamilton drew a parallel with investments in pipeline cybersecurity, which greatly increased after the Colonial Pipeline attack, describing the thinking as “management by landmine.” Crist agreed and also noted the parallels with pipeline cybersecurity.

“If [an attack] can take the grid down because of the way that [hackers] are attacking the charging stations, or if they could create a massive pile up because they took advantage of a car and caused it to kill a bunch of people,” Crist said, that would make it a bigger issue for elected officials and force them to act. “That's when things kick in,” he added.
