A record 1.8% of US light vehicle registrations in 2020 belonged to electric vehicles (EV), according to research from IHS Markit, a division of S&P Global. For December 2020, that figure rose to 2.5%, a new monthly record. 

Those numbers represent a small fraction of all vehicles on US roads, but interest in EVs, and purchases of them, have continued to climb amid rising fossil fuel costs and concern for the environment. In the quarter ended March 31, 2022, more than 200,000 EVs were sold in the United States, a new record. And American automotive executives interviewed by KPMG expect more than half of auto sales to be electric vehicles by 2030.

There’s a dark side to this burgeoning interest, however. EVs are connected. They’re like computers on wheels and rival our smartphones for the levels of technology they introduce into the driving experience of many Americans. 

Gone are the days when you could dismantle your muscle car with a suitcase of socket wrenches, an automotive repair manual, and the radio tuned to the sports team of your choice. EVs are complex wonders of technology, indeed.

They come with 21st-century cybersecurity risks that never would have come to mind in the days of AM Top40 radio and roll-down window handles in your car.    

The rising stakes of EV cybersecurity

Connected device technology brings innovation and potential to the future of our roads and how we experience them, but how does that connectivity translate into cybersecurity exposures? Could bad actors hack into the doors, steering mechanisms, and autonomous driving systems of our EVs? Could they hack into our charging stations? 

All these things can be connected, which means the risk exists. 

And those exposures have begun to materialize into exploits. 

In January 2022, a 19-year-old exploited a weakness in a third-party app and was able to start 25 Tesla vehicles in 13 countries, roll down their windows, and blast their radios. The incident was more an annoyance than a dangerous attack, and the flaw sat in a third-party application rather than in the vehicle software itself. Had attackers found a comparable vulnerability in the EV software directly, the results could have gone well beyond mischief: such an attack could affect a vehicle's headlights, brakes, or even steering, potentially while the car is in motion.

Those stakes seem much higher.  

As EV charging stations proliferate across the US and the world, stories of attacks on them are surfacing. On the UK's Isle of Wight in April 2022, hackers manipulated public EV chargers so their screens displayed explicit content from adult websites instead of the operator's official page. In another incident, EV charging stations in Russia were hacked to show pro-Ukrainian messages. More worrying than either defacement is what a large-scale attack on charging infrastructure could do.

Research funded in part by the National Science Foundation considers a scenario in which attackers compromise many charging stations at once and repeatedly switch their load on and off. Beyond the irritation and inconvenience to drivers, a coordinated load oscillation of that kind could stress a regional power grid to the point of failure and cause a blackout.

How can EV cybersecurity be improved? 

Open the hood of any electric vehicle and you will find an ecosystem of components from brands you recognize and some you don't. It is hard to measure any one of those component makers' commitment to cybersecurity. In the future, evidence of that commitment could come in the form of attestations. One model is a first-party attestation, similar to the one created by Section 302 of the Sarbanes-Oxley Act (SOX), under which public-company executives sign off on the accuracy of their financials. President Biden's Executive Order (EO) 14028 could also create a framework for a third-party attestation model, in which an external party certifies the controls of the subject company.

The Growing Need for Software Bills of Materials

While details like these are still being sorted out, recent regulatory developments suggest that manufacturers of connected devices, EVs included, could soon be required to disclose what goes into their products. EO 14028, issued in May 2021 and generally considered a response to the 2020 SolarWinds attack, calls for software inventories, or Software Bills of Materials (SBOMs), as part of its software supply chain security measures.

SBOMs address a key roadblock in improving EV cybersecurity. Without a comprehensive inventory of what lies within your product, you cannot assess its threats and vulnerabilities, let alone mitigate them. You need a quality SBOM, linked with relevant vulnerability, weakness, and exposure data (CVE and CWE records, for example), to improve the security of your own product or that of an upstream supply chain partner. An SBOM is only as useful as its accuracy and that linkage: an inventory that is incomplete, or that is never matched against advisory data, tells you little about what you actually ship.

SBOMs remove some of the mystery behind the vulnerabilities that may be lurking within software, whether it's software that passed through your own product security process, or code that’s come from your software supply chain lifecycle.
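One way to make that linkage concrete, as an added example that is not part of the original article: a small Python script that parses a constructed CycloneDX-style SBOM for a hypothetical telematics control unit firmware, matches each component against a constructed set of advisory records with affected version ranges, and reports the dependency path through which each vulnerable component entered the build. Component names, versions and advisory identifiers are hypothetical; only the JSON layout (bom-ref, components, dependencies) follows the CycloneDX shape, and no real advisory feed is queried.

```python
"""Cross-reference an SBOM against vulnerability data.

Added example, not code from the original article. The SBOM and the
advisory records are constructed: component names, versions and
advisory identifiers are hypothetical. Only the JSON layout follows
the CycloneDX shape; no real advisory feed is queried.
"""
import json
import re
from typing import Dict, List

# Constructed CycloneDX-style SBOM for a hypothetical telematics unit firmware.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "tcu-fw", "name": "tcu-firmware", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "c1", "type": "library", "name": "libtls-example",     "version": "1.1.1k"},
    {"bom-ref": "c2", "type": "library", "name": "json-parse-example", "version": "2.0.5"},
    {"bom-ref": "c3", "type": "library", "name": "can-bridge-example", "version": "0.9.3"},
    {"bom-ref": "c4", "type": "library", "name": "zlib-example",       "version": "1.2.11"}
  ],
  "dependencies": [
    {"ref": "tcu-fw", "dependsOn": ["c1", "c2", "c3"]},
    {"ref": "c3",     "dependsOn": ["c4"]}
  ]
}
"""

# Constructed advisory records. A package is affected when
# introduced <= version < fixed (half-open range, as in OSV-style data).
VULN_DB = [
    {"id": "EXAMPLE-2022-0001", "name": "libtls-example",     "introduced": "1.1.0", "fixed": "1.1.1l"},
    {"id": "EXAMPLE-2022-0002", "name": "zlib-example",       "introduced": "1.2.0", "fixed": "1.2.12"},
    {"id": "EXAMPLE-2022-0003", "name": "json-parse-example", "introduced": "2.1.0", "fixed": "2.1.4"},
]


def version_key(version: str) -> tuple:
    """Split a version into comparable parts: numeric runs as ints, letter
    runs as strings, so 1.1.1k sorts after 1.1.1 and before 1.1.1l.
    Simple ordering; real tooling uses ecosystem-specific rules."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def dependency_path(graph: Dict[str, List[str]], start: str, target: str,
                    seen=None) -> List[str]:
    """Depth-first search for a chain of bom-refs from start to target.
    Returns [] if unreachable; 'seen' guards against cycles in bad SBOMs."""
    if start == target:
        return [start]
    seen = set() if seen is None else seen
    seen.add(start)
    for nxt in graph.get(start, []):
        if nxt in seen:
            continue
        sub = dependency_path(graph, nxt, target, seen)
        if sub:
            return [start] + sub
    return []


def match_vulnerabilities(sbom_json: str, vuln_db: List[dict]) -> List[dict]:
    """One finding per (advisory, affected component), with the dependency
    path that pulled the component into the root product."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    names = {root["bom-ref"]: root["name"]}
    names.update({c["bom-ref"]: c["name"] for c in sbom["components"]})
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    findings = []
    for comp in sbom["components"]:
        for vuln in vuln_db:
            if vuln["name"] != comp["name"]:
                continue
            if not is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                continue
            path = dependency_path(graph, root["bom-ref"], comp["bom-ref"])
            findings.append({"id": vuln["id"], "component": comp["name"],
                             "version": comp["version"], "fixed": vuln["fixed"],
                             "path": [names[ref] for ref in path]})
    return sorted(findings, key=lambda f: f["id"])


if __name__ == "__main__":
    for f in match_vulnerabilities(SBOM_JSON, VULN_DB):
        print(f"{f['id']}: {f['component']} {f['version']} (fixed in {f['fixed']}) "
              f"via {' -> '.join(f['path'])}")
```

Two of the three constructed advisories match. The second one is the interesting case: the vulnerable zlib-example library is not a direct dependency of the firmware at all, it arrives through the hypothetical can-bridge-example component, which is exactly the kind of upstream-partner exposure an SBOM without dependency relationships would hide. Matching on bare package names, as this example does, is the weak point in practice; production tooling keys on package URLs (purl) or CPEs so that a library is not confused with a same-named package from another ecosystem.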

While EV makers face the same pressures as other organizations—speeding time-to-market and reducing costs—it’s important to prioritize the cybersecurity of the electric vehicles to which consumers entrust their lives. That can come through making real commitments to understanding the components that make up their products, as well as the code that makes them run. 

Embracing cybersecurity along the entire supply chain of an electric vehicle's creation means using tools such as SBOMs and binary analysis to see into the components and binaries at the innermost reaches of an EV's technology, and the exposures they carry. It is no longer an option to accept a connected product at face value.

Today, the EV industry has tools that let product security and risk management teams see inside every device that makes up their vehicles. What remains is the time and investment needed to build product security and software supply chain security into their manufacturing processes.