In the rapidly evolving landscape of connected transport, Juha Hytönen stands as a distinguished expert, holding the crucial role of Senior Director of Embedded Security for Connected Transport at Irdeto. His extensive knowledge and experience in the field of connected cyber-physical systems, particularly in the electric vehicle (EV) charging ecosystem, have made him a driving force behind the development of robust and secure solutions in this dynamic industry.
The surge in electric vehicle adoption over the past decade has been nothing short of remarkable. As more consumers transition to eco-friendly EVs, with more than 60% of cars sold being EVs in 2030, the demand for efficient and interconnected charging infrastructure has soared. Juha Hytönen’s expertise is invaluable in navigating the complex landscape of connected transport, where the intersection of critical infrastructure, moving objects, and safety is paramount.
One of the key challenges in the electric vehicle charging ecosystem is cybersecurity. With 96% of public charging stations being connected and reliant on digital technologies, they become attractive targets for cyberattacks. Mr. Hytönen is at the forefront of addressing these cybersecurity concerns and understanding the diverse threats that charging stations face.
One of the most significant threats to consumers is data breaches. Charging stations collect and process a wealth of sensitive information, including payment details. A successful breach could have far-reaching consequences, compromising user privacy and financial security. Mr. Hytönen’s role involves developing robust security protocols to safeguard this critical data, ensuring that it remains protected from malicious actors.
Remote attacks are another area of concern in the EV charging ecosystem. Smart chargers are by definition vulnerable to remote exploitation. Hackers may attempt to compromise the charging infrastructure, leading to service disruptions, energy theft, or even the potential to damage connected vehicles. Juha Hytönen’s expertise is instrumental in fortifying these systems against such attacks and implementing robust security measures to prevent unauthorized access and tampering.
Furthermore, the interconnected nature of the charging network means that a breach or attack on one charging station can have a ripple effect, impacting the entire network, or in the worst case the entire electricity grid. Mr. Hytönen’s role extends to ensuring that the entire ecosystem is resilient and can withstand such threats. This involves implementing secure communication protocols, real-time monitoring, and rapid response mechanisms to detect and mitigate potential attacks promptly.
As electric vehicle adoption continues to grow, so too does the importance of securing the charging infrastructure. Mr. Hytönen recognizes the need for collaboration across the industry to establish best practices and standards for cybersecurity in connected transport. His thought leadership in this area extends beyond his role at Irdeto, as evidenced by his contributions to industry publications and forums.
Beyond cybersecurity, Mr. Hytönen’s work contributes to the overall success and sustainability of the electric vehicle revolution. A reliable and easy-to-use charging infrastructure is essential for encouraging more consumers to make the switch to electric vehicles. By ensuring that charging stations are protected from cyber-related disruptions, he plays a pivotal role in building trust in the EV ecosystem.
The exponential growth of electric vehicles (EVs) has not only revolutionized the automotive industry but has also sparked a surge in demand for a reliable and interconnected charging infrastructure. As this demand continues to skyrocket, it brings along a slew of intricate challenges and cybersecurity concerns that need to be addressed proactively. To gain insights into these challenges and potential solutions, we sat down with Juha Hytönen, Director of Embedded Security for Connected Transport at Irdeto, a distinguished expert in embedded security with extensive knowledge of the electric vehicle (EV) charging ecosystem.
Automotive Industries: Juha, to kick us off, could you provide an overview of the current state of EV charging infrastructure and its importance in the automotive industry?
Juha Hytönen: The growth of EV charging infrastructure is undeniably critical to the widespread adoption of electric vehicles. It serves as the lifeblood of the EV ecosystem, enabling users to conveniently charge their vehicles, which in turn encourages more people to switch to electric transportation. However, this rapid expansion has introduced several challenges, particularly in the realm of cybersecurity.
Automotive Industries: What are the major cybersecurity threats faced by EV charging stations today?
Hytönen: The short answer is that they are exactly the same as for every new connected industry: financially motivated cybercrime that manifests itself as data theft, in particular of payment data, energy theft, and ransomware. Then there is a lot of research discovering vulnerabilities that are not, and one might say will not be, actively exploited. One of the best-known attacks is called Brokenwire. The key concern with cybersecurity for EV charging infrastructure, though, is that they introduce a huge number of devices that are directly connected to the electricity grid, the Internet, and a huge number of electric vehicles. The worst-case scenario for a malicious actor gaining control of a charging network is much grimmer than somebody potentially being able to charge for free.
Automotive Industries: How can we ensure the security of user data in EV charging infrastructure?
Hytönen: First of all, by limiting the data that is collected and shared. If you don’t have it, you can’t lose it, can you? Secondly, we need to apply secure protocols for the data exchange that remains necessary. Plug and Charge is a good example of emerging technology that ensures payment integrity using well-known cryptographic principles, while also making charging more seamless for the end user. Thirdly, the secure protocol is of no use if one of the endpoints is insecure. There are still huge gaps in the security posture of charging infrastructure. For example, the research carried out by the researchers at the Concordia Institute for Information Systems Engineering showed that many EV Charging Station Management Systems (CSMS) contain multiple vulnerabilities allowing for remote attacks.
Automotive Industries: What measures can be taken to prevent remote attacks on charging stations?
Hytönen: It all starts with implementing basic cyber hygiene, such as secure boot, secure storage, and secure communication. Another important aspect is diversification. You cannot have one key to the kingdom, but each charging station, which is effectively a lone asset in a hostile environment, needs to come with its unique identity. The idea here is that even if a malicious actor can get into one station, they cannot use the same credentials to get to all of them. Once the basic cyber hygiene is there, one can start to think of more advanced protections like intrusion detection systems that should ideally be based on behavioral modeling. For example, if a user disconnects and almost immediately reconnects to a charger, how likely an event is that? While it may sound harmless, an event like that at 100,000 charging stations at the same time will most likely cause grid instability or even a blackout. And that’s why both the charging stations and the CSMS controlling them need to be secure.
Automotive Industries: Could you elaborate on the importance of securing the supply chain for EV charging infrastructure?
Hytönen: Supply chain security is a big and controversial topic. Suppliers are often reluctant to share the data that is required to ensure the cybersecurity of their products. We currently lack cybersecurity standardization that is designed for the EV charging infrastructure. This makes second- and third-party verification difficult and at the very least subject to interpretation. It may be a cliché, but your cybersecurity is only as good as the weakest link in your product. Hence, companies should be setting requirements on the expected cybersecurity measures in the parts that they procure as well as the process in which the parts are produced. Naturally, they will also make sure that those requirements are followed. Defining and verifying the requirements is an area where cybersecurity experts can and should be called to help. Over time, the industry should collaborate on a standardized approach.
Automotive Industries: How can the automotive industry and cybersecurity experts work together to address these challenges?
Hytönen: Collaboration is key to addressing these challenges effectively. The key to being successful is speed and forward-looking thinking. For example, we cannot really afford the current three- to five-year standardization cycle. Here the industry can learn from the record-time development of COVID vaccines. If we don’t develop the cybersecurity standards right now, we risk the pandemic of charging stations in the future and waste resources on island approaches and fixing the infrastructure afterwards. Talking about wasting resources, we need a shared view of where the EV industry is going rather than where the internal combustion engine industry has been. EV is not a propulsion revolution but a consumer habit revolution. In Europe, we are wasting millions on retrofitting chargers with credit card readers while they are used in less than 5% of charging sessions – probably the same amount of people that still prefer a keyboard in their phones. The world is moving on at an increasing pace, and despite our fear of change, we need to embrace it.