Secu ecurity rity of EV f EV-charging charging Erik Poll - - PowerPoint PPT Presentation

C-DAX is funded by the European Union's Seventh Framework Programme (FP7-ICT-2011-8) under grant agreement n° 318708

Secu ecurity rity of EV f EV-charging charging

Erik Poll

Radboud University Nijmegen

EV EV ch char arging: ging: th the e good

• d an

and th the e bad ad

• The good: potential for load balancing by scheduling EV charging –
• r even discharging – to match supply and demand
• The bad: need for congestion management - managing EV charging

within limited local capacity of the line NB two verify different reasons to (re)schedule EV charging!

Erik Poll – Radboud University Nijmegen

2

limited capacity

EV EV ch char arging: ging: th the e ugly

• complexity: many parties involved
• big active impact on grid (and grid stability)
• esp. compared to much more passive smart metering

(if smart meters do not have remote off-switch)

• privacy

all the headaches of public transport card & smart meter?

= +

Erik Poll – Radboud University Nijmegen

3

Pa Parti ties es invo volve lved

• DSO (Distribution System Operator):

regional utility company

• EMSP (E-Mobility Service Provider):

electricity supplier with whom EV owner has a contract

• CSO (Charge Spot Operator)

manages Charge Spots for customers of several EMSPs

• Energy supplier

supplied electricity to ESMPs to sell on to its customers

• CSIO (Charge Spot Infrastructure Operator)

performs on-line maintenance of charge spots for CSO

• Some of these roles may be performed by the same company;

precise market model still in flux.

• Billing could involve roaming charges as for mobile phones.

Erik Poll – Radboud University Nijmegen

4

Sm Smar art t ch chargi arging ng – wh whole le pict cture ure

Erik Poll – Radboud University Nijmegen

5

charge spot DSO DSO CSO SO substa station tion

smart meter

ESMP billing cost consideration: does charge spot contain a smart meter of the DSO? OCSP OCPP Mode 3 CSIO

Pr Priva vacy cy

Lots of interesting potential for aggregation, eg

• to bill the ESMP, the CSO only needs to know total usage per ESMP,

not which individual customers are involved

• to bill clients, the ESMP only needs to know total usage of a client,

not where and when this client used this

• to monitor & manage the grid, the DSO only needs to know

(aggregated) usage, not which client of which ESMP is involved

Erik Poll – Radboud University Nijmegen

6

DSO has to manage limited capacity of the line

• Simple solution: fixed max. capacity per house and charge spot
• Downside: inflexible & restrictive, hence requiring huge

investment in thicker cables

• Better solution: do congestion management by varying capacity

available for EVs over time

charge spot

EV EV ch char arging ging – th the e DS DSO p per ersp spectiv ective

Erik Poll – Radboud University Nijmegen

7

DSO DSO substa station tion

smart meter

limited capacity

DSO informs CSO of available capacity, per 15 min. interval

• based on historical data & weather forecast

Major cost saving in required physical infrastructure (ie. cables)

charge spot

Sm Smar art t ch chargi arging ng usi sing ng OCS CSP

Erik Poll – Radboud University Nijmegen

8

DSO DSO CSO SO OCSP OCPP substa station tion

smart meter

Customers of an EMSP can use public charge spots of any Charge Spot Operator.

User authenticated using an RFID card

EV EV ch char arging ging – th the e CS CSO & & EM EMSP SP per ersp spectiv ective

Erik Poll – Radboud University Nijmegen

9

charge spot CSO SO EMSP billing billing

billing

energy gy suppl pplier ier authentication

charge spot

Erik Poll – Radboud University Nijmegen

10

DSO DSO CSO SO OCSP OCPP Mode 3 substa station tion

smart meter

ESMP

charge spot

Ce Centra tral Interoperabil teroperability ity Reg egister ster (C (CIR)

Erik Poll – Radboud University Nijmegen

11

DSO DSO CSO SO OCSP OCPP Mode 3 substa station tion

smart meter

ESMP ESMP ESMP CSO SO CIR CIR DSO DSO DSO DSO CSO SO

Pr Problem lem 1: 1: we weak ak au authentication thentication

• Authentication of customers uses only the serial number of the

Mifare Classic RFID card. This can be eavesdropped & replayed, so cards are trivial to clone

• More general concern: security of Mifare Classic was already

broken prior to the intro of EV charging. Why did nobody pick up on this in the design or before roll-out?

Erik Poll – Radboud University Nijmegen

12

Pr Problem lem 2: 2: lac ack of en end-to to-end end se secu curity ty

The discussion of security in OCPP and OSCP standards is limited

• This is the only mention of security anywhere in OCPP standard,
• n the very last (200th!) page

+ using a standard security solution such as TLS is a good idea – securing this link might not provide end-to-end security we want…

Erik Poll – Radboud University Nijmegen

13

Using secure communication tunnels (and then using standard solutions such as TLS) is a good idea! However, these have their limits.... 1. Concatenated secure tunnels do not provide end-to-end security.

Eg no end-to-end security between A and C below as C will have to trust B!

• so tunnels also do not work for one-to-many communication

2. TLS does not provide convenient non-repudation.

For C to prove to a third party that B sent some data, it would have to log the entire TLS session

Limi mitati tations

• ns of se

secu cure e tu tunne nnels ls

Erik Poll – Radboud University Nijmegen

14

TLS

A B C

TLS

charge spot

Sm Smar art t ch chargi arging ng – se secu curing ing one e link

Erik Poll – Radboud University Nijmegen

15

DSO DSO CSO SO OCSP OCPP Mode 3 substa station tion

smart meter

ESMP CIR CIR

charge spot

Sm Smar art t ch chargi arging ng – se secu curing ing tw two links? s?

Erik Poll – Radboud University Nijmegen

16

DSO DSO CSO SO OCSP OCPP Mode 3 substa station tion

smart meter

ESMP CIR CIR

charge spot

Sm Smar art t ch chargi arging ng – se secu curing ing al all links? s?

Erik Poll – Radboud University Nijmegen

17

DSO DSO CSO SO OCSP OCPP Mode 3 substa station tion

smart meter

ESMP CIR CIR

ESMPs still have to trust CSOs to provide correct data DSOs still have to trust CSOs to provide correct data

Solution: “data-centric” security

• Instead of (better still, in addition to) securing the communication

links, secure the data being sent

• ie. sign or MAC the data
• This does provide end-to-end security, across any number of

communicating parties

• Nice example of this: the ISO15118 standard supports this, by having ,

meter reading signed by both the EV and the charge spot

• Work in progress: pilot by E-Laad on more secure RFID card for

authentication, which will also sign meter reading records for charging session

Erik Poll – Radboud University Nijmegen

18

Co Conclus clusions ions

• Lots of parties exchanging information, incl. billing information and

information important to manage the grid

• Lots of scope for privacy concerns & solutions
• Do use secure tunnels, but don’t assume that this will

automatically provide the end-to-end security needed

• smart grid standard are right to stress end-to-end security,

but precisely what does it mean in a specific context?

• Ie. also secure the data, not just the communication tunnels

Erik Poll – Radboud University Nijmegen

19