Electric car chargers will have to include secure boot and automatic network disconnection if unsigned software runs on the smart devices – but only from 2023, the British government has said.
New security requirements for smart chargers won’t be enforced until the last day of this year, according to government papers reviewed by The Register.
While those changes are positive, and help protect against a deliberate cyber attack or a drive-by malware infection, the Electric Vehicles (Smart Charge Points) Regulations 2021, passed in December, gives industry a whole year before it has to meet the standards.
Schedule 1 of the regulations sets out the cybersecurity requirements new car chargers will have to meet and there’s little to complain about there: secure boot; only running signed firmware; automatic checks for software updates; and a ban on “hard-coded security credentials.”
This is all in line with the Product Security and Telecoms Infrastructure Bill’s general approach to Internet of Things (IoT) device security. Yet there’s a hole in the smart charger regulations with the 12-month grace period.
A government consultation carried out last year said “many of the legislative requirements are already being met by UK industry.”
Current electric car chargers, however, aren’t required to comply with mainstream cybersecurity standards. Last year there was a minor kerfuffle after infosec firm Pen Test Partners revealed just how poorly secured some chargers are, including at least one that was based around a Raspberry Pi.
Thus we see the government statement: “Compliance with cyber requirements may require a longer timeframe, to ensure that the supporting changes can be implemented by industry.”
Designing a secure product does take time and effort, though the 12-month grace period could lead to a year of free-for-all installing of substandard chargers to beat the deadline.
Clearly UK.gov reckons that’s an acceptable trade-off to bridge the gulf between 2030’s planned ban on new conventional cars and the state of electric car infrastructure today – whether properly secured or not. ®