Expected Outcome:
Project results are expected to contribute to all the following outcomes:
- A (holistic) architecture integrating cyber-resilient hardware and software modules, such as Hardware Secure Modules considering state-of-the-art cryptographic primitives/technologies (e.g., Post-Quantum Cryptography) to enhance the security, resilience, and robustness of e-mobility systems;
- Implementation and demonstration in a real-life environment of cybersecure e-mobility and system tools based on an open-source framework, and on use cases for testing, verification, and certification;
- Guidelines towards future mitigation plans, such as advanced cryptographic solutions, over-the-air software corrections, etc., for enhanced cybersecurity in a short period of time;
- Guidelines towards a data breach response plan for the ecosystem as a framework that sets out the roles and responsibilities involved in managing a breach;
- Hardened Electric Vehicle Supply Equipment (EVSE) against natural hazards, vandalism and criminal tampering by cyber-attacks and physical intrusion.
Scope:
The system approach to e-mobility entails the interconnection of several e-mobility actors with the technologies (EVs, EVSEs) and e-mobility users, but also the establishment of communication interfaces among e-mobility/energy actors via different ICT systems, front-end and back-end systems. On the one hand, the charging infrastructures should be open and accessible (to everyone, for all users, for all types of EVs, software systems, charging protocols and apps, communication networks) and, on the other hand, they must fully comply with the Cyber-Resilience Act (CRA) by November 2027 and hence be secured from hackers, criminals, and other malicious parties. It is critical to ensure that all these interactions are secured and reliable, also considering the transition of the automotive industry towards the software-defined vehicle (SDV) concept and the continuous Over-The-Air (OTA) software (SW) updates. A cyber-attack on any level of the e-mobility ecosystem may have financial and/or operational implications which might result in wider disruptions, up to a nationwide power outage.
Proposals are expected to address all the following aspects:
- Develop a secure-by-design architecture and secure design principles encompassing all components and direct interfaces with EVs, EVSE, Charging Point Operators and E-Mobility Service Providers (EMSP) within the e-mobility ecosystem[1] considering governance models involving the roles and responsibilities of the different actors;
- Conduct a thorough threat analysis and risk assessment to identify potential security vulnerabilities within the ecosystem, also analysing the security of interfaces with all involved actors (e.g., EV Aggregators, Facility Managers, Flexibility Providers, Distribution System Operators, etc.) when applying V2X services;
- Define a comprehensive penetration testing framework, including reacting against live attacks on EVSE as well as on the vehicle network, covering hardware (HW) and software (SW) components, to uncover potential weaknesses and vulnerabilities, including behavioural aspects such as sub-standard repair or vehicle tampering;
- Implement a shared system of systems testing approach and develop co-designed verification and certification methods (also via Hackathon);
- Demonstrate in a real-life operational environment the use of the framework for testing the cyber security and resilience of vehicles and charging infrastructure, both in isolation and in connection with situations like charging, preparing for charging and payment processing;
- Ensure compliance with existing standards[2] and best practices for the security, resilience, and robustness of e-mobility systems, resulting in more secure systems and making use, where applicable, of generative AI;
- Extend Public Key Infrastructure (PKI) deployment, while considering emerging cryptography threats (i.e., quantum crypto) and exploring solutions, particularly focusing on pre-emptive measures against Post-Quantum Cryptographic attacks;
- Support the set-up and implementation of the EC’s PKI ecosystem governance based on the ISO 15118-20 standard;
- Develop digital twins to help define vulnerable elements of infrastructure and identify measures for risk mitigation;
- Consider the HW/SW elements and communication channels spanning from vehicles to charging stations and the electricity grid as a proactive design to mitigate vulnerabilities across the entire chain;
- Exploitation of synergies with projects related to the Software-Defined Vehicle of the Future[3] is encouraged where applicable.
This topic implements the co-programmed European Partnership on ‘Towards zero emission road transport’ (2ZERO). As such, projects resulting from this topic will be expected to report on the results to the European Partnership ‘Towards zero emission road transport’ (2ZERO) in support of the monitoring of its KPIs.
[1] The cyber security analysis for connected vehicles performed by the European Union Agency for Cybersecurity (ENISA) and Joint Research Centre (JRC) should be considered.
[2] Such as UNECE R155 or UNECE WP.29 (based on an ISO standard 21434), European CRA and the EC’s PKI ecosystem governance and ISO 15118-20, see also Cyber Resilience Act Requirements Standards Mapping - Joint Research Centre & ENISA Joint Analysis — ENISA (europa.eu)
[3] See Call HORIZON-KDT-JU-2023-3-CSA-IA, HORIZON-CL5-2024-D5-01-05 and HORIZON-JU-Chips-2024-1-IA-T3