The ISO 15118-2 standard provided a Plug-and-Charge method for EVs, but questions remain about the convenience feature’s security protocols. (BMW)

The ISO standard for electric-vehicle “Plug-and-Charge” faces security concerns

The dispute is about how digital security certificates are exchanged between automakers, chargepoint facilitators and mobility operators.

In 2010, a joint working group of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) started contemplating how the equipment used by two goliath industries, automotive and electric utilities, would “talk.” The resulting standard was ISO 15118, entitled “Road Vehicles – Vehicle to Grid Communication Interface.” It provides the protocols for secure communications that signal charging stations to send current to an electric vehicle (EV).

By 2014, the so-called “Dash 2” section of 15118 was released. ISO 15118-2 prescribed a method for automakers, charging-station manufacturers and charging network operators to offer the so-called Plug-and-Charge feature. The idea is for EV drivers to roll up to a charging station and, simply by plugging in, have the vehicle automatically begin charging. At the same time, financial transactions to pay for the electricity occur seamlessly and securely in the cloud – no credit cards or RFID membership cards required.

Tesla’s closed and proprietary Supercharger network has offered this feature to its users since 2012. Plug-and-Charge, as outlined by ISO 15118, is designed for all players. Six years later, ISO 15118-2’s Plug-and-Charge system has not yet been implemented by any automaker. Several companies – including Audi, Porsche and Ford – are expected to introduce Plug-and-Charge to EV customers in the next year.

Like SSL for electric cars
Some industry players complain that aspects of ISO 15118-2’s technologies – established in 2014 – need to be updated (for example, the standard’s interchange format is EXI, a binary XML, instead of JSON). But the stumbling block is not the technology employed for communications between the EV and charger. That’s primarily handled by the HomePlug Green PHY powerline communications device, which is integral to the Combined Charging System (CCS) used by most EVs and chargers today.

The dispute is about how security certificates are exchanged between entities, including automakers, chargepoint operators (CPOs) and so-called mobility operators (MOs). There are disagreements about the appropriate role for each business entity, which is mostly outside the scope of ISO 15118.

The abridged version of the standard’s methodology is that secure transactions are made using communications that are similar, though not identical, to client-server exchanges on the web employing Transport Layer Security (TLS) and Public Key Infrastructure (PKI). In this case, the client is the vehicle and the charging station is the server. The vehicle itself replaces the driver’s use of an RFID card or mobile app. A few more details:

  • A unique identifier is assigned to each vehicle
  • The EV’s owner establishes a relationship with a Mobility Operator (MO). The MO also is known as an e-mobility service provider (EMSP)
  • The MO issues a digital “contract certificate,” which it received from a “certificate authority.” The contract certificate is tied to an owner account
  • When the EV is connected to a charging station, the contract certificate (stored on the vehicle and containing the digitally signed authentication token, as well as driver identification and billing info) is transmitted to the charging station
  • The CPO, which operates the charging network and its stations, electronically verifies the contract with the MO
  • When the CPO confirms that it will get paid according to pricing and other terms established by the CPO, the charging session begins
  • The MO invoices the owner, debits their account and handles all the backend processes and contracts, including paying the CPO’s cost for delivering the charging service

Spotlight on the “certificate authority”
ChargePoint, the Campbell, Calif. company that serves as both a CPO and mobility operator, created a stir in May 2019, when it co-published a white paper entitled, “Practical Considerations for Implementation and Scaling ISO 15118 into a Secure EV Charging Ecosystem.” The paper – co-authored by DigiCert, a digital security company and EonTi, a trust management consulting company – gave rock-bottom scores to how ISO 15118-2 handles security certificates.

Eric Sidle, senior vice-president of engineering at ChargePoint, said, “The way 15118 was written is very biased toward a small group of organizations that hand out and control those certificates. With 15118, a higher-level mobility operator is injected into the system.” He asserts that the certificate authority – the new entity that he says is inserted into the process – can control pricing, even though it’s a middleman. Sidle also questions 15118’s various security protocols, which he believes are prone to man-in-the-middle attacks.

The industry’s most established certificate authority for EV charging is Hubject GmbH, the Berlin-based IT platform. Hubject is a joint venture of the BMW Group, Bosch, Daimler, EnBW, innogy, Siemens and the Volkswagen Group. Marc Mültin, one of the co-authors of ISO 15118, acknowledged that the standard’s backend processing procedure “can be quite complicated.” That led him in 2016 to launch V2G Clarity, a consulting company helping organizations implement the standard. His views represent V2G Clarity Ltd., which also offers software services to implement ISO 15118.

Mültin said that Hubject is simultaneously a certificate authority and the operator of the platform that connects all the players. “Hubject operates what is called the V2G Root CA,” said Mültin. “There is a top-level trust anchor defined in 15118 and that is the V2G Root CA. The V2G Root CA certificate needs to be installed in an electric vehicle to enable secure communication between the car and a charging station.” Mültin explained that Hubject is the “only operator” of the V2G Root CA and the “only provider of a Plug-and-Charge ecosystem.”
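The trust-anchor behaviour described above, as an added example that is not from the article or from ISO 15118 itself: a vehicle holding a single installed root accepts a charging-station certificate that chains to it and rejects a station from an unrelated PKI. It assumes the `openssl` command-line tool; every certificate name below is constructed for the demo.

```shell
#!/bin/sh
# Added example: all names (v2g-root-demo, station-a-demo, ...) are constructed.
PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT   # throwaway demo keys are deleted on exit

# new_req NAME: create a P-256 key and a certificate request for CN=NAME.
new_req() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$PKI_DIR/$1.key"
  openssl req -new -key "$PKI_DIR/$1.key" -subj "/CN=$1" -out "$PKI_DIR/$1.csr"
}

# make_root NAME: self-signed root CA, i.e. a trust anchor.
make_root() {
  new_req "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$PKI_DIR/$1.ext"
  openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" -days 30 \
    -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.pem" 2>/dev/null
}

# issue ISSUER NAME TRUE|FALSE: ISSUER signs NAME; the third argument is the CA flag.
issue() {
  new_req "$2"
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$PKI_DIR/$2.ext"
  openssl x509 -req -in "$PKI_DIR/$2.csr" -CA "$PKI_DIR/$1.pem" \
    -CAkey "$PKI_DIR/$1.key" -CAcreateserial -days 30 \
    -extfile "$PKI_DIR/$2.ext" -out "$PKI_DIR/$2.pem" 2>/dev/null
}

# ev_accepts ANCHOR SUBCA STATION: the check a vehicle with only ANCHOR installed
# performs on the chain a station presents. Prints "accept" or "reject".
ev_accepts() {
  if openssl verify -CAfile "$PKI_DIR/$1.pem" -untrusted "$PKI_DIR/$2.pem" \
       "$PKI_DIR/$3.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_root v2g-root-demo                     # the anchor installed in the vehicle
issue v2g-root-demo cpo-subca-demo TRUE     # intermediate CA under that root
issue cpo-subca-demo station-a-demo FALSE   # station certificate (leaf)
make_root other-root-demo                   # a second, unrelated PKI
issue other-root-demo other-subca-demo TRUE
issue other-subca-demo station-b-demo FALSE

echo "station A: $(ev_accepts v2g-root-demo cpo-subca-demo station-a-demo)"
echo "station B: $(ev_accepts v2g-root-demo other-subca-demo station-b-demo)"
```

Station B's chain is well-formed and validates under its own root; the vehicle rejects it only because that root is not among its installed anchors, which is why the question of who operates the root matters to every party that must install it.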

Concerns about independence
Hubject earns revenue by charging setup and annual fees to automakers and CPOs to use its platform – as well as for testing services, consulting and certificate management. To enable Plug-and-Charge, automakers, including competitors to the German car companies backing Hubject, are required to install Hubject’s digital security certificates in their vehicle’s charging-system software.

While Volkswagen, for example, might see Hubject as a trusted partner, that might not be the case for other automakers. Mültin acknowledged that “stakeholders say Hubject is not independent enough.” But he said he believes all the players in the “Plug-and-Charge ecosystem should be thankful for them” for setting up its platform. Hubject GmbH was founded in 2012.

“Our V2G Root is installed in the EV’s communication controller,” confirmed Barton Sidles, Hubject’s senior director of corporate and business development. “This is the same location that contains the vehicle identification and stores the OEM’s provisioning certificate.”

Ford Motor Co. will soon introduce its all-electric Mustang Mach-E SUV, followed by electric versions of the company’s other popular models. Scott Turik, an EV charging-standards analyst at Ford, has been working with ISO 15118 since 2014. He says Ford supports the standard because its technical and communications protocols enable the fundamental communication between the EV and the charging station.

“We’ll do our best obviously to meet all the requirements, but we developed a different method to deliver data files – and specifically the certificates and private keys – to our vehicle, what is written into the standard,” said Turik. “Our cybersecurity team didn’t like the way the standard was doing it, so we had to kind of go outside of the standard in order to ensure a higher level of security for customers.”

Turik explained that Ford will use a “known secure method that involves our telematics system.” He added, “We don’t go through those intermediary parties. We do it directly to our vehicle.” As Ford’s approach demonstrates, car companies and CPOs can implement ISO 15118’s core technology stack but elect to handle digital security in a more direct fashion.

Additional research in progress
In December 2019, SAE International announced plans to form an industry-led pre-competitive research project to strengthen the Plug-and-Charge security outlined in ISO 15118 and CHAdeMO 2.0 protocols. “There are operational and governance issues that, quite frankly, I don’t think are germane to a standard. We need to decouple security from EV charging,” said Tim Weisenberger, SAE project manager for emerging technologies standards. He noted that the SAE research project now underway will take about a year to develop an improved PKI platform and another year for testing.

Mültin, the co-author of ISO 15118, said he believes it’s “a good idea to bring everyone to the table to openly and fairly discuss how to make the system super secure.” But he worried, “I hope they don’t try to reinvent the wheel and all the work we have already done.” Mültin disagrees with ChargePoint’s assertions that ISO 15118 doesn’t provide adequate security. “I would like to see a profound analysis that says where exactly there is a security weakness, taking into account what we have written in our application guide. No one has done that so far.”

The next meeting of the ISO 15118 joint working group is scheduled for November 2020. The group’s current focus is a new document entitled ISO 15118-20, as well as an update of 15118-2 and 15118-4. “Major enhancements to the existing AC and DC charging process are the support of inductive charging and Wi-Fi communication, reverse power flow and automatic connecting devices, meaning charging via robots,” said Dirk Großmann, the ISO 15118 convener. Großmann serves as senior manager of off-board electronics for charging infrastructure at Vector Informatik, a company providing networking tools for electronic systems based in Stuttgart, Germany.

“The handling of security certificates is not a feature of the standard, even though some parties try to argue this,” said Großmann. “The focus of ISO 15118 is the communication between the vehicle and the charging station. The way certificates are created or maintained on the backend is not in the scope of the document.”
