The EV charging-security project aims to design a PKI platform that is charging-protocol-neutral, scalable, and extensible to other use cases in the vehicle. (GM)

SAE kicks off project to develop cyber-secure EV charging

The SAE-led industry joint venture will design and test a secure, trusted, and scalable EV charging Public Key Infrastructure (PKI) platform by 2022.

Electric-vehicle charging is critical to the mainstreaming of EVs. A 2019 study by the International Council on Clean Transportation estimates that to create, by 2025, a charging network for the 100 U.S. metro areas with the highest populations will require 82,000 more EV charging stations at workplaces, 103,000 public stations with Level 2 (240-V) chargers and 10,000 direct current fast charging stations.

That network must be cyber-secure, scalable and trusted by industry and the public. For this reason, SAE International and industry partners recently launched a collaborative project to strengthen EV charging system security. The SAE EV Charging Public Key Infrastructure (PKI) project will design and test, over the next 18-24 months, an inclusive, global EV charging PKI platform aimed at ensuring the interface points between EV drivers and EV charging infrastructure, are secure and trusted. PKI is a best practice used across industries to ensure a high level of trust between entities in an ecosystem by providing message authentication among trusted devices.

SAE is serving as administrative project manager. Core team member companies have been recruited from OEM EV developers, EV charging providers, and charging network operators from throughout the global marketplace. The team members lead the technical development by best-in-class security contractors and make all technical decision in the project.

After designing a draft PKI platform over the next 9-12 months, a comprehensive testing phase will begin.  Testing will include functionality and scalability testing, and robust security testing.  Security testing will be held initially in a closed environment at a neutral cybersecurity laboratory and will be followed by an open “hack-a-thon” stage involving “black hat” hackers at an EV Charging pavilion at and open security conference.

Once the full development and testing is complete, the project technical deliverables will be published in 2022.  These deliverables are an EV Charging PKI Platform and a Handover Plan for fielding an operational industry PKI. “SAE International is bringing industry together in this pre-competitive research project – it’s not in our Open Standards area,” said Tim Weisenberger, technical program manager, Emerging Technologies, at SAE. He explained that industry has highlighted a “gap issue” that exists in the security of EV charging transactions: a lack of two-way authentication and a ubiquitous way to achieve it.

“Currently with EV charging there is only one-way authentication – the vehicle ‘trusts’ the charging station but the charging station doesn’t trust the vehicle,” Weisenberger explained. “And grid operators have to treat this as a potential unsecure access mode into their network. A chain is only as strong as its weakest link.”

A ‘big tent’ project
Industry concerns about some gaps in the ISO I5118 standard prompted the development of an independent white paper published in May 2019 by charging network ChargePoint, security services company DigiCert, and Eonti, a PKI consultant. The findings and suggested potential solutions are based on a “360-Degree Assessment” (gap analysis) of the security aspects of the standard.

“Industry must have a technical approach for EV charging security, but it also needs the operations and governance of the solution- the policies and processes to manage keys, digital certificates, and compliance aspects,” Weisenberger observed. “Yes, the technical specifications are important, but viewed from another level, the industry trust in EV charging security has got to be ubiquitous. This is not a just a specification that must be written, it is a business that must be developed to provide an industry solution.”

The SAE-led project is “not looking to plug holes in ISO 15118, or to revise that document,” he explained. The object is to design a PKI platform that will be charging-protocol-neutral, scalable, and extensible to other use cases in the vehicle. Think of it as a hamburger, Weisenberger suggests, with the charging network on the bottom and the various EV charging protocols (CCS, CHAdeMo, Supercharger) in the middle, and the security on the top.

The $1.5M project’s core team as of mid-September includes ChargePoint, Ford, eMobility Power, General Motors, Mercedes Benz R&D North America, and Shell and aims for a total of 8-10 members. Membership criteria includes providing active subject-matter experts, agreeing to a mutual non-disclosure agreement with SAE, and paying a participation fee. Weisenberger said that the team hopes to bring on future Affiliate members with lesser roles and responsibilities, particularly in the Testing phase.

As the PKI platform is developed, the team will solicit comment from industry stakeholders “to ensure that it’s robust and truly representative of industry needs.” Weisenberger noted that the aim is to “future-proof” the system for expected changes in EV charging technology and infrastructure, as well as advances in security.

“We’re doing this as a ‘big tent’ joint venture because it needs to be,” he said. “We want this solution to provide open and equal access to industry, while being scalable and extensible to the other use cases that electrification and highly connected vehicles are bringing. All transactions and messages have to be fully authenticated.  We need to team up as a global industry to achieve higher security,” he asserted.

For more information on the SAE EV Charging Public Key Infrastructure (PKI) project, contact SAE project specialist Tim Weisenberger at

Continue reading »