Integrating cybersecurity into EV infrastructure plans
Dana Al-Qadi
Mike Curnow


AECOM partnered with ADOT to develop a data-driven, strategic plan for siting EV infrastructure throughout Arizona. The plan features robust and unprecedented cybersecurity measures for EV charging stations statewide.

The Arizona Department of Transportation (ADOT) is making EV driving more accessible and reliable for Arizonans through its EV Infrastructure Deployment Plan. Approved in 2022 by the FHWA, the plan has positioned ADOT to receive $76.5M in funding over a five-year timeframe through the National Electric Vehicle Infrastructure (NEVI) Formula Program. ADOT is using these funds to enact a statewide NEVI/EV infrastructure rollout.

ADOT and AECOM engaged in a robust public involvement process with Arizona communities, including tribal nations, to develop a citizen-centric plan for charging infrastructure.

The plan reduces EV range anxiety by adding new electric vehicle supply equipment (EVSE) and upgrading existing EVSE along Arizona’s designated alternative fuel corridors. Equitable access and network reliability are key to ADOT’s vision for the program, and protecting the EV charging system from cyber threats is crucial for network reliability. To secure the EV charging ecosystem, the grid, and other critical infrastructure from cyber-attacks, Arizona’s deployment plan includes strong cybersecurity measures.

Protecting against the security threats posed by EV charger hackers

As EV adoption increases and the charging infrastructure network grows in Arizona and nationwide, cybersecurity has become a paramount concern. Cloud-based communication systems help EV owners locate and schedule time at charging stations and provide simple payment options.

They enable station owners to run diagnostic checks, manage power, authorize users, track costs, and update firmware for chargers. However, these communication systems also present a cyber vulnerability. Similarly, EVSE charging connectors at stations depend on digital communications between chargers and vehicles, creating efficiencies but also opportunities for hacking.

Cybercriminals use malware to target vulnerabilities in EV charging infrastructure. Potential risks include illegal access to EVSE users’ data and billing information, interruptions to charging, EVSE safety hazards, and disruptions to electrical grids. Beyond power infrastructure, these cyberattacks have the potential to impact several other critical infrastructure sectors, including manufacturing, medical services, and agriculture.

To protect against hackers, Arizona placed a strong emphasis on cybersecurity in its deployment plan. The plan requires that owners and operators of charging stations demonstrate that their cybersecurity practices are sufficient to prevent infiltration of devices or networks. Our subject matter experts’ background and experience with automotive cybersecurity solutions and digital technology informed the deployment plan’s cybersecurity elements.

Securing EV charging infrastructure for Arizonans

The Cybersecurity Plan and ADOT EV Charging Infrastructure Cybersecurity Specification are key components of ADOT’s overall EV Infrastructure Deployment Plan. The deployment plan also includes a community engagement outcomes report and an analysis of existing and future conditions, and covers topics such as contracting, civil rights, implementation, equity, and labor and workforce. These were all important considerations for identifying where and how to deploy EV charging infrastructure for Arizonans.

The cybersecurity plan and specification focus on making sure Arizona’s EV charging infrastructure ecosystem is secure and protected from cyber threats. They define requirements for secure system updates, event logging and intrusion detection, secure operation of EVSE during communication outages, and physical security measures for customers and service technicians to prevent equipment tampering.

Charging station owners must use appropriate encryption systems, identity and access management processes, mechanisms to detect malware and intrusion attempts on the system, and patch management procedures that adhere to industry standards and best practices. They must also log and report “auditable events” — actions that could affect the security of the system — such as logins, failed logins, high-value transactions, warnings, and error messages. In addition, they must maintain a secure digital payment environment — collecting, storing, and communicating the minimum customer payment information required — together with payment services and administration centers.

Our cybersecurity control baseline (included in the deployment plan as an appendix) provides a “crosswalk” between the federal National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 cybersecurity baseline and other state and federal standards and regulations, and it serves as a strict requirements checklist for owners and operators.

Bolstering cybersecurity for the EVSE network’s long-term viability

The threats, vulnerabilities, and associated risks to EV services, equipment, and data are wide-ranging. The protection mechanisms presented in ADOT’s EV Infrastructure Deployment Plan provide a roadmap for EVSE owners and operators in Arizona to prevent and respond to disruptions and manipulation. By adopting the most current and stable encryption mechanisms to secure data and mitigate the possibility of malware installation and propagation throughout the EVSE network and its vehicular connections, EVSE in Arizona will be equipped for the future.

The transition to EVs in Arizona will help improve local air quality, reduce transportation-related carbon emissions, and increase resilience of the overall transportation system.