By David Mor Ofek, Head of Product
A Glimpse into the Background
On July 2023 researchers at Saiflow published a report highlighting three critical vulnerabilities found in ABB’s ChargerSync platform which serves as a Charging Station Management System (CSMS) provider owned by ABB. With more than one million EV chargers and 50,000 DC fast chargers across 85 markets, ABB is a global leader in EV charging solutions. The vulnerabilities allowed unauthorized access to files uploaded by other users, bypassing the required provisioning PIN code for authentication and hijacking a charger open charge point protocol (OCPP) connection.
In this blog post, I will address the vulnerabilities discovered in ABB’s ChargerSync platform and suggest recommendations on how EV charging infrastructure companies, from vendors to operators, can mitigate these risks in the future.
A Breakdown of the Security Flaws
The vulnerabilities discovered in the ChargerSync platform were centered around a specific application programming interface (API) with several security flaws. These vulnerabilities can be explained in a way that is easy to understand.
- Bypass of PIN Code Provisioning: The first vulnerability found in the ChargerSync platform allowed attackers to bypass the PIN code requirement during the charger provisioning process. By exploiting this flaw, unauthorized individuals could bind chargers to their own accounts without needing a valid PIN code. This could potentially lead to misuse or disruption of service.
- File Access and Data Leakage: The second vulnerability discovered in the ChargerSync platform was related to file uploads. The system had a flaw that granted unauthorized users access to sensitive data belonging to other users – emails and ID tags, which could be exploited for malicious purposes. This vulnerability could have resulted in privacy breaches and identity theft.
- Unauthenticated OCPP Access: The third vulnerability was the lack of authentication on the OCPP – Open Charging Point Protocol) interface. This flaw allowed attackers to gain unauthorized access to chargers, hijacking the chargers’ operations, disrupting their functionality, and potentially stealing valuable data. Such unauthorized access could lead to denial-of-service attacks and compromise the integrity and availability of the charging infrastructure.
First, we want to applaud ABB for recognizing, taking responsibility, and dealing with the reported vulnerabilities quickly and efficiently. As reported, ABB adopted several mitigation principles to close the vulnerabilities in the ChargerSync API.
The main purpose of this blog is to try and provide recommended processes and measures to help reduce the risk of exposures and vulnerabilities by using principles of security, operations, and validation by design.
Security, Operations by Design, and Security Validation – Key Elements in the Product Security Lifecycle
The following principles can guide security teams in making sure the product (in this case) of the CSMS is secure from concept/design to production and back.
- Threat Analysis and Risk assessment (TARA) can help identify risks and decide on the correct security controls that will keep the risk level at a satisfactory level. In other industries, TARA is regulated and required, while at this point, it is not in EV charging infrastructure. We estimate this industry, which contains safety critical elements, will be regulated soon. Some charging stations and vendors already decided to self-certify themselves according to the ISO/SAE 21434 standard designated for automotive. OEMs become liable under regulations such as WP.29 R155 and must place particular emphasis on including and validating supply chain security to comply with regulations and standards to effectively manage their security posture and risk.
As an example, in the TARA process, an assessor with proper tooling and detailed attack trees designed for EV charging infrastructure might have decided to deal with the OCPP-related threat of OCPP hijacking by implementing OCPP Security Profile 2 as part of the necessary security controls in the design.
- Continuous and dynamic risk management goes beyond the concept and design phase to ensure you constantly validate your design and chosen security controls vs. actual implementation, new vulnerabilities that arise, and more. Validating the functionality of these controls could have prevented an exposed and vulnerable API in production. Consider the case where a security architect specifies closing a network port for security reasons. The development team implements this initially but later opens the port back up for debugging. Without proper validation, the port could remain open when the product ships, rendering the original security control ineffective. This example emphasizes the need for continuous security validation, which extends throughout the product lifecycle, from development to production and post-production, and back to the design. Each new version of the product should undergo the same level of control verification as the original, ensuring that previously secured code doesn’t regress.
In all of the vulnerabilities discovered in the ChargerSync CSMS, managing the risk and validating the security controls prior to release or post-deployment could have prevented the vulnerabilities. For example, validating whether the API is protected with a pin code or whether the file upload mechanism is using a sequential identifier would have verified the security controls are in place and mitigating the risk to the model.
C2A Security’s EVSec Platform is specifically designed to assist product-centric companies with addressing the above challenges. The product security challenge exists in the automotive industry as in other complex and safety-critical products such as EV charging management and infrastructure. Security controls need to be chosen correctly with proper threat analysis and risk assessment, and later the risk needs to be managed throughout the product lifecycle by performing validation within the CI/CD pipeline and vulnerability management post-deployment.
By integrating a virtual cyber model and strategically layering security information at different stages of the product security lifecycle, EVSec provides a comprehensive and holistic view of the product’s security status. Through the implementation of automation, EVSec further streamlines the process, resulting in reduced time and costs associated with product security efforts.
How We Can Help
C2A Security deeply understands the ever-evolving software landscape and the critical importance of continuous product security lifecycle management. EVSec’s unique “breathing” approach to threat modeling ensures that risk management is dynamic, up-to-date, and relevant throughout the entire product lifecycle, facilitating operations and overall security by design.
If you’re looking to improve your security posture, better adhere to regulations to minimize your product security efforts using advanced automation, schedule a demo today and discover how our EVSec Platform can empower your product security development and operations. Own your risk, and reduce your costs and time to deployment today.