C (3:36)

And yeah, we'll get into a deep dive on EVs and particularly the charging infrastructure security on that. But you and your team are at RSAC and you're talking about connected car and specifically about charger security at rsac.

B (3:50)

Actually we had there was a very specific show a week prior to that in Las Vegas called EV Charging Symposium.

C (3:57)

Perfect, okay, sorry.

B (3:59)

All the majors were there and so that's where some of this began to hit publications. We did a press release that mentioned the partnership with Eburged, which is an EV charging infrastructure company.

C (4:11)

Okay, thank you. Sorry I had my wires crossed. Which is deeply ironic in this case, but no. Okay, so first of all, there's an EV charging symposium. Okay, what does that look like?

B (4:21)

It's a trade show of EV charging companies and anything to do with infrastructure for EV charging. So it ran the gamut from power companies that provide backup power and generators and things that we're likely not to touch. But many of the manufacturers of actual charging systems themselves, which is a, that's a very large industry worldwide.

C (4:44)

Yeah, no. And as we watch the headlines, very important industry. It's interesting, these now according to one report have displaced 2.3 million barrels of oil consumption. That would have happened if we didn't have as much adoption of EVs as we have. And certainly getting into the politics of it, obviously for both environmental reasons, national security reasons, economic growth reasons, there's a lot of interest in the sustainability of renewables. And one of those pressure points that everyone thinks about normally when people think about EV chargers, like as a non expert, non cybersecurity person, it's. That's the place where I got to go wait 10 to 30 minutes to a couple hours depending on the charger to charge my car. It's actually ironically, the fear around EV chargers is usually temporal based. This is going to Take me too long. But if there are other reasons to be concerned about the state of EV

B (5:38)

chargers, you named the reason a great. A good deal of the reason why you're seeing a proliferation of electric vehicles is environmental and public public policy and those types of things. Worldwide we focus more on the infrastructure side of it. As a result of every municipality is installing banks of EV charging systems to support the population. But also larger than that, you're seeing electronic vehicle fleets, bus system, school bus systems. You're seeing electronical electronic vehicle within hospitality. Because imagine if you drive up to your local large worldwide hotel, you would expect that there's some number of charging platforms there.

C (6:20)

Yep.

B (6:21)

And so that the build out is not just in the metros around the world or on the highway on between here in Los Angeles or here in Calgary. Not sure where you're at but. But it goes much deeper than that. You're beginning to see investment by hospitality, by enterprise, corporations, governments is across the spectrum.

C (6:40)

And when we think about the risks of hacking these, the average person goes what's the worst thing that can happen?

B (6:46)

They're thinking, oh, you're going to steal some power. But no, that's not the issue. This has a very large network that's been established. So think about it this way. All the way from vehicle to home V2H home charging stations. That's convenient because you can go home and you take power and charge your vehicle in your garage if you had enough money to buy that station. But those systems are now doing what we call vehicle to home. They're load balancing your power requirements at home. And guess what? That starts to lead to the grid, potentially to the grid. The other side of it, there's a very large worldwide effort to do what's called vehicle to grid to do exactly the same as you have charged vehicles, whether it's fleets or individual vehicles in power surge times, they can take some of the load if they're, if they're in their bank, at the hotel or at home or wherever, they can actually feed power into the grid. And so you can see what's beginning to happen. It isn't the power supply, it's all the control systems, the billing systems and in the back office systems that have become vulnerable. That's what the nefarious actors are looking at. That's what they want to get to. Because to them the holy grail would be to cause a disruption.

C (8:08)

And some of our listeners may or may not remember, but it doesn't take much to disrupt the North American grid. We can go back to 2003 and the infamous cyber squirrel incident that led to a blackout and actually, yeah, likely slight baby boom that some listeners maybe may have benefited from that squirrel turning the power out for a couple of days. Congrats to you. The grid's a little shaky and it doesn't take that much to tip it around.

B (8:35)

Yeah. So imagine this if we have a proliferation of vehicle to grid all over the world and that's what we're driving towards. What if it was a attack that was launched simultaneously and now the attack point becomes tens of thousands, if not even potentially millions of points that begin the attack. You can easily see where that will be disruptive. And so those are the things that we're worried about. Those are the things that we're very nervous about. And actually pulling on these IP Internet protocol lines and not getting to the power side of it. Get into the communication sector and taking down networks.

C (9:14)

Okay, lots of fun to be had there. I'm literally wearing the T shirt called hack everything today, so I feel that's really appropriate. So let's break this down in terms of. We'll start with the most severe consequences. We've highlighted the idea that there could be energy grid outages in the work that you've done. One of the things that I've wondered about is a misconfigured charger could harm an EV car. Whether that harm is it's degrading the battery in ways that are non optimal or it's actually pushing it into dangerous territories. Is that, you know, is that a legitimate concern? Is that something that you are thinking about at all in the work that you guys are doing?

B (9:54)

We're not so much on the charging side, we focus on the communication side of it, the IP side of it. But I just read anecdotally about particular charging system for in the home that has been leading to a lot of fires. And when they figured out what the problem was, it was a vulnerability that was placed there through bad actors. So yeah, that's a problem if they can get to it. Because you have persistent VPNs. I know you know what that is. You have open ports because nobody thought it was an issue. Right. For service, if you will. And so you really have attack vectors that are exposed in the current architecture. And so we have to focus on rebuilding these architectures, thinking about it differently, how do we close off those attack vectors. And that's what we focus on.

C (10:43)

And so if I bought my dream Volkswagen EV and I bought the thousand dollar home charging unit and is this a Service that I would be looking to buy as a consumer. Is this something that you would be selling to the charger manufacturers that get off of their products safely? Tell me more about like where you guys sit in that relationship.

B (11:08)

Yeah. Today we focus on the charging infrastructure, the charging, the developers and designers and implementation of charging systems. Not so much for the home. We could talk to a manufacturer of home systems, no doubt about that. But really more on the commercial side. The ones that are providing chargers for metropolitan areas and for large hospitality hotel chains and places like that, campuses, those are the most vulnerable because let's face it, somebody breaking into my home charging unit, that's a nuisance. But if they can get into the network, the control plane, the back office of an EV charging system that's controlled by one company, they can take down all of their back office that's residing in AWS or someplace else over time. The worry is they'll find their way to the grid and get to those systems. So that's what we try and do is we try and create an environment where these terminals are no longer reachable, therefore they're less vulnerable.

C (12:14)

So from a layperson's perspective, semi layperson, is this firewalls for EV chargers?

B (12:22)

No, it's much different than that actually. So we studied the market before we designed this product going back a number of years ago. And we decided that the current method for, for, I guess protecting the environment was really using old and outdated systems that continually being patched. I'm sure you see the patches that happen on your little Linux or Windows machine on a weekly basis. They're constantly finding vulnerabilities and they're patching them. Those aren't features. I wish they were features, but it's almost always vulnerabilities on these patches. Firewalls have the same issue. So do switches. And that leads to the CVEs that we know now, the common vulnerabilities that are exposures that are published on a daily basis, essentially. So that's the old way of doing it. We've designed a system that allows you to begin to eliminate reachability. It's really an oxymoron when you think about it. We built this thing that we call the public Internet. And now here comes a company like ours and others that are beginning to think the same way we do. Let's design systems that are not reachable, but only invite in specific allowed users, if you will, or machines. Which is different than saying we built an Internet that everybody could reach. Oh, we better build firewalls to Keep certain things out. It's a different thought process. So everything we talk to EV charging companies about and enterprise and everything else that we do is about creating environments where it's not reachable. You take your most valuable assets and, and flip the switch and say it's no longer reachable by the public. And that means closing ports on firewalls so you can't reach it. That means turning off static IP addresses so you can't reach it. And we provide a tool that sits at that application layer I talked about that allows a registered user to be able to access that charging system. They need to do the management, they need to upgrade it, they need to get certain amount of data from it. The back office has to talk to it machine to machine. Those are allowed and they're registered. And so they have very specific tunnels that are provided. But there is no, no way in there. We've closed all the doors and windows to that house.

C (14:37)

And one of the, one of the theories that I've been wondering about. So I've followed connected car security for a decade plus and fascinated by it. And since Andy Greenberg's just amazing reporting and that hilariously and terrifying drive on the St. Louis highway where the two hackers over the Internet took control of the vehicle. And I haven't really been thinking about the EV side with respect to the chargers, but in theory there's a communication that flows between the car and the charger to regulate the flow of electricity. Like again, not an electrical engineer layperson, but you. It's not. These aren't dumb connectors. These are. There's a communication layer from the car.

B (15:22)

They call it a ECU. They have any one electric vehicle has 25 or more ECU electronic control units built into that system.

C (15:30)

What if that car is the threat? So it pulls into the commercial place at the mall to plug in. And it has the newest version of Russian ransomware 4.0 where our business model is making sure you can't charge your cars. And this thing, it tries to infect the charging station and the network from there. What's the model for preventing that?

B (15:56)

We've actually talked to a few of the ECU manufacturers on that and that's something that I've been not studying but keenly aware of. And it's not an area that we do with the EV charging stations. But think about this. If you're buying, building a car from the ground up manufacturer, you're buying in one case battery systems. People think batteries, that can't be a problem. But batteries have to Have a control unit. Control units are computers. If somebody were to put nefarious malware on that control unit, it can sit there for years waiting for the rest of it to be built out within a network outside of that vehicle. So it can do something really bad. And this is what state sponsored actors are going to do. I'm not saying they're doing it, but it's not out of the question. The malware could be there now. We don't know. The ECU companies, by the way, do an incredible job of scrubbing and double scrubbing and checking their systems before they deploy it. But that's not to say that this can't happen. It could. So I agree with you on that, David. There's no doubt that's a scary proposition.

C (17:02)

Yeah, It's a frightening place to live. In my head sometimes, covering this sector, working at day to day thinking about this, the only thing that I know for sure is the a unlimited creative capacity for humans to think through ideas, to do things someone else didn't think was possible. And that's our superpower as a species. It's the power of imagination. As your elementary school teacher would tell you, that's literally what power is really good at. And nation states do this. They build capacity and other things. So when you think about that, and it's hilarious because of course we're having this conversation about securing these vital devices. And in the United States, the most important policy decision this week in cyber was banning home routers made overseas. So we're thinking about someone putting in backdoors into things.

B (17:49)

That's a really interesting discussion. That's that sidebar, and it's not ev, but I've been looking at that for years. I have all these electronic lights that I can change colors and all that. And guess what? Drive by my house, you can probably hack them. I'm one of the smart ones that subnetted my home because I want to keep those separate. Hack away.

C (18:06)

Yeah, but think about it.

B (18:08)

Yeah.

C (18:09)

No. So I think it's good that we're thinking about this. It's just, it's interesting because I was testifying to a parliamentary committee two weeks ago. It's a weird life that I live. And I got asked to explain some comments I made to regular media about connected car security and this idea that they can be rolling spy vans.

B (18:27)

True story.

C (18:27)

They got microphones, they got cameras, they're on wheels, they get banned from certain places for certain reasons. And. And I was trying to explain the safety risks of all these things and the importance of dealing with the car. But when I saw your note from your company to us, I was like, oh, I really haven't thought through the charger side. And it was interesting that you made the point right off the bat about smart grid stability on that side and that, listen, the next 20 years is going to be shaped by these technologies. There's no ignoring that side of things. I think it's really important. The physical safety stuff is important. But you said something interesting earlier that I think we can make all the cases and all the evidence can be there. But are the players installing this as commercial infrastructure, particularly municipalities, the poor municipality that's always striving for budget, do they understand this risk? Are they talking about this risk? Are they asking the market to respond for this? Or is this still a education effort to say, hey, man like you, you gotta make sure that you're buying this stuff and it's secure?

B (19:38)

I think it's a little both. On the public sector side, we're seeing CISA put out lots of communication and guidelines and guidance on EV systems, EV charging systems. So they're very aware of the problem. The industry has rallied around it. They have a pond to own consortium. It's like black hat, but for the environment. So, yeah, municipalities are probably more vague, even though the customer we're working with here, E Verge, they're selling units in San Diego, Denver, lots of different metros, and they're using our product. But I'm not sure if the RFQ or if the proposal required the security. I'm sure it had security, but I don't know how deep it went, I guess is my point.

C (20:21)

Yeah, and I think that's the.

B (20:23)

You must use a VPN and that's just not enough.

C (20:26)

That's. Yeah, no, not even close on this. It's. But I think that's the part of this, right, because you can be on the bleeding edge of this problem. You can see the problem, you can have a solution for this problem. But if the folks don't value the problem, if for lack of imagination on the other side, they're like, ah, that's not a thing. There's this thing called optimism bias where we always think bad things happen to somebody else, bad things happen to other technologies, but we don't really like to, as humans think, oh, this could be a risk. But I think you've made a really interesting case here because the fire risk with EVs is fascinating because when one of these things gets burning, it's not exactly easy to put that fire out. I've seen one fire department where it's. We got a blanket. We throw the blanket over the car and we wait it out.

B (21:17)

That's what we do today. Yeah, it's scary.

C (21:20)

Yeah. So we really want to avoid EV battery fires for lots of reasons, making sure they charge it. But you said something interesting. It wasn't just about the physical safety. You said these things could be used to take down telecommunications networks. And that. That got my attention because obviously botnets are a thing having a whole bunch of EV chargers stop working because they're now somebody's botnet because they're upset at some government policy decision or some geopolitical conflict. And now people can't charge their cars and the telecommunications network is going down. Have you seen any. Has there been any examples of one of these devices getting owned yet to be using it as either jumping point or a DDoS point?

B (22:04)

Definitely on the DDoS side, we've seen, and we continue to see those things are up quite a bit. And we've also seen attacks on the cloud back in at aws. So, yes, it is happening. It is very much happening. And I think it's something that the service providers should be very aware of and conscious about now. Good for us that we're. And actually we were surprised at the EV charging show. We were stopped in our tracks because of the press release. People recognized our badge and said, hey, you're the ones that did that thing with E Verge. We want to talk. So apparently their charging companies are paying attention. So now they. We have several that want to talk to us. That's good. But the problem is going to be one that continues to morph and move similar to the way the Internet is today. It's not going to go away. We're not going to have a magic bullet. We're trying to provide a different way to protect that makes it unreachable and we'll hopefully be the last ones to go down. But just when you think you fix one problem, Congress is going to introduce another one. And I'm not. Because they're not technicians. Right. They do policy. So right now, today, and this is a little political, so I shouldn't go there, but right now, today, they're about to pass legislation that it's already passed. Actually, it happened in the Biden era that starting, I think next year or the year after 2027, you have to have an electronic kill switch that the government can access. They want to be able to disable your vehicle. That's in law right now. Okay, great. So the bad Driver didn't pay his whatever his alimony and we're going to kill his car. I'm okay with that. But what are the state sponsored actors already planning and working on? Can you imagine if that kill switch hit 100,000 cars at one time, what that would do? Freeway traffic, whatever. These are dangerous policy decisions that aren't well thought out.

C (23:54)

I really appreciate you adding that. I did not realize that they had.

B (23:58)

You'll probably get off and go, is that real? You're going to find out it's real.

C (24:02)

I know. Yeah, I believe you. I'm just. The audacity of the stupid on this one is pretty huge because we have a problem renewing certificates. We have a problem with screwing up DNS and BGP. Are we like one underpaid interns agentic AI coding tool away from 100,000 cars getting turned off because. Whoops. Yeah, that. Okay, thanks. Thanks for adding to my nightmare fuel. Steve, I appreciate having you on.

B (24:34)

That might be a good one that you can go look at. I'm sure there's experts in that area. But it's about for us building these systems as most resilient you can build based on the technology and the attacks that we know today. So we have to study the attacks and be ready.

C (24:49)

No, I. Steve, I really appreciate the chance to have this conversation. I learned something today and I hope listeners and viewers do as well. If you happen to be one of these companies building charging infrastructure and you saw that press release, would it give Steve and his team a call to chat about hey, maybe we should secure our stuff. And I could tell you as a cybersecurity professional, you need to secure your stuff. So this has been a great conversation. I appreciate it. I've learned a ton Congrats on on the success of the symposium and I really hope that we don't see the Internet of not good bad practices continued with things that can cause fires or DDoS attacks or all these other things. But I really appreciate your time.

B (25:32)

Yeah, David, thank you very much. I appreciate the opportunity to speak to you.

C (25:36)

Thank you so much.

A (25:38)

And that's our show for this holiday weekend. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises and working with their partners. Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers. Book a demo@meter.com CST I'm Jim Love. Thanks for listening. David will be back with the cybersecurity news on Tuesday morning.