The Dutch National Charging Infrastructure Agenda commissioned us to investigate the cybersecurity risks associated with the Dutch charging infrastructure. After all, for road transport, the energy transition means that the number of charging points for electric cars will increase from 270,000 today to 1.8 million charging points by 2030.
The Netherlands is currently leading in this respect. However, charging points are managed by back-office systems which can be hacked. The total peak power demand in 2030 will be twenty times higher than it is today, which increases the vulnerability to cyberattacks.
Cybersecurity risks
Cyberattacks can lead to significant disruptions to the charging infrastructure itself and, as a result, to mobility in the Netherlands. Furthermore, cyberattacks could also disrupt the country’s electricity supply or even cause a blackout. We identified a total of four types of cyberattack that could lead to substantial disruption. Each scenario develops in its own way and has different impacts on society:
- Smart attack by a state actor (usually a group of hackers with wide-ranging capabilities). In this scenario, a charging point operator's back-office system is attacked and the smart charging options are manipulated. This could cause the Dutch electricity grid to fail and cause a blackout. This scenario is possible after 2025.
- Major attack by a state actor. In this case, an underlying central information system is attacked. This could result in a national blackout, which is possible from 2027 onwards, although disruptions with less impact could also occur.
- Ordinary cyberattack. For example, a charging point operator's back-office system is attacked, causing the charging points managed by that operator to fail. This would disrupt the mobility of groups of citizens and organisations.
- Privacy attack. Customer data relating to charging sessions may be stolen and published or misused in some other way. This would damage those affected and could undermine confidence in electric charging.
Effective regulatory framework
At present there is no legislation or regulatory framework for the cybersecurity of the back-office systems that manage charging infrastructure. Our recommendation to the client was therefore to establish a regulatory framework to ensure effective cybersecurity of the national charging infrastructure. This should also be put on the agenda at European level. Such a framework would impose a duty of care on the parties involved with the charging infrastructure: they should be supervised and also be obliged to report incidents.