TL;DR
- Electric vehicles represent a large and growing pool of distributed energy storage that could help balance short-term peaks and troughs on the UK power grid through vehicle-to-home and vehicle-to-grid charging.
- This capability relies on bidirectional EV chargers, which are close to being deployed at scale in the UK.
- Our previous research showed that vulnerabilities in connected EV chargers could be abused to create disruptive changes in grid demand by remotely switching large numbers of chargers on and off.
- Bidirectional charging increases the impact of these attacks by allowing chargers to switch between charging and discharging, effectively doubling the power swing per device.
- This turns what was previously an inconvenience for vehicle owners into the ability to remotely discharge vehicle batteries and amplify grid-level disruption.
- As bidirectional charging is rolled out, secure design, secure defaults, and robust vulnerability handling will be critical to prevent these risks scaling alongside adoption.
Introduction
I’m a huge fan of micro generation and domestic power storage batteries. However, as we dash for net zero, one of the ways to balance the grid is to capitalise on EV batteries and their large capacity to store power.
BUT
To take advantage of their capacity, we need bidirectional EV chargers and vehicles capable of discharging to the home.
Currently, the only thing that EVs can do that’s helpful is to charge at times of overcapacity in the grid. Dynamic pricing allows EV owners to charge for little cost when generation exceeds demand and the ability of pumped storage systems such as the reservoirs at Dinorwig to absorb that overcapacity.
Whilst large battery storage systems are being built, they occupy land that could be used for other purposes and are rather unpopular with nearby residents. Why, therefore, build these systems if there is a near-ready supply of EVs with storage capacity to spare?
Is there enough capacity in our EVs?
There are approaching 2M EVs in the UK. The average capacity is ~50kWh. That’s total storage of ~100GWh… and growing rapidly.
That’s more than enough to address the short-term fluctuations in demand in the UK power grid. Indeed, it’s probably enough to make the difference between base load and peak demand on an average day in the UK!
Now, I’m not suggesting that anyone would want to fully discharge their vehicle, but that’s not what the grid needs. It needs the ability to manage peaks and troughs in demand, so the ability to pull in some extra power and offload some when needed. In the past, the grid had significant ‘inertia’ provided by the large steam turbine flywheels at coal fired power stations, but with the advent of renewable energy sources, that inertia has had to be replaced. That inertia was critical for evening out grid frequency changes. Whilst we have synchronous compensators which help stabilise frequency, we also need large sources of energy to cover peaks and troughs in demand as well as the variability of renewable generation.
Vehicle to Home and Vehicle to Grid
The obvious solution to address the imbalances in demand and supply would be to exploit EV car batteries. That’s what V2H / V2G technologies are intended for. Home power storage batteries have tiny capacities compared to an EV. Our storage batteries in the office are 13.5kWh capacity, compared to my EV with 77kWh.
Even better, my EV is already equipped to supply power to my home.
Bad news: there are no bidirectional EV chargers on the market in the UK.
Whilst manufacturers such as Indra, Wallbox, Zaptec and others have all trialled bidirectional chargers, none are available on the open market yet.
But what about the cyber rub?
Our earlier work on EV chargers showed vulnerabilities that would allow remote takeover of large numbers of EV chargers. Providing the chargers were plugged in to EVs, one could trigger a large number of vehicles to charge, stop charging, charge, stop charging etc. The spikes created by this were a significant enough risk for the UK government to change EV charger regulations to mitigate this.
However, V2H/V2G now creates the potential to double the size of these spikes. Currently, our work showed the ability to switch domestic chargers on and off. The majority of domestic chargers in the UK will be 7kW capacity, so one needed a lot of compromised chargers to create a spike large enough to affect grid stability. At one point, we had found around 3 million exposed chargers, though these were spread around the world.
A bidirectional charger doubles the impact. Switching the current flow from charge to discharge means the swing from any one charger is now doubled from 7kW to 14kW. Where a home has a three-phase supply, the swing is up to 44kW.
So now, only half the number of chargers are needed to effect the same spike in supply.
One mitigating issue with our earlier research in to connected EV chargers was that the worst impact to the individual was that one could simply stop the car charging. That would be a bit irritating, but it’s rare that one ever drains the battery to the point where charging is essential
Bidirectional charging changes that: a vulnerability such as those we found with earlier chargers would allow the vehicle to be DISCHARGED. That means that the attack would result in the vehicle battery being emptied.
That’s a whole lot more irritating.
Conclusion
The push to electrify everything from cars to heating at the same time as the huge effort to decarbonise the grid, means there are large savings to be had with battery storage and smart time-of-use tariffs. EV manufacturers saw this trend and many now include bidirectional charging hardware to entice buyers.
However, will the push to be first to market cloud manufacturers’ security responsibilities, or have they learnt from the security mistakes of the past?
Fortunately, there is good guidance to follow. ETSI EN 303 645 provides a solid baseline for the design of connected devices. The EU Cyber Resilience Act goes further, setting mandatory requirements for secure development, update mechanisms, and vulnerability handling for digital products sold into the EU. In the UK, we have the Electric Vehicles (Smart Charge Points) Regulations 2021 that provides regulation for the security of private charge points.
