2. Organizational Structure

Cybersecurity should be incorporated into every stage of electric vehicle and EVSE development. To build secure products and then manage identified vulnerabilities, organizations must have structures and corporate policies that support cybersecurity awareness throughout the design, development, and deployment of their devices and systems.

During the design process, domain architects, engineers, and security personnel should coordinate to create secure systems. Once electric vehicles and EVSE leave the manufacturer’s floor, they could be monitored regularly to detect irregular behavior. This can help identify vulnerabilities being exploited. If a vulnerability is identified, that information should be shared with the owner, manufacturer, appropriate Information Sharing and Analysis Center (ISAC), and those who can provide solutions to address the vulnerability in a timely manner.

To accomplish these goals, some organizations have created an executive position in the C-suite that is in charge of product and/or information security. This officer's responsibilities may include the following functions [18]:

  • Protect, shield, defend and prevent: Taking preemptive measures to ensure products and information are proactively secured from cyber threats.

  • Monitor, detect, and hunt: Identifying irregular activity as it occurs.

  • Respond, recover, and sustain: Minimizing the impacts of the exploited vulnerability and restoring the system to normal operations.

  • Govern, manage, comply, educate, and manage risk: Creating a work environment where security is a concern in all parts of operation, rather than an afterthought when an incident occurs.

While an executive who oversees security is an important step toward integrating cybersecurity into the core of an organization, it is also necessary to define clear paths of information flow. Quick information sharing between security and engineering teams allows identified problems to be remedied quickly, which can prevent vulnerabilities from being widely exploited.

An example scenario that a vehicle manufacturer or EVSE vendor could think through:

How would our company respond to a compromised charger, charging system, or EVSE vendor?

Relevant sub-questions may include:

  • Could our company simply deny any attempt for a vehicle trying to charge at that vendor’s stations?
  • How would we communicate the denial of charging ability to vehicle owners and operators?
  • What happens internally at our company when making these decisions that could potentially impact the reputation of our company?
  • Who would need to be brought in on the decision-making process?

Testing how an organization responds to an identified vulnerability maps out the flow of information and lets the organization refine the process by which information reaches those who need to act. An efficient information-sharing procedure enables an organization to respond in a timely manner to an identified vulnerability. Threat modelling is another way for an organization to systematically evaluate, identify, assess, and address the security risks and vulnerabilities associated with a process or an application. It is one way to map out the attack surface of an application, which can help personnel devise effective strategies to mitigate attacks against it.


[18] https://resources.sei.cmu.edu/asset_files/TechnicalNote/2015_004_001_446198.pdf


