Secure boot for UK electric car chargers isn't mandatory until 2023 – but why the delay?
Good: New requirements in new law. Bad: Grace period
Electric car chargers will have to include secure boot and automatic network disconnection if unsigned software runs on the smart devices – but only from 2023, the British government has said.
New security requirements for smart chargers won't be enforced until the last day of this year, according to government papers reviewed by The Register.
While those changes are positive, and help protect against a deliberate cyber attack or a drive-by malware infection, the Electric Vehicles (Smart Charge Points) Regulations 2021, passed in December, give industry a whole year before it has to meet the standards.
Schedule 1 of the regulations sets out the cybersecurity requirements new car chargers will have to meet and there's little to complain about there: secure boot; only running signed firmware; automatic checks for software updates; and a ban on "hard-coded security credentials."
This is all in line with the Product Security and Telecoms Infrastructure Bill's general approach to Internet of Things (IoT) device security. Yet the 12-month grace period leaves a hole in the smart charger regulations.
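To make the "secure boot; only running signed firmware" requirement concrete, here is an added example (not code from the regulations, the government, or any charger vendor) of the decision a charger's bootloader has to make. It assumes a hypothetical container format (a "CHGF" header, a version number, a payload length, the payload, then an Ed25519 signature over everything before it), a manufacturer key pair generated here for demonstration, and a network-up flag that models the "stay off the network if the software isn't what the manufacturer signed" behaviour the article describes. In a real device the public key would live in ROM or one-time-programmable memory rather than being generated at runtime.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image format (hypothetical, not from Schedule 1):
//   "CHGF" | uint32 version | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers the header and payload, so editing the version field
// (to dodge a rollback check) or the payload both invalidate it.
const (
	magic  = "CHGF"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadFormat = errors.New("firmware image malformed")
	ErrBadSig    = errors.New("firmware signature invalid: refusing to run it")
	ErrRollback  = errors.New("firmware older than installed version: refusing to run it")
)

// DemoKeys stands in for the manufacturer's signing key; real devices hold
// only the public half, burned into the bootloader.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// PackImage is the build-side step: assemble the container and sign it.
func PackImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	sig := ed25519.Sign(priv, signed)
	return append(signed, sig...)
}

// VerifyImage is the boot-side step: parse, check the signature against the
// device's public key, then enforce anti-rollback on the signed version.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if uint64(hdrLen)+uint64(plen)+uint64(sigLen) != uint64(len(img)) {
		return 0, nil, ErrBadFormat
	}
	signed := img[:hdrLen+int(plen)]
	sig := img[hdrLen+int(plen):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, img[hdrLen : hdrLen+int(plen)], nil
}

// BootResult models the outcome: firmware runs and the charger joins the
// network only when verification passed; otherwise both stay down.
type BootResult struct {
	Running   bool
	NetworkUp bool
	Reason    string
}

func Boot(pub ed25519.PublicKey, installed uint32, img []byte) BootResult {
	if _, _, err := VerifyImage(pub, installed, img); err != nil {
		return BootResult{Running: false, NetworkUp: false, Reason: err.Error()}
	}
	return BootResult{Running: true, NetworkUp: true, Reason: "signature verified"}
}

func main() {
	pub, priv := DemoKeys()
	good := PackImage(priv, 2, []byte("charger firmware v2 (constructed payload)"))
	fmt.Printf("genuine v2:     %+v\n", Boot(pub, 1, good))

	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0x01 // flip one payload bit
	fmt.Printf("tampered:       %+v\n", Boot(pub, 1, tampered))

	_, rogue := DemoKeys() // attacker signs with a key the device doesn't trust
	fmt.Printf("rogue-signed:   %+v\n", Boot(pub, 1, PackImage(rogue, 9, []byte("evil"))))
	fmt.Printf("rollback to v2: %+v\n", Boot(pub, 3, good))
}
```

The rollback check matters because "only runs signed firmware" on its own still lets an attacker reinstall an older, genuinely signed image with a known bug; tying the version to the signature closes that path.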
A government consultation carried out last year said "many of the legislative requirements are already being met by UK industry."
Current electric car chargers, however, aren't required to comply with mainstream cybersecurity standards. Last year there was a minor kerfuffle after infosec firm Pen Test Partners revealed just how poorly secured some chargers are, including at least one that was based around a Raspberry Pi.
Hence the government's statement: "Compliance with cyber requirements may require a longer timeframe, to ensure that the supporting changes can be implemented by industry."
Designing a secure product does take time and effort, though the 12-month grace period could lead to a year-long free-for-all of installing substandard chargers to beat the deadline.
Clearly UK.gov reckons that's an acceptable trade-off to bridge the gulf between 2030's planned ban on new conventional cars and the state of electric car infrastructure today – whether properly secured or not. ®