Defending the power grid by segmenting the EV charging cyber infrastructure

Kirill Kuroptev, Florian Steinke, Efthymios Karangelos

Abstract

This paper examines defending the power grid against load-altering attacks using electric vehicle charging. It proposes to preventively segment the cyber infrastructure that charging station operators (CSOs) use to communicate with and control their charging stations, thereby limiting the impact of successful cyber-attacks. Using real German charging station data and a reconstructed transmission grid model, a threat analysis shows that without segmentation, the successful hack of just two CSOs can overload two transmission grid branches, exceeding the N-1 security margin and necessitating defense measures. A novel defense design problem is then formulated that minimizes the number of imposed segmentations while bounding the number of branch overloads under worst-case attacks. The resulting IP-MILP bi-level problem can be solved with an exact column and constraint generation algorithm and with heuristics for fast computation on large-scale instances. For the near-real-world Germany case, the applicability of the heuristics is demonstrated and validated under relevant load and dispatch scenarios. It is found that the simple scheme of segmenting CSOs evenly by their installed capacity leads to only 23% more segments compared to the heuristic optimization result, suggesting potential relevance as a regulatory measure.

Paper Structure

This paper contains 18 sections, 1 theorem, 7 equations, 5 figures, 4 tables, 1 algorithm.

Key Result

Proposition 1

The proposed CCG algorithm terminates in a finite number of iterations with the exact optimal solution of the original defense design problem (eq:seg_problem).

Figures (5)

  • Figure 1: By hacking a CSO's cyber infrastructure, an attacker can change default power system operation (black numbers) by a certain level (orange numbers). EVCSs can be manipulated up- and downwards by starting additional charging processes or terminating current ones. Attached EVCSs are addressed directly by the adversary; power plants taking part in FCR react indirectly. A branch overload (orange line) follows. A defense against this attack is the segmentation and shown assignment of the CSO's cyber infrastructure (dashed, green lines): in this case, an attack using any one of the segments can no longer achieve an overload. The defense is applied preventively, i.e., before any attack arises, to prevent lateral movement by an adversary after an intrusion.
  • Figure 2: The optimal preventive segmentation of the IEEE RTS 24-Bus system with five CSOs (black letters next to EVCSs) splits only the cyber infrastructure of CSO A into two segments, with a uniform distribution at each bus. This results in at most one overloaded branch (marked orange) in case of a worst-case LAA attack.
  • Figure 3: Reconstructed transmission grid of Germany from [matke2017structure] joined with EVCS data of [bnetza_emobilitaet_2025]. The charging capacity assigned to a bus is coded by the size and color of the node.
  • Figure 4: LAA decision and overloaded branches for the HLLR scenario and hacking budget $\text{C}^\text{Hack} = 10$. The absolute load-altering at a bus is coded by the size of the node. Parallel branches are not shown individually; if one is overloaded, all are marked red.
  • Figure 5: Number of overloaded branches versus the number of used segments for different heuristic segmentation schemes in the scenario HLLR with hacking budget $\text{C}^\text{Hack}=10$. The iterative informed heuristic segmentation itin_thres_2, where every hacked segment is uniformly split, ensures at most one overloaded branch in the worst case, while requiring 16 fewer segments than the uniform thresholding scheme uni_thres_50. Thresholds CS for the uni_thres_CS scheme are given in MW. Note that at least 20 segments are needed, one for each of the 20 modeled CSOs.
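
The trade-off behind uniform thresholding can be sketched for sizing purposes as follows. This is an added example, not code from the paper. It assumes that a threshold splits each CSO evenly into the fewest segments no larger than the threshold, that the hacking budget counts compromised segments, and that attacker-controlled capacity stands in for the paper's branch-overload count, which needs the grid model; the capacities are constructed.

```python
import math

# Constructed installed charging capacity per CSO in MW (not data from the paper).
CSO_CAPACITY_MW = {"A": 420.0, "B": 180.0, "C": 95.0, "D": 60.0, "E": 25.0}


def uniform_threshold_segments(capacity_mw, threshold_mw):
    """Split every CSO evenly into the fewest segments of size <= threshold_mw.

    Assumed reading of a uniform thresholding scheme; returns a list of
    (cso, segment_index, segment_capacity_mw) tuples.
    """
    segments = []
    for cso, cap in capacity_mw.items():
        n = max(1, math.ceil(cap / threshold_mw))
        segments.extend((cso, i, cap / n) for i in range(n))
    return segments


def worst_case_controlled_mw(segments, hack_budget):
    """Capacity controlled after compromising the hack_budget largest segments.

    Proxy metric only: it bounds the load an attacker can alter, but does not
    model power flows or branch limits.
    """
    sizes = sorted((seg[2] for seg in segments), reverse=True)
    return sum(sizes[:hack_budget])


def sweep(capacity_mw, thresholds_mw, hack_budget):
    """Return (threshold, number_of_segments, worst_case_mw) per threshold."""
    rows = []
    for threshold in thresholds_mw:
        segs = uniform_threshold_segments(capacity_mw, threshold)
        rows.append((threshold, len(segs),
                     worst_case_controlled_mw(segs, hack_budget)))
    return rows


if __name__ == "__main__":
    # A threshold of 1000 MW leaves every CSO unsegmented (the baseline).
    for threshold, n_segments, worst in sweep(CSO_CAPACITY_MW, [1000, 100, 50], 2):
        print(f"threshold={threshold:>5} MW  segments={n_segments:>2}  "
              f"worst-case controlled={worst:.1f} MW")
```

Lower thresholds shrink the capacity reachable with a fixed hacking budget at the cost of more segments to operate, which is the quantity the defense design problem minimizes.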

Theorems & Definitions (2)

  • Proposition 1
  • proof