With the price of gas soaring to near record highs, small business owners may be considering alternative modes of commercial transportation.
A recent survey by Hartford Steam Boiler (HSB), a Munich Re company, found that 15% of small and medium-size businesses (SMBs) had leased or purchased electric vehicles (EVs) for commercial use. While EVs could certainly help companies to offset the risk of volatile gas prices, they do not come without risks.
Among the SMBs who had added EVs to their service fleets, there was one common concern. More than three-quarters (76%) said they were worried about the cybersecurity of EVs and the potential for public EV charging stations to be targeted by hackers, ransomware, and other cyberattacks.
“When talking about vehicles of any kind, there are a couple of ways that a hacker could potentially get in,” said Timothy Zeilman, vice president of HSB. “One is through Bluetooth or Wi-Fi, a second is through something that gets plugged into the vehicles via diagnostic ports, and a third way is by getting into the manufacturers’ servers that communicate with and provide updates to vehicles.
“Those kinds of exposures exist for basically all modern vehicles. But for EVs, you’ve got that additional use of public charging stations, where not only electricity, but data is also exchanged. This basically provides an additional potential way in for hackers.”
Plug-in electric chargers communicate with EVs through an internet connection, and security experts have warned that these systems could be hacked. This is concerning for SMBs, many of whom (46%) told HSB they were somewhat or very concerned about the cyber exposures and safety of internet connected and automated vehicles.
So far, in North America, cyber exposures related to EV charging stations have been in the hands of researchers, analysts, and white hat hackers, who have proven the risks through controlled testing. There have not been any significant incidents attributed to bad actors.
However, in recent weeks, there have been reports of EV charging stations on a Russian motorway being hacked and disabled by a Ukrainian company, and then made to display anti-Putin messages. Where there is motivation – in this case, hackers are trying to undermine and antagonize Vladimir Putin following Russia’s invasion of Ukraine – the risk has evolved from a possibility to a reality.
For the SMB owners and managers who are concerned about the cybersecurity of EV charging stations, unfortunately, there’s not a lot that they can do on an individual basis to mitigate their risk, according to Zeilman. The security of the charging stations is generally under the control of the private organizations that build and own them.
“With traditional IT, the owner has a lot of control over the security [of their networks and devices] and whether they use endpoint protection software, firewalls, back-ups, and all those traditional things [that are deemed] best practices,” said Zeilman.
“But with EVs, you have much less ability to customize the security on your vehicle – that’s largely controlled, if not entirely controlled by the manufacturer of the vehicle – and you have no ability to influence the security of the public charging stations, there’s not a lot that the owner of the vehicle or fleet of vehicles can do to mitigate the security risks.
“To a certain extent, if you can avoid public EV charging stations, and mostly charge your vehicles at home or at your business premises, I think that’s one step that can be taken to mitigate those risks.”
Beyond the risks associated with using public EV charging stations, 44% of SMB owners and managers responding to the HSB poll said they fear that malware, or another cyberattack will damage or destroy their vehicles’ data, software, or operating systems.
Most of them (56%) said they are somewhat or very concerned their vehicles could be immobilized or made inoperable, their safety compromised (54%), and that a hacker could communicate and confront them over their audio system (43%).
One big insurance question related to all of this revolves around whether there is insurance coverage under traditional policies, like commercial auto insurance, that would apply and respond to these risks.
“I don’t think you’re going to find explicit coverage for these cyber risks [but] you might find coverage for the consequences of them,” Zeilman told Insurance Business. “For example, if a bad actor takes control of a vehicle and causes an accident, I believe the consequences of that accident would still be covered [by commercial auto insurance] regardless of the cause. But if a vehicle were instead to be disabled or have its capabilities diminished in some way because of a hack, I don’t believe you’re going to find coverage for that sort of thing under a standard commercial auto policy.
“One interesting question would be: if the fleet owner also has a commercial cyber policy, would you find coverage under that policy? And I think the easy answer is that there’s not going to be explicit coverage. Generally, you’re not going to find commercial cyber coverage that says: ‘We affirmatively cover the vehicles you own.’ But I also think that many commercial cyber coverage forms are probably broad enough that you might be able to find some coverage […] if you look hard enough.”
These types of EV cyber risk scenarios are frequently discussed by insurers and risk managers, and, according to Zeilman, SMB owners and managers are right to be concerned.
“It is mostly a potential risk at this point, although we’re starting to see evidence that when people are properly motivated, it is something that actually can be carried out,” said Zeilman. “But if I were a small business, I wouldn’t let that hold me back if moving to EVs made sense in all the other considerations that I was weighing.
“It is my expectation, and certainly my hope, that EV manufacturers, owners of EV charging station networks, and the insurance industry will all adapt to the increasing threat environment, particularly if we start seeing actual events, so that the response will be sufficient, both from a security side, and from a risk transfer and insurance coverage side as well.”