Meeting the necessary cybersecurity requirements and standards is a crucial prerequisite for securing National Electric Vehicle Infrastructure (NEVI) Formula Program funding. State plans require site owners and third-party contractors to provide cybersecurity plans that demonstrate the cybersecurity maturity of the suggested solution and their compliance with the applicable standards and regulations. Read this article to better understand which cybersecurity components the NEVI plans require and how Saiflow can help you maximize your NEVI scoring criteria.
The National Electric Vehicle Infrastructure (NEVI) Formula Program, derived from the $5B US Bipartisan Infrastructure Law (BIL), is designed to allocate funds to states for the purpose of strategically deploying electric vehicle (EV) charging infrastructure, mainly along the Alternative Fuel Corridors (AFCs), and creating an interconnected network to enhance the data collection, accessibility, and reliability of the charging infrastructure.
According to the NEVI Formula Program Guidance issued on February 10, 2022, a state’s EV AFC network and sites must meet minimum standards and requirements for projects funded under the NEVI Formula Program. The proposed standards and requirements apply to the installation, operation, or maintenance of EV charging infrastructure.
As NEVI Plans enter the implementation phase, there is an increased emphasis on cybersecurity in State Plans’ scoring criteria. To qualify for NEVI funding, sites must meet the minimum cybersecurity regulations and comply with State regulations and laws related to power grid protection and data privacy. Additionally, the development of response and recovery plans for cyber attacks is necessary to gain the maximum score.
NEVI Cybersecurity Requirements
The NEVI Program’s main goal is to increase EV adoption by eliminating one of the most common sources of anxiety surrounding EVs – how far they can travel without running out of battery, also known as range anxiety. Moreover, in the event of a necessary evacuation, states that are susceptible to natural disasters will need to rely on the charging infrastructure to operate effectively. Thus, it is crucial to protect the charging sites against cyber attacks and ensure the availability, continuity, and integrity of the charging infrastructure.
Meeting the necessary cybersecurity requirements and standards is a crucial prerequisite in all State Plans, and is also a key criterion for gaining NEVI funding. State plans require site owners and contracted third parties to provide cybersecurity plans that demonstrate the cybersecurity maturity of the solution and how the recipient will maintain and improve cybersecurity throughout the life of the proposed solution. Compliance with the applicable Federal and State cybersecurity standards and regulations is also necessary, as site recipients will own, operate, and maintain the EV charging stations as well as the data produced.
EV charging stations provide direct connections to the electric vehicle’s onboard system and to the EV charging service provider’s network (via the internet or cellular networks). They also connect indirectly to the driver’s smartphone (if the charge is paid for with an app), to banking information (if a debit or credit card is used), to telecommunication providers, and to the electric grid. Moreover, recipients and third parties are required to share and publish the stations’ locations, power ratings, and costs to the various sites that track EV charging stations, including the US Department of Energy Alternative Fuel Data Center (AFDC).
With all this network connectivity and data sharing, States require that the EV charging network not pose cybersecurity or personal privacy risks, either to customers or to the power grid. Although charging station vendors do enhance the individual charger’s resilience against cyber attacks, the charger is only one aspect of the site’s overall exposed network. To maximize the site’s NEVI scoring criteria and prevent potential harm to customers, hardware, or the power grid, it is essential to incorporate the necessary network security layers and tools, such as network monitoring, next-generation firewalls, and vulnerability management systems.
Cybersecurity Requirements Checklist
The NEVI cybersecurity requirements include:
- Enforcement of open-source network connectivity, and the usage of applicable encryption and authentication mechanisms when possible.
- Implementation of access control for the network, assets, and the systems used within the network, and ensuring that no unauthorized modifications are made.
- Auditing, monitoring, and logging of systems that store or process citizen information.
- Development of data management plans that incorporate guidance on risk assessments for personnel involved.
- Protection against malicious software updates for the stations and other assets in the network.
- Protection against malicious vehicles that can infect stations during future charges.
- Mitigation plans for adverse impacts on the electric grid.
- Ability to correlate events, create security alerts, and alert on a cyber event.
- Plans for maintaining and improving the network cybersecurity posture, which should include the ability to detect and mitigate known vulnerabilities and misconfigurations.
- Presentation of evidence that the cybersecurity plan was properly implemented.
- Presentation of third-party cybersecurity tests and reports.
- Alerting the State and the Cybersecurity and Infrastructure Security Agency (CISA) of any known or suspected network or system compromises.
Partner With Saiflow To Meet NEVI Compliance
Saiflow’s turnkey solution helps you meet the cybersecurity criteria while enhancing your offering to maximize your site’s NEVI scoring. Saiflow supports the EV charging site from the get-go with network assessment, cybersecurity analysis, and safeguards implementation, and helps you pass the NEVI privacy and cyber impact assessments.
Saiflow provides NEVI consultancy services, including risk assessment reports and the needed cyber mitigation plans, and supports the site owner during and after the NEVI funding application process. This support includes planning, implementation, and 24/7 cybersecurity monitoring that will alert and respond to cyber incidents and events.
Saiflow’s core engines, products, and services are vendor agnostic, use the required open-source protocols (including OCPP, OCPI, IEEE 2030.5, DNP3, IEC 61850), and are tailored to the uniqueness and challenges of DC fast charging networks. The Saiflow platform integrates natively with the site network, provides operators with an increased chance of being funded via the NEVI Formula Program, and supplies sites with the tools they need to prevent data and energy theft, manipulations, hardware damage, and grid impact.