Electric Vehicles Face Hidden Cyber Threats in Their Power Systems

As electric vehicles become mainstream, their reliance on advanced electronics for propulsion introduces new cybersecurity risks that go beyond typical car hacking. A study published in the Journal of Information Systems Engineering and Management investigates how cyber-attacks could target the traction power electronics in EVs—components like inverters and motor controllers that convert battery energy into motion. These systems are critical for vehicle safety and performance, yet they are increasingly connected through networks like CAN bus and automotive Ethernet, creating entry points for malicious actors. The research highlights that attacks on these low-level systems could lead to physical dangers, such as uncontrolled acceleration or braking failure, making this a pressing issue for the automotive industry and consumers alike.

The researchers used the STRIDE threat modeling framework to systematically identify vulnerabilities in EV traction systems, focusing on six categories: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. They mapped these threats to specific components, such as torque sensors, gate driver firmware, and communication interfaces. For example, spoofing attacks could inject false torque feedback, leading to incorrect motor control, while denial-of-service attacks could flood the CAN bus with messages, delaying critical commands. This structured approach revealed that even minor disruptions in control signals or sensor data could have severe consequences, emphasizing the need for robust security measures in these embedded systems.

To test the impact of these threats, the team conducted simulations using MATLAB/Simulink and SCADASim, modeling a typical EV traction powertrain under normal driving conditions with a 50% torque demand. They injected four types of attacks: sensor spoofing, denial-of-service, firmware tampering, and data injection. Each scenario was evaluated based on metrics like torque deviation, response latency, voltage anomalies, and system downtime. For instance, in sensor spoofing attacks, forged torque feedback caused a maximum torque deviation of 36.8%, leading to noticeable acceleration oscillations. The simulations showed that without protection, such attacks could destabilize the system for up to 0.9 seconds before safety systems intervened, highlighting the real-time sensitivity of these components.

Demonstrated significant disruptions across all attack types. Denial-of-service attacks increased command latency by 185 milliseconds, reducing torque response by 24.5% and causing system downtime averaging 2.3 seconds. Firmware tampering led to voltage anomalies exceeding 420 volts, triggering hardware shutdowns, while data injection attacks caused a 28% torque drop by misleading the controller with false speed data. To mitigate these risks, the researchers implemented a lightweight, rule-based intrusion detection system (IDS) embedded in the motor controller firmware. This IDS detected attacks within 55 to 120 milliseconds, with zero false positives, and enabled safe-state responses like activating a limp mode that limits power output to 30-40% of nominal levels, allowing for continued drivability while alerting the driver.

Despite these promising countermeasures, the study acknowledges limitations, such as the lack of hardware-in-the-loop testing and the simplified nature of the rule-based IDS, which may not catch more stealthy attacks. Future research should explore hybrid IDS frameworks combining rule-based and AI-driven anomaly detection, as well as formal verification of control firmware. underscore that as EVs evolve with greater connectivity and autonomy, cybersecurity must extend beyond infotainment systems to protect the embedded electronics that control propulsion. This calls for updated industry standards and regulatory frameworks to ensure that EV manufacturers prioritize security-by-design, safeguarding the safety and reliability of electric mobility for all users.