Content uploaded by Shashank Sripad
Author content
All content in this area was uploaded by Shashank Sripad on May 29, 2019
Content may be subject to copyright.
Vulnerabilities of Electric Vehicle Battery Packs to Cyber-
attacks
Shashank Sripad1, Sekar Kulandaivel2, Vikram Pande1, Vyas Sekar2& Venkatasubramanian Viswanathan1
1Department of Mechanical Engineering, Carnegie Mellon University, Pittsburgh, Pennsylvania
15213.
2Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh,
Pennsylvania 15213.
Electric Vehicles (EV) like all modern vehicles are entirely controlled by electronic devices
and networks that expose them to the threat of cyberattacks. Cyber vulnerabilities are mag-
nified with EVs due to unique risks associated with EV battery packs. Current batteries
have well-known issues with specific energy, cost and fire-related safety risks. In this study,
we develop a systematic framework to assess the impact of cyberattacks on EVs and EV
subsystems. While the current focus of automotive cyberattacks is on short-term physical
safety, especially in the context of EVs, it is crucial to consider long-term cyberattacks that
aim to cause financial losses through accrued impact. Compromised battery management
systems such as the control of the voltage regulator could lead to cyberattacks that can either
overdischarge or overcharge the pack. Overdischarge could lead to failures such as internal
shorts in timescales of under an hour through cyberattacks that utilize energy-intensive EV
subsystems like auxiliary components. Attacks that overcharge the pack could shorten the
lifetime of a new battery pack to less than a year. Further, this also poses potential physical
safety risks via the triggering of thermal (fire) events. Attacks on auxiliary components lead
to battery drain, which could be up to 20% per hour. We also develop a heuristic for the
stealthiness of a cyberattack to augment traditional threat models for automotive systems.
The methodology and the approach presented here will help in building the foundational
principles for cybersecurity in the context of electric vehicles: a nascent but critical topic in
the coming years.
1
Figure 1: A pictorial illustration of various attack scenarios. The illustration enumerates all the
variables that need to be considered for analyzing the impact of cyberattacks, which could cause
(i) Physical or (ii) Financial impact. The attacker could utilize auxiliary components within the
EV or the charging systems using the attacker’s control dimensions. The cyberattacks can cause
temporary effects or permanent damage. The only environmental state variable of relevance in this
scenario is the ambient temperature. The different variables that define the state of the battery pack
influence the magnitude of impact due to the cyberattack. (The automobile outline illustration is
published with permission from Chris Philpot.)
Modern vehicles consist of a myriad of devices and systems ranging from safety-critical sys-
tems that control a vehicle’s brakes to auxiliary components that adjust cooling and wiper speeds.
While such components enhance the users’ safety and comfort, they also render the vehicle’s in-
ternal networks vulnerable to cyberattacks. When these vulnerabilities are exploited, attackers can
gain access to safety-critical systems like the brakes and transmission of the vehicle, as demon-
strated by recent work.1, 2
Alongside, another notable development in the automotive sector is the transition to electric ve-
hicles (EVs) motivated by efforts to downscale tailpipe emissions.3, 4 Widespread EV adoption is
bottlenecked by limited driving range, battery pack cost, battery lifetime and safety issues associ-
ated with Li-ion batteries.3, 5, 6 The battery pack forms a significant fraction of the total cost of the
electric vehicle (∼20% of the cost).7, 8 From the standpoint of automotive cybersecurity, while the
primary focus is on immediate safety concerns, EV battery packs introduce several new aspects
of vulnerability. It is crucial to explore the cybersecurity aspects of battery packs to inform and
improve future work in EV cybersecurity.
One challenge in assessing systems involving batteries is to accurately analyze the complex molecular-
2
scale processes occurring inside a closed system.9–11 A practical battery system stores a fixed
amount of energy via reversible electrochemical reactions. During normal operation, several un-
wanted side reactions also occur, which eventually degrade the battery’s ability to store energy
and thus, reduce the lifetime.12–18 Further, from a safety standpoint, batteries have a specified set
of conditions for safe operation, outside of which there is the risk of thermal events. Cyberat-
tacks may compromise driving range by draining energy through higher loads, reduce lifetime by
enhancing side reactions, and compromise safety by pushing the operating conditions to unsafe
limits, shown in 1.
The threat model for an EV is centered around an attacker who aims to cause either physical or
financial losses through cyberattacks. Modern vehicles, including EVs, contain several devices
called Electronic Control Units (ECUs) that are responsible for a majority of vehicle’s functions.
These ECUs gather sensor inputs and actuate mechanical components within the vehicle.1Recent
efforts that have demonstrated the vulnerabilities in automotive networks, have primarily examined
vehicles that employ the Controller Area Network (CAN) communication protocol. CAN is the
prevailing standard for intra-vehicle communication due to low cost and robustness; however, there
are many CAN exploits.1An attacker can gain access to the vehicle’s CAN networks via direct
physical access 1, 19 or the remote exploitation of an ECU with existing direct access.2
Attack Scenarios: If an attacker aims to cause financial impact, one attack trajectory could
be reducing the lifetime of the battery pack by enhancing the rate of degradation. In terms of
physical damage, cyberattacks could increase the risk of thermal runaway where the attacker can
overcharge or overdischarge the battery pack through attacks on the battery management systems
(BMS) used in conjunction with parasitic loads.
In this work, we develop a physics-driven approach which uses an experimentally validated battery
model20 within a vehicle dynamics model to simulate the operation of an EV.21,22 We also explore
new concepts like ‘stealthiness of attacks’ and the trade-offs between stealthiness of attack and
extent of damage from the attack. Using this framework, we quantify the impact of cyberattacks
in different scenarios. We analyze either financial and physical losses incurred through either: (i)
permanent damage, defined as a change in the state of system that is irreversible, for example,
irreversible capacity loss in a battery pack and (ii) temporary damage, defined as a change in
the state of system that is (mostly) reversible, for e.g., reduction in state-of-charge which can be
recovered by re-charging.
Permanent Damage: As we stated previously, cyberattacks can accelerate cell degradation
and shorten the lifetime of the battery pack. Experimental demonstration of degradation is typi-
cally indirect as batteries are closed systems and measuring the internal states of the batteries is
extremely difficult.23,24 Thus, a validated physics-based model that can track the internal states of a
battery packs provides a convincing means to demonstrate permanent damage due to cyberattacks.
3
Among the different mechanisms that cause cell degradation, two main processes of interest are:
(i) growth of the solid-electrolyte interphase (SEI) layer at the graphite anode and (ii) lithium
plating.12, 14–16, 18, 25 The SEI layer grows as a result of solvent reduction at the anode-electrolyte
interface and consumes Li+ions, thereby causing a decrease in the amount of active Li+ions
available and a reduction in capacity. Plating of Lithium at the anode similarly leads to a loss in
capacity along with an increase in the risk of internal shorts which could lead to catastrophic safety
issues.26–28
The permanent damage due to a cyberattack can be quantified using the rise in the internal resis-
tance of the cell. The rise in the internal resistance is estimated using the increase in the thickness
of the SEI layer.25,29 The extent of Li-plating is controlled by the electrochemical potential for
lithium deposition or the ‘Li-plating potential’.14 The EV battery pack end-of-life is characterized
by degradation in capacity to 80% of the initial capacity.30, 31 We define the usable 20% of the
capacity as the ‘vital capacity’ of the battery pack. A parametric study of the effect of different
variables on degradation is compiled in the Supplementary Information.
Compromised Auxiliary Components: Compromised auxiliary components effectively act as
parasitic loads. Quantifying the impact of such attacks requires a close examination of different
operating and environmental variables. The variations in each of the state variables like tempera-
ture, state-of-charge (SOC), pack size, age of the pack, etc. and the set of variables that defines a
given auxiliary component attack workload32–34 affects the degradation in vital capacity in a dif-
ferent manner. A parametric analysis of all the variables, exploring the effect of each variable,
similar to other studies15, 16 reveals that the damage to vital capacity increases with the tempera-
ture by following the Arrehenius relationship which implies that cyberattacks conducted at higher
ambient temperature would cause greater impact. Damage to vital capacity also increases with
the State-of-Charge of the battery pack which suggests that attacks on fully charged battery packs
would cause more damage. As the age of the pack increases, the damage caused by a fixed load
in the same conditions decreases. The damage to vital capacity is seen to be a sub-linear function
of the total time of attack, characteristic of a diffusion-limited process. Further, damage to vital
capacity increases linearly with an increase in the cumulative energy consumption of the load, a
phenomenon which has been covered previous studies on capacity fade.15, 16
Following the insights from the parametric analysis, we infer that attacks which comprise of energy
intensive auxiliary components when engaged after a new battery pack is fully charged cause
the most damage. We design the attack scenarios accordingly. We consider two types of EV
users based on charging behavior, either charging at ‘Home’ or charging at ‘Home’ and at ‘Work’.
The sample attack workload spans a duration of one hour and is based on the combination of
A/C at high power along with Lights, Power-Steering and Wipers. We analyze the cases where
these users are located in Oslo, San Francisco, Beijing, Delhi and Phoenix which serve as proxies
for the environment state variable of temperature and are chosen to represent a wide range of
temperature conditions. In order to analyze the impact of auxiliary component cyberattacks, we
use ∆R, a quantity which represents the increase in internal resistance of the cell compared to a
4
Charging at Work
Charging at Home
Oslo
San Francisco
Beijing
Delhi
Phoenix
1
1.5
2
2.5
3
3.5
R* in 400 days
0
5
10
15
20
25
30
35
Mean Temperature, [°C]
Figure 2: We can study the impact of auxiliary component cyberattacks here, based on the results
for simulations equivalent to ∼400 days. ∆R∗represents the increase in the resistance of the cell
due to the cyberattack when compared to the baseline scenario. The triangular markers indicate
situations where the vehicle is attacked twice in a day. In such cases, the average ∆R∗of the two
attacks is shown, while the circular markers represent the cases with one attack over the day.
cell which has not been subjected to the attack workloads. ∆R essentially provides information
on the effectiveness of the cyberattack. We calculate ∆R after 400 days for each case using the
following relationship,
∆R = RA
SEI −RB
SEI
RB
SEI
,(1)
where RSEI is the resistance due to the SEI layer, and ‘A’ and ‘B’ represent the attack and baseline
scenario. For the quantities reported in (Fig. 2), ∆R∗values are obtained by normalizing all the
∆R values with the minimum value in a given set which facilitates the comparison of values within
the set.
In (Fig. 2), the rise in ∆R∗is the most for Oslo, which has the lowest average ambient temper-
ature. While an increase in ambient temperature causes an increase in the thickness of the SEI
layer, the resistance due to the formation of SEI layer impedes further growth.35 This phenomenon
leads to the fact that places like Phoenix, where the ambient temperature is high, already feature a
substantial SEI layer thickness, thereby minimizing any additional damage to vital capacity due to
the attack workload. However, it is worth highlighting that the average resistance due to the SEI
film formed is higher in warmer regions compared to colder regions. The two cases of charging, at
Home and at Work, do not show any substantial difference, although, if the EV is charged in both
locations, then we have two separate time windows for attack.
5
Figure 3: A compromised battery management system, is vulnerable to attacks that override the
lower voltage cutoff which can overdischarge the pack. During overdischarge, one of the initial
steps is the decomposition of the Li-ion containing SEI layer which is followed by the dissolution
of copper ions from the current collectors, with the possibility of internal shorts and other safety
events. The estimated time to the onset of copper dissolution occurs during overdischarge is shown
above for the cells based on NCA (Ni0.8Co0.15Al0.05O2) cathode and Graphite anode. For compo-
nents with the power consumption equivalent to lights (∼200 W), the time to onset of copper dis-
solution is under 2 hours while components with a high power consumption like air-conditioning
have a timescale of less than an hour.
Compromised Battery Management Systems, Overdischarge: When a BMS is compromised,
an override of the lower cut-off voltage is possible.36 An attack on an EV with a depleted battery
pack and compromised BMS can lead to overdischarge through energy-intensive auxiliary compo-
nents. In terms of such cyberattacks occurring on an EV with the depleted battery pack, the idea
of using wake-up functions as attacks has been demonstrated recently.37 Such attacks could be fol-
lowed by auxiliary component attacks discussed in this work, to overdischarge the cells. During
overdischarge, the initial stages involve the decomposition of the SEI layer which is composed
of Lithium containing compounds and subsequently Copper dissolution from the current collector
begins.38 The dissolved Copper ions eventually lead to deposition of metallic Copper and poten-
tial internal shorts. The time for potential failure can be estimated using the time required for the
decomposition of the SEI layer during the cyberattack, as shown in (Fig. 3). The cells shown
in (Fig. 3) correspond to that of a 100 kWh battery pack based on NCA (Ni0.8Co0.15 Al0.05O2)
cathode and Graphite anode. The thickness of the SEI layer is a function of the age of the battery
pack where 50nm is assumed to be equivalent to a battery pack aged over 2 years, however, the
thickness would change with the vehicle operating conditions. We observe that attacks that in-
volve components with an energy consumption rate of over 200W, the timescale for the complete
decomposition of the SEI layer and potential failure is under 2 hours. While the consequences of
overdischarge in Li-ion batteries depend on the kind of materials used in the cells, the impact could
range from the loss of energy through the internal short to thermal and safety events as well.36,38
6
Figure 4: The impact of cyberattacks on charging systems specifically aimed at overcharging the
battery pack is summarized here.(a) The attacks studied here lasts for one hour after charging.
We can study the increase in the SEI growth rate and ∆R∗.(b) This increase along with Li-plating
translates to capacity fade and could shorten the lifetime to about 200 days at an overcharge voltage
of about 0.4V. The reduction in the Li-plating potential due to overcharge in (Fig. 4a), provides a
metric to quantify the risk of developing internal shorts due to lithium plating.41 When the same
attacks are performed on older packs, we observe that the ∆R∗growth rate increases while the
Li-plating potential decreases, both of which are detrimental to the state-of-health of the battery
pack.
Compromised Battery Management Systems, Overcharge: A compromised BMS can modify
the upper cut-off voltage.39 The pack can then be charged at a voltage higher than the normal
charging voltage (manufacturer specific upper voltage cutoff) leading to overcharging. Within a
constant current-constant voltage protocol,40 an increase in the charging current would lead to
an increased rate of degradation which is an extension of the previously mentioned parametric
analysis on the discharge rate of the battery pack. However, overcharging the battery pack leads to
various other issues shown in (Fig. 4).
In (Fig. 4a), we observe a super-linear rise in the growth rate of ∆R∗as the overvoltage per cell
increases in a fresh cell. The charging system cyberattack simulated spans a duration of one hour
after charging similar to the auxiliary component cyberattacks. However, the consequent damage
caused to the battery pack in terms of capacity fade, as shown in (Fig. 4b), is enormous. At a
cell overvoltage of 0.4V, we observe that the pack reaches its end-of-life or 100% damage to vital
capacity in about 200 days. This could result in significant financial impact as shown in (Fig. 4b)
where we estimate the monetary value of the loss of capacity for a 100kWh battery pack assuming
the cost of battery packs of about $200/kWh.42 (Fig. 4a) also shows the decrease in the Li-plating
potential which implies that lithium would plate more readily at higher overvoltage. Over time,
such attacks could lead to an increased amount of Li-plating which could have safety implications
resulting in physical impact including thermal events and fire.26,43
Temporary Damage: With compromised auxiliary components, attack workloads can cause
a depletion of energy contained in the battery pack, thereby a reduction in available driving range.
7
Table 1: Stealthiness of attack, a qualitative metric used by attackers to reduce the chance of
detection.
Auxiliary Component Stealthiness of Attack
Parked Stationary Driving
A/C-High High Low Medium
A/C-Low High High High
Power Steering N/A High High
Lights High Low Medium
Fan High Low Medium
Wipers Medium Very Low Very Low
Combinations High Low Low
This damage can be reversed by charging the battery pack. However, such attacks can play into
the well-known issue of ‘range anxiety’.3For some vehicles, with battery packs <40kWh battery
packs, up to 20% of the available range could be depleted in under one hour with energy intensive
attack workloads which include combinations of auxiliary components as discussed previously.
Such attacks which engage several components at the same time will be more energy intensive
compared to single components, however, such attacks might be easier to detect for the user which
is discussed in the subsequent sections.
Stealthiness of Attack: An important constraint on a cyberattack is the likelihood of it getting
detected. In the case of auxiliary components, the detection is by the user and hence it is difficult
to develop a quantitative metric for the same. However, in order to provide a basic overview of the
issue, we develop a qualitative understanding using three scenarios, namely, ‘parked’, ‘stationary’
(at rest within driving operation) and ‘driving’. A summary of the stealth of an attack involving a
given auxiliary component is given in (Tab. 1). Such a metric is heuristic but it provides a calibra-
tion for the components that are more likely to be targeted based on the attacker’s perspective. An
auxiliary component that involves a high stealthiness of attack and is also energy intensive would
naturally be targeted often.
Rowhammer Attack: Rowhammer style attacks44 have been demonstrated previously where
targeted workloads on memory systems were generated to cause corruptions which can be used
to launch further attacks. We observe an analogous case here with battery systems since battery
pack is made up of several cells arranged in a matrix involving a series-parallel configuration. This
architecture is vulnerable to ‘rowhammer’ attacks since individual strings or cells within battery
packs could be targeted through a compromised battery management system and the damage to
individual strings or cells is magnified. Each of the cyberattack scenarios we have considered, like
attacks on auxiliary components, overcharge, and overdischarge could be orchestrated as rowham-
mer attacks. We previously discussed the various factors due to which the damage to the battery
pack increases with a reduction in pack size for the same workload which is especially relevant
to rowhammer attacks. Such attacks could not only shorten the lifetime of the targeted subset of
the battery pack but could also lead to issues related to instabilities due to the isolation of strings
within the battery pack.
8
We have discussed the potential physical and financial impact due to cyberattacks on EVs and EV
subsystems. We identify simple but effective cyberattacks on auxiliary components that can tem-
porarily drain the battery pack up to 20% per hour. Furthermore, we analyze attacks could lead to a
deterioration in the power capability due to an increase in the cell resistance. We use a metric which
is equivalent to the ‘normalized resistance increase’, which can be used to quantify the extent of
performance reduction. We find that normalized resistance increase is generally higher for colder
regions. We find that cyberattacks on auxiliary components launched after the pack is completely
charged (i.e. high state-of-charge) leads to more damage. The cell resistance increase, largely
due to the formation of a solid-electrolyte-interphase (SEI) layer, follows a sublinear relationship
with time. This results in a new pack being more vulnerable than an aged pack to cyberattacks on
auxiliary components. Compromised battery management systems expose the pack to two kinds
of attacks, (i) Overdischarge and (ii) Overcharge. Overdischarge attacks which override the lower
cutoff voltage of the pack could lead to the complete decomposition of the SEI layer in under two
hour thorough auxiliary components with a power rating of over 200W. The decomposition of the
SEI is followed by the dissolution of Copper ions which could eventually lead to internal shorts
and potential safety events. Cyberattacks launched during charging through the compromise of the
voltage regulator could lead to an overcharge of the cells, which in some cases could even lead to
physical safety issues (e.g. fire). Further, this could lead to a new pack being depleted to 80% of
its initial capacity (end-of-life for an EV battery) in less than a year. Finally, a compromise of the
battery management system could lead to novel “rowhammer"-style attacks (attacking a string of
cells), which could damage a subset of cells in a short time span. We believe that the results pre-
sented here will inform the development of robust detection and prevention systems and provide a
rational design approach for electric vehicle automotive security.
Acknowledgements S. S., S. K., V.S. and V. V. gratefully acknowledge support from Technologies for
Safe and Efficient Transportation University Transportation Center. V.S. and V. V. gratefully acknowl-
edges support from the Pennsylvania Infrastructure Technology Alliance, a partnership of Carnegie Mellon,
Lehigh University and the Commonwealth of Pennsylvania’s Department of Community and Economic
Development (DCED).
Competing Interests The authors declare that they have no competing financial interests.
Correspondence Correspondence and requests for materials should be addressed to V.V.
(email: venkvis@cmu.edu).
Methods
Battery Pack Simulations. The description of the system of equations for the multiphysics bat-
tery model14, 20 can be found elsewhere. Cells constructed based on this modelling framework are
assembled into a battery pack model. The baseline load profile for the vehicle is based on Urban
Dynamometer Driving Schedule for 50 miles per day, along with a constant current-constant volt-
age (CC-CV) charging protocol with a peak power of a level-1 charger. The attack workloads are
9
implemented within this daily load profile. The daily load profiles are repeated to simulate the
operation over a long period. The battery model is a thermally coupled model,20 and the ambient
temperature conditions are implemented within the same simulation framework, described in detail
in the Supporting Information.
Supporting Information (SI): Supporting Information contains details of the parametric study for
battery degradation and other information on the battery modeling undertaken for the study.
References
1. Koscher, K. et al. Experimental security analysis of a modern automobile. In 2010 IEEE
Symposium on Security and Privacy, 447–462 (IEEE, 2010).
2. Miller, C. & Valasek, C. Remote exploitation of an unaltered passenger vehicle (2015).
3. Needell, Z. A., McNerney, J., Chang, M. T. & Trancik, J. E. Potential for widespread electri-
fication of personal vehicle travel in the united states. Nat. Energy 1, 16112 (2016).
4. Kempton, W. Electric vehicles: Driving range. Nat. Energy 1, 16131 (2016).
5. Cano, Z. P. et al. Batteries and fuel cells for emerging electric vehicle markets. Nat. Energy
3, 279 (2018).
6. Gröger, O., Gasteiger, H. A. & Suchsland, J.-P. Electromobility: Batteries or fuel cells? J.
Electrochem. Society 162, A2605–A2622 (2015).
7. Safari, M. Battery electric vehicles: Looking behind to move forward. Energy Policy 115,
54–65 (2018).
8. Schmuch, R., Wagner, R., Hörpel, G., Placke, T. & Winter, M. Performance and cost of
materials for lithium-based rechargeable automotive batteries. Nat. Energy 3, 267 (2018).
9. Wang, C. & Srinivasan, V. Computational battery dynamics (cbd)-electrochemical/thermal
coupled modeling and multi-scale modeling. J. Power Sources 110, 364–376 (2002).
10. Ramadesigan, V. et al. Modeling and simulation of lithium-ion batteries from a systems engi-
neering perspective. J. Electrochem. Soc. 159, R31–R45 (2012).
11. Dubarry, M., Vuillaume, N. & Liaw, B. Y. From single cell model to battery pack simulation
for li-ion batteries. J. Power Sources 186, 500 – 507 (2009).
12. Christensen, J. & Newman, J. Cyclable lithium and capacity loss in li-ion cells. J. Electrochem.
Soc. 152, A818–A829 (2005).
13. Santhanagopalan, S., Guo, Q., Ramadass, P. & White, R. E. Review of models for predicting
the cycling performance of lithium ion batteries. J. Power Sources 156, 620–628 (2006).
10
14. Yang, X.-G., Leng, Y., Zhang, G., Ge, S. & Wang, C.-Y. Modeling of lithium plating induced
aging of lithium-ion batteries: Transition from linear to nonlinear aging. J. Power Sources
360, 28–40 (2017).
15. Safari, M., Morcrette, M., Teyssot, A. & Delacourt, C. Life-prediction methods for lithium-
ion batteries derived from a fatigue approach i. introduction: Capacity-loss prediction based
on damage accumulation. J. Electrochem. Soc. 157, A713–A720 (2010).
16. Safari, M., Morcrette, M., Teyssot, A. & Delacourt, C. Life prediction methods for lithium-ion
batteries derived from a fatigue approach ii. capacity-loss prediction of batteries subjected to
complex current profiles. J. Electrochem. Soc. 157, A892–A898 (2010).
17. Ramadesigan, V. et al. Parameter estimation and capacity fade analysis of lithium-ion batteries
using reformulated models. J. Electrochem. Soc. 158, A1048–A1054 (2011).
18. Peled, E. & Menkin, S. Sei: past, present and future. J. Electrochem. Soc. 164, A1703–A1719
(2017).
19. Checkoway, S. et al. Comprehensive experimental analyses of automotive attack surfaces. In
USENIX Security Symposium (San Francisco, 2011).
20. Kalupson, J., Luo, G. & Shaffer, C. E. AutolionTM: A thermally coupled simulation tool for
automotive li-ion batteries. Tech. Rep., SAE Technical Paper (2013).
21. Sripad, S. & Viswanathan, V. Evaluation of current, future, and beyond li-ion batteries for
the electrification of light commercial vehicles: Challenges and opportunities. J. Electrochem.
Soc. 164, E3635–E3646 (2017).
22. Sripad, S. & Viswanathan, V. Performance metrics required of next-generation batteries to
make a practical electric semi truck. ACS Energy Lett. 2, 1669–1673 (2017).
23. Fathi, R. et al. Ultra high-precision studies of degradation mechanisms in aged licoo2/graphite
li-ion cells. J. Electrochem. Soc. 161, A1572–A1579 (2014).
24. Smith, A., Burns, J. C., Zhao, X., Xiong, D. & Dahn, J. A high precision coulometry study of
the sei growth in li/graphite cells. J. Electrochem. Soc. 158, A447–A452 (2011).
25. Safari, M., Morcrette, M., Teyssot, A. & Delacourt, C. Multimodal physics-based aging model
for life prediction of li-ion batteries. J. Electrochem. Soc. 156, A145–A153 (2009).
26. Abada, S. et al. Safety focused modeling of lithium-ion batteries: A review. J. Power Sources
306, 178–192 (2016).
27. Deng, J., Bae, C., Marcicki, J., Masias, A. & Miller, T. Safety modelling and testing of
lithium-ion batteries in electrified vehicles. Nat. Energy 3, 261 (2018).
28. Deng, J., Bae, C., Miller, T., L’Eplattenier, P. & Bateau-Meyer, S. Accelerate battery safety
simulations using composite tshell elements. J. Electrochem. Soc. 165, A3067–A3076 (2018).
11
29. Lawder, M. T., Northrop, P. W. C. & Subramanian, V. R. Model-based sei layer growth and
capacity fade analysis for ev and phev batteries and drive cycles. J. Electrochem. Soc. 161,
A2099–A2108 (2014).
30. Wood, E., Alexander, M. & Bradley, T. H. Investigation of battery end-of-life conditions for
plug-in hybrid electric vehicles. J. Power Sources 196, 5147–5154 (2011).
31. Saxena, S., Le Floch, C., MacDonald, J. & Moura, S. Quantifying ev battery end-of-life
through analysis of travel needs with vehicle powertrain models. J. Power Sources 282, 265–
276 (2015).
32. Hendricks, T. J. Vehicle Transient Air Conditioning Analysis: Model Development & System
Optimization Investigations. Tech. Rep., National Renewable Energy Lab., Golden, CO.(US)
(2001).
33. Johnson, V. H. Fuel used for vehicle air conditioning: a state-by-state thermal comfort-based
approach. Tech. Rep., SAE Technical Paper (2002).
34. Perrucci, G. P., Fitzek, F. H. & Widmer, J. Survey on energy consumption entities on the
smartphone platform. In Vehicular Technology Conference (VTC Spring), 2011 IEEE 73rd,
1–6 (IEEE, 2011).
35. Christensen, J. & Newman, J. Effect of anode film resistance on the charge/discharge capacity
of a lithium-ion battery. J. Electrochem. Soc. 150, A1416–A1420 (2003).
36. Lee, Y.-S. & Cheng, M.-W. Intelligent control battery equalization for series connected
lithium-ion battery strings. IEEE Transactions on Industrial electronics 52, 1297–1307
(2005).
37. Cho, K.-T., Kim, Y. & Shin, K. G. Who killed my parked car? arXiv preprint
arXiv:1801.07741 (2018).
38. Guo, R., Lu, L., Ouyang, M. & Feng, X. Mechanism of the entire overdischarge process and
overdischarge-induced internal short circuit in lithium-ion batteries. Sci. Rep. 6, 30248 (2016).
39. Lelie, M. et al. Battery management system hardware concepts: An overview. Applied Sci-
ences 8, 534 (2018).
40. Zhang, S. S. The effect of the charging protocol on the cycle life of a li-ion battery. J. Power
Sources 161, 1385–1391 (2006).
41. Bugga, R. V. & Smart, M. C. Lithium plating behavior in lithium-ion cells. ECS Transactions
25, 241–252 (2010).
42. Kittner, N., Lill, F. & Kammen, D. M. Energy storage deployment and innovation for the clean
energy transition. Nat. Energy 2, 17125 (2017).
12
43. Wang, Q. et al. Thermal runaway caused fire and explosion of lithium ion battery. J. Power
Sources 208, 210–224 (2012).
44. Kim, Y. et al. Flipping bits in memory without accessing them: An experimental study of
dram disturbance errors. In ACM SIGARCH Computer Architecture News, vol. 42, 361–372
(IEEE Press, 2014).
13
Vulnerabilities of Electric Vehicle Battery Packs
to Cyberattacks on Auxiliary Components
Shashank Sripada, Sekar Kulandaivelb, Vikram Pandea, Vyas Sekarb,1 , and Venkatasubramanian Viswanathana,1
a
Department of Mechanical Engineering, Carnegie Mellon University, Pittsburgh PA 15213;
b
Department of Electrical and Computer Engineering, Carnegie Mellon University,
Pittsburgh PA 15213
This manuscript was compiled on February 18, 2018
Modern automobiles are entirely controlled by electronic circuits and
programs which undoubtedly exposes them to the threat of cyber-
attacks. Alongside, there is a potential for massive growth in elec-
tric vehicle (EV) adoption. The cyber vulnerabilities are magnified
with electric vehicles because of the unique and critical risks that
entail most EV batteries. EV battery packs provide ‘limited driv-
ing range’ and have ‘finite lifetime’, and there is widespread anxi-
ety regarding range and life. In this study, we develop a systematic
framework to model cyberattacks on auxiliary components and iden-
tify the consequent impact on EV batteries. We model the possible
cyberattacks on auxiliary components by engaging them in various
’modes’ and analyze the impact on battery packs described through
a physics-driven experimentally-validated model that accurately cap-
tures battery dynamics and degradation. In the short-term, cyberat-
tacks could deplete a battery pack by up to 20% per hour and com-
pletely drain the available range. The EV battery pack is most vul-
nerable to cyberattacks when it is fully charged due to the influence
of state-of-charge (SOC) on the battery health. For long-term impact,
we explore the location effect of attack and identify that cyberattacks
could cause a 3-fold increase in the internal resistance (an indicator
of cycle life) in cold regions versus hot regions. We believe that the
methodology and the approach presented will help in building the
foundational principles for cyber-security in the context of electric
vehicles; a very nascent but crucially important topic in the coming
years.
electric vehicles
|
automotive cyber-security
|
Li-ion batteries
|
battery
degradation
T
he modern automobile has all of its ‘workflows’ controlled
by electronic circuits, and the provision of additional
features and wireless instruments renders the vehicle vul-
nerable to a host of cyberattacks. The area of automotive
cyber-security has received significant attention over the
past few years (
1
,
2
) and demonstrated cases of automotive
cyberattacks till date have been primarily focused on the
possibility of compromising the functionality and safety of
automobiles.(1,2)
Alongside, another notable development in the automotive
sector is the transition towards EVs as a response to tailpipe
emissions and global warming.(
3
,
4
) The current global stock
of over 2 million EVs and HEVs is evidence for the tremendous
progress in EV adoption.(
5
) However, their adoption is still
limited by concerns of limited driving range, lifetime, and
safety owing to the limitations and potential risks associated
with current Li-ion batteries.(6–8)
Given these two emerging trends, a natural question that
emerges is the possibility of cyberattacks in undermining
the range, life and safety of EV batteries. The hacking
of battery firmware, limited to portable electronics, where
the supplanting of routine commands with malicious ones
within battery monitoring systems is shown.(
9
) It is worth
highlighting that EV batteries are vastly different from
portable electronics in terms of the scale of the systems,
conditions of operation, as well as the constituent materials
and thus, there exists an enormous gap in understanding
the landscape of automotive cybersecurity unique to electric
vehicles.
The primary challenges involved in assessing the security
concerns of systems involving batteries is due the complex
molecular-scale processes occurring inside a closed system. A
practical battery system stores a limited amount of energy via
reversible electrochemical reactions at each electrode. During
normal operation, several unwanted side reactions also occur
which eventually degrade the battery’s ability to store energy
and thus, reduce the lifetime(
10
). In addition, any battery
system also has a specified set of conditions for safe operation,
outside which there is a potential risk of fire due to the
flammable electrolytes used in modern batteries (
7
,
11
), an
event generally referred to as ‘thermal runaway’ (
7
). cyberat-
tacks could compromise the driving range of EVs by targeting
the stored energy, the lifetime by enhancing the side reactions,
and safety by pushing the operating conditions to unsafe limits.
In this article, we develop a physics-driven approach to sys-
tematically analyze cyberattacks on EV batteries. Using this
approach, we analyze the potential impact of a cyberattack
on the driving range of the EV, and secondly, the impact
Significance Statement
Modern automobiles are exposed to a host of cyberattacks and
the potential risks that entail such attacks has gained significant
attention lately. Alongside, globally, the automotive industry is
transitioning towards electric alternatives as a response to the
harmful effects of tailpipe emissions. The heart of an electric
vehicle, the battery pack, could be the target of such cyberat-
tacks, and the associated risks are both critical and unique. In
order to understand and quantify these risks, we need a new
paradigm which couples existing automotive cyber-security nar-
ratives with the knowledge-base on battery systems, and this
study presents the first such model for analysis.
V.S and V.V designed the research, S.S. performed all the battery pack simulations. S.K. and S.S.
developed the detectability index. S.S., S.K., V.P., V.S. and V.V. analyzed the results and wrote the
paper.
The authors declare no conflict of interest.
1To whom correspondence should be addressed. E-mail: venkvis@cmu.edu,
vsekar@andrew.cmu.edu
PNAS | February 18, 2018 | vol. XXX | no. XX | 1–11
Fig. 1.
Pictorial illustration of an
attack scenario. The illustration
enumerates all the variables that
need to considered for analyzing
the impact of a cyberattack. The
four sets of variables together de-
fine the environment, specify and
define the state of the battery pack,
provide a description of the vari-
ables under the attacker’s control,
and stipulate the constraints that
the attack is subjected to. The
attacker employs the control vari-
ables with the intention of causing
short-term impact in terms of re-
duction in the range of the vehi-
cle or to cause long-term perma-
nent damage to the battery pack.
(The automobile outline illustration
is published with permission from
Chris Philpot.)
on the lifetime of the battery pack. The attack scenarios
considered are shown in (Fig. 1), where the attacker is able to
gain control of the auxiliary components of the automobile to
orchestrate a cyberattack. The different variables that need
to be considered for modeling such an attack scenario could
be categorized as (i) Environment state variables, (ii) Battery
pack state variables, (iii) Attacker’s control dimensions, and
(iv) Attacker’s constraints. Throughout this study, we only
consider ‘primary’ attacks which can compromise systems
within the vehicle. It is worth pointing out that ‘secondary’
attacks which attempt to compromise the infrastructure
around EVs like charging stations could also be important.
Furthermore, we do not explicitly address the issue of the
possibility of fire (
7
), since a physics-driven understanding of
this phenomenon is limited at this stage.
In order to enable this analysis, we systematically compiled
the energy consumption pattern of every auxiliary component
along with its characteristic power profile. The relevant data
for such power profiles is curated from a large number of
studies (
12
–
16
) where several components in different modes
of operation have been analyzed. We believe this dataset will
form an important piece for future automotive cybersecurity
studies.
The workload of a cyberattack is determined by the instanta-
neous power consumed and the duration of the attack. In the
context of auxiliary components, the cyberattack can engage
one or more components in different operating modes for vary-
ing periods of time, which forms the control dimensions of the
attacker. The workloads cause a quantifiable impact on the
functionality of the battery pack and thereby of the vehicle
itself. It is worth pointing out that cyberattacks engaging
certain components can be easily identified (for e.g. windshield
wipers). Further, long term engagement also leads to possible
identification (for e.g. air conditioning). Thus, there exists
additional constraints on duration of attacks and the choice
of components for engaging the attack. We explicitly address
this issue by developing a preliminary metric for detectability
by systematic categorization of the components.
Results and Discussion
We begin by examining the short-term and long-term impacts
of cyberattacks on EV battery packs followed by a discussion on
a possible approach to understand the attacker’s constraints.
Short-term Impact.
Once the auxiliary components are
compromised, the attack workloads cause a depletion of
energy contained in the battery pack, thereby a reduction in
available driving range. Such an impact would play into the
well-known issue of ‘range anxiety’(17,18).
For the examination of short-term impact or range reduction,
we examine different electric vehicles chosen on the basis of
the availability and market share in the United States (
19
),
namely, Leaf manufactured by Nissan Motor Company Ltd., i3
by BMW AG, Model S P100D by Tesla, Inc., and e6 by BYD
Auto Co., Ltd.. The relevant data on the energy consumption,
range, and battery pack characteristics for each of these
vehicles can be found in the (SI-Text). For all our battery
pack analysis, we use a multiphysics thermally coupled Li-ion
battery model (
20
) based on the AutoLion-ST platform. The
details and working of the model can be found in the (Methods
Section). We have successfully utilized this platform for realis-
tic pack design in a variety of electric vehicle use-cases. (
21
–
23
)
The short-term impact of different attack workloads on each
of the aforementioned EVs is shown in (Fig. 2). The workload
could comprise of either a single component or multiple
components engaged at the same time. The important variable
in the context of short-term impact is energy consumption,
which determines the range of the vehicle. In terms of battery
pack state variables, the pack energy or size determines the
range based on the energy consumption per unit distance
or electric-mileage of the vehicle. In (Fig. 2), we observe
the short-term impact by engaging various components is
roughly linear in time with the slope being given by the power
consumed by the component(s). As would be expected, the
high power components such as air conditioning (A/C, 2.6
kW) and Wipers (1.2 kW) lead to the greatest reduction
in range. We observe that EVs with smaller battery pack
like the Nissan Leaf (30 kWh) or the BMW i3 (33 kWh) are
impacted to a much greater extent with a loss in range of
2| Sripad et al.
Leaf
i3
e6
Model S
0 0.2 0.4 0.6 0.8 1
Total Time of Attack [hr]
AC-High+Lights+Power-Steering+Wipers
AC-Low+Power-Steering+Wipers
AC-High
AC-Low
Wipers
Power Steering
Lights
Fan
0
6
12
18
Fraction of Total Range Lost [%]
0
6
12
18
0
3
6
9
0
2
4
6
Fig. 2.
The fraction of rated range lost due to the
cyberattack is determined using the energy con-
sumption per unit distance of the electric vehicle.
The energy consumption changes with temperature,
where extreme (low of high) temperatures lead to
an increased energy consumption. The quantity of
range reduced is calculated using the same energy
consumption as the one used to calculate the rated
range, and hence the fraction of rated range lost is
independent of the ambient temperature. Fur ther
details of the relevant calculations can be found in
the (SI-Text).
approximately 20% of the total rated range compared to
under 10% for EVs like the Tesla Model S (100 kWh) and the
BYD e6 (75 kWh) for an hour-long attack. An important
implication of (Fig. 2) is that regions and countries where EV
adoption is being proposed with the deployment of EVs with
small battery packs for urban commute would face a greater
threat from cyberattacks.
It is worth noting that the fraction of total range shown in (Fig.
2) is calculated in the best-case scenario of a fully charged
battery pack (100% SOC). However, it is well-known that the
average SOC will be well below 100%(
24
) and approximately
half the Tesla EV users maintain a charge-level of 80% or
lower(
24
). Based on the this average state of charge, the
fractional range reduction could be 25% higher.
The short-term range reduction analysis also highlights the
risk to hybrid electric vehicles (HEVs) since most HEVs
have much smaller battery packs compared to EVs, and
consequently would lose most of the electric driving range in
a short span of time. As the battery packs age, the capacity
and driving range reduces, and consequently the impact of
short-term cyberattacks would be greater. The rate of aging
for current EV battery packs is typically low and thus, the
age of the pack has minimal effect in the context of short-term
impact.
To summarize, short-term impact or range reduction due to
a given cyberattack workload is more effective on smaller
battery packs at a lower state-of-charge. The impact would
also be marginally higher for older battery packs. The move
towards smaller battery packs for urban commute faces a
huge threat from cyberattacks. In addition, in the urban
scenario, the typical state-of-charge of EVs is well below full
charge and with limited charging infrastructure available per
EV, this represents a serious vulnerability.
Long-term Impact.
Assessing long-term impact is challenging
due to the prohibitive (and often impractical) ‘time-cost’
associated with actual battery testing.(
25
) Thus, the only
realistic approach to tackling this challenge is to build
high-fidelity experimentally validated models coupled with
high-precision testing for a short period of time.(26,27)
The primary mechanism responsible for cell degradation is the
growth of the solid-electrolyte interphase (SEI) layer at the
graphite anode of a Li-ion battery.(
28
) The layer grows as a
result of solvent reduction at the anode-electrolyte interface
which consumes Li
+
ions, thereby causing a decrease in the
amount of active Li
+
ions available and loss in capacity. A
model for the current density of the rate of SEI formation is
given by:
jSEI =−kSEIcsol exp( αF
RT (φ1−φ2−
δ
κSEI
(jn+ jSEI))),[1]
The details of each of the variables can be found in (SI-Text).
In addition to loss in capacity, the thickness of the SEI layer
increases the internal resistance or impedance of the cell,
thereby leading to a loss in the power capabilities.
We propose that the long-term impact of a cyberattack can
be quantified using the increase in thickness of the SEI layer
or equivalently by the increase in internal resistance due to
the attack. The EV battery pack end-of-life is characterized
by degradation in capacity to 80% of the initial capacity
(
29
). The usable 20% of the capacity can be called the ‘vital
capacity’ of the battery pack, and the variations in each of
the state variables like temperature, state-of-charge, pack size,
pack age, etc. affect the degradation in vital capacity in a
different manner. A parametric analysis of all the variables
was carried out, shown in (Fig. S1-S4), to explore the effect
of each variable on the damage to vital capacity and thereby
identify the variables which influence the degradation process
to the greatest extent.
The damage to vital capacity as a function of ambient tempera-
ture during the cyberattack displays the well-known Arrhenius
relationship (
30
) as seen in (Fig. S1). Attacking a battery
pack at higher operating temperatures, or in other words, a
Sripad et al. PNAS | February 18, 2018 | vol. XXX | no. XX | 3
time-of-day when the temperature is higher or in geographical
locations where the ambient temperature is higher would lead
to a greater damage to vital capacity. Evaluating the effect of
temperature along with variations in the state-of-charge of
the battery pack can be seen in (Fig. S2), based on which we
can conclude that cyber-attacks conducted on fully charged
battery packs would have a much greater impact than attacks
on depleted packs. The time-window after an EV battery pack
is fully charged is when the battery is at its highest state-of-
charge, and hence is the point when the EV is most vulnerable.
Baseline Load
Attack Load
Home Work Home
Attack
(a)
-20
0
20
40
60
Power [kW]
AttackAttack
(b)
Baseline Load
Attack Load
0:00 4:00 9:00 14:00 19:00 23:59
Time-of-day [24-hour clock]
-20
0
20
40
60
Power [kW]
Fig. 3.
The daily power load on the Model S P100D which shows multiple scenarios.
The power load shown in ‘blue’ represents the baseline scenario where we have no
cyberattacks, and the ‘red’ represents the attack scenario. The attack is assumed
to take place only during the time-window after charging based on the conclusions
drawn from the our analyses above. The case where the user charges only at home is
illustrated in (a) while (b) is a case where the user charges both at home and at work.
The attack scenario in the work-charging case could have two distinct sub-cases
where the attack is conducted either at one or both the time-windows after charging.
An important question emerges on whether age of the pack
plays a role in determining the impact of cyberattack. (Fig.
S2) shows a bi-variate analysis between SOC and temperature
for battery packs of different age, where we observe that older
packs show a lower magnitude damage for the same attack
workload. Further, we observe a monotonic decrease in the
magnitude of damage with every successive attack for the
same attack workload. (Fig. S3) shows this quantitatively,
illustrating the damage to vital capacity as a function of
the time taken by different attack workloads. This shows
that damage to vital capacity is a sub-linear function of the
total time of attack and age of the pack, characteristic of a
diffusion-limited process.
The effect of the nature of the power profile of a workload
can be studied using the metrics of cumulative energy
consumption, the average power, and the rate of change in
power. In (Fig. S4), we observe that while the damage to vital
capacity increases linearly with increase in the cumulative
energy consumption and average power, the effect of an
increase in the differential of power is minimal. Alternatively,
what we see is that the magnitude of the discharge rates
induced due to auxiliary components is not large enough
to have a significant effect on the damage to vital capacity,
consistent with prior experimental predictions of the capacity
fade with rate of discharge (30).
Using an attack workload that is more energy intensive or
attacking a battery pack that is smaller have an equivalent
effect, since the metric needed to assess is the depth-of-
discharge (∆DOD) due to the workload. We would also obtain
a linear relationship between the ∆DOD and the damage to
vital capacity similar to the one seen in (Fig. S4). It follows
that workloads which employ energy intensive components
or workloads with multiple components engaged together,
would cause a greater impact on the battery pack. Although,
the increase in the magnitude of damage due to workloads
with higher energy consumption is not significant, as seen in
(Fig. S4) from the small slope of the linear relationship. A
‘row-hammer’ attack scenario based on the same concept is
that of exerting the attack workload on a few rows of cells
within the pack. Under such a scenario the ∆DOD increases
linearly with the decrease in number of rows. Such an attack
would magnify the damage on the rows of the cells under
attack and would accelerate the degradation to end-of-life.
Charging at Work
Charging at Home
Oslo
San Francisco
Beijing
Delhi
Phoenix
1
1.5
2
2.5
3
3.5
R* (in 400 days)
Fig. 4.
We can study the long-term impact of cyberattacks here based on the results
of simulating the power loads shown in (Fig. 3) for
∼
400 days.
∆R∗
represents the
relative increase in the resistance of the cell due to the cyberattack when compared
to the baseline scenario. Each geographical location shown is incorporated using
the variations in ambient temperature over the year. The triangular mar kers indicate
situations where both time-windows after charging in the work-charging case are
exploited to attack and in such cases the average
∆R∗
of the two attacks is shown in
the figure, while the circular markers represent the cases where only one cyberattack.
The data used to incorporate the ambient temperature variations can be seen in (Fig.
S6)
Based on the parametric study summarized above, we can
now describe critical attack workloads that are possible and
examine them in real-world scenarios. The combination of
components chosen for an attack aimed to cause greater
impact would be a combination shown in (Fig. 2) which uses
4| Sripad et al.
high-powered air-conditioning, along with lights, wipers, and
the power-steering. The results from the parametric analysis
of the state-of-charge suggests that the attack should be
conducted after the pack is charged completely, and hence we
need to design the attack scenario accordingly. We consider
two types of EV users as shown in (Fig. 3), the first is a
user who only charges the battery pack at ‘Home’ and the
other is a user who charges at ‘Home’ and at ‘Work’. In
the former case we have only instance to attack, while the
latter case has two instances for the attack. We analyze the
cases where these users are located in Oslo, San Francisco,
Beijing, Delhi and Phoenix. These locations are chosen to
represent a range of temperatures and including potential
locations where there could be substantial EV penetration.
We also limit the total time for attack to one hour due to
the constraints of detectability, which will be discussed later.
Another aspect to note here is the apparent analogy between
our current approach to assessing long-term damage from
cyberattacks and discussions on damage to EV batteries
from the Vehicle-to-Grid (V2G) model(
31
), but an important
distinction between the two situations is that the in the latter,
the user controls whether or not the EV participates in the
V2G model, whereas, in the context of cyberattacks the user
has no control. It follows that, the findings from our analysis
would have implications on the approaches to assess damage
for V2G scenarios as well.
In order to assess the permanent damage caused due to the
cyberattack in real-world scenarios shown in (Fig. 3), we
propose the use of a normalized quantity,
∆R
, which represents
in the increase in internal resistance of the cell as compared to
a cell within a pack which has not been subjected to the attack
workloads.
∆R
provides information on the effectiveness of
the cyberattack. We calculate
∆R
after 400 days for each case
using the following relationship,
∆R = RA
SEI −RB
SEI
RB
SEI
,[2]
where
RSEI
is the resistance due to the SEI layer, and ‘A’
and ‘B’ represent the attack and baseline scenario. For the
quantities reported in (Fig. 4),
∆R∗
values are obtained by
normalizing all the
∆R
values with the minimum value in a
given set.
In (Fig. 4), we observe an interesting result regarding location
that the relative increase in internal resistance is the most
for Oslo, which has the lowest average ambient temperature.
This appears to be in contradiction with earlier analysis that
shows that higher temperature leads to greater damage to vital
capacity. While an increase in ambient temperature causes an
increase in the thickness of the SEI layer, the resistance due
to the formation of SEI layer impedes further growth. This
phenomenon leads to the fact that places like Phoenix, where
the ambient temperature is high, already feature a substantial
SEI layer thickness, thereby minimizing any additional damage
to vital capacity due to the attack workload. It is worth
highlighting however, that the average resistance due to the
SEI film formed is higher in warmer regions compared to colder
regions.(
32
) Comparing the two scenarios of an attack after
charging at home versus at work, there is minimal effect on
the damage to vital capacity, since the average temperature
between the two cases is nearly the same. This analysis
suggests that the extent of damage is highest for colder regions,
but largely independent of attack timing. In (Fig. 4) we can
also study the second case which is that of two attack sequences,
one at Work and the other at Home, which is possible in the
Work charging scenario.
Driving
(a)
0
2
4
6
8
Detectability Index
AC-High
AC-Low
Power Steering
Lights
Fan
Charging or Parked
(b)
0 0.5 1 1.5 2
Total Time of Attack [hr]
0
2
4
6
8
Detectability Index
AC-High+Lights+Power-Steering+Wipers
AC-Low+Power-Steering+Wipers
AC (High/ Low)
Wipers
Power Steering
Lights
Fan
Fig. 5.
Detectability Index for the various auxiliary components considered for two
cases (a) When the user the driving (b) When the EV is charging or at rest in a
parked state, where the detectability index limit is assumed to be 5. Components like
Air-Conditioners have an exponential rise in the detectability index in the driving case
while in the resting or charging scenario we observe a much lower detectability for the
same. When more than one component is engaged the detectability limit is exceeded
in the driving scenario and hence do not feature in the first case.
Attack Constraints.
An important limitation on the attack
is the ability to be detected and the detection process is a
highly probabilistic quantity that depends on many different
factors. Here, we propose a simplistic model towards handling
this complex issue. We develop a quantity, which we term
‘detectability index’ for each component which is a function of
time, that measures the degree to which an attack on that
component can be detected. The methodology for calculating
the detectability index is based on the evaluation of three
primary detectable indices associated with a given auxiliary
component, (i) physical actuation, (ii) notification regarding
the engagement of component and (iii) the component’s
Sripad et al. PNAS | February 18, 2018 | vol. XXX | no. XX | 5
effects on the environment. For example, a component like an
air-conditioner would involve physical actuation which can be
detected due to the audibility of the fans and compressors,
with user notifications which indicate the component has
been engaged, and finally cause a change in temperature and
humidity over time. The detectability index, is examined in
two scenarios, when the user is driving or when the EV is at
rest. A more detailed discussion on the methodology followed
in the development of detectability index can be found in
(SI-Text) and (Fig. S5).
The detectability index limit is chosen to be five at which
point, it is very likely that the attack will be detected. The
detectability index of an attack workload with more than
one component engaged at the same time would be a linear
combination of the detectability indices of each of the engaged
components. Among the easily detectable quantities while
driving, our index identifies that A/C can be detected in
about 20 minutes. However, such an attack while charging or
when parked could go undetected for several hours. Engaging
multiple components (for e.g. power steering and lights) while
driving leads to quite easy detectability within an hour. All
of these factors highlight that the maximum likelihood of a
cyberattack going undetected is when the vehicle is parked or
charging. It is worth highlighting that average vehicle is idle
and unused for well-over 90% of the time.(33)
Conclusions.
We have analyzed the potential impact of
cyberattacks utilizing the auxiliary components alone without
compromising the battery managements systems or the
infrastructure setup around EVs like charging. Auxiliary
component-based attacks are to cause significant short-term
damage by depleting the available range and potential
long-term impact on battery packs by enhancing the side
reactions that damage the battery. Attacks lasting just a
few hours that engage a combination of energy intensive
components could completely deplete the battery pack and as
discussed, this could have serious implications on EV adoption
strategies. Our analysis of long-term damage highlights the
importance of developing phenomenological models of the
degradation process in order to accurate quantify and mitigate
unwanted-and-damaging side reactions. The use metrics
like
∆R
has implications for analyses of damage in other
contexts as well, like damage to EV batteries in V2G scenarios.
While the effect of engaging auxiliary components has the
potential to cause limited damage in the long-term, we believe
that the damage that could be caused during charging could
be much more substantial, as document in other studies as
well (
34
,
35
). Cyber vulnerabilities related to charging is
much less developed and this will form the focus of our future
investigations. In the context of EVs, we have also emphasized
on the critical nature of the battery pack and we need a
more systematic mapping of the automotive (EV) networks
to incorporate the several aspects discussed above for the
design of next-generation security measures. In addition, these
approaches could also be incorporated in battery management
systems in the future, where accurate and precise control
systems could be used both to monitor metrics like
∆R
along
new mechanisms to detect the compromise of EV networks.
We began this analysis by considering the enormous thrust to
adopt EVs along with recently developing automotive cyber
security narratives, and we would like to end by stating that
it is crucial to include EV battery packs within approaches
developed to deal with issues of cyber security. And in this
process, it is vital to understand the importance of accurate,
precise, and predictive models of battery systems.
Materials and Methods
The 1D+1D or Pseudo 2D model used to simulate the battery pack
operation is discussed here. Other details on the power load of the
auxiliary components and the energy consumption of EVs can be
found in the (SI-Text).
Battery Modeling.
These equations used for the battery modeling
are summarized by Fang et al.,(
36
) and Kalupson et al., (
20
) using
Eqns. (3-7) which describe the 1-D transport model for the species
and the charge coupled with a lumped thermal model. The solid
phase charge conservation is given by
∇.(σeff ∇Φs) = jLi,[3]
where
σeff
is the effective electronic conductivity and
Φs
is the po-
tential of the solid phase. The electrolyte phase charge conservation
is given by
∇.(keff ∇Φe) + ∇.(keff
D∇log(ce)) = −jLi,[4]
where
keff
is the effective ionic conductivity,
Φe
is the potential
of the electrolyte phase,
keff
D
is the conductivity and
ce
is volume
averaged Li concentration in the electrolyte phase. The conservation
of species in the electrolyte phase is given by
∂(εece)
∂t=∇.(Deff
e∇ce) + (1 −t0
+)
FjLi,[5]
where
εe
is the volume fraction,
Deff
is the effective diffusion coeffi-
cient,
t0
+
is the transference number, and F is the Faraday constant.
The species conservation in solid phase is given by
∂cs
∂t=Ds
r2
∂
∂r(r2∂cs
∂r),[6]
where c
s
is the concentration of Li in the solid phase, D
s
is the
diffusion coefficient in the solid phase, and ‘r’ represents the radius
of the particles of active material. The energy balance is represented
as a lumped thermal model given by
∂(ρCpT)
∂t= (qr+ qj+ qc+ qe)Acell + hconvAs(k∇T),[7]
which accounts for q
r
reaction heat, q
j
the joule heating, q
c
the
heating due to contact resistance between the current collector
and electrode materials, and q
e
the entropic heating. The
last term represents the heat dissipation, where h
conv
is the
coefficient of heat dissipation and A
s
is the cell external surface area.
Degradation Process.
An SEI film growth model is used to quantify
the loss of active Li-ions and is modeled in a manner similar to
other well-known studies(28).
dδSEI
dt =−jSEI
2F
MSEI
ρSEI
,[8]
where
MSEI
and
ρSEI
are the molecular weight and the density
of the SEI. The resistance due to the SEI is calculated using the
effective conductivity of the electrolyte (solvent) through the SEI
using:
RSEI =δSEI
κeff
SEI
,[9]
ACKNOWLEDGMENTS.
S. S., S. K., V.S. and V. V. gratefully
acknowledge support from Technologies for Safe and Efficient Trans-
portation University Transportation Center. V.S. and V. V. grate-
fully acknowledges support from the Pennsylvania Infrastructure
Technology Alliance, a partnership of Carnegie Mellon, Lehigh Uni-
versity and the Commonwealth of Pennsylvania’s Department of
Community and Economic Development (DCED).
6| Sripad et al.
References
1. Koscher K, et al. (2010) Experimental security analysis of a modern automobile in 2010 IEEE
Symposium on Security and Privacy. (IEEE), pp. 447–462.
2. Checkoway S, et al. (2011) Comprehensive experimental analyses of automotive attack sur-
faces. in USENIX Security Symposium. (San Francisco).
3. Tessum CW, Hill JD, Marshall JD (2014) Life cycle air quality impacts of conventional and
alternative light-duty transportation in the united states. Proceedings of the National Academy
of Sciences 111(52):18490–18495.
4. Laser M, Lynd LR (2014) Comparative efficiency and driving range of light-and heavy-duty
vehicles powered with biomass energy stored in liquid fuels or batteries. Proceedings of the
National Academy of Sciences 111(9):3360–3364.
5. International Energy Agency I (2017) Global EV Outlook, Technical report.
6. Crabtree G, Kócs E, Trahey L (2015) The energy-storage frontier: Lithium-ion batteries and
beyond. MRS Bulletin 40(12):1067–1078.
7. Abada S, et al. (2016) Safety focused modeling of lithium-ion batteries: A review. J. Power
Sources 306:178–192.
8. Lisbona D, Snee T (2011) A review of hazards associated with primary lithium and lithium-ion
batteries. Process Safety and Environmental Protection 89(6):434–442.
9. Miller C (2011) Battery firmware hacking. Black Hat USA pp. 3–4.
10. Santhanagopalan S, Guo Q, Ramadass P, White RE (2006) Review of models for predicting
the cycling performance of lithium ion batteries. J. Power Sources 156(2):620–628.
11. Wang Q, et al. (2012) Thermal runaway caused fire and explosion of lithium ion battery. J.
Power Sources 208:210–224.
12. Hendricks TJ (2001) Vehicle Transient Air Conditioning Analysis: Model Development & Sys-
tem Optimization Investigations, (National Renewable Energy Lab., Golden, CO.(US)), Tech-
nical report.
13. Johnson VH (2002) Fuel used for vehicle air conditioning: a state-by-state thermal comfort-
based approach, (SAE Technical Paper), Technical report.
14. Perrucci GP, Fitzek FH, Widmer J (2011) Survey on energy consumption entities on the smart-
phone platform in Vehicular Technology Conference (VTC Spring), 2011 IEEE 73rd. (IEEE),
pp. 1–6.
15. Lawrence CP (2007) Master’s thesis (University of Waterloo).
16. Andersson C (2004) Ph.D. thesis (Lund University).
17. Rauh N, Franke T, Krems JF (2015) Understanding the impact of electric vehicle driving
experience on range anxiety. Human factors 57(1):177–187.
18. Neubauer J, Wood E (2014) The impact of range anxiety and home, workplace, and public
charging infrastructure on simulated battery electric vehicle lifetime utility. J. Power Sources
257:12–20.
19. Fuels Data Center A (2017) “U.S. Plug-in Electric Vehicle Sales by Model” (https://www.afdc.
energy.gov/data/10567). Published Data, Accessed Date: 06-September-2017.
20. Kalupson J, Luo G, Shaffer CE (2013) Autolion™: A thermally coupled simulation tool for
automotive li-ion batteries, (SAE Technical Paper), Technical report.
21. Sripad S, Viswanathan V (2017) Evaluation of current, future, and beyond li-ion batteries for
the electrification of light commercial vehicles: Challenges and opportunities. J. Electrochem.
Soc. 164(11):E3635–E3646.
22. Sripad S, Viswanathan V (2017) Performance metrics required of next-generation batteries
to make a practical electric semi truck. ACS Energy Lett. 2(7):1669–1673.
23. LeVine S (2017) Researchers try to crack Tesla‘s Model 3 Battery (https://www.axios.com/
researchers-try- to-crack- teslas-wall- of-silence- on-its-model- 3-batter y-2470036723.html).
Online Article, Accessed Date: 22-October-2017.
24. (2017) “Tesla Max Range Batter y Survey” (https://docs.google.com/spreadsheets/d/
t024bMoRiDPIDialGnuKPsg/edit#gid=490778289). Crowd-sourced survey, Accessed Date:
06-September-2017.
25. Ramadesigan V, et al. (2012) Modeling and simulation of lithium-ion batteries from a systems
engineering perspective. J. Electrochem. Soc. 159(3):R31–R45.
26. Fathi R, et al. (2014) Ultra high-precision studies of degradation mechanisms in aged li-
coo2/graphite li-ion cells. Journal of The Electrochemical Society 161(10):A1572–A1579.
27. Smith A, Burns JC, Zhao X, Xiong D, Dahn J (2011) A high precision coulometry study of the
sei growth in li/graphite cells. Journal of The Electrochemical Society 158(5):A447–A452.
28. Safari M, Morcrette M, TeyssotA, Delacour t C (2009) Multimodal physics-based aging model
for life prediction of li-ion batteries. J. Electrochem. Soc. 156(3):A145–A153.
29. Wood E, Alexander M, Bradley TH (2011) Investigation of battery end-of-life conditions for
plug-in hybrid electric vehicles. J. Power Sources 196(11):5147–5154.
30. Choi SS, Lim HS (2002) Factors that affect cycle-life and possible degradation mechanisms
of a Li-ion cell based on LiCoO2.J. Power Sources 111(1):130–136.
31. Richardson DB (2013) Electric vehicles and the electric grid: A review of modeling ap-
proaches, impacts, and renewable energy integration. Renewable and Sustainable Energy
Reviews 19:247–254.
32. Lawder MT, Northrop PW, Subramanian VR (2014) Model-based sei layer growth and capac-
ity fade analysis for ev and phev batteries and drive cycles. Journal of The Electrochemical
Society 161(14):A2099–A2108.
33. Wu Q, et al. (2010) Driving pattern analysis for electric vehicle (ev) grid integration study
in Innovative Smart Grid Technologies Conference Europe (ISGT Europe), 2010 IEEE PES.
(IEEE), pp. 1–6.
34. Safari M, Morcrette M, Teyssot A, Delacourt C (2010) Life-prediction methods for lithium-ion
batteries derived from a fatigue approach i. introduction: Capacity-loss prediction based on
damage accumulation. Journal of The Electrochemical Society 157(6):A713–A720.
35. Safari M, Morcrette M, Teyssot A, Delacourt C (2010) Life prediction methods for lithium-ion
batteries derived from a fatigue approach ii. capacity-loss prediction of batteries subjected to
complex current profiles. Journal of The Electrochemical Society 157(7):A892–A898.
36. Fang W, Kwon OJ, Wang CY (2010) Electrochemical–thermal modeling of automotive li-
ion batteries and experimental validation using a three-electrode cell. Int. J. Energy Res.
34(2):107–115.
Sripad et al. PNAS | February 18, 2018 | vol. XXX | no. XX | 7
Supporting Information for Vulnerabilities of
Electric Vehicle Battery Packs to Cyberattacks on
Auxiliary Components
Shashank Sripad et al.
Supporting Information (SI)
SI Text. Fraction of Range Reduction and the Effect of Temperature:
The energy consumption per unit distance for
each EV is collected from the data of the United States Environmental Protection Agency. The ambient temperature has a
significant impact on the rated range and the use of auxiliary components like heaters and air-conditioners at low or high
ambient temperatures causes an additional loss in range. The SOC is could have an effect on the discharge efficiency of the
battery pack and hence would affect the energy consumption. An aged battery pack would have a lower pack energy, and
hence a lower overall rated range. For more details on the impact of each of these variables on short-term impact. The loss in
range is determined by the energy consumed by the auxiliary components and the energy consumption of the vehicle at the
time instant of the attack. In effect, the fraction of range lost or the ratio of range lost due to a cyber attack and the rated
range of the vehicle would be independent of the temperature.
Parametric Analysis:
Throughout this study, we examine capacity fade considering a quantity defined as ‘vital capacity’
which is equivalent to 20% of the initial capacity of the battery pack. For EVs a degradation of 20% of the initial capacity or
100% of the vital capacity marks the end-of-life of the battery pack (29). In order to examine the effect of each variable, we
select a sample cyber attack defined by a specific workload on the pack conducted for a fixed duration of time. In other words,
we fix all the attacker’s control dimensions and constraints. We also fix all other battery pack and environment state variables
apart from the variable in consideration, and thereby examine permanent damage as a function of the given variable alone.
For examining permanent damage, the first variable considered for analysis is the ambient temperature. The damage to vital
capacity is observed to be an exponentially increasing function of ambient temperature and follows the Arrhenius relationship.
The parametric analysis summarized in (Fig. S1-S4) are the results of battery pack simulations for attack workloads of one
hour comprising of A/C, Lights, Power-Steering and Wipers, for 400 attack-charge cycles. The Constant Current Constant
Voltage (CC-CV) charging protocol is followed in each of the simulations.
The effect of ambient temperature on the damage to vital capacity is illustrated in (Fig. S1). The damage to vital capacity
follows the Arrhenius equation and within the same analysis, on comparing different workload, we can observe the damage to
vital capacity increases linearly as a function of the average power of the workload.
The SOC along with temperature are studied to see their influence on the capacity fade for battery packs of different age,
namely 0, 1, and 2-year-old packs as visualized in (Fig. S2). We observe that the damage to vital capacity increases with
increase in SOC, in other words, if a cyber attack is conducted on a fully-charged battery pack or a battery pack which is
placed in a higher ambient temperature, then the resultant impact would be much greater.
On comparing the SOC-Temperature results for packs of different age, we observe an interesting trend that older packs show
a much lower damage to vital capacity with the same specified cyber attack. This can be explained from the fact that the
SEI layer modeled shows a growth rate which is a sublinear function of time, and hence the capacity fade or damage to vital
capacity decreases for a battery which has already aged for a certain duration.
The effect of total time-of-attack on damage to vital capacity can be seen in (Fig. S3), where we see that the damage is a
sub-linear relationship of time. The damage to vital capacity also increases linearly with a reduction in the battery pack
size. This could be explained as capacity fade being a linear function of the depth-of-discharge, as seen in (Fig. S4) since a
smaller battery pack would have a larger depth of discharge for the same auxiliary component or workload considered, and this
corroborates the findings of other studies (32).
Detectability Index:
The constraints of detectability that need to be examined are shown in (Fig. S5), where we specify a
detectability index to each component as a function of time. The methodology for calculating the Detectability Index in is
based on the evaluation of three primary detectable indices associated with a given auxiliary component, namely, ‘physical
actuation’, ‘dashboard notification’, and changes caused in the environment. For example, a component like an AC would
entail a degree of physical actuation which can be detected due to the audibility of the fans and compressors, with dashboard
notifications which indicate the component has been engaged, and finally cause a change in temperature and humidity over
time. The Detectability Index is examined in two scenarios, either when the user is driving or when the EV is at rest. The
Shashank Sripad et al. 1 of 4
Detectability Index limit is assumed to be five in each case examined in (Fig. S5).
SI Figures.
The results of the paramteric analysis for long-term damage where damage is studied as a function of each variable,
the methodology followed to calculate the detectability index is compiled below, and a visualization of the ambient temperature
data for the long-term damage simulations can be seen here:
0 10 20 30 40
Ambient Temperature [oC]
0
2
4
6
8
10
12
% Damage to Vital Capacity
39.8 39.9 40
10.5
11
11.5
Fig. S1.
Damage to Vital Capacity as a function of ambient temperature for various auxiliary components, where we observe the Arrhenius type relationship. Each attack
workload is run for a time duration of one hour and then subjected to charging with the pack SOC of about 0.7.
Fig. S2.
Bi-variate analysis of the Damage as a function of the SOC and ambient temperature conducted for battery packs of different age (0,1,2 years). The attack workloads
are fixed for a time duration of one hour and then subjected to charging.
2 of 4Shashank Sripad et al.
T = 40oC
0 5 10 15 20 25
Total Time of Attack [days]
0
5
10
15
% Damage to Vital Capacity
18 18.5 19
10
10.5
11
Fig. S3.
Damage to vital capacity studied as a function of the total time of attack for various auxiliary components which shows the sub-linear relationship. Each attack workload
has a duration of one hour, and the pack is then subject to charging. The initial SOC of the pack is maintained at 0.7. The inset shows the different workloads that have been
simulated.
T = 40oC
0123456
Power [kW]
10.8
11
11.2
11.4
11.6
%Damage to Vital Capacity
AC-High+Lights+Power-Steering+Wipers
AC-Low+Power-Steering+Wipers
AC-High
AC-Low
Wipers
Power Steering
Lights
Fan
Fig. S4.
Damage to vital capacity studied as a function of the energy consumption of the auxiliary components at an ambient temperature of 40
o
C. The damage is calculated
after 20 days of attack where the battery pack is subjected to the attack workloads of one over and charged after. The initial SOC of the pack is maintained at 0.7.
Shashank Sripad et al. 3 of 4
Fig. S5.
The basic flowchart for computing the detectability index of various auxiliary components. We see the three categories into which auxiliary components can be
classified into, namely, ‘Physical Actuation’ which includes component like compressors, wipers which involve a moving components. ‘Dashboard/ Notification’ includes all the
components which notify the user about the component being engaged, and lastly the ‘Environment’ includes components that have an impact on the environment like changes
in temperature or humidity. The detectability index values for each of the components is shown with the variable used for categorization where we see two values, the first is the
case where the EV is parked and the second where the values are italicized shows the driving scenario.
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Months
-10
0
10
20
30
40
Average Temperature [oC]
Phoenix
San Francisco
Oslo
Beijing
Delhi
Fig. S6.
The temperature variations in different locations over the year used for the long-term damage studies. The ambient temperature data for each location is incorporated
as an average over every week, and the effect of these changes in temperature can be seen in the SEI growth which is quantified in the model.
4 of 4Shashank Sripad et al.