EV charging security: Network threats & cybersecurity standards
EV charging security: Network threats & cybersecurity standards
Publish Date: 2026-05-01 06:47:00
Source Domain: www.evinfrastructurenews.com
Using an unordered list, summarize the following article with between 4 and 8 key points. EV charging networks have now become critical infrastructure and link residential and commercial infrastructure with a direct connection to the grid at many dedicated locations. EV charging station security is increasingly a concern as more chargepoints are digitally connected to the grid. Control software is connected to the grid to manage energy flow, and EV charging networks also contain software that processes and stores sensitive data. With smart technology and smart grids being more widely implemented, cyberattacks not only present risks to the EV charging structure itself, but also to their customers and the wider grid network.The EV charging threat landscapeAs an increasing number of EV charging stations are online and digitally connected to the energy grid, there is a greater chance that electric vehicle charging vulnerabilities will manifest. This is because there are more entry points for hackers to exploit, both hardware and software. The issue is compounded because there is a lack of standardised protocols when manufacturing components and there are still many EV charging stations that are unregulated, unsecured, and don’t have end-to-end encryption, so are therefore directly vulnerable to cyberattacks.Related:UK surpasses 2 million EV registrations as government grant drives uptakeOnce access is gained, EV chargers can be deactivated, malware can be injected to try and infect the wider digitally connected grid network, firmware can be added that affects the hardware, and attacks can also cause a range of low-level interruptions that include stopping charging sessions mid-charger, imposing the wrong pricing schemes, and displaying malicious messages on the screen of the charging unit. Therefore, EV charging station security is important. It should be noted that there are many layers to smart grid architecture, so gaining access at one entry point doesn’t guarantee entry to all aspects of the wider grid network, but it gives hackers a chance to exploit other network vulnerabilities. A large connected digital network can provide many ways to buffer cyberattacks because of its many layers, but when there are many nodes connected to the network, it makes the potential attack surface for attackers a lot larger.While some stations are being built with robust protocols and cybersecurity measures, hackers can gain access to charging stations through weak login credentials. So, ensuring EV charging station security is critical for new and existing systems. New EV charging systems need to be implemented with robust EV charging cybersecurity protocols, while older and more vulnerable charging stations need to be updated to ensure that they are not susceptible and a liability in the grid network. Related:Grid bottlenecks blocking EV charging expansion as Australia faces fuel vulnerability, industry warnsHowever, there are many types of attacks that can happen, and EV charging stations need to prevent cyberattacks on many fronts, which is why robust protocols and up-to-date software are critical for protecting against the latest threats. On the hardware and cyber-physical system (CPS) infrastructure side, both physical and digital damage can be caused by cyberhackers. If hackers gain entry to charging stations, the chargers themselves and the power converters can be targeted to overload the power and communication systems, which causes the charging stations to shut down. Sensors can also be targeted to provide inaccurate readings that affect the reliability of the charging stations.While hardware damage is visible, some of the biggest potential threats stem from the software side. The energy management systems of public charging systems have access to user identification and vehicle driving data that can be accessed by hackers who inject structured query language and cross-site scripting. On the payment side, personally identifiable information (PII) and payment data (such as credit/debit card information) is exchanged between the chargepoint operator (CPO) and mobility operator (MO), which could be intercepted by hackers if there’s a breach, putting the customer’s financial situation at risk and opens the potential for identity theft.Related:UK’s HMRC to appeal tribunal ruling on public EV charging VATThe software within EV charging networks is also susceptible to a range of cyberattacks that are commonly used to target internet-attached software—most commonly websites. This includes distributed denial of service (DDoS) permanent denial of service (PDoS), man-in-the-middle (MITM), and data theft attacks. Data theft risks are centred around stealing information, MITM attacks target utility communication networks while DDoS and PDoS are used to target critical infrastructure—with the aim of either taking it over or permanently disabling it.Outside of the EV charging infrastructure itself, there is a risk that wider grid operations could be disrupted. This includes drawing excess energy from the grid to the charger, causing local spikes and load demand issues while causing a potential overload of the charging unit. As cities transition towards smart city environments, there is the potential to further infiltrate Internet of Electric Vehicles (IoEV) architecture, including any unsecured Internet of Things (IoT) devices—both physically where they can be tampered with, as well as digitally. A completely digitally connected IoEV network is years away but if peer-to-peer connectivity is not secured, then there is scope for malware infection to be spread widely across the network. This again, is on the extreme end of what could happen in the future.As it stands, smart grid architecture has not been rolled out everywhere, and direct cyberattacks on the energy grid are rare; there have only been a handful of cases in recent years. We may, however, see EV charging security being tested more in the future if hackers believe EV charging infrastructure to be more vulnerable than other grid assets. While EV cyberattacks are likely to be rare, there have already been instances where EV charging infrastructure has been targeted. This has primarily revolved around data theft.The highest profile example of this is believed to be linked to Tesla chargers. In November 2024, a hacker exposed 116,000 customer records, mostly from users in the Middle East, that contained sensitive information and was available for download. The breach was tracked to an unsecured third-party EV charging app that was digitally connected to the charging station. The information leaked included people’s names, addresses, payment information, vehicle identification numbers (VINs), car make and model, geographical locations of charging stations, and the breach also exposed Open Charge Point Protocol (OCPP) logs related to the communication between the CPO and Electric Vehicle Supply Equipment (EVSE) usage.So, the digital threats are not just linked to the charging infrastructure itself, but to also any software and software applications (apps) that link to these charging stations. As this breach showed, it doesn’t need to be the infrastructure itself. Even if the infrastructure is robust, EV charging cybersecurity needs to consider all potential eventualities beyond the charger, and anyone making apps that work with these charging units needs to also put robust cybersecurity protocols in place. As this breach showed, one unsecured and vulnerable entry point is all it takes.Chinese EV charger security risks & supply chain concernsChina is often a topic of contention when it comes to cybersecurity and technology backdoor access. Some fear China based on pure politicking, whereas other concerns around backdoor infiltration are more grounded from a technology perspective. But are there really any Chinese EV charger security risks?Instead of looking at these potential worries from a company perspective, which people view as a risk, we look at how governing bodies and governments are reacting to the potential for Chinese interference, as well as how these issues are just related to national security in general, regardless of who the potential bad state actor is.The China Strategic Risks Institute (CSRI) has stated that there could be potential risks when using Chinese made EV charging systems and components, but have not given any names. The reason why it could potentially be a risk is due to China’s Data Security Law (2021) and National Intelligence Law (2017). These two laws put in place by the Chinese government says that any Chinese company— which includes those who manufacture EV charging components—need to prioritise national security over corporate data privacy. These laws also extend to assisting, supporting, and cooperating with national intelligence efforts. It is a generalisation based on the applicable laws, but it is something that could affect Chinese made EV charging components should the Chinese government believe (or at least postulate) that there is a national security issue. It is not only the CSRI that has viewed this as a risk though. In September 2024, the legal requirement for Chinese companies to collect data prompted the Biden Administration to propose an executive order to ban the import and use of Chinese-connected EVs within the US. At this time, it was already in place that at least 55% of the charging stations would need be from US made materials and components.As we move in 2026, the geopolitical landscape has changed significantly and there has been a strained relationship between the current US administration and China. While earlier Administrations are likely to have acted on decisions by assessing the technical challenges and hard scientific data related to backdoor entry, it’s hard to determine with the current administration if any sanctions or laws that appose Chinese technology sales to US are scientifically driven or are purely politically and emotionally, motivated—especially when you consider the other scientific ecosystems that have been turned on their head since President Trump took his 2nd term in office, including the continued slashing of budgets for the National Science Foundation (NSF) and National Institutes of Health (NIH), as well as key higher education institutions such as Harvard. At this stage, it could be believed that every decision on science and technology has some level of political bias behind it with the current administration, but we will never know how every US technology decision on China is political and how much is based on hard data.Regardless of the core reason for being wary of Chinese technology, there has been a higher scrutiny of Chinese-made components in 2026. Domestic sourcing requirements are being tightened, with plans being put in place to make US EV chargers contain 100% US made components, rather than the current 55% standard today. This means there are plans for a sweeping ban on Chinese software in connected vehicles in the chargers they use by 2027, and a ban on Chinese hardware by 2029. This ban will also include Chinese car companies testing self-driving cars on US roads. However, there are exceptions. The US government has stated that the bans won’t cover Chinese software already deployed before the new rules took place, so long as the software is not being maintained by the Chinese firm, as it will then mean that they can’t collect data. This will be of benefit to a number of big automakers in the US that already rely on some Chinese hardware and software, including Ford Motors and General Motors.In the US at least, this could mean a shifting of the supply chains if the blanket ban is maintained past the Trump administration once his current term finishes. This approach is looking to strengthen the US domestic supply chain, and reduce reliance on Chinese components, which could technically be for US manufacturing interests rather than security issues—although it’s likely that the reasoning is a combination of both. This also suggests that the dynamic of the traditional supply chain has shifted in the EV charging market, and that EV charging supply chain security is just as important as material/component availability and cost.While there is a debate about politicking vs actual threats within the current US Administration, any scepticism towards Chinese technology security is not entirely unfounded. While there is a lot of talk about the transfer and sharing of sensitive data, there is also the issue of poorly executed cybersecurity protocols in some Chinese EV charging systems. In March 2026, a Chinese EV charger manufacturer called ELECQ had one of their systems compromised, with the names, addresses and stored contact details all being leaked from their AWS cloud infrastructure before the system could be shut down. The attack was interrupted by ELECQ, and the chargers were saved from any physical damage, but the damage was done on the backend software side. This incident is something that could happen to an EV charging manufacturer from any country, but because it was a Chinese company, it comes under extra scrutiny. Nevertheless, we can’t tarnish all companies with the same brush, but you can guarantee that after this incident that CPOs, charging manufacturers, and governments are going to be looking at Chinese EV charger security risks more closely and will be scrutinising Chinese components more than before.In the UK, defence companies working with the UK government have said their staff shouldn’t connect their phones to Chinese-made EVs in case any confidential information is stolen once they are connected. If defence companies are saying not to connect to Chinese EVs, then you can assume that it would also extend to charging infrastructure with a lot of Chinese data and communication components. Now, despite this announcement, there’s no definitive guarantee that there are backdoor security risks because defence firms tend to err on the side of caution. At this stage, it is a caution, and defence companies (and their personnel) have to be extra vigilant because of the nature of their work.The EU have also put legislation in place to prevent potential cybersecurity issues from China. However, it should be noted that these legislations don’t necessarily target Chinese components specifically but will cover any smart technology that is a potential security risk. The NIS2 Directive has expanded cybersecurity rules put in place in the 1st NIS Directive back in 2016, and as EV charging infrastructure is now considered critical infrastructure, it also falls under this directive. The NIS2 Directive mandates that companies will manage cybersecurity risks across their entire supply chain, including when working with any third-party vendors and software providers. Outside of this, all charging stations in the EU need a CE certification by law, and charging station providers can also apply for a TÜV certification, which is a voluntary certification but is seen as the gold standard.Standards, protocols & compliance frameworksThere are a number of EV charging infrastructure cybersecurity standards, protocols and compliance frameworks which can be implemented to improve the cybersecurity of EV charging networks. We look at each of these below.NIST IR 8473This is a cybersecurity framework for extreme fast charging EV infrastructure. It has been designed to help organisations manage threats to EV extreme fast charging systems, their networks, and associated assets. This framework helps organisations to identify key assets and interfaces in the ecosystem, address cybersecurity risks when managing and using the extreme fast charging systems, identify any threats, risks and vulnerabilities in the equipment and data, detect any network vulnerabilities disruptions and manipulations, and apply protective mechanisms to reduce risk. It also helps charging stations to recover quicker if there have been any service anomalies.OCPPMany EV charging stations today run OCPP 1.6, but it does not have stringent security measures between the charger and charge point management system (CPMS). There have been updates issued to OCPP 1.6 but most chargers in use today that employ OCP 1.6 do not use these updates. However, the release of OCPP 2.0.1 provides a much stronger security framework than 1.6 and the security updates from 1.6 are included as standard. OCPP 2.0.1 enables secure communication channels between the charging station and CPMS through providing mutual authentication which protects sensitive data, including login credentials and billing information. It also enables firmware updates and logs security events to better monitor the system. OCCP 2.0.1 also helps to build a higher level of trust and reliability in an EV charging station because it only communicates with authorised CPMSs.ISO 15118ISO 15118 is an international standard. It defines the communications protocol between the EV and charging stations. This standard covers plug & charge functions, as well as bidirectional charging such as Vehicle to Grid (V2G) capabilities. ISO 15118 incorporates multiple security mechanisms, such as Public Key Infrastructure (PKI), that ensure a secure communication and data transfer between the EV and charging station and comes with a digital certificate. ISO 15118 ensures that charging stations can only communicate with authorised vehicles using a secure Transport Layer Security (TLS) connection where data is encrypted during transmission to protect payment information. Signed certificates are also required to implement any firmware updates to ensure they are genuine and not malware from a malicious party.System and Organization Controls 1 (SOC 1)SOC 1 is used for a lot of financial reporting processes. For EV charging infrastructure, it provides a high level of trust, transparency, and accountability when handling financial transactions, i.e. billing for charging sessions and credit card processing. SOC 1 will help to protect against billing errors and fraud while providing a high standard of accountability.System and Organization Controls 2 (SOC 2)SOC 2 is centred around managing sensitive customer data to protect it from unauthorised access, ensure the system is always operational, ensure a high data processing accuracy, protect PII and safeguard sensitive data through encryption and secure communication channels. SOC 2 helps EV charging networks to better handle sensitive customer data while maintaining regulatory compliance with data protection laws, such as GDPR.ISO 27001ISO 27001 is an international standard for managing information security and provides a framework for implementing and improving Information Security Management System (ISMSs). This standard helps EV charging infrastructure to be protected against data breaches, unauthorised access and cyberattacks. It is similar to SOC 2 in principle, but it has a broader scope and is more widely recognised internationally. ISO 27001 can help to protect PII and payment details using data encryption and secure communication channels and takes a proactive approach to risk management. It can also help to improve operational efficiency that prevents downtime if downtime is caused by a cyberattack.ETSI EN 303 645 ETSI EN 303 645 is the European standard for cybersecurity in IoT devices. While this standard covers IoT devices from a broader context, it is also directly applicable to EV charging infrastructure that uses IoT devices as part of the smart grid network. The standard can be used to improve communications and minimise the exposed attack surfaces for hackers.How to secure EV charging infrastructure: Practical mitigationThere are many protocols listed above that can be implemented to secure EV charging infrastructure but charging station owners need to make sure that they not only report cyberattacks and network outages to their natural authorities, but they should also be kept up to date with regular updates. Both aspects will help with EV charger hacking prevention and will ensure that charging stations stay resilient against attacks because the latest attacks can be recorded, and then new software updates can be installed to combat them in the future. Additionally, as it has been shown in the past, charging station owners also need to hold external vendors and third-party software companies to the same security standards to prevent data breaches in unsecured apps and software that connects to the charging station. This can be with ensured through regular supply chain audits.Network segmentation approaches should also be employed where the physical device network is separated from customer data. Firmware and grid communications have different threat environments to customer databases and billing information, so segmentation lowers the potential damage if there is a breach. This protects operational continuity if something goes wrong, but robust data security protocols need to be utilised as well.For data security, while there are unsecured solutions that use basic user/password authentication, charging stations today should be employing TLS encryption across all OCPP communications. TLS can be installed with basic authentication between the CPMS and charging station to ensure confidentiality of data during transmission, but it can also be integrated with client-side certificates and multi-factor authentication that authenticate each individual messages to ensure that any communications have not been tampered with. This enables a better lifecycle management for systems with approved certification and will disable any unnecessary remote access services. Companies should also have a robust incident response plan in place in case anything goes wrong. Overall, securing all potential unsecured nodes with EV charging is vital, and any components and networks that don’t currently have validated protocols need to be upgraded as soon as possible to prevent back door access. Prioritising security within the CPMS will not only help to keep EV charging systems safe, but it will also help to keep the wider grid network safer and more resilient to continually evolving cyberthreats.
