As the sales of electric vehicles increase, and EV charging infrastructure expands to support more EV drivers, cybersecurity is top of mind for Charge Point Operators (CPOs). There were 17.1 million EVs sold in 2024, marking a 25% increase compared to the year prior. Each of those vehicles represents a connected device on wheels, contributing to the evolving threat landscape that CPOs are required to oversee.
The EV charging ecosystem requires CPOs to look beyond simply securing their backend systems and implement more robust tactics to prevent various types of cyber threats. Bad actors can deploy a variety of hacks against a charging network, such as denial-of-service attacks on EV charging stations that can take down individual charge points, an entire charging site, or even a whole region. Other hacks can take over charging hardware to display political propaganda messages or inappropriate content. Hacks for theft of personal information are also common, taking EV drivers’ personal data, as well as conducting fraudulent transactions using duplicated Radio Frequency Identifications (RFIDs).
Proactive monitoring for potential hacker activity is necessary to protect drivers’ user data, prevent service disruptions, avoid financial fraud, and enable grid security. Many international regulations are now in place to ensure CPOs maintain compliance with all relevant security protocols for data privacy and cost transparency. Regulatory compliance with national data protection laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are necessary to keep charging businesses operational.
Common Cybersecurity Risks & Mitigation Tactics
From manipulation of charger hardware to hacking into a charging network’s digital infrastructure, some risks are more frequent occurrences. Risk reduction strategies for each threat will differ based on the type of hack:
- RFID Card Duplication Using a Simple Card Reader
- The Risk: By reading and copying card data with RFID skimmers, hackers can initiate a charging session for an EV on a stolen account or conduct simultaneous EV charging at multiple locations using the same RFID card. This allows hackers to charge these EVs simultaneously for free.
- Mitigation Tactic: Using proactive monitoring tools, a CPO can detect abnormal energy usage or unauthorized charging and implement automatic workflows to generate alerts and block suspicious activity. Utilizing mobile app payments over RFID payments, and implementing RFID encryption, are also strategies to protect against RFID duplication. Security protocols such as IEC 62443 require encrypted RFID communication in order to be compliant with its security standards.
- Drivers’ Identities are Sold on the Darknet
- The Risk: Stolen Personal Identifiable Information (PII) is used to track driver activities or to charge other vehicles. With drivers’ PII data, hackers can use the stolen information for identity theft, monitor a driver’s routine, gain access to payment information for unauthorized transactions, or hack the EV’s internal systems.
- Mitigation Tactic: Through proactive monitoring of the Darknet, a service provider can be quickly alerted of any data breaches so EV charging security teams can quickly respond to suspicious activity and prevent further malicious activity.
- Sensitive Information Extraction via Diagnostic Commands
- The Risk: Hackers can extract information such as WiFi passwords and other sensitive data related to the diagnostic function of the EV charging firmware. This includes detailed logs or reports about the station’s operations. The Open Charge Point Protocol (OCPP), has an option for a diagnostic command. It’s with this diagnostic command that hackers can access detailed information from the chargers if not protected.
- Mitigation Tactic: Conducting regular penetration tests of the EV chargers. When buying new chargers, request copies of previous penetration reports and diagnostics to provide insights into its security capabilities. In addition, ensure that the smart EV charging software utilized has the proper security frameworks in place to monitor for such activity. This ensures CPOs can still obtain the interoperability benefits of OCPP-compliant software.
- Physical Attacks: Opening Charger Door to Connect USB Cable
- The Risk: AC and DC chargers are vulnerable to physical risks as well, in which hackers break open the charger door to connect a USB cable to attempt to change the configuration of the charger, access a free charging session, or gather other data available on the chargers.
- Mitigation Tactic: Part of OCPP includes the charger sending an error code to the CPMS if the door is opened. This can alert the operations team who can abort a charging session or take a charger down and send team members on-site, as needed. The automation of such an alert system allows instant identification of physical attacks in order to solve issues fast.
EV Charging Network Topology Best Practices
To get ahead of the various cybersecurity risks outlined above, EV charging network operators can begin to implement processes to protect their charging infrastructure:
Use APN/VPN Networks for Secure Connections. Avoid using the public internet for charger communications. While there may be various reasons why a charging network would opt to use the public internet, such as cost savings or limited options for network providers in the area, using an APN network automatically reduces the attack surface. Without an APN network, charging networks become identifiable to anyone, anywhere.
Maintain SIM-to-Charger Assignment Lists for Quick Deactivation. While APN networks are more secure, they do nott protect against the possibility of a hacker locating the SIM card in the charger to gain access to the network. Digitally mapping the SIM cards to individual chargers allows for quick deactivation responses when suspicious activity is detected. This added layer of security ensures the CPMS can identify the charger and block communication, thus narrowing the options the hacker has to gain access to the network.
Consider the Charger & the Equipment. Oftentimes, localized hacks occur due to minor operational mistakes that are avoidable. For example, the password for a new router or modem is not changed once installed, or it’s changed to something simple and insecure. Once hackers break-through these easy barriers, they have access to the chargers and can modify on-site operations. If the charging station has older chargers installed without encryption, business data can become accessible and compromised. These avoidable mistakes put CPOs in breach of security regulations. Charging operators need to use secure passwords and rotate them often, review the security standards of their hardware, and conduct penetration tests to get ahead of local site hacks.
Restrict SIM-to-SIM Communications within APN/VPN. By limiting the network requests to specific endpoints, if a connection is compromised it will remain contained to the individual charger. This can be accomplished with supporting CPMS providers who can identify changes in activity on the SIM, and then quickly disconnect the affected charger automatically before it impacts additional chargers.
Prioritizing Cybersecurity in EV Charging
Maintaining a secure charging network starts with Charging Point Management Systems (CPMS) that are secure and compliant with international regulations on privacy and transparency. These include full support of OCPP security profiles and TLS 1.2 (and above). In addition, regulations such as the NIS2 (Network and Information Systems) Directive, and the European Union cybersecurity regulations, which consider EV charging networks as critical infrastructure, ensure that risk management strategies are implemented to protect, EV charging networks, EV drivers and the energy grid that powers them.
When selecting an EV charging and energy management software platform, look for one that utilizes the most comprehensive security frameworks. Certifications such as the Service Organization Control (SOC) 2 Type II audit, identifies platforms that comply with the strictest standards for protecting sensitive user and operational data. These software platforms prioritize the security of complex operational environments with comprehensive risk management tools.
It’s also recommended to prioritize providers with a well-defined in-house security team. This is critical to safeguarding infrastructure against cyber threats, ensuring compliance (e.g., NIS2, ISO 27001, GDPR), and maintaining operational resilience. The Chief Information Security Officer (CISO) should oversee the cybersecurity strategy, aligning it with business objectives while managing incident response, risk reporting to the board, and third-party vendor security compliance.
To learn more on cybersecurity best practices, view this webinar presented by Driivz security experts.
