A New OT Surface at Scale

The United Kingdom, European Union, and United States have each committed to transformative buildouts of public EV charging infrastructure over this decade. The UK’s target of 300,000 public charge points by 2030, the EU’s Alternative Fuels Infrastructure Regulation mandating charger coverage across Trans-European Transport Network corridors, and the US NEVI program funding highway fast-charger networks have funded a rapid expansion of connected OT assets with direct grid interfaces.

Electric vehicle supply equipment (EVSE) — charge points — are operational technology in the traditional sense: networked devices that control physical processes with real-world consequences. Unlike traditional OT equipment operating in isolated facility networks, charge points are by design internet-connected, managed through cloud platforms, exposed to users with potentially hostile physical access, and directly interfaced with electricity distribution infrastructure.

The security posture of most deployed EVSE does not match this threat surface.

The OCPP Protocol Attack Surface

The Open Charge Point Protocol (OCPP) is the dominant communication standard between charge points and Charge Point Management Systems (CPMS). OCPP 1.6 (JSON/SOAP over WebSocket) is the most widely deployed version in current infrastructure; OCPP 2.0.1 adds security enhancements that most deployed hardware does not yet support.

OCPP defines how charge points report status, receive commands, and authenticate transactions. The protocol has well-documented security limitations that carry direct operational risk:

Authentication weaknesses in OCPP 1.6. The original OCPP 1.6 specification relies on shared secrets and basic HTTP authentication for charge point-to-CPMS communication, with no built-in certificate-based mutual authentication. CPMS deployments that do not enforce TLS client certificates are vulnerable to:

  • Rogue charge point registration: An attacker who can communicate with the CPMS can register a fake charge point and receive commands intended for legitimate equipment
  • Message replay and injection: Without message signing or sequence numbers, OCPP messages are vulnerable to replay attacks and injection between charge point and CPMS
  • Charge point impersonation: An attacker on the same network segment as a charge point can man-in-the-middle OCPP sessions if TLS is misconfigured or absent

OCPP command injection via the remote start/stop interface. The RemoteStartTransaction and RemoteStopTransaction OCPP commands allow a CPMS to initiate and terminate charging sessions. If the CPMS interface is exposed without adequate authentication — a common finding in deployed systems — an attacker can start or stop charging sessions at will. The December 2022 incident in which an Isle of Wight charging station was hacked to display pornographic content demonstrated this attack vector on a production installation.

Firmware update exploitation. OCPP provides a UpdateFirmware message for over-the-air firmware delivery. If this endpoint is accessible without strong authentication, an attacker can push malicious firmware to charge points — providing persistent access to the hardware and the ability to manipulate metering, enable unjustified billing, or interfere with grid signalling.

Grid Stability Risk from Coordinated Manipulation

EV charging load is significant. A single 150kW DC fast charger draws as much power as approximately 50 UK homes. A motorway service area with 12 fast chargers represents a 1.8MW controllable load. At national scale, the aggregate charging load for millions of EVs is a material component of grid demand.

Smart charging functionality — which allows chargers to shift load based on grid signals, electricity prices, or distribution network operator commands — is the mechanism by which this flexible load is intended to benefit grid stability. It is also a mechanism by which it can be weaponised.

A 2023 study by researchers at Idaho National Laboratory modelled the impact of coordinated attacks on EV charging infrastructure. Key findings:

  • Simultaneous manipulation of a modest percentage of US EV charger capacity (simulated through a CPMS-level attack) was sufficient to cause localised grid frequency deviations that would trigger automatic protective responses in distribution networks
  • High-rate charging activation (causing demand spikes) and simultaneous session termination (causing demand drops) were more disruptive than persistent high load
  • The attack surface was the cloud CPMS, not individual chargers — compromising the management platform is sufficient

This threat model is qualitatively different from traditional OT attacks targeting individual facility SCADA systems. A compromised CPMS controlling thousands of charge points is a distributed grid manipulation tool, not merely a service disruption.

Vehicle-to-Grid (V2G) Bidirectional Risk

Vehicle-to-grid (V2G) charging, where EVs export stored battery power back to the grid, is now commercially deployed in the UK, Netherlands, and Japan. V2G substantially increases the stakes of EVSE compromise:

  • Unauthorised discharge: An attacker who can send remote commands to V2G-capable chargers can force EV batteries to discharge without owner consent, degrading battery health and potentially draining vehicles below their required range
  • Coordinated discharge attacks: A large-scale coordinated discharge event would inject unexpected power onto the distribution network, requiring rapid grid balancing response
  • Metering fraud: V2G systems handle bidirectional energy metering and payment. Manipulation of metering data enables both fraud against vehicle owners (underpayment for exported energy) and against the grid (billing for energy not delivered)

Documented Incidents

Isle of Wight (December 2022): British EV charging network operator Osprey Charging confirmed that charge points at a motorway service area were compromised and their screens used to display inappropriate content. The attack demonstrated that public EVSE with internet-connected management interfaces and weak authentication were exploitable by low-sophistication attackers.

Zaptec charging station vulnerabilities (2023): Researchers at Saiber disclosed multiple critical vulnerabilities in Zaptec Pro and Go charging stations including insecure firmware update mechanisms, hardcoded credentials in the management interface, and the ability to perform man-in-the-middle attacks on OCPP communications. Zaptec equipment is widely deployed across Scandinavia and the UK.

ChargePoint API exposure (2023): Security researchers discovered that ChargePoint’s fleet management API exposed vehicle location data and charge session details for vehicles registered to the platform without adequate authorisation controls.

Regulatory Landscape

The security standards applicable to EVSE are evolving rapidly:

UK: The Electric Vehicles (Smart Charge Points) Regulations 2021 require new private charge points to implement smart functionality with security requirements. The Product Security and Telecommunications Infrastructure (PSTI) Act 2022, which entered full force in April 2024, applies security requirements including unique default passwords, vulnerability disclosure policies, and defined support periods to all internet-connected products — including charge points — sold in the UK.

EU: The Cyber Resilience Act, entering enforcement in 2027, will impose mandatory cybersecurity requirements on EVSE as “important products with digital elements.” OCPP 2.0.1 with TLS client certificate authentication and message signing is the baseline expectation for compliance.

US: CISA and DOE have published guidance for EVSE operators under the National EV Infrastructure (NEVI) program requirements. NEVI-funded installations must meet a cybersecurity baseline that includes network segmentation, encrypted communications, and regular vulnerability assessment.

Priorities for EVSE Operators

For operators of EV charging infrastructure, the immediate priorities are:

OCPP 2.0.1 migration. The security improvements in OCPP 2.0.1 — TLS client certificate mutual authentication, message signing, enhanced authorisation — address the core protocol weaknesses. Migration requires hardware and firmware support. Assess your deployed fleet for OCPP 2.0.1 compatibility and develop a migration roadmap.

CPMS network isolation. The CPMS is the highest-value target — it controls the entire charge point fleet. It should be isolated from general corporate networks, have MFA on all administrative access, and have its API endpoints protected by WAF and rate limiting.

Firmware update integrity. Implement code signing for all firmware updates. Charge points should only accept firmware signed by the operator’s own key. Monitor for unexpected firmware update commands or updates from unexpected sources.

Physical security of charge point hardware. Physical access to charge point hardware enables network-layer attacks, including installation of network taps or manipulation of the OCPP connection. Tamper-evident hardware enclosures and tamper-detection monitoring are baseline requirements for public EVSE.

Incident response for EVSE environments. Most operators do not have incident response plans that cover the specific scenarios of EVSE compromise — coordinated session manipulation, firmware implant, or CPMS compromise. These scenarios need specific playbooks before they happen.

The EV charging buildout is creating critical infrastructure at a pace that security practice is struggling to match. The protocols, management systems, and hardware now being deployed at scale will define the attack surface for the next decade.

Tags
EV-chargingOCPPelectric-vehiclegrid-securityChargePointcritical-infrastructureOT-securitysmart-chargingV2GEVCStransportation-securityenergy-security