Electric vehicle adoption is accelerating faster than most cybersecurity frameworks can keep pace with: 17.1M EVs were sold in 2024 alone, a 25% year-over-year increase. The charging infrastructure supporting them has become one of the most targeted sectors in connected technology. Yet for many manufacturers, security is still an afterthought rather than a design principle.
This guide is written specifically for EV charger manufacturers by N-iX experts in EV charging cybersecurity. It covers the real threats your products face, the compliance requirements now coming into force, and the concrete steps you need to build security-first charging management software that protects users, networks, and your reputation.
The stakes: Why EV charging cybersecurity can't wait
- 59% of EV charging attacks in 2024 had the potential to affect millions of devices simultaneously, including chargers, mobile apps, and vehicles, according to Upstream Security's 2025 Automotive & Smart Mobility Global Cybersecurity Report
- 116,000 user records were exposed in a single November 2024 breach traced to a white-labeled EV charging app, leaking names, locations, payment details, VINs, and vehicle information
- Automotive-related CVEs (published vulnerabilities) reached 530 in 2024, which is nearly double the count from 2019, with EV charging infrastructure increasingly in scope
- The US EV charging infrastructure market is projected to grow at 30% CAGR from 2025 to 2030, meaning the attack surface will expand dramatically in the coming years
EV chargers are networked endpoints connected to the power grid, payment systems, vehicle data, and backend cloud platforms. A vulnerability in one charger can become a vector for grid disruption, large-scale data theft, or fleet-wide denial-of-service.
Security risks of EV charging management software
Because EV chargers are almost always networked for remote monitoring and control, their cybersecurity risks deserve explicit consideration. The main risks to EV charger infrastructure are the following.
1. Data breaches
EV chargers collect sensitive personal information: payment credentials, charging history, location data, and vehicle identifiers. This data travels between the charger, the CPMS (Charge Point Management System), and cloud backends, thus creating multiple interception opportunities. Poorly encrypted transmissions, insecure APIs, and inadequate access controls are the most common entry points.
To address these risks, it's crucial to implement robust cybersecurity measures. This includes encryption of data transmission, regular security audits, user authentication processes, and compliance with data protection regulations. With our robust cybersecurity expertise, N-iX can help strengthen your security with encryption, access controls, detection systems, regular checks, and employee training.
2. Network infiltration
A networked charger is an entry point to everything it connects to, including corporate networks, utility infrastructure, and backend management systems. Attackers who compromise the charger can pivot laterally into the broader network. This risk is compounded by:
- Interconnectivity: A vulnerability in one node of a charging network can propagate to others
- Remote access exposure: Most chargers are managed remotely; without proper authentication, that access is a two-way door
- Wireless interception: Chargers communicating over public networks are susceptible to man-in-the-middle attacks. In a documented case, a security researcher demonstrated how a spoofed Wi-Fi network could be used to intercept communications between a vehicle and a charging station
3. Denial of service (DoS) attacks
Attackers can flood charging stations with requests or malicious commands, rendering them inoperable. A successful DoS attack against a charging network is not just frustrating for drivers, which is already bad for your business because it hurts customer satisfaction. Worse, it can disrupt grid load balancing, fleet operations, and the availability of public infrastructure, so the impact scales from individual frustrated customers to equipment downtime and spikes in electricity costs.
4. Firmware manipulation
If an attacker gains the ability to modify a charger's firmware, whether through an insecure update channel or a compromised backend, the consequences range from altered charging behavior to physical damage to the vehicle or hardware. At Pwn2Own Automotive 2025, researchers from 13 countries discovered 49 unique zero-day vulnerabilities specifically targeting EV charging systems and in-vehicle infotainment platforms.
Taken together, these threat vectors make one thing clear: security cannot be bolted on after the fact. Moreover, it has to meet a specific regulatory bar to reach the market at all. Let's look at the compliance requirements.
Regulatory compliance: What EV charger manufacturers must know in 2026
Governments and standards bodies have moved decisively, and the window for non-compliance is closing. The regulations below span communication standards, data security, and critical infrastructure protection. Several of them have hard deadlines that are already within your next product cycle.
| Regulation/Standard | Scope | Key Deadline |
| --- | --- | --- |
| ISO 15118-1 to -5 | Secure EV-to-charger communication | January 8, 2026 (EU public chargers) |
| ISO 15118-20 | Bidirectional charging, Plug & Charge | January 1, 2027 (EU, all chargers) |
| EU AFIR | Smart charging, connectivity, data | In force since April 2024 |
| NIS2 Directive | EV networks as critical infrastructure | In force across the EU |
| OCPP 2.0.1 | Secure charger-to-CPMS communication | Current best practice |
| SOC 2 Type II | Data security and operations | Required for US enterprise contracts |
| PCI DSS | Payment card data protection | Applies to all payment-capable chargers |
| GDPR/CCPA | User data privacy | Ongoing |
| ISO 27001 | Information security management | Increasingly required in EU tenders |
Key takeaways for you:
- ISO 15118 compliance is now mandatory in the EU for all new public charging points from early 2026, and will extend to private/semi-public chargers in 2027
- NIS2 treats EV charging networks as critical infrastructure, meaning operators face binding risk management and incident reporting obligations with direct implications for the software products you build for them
- AFIR requires ISO 15118-20 support for all V2G-capable chargers deployed in the EU from January 2026 onward
- SOC 2 and PCI DSS certifications are prerequisites for enterprise procurement in the US and Canada
For companies operating EV charging stations, it is vital that the EV charger management software and hardware they build are compliant. But how do you get there? Our experts have shared some thoughts.
Best practices of EV charger security: A step-by-step checklist
What are the best practices and key considerations for manufacturers aiming to enhance the security of EV chargers? Let’s find out.
1. Find a skilled cybersecurity team
Cyber threats evolve continuously. New vulnerabilities are disclosed, attack techniques mature, and compliance requirements shift. No checklist, however thorough, replaces the judgment of people who live and breathe this domain.
A dedicated cybersecurity team brings several capabilities that are difficult to replicate otherwise: the ability to identify non-obvious risks before they become exploits, the experience to prioritize remediation under real-world constraints, and the institutional knowledge to keep security posture consistent across product versions and regulatory changes. For manufacturers without in-house depth, partnering with an experienced external team is a practical and often faster path to the same outcome.
Everything that follows in this checklist is more effective when there are skilled people owning it.
2. Use OCPP 2.0.1 with the TLS with Client-Side Certificates security profile
OCPP (Open Charge Point Protocol) governs communication between chargers and the Charge Point Management System. Version 2.0.1 includes critical security features absent in earlier versions:
- Secure firmware update support;
- Security event logging and notification;
- Three security profiles: unsecured transport, TLS with basic authentication, and TLS with client-side certificates.
N-iX recommendation: Always implement TLS with the Client-Side Certificates profile. It is the most robust of the three options and provides mutual authentication, ensuring that both the charger and the CPMS verify each other's identity. Avoid deploying products still running OCPP 1.6, which lacks these built-in security measures.
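As an added example (not N-iX code or any CPMS vendor's), the profile 3 setup on the CPMS side in Go with the standard crypto/tls package: the server only accepts a charger that presents a certificate chaining to the operator's CA, and after the handshake the WebSocket handler checks that the certificate names the station given in the URL path, following the OCPP guidance that the charger certificate's Common Name carries the station identity. Loading the server certificate and CA pool, and the function names, are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

const ProfileTLSClientCert = 3 // OCPP 2.0.1 security profile 3: TLS with client-side certificates

// CSMSTLSConfig builds the server-side TLS configuration for the CPMS WebSocket
// endpoint. Only profile 3 is accepted, so a deployment cannot quietly fall back
// to a weaker profile. Loading serverCert and the CA pool is assumed to happen elsewhere.
func CSMSTLSConfig(profile int, chargerCAs *x509.CertPool, serverCert tls.Certificate) (*tls.Config, error) {
	if profile != ProfileTLSClientCert {
		return nil, fmt.Errorf("security profile %d refused: only profile 3 is allowed", profile)
	}
	if chargerCAs == nil {
		return nil, errors.New("a CA pool for charger client certificates is required")
	}
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the charger must prove its identity too
		ClientCAs:    chargerCAs,
	}, nil
}

// VerifyStationIdentity runs in the WebSocket handler after the handshake: the leaf
// certificate the charger presented (r.TLS.PeerCertificates[0]) must name the same
// station as the identity in the URL path, so one charger's certificate cannot speak for another.
func VerifyStationIdentity(leaf *x509.Certificate, stationID string) error {
	if leaf == nil {
		return errors.New("no client certificate presented")
	}
	if cn := leaf.Subject.CommonName; cn != stationID {
		return fmt.Errorf("certificate CN %q does not match station identity %q", cn, stationID)
	}
	return nil
}

func main() {
	// Constructed leaf certificate standing in for one parsed during the handshake.
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: "CP-0001"}}
	fmt.Println(VerifyStationIdentity(leaf, "CP-0001"), VerifyStationIdentity(leaf, "CP-0002"))
}
```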
3. Use ISO 15118 with TLS communication
ISO 15118 governs the communication layer between the EV and the charging station. It uses TLS to encrypt data in transit, protecting against interception and ensuring data integrity. It also enables:
- Plug & Charge (PnC): Automatic mutual authentication between vehicle and charger without driver interaction, using a certificate-based trust chain
- Vehicle-to-Grid (V2G): Secure bidirectional energy flows, which require authenticated communication to prevent manipulation
Given the EU's mandatory ISO 15118 deadlines in 2026 and 2027, building this support into your architecture now avoids expensive retrofits.
4. Implement Plug & Charge communication
OCPP 2.0.1, the enhanced version of the Open Charge Point Protocol, integrates the ISO 15118 standard and so enables Plug & Charge. With it the charging process is user-independent: no interaction from the vehicle owner is required, because a secure communication channel is established directly from the electric vehicle to the charging operator and all data exchanged during the charging process travels over it. Combining ease of use with robust security measures in this way is a significant step in the evolution of EV charging technology.
5. Enforce cryptographically signed firmware updates
Firmware integrity is a critical attack surface. Every firmware update pipeline should:
- Apply a cryptographic signature to each firmware image so chargers can verify authenticity before installation;
- Transmit updates over encrypted, authenticated channels only;
- Use OCPP's built-in firmware update functionality to standardize and secure the process;
- Log all update events in the security event log for auditability.
Never allow unsigned firmware to be accepted by the charger, regardless of the update source.
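The signed-update rule above as an added example in Go (not N-iX's or any charger vendor's code): the charger recomputes the digest over version and payload and refuses anything whose signature does not verify, including an image with no signature at all. Ed25519 with a public key provisioned at production stands in for the certificate-based firmware signing OCPP 2.0.1 specifies; the version-binding digest, the function names and the sample image are this example's assumptions, while the event type strings are the OCPP 2.0.1 security event names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FirmwareImage is what the charger receives through an OCPP UpdateFirmware
// request: the version it claims, the binary, and a detached signature.
type FirmwareImage struct {
	Version   string
	Payload   []byte
	Signature []byte // empty when the image is unsigned
}

// digest binds the version string to the payload so a genuinely signed image
// cannot be re-presented under a different version number.
func digest(version string, payload []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(version), 0), payload...))
	return sum[:]
}

// SignFirmware is the build-server side, included only to make the example
// self-contained; the private key never leaves the manufacturer's signing service.
func SignFirmware(priv ed25519.PrivateKey, version string, payload []byte) FirmwareImage {
	return FirmwareImage{version, payload, ed25519.Sign(priv, digest(version, payload))}
}

// VerifyAndAccept is the charger side. It checks the signature against the
// manufacturer public key provisioned at production and never accepts an
// unsigned image, whatever the update source. The second return value is the
// OCPP 2.0.1 security event type the charger should log and report to the CPMS.
func VerifyAndAccept(pub ed25519.PublicKey, img FirmwareImage) (bool, string) {
	if len(img.Signature) == 0 {
		return false, "InvalidFirmwareSignature" // unsigned: refuse, even if the CPMS sent it
	}
	if !ed25519.Verify(pub, digest(img.Version, img.Payload), img.Signature) {
		return false, "InvalidFirmwareSignature" // tampered payload, relabeled version or wrong key
	}
	return true, "FirmwareUpdated"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys for the demo
	img := SignFirmware(priv, "2.1.0", []byte("constructed firmware bytes"))
	fmt.Println(VerifyAndAccept(pub, img)) // true FirmwareUpdated
	img.Payload[0] ^= 0xff // simulate modification in transit
	fmt.Println(VerifyAndAccept(pub, img)) // false InvalidFirmwareSignature
}
```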
6. Test your solution early and thoroughly
Security testing is an ongoing discipline that should begin in the earliest stages of development. Testing an EV charger thoroughly covers safety, cybersecurity, performance, and compatibility with different EV models, and the earlier issues are caught, the cheaper they are to fix.
A robust testing regimen should include:
- Security penetration testing by a qualified third party before major releases and on an annual basis thereafter
- Interoperability testing against multiple EV models to confirm that communication protocols, including ISO 15118 and Plug & Charge, function correctly across different vehicle implementations
- Physical tamper testing to assess hardware-layer attack resilience
- Regression testing after every firmware update to confirm no new vulnerabilities have been introduced
- Load and stress testing to validate DoS resilience under high-traffic conditions
Beyond security, early testing compresses your time to market. Issues found during development cost a fraction of what they cost to remediate post-deployment, and a security incident after launch costs far more than either.

Conclusion
Making an electric vehicle charger secure is a complex task due to the advanced technology and evolving cyber risks involved. It's important to have strong security measures in place for these chargers, given their growing role in the EV market. If you're unsure about the security of your charger or need expert advice, feel free to contact N-iX. Our team has the knowledge and experience to help ensure your charging system is safe, efficient, and trustworthy. With our support, you can confidently address the security challenges of EV charging management software.
How N-iX helps manufacturers build secure EV charging software
Building a secure EV charging management platform requires deep expertise across multiple domains: protocol-level security, PKI infrastructure, backend architecture, regulatory compliance, and ongoing threat monitoring. At N-iX, our team has direct experience engineering secure EV charging solutions and can support manufacturers at every stage:
- Security architecture design aligned with OCPP 2.0.1, ISO 15118, and NIS2 requirements
- PKI implementation for Plug & Charge and certificate lifecycle management
- Penetration testing and security audits of charging software and hardware
- Compliance readiness assessments for GDPR, NIS2, SOC 2, and ISO 27001
- Intrusion detection and security event monitoring integration
FAQ
What is the most critical security standard for EV charger manufacturers right now?
OCPP 2.0.1 with TLS and client-side certificates governs the charger-to-CPMS communication layer and should be the baseline for any new product. For vehicle-to-charger communication, ISO 15118 with TLS is the applicable standard and is now legally mandatory for public chargers in the EU from January 2026.
What's the difference between OCPP and ISO 15118?
OCPP handles communication between the charging station and the backend management platform (CPMS). ISO 15118 handles communication between the electric vehicle and the charger. Both layers require independent security implementation. OCPP 2.0.1 supports ISO 15118 integration, enabling features like Plug & Charge.
Is OCPP 1.6 still acceptable for new deployments?
No. OCPP 1.6 lacks the built-in security profiles and event logging capabilities of version 2.0.1. Many operators running 1.6 today are exposed to authentication weaknesses that 2.0.1 was specifically designed to address. New products should not be built on OCPP 1.6.
How does the EU's NIS2 Directive affect EV charger manufacturers?
NIS2 classifies EV charging networks as critical infrastructure. This means the software products and platforms you build must enable operators to meet binding requirements for cybersecurity risk management, incident reporting, supply chain security, and data protection.
What is Plug & Charge, and how does it relate to security?
Plug & Charge (defined in ISO 15118) enables automatic authentication between an EV and a charger using a PKI-based certificate chain, no RFID card or app required. While it improves user experience, it requires a robust certificate management infrastructure. Poorly implemented Plug & Charge is itself a vulnerability if certificates are not properly validated or revoked.
How often should firmware updates be deployed?
There is no fixed schedule, but firmware should be updated whenever security patches are available, and manufacturers should have the infrastructure to deploy updates rapidly when a vulnerability is disclosed. All updates must be cryptographically signed and transmitted over secure channels. Regularly scheduled updates should also incorporate the latest security patches from third-party component vendors.
What certifications should an EV charging software platform have?
For enterprise and regulated markets, key certifications include: SOC 2 Type II (information security operations), ISO 27001 (information security management), and PCI DSS (payment data security). For EU deployment, GDPR compliance and NIS2-aligned risk management practices are additionally required.