If electric cars are charged at public charging points, there is also a data connection in addition to electricity. This can be a gateway for attacks on the charging station, the power distribution network or its control systems, but also the connected electric car. The Federal Office for Information Security (BSI) has therefore examined the IT security of publicly accessible charging networks. Result: Central standards, including UNECE R 155, correspond to the state of the art in many areas, but this does not give the all-clear signal.
Read more after the ad
Possible points of attack at the almost 150,000 normal and 50,000 fast charging stations in Germany include, for example, a bug in the Open Charge Point Protocol 2025. The widely used protocol is considered vulnerable in terms of authentication and session handling and is implemented inconsistently. “In practical implementation, however, numerous security mechanisms – such as transport encryption, blacklists or modern cryptographic procedures – are often only implemented to a limited or optional extent, partly for reasons of backward compatibility,” says the 65-page BSI report. The measures are only “lowly widespread” and proprietary protocols are still used. There is therefore a “need for a fundamental paradigm shift towards mandatory security-by-design and security-by-default.” And not just recently.
According to the BSI experts, only a section of the problem has been examined in more detail so far. There are “clear weak points” in the charging station operators’ systems, for example. And the central administration of certificates for communication and identification of those involved in the charging system is problematic. “Compromises of individual trust anchors can have far-reaching consequences for the entire charging infrastructure and its trustworthiness,” writes the authority.
Network stability at risk in the worst case scenario
However, if parts of the system are compromised and charging communication is disrupted, this can have physical consequences – on the electric car, at the charging station, or even in the power grid. “Whether and to what extent damage such as component damage or thermal overload can occur depends largely on whether the corresponding components are designed to be intrinsically safe and protect themselves against overvoltages or excessive current flows,” is how the IT security experts describe the problem. In other words: whether they switch off in an emergency if the control is incorrect.
“If several or extensive connections are affected by attacks at the same time, in the worst case scenario this can endanger network stability.” For example, if the local network of a charging hub were targeted. It has long been known that botnets could cause parts of the continental European power grid to collapse through coordinated influence on electricity consumption.
Bidirectionality compounds the problem
And the problem is getting worse, warns the BSI: “The introduction of bidirectional charging will increase the effect many times over.” As long as charging was only unidirectional to the car, this was not a direct problem, at least for the power grids. But with scaling, targeted or misguided entry and exit control, the problem grows.
Read more after the ad
The Association of Automobile Manufacturers (VDA) is aware of this: “Plug & Charge and bidirectional charging create new requirements for secure communication, authentication and certificate management.” However, IT security at automobile manufacturers is “consistently integrated into development and production processes,” said a spokesman to heise online. It is crucial to implement security standards interoperably and along the entire value chain. In other words: The problem is seen – but not by the car manufacturers.
BDEW boss sees no “reason for alarmism”
The electricity industry also risks, but “no reason for alarmism (…) To the best of our knowledge, there have been no serious security incidents in the charging market that require reporting to the BSI,” says Kerstin Andreae from the Federal Association of the Energy and Water Industry (BDEW) when asked by heise onlines.
She advocates for clearer regulations. Because of the different properties of cars as a product with digital elements, charging stations as part of the energy networks and car battery networks as virtual power plants and therefore potential parts of critical infrastructure, very different regulations apply in parallel, as the BSI also describes. “As the mass market ramps up, the question arises as to which sustainable, pragmatic solutions can be pursued in the European internal market,” says Kerstin Andreae. She calls for better coordination across the individual regulations, without special routes and double regulation.
If all charging stations were remotely controlled, there would be 8.5 gigawatts of controllable power – a quarter more power than a year ago. The Federal Ministry of Transport, which is responsible for the “Charging Station Infrastructure 2030 Master Plan”, has not yet shown any initiative in this regard.
(ds)
