EV Charging Cybersecurity: Standards, Protocols, and Best Practices for Resilient EV Infrastructure

05/07/2026

Data breaches and ransomware attacks are making headlines with increasing regularity. How well is the EV industry preparing for these threats as EV infrastructure expands? The future of EV charging will not be judged by how many charging stations have been installed, but by whether drivers can trust each station to be available, affordable, and cybersecure.

 

Cybersecurity Risks for EVs

Keeping ahead of hackers is a high priority as the industry prepares for a significant build-out of EV charging infrastructure to accommodate major growth in the number of EVs on US roadways. Today in the US, more than 7 million EVs (BEVs plus PHEVs) are on the road, supported by more than 250,000 public charging ports and millions of additional private (primarily residential) chargers. Managed charging programs are essential to continued infrastructure growth, and ensuring the security of the software and hardware they use is paramount.

With the increased use and adoption of EVs “comes an increase in cybersecurity risks across EV supply equipment (EVSE) and the wider EV charging infrastructure charging ecosystem,” the US Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) wrote in 2024. “Malicious actors,” CESER stated, “could infiltrate the devices or networks to access user data, interrupt charging or even cause a blackout of the grid.” While the expansion of EV charging stations and their integration with the US electric grid “is necessary to support the transition to a clean energy future,” CESER continued, “it also presents a unique cybersecurity threat within the EV charging infrastructure.”

 

Secure EV Charging Communication Protocols: OCPP and OCPI

Addressing these risks requires standardized, purpose-built protocols, and the EV industry has made meaningful progress on that front. The Open Charge Alliance develops and maintains the Open Charge Point Protocol (OCPP), which enables communication between EV chargers (EVSE) and charge station management systems (CSMS). OCPP 2.0.1 includes built-in security features designed to protect these connections using established practices such as encryption to keep data private and authentication to ensure only trusted devices can connect. These capabilities rely heavily on Public Key Infrastructure (PKI) to establish trusted digital identities and secure communications between endpoints.

 

Figure 1

Secure EV charging requires secure communication protocols between the various entities shown in Figure 1, covering all the ways that Charge Station Management Systems (CSMS) connect with other entities such as EVSEs, utilities, E-Mobility Services Providers, and Building Management Systems.

 

Industry efforts, including research led by the National Lab of the Rockies, have highlighted PKI as essential for secure EV charging because it enables systems to both encrypt data and verify device authenticity across networks. OCPP cybersecurity certification verifies that these protections are implemented correctly. To further support the industry, the Open Charge Alliance has released the OCPP Security Operations Guide, which emphasizes that defining security features alone is not sufficient. Effective cybersecurity depends on how those features are implemented and managed in practice. Specifically, the Guide recommends that market actors go beyond protocol compliance to include secure configuration, continuous monitoring, vulnerability management, and alignment with evolving regulatory requirements to ensure resilient and trustworthy charging networks.

Lonneke Driessen, Director of the Open Charge Alliance, underscores why this matters:

“Cybersecurity is a cornerstone in the advancement of the OCPP protocol, helping ensure that as the electric vehicle ecosystem evolves, it remains resilient to emerging threats. The Open Charge Alliance has made significant progress in defining comprehensive security practices for OCPP, providing a robust framework for securing communication between EV charging stations and management systems. By implementing these practices, the industry can strengthen trust and reliability while accelerating the growth of safe, interoperable, and future-proof EV charging infrastructure.”
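A secure-configuration check for the OCPP connections described above, as an added example that is not code from the Open Charge Alliance or EVCAN: it audits charger connection profiles against the OCPP security profiles (1: Basic Auth without TLS, 2: TLS with Basic Auth, 3: TLS with client certificates). Field names mirror OCPP 2.0.1's NetworkConnectionProfile; the station ids, hostnames, and minimum-profile policy are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample inventory; station ids and hostnames are made up.
PROFILES = [
    {"station": "CS-001", "ocppCsmsUrl": "wss://csms.example.org/ocpp", "securityProfile": 3},
    {"station": "CS-002", "ocppCsmsUrl": "wss://csms.example.org/ocpp", "securityProfile": 2},
    {"station": "CS-003", "ocppCsmsUrl": "ws://csms.example.org/ocpp", "securityProfile": 1},
    {"station": "CS-004", "ocppCsmsUrl": "ws://csms.example.org/ocpp", "securityProfile": 3},
    {"station": "CS-005", "ocppCsmsUrl": "wss://csms.example.org/ocpp"},
]


def audit_profile(profile, minimum=2):
    """Return findings for one connection profile; an empty list means it passes."""
    findings = []
    scheme = urlparse(profile.get("ocppCsmsUrl", "")).scheme.lower()
    level = profile.get("securityProfile")

    if scheme == "ws":
        findings.append("plaintext WebSocket: traffic to the CSMS is not encrypted")
    elif scheme != "wss":
        findings.append("CSMS URL is missing or not a WebSocket URL")

    if level not in (1, 2, 3):
        findings.append("security profile missing or unknown")
        return findings
    if level < minimum:
        findings.append(f"security profile {level} is below required minimum {minimum}")
    if level >= 2 and scheme != "wss":
        # Profiles 2 and 3 are defined over TLS, so a non-wss URL contradicts them.
        findings.append(f"profile {level} requires TLS but URL scheme is '{scheme}'")
    return findings


def audit_fleet(profiles, minimum=2):
    """Map station id -> findings, listing only stations with at least one finding."""
    report = {}
    for profile in profiles:
        findings = audit_profile(profile, minimum)
        if findings:
            report[profile.get("station", "<unknown>")] = findings
    return report


if __name__ == "__main__":
    for station, findings in audit_fleet(PROFILES).items():
        for finding in findings:
            print(f"{station}: {finding}")
```

Raising `minimum` to 3 turns the same audit into a check that every station authenticates with a client certificate, which is where the PKI dependency becomes operational.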

Where OCPP governs communication between EV chargers and charging networks, the Open Charge Point Interface (OCPI) protocol enables different EV charging networks to exchange information such as charger availability, pricing, authorization, charging-session data, and billing, allowing EV drivers to use multiple charging networks more seamlessly. Maintained by the EV Roaming Foundation, OCPI supports more secure interoperability by standardizing authenticated API communication between charging networks using encrypted transport, typically HTTPS/TLS, to help protect operational and customer data while in transit. OCPI implementations also support credential and token exchange mechanisms that help establish trusted connections between interconnected charging networks.

 

Secure DER Communication Protocol: IEEE 2030.5

Looking beyond charging networks to the broader grid, another protocol addresses how EVs will eventually interact with utilities directly. IEEE 2030.5 defines a secure communication protocol so that distributed energy resources (DERs) such as EV chargers can exchange information with utilities and aggregators to facilitate grid management. The SunSpec/Sandia DER Cybersecurity Work Group defines best practices for cybersecure DER in the SunSpec Cybersecurity Specifications package, and drives these best practices into relevant national and international standards such as IEEE 2030.5 and Secure SunSpec Modbus.

Dylan Tansy, Executive Director of the SunSpec Alliance, highlights how security and interoperability can reinforce rather than conflict with each other:

“By combining secure-by-design interoperability with mutual authentication and role-based access control within open, adaptable specifications supported by rigorous protocol-focused testing and certification frameworks, we can help the industry scale a more resilient and flexible energy ecosystem without forcing operators to choose between security and interoperability.”

 

How EVCAN’s Specification Ensures CSMS Cybersecurity

Because EV charging infrastructure is increasingly connected to the grid, cloud services, and customer data, cybersecurity is a foundational requirement for any Charge Station Management System (CSMS). The EVCAN Technical Specification establishes a structured approach to cybersecurity by requiring CSMS providers to demonstrate compliance with recognized, certifiable standards across three key areas: secure development processes, cloud services, and payment systems.

These include widely adopted frameworks such as SOC 2 for operational controls and risk management, ISO 27001/27017 for standardized information security practices, ANSI/ISA/IEC 62443-4-1 for secure product development, FedRAMP for cloud security, and PCI DSS for payment protection. Rather than relying on a single standard, this multi-layered approach ensures that cybersecurity is embedded throughout the system lifecycle: from how software is built, to how it is deployed and operated, to how sensitive data is protected.

This is critical because EV charging systems will increasingly interface with grid operations and user data, making them potential targets for disruption, data breaches, or unauthorized access if not properly secured. By requiring adherence to these established standards, the Specification helps ensure that qualified systems are designed, implemented, and maintained with robust cybersecurity practices.

 

Cybersecurity Requires Maintenance and Consistency

As EV adoption accelerates and charging infrastructure becomes more deeply integrated with the electric grid and digital ecosystems, cybersecurity can no longer be treated as an afterthought. It must be built in from the start and maintained over time. The combination of secure communication protocols, industry-led standards, and rigorous certification frameworks provides a clear path forward, but real security ultimately depends on consistent implementation and operational discipline.

For EVs, trust and resilience will be just as critical as speed and scale in powering the transition to an electrified future. Please reach out to us at hello@evcan.org if you have questions or comments on this article.
