Russell Schmidt

Your charging infrastructure is a target: real attacks, real consequences

A brief history of an unexpected new front in the forever cyberwar

At the onset of Russia's invasion of Ukraine, a Ukrainian parts supplier used a remote-support backdoor it had left in the units to display anti-Putin, pro-Ukraine messages on EV chargers along the M11 motorway between Moscow and St. Petersburg, taking the units out of service in the process.

In January 2023, someone walked up to an Electrify America charger in Kettleman City, California, opened TeamViewer on their phone, and gained complete control of the station's Windows 10 system. No sophisticated exploit. No zero-day vulnerability. Just TeamViewer, sitting there, waiting for someone to notice.

If you're running EV charging infrastructure, you need to understand that this isn't a hypothetical threat. The attack surface is real, the vulnerabilities are documented, and the consequences range from annoying to catastrophic.

I spent three years at EVgo (2019-2022) helping to build out a secure infrastructure for running a CPO. Since 2022, working on InCharge Energy's InControl CMMS, I have seen the reality of charging infrastructure sitting at the intersection of three complex systems: the power grid, payment processing, and connected vehicle networks.

The Threat Landscape: More Than Script Kiddies

The charging industry has taken security more seriously of late, following a series of high-profile attacks.

In 2024, publicly reported cyber incidents against automotive and smart mobility rose roughly 40% year over year, from 295 to 409, and EV charger attacks grew from 4% to 6% of those incidents.

There are several threat vectors for charging infrastructure to worry about:

The OCPP problem: Open Charge Point Protocol (OCPP) 1.6, deployed on most non-Tesla and legacy ChargePoint gear in North America, requires neither encryption nor authentication. TLS and the security profiles were bolted on later through the OCPP 1.6 Security Whitepaper and remain optional, so a protocol that carries billions of dollars in charging transactions still has operators running plaintext WebSockets (ws://) over cellular connections today.

The payment data honeypot: Many public charging sessions involve payment card data, personally identifiable information, vehicle identification numbers, and charging patterns that reveal where people live and work. In November 2024, a threat actor leaked approximately 116,000 records from multiple charge point operators around the world. The exposed data included payment information and vehicle details, exactly what identity theft and fraud run on.

The grid connection: Charging infrastructure connects directly to the electrical grid and can draw significant power on demand. This makes it a potential vector for grid disruption attacks. No coordinated attack on grid stability through EV charging has been seen in the wild, but the capability is real on paper: multiple research papers have demonstrated proof-of-concept attacks in which a population of compromised chargers switches large loads in concert.

Three Real Incidents Worth Understanding

1. The Electrify America TeamViewer Incident (January 2023)

The Kettleman City incident wasn't sophisticated, which is exactly why it's terrifying. A user known as "The Kilowatts" on Twitter gained access to an Electrify America charger running Windows 10 using TeamViewer. The remote access software was just... there. Running. Accessible.

What they got: Full access to the charger's internal computer. They could navigate with a mouse, type on a keyboard, launch programs. "Essentially, I could spin up a spoofed EA application that collects personal information through the touchscreen," they told reporters.

The response: Electrify America called it "an isolated incident resulting in unauthorized access at the charger level," claiming access was "limited to the charger and did not extend to the network."

Why it matters: If one charger had TeamViewer sitting accessible, how many others did? This is a pretty fundamental failing most likely on the shoulders of the charger manufacturer, not EA.

2. ChargePoint Pwn2Own Compromise (2024)

At Pwn2Own Automotive 2024 in Tokyo, held in January 2024, the Sector 7 team from Computest demonstrated exploits against the ChargePoint Home Flex charger; their full write-up followed in August. What they showed went beyond taking over the charger: the foothold reached into ChargePoint's cloud infrastructure.

The technical details: The chain combined an HTTP server running on the charger, a deprecated NTP client, and the reverse SSH tunnel the charger keeps open to ChargePoint's back end. Earlier in 2024, the security firm Sternum had reported similar issues in ChargePoint's home chargers.

What they got: Cloud infrastructure access. That's not hyperbole. According to the Sector 7 team, they gained the ability to "completely take over the cloud infrastructure of ChargePoint."

The aftermath: ChargePoint released firmware updates disabling the HTTP server and updating the NTP client. Credit to them for fixing it. But this raises the question: how many other charger manufacturers are running deprecated services and open tunnels that haven't been found yet?

3. CVE-2024-37310: The EVerest Heap Overflow (2024)

CVE-2024-37310 is a heap overflow vulnerability in EVerest, an open-source EV charging software stack (an LF Energy project) used in multiple commercial charging platforms.

The vulnerability: An integer overflow in the v2g_incoming_v2gtp function, the code that receives ISO 15118 V2G Transport Protocol (V2GTP) frames from the vehicle; an oversized length field in a hostile frame wraps an intermediate value and the result is a heap overflow. PlaxidityX Security found it with their AutoTester fuzzing tool while analyzing V2G communication protocols. Note the attack surface: V2GTP arrives over the power-line link in the charging cable, so the attacker is whatever is plugged into the connector, not something on the operator's network.
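To make the bug class concrete, here is an added Python illustration (not EVerest's code, and not the actual faulty line, which this page does not reproduce): a V2GTP frame parser with a hypothetical length check that wraps under 32-bit arithmetic, next to the check a hardened reader should do. The frame layout follows ISO 15118-2; the payload bytes and the buffer size are constructed for the demo.

```python
import struct

# ISO 15118-2 V2GTP header: version, inverse version, payload type, payload length (big-endian).
V2GTP_HEADER_LEN = 8
V2GTP_VERSION, V2GTP_VERSION_INVERSE = 0x01, 0xFE
V2GTP_PAYLOAD_EXI = 0x8001       # payload type for EXI-encoded ISO 15118-2 messages
UINT32_MAX = 0xFFFFFFFF


class V2GTPError(ValueError):
    pass


def build_v2gtp(payload_type: int, payload: bytes) -> bytes:
    """Frame a payload the way the EV side would."""
    return struct.pack("!BBHI", V2GTP_VERSION, V2GTP_VERSION_INVERSE,
                       payload_type, len(payload)) + payload


def parse_header(buf: bytes):
    """Split off the 8-byte header; no length policy yet."""
    if len(buf) < V2GTP_HEADER_LEN:
        raise V2GTPError("short header")
    version, inverse, payload_type, payload_len = struct.unpack("!BBHI", buf[:V2GTP_HEADER_LEN])
    if version != V2GTP_VERSION or inverse != V2GTP_VERSION_INVERSE:
        raise V2GTPError("bad version bytes")
    return payload_type, payload_len


def copy_len_unsafe(buf: bytes, buf_size: int) -> int:
    """Hypothetical vulnerable check, emulating the C idiom
           if (payload_len + V2GTP_HEADER_LEN > buf_size) reject;
       with 32-bit unsigned arithmetic. A payload_len near UINT32_MAX wraps the
       sum to a small value, the bound check passes, and the caller goes on to
       copy payload_len bytes into a buf_size-byte heap buffer. Returns the
       length that copy would be handed. Not EVerest's code; bug class only."""
    _, payload_len = parse_header(buf)
    total = (payload_len + V2GTP_HEADER_LEN) & UINT32_MAX    # wraps like uint32_t
    if total > buf_size:
        raise V2GTPError("payload does not fit")
    return payload_len


def read_v2gtp(buf: bytes, buf_size: int) -> bytes:
    """Hardened reader: compare payload_len against a capacity computed by
       subtraction (which cannot wrap) and against the bytes actually received,
       before the length is used for anything."""
    payload_type, payload_len = parse_header(buf)
    if payload_type != V2GTP_PAYLOAD_EXI:
        raise V2GTPError(f"unexpected payload type 0x{payload_type:04x}")
    max_payload = buf_size - V2GTP_HEADER_LEN
    if payload_len > max_payload:
        raise V2GTPError(f"payload_len {payload_len} exceeds capacity {max_payload}")
    if len(buf) - V2GTP_HEADER_LEN < payload_len:
        raise V2GTPError("truncated message")
    return buf[V2GTP_HEADER_LEN:V2GTP_HEADER_LEN + payload_len]


# Constructed inputs (not captured traffic): a well-formed frame with placeholder
# EXI bytes, and a hostile frame whose length field is UINT32_MAX - 7.
BUF_SIZE = 4096
GOOD_PAYLOAD = bytes.fromhex("809802004080c101")
GOOD_MSG = build_v2gtp(V2GTP_PAYLOAD_EXI, GOOD_PAYLOAD)
HOSTILE_MSG = struct.pack("!BBHI", V2GTP_VERSION, V2GTP_VERSION_INVERSE,
                          V2GTP_PAYLOAD_EXI, UINT32_MAX - 7) + b"\x00" * 16


if __name__ == "__main__":
    print("good payload:", read_v2gtp(GOOD_MSG, BUF_SIZE).hex())
    print("unsafe check let through a copy of", hex(copy_len_unsafe(HOSTILE_MSG, BUF_SIZE)), "bytes")
    try:
        read_v2gtp(HOSTILE_MSG, BUF_SIZE)
    except V2GTPError as err:
        print("hardened reader rejected it:", err)
```

The point of the hardened version is ordering: bound the attacker-controlled length against something that cannot overflow first, then against what actually arrived, and only then use it. The same rule applies to any length-prefixed format the charger parses, OCPP messages included.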

What an attacker could do:

  • Bypass payment gates (free charging)
  • Compromise private keys stored in the charging station
  • Execute arbitrary code in the Linux process that runs the charger
  • Potentially pivot to other systems on the network

The fix: Patched in EVerest versions 2024.3.1 and 2024.6.0. That EVerest is open source is a large part of why this was found and fixed in the open: the code gets attention from security researchers and is battle-tested on multiple companies' platforms. I would hazard a guess that proprietary systems are tested less often.

More OCPP Vulnerabilities Than You Probably Want to Know About

OCPP vulnerabilities deserve their own section because they're systemic, not isolated incidents.

CVE-2023-49956: Dalmann OCPP.Core versions prior to 1.3.0 let anyone terminate an active charging transaction by sending a StopTransaction message carrying that transaction's transactionId, with no check that the transaction belonged to the charge point sending the message. Send a properly formatted message with a random or enumerated id and you stop someone else's charging session. Annoying for a consumer. Potentially business-disrupting for a fleet operator with time-sensitive logistics.
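The gap is easiest to see in code. The following is an added Python sketch of a minimal central system (mine, not OCPP.Core's code) with the pre-1.3.0 behaviour beside a handler that binds the transaction to the identity the transport authenticated; the charge point ids, transaction numbers and messages are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

CALL, CALLRESULT = 2, 3   # OCPP-J message type ids


@dataclass
class Transaction:
    tx_id: int
    charge_point_id: str
    id_tag: str
    active: bool = True


class Csms:
    """Minimal in-memory central system: just enough state to show the gap."""

    def __init__(self):
        self.transactions: Dict[int, Transaction] = {}
        self.alerts: List[str] = []
        self._next_tx = 1000

    def start_transaction(self, charge_point_id: str, id_tag: str) -> int:
        tx = Transaction(self._next_tx, charge_point_id, id_tag)
        self.transactions[tx.tx_id] = tx
        self._next_tx += 1
        return tx.tx_id

    @staticmethod
    def _parse_stop(raw: str):
        msg = json.loads(raw)
        if msg[0] != CALL or msg[2] != "StopTransaction":
            raise ValueError("not a StopTransaction CALL")
        return msg[1], msg[3]

    def stop_vulnerable(self, sender_id: str, raw: str) -> str:
        """Bug pattern of CVE-2023-49956: a well-formed transactionId is enough,
        whichever charge point sent it."""
        uid, payload = self._parse_stop(raw)
        tx = self.transactions.get(payload["transactionId"])
        if tx is not None:
            tx.active = False
        return json.dumps([CALLRESULT, uid, {}])

    def stop_hardened(self, sender_id: str, raw: str) -> str:
        """sender_id is the identity the transport authenticated (client cert or
        Basic-auth user on this websocket), never a value read from the payload.
        The transaction must belong to that sender and still be active."""
        uid, payload = self._parse_stop(raw)
        tx_id = payload.get("transactionId")
        tx = self.transactions.get(tx_id)
        if tx is None or tx.charge_point_id != sender_id or not tx.active:
            self.alerts.append(f"{sender_id}: StopTransaction for tx {tx_id} it does not own")
            # Acknowledge without touching state; the alert is the action.
            return json.dumps([CALLRESULT, uid, {}])
        tx.active = False
        return json.dumps([CALLRESULT, uid, {"idTagInfo": {"status": "Accepted"}}])


def stop_message(tx_id: int, uid: str = "m1") -> str:
    """Constructed OCPP 1.6J StopTransaction.req as a charger (or attacker) would send it."""
    return json.dumps([CALL, uid, "StopTransaction",
                       {"transactionId": tx_id, "meterStop": 12345,
                        "timestamp": "2025-03-01T08:40:00Z"}])


def demo() -> Tuple[bool, bool, bool, int]:
    """Forged stop from CP-ATTACKER against CP-VICTIM's session, on both code paths,
    then the legitimate stop. Returns (active after forged stop, vulnerable path;
    active after forged stop, hardened path; active after owner's stop; alerts)."""
    weak = Csms()
    tx = weak.start_transaction("CP-VICTIM", "TAG-DRIVER")
    weak.stop_vulnerable("CP-ATTACKER", stop_message(tx))
    vulnerable_active = weak.transactions[tx].active

    hard = Csms()
    tx2 = hard.start_transaction("CP-VICTIM", "TAG-DRIVER")
    hard.stop_hardened("CP-ATTACKER", stop_message(tx2))
    hardened_active = hard.transactions[tx2].active
    hard.stop_hardened("CP-VICTIM", stop_message(tx2))
    owner_stop_active = hard.transactions[tx2].active
    return vulnerable_active, hardened_active, owner_stop_active, len(hard.alerts)


if __name__ == "__main__":
    print(demo())
```

The fix is not clever: every message that names a transaction, connector or idTag has to be checked against what the authenticated connection is allowed to touch. That in turn only works if the connection is authenticated, which is the security-profile discussion further down.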

The multiple connection problem: OCPP-J does not specify what a backend should do when a second WebSocket connects claiming the identity of a charge point that is already connected. Researchers showed that backends which simply accept the new connection let an attacker displace the legitimate charger, which yields denial of service outright and, where the backend trusts the identity in the connection URL, impersonation, data theft and energy theft.

Research findings: An academic study of 16 representative live EV charging station management systems found multiple zero-day vulnerabilities across them, in production systems rather than lab prototypes. The attack scenarios they describe include man-in-the-middle, denial of service, firmware theft, and data poisoning.

Three Things You Can Actually Do About This

If you're operating charging infrastructure, here's what matters:

1. Upgrade to OCPP 2.0.1 with mandatory security profiles

If your chargers can handle it, OCPP 2.0.1 builds in the security profiles that were only an add-on whitepaper for 1.6: profile 1 is Basic auth over plaintext ws://, profile 2 is Basic auth over TLS, and profile 3 is mutual TLS with a client certificate on the charger. The key word is "mandatory": don't just upgrade the protocol version and leave profile 1, or no profile at all, in place.

What this looks like in practice:

  • Implement certificate-based authentication between charge points and your management system
  • Use TLS 1.2 at minimum, which is the floor OCPP requires, and TLS 1.3 wherever the charger's stack supports it
  • Enable mutual authentication so both the charger and backend verify each other's identity
  • Rotate certificates on a defined schedule (annually at minimum, quarterly if you're serious)

Why operators resist this: First off, OCPP 2.0.1 support is still spotty. Some older chargers will simply never support it. Some manufacturers make upgrades costly because they require a service visit. And even with over-the-air updates, coordinating updates like this is time-consuming if you want to do it right. OCPP 2.0.1 not being backwards compatible with 1.6 has been a huge barrier to adoption.

2. Treat your charging network with suspicion

Charging data should be encrypted at rest and in transit, and the charger-to-backend link is the part most often left open. If you can use VLANs and VPNs, great, but in my experience customers never want to pay for it.

Network architecture that works:

  • Use wss not ws
  • Put chargers on their own VLAN or VPN tunnel so a compromised charger cannot reach back-office systems
  • Make sure remote-support tools (TeamViewer and the like) are not reachable from the charger's public side, and preferably not installed at all
  • Monitor network traffic for anomalous patterns (sudden traffic spikes, unusual connection attempts, scanning behavior)
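Putting the profile choice, the wss-only rule and the authentication check in one place, here is an added Python example (mine, not from any vendor's CSMS) of the server-side settings for security profiles 2 and 3: a TLS context with the right floor and client-certificate requirement, a wss:// check for the charger's configured endpoint, and a Basic-auth check for profile 2 that ties the username to the charge point identity in the URL path. The CA file path and the issued keys are assumptions.

```python
import base64
import hmac
import ssl
from urllib.parse import urlparse

# OCPP-J security profiles (OCPP 1.6 Security Whitepaper; built into OCPP 2.0.1).
PROFILE_UNSECURED_BASIC = 1    # ws://  + HTTP Basic: credentials cross the network in the clear
PROFILE_TLS_BASIC = 2          # wss:// + HTTP Basic: server certificate only
PROFILE_TLS_CLIENT_CERT = 3    # wss:// + client certificate: mutual TLS


def csms_url_ok(url: str, profile: int) -> bool:
    """Charger-side check of the configured CSMS endpoint: anything below profile 2,
    or any ws:// URL, is the 'ws not wss' mistake and is refused."""
    return profile in (PROFILE_TLS_BASIC, PROFILE_TLS_CLIENT_CERT) and urlparse(url).scheme == "wss"


def csms_server_context(profile: int, ca_file: str = "") -> ssl.SSLContext:
    """TLS settings for the CSMS websocket listener. ca_file (assumed path) is the
    operator's own charger CA bundle; it is only loaded when given so the function
    also works offline."""
    if profile == PROFILE_UNSECURED_BASIC:
        raise ValueError("security profile 1 sends Basic credentials in plaintext; refused")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # OCPP floor; prefer 1.3 where the charger supports it
    ctx.options |= ssl.OP_NO_COMPRESSION
    if profile == PROFILE_TLS_CLIENT_CERT:
        ctx.verify_mode = ssl.CERT_REQUIRED         # charger must present a cert chaining to our CA
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
    return ctx


def context_summary(profile: int) -> dict:
    """Plain-data view of the settings above, handy for a config audit."""
    ctx = csms_server_context(profile)
    return {"min_tls": ctx.minimum_version.name,
            "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED}


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(authorization: str, path_identity: str, issued_keys: dict) -> bool:
    """Profile 2: the Basic username must equal the charge point identity taken from
    the websocket path (.../ocpp/<identity>), and the password must match the key we
    issued to that charger. compare_digest keeps the comparison constant-time."""
    try:
        scheme, b64 = authorization.split(" ", 1)
        user, password = base64.b64decode(b64).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    if scheme != "Basic" or user != path_identity:
        return False
    expected = issued_keys.get(user)
    return expected is not None and hmac.compare_digest(password, expected)


# Constructed per-charger keys (assumption: long random keys issued by the operator,
# never a vendor default shared across a fleet).
ISSUED_KEYS = {"CP-101": "k7Qm2vX9pL4sR8tW1yZ3bN6hJ0eF5gA2"}


if __name__ == "__main__":
    print(csms_url_ok("ws://csms.example.net/ocpp/CP-101", PROFILE_TLS_BASIC))
    print(context_summary(PROFILE_TLS_CLIENT_CERT))
    hdr = basic_auth_header("CP-101", ISSUED_KEYS["CP-101"])
    print(check_basic_auth(hdr, "CP-101", ISSUED_KEYS), check_basic_auth(hdr, "CP-999", ISSUED_KEYS))
```

Two things to notice. The profile 1 path raises instead of returning a weaker context, so nobody can "temporarily" enable it from config. And the Basic-auth check refuses a valid credential presented under the wrong path identity, which is the impersonation case from the multiple-connection problem above.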

What this prevents: The Electrify America scenario. Even if someone compromises an individual charge point, proper network segmentation limits their ability to move laterally to other systems. They get one charger, not your entire network.

The InControl CMMS perspective: We have seen operators with glaring security holes and operators that rotate passwords on chargers regularly. We pursued SOC 2 certification because we wanted to put best practices into practice.

3. Implement real-time monitoring and anomaly detection

You can't secure what you can't see. Modern charging networks generate massive amounts of telemetry—use it.

What to monitor:

  • Authentication failures and retry patterns
  • Unusual transaction patterns (e.g., rapid start/stop cycles, zero-value transactions)
  • Firmware version anomalies (chargers that suddenly report different versions)
  • Network connection patterns (chargers connecting from unexpected IP addresses)
  • Power draw anomalies (chargers reporting utilization that doesn't match metering data)

How to implement this:

  • Feed OCPP message logs into a SIEM (Security Information and Event Management) system
  • Set up automated alerts for suspicious patterns
  • Build dashboards that make anomalies visible at a glance
  • Actually respond to alerts (I know this sounds obvious, but you'd be surprised)

Real-world example: During my EVgo years, we saw fraud ranging from multiple cards being used on the same charger in a short amount of time to the same card being used across multiple chargers at the same time. The key is pattern-matching behaviors indicative of fraud.
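As an added example (not EVgo's or InCharge's detection code), here is Python that runs three of those patterns over a constructed set of OCPP 1.6 transaction events: the same idTag active on two chargers at once, a burst of different idTags on one charger, and rapid start/stop cycling on one connector. The thresholds and windows are assumptions to tune per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSMS-side transaction events (OCPP 1.6 Start/StopTransaction as the
# back end logged them). Not real operator data.
SAMPLE_EVENTS = [
    # TAG-AAA starts at CP-101, then at CP-202 while the first session is still open
    {"ts": "2025-03-01T08:00:00+00:00", "cp": "CP-101", "conn": 1, "action": "StartTransaction", "id_tag": "TAG-AAA", "tx": 1},
    {"ts": "2025-03-01T08:05:00+00:00", "cp": "CP-202", "conn": 1, "action": "StartTransaction", "id_tag": "TAG-AAA", "tx": 2},
    {"ts": "2025-03-01T08:40:00+00:00", "cp": "CP-101", "conn": 1, "action": "StopTransaction", "id_tag": "TAG-AAA", "tx": 1},
    {"ts": "2025-03-01T09:00:00+00:00", "cp": "CP-202", "conn": 1, "action": "StopTransaction", "id_tag": "TAG-AAA", "tx": 2},
    # four different tags cycled through one connector of CP-303 in six minutes
    {"ts": "2025-03-01T10:00:00+00:00", "cp": "CP-303", "conn": 2, "action": "StartTransaction", "id_tag": "TAG-B01", "tx": 3},
    {"ts": "2025-03-01T10:01:00+00:00", "cp": "CP-303", "conn": 2, "action": "StopTransaction", "id_tag": "TAG-B01", "tx": 3},
    {"ts": "2025-03-01T10:02:00+00:00", "cp": "CP-303", "conn": 2, "action": "StartTransaction", "id_tag": "TAG-B02", "tx": 4},
    {"ts": "2025-03-01T10:03:00+00:00", "cp": "CP-303", "conn": 2, "action": "StopTransaction", "id_tag": "TAG-B02", "tx": 4},
    {"ts": "2025-03-01T10:04:00+00:00", "cp": "CP-303", "conn": 2, "action": "StartTransaction", "id_tag": "TAG-B03", "tx": 5},
    {"ts": "2025-03-01T10:05:00+00:00", "cp": "CP-303", "conn": 2, "action": "StopTransaction", "id_tag": "TAG-B03", "tx": 5},
    {"ts": "2025-03-01T10:06:00+00:00", "cp": "CP-303", "conn": 2, "action": "StartTransaction", "id_tag": "TAG-B04", "tx": 6},
    # one ordinary ninety-minute session, should trigger nothing
    {"ts": "2025-03-01T11:00:00+00:00", "cp": "CP-404", "conn": 1, "action": "StartTransaction", "id_tag": "TAG-CCC", "tx": 7},
    {"ts": "2025-03-01T12:30:00+00:00", "cp": "CP-404", "conn": 1, "action": "StopTransaction", "id_tag": "TAG-CCC", "tx": 7},
]


def _ordered(events):
    out = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(out, key=lambda e: e["ts"])


def sessions(events):
    """Pair Start/Stop by transactionId; an unmatched Start is a still-open session."""
    open_, closed = {}, []
    for e in _ordered(events):
        if e["action"] == "StartTransaction":
            open_[e["tx"]] = {"cp": e["cp"], "conn": e["conn"], "id_tag": e["id_tag"],
                              "start": e["ts"], "stop": None}
        elif e["action"] == "StopTransaction" and e["tx"] in open_:
            s = open_.pop(e["tx"])
            s["stop"] = e["ts"]
            closed.append(s)
    return closed + list(open_.values())


def concurrent_tag_use(events):
    """Same idTag active on two different chargers at overlapping times:
    a cloned card or a shared credential."""
    by_tag = defaultdict(list)
    for s in sessions(events):
        by_tag[s["id_tag"]].append(s)
    hits = []
    for tag, ss in by_tag.items():
        ss.sort(key=lambda s: s["start"])
        for i, a in enumerate(ss):
            for b in ss[i + 1:]:
                if b["cp"] != a["cp"] and (a["stop"] is None or b["start"] < a["stop"]):
                    hits.append((tag, a["cp"], b["cp"]))
    return hits


def tag_churn(events, window=timedelta(minutes=10), threshold=3):
    """At least `threshold` distinct idTags starting sessions on one charger within
    `window`: someone working through a list of stolen or guessed tags."""
    starts = defaultdict(list)
    for e in _ordered(events):
        if e["action"] == "StartTransaction":
            starts[e["cp"]].append((e["ts"], e["id_tag"]))
    flagged = set()
    for cp, lst in starts.items():
        for i, (t0, _) in enumerate(lst):
            if len({tag for t, tag in lst[i:] if t - t0 <= window}) >= threshold:
                flagged.add(cp)
    return flagged


def rapid_cycles(events, window=timedelta(minutes=10), threshold=3):
    """At least `threshold` completed start/stop cycles on one connector within `window`."""
    stops = defaultdict(list)
    for s in sessions(events):
        if s["stop"] is not None:
            stops[(s["cp"], s["conn"])].append(s["stop"])
    flagged = set()
    for key, lst in stops.items():
        lst.sort()
        for i, t0 in enumerate(lst):
            if sum(1 for t in lst[i:] if t - t0 <= window) >= threshold:
                flagged.add(key)
    return flagged


if __name__ == "__main__":
    print("concurrent tag use:", concurrent_tag_use(SAMPLE_EVENTS))
    print("tag churn:", tag_churn(SAMPLE_EVENTS))
    print("rapid cycles:", rapid_cycles(SAMPLE_EVENTS))
```

In a real deployment these functions run over a sliding window of the SIEM's OCPP event stream rather than a list, and CP-303 tripping both the churn and the cycling rule at once is the kind of correlation worth a higher-severity alert than either rule alone.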

The Uncomfortable Truth

Here's what I learned working in this industry: many charging infrastructure operators are under-resourced for cybersecurity. The charger manufacturers are often not thinking about how their machines are exposed in the wild. We have charging networks with the IT budget of a mom and pop but the security requirements of critical infrastructure.

The Electrify America incident wasn't an anomaly in our industry. The ChargePoint vulnerabilities weren't a one-off incident. The OCPP protocol weaknesses aren't going away just because we all agreed to use a newer version. These are systemic issues requiring sustained investment in security practices, training, and infrastructure.

If you're operating charging infrastructure, you have three choices:

  1. Invest proactively in security now, accept the cost and complexity, and sleep at night knowing you've done your due diligence.

  2. Wait until you're breached, then spend 10x as much responding to the incident, notifying customers, managing PR fallout, and potentially facing regulatory consequences.

  3. Hope you're lucky and never become interesting enough for attackers to care about.

The good news is that this is solvable. It just requires accepting that charging infrastructure is IT infrastructure, and IT infrastructure requires security investment.

Your chargers are computers that move electricity around. Treat them accordingly.

Further Reading and Resources


Views expressed are my own based on experience in the EV charging industry. Specific security implementations should be reviewed by qualified cybersecurity professionals. If you're building or operating charging infrastructure and want to discuss security architecture, you can find me on LinkedIn or GitHub.