BSI on the risks of public charging stations

The BSI has investigated the IT security of the public charging network – and identified problems. In the worst case, network stability is at risk.


When electric cars are charged at public charging points, a data connection is established in addition to the power connection. This can be an entry point for attacks on the charging station, the power distribution grid or its control systems, as well as the connected e-car. The Federal Office for Information Security (BSI) has therefore investigated the IT security of publicly accessible charging networks. The result: central standards, including UNECE R 155, are state of the art in many areas, but that is no cause for relief.

Potential attack vectors on the approximately 150,000 standard and 50,000 fast charging stations in Germany include, for example, a bug in the Open Charge Point Protocol 2025. The widely used protocol is considered vulnerable regarding authentication and session handling and is implemented inconsistently. “In practical implementation, however, numerous security mechanisms – such as transport encryption, blocklists, or modern cryptographic methods – are often implemented only to a limited extent or optionally, partly for reasons of backward compatibility,” the 65-page BSI report therefore states. The measures are only “widely implemented”, and proprietary protocols continue to be used. There is therefore a “need for a fundamental paradigm shift towards mandatory security-by-design and security-by-default.” And this is not a recent development.

According to BSI experts, only a fraction of the problem has been investigated in detail so far. “Significant vulnerabilities” exist, for example, in the systems of charging station operators. And the central management of certificates for communication and identification of participants in the charging system is problematic. “Compromises of individual trust anchors can have far-reaching consequences for the entire charging infrastructure and its trustworthiness,” the authority writes.

However, if parts of the system are compromised and, for example, charging communication is disrupted, this can have physical consequences for the e-car, the charging station, or even the power grid. “Whether and to what extent damage such as component damage or thermal overload can occur depends crucially on whether the corresponding components are designed to be intrinsically safe and protect themselves against overvoltages or excessive current flows,” is how the IT security experts describe the problem. In other words: whether they shut down when they are controlled incorrectly.

“If several or far-reaching connections are affected by attacks simultaneously, this can endanger network stability in the worst case.” This could happen, for example, if the local network of a charging hub were specifically attacked. It has long been known that botnets could cause parts of the continental European power grid to collapse by influencing electricity consumption in a coordinated way.

And the problem is growing, warns the BSI: “The introduction of bidirectional charging multiplies the effect.” As long as charging was only unidirectional to the car, this was not a direct problem for the power grids. But with scalable, targeted, or misguided feed-in and feed-out control, the problem grows.

The German Association of the Automotive Industry (VDA) is aware of this: “Plug & Charge and bidirectional charging create new requirements for secure communication, authentication, and certificate management.” However, IT security is “consistently integrated into development and production processes” by automotive manufacturers, a spokesperson told heise online. It is crucial to implement security standards interoperably and along the entire value chain. In other words: the problem is recognized – but not by the car manufacturers.

The energy industry also sees risks, but “no reason for alarmism (...) As far as we know, there have been no serious security incidents in the charging market to date that are reportable to the BSI,” says Kerstin Andreae from the German Association of Energy and Water Industries (BDEW) in response to a heise online inquiry.

She advocates clearer regulations, because the different characteristics of cars as products with digital elements, charging stations as part of energy networks, and car battery networks as virtual power plants and thus potential parts of critical infrastructure mean that very different regulations apply in parallel, as the BSI also describes. “For the ramp-up of the mass market, the question therefore arises as to which sustainably viable, pragmatic solutions can be pursued in the European internal market,” says Kerstin Andreae. She calls for better coordination across individual regulations, without special paths and double regulation.

If all charging stations were remotely controlled, a controllable capacity of 8.5 gigawatts would be available – a quarter more capacity than a year ago. The Federal Ministry of Transport, which is responsible for the “Master Plan Charging Station Infrastructure 2030”, has not yet shown any initiative in this regard.

(ds)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.