Cybersecurity of Public EV-Charging Infrastructure: Lessons from 80,000 Stations in Germany and Implications for the U.S.
The rapid global adoption of electric vehicles (EVs) has driven the expansion of public charging infrastructure, making secure and resilient charging networks essential for mobility and energy systems. This talk presents the results of a large-scale cybersecurity analysis of more than 80,000 publicly accessible EV charging stations in Germany and explores their implications for U.S. deployments.
The study examined charging stations across multiple vendors, backend software platforms, firmware versions, and Open Charge Point Protocol (OCPP) deployments. Using public data, vendor information, and security advisories, the analysis mapped system components to known vulnerabilities (CVEs) and assessed the exposure of charging infrastructure to exploitation.
Key findings reveal systemic weaknesses. A significant portion of charging stations relies on outdated firmware and legacy OCPP versions (1.5/1.6) with well-documented security gaps. Default credentials, outdated TLS implementations, and insufficient patch management create broad attack surfaces. Vendor concentration and homogeneous backend architectures further increase the risk of large-scale compromise. The results demonstrate that many charging networks remain susceptible to remote exploitation, denial-of-service, energy fraud, or ransomware attacks.
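To make the kind of fleet-level assessment described above concrete, the following is an added example (not code from the study or any vendor) that scores a constructed station inventory against the three criteria named here (legacy OCPP 1.5/1.6, TLS below 1.2, default credentials) and measures backend concentration; the record fields and sample values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

LEGACY_OCPP = {"1.5", "1.6"}   # versions the study flags as legacy
MIN_TLS = (1, 2)               # anything below TLS 1.2 is treated as weak


@dataclass
class Station:
    station_id: str
    vendor: str
    backend: str           # backend/CPMS platform the station reports to
    ocpp_version: str      # e.g. "1.6" or "2.0.1"
    tls_version: str       # negotiated TLS version, or "none" for plaintext
    default_credentials: bool


def tls_tuple(version: str) -> Tuple[int, int]:
    """Map a TLS version string to a comparable (major, minor) tuple."""
    if version == "none":
        return (0, 0)
    major, minor = version.split(".")
    return (int(major), int(minor))


def assess_station(s: Station) -> List[str]:
    """Return the list of weakness labels that apply to one station."""
    findings = []
    if s.ocpp_version in LEGACY_OCPP:
        findings.append("legacy-ocpp")
    if tls_tuple(s.tls_version) < MIN_TLS:
        findings.append("weak-tls")
    if s.default_credentials:
        findings.append("default-credentials")
    return findings


def assess_fleet(stations: List[Station]) -> dict:
    """Aggregate per-station findings and the share held by the largest backend."""
    per_finding = Counter(f for s in stations for f in assess_station(s))
    top_backend, top_count = Counter(s.backend for s in stations).most_common(1)[0]
    return {
        "total": len(stations),
        "findings": dict(per_finding),
        "top_backend": top_backend,
        "top_backend_share": top_count / len(stations),
    }


# Constructed sample inventory (hypothetical IDs, vendors and backends).
SAMPLE = [
    Station("DE-001", "VendorA", "CloudX", "1.6", "1.0", True),
    Station("DE-002", "VendorA", "CloudX", "1.6", "1.2", False),
    Station("DE-003", "VendorB", "CloudX", "2.0.1", "1.3", False),
    Station("DE-004", "VendorC", "CloudY", "1.5", "none", True),
    Station("DE-005", "VendorB", "CloudX", "2.0.1", "1.2", False),
]
```

A single backend serving most of the sample (here 80%) illustrates the concentration risk the study highlights: one compromise of that platform would affect most stations at once.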
Threat scenarios highlight broader risks. Successful exploitation could disable large charging networks, disrupt mobility services, or create cascading effects on energy grids. Attacks may range from localized denial-of-service incidents to systemic failures with economic and safety consequences. Real-world industry incidents confirm that these risks are not hypothetical but pressing concerns for infrastructure resilience.
Recommendations are offered at multiple levels.
Technical measures: adoption of OCPP 2.0.1 with secure authentication, encrypted communication, and robust firmware management.
Policy measures: minimum cybersecurity requirements enforced by regulators, with alignment to international standards to ensure consistency across markets.
A secure deployment model is presented as a best-practice example, contrasting the resilience of modernized architectures with the vulnerabilities of today’s typical deployments.
Implications for the U.S. context are significant. Like Germany, U.S. charging networks rely heavily on OCPP and cloud-based backends, creating similar systemic risks. While U.S. regulations (e.g., NIST frameworks, DOE initiatives, NEVI program requirements) offer some additional safeguards, they do not yet fully mitigate the vulnerabilities identified in the German landscape. Without proactive measures, U.S. deployments risk repeating the same security pitfalls at scale.
Conclusion. The German case study underscores that public EV charging infrastructure faces critical cybersecurity challenges rooted in outdated software, insecure protocols, and fragmented security governance. Addressing these weaknesses requires coordinated action from vendors, operators, and policymakers. Strengthening cybersecurity today is vital to ensure that EV charging systems remain reliable, trusted, and resilient as they become a cornerstone of global mobility and energy infrastructures.