BSI draws attention to cyber threats to charging infrastructure

The BSI sees significant security risks in charging infrastructure for electric cars and calls for binding standards for cyber security and network protection

12.05.2026

Source: E & M powernews

The German Federal Office for Information Security (BSI) has published its first report on the IT security of public charging infrastructure.

The large number of charging points, the large amounts of energy transferred and the large financial volume in billing illustrate the importance of the charging infrastructure for the energy and transport transition and, at the same time, give an idea of how great the challenge is to ensure cyber security at all technical and economic levels.

In the introduction to the 72-page document, the BSI points out that the German government's "Charging Infrastructure Master Plan II" describes this as a "key challenge" and calls for measures to be examined to protect against attacks. The charging report now published, which refers to the 2025 investigation period, takes this requirement into account.

The authors illustrate where cyber criminals can attack by listing their focus clusters. These range from charging communication, power supply and authentication to billing and system administration. Broken down to individual systems and players, the "threat profiles" clearly show which potential vulnerabilities exist in vehicles, charging stations and their manufacturers, apps and energy management systems and how the threat situation can actually be assessed.

However, the authors noticed that the research literature on which the situation report is based contains fewer analyses of actors and systems than of communication standards and protocols. It is conceivable that product vulnerabilities are not disclosed to the public. "Conversely, this does not mean that systems without publicly known vulnerabilities are particularly secure. Rather, their security cannot be reliably assessed," the report states.

The report is critical of the central role played by charging stations. Numerous vulnerabilities have been found in recent years, including insecure remote maintenance interfaces, inadequate authentication and errors in software updates. Several charging stations have been successfully compromised in hacker competitions. In some cases, it was possible to execute malicious code or take complete control of a station. In some cases, researchers have even shown that charging communication chips can be manipulated via the charging cable.

Dangers for the power grid

The authors also see risks in authentication. For example, some methods are still based on easily copied RFID cards (Radio-Frequency Identification), which use radio technology for contactless data transmission. In addition, insufficiently protected identifiers can be found. In the so-called "autocharge" process, a manipulated vehicle address may be sufficient to charge at the expense of other users. Phishing attacks are also conceivable, for example via fake QR codes on charging stations or manipulated apps.

The report also warns of dangers for the power grid if, for example, concepts for smart charging and load management connect charging points and energy management systems with the grid operators' systems. The potential for damage continues to increase, particularly with regard to bidirectional charging.

The BSI also considers certificate management to be problematic. The so-called public key infrastructure forms the basis for secure communication and functions such as "plug and charge". However, the management of these certificates is technically and organizationally complex. Unclear responsibilities, optional security measures and a lack of real-time checks could create additional vulnerabilities.

Overall, according to the report, there is still often a lack of consistent "security by design" and "security by default". The BSI therefore sees a considerable need for action. In addition to clearer legal requirements, binding technical security standards, structured vulnerability analyses and tighter testing processes are necessary. This is the only way to build a trustworthy and resilient charging infrastructure in the long term.

The BSI's "Report on the IT security of public charging infrastructure" is available to download online.

Author: Fritz Wilhelm