nl
en en
Overview
June 2nd 2025

Launching Our EV Cybersecurity Report at ElaadNL's Deep Dive Event

Related topics

Tests Cyber security Open Source

On Tuesday, 27 May 2025, ElaadNL hosted its first Deep Dive into EV Cybersecurity – an afternoon packed with insights, demonstrations, and sector-wide collaboration. During the event, we officially launched our new research report: “Cybersecurity Issues in AC and DC Charging Stations”.

This in-depth report is the result of extensive testing conducted over the past year in the ElaadNL Testlab, where dozens of AC and DC charging stations were assessed for cybersecurity vulnerabilities. The findings are both revealing and urgent: charging infrastructure across the board is still vulnerable to a range of cyber threats.

 

Download the full report

Cybersecurity Issues in AC and DC Charging Stations

Key Findings from the Report

The report highlights three primary attack vectors:

  • Charging cable interface – Many modern charging stations (especially DC and ISO 15118-enabled AC models) expose internal services like SSH, MQTT, or HTTP over the charging cable itself. This creates opportunities for attackers to access the station directly from the EV side.
  • Network exposure – Numerous stations run outdated or insecure services on internet-facing ports. Issues such as default credentials, unpatched software, and weak input validation make remote exploitation a real risk.
  • Physical access – Ports like USB, Ethernet, UART, or JTAG are often accessible with minimal effort. Once inside, attackers can extract firmware, bypass authentication, or gain root access to the system.

These vulnerabilities are not just isolated technical flaws. A compromised station can serve as a pivot point into the broader backend or operator network, potentially enabling attackers to manipulate infrastructure at scale or deploy ransomware campaigns targeting energy and mobility services.

Highlights from the Event

During the Deep Dive, cybersecurity professionals, industry experts, and charge point operators came together to share knowledge and chart a path forward. Key sessions included:

  • Real-world insights from ElaadNL’s own assessments.
  • An overview of the updated ElaadNL/ENCS security requirements, now aligned with IEC 62443.
  • Introduction of the new EVC ISAC – a dedicated cybersecurity community for the charging sector.
  • An outlook on upcoming EU regulations like the RED and CRA, and what they mean for manufacturers and operators.
  • A live hacking demo, showing how internal interfaces can be exploited, driving home the need for full-stack security – from plug to backend.
Wilco van Beinum (left) and Harm van den Brink (right) performing a live demonstration of hacking a device.

The Road Ahead

With legislation like NIS2, the Cyber Resilience Act, and updates to the Radio Equipment Directive on the horizon, the regulatory landscape is rapidly evolving. Our report offers technical insights that will help the industry stay ahead of these changes – not just to comply, but to build trust, reliability, and resilience into the energy transition.

At ElaadNL, we believe securing EV infrastructure is not just a technical task – it’s a shared responsibility. This report and the discussions at the Deep Dive event are part of our ongoing commitment to improving the security posture of the sector.