Why automakers are reluctant to discuss EV charger cyber risks

Yahoo

11-03-2025

Automakers are reluctant to discuss their cybersecurity efforts in the electric vehicle charging infrastructure sector because doing so would expose potential weaknesses and invite scrutiny, according to an executive at an automotive cybersecurity specialist.
'No automaker wants to be the one to say, 'We have a problem here.' That immediately raises concerns about liability and consumer trust,' said Giuseppe Serio, who is responsible for global and strategic initiatives at Upstream.
Cybersecurity incidents against automotive and smart mobility targets surged 39 percent to 409 in 2024, according to Upstream.
The company created its report on the problem by analyzing academic research, verified social media accounts of government law enforcement agencies, the Common Vulnerabilities & Exposures (CVE) database and media coverage of the attacks. Upstream's analysts also monitor the deep and dark web to track threat actors operating behind the scenes of automotive cyberattacks, the company said in its report.
There were on average 34 incidents a month last year involving the two sectors across Europe, the U.S. and China, according to Upstream.
In Europe, Germany experienced the highest number of incidents at 31. France followed with 14 attacks, while the U.K. had 16 incidents. Italy and Spain also saw notable activity, with 12 and 10 attacks, respectively, according to Upstream's data.
As EV adoption accelerates, so do the risks — ransomware attacks on smart mobility infrastructure surged, contributing to an overall 38 percent increase in documented incidents.
Sign up for the Automotive News Europe Focus on Electrification newsletter, a weekly wrap-up of the latest electric vehicle news, including interviews and global EV sales data.
A cyberattack on a Lithuanian EV charging system shut down operations for hours, with attackers stealing data from 20,000 customers, according to Vilnius-based new portal Delfi.
Upstream's Serio said automakers prefer to focus on security in areas where they have direct control, such as in-vehicle systems and telematics, rather than openly addressing risks associated with third-party charging networks.
'Once you acknowledge a security risk, you are expected to have a solution,' he said. 'But in the case of EV charging, automakers don't fully own the infrastructure, making it difficult to offer definitive assurances.'
Serio added that public disclosure of cybersecurity vulnerabilities could impact regulatory discussions and industry partnerships.
'If an automaker admits to a security gap, regulators might demand immediate action, which could disrupt product timelines and require costly fixes,' he said.
Instead, several automakers prefer to work behind the scenes, collaborating with charge point operators and industry groups to strengthen security without drawing public attention.
A statement from BMW provided to Automotive News Europe said ensuring customer payment data is adequately secured for charging transactions is a shared responsibility between automakers, electric mobility service provider and charge point operators.
It noted that BMW Group's entire battery-electric vehicle range fulfills the highest safest standard to date.
'BMW conducts its own penetration testing, where its cybersecurity experts attempt to hack the vehicles to uncover vulnerabilities,' the statement continued.
BMW said its 'security by design' principle means automotive security is implemented continuously throughout the vehicle's life cycle, starting from the design phase — an approach now legally required in many countries.
'BMW collects anonymized live data from its vehicles, provided the customer has given consent,' the statement said. 'This enables BMW to identify anomalies and take appropriate action.'
Since 2019, BMW vehicles have been fully updatable over the air, allowing BMW to fix critical cybersecurity vulnerabilities quickly and appropriately throughout the vehicle's life cycle.
A similar statement provided to ANE from Mercedes-Benz noted the company received cybersecurity management system certification in 2021 from the German motor transport authority (KBA).
'All our architectures meet the requirements and are or will be certified in accordance with UN R155 in time,' it said. 'We map the potential cyberthreats, we review future products and services and then design the right architecture and technologies to mitigate prioritized threats.'
Serio said Upstream's findings underscore the urgent need for stronger cybersecurity protections, particularly in EV charging networks, noting security remains an afterthought in the race for market expansion.
'New technologies often prioritize growth over security, and EV charging infrastructure is no exception,' he said.
The rapid adoption of charging networks has created a fragmented ecosystem with multiple stakeholders — including energy providers, charge point operators, automakers, and payment processors —leading to vulnerabilities attackers can exploit.
Gartner Vice President of Research Pedro Pacheco said the EV charging infrastructure presents significant cybersecurity risks, with denial-of-service attacks being the most common threat.
'If a charger loses connectivity, it often becomes unusable, meaning drivers cannot complete payments or access charging services,' he said.
Other threats include data theft and the potential for attackers to use charging stations as entry points into vehicle systems.
What is the biggest enemy of security? Complexity
Serio said the complexity of the charging ecosystem itself is a major risk factor.
'There is a saying in cybersecurity: The biggest enemy of security is complexity,' he said.
Each component in the charging process, from the vehicle interface to the back-end payment system, represents a potential entry point for attackers.
If even one element is weak, it could compromise the entire system.
'Attackers look for the weakest link,' he said. 'A single vulnerability can allow bad actors to hijack sessions, steal payment data, or even disrupt the electrical grid,' Serio said.
Regarding accountability, he noted that while multiple entities are involved, charge point operators have primary responsibility for security.
'Since they control access to the charging stations, charge point operators are the ones that must ensure security across the entire system,' he said.
However, automakers also have a role to play by securing vehicle-side connections and ensuring safe communication protocols between the EV and the charger.
'Automakers must recognize that charging stations introduce a new attack vector, much like telematics systems or connected infotainment units,' he said.
Serio stressed the urgent need for dedicated regulations.
'There is no global cybersecurity standard for EV charging infrastructure,' he said, noting that while automotive cybersecurity regulations exist, similar measures for charging networks remain insufficient.
The U.K. is one of the few countries treating EV charging as critical infrastructure, a model Serio believes should be replicated globally.
'We haven't yet seen the big epiphany moment in EV charging security like we did in the auto industry,' he said. 'But it's only a matter of time before a major incident forces regulators to act.'
Gartner's Pacheco highlighted the role of regulations such as the EU's NIS2 directive, which mandates cybersecurity protections for critical infrastructure, including EV charging networks.
'The main goal of this regulation is to ensure that critical infrastructure remains resilient in the face of cyberattacks,' he said.
Pacheco said automakers and charge point operators often take a reactive rather than proactive approach to cybersecurity.
'Like most risk management issues, cybersecurity tends to receive more attention after a major incident,' he said.
The biggest challenge, he said, is defending against zero-day attacks — new and previously unknown threats.
He said proactive cybersecurity strategies, strong industry collaboration, and a culture of cyber awareness are essential to preventing catastrophic disruptions to EV charging infrastructure.
'Once an entirely new cyberattack emerges, organizations must act immediately to update their security management systems,' Pacheco said.