Market-Analysis-Driven Methodology for Assessing Charging Station Cybersecurity
Source: arXiv:2605.22151 · Published 2026-05-21 · By Jakob Löw, Lukas Eder, Alexander Müller, Hans-Joachim Hof
TL;DR
This paper addresses the significant challenge of assessing the cybersecurity posture of large-scale electric vehicle (EV) fast charging infrastructures, where direct security testing of tens of thousands of deployed charging points is infeasible. The authors propose a market-analysis-driven, extrapolation-based methodology for national-scale security assessment that strategically selects representative charging stations to test based on clusters defined by charge point operator (CPO) and manufacturer pairs. Validating two key assumptions about configuration consistency within clusters, the approach enables extrapolating measured security properties, such as TLS support, to untested stations sharing the same cluster. Applying this methodology to Germany’s 40,949 CCS charging points with assigned manufacturers and operators, they field-tested a manageable subset covering 51.9% of stations. The results reveal that only 27.4% of charging points provide TLS-protected communication despite the availability of hardware supporting such security, indicating a large deployment gap mainly due to operational and configuration factors rather than hardware limitations.
Key findings
- Only 27.4% of German CCS charging stations (in the analyzed 51.9% coverage) provide TLS-secured communication, despite theoretical hardware support.
- 66% of CCS charging points in Germany are manufactured by Alpitronic, with ABB and Tesla comprising 10.3% and 9.2%, respectively.
- Testing 16 charging stations across three major CPO-manufacturer pairs showed consistent TLS and protocol support within each cluster, supporting assumption-based extrapolation.
- Across multiple manufacturers and model years (2018-2024), charging stations from the same manufacturer supported the same communication capabilities (e.g., TLS), confirming homogeneity at the manufacturer level.
- TLS support is mainly driven by the introduction of plug and charge functionality rather than security concerns, as plug and charge mandatorily requires TLS.
- Charging stations with equivalent or older hardware models within the same product line exhibited differing TLS activation, so the gap is attributed to configuration and certificate management rather than hardware limitations.
- Certificate provisioning challenges and cost prevent widespread TLS adoption; only certificates under Hubject V2G Root CA were observed in the dataset.
- Incorporating 25 stations from prior cross-country measurements reinforced consistency of configurations within (CPO, manufacturer) clusters across borders.
Threat model
Adversaries include network-level attackers capable of passive eavesdropping and man-in-the-middle attacks against EV-charging station communication sessions. They may exploit lack of TLS or certificate mismanagement to impersonate stations, intercept payment data, or manipulate charging parameters. Attackers cannot bypass hardware-imposed protocol capabilities but rely on exploiting configuration and operational lapses. The methodology assumes no active attacker alters the charging infrastructure or certificate provisioning during measurement.
Methodology — deep read
The methodology unfolds in seven detailed steps: (1) Data acquisition collected public and community-curated datasets (Bundesnetzagentur, goingelectric.de) containing over 44,000 CCS charging points in Germany, reduced to 40,949 with known manufacturers and operators after cleaning and normalization (e.g., resolving labeling inconsistencies like Tesla vs Supercharger).
(2) Data preprocessing unified inconsistent manufacturer labels and filtered incomplete entries.
(3) Clustering formed groups of charging points with identical (CPO, manufacturer) pairs, hypothesizing each cluster shares homogeneous security configurations and capabilities.
(4) Sampling selected representative charging stations from each cluster, prioritizing the clusters with the largest installed base to minimize the number of physical field tests needed for substantial coverage.
(5) Field testing used a custom portable EV-side emulation device based on Raspberry Pi Zero 2 W and a HomePlug Green PHY powerline communication modem to interact with charging stations without enabling high voltage power transfer. The device followed standardized ISO 15118 and DIN SPEC 70121 protocols strictly, executing multiple test cycles including service discovery, protocol negotiation, and TLS handshake attempts to detect protocol and security capability support.
(6) Results from each field-tested station were extrapolated to all members of their respective cluster based on prior validated assumptions about configuration and capability consistency within clusters.
(7) Aggregation combined extrapolated cluster results to estimate nationwide deployment rates for TLS and protocol support.
Two central assumptions underpin extrapolation: (A1) all stations from the same manufacturer share identical communication capabilities, and (A2) CPOs configure all stations from the same manufacturer uniformly. Both were validated empirically by analyzing multiple stations from different manufacturers, operators, installation years, and countries (incorporating external datasets).
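Steps (3) to (7) and the A2 consistency check can be sketched as follows. This is an added example, not code from the paper; the inventory, cluster names, test results and function names are constructed for illustration. Because the summary quotes the TLS share alongside the coverage figure, the sketch reports the share against both the full inventory and the covered part.

```python
from collections import defaultdict

# Constructed inventory: charging points per (CPO, manufacturer) cluster.
INVENTORY = {
    ("CPO-A", "Vendor-X"): 500,
    ("CPO-B", "Vendor-X"): 300,
    ("CPO-A", "Vendor-Y"): 120,
    ("CPO-C", "Vendor-Z"): 80,
}

# Constructed field results: (CPO, manufacturer, TLS observed) per tested station.
FIELD_TESTS = [
    ("CPO-A", "Vendor-X", True), ("CPO-A", "Vendor-X", True),
    ("CPO-B", "Vendor-X", False),
    ("CPO-A", "Vendor-Y", True), ("CPO-A", "Vendor-Y", False),  # samples disagree
]

def sampling_plan(inventory, budget):
    """Step 4: pick the clusters with the largest installed base first."""
    return sorted(inventory, key=inventory.get, reverse=True)[:budget]

def extrapolate(inventory, tests):
    """Steps 6-7: project each cluster's result onto all of its members."""
    seen = defaultdict(set)
    for cpo, vendor, tls in tests:
        seen[(cpo, vendor)].add(tls)
    total = sum(inventory.values())
    covered = tls_points = 0
    inconsistent = []
    for cluster, results in seen.items():
        if len(results) > 1:  # A2 does not hold here, so do not extrapolate
            inconsistent.append(cluster)
            continue
        covered += inventory[cluster]
        if True in results:
            tls_points += inventory[cluster]
    return {
        "coverage": covered / total,
        "tls_share_of_total": tls_points / total,
        "tls_share_of_covered": tls_points / covered if covered else 0.0,
        "inconsistent": inconsistent,
    }

if __name__ == "__main__":
    print(sampling_plan(INVENTORY, 2))
    print(extrapolate(INVENTORY, FIELD_TESTS))
```

A cluster whose samples disagree is excluded from coverage rather than averaged, since a mixed result means the uniform-configuration assumption cannot carry the measurement to untested stations.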
The testing device simulated the EV side through the entire connection establishment sequence, terminating communication before energizing actual charging for safety. Its software implemented all key protocols, performed handshake and certificate verification, and collected data on supported standards and TLS availability.
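One way an EV-side tester can read a station's advertised security option during service discovery, before confirming it with a TLS handshake attempt (added example, not the authors' device code). The frame layout follows the SECC Discovery Protocol of ISO 15118-2, which this summary does not reproduce; the function names and the sample frame are constructed.

```python
import ipaddress
import struct

V2GTP_VERSION = 0x01
SDP_REQUEST, SDP_RESPONSE = 0x9000, 0x9001
SEC_TLS, SEC_NONE = 0x00, 0x10   # security byte values
TRANSPORT_TCP = 0x00

def build_sdp_request(security=SEC_TLS):
    """8-byte V2GTP header followed by the 2-byte SDP request payload."""
    payload = bytes([security, TRANSPORT_TCP])
    header = struct.pack("!BBHI", V2GTP_VERSION, V2GTP_VERSION ^ 0xFF,
                         SDP_REQUEST, len(payload))
    return header + payload

def parse_sdp_response(frame):
    """Validate the V2GTP header and decode the 20-byte SDP response payload."""
    if len(frame) < 8:
        raise ValueError("truncated V2GTP header")
    version, inverse, ptype, length = struct.unpack("!BBHI", frame[:8])
    if version != V2GTP_VERSION or inverse != version ^ 0xFF:
        raise ValueError("bad V2GTP version bytes")
    if ptype != SDP_RESPONSE or length != 20 or len(frame) != 28:
        raise ValueError("not a well-formed SDP response")
    addr, port, security, transport = struct.unpack("!16sHBB", frame[8:])
    if security not in (SEC_TLS, SEC_NONE):
        raise ValueError(f"unknown security byte 0x{security:02x}")
    return {
        "secc": str(ipaddress.IPv6Address(addr)),
        "port": port,
        "tls_offered": security == SEC_TLS,
        "tcp": transport == TRANSPORT_TCP,
    }

def sample_response(security):
    """Constructed response frame from a station at fe80::1, port 50000."""
    addr = ipaddress.IPv6Address("fe80::1").packed
    return struct.pack("!BBHI16sHBB", V2GTP_VERSION, 0xFE, SDP_RESPONSE,
                       20, addr, 50000, security, TRANSPORT_TCP)

if __name__ == "__main__":
    print(build_sdp_request().hex())
    print(parse_sdp_response(sample_response(SEC_NONE)))
```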
The evaluation covered 16 stations in depth across major CPOs and manufacturers for validation, and a larger selected subset for extrapolation. Metrics focused on TLS presence, certificate chain validity, and supported communication protocols. Baselines included prior opportunistic measurements without clustering.
The approach balances empirical measurement fidelity with scalable national coverage enabled by market-informed stratified sampling and validated assumptions to overcome the challenge of testing tens of thousands of heterogeneous deployed stations.
The authors published raw data and communication dumps to foster reproducibility, though some dependence on third-party community-labeled data may limit exact replicability. The testing device architecture and software are well-documented in the paper but no explicit public code release is noted in the provided text.
Technical innovations
- Market-analysis-driven clustering of charging points by (CPO, manufacturer) pair to enable scalable, assumption-based extrapolation of cybersecurity properties at national scale.
- Development of a portable EV-side charging station testing device emulating ISO 15118 protocols and communication sequences without enabling high-voltage power transfer for safe field measurements.
- Validation of two key assumptions (consistent capabilities per manufacturer and configuration uniformity per CPO-manufacturer pair) via multi-location, multi-year station measurements and integration of prior cross-border datasets.
- Demonstration that operational TLS deployment gaps in real-world charging infrastructure are primarily due to certificate management and configuration challenges, not hardware limitations.
Datasets
- Bundesnetzagentur charging station list — 44,313 charging points in Germany as of Dec 2025 — Public data source
- goingelectric.de community-curated EV charging dataset — 114,078 CCS charging points globally, 44,313 in Germany — Public/community data with manual labeling
Baselines vs proposed
- Opportunistic measurements from Szakály et al. across UK, Switzerland, Hungary: TLS deployment varies widely and lacks national quantification — Current work extrapolates from 51.9% coverage to estimate 27.4% TLS support nationally
- Within clusters: Samples from same (CPO, manufacturer) show consistent TLS and protocol support — validating homogeneity assumptions
Figures from the paper
Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2605.22151.

Fig 1: Charging Communication OSI Layer Overview
Fig 2: Simplified overview of EV charging participants
Limitations
- Extrapolation assumes static configurations, but these may vary over time with firmware updates, certificate rollouts, or misconfigurations.
- Regional differences within large CPOs, temporary deployment inconsistencies, or private charging points registered under shared mobility operators may deviate from the homogeneity assumptions.
- Dependency on community-curated data for manufacturer and model labels may introduce labeling errors or incomplete coverage.
- No direct adversarial evaluation or active penetration testing of vulnerabilities was conducted; focus is on security control presence rather than resistance.
- Testing limited to German CCS charging points, limiting immediate generalization though the methodology is transferable.
- The precise reproducibility depends on access to raw data and testing device implementation details, which are only partially released.
Open questions / follow-ons
- How can automated, cost-free certificate enrollment protocols analogous to ACME (e.g., Let's Encrypt) be integrated into EV charging ecosystems to improve TLS adoption?
- What are the operational challenges and economic factors hindering widespread certificate provisioning and secure configuration at large scale?
- Could standardized firmware update or configuration management frameworks improve uniform deployment of security controls like TLS in charging networks?
- How do emerging standards (e.g., ISO 15118-20) and new communication modalities impact the security posture and measurement methodologies?
Why it matters for bot defense
This study provides bot-defense and CAPTCHA engineers a paradigmatic example of leveraging structured market data and clustering to perform scalable security assessments on widely deployed heterogeneous networked infrastructure. The extrapolation-based methodology enables feasible assessment of security control deployment without exhaustive per-unit testing, a principle that can be adapted to various large-scale bot or fraud detection scenarios where individual entity inspection is impractical. Furthermore, the demonstrated importance of configuration and operational factors over mere hardware capabilities reinforces the need for system-level security verification beyond protocol specification compliance. Insights on categorizing entities by operator and manufacturer analogously inform segmentation strategies in bot-defense pipelines. Additionally, the paper illustrates that security standards adoption does not guarantee practical deployment—a cautionary lesson for CAPTCHA systems relying on default security assumptions.
Cite
@article{arxiv2605_22151,
  title={Market-Analysis-Driven Methodology for Assessing Charging Station Cybersecurity},
  author={Jakob Löw and Lukas Eder and Alexander Müller and Hans-Joachim Hof},
  journal={arXiv preprint arXiv:2605.22151},
  year={2026},
  url={https://arxiv.org/abs/2605.22151}
}