As highlighted in our previous article, “Electric vehicle charging infrastructures: Energy performance and new cybersecurity challenges”, charge point operators (CPOs) operate within a demanding business model, where profitability depends on their ability to drive recurring usage of their networks. In this context, user experience becomes a key lever: the smoother the charging journey, the fewer failures and friction points it involves, ultimately helping build customer loyalty.
Plug & Charge is being promoted precisely to address this challenge. Enabled by the ISO 15118 standard, this mechanism allows the charging station to automatically authenticate the user and initiate charging without the need for a badge or mobile application. Originally designed to standardize communication between the vehicle, the charging station and the grid, ISO 15118 paves the way for a more seamless charging experience—often summed up by the promise: “plug in and it charges.”
However, this apparent simplification on the user side actually relies on a significant increase in complexity across the underlying trust chain and technical mechanisms: digital certificates, Public Key Infrastructure (PKI), ISO 15118 communications, new authentication flows, and dependencies on trusted third parties. In other words, behind a frictionless charging experience, Plug & Charge introduces new points of failure and expands the attack surface that operators must now address as critical cybersecurity concerns.
In this article, we take a closer look at three risks directly associated with the deployment of Plug & Charge and ISO 15118:
- availability loss resulting from a compromise of the V2G (Vehicle-to-Grid) PKI;
- availability loss caused by the exploitation of vulnerabilities on the ISO 15118 interface;
- the theft of charging station certificates and its implications in terms of fraud.
Risk 1: availability loss resulting from a compromise of the V2G PKI
To understand this risk, it is first important to recall that Plug & Charge relies on a digital trust chain that enables the vehicle and the charging station to automatically authenticate each other using certificates and then initiate charging without any manual action from the user.
As illustrated in Figure 1, a Plug & Charge session follows a multi-step sequence:
- Establishment of the ISO 15118 communication channel between the vehicle and the charging station, along with mutual authentication,
- Verification of the mobility contract followed by authorization,
- Start of charging session.
If any of these steps fails due to a breakdown in digital trust, the charging session cannot be initiated.
Figure 1: Steps of a Plug & Charge session
This mechanism relies on a shared PKI across the ecosystem, known as the V2G PKI, whose role is to ensure interoperability between vehicles, charging stations, and operators. This architecture is built on root and intermediate certificate authorities that issue and validate the certificates used throughout the charging session (Figure 2).
Figure 2: V2G PKI architecture
In Europe, this ecosystem currently relies on a limited number of key trusted players—such as Hubject, Gireve, and Irdeto—which combine the role of root certification authority (V2G Root CA) with Plug & Charge certificate management and interoperability services.
Within this architecture, the CPO holds a pivotal position: charging stations must be integrated into this trust chain and, depending on the chosen model, the operator may run certain PKI components in-house (make) or rely on a specialized provider (buy). In both cases, the CPO becomes dependent on a trust infrastructure whose compromise, misconfiguration, or unavailability can have a direct impact on service availability.
The risk, therefore, lies in a loss of service availability caused by an incident affecting the V2G PKI. Several scenarios are plausible: compromise of a root or intermediate authority, expired certificates that were not renewed, corruption of a trust store, or unavailability of a component involved in the certificate lifecycle. In all these situations, the operational outcome is the same: the charging station or the vehicle can no longer establish a valid trust relationship, and the Plug & Charge session fails before charging even starts.
Key takeaways
With Plug & Charge, PKI no longer only secures communications, it becomes a critical production component. An incident affecting the trust infrastructure is therefore not just a security or compliance issue, but a potential source of partial or large-scale service disruption.
The choice between make and buy does not eliminate this risk; it shifts where control lies. A make strategy provides greater control to the CPO, but requires mature PKI governance, robust operational capabilities, and strict discipline over certificate lifecycle management. A buy strategy accelerates deployment but increases dependence on a third party for what has become a critical function, implying stronger requirements in terms of contractual oversight, auditability, and monitoring.
From a cybersecurity standpoint, the implication is clear: the V2G PKI must be treated as a critical operational asset within the charging stations' information system. This entails explicit governance of trust roles, continuous monitoring of certificate lifecycles, regular resilience and continuity testing, and the definition of degraded operating modes to prevent a PKI incident from escalating into large-scale service disruption.
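As an added illustration (not code from the article or from any PKI operator), the Python below walks a constructed V2G-style certificate inventory from each station leaf up to the trust anchor, flags the failure modes listed above (expired certificate, missing trust anchor, intermediate about to expire) and computes which stations a sub-CA incident would take out of Plug & Charge. All subjects, issuers and dates are constructed placeholders, not values from any real PKI.

```python
from collections import namedtuple
from datetime import date, timedelta

# subject: "SECC-0001" is a charging station (SECC) leaf; issuer: subject of the
# issuing CA, the root being self-signed; not_after: certificate expiry date.
Cert = namedtuple("Cert", "subject issuer not_after")

# Constructed inventory (placeholder names and dates) shaped like a V2G PKI:
# V2G Root CA -> CPO Sub-CA -> SECC leaf installed on each charging station.
INVENTORY = {c.subject: c for c in [
    Cert("V2G Root CA", "V2G Root CA", date(2035, 1, 1)),
    Cert("CPO Sub-CA 1", "V2G Root CA", date(2027, 6, 30)),
    Cert("CPO Sub-CA 2", "V2G Root CA", date(2026, 3, 20)),  # renewal is late
    Cert("SECC-0001", "CPO Sub-CA 1", date(2026, 12, 1)),
    Cert("SECC-0002", "CPO Sub-CA 1", date(2026, 1, 20)),    # already expired
    Cert("SECC-0003", "CPO Sub-CA 2", date(2026, 12, 1)),    # healthy leaf, weak CA
    Cert("SECC-0004", "Legacy Sub-CA", date(2026, 12, 1)),   # issuer not in store
]}
TRUST_ANCHORS = {"V2G Root CA"}

def chain_status(subject, today, inventory=INVENTORY, anchors=TRUST_ANCHORS, warn_days=30):
    """Walk from a leaf to a trust anchor; return the first blocking condition.
    Every cert on the path must be valid: a bad intermediate fails the whole chain."""
    status, name, seen = "OK", subject, set()
    while name not in seen:
        seen.add(name)
        cert = inventory.get(name)
        if cert is None:
            return f"UNTRUSTED:{name}"        # corrupted or incomplete trust store
        if cert.not_after < today:
            return f"EXPIRED:{cert.subject}"  # renewal missed, session fails today
        if cert.not_after - today <= timedelta(days=warn_days):
            status = "EXPIRING"               # still works; alert the team now
        if cert.subject in anchors:
            return status
        name = cert.issuer
    return "LOOP"                             # self-signed cert that is not an anchor

def chain_path(subject, inventory=INVENTORY):
    """Subjects from a leaf up to the root, or up to the first missing issuer."""
    path, name = [], subject
    while name in inventory and name not in path:
        path.append(name)
        name = inventory[name].issuer
    return path

def blast_radius(ca_subject, inventory=INVENTORY):
    """Stations that lose Plug & Charge if ca_subject is compromised or expires."""
    return sorted(s for s in inventory if s.startswith("SECC-") and ca_subject in chain_path(s, inventory)[1:])
```

Run against a real fleet, `chain_status` over every leaf is the monitoring feed the takeaway calls for, and `blast_radius` sizes the incident scenario for each intermediate CA before it happens.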
Risk 2: loss of charging infrastructure availability through the exploitation of vulnerabilities in ISO 15118 communication
This risk stems directly from the increasing complexity of the communication channel. Where charging historically relied on relatively simple interactions—primarily based on electrical signaling and a limited set of basic messages—ISO 15118 introduces a high-level dialogue built on a much richer protocol stack (Figure 3).

Figure 3: OSI model applied to ISO 15118
This shift from a minimalist protocol to a full-fledged application layer—including device discovery, IPv6 address allocation, authentication, certificate management, and cryptographic operations—mechanically expands the attack surface. This is particularly true because the communication interface via the charging connector is inherently accessible, with no physical barriers. Any vulnerability in these exchanges (e.g., manipulation of application messages, injection into PLC traffic, improper certificate validation) could disrupt the charging session—or, in a worst-case scenario, lead to a full compromise of the charging station.
Exploiting such vulnerabilities, however, requires physical access to the charging point: the attacker must be able to interact with the communication channel between the vehicle and the station. In practice, this involves specialized equipment to connect to the PLC network, such as a HomePlug Green PHY compatible interface and a physical adapter for the charging connector. While this constraint makes exploitation harder, it does not eliminate the risk. Several research efforts have demonstrated the feasibility of lab setups capable of observing, relaying, or disrupting ISO 15118 communications directly at the cable or connector level.
Figure 4: Equipment required to exploit a vulnerability on the ISO 15118 interface
Key takeaways
To mitigate these risks, CPOs must ensure the security level of their vendors’ products, for example through audits, and assess their cybersecurity maturity, particularly regarding processes for maintaining security over time.
They must also implement vulnerability management processes across their asset base, including maintaining inventories such as SBOMs and HBOMs (Software and Hardware Bills of Materials), as well as robust patch management practices. This enables operators to identify vulnerable assets and respond effectively when attackers attempt to exploit vulnerabilities on this new communication channel.
Risk 3: theft of charging station certificates
The theft of a charging station certificate is not only a cryptographic incident: in an ecosystem built on digital trust, it amounts to a compromise of machine identity. For a CPO, such an incident directly impacts the integrity of exchanges and may open the door to charging fraud.
Two attack scenarios must be distinguished here:
- Extraction of the private key associated with the certificate, following a software compromise or a physical attack on an insufficiently protected component,
- Impersonation of a charging station when obtaining a certificate, for example through an insufficiently authenticated enrolment process between the station and the CPMS (Charge Point Management System).

Figure 5: attack paths to obtain a charging station V2G certificate
Once in possession of a valid certificate, an attacker can impersonate a legitimate charging station and abuse the ecosystem’s trust for malicious purposes. In a Plug & Charge context, this could allow an attacker to make a vehicle believe it is establishing a normal session, and then relay the proof of possession of the victim’s contract certificate into another session—effectively charging a different vehicle at the victim’s expense. This relay attack scenario has been demonstrated in academic literature and illustrates how a single compromised charging station certificate can enable tangible, operational fraud.
Figure 6: exploitation of fraud through relay of the EV’s proof of possession
This type of attack is facilitated in implementations based on ISO 15118-2, where Plug & Charge security relies on a more limited model, particularly in terms of end-to-end authentication and certificate handling. By contrast, ISO 15118-20 strengthens communication security—especially through the widespread use of TLS and a move toward mutual authentication—making such fraud more difficult to exploit, although not eliminating it if machine identities are not properly protected.
This risk is all the more realistic because it does not require a large-scale compromise: a single valid certificate can be sufficient. An attacker may therefore target the least protected charging station or attempt to fraudulently obtain a certificate through a weak enrolment process or an inadequately secured backend. For the CPO, the challenge is not only to protect already deployed certificates, but to secure the entire lifecycle of charging station identities, from issuance to storage and renewal.
Key takeaways
To mitigate the risk of private key compromise, CPOs must ensure that charging stations provide secure storage capabilities for cryptographic material, for example by integrating a TPM (Trusted Platform Module).
Preventing impersonation during certificate issuance requires a different approach. CPOs must guarantee the authenticity of certificate requests processed by the V2G PKI.
This relies on authenticating the charging station when establishing the communication channel with the CPMS. In practice, the protocol used on this channel, OCPP, supports mutual certificate-based authentication (mTLS) from version 2.0.1 onwards. The charging station therefore presents a certificate to authenticate itself to the CPMS. Once the session is established, certificate enrolment requests (including ISO 15118 certificates) are authenticated, significantly reducing the risk of impersonation.
However, this architecture introduces a prerequisite: deploying a dedicated certificate used to authenticate the charging station on the CPO network. This certificate is distinct from the ISO 15118 certificate used for Plug & Charge, as it serves a different scope and purpose.
It is therefore necessary to implement a dedicated PKI, operated by the CPO, which can be referred to as a “Product PKI.” This PKI issues the certificates used to secure OCPP communications. The certificate management challenges described earlier also apply to this PKI. CPOs must therefore establish the organizational and technical capabilities required to operate such an infrastructure, including certificate lifecycle management, incident handling, and upskilling of teams.
We thus arrive at a target architecture in which each charging station embeds multiple certificates issued by distinct PKIs, each serving a specific role in authentication across critical communication channels involved in the charging session (Figure 7).
Figure 7: target architecture for Plug & Charge deployment
Risk summary
The introduction of Plug & Charge and the ISO 15118 standard is progressively transforming charging infrastructures into a true digital trust chain, where service availability now depends as much on cybersecurity as on the electrical operation of the stations.
The scenarios analyzed show that the main risks no longer relate solely to technical compromise of isolated components, but have broader impacts on:
- Service continuity,
- Charging fraud,
- User trust,
- And, ultimately, the operator’s reputation.
The table below summarizes the identified risks using an approach inspired by EBIOS Risk Manager, based on an assessment of:
- The likelihood of each scenario (scale from 1 to 4),
- Its severity for the operator (scale from 1 to 4), with the highest impact being a nationwide loss of trust in the charging infrastructure, for instance, in a scenario where a significant portion of charging stations would no longer allow charging,
- And the resulting overall risk level.
| Ref. | Risk scenarios | Likelihood | Severity | Risk |
| --- | --- | --- | --- | --- |
| R1 | Reputational/financial impact caused by loss of charging station availability following a compromise of the V2G PKI | 2 | 4 | Medium |
| R2 | Reputational/financial impact caused by loss of charging station availability following large-scale exploitation of a vulnerability in ISO 15118 communication | 2 | 3 | Medium |
| R3 | Reputational/financial impact related to fraud resulting from certificate theft | 2 | 2 | Low |
Table 1: Summary of risks related to Plug & Charge on charging infrastructure
This analysis, however, should be nuanced: the scenarios presented deliberately take a cautious, even pessimistic, view of likelihood. In practice, such attacks remain difficult to carry out. They often require advanced technical skills, specific physical or logical access, a deep understanding of ISO 15118, and the capability to exploit or manipulate complex trust mechanisms.
As such, these risks should be seen as plausible scenarios to anticipate, rather than threats that are currently trivial or widely observed in real-world operations. Their “medium” to “low” risk level reflects this balance: a still-limited probability, but potentially significant impacts if such attacks were to scale.
Conclusion
Plug & Charge simplifies the charging experience but introduces a strong dependency on a digital trust chain built on ISO 15118, the V2G PKI, and charging station certificates. This dependency creates new risks for charging infrastructures, potentially leading to service disruptions and, ultimately, a loss of trust from users toward the CPO.
While these attack scenarios remain difficult to execute, their potential impact justifies addressing them early, starting from the design phase. For CPOs, the challenge is therefore no longer limited to securing charging stations but extends to securing the entire identity and trust chain that underpins the charging process.
