{"id":30152,"date":"2026-06-17T16:26:09","date_gmt":"2026-06-17T15:26:09","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=30152"},"modified":"2026-06-17T16:28:36","modified_gmt":"2026-06-17T15:28:36","slug":"plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/","title":{"rendered":"Plug &amp; Charge and ISO 15118:\u00a0what\u00a0are the\u00a0new\u00a0cyber risks for charging stations?\u00a0"},"content":{"rendered":"\n<p><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0}\">\u00a0<\/span><span style=\"font-size: revert; color: initial;\" data-contrast=\"auto\">As highlighted in our\u00a0previous\u00a0article,\u00a0<\/span><a style=\"font-size: revert;\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/04\/electric-mobility-charging-infrastructure-evolution-between-energy-optimization-and-emerging-cybersecurity-challenges\/\"><i><span data-contrast=\"none\">Electric vehicle charging infrastructures: Energy performance and new cybersecurity challenges<\/span><\/i><\/a><span style=\"font-size: revert; color: initial;\" data-contrast=\"auto\">, charge point operators (CPOs)\u00a0operate\u00a0within a demanding business model, where profitability depends\u00a0on their ability to drive recurring usage of their networks. 
In this context,\u00a0<\/span><b style=\"font-size: revert; color: initial;\"><span data-contrast=\"auto\">user experience becomes a key lever<\/span><\/b><span style=\"font-size: revert; color: initial;\" data-contrast=\"auto\">: the smoother the charging journey, the fewer failures and friction\u00a0points\u00a0it involves,\u00a0ultimately helping\u00a0build customer loyalty.<\/span><span style=\"font-size: revert; color: initial;\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Plug &amp; Charge<\/span><\/b><span data-contrast=\"auto\">\u00a0is being promoted precisely to address this challenge. Enabled by the\u00a0<\/span><b><span data-contrast=\"auto\">ISO 15118 standard<\/span><\/b><span data-contrast=\"auto\">, this mechanism allows the charging station to automatically authenticate the user and initiate charging without the need for a badge or mobile application. Originally designed to standardize communication between the vehicle, the charging station and the grid, ISO 15118 paves the way for a more seamless charging experience\u2014often summed up by the promise: \u201cplug in and it charges.\u201d<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">However, this\u00a0apparent\u00a0simplification on the user side\u00a0actually relies\u00a0on a\u00a0<\/span><b><span data-contrast=\"auto\">significant increase in complexity across the underlying trust chain\u00a0<\/span><\/b><span data-contrast=\"auto\">and technical mechanisms: digital certificates, Public Key Infrastructure (PKI), ISO 15118 communications, new authentication flows, and dependencies on trusted third parties. 
In other words, behind a frictionless charging experience,\u00a0Plug &amp; Charge introduces new points of failure and expands the attack surface that operators\u00a0must now address as critical cybersecurity concerns.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In this article, we take a closer look\u00a0at<\/span><b><span data-contrast=\"auto\">\u00a0three risks directly associated with the deployment of Plug &amp; Charge and ISO 15118<\/span><\/b><span data-contrast=\"auto\">:<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">availability loss<\/span><\/b><span data-contrast=\"auto\">\u00a0resulting from a compromise of the\u00a0<\/span><b><span data-contrast=\"auto\">V2G (Vehicle-to-Grid) PKI;<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">availability loss<\/span><\/b><span data-contrast=\"auto\">\u00a0caused by the exploitation of\u00a0<\/span><b><span data-contrast=\"auto\">vulnerabilities on the ISO 15118 interface<\/span><\/b><span data-contrast=\"auto\">;<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">the\u00a0theft of charging station certificates and its implications\u00a0in terms of\u00a0<\/span><b><span data-contrast=\"auto\">fraud<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<h1><span data-contrast=\"none\">Risk 1: availability loss resulting from a compromise of the V2G PKI<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p><span data-contrast=\"auto\">To understand this risk, it is first important to recall that Plug 
&amp; Charge relies on a digital trust chain that enables the vehicle and the charging station to automatically authenticate each other using certificates and then\u00a0initiate\u00a0charging without any manual action from the user.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As illustrated in Figure 1, a Plug &amp; Charge session follows a multi-step sequence:<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ol style=\"list-style-type: upper-roman;\">\n<li><span data-contrast=\"auto\">Establishment of the ISO 15118 communication channel between the vehicle and the\u00a0charging station, along with mutual authentication,\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Verification of the mobility contract followed by authorization,<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Start of charging session.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">If any of these steps fails due to a breakdown in digital trust, the charging session cannot be\u00a0initiated.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:2,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0}\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30114 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borne_EV_en1.png\" alt=\"\" width=\"2012\" height=\"1056\" 
srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borne_EV_en1.png 2012w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borne_EV_en1-364x191.png 364w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borne_EV_en1-71x37.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borne_EV_en1-768x403.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borne_EV_en1-1536x806.png 1536w\" sizes=\"auto, (max-width: 2012px) 100vw, 2012px\" \/><\/span><i><span data-contrast=\"auto\">Figure 1: Steps of a Plug &amp; Charge session<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This mechanism relies on a shared PKI across the ecosystem, known as the\u00a0<\/span><b><span data-contrast=\"auto\">V2G PKI<\/span><\/b><span data-contrast=\"auto\">, whose role is to ensure interoperability between vehicles, charging stations, and operators. 
This architecture is built on root and intermediate certificate authorities that issue and\u00a0validate\u00a0the certificates used throughout the charging session (Figure 2).<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30116 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en2.png\" alt=\"\" width=\"1698\" height=\"1100\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en2.png 1698w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en2-295x191.png 295w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en2-60x39.png 60w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en2-768x498.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en2-1536x995.png 1536w\" sizes=\"auto, (max-width: 1698px) 100vw, 1698px\" \/><\/span><i><span data-contrast=\"auto\">Figure\u00a02:\u00a0V2G PKI architecture<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In Europe, this ecosystem currently relies on a limited number of key trusted players\u2014such as <\/span><b><span data-contrast=\"auto\">Hubject<\/span><\/b><span data-contrast=\"auto\">,\u00a0<\/span><b><span data-contrast=\"auto\">Gireve<\/span><\/b><span data-contrast=\"auto\">, and\u00a0<\/span><b><span data-contrast=\"auto\">Irdeto<\/span><\/b><span data-contrast=\"auto\">\u2014which combine the role of root certification authority\u00a0(V2G Root CA) with Plug &amp; Charge certificate management and interoperability services.<\/span><span 
data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Within this architecture, the CPO holds a pivotal position: charging stations must be integrated into this trust chain and, depending on the chosen model, the operator may run certain PKI components in-house (<\/span><i><span data-contrast=\"auto\">make<\/span><\/i><span data-contrast=\"auto\">) or rely on a specialized provider (<\/span><i><span data-contrast=\"auto\">buy<\/span><\/i><span data-contrast=\"auto\">). In both cases, the CPO becomes dependent on a trust infrastructure whose compromise, misconfiguration, or unavailability can have a\u00a0<\/span><b><span data-contrast=\"auto\">direct impact on service availability<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The risk, therefore, lies in a\u00a0<\/span><b><span data-contrast=\"auto\">loss of service availability<\/span><\/b><span data-contrast=\"auto\"> caused by an incident affecting the V2G PKI. Several scenarios are plausible: compromise of a root or intermediate authority, expired certificates that were not renewed, corruption of a trust store, or unavailability of a component involved in the certificate lifecycle. 
In all these situations, the operational outcome is the same: the charging station or the vehicle can no longer establish a valid trust relationship, and the Plug &amp; Charge session fails before charging even starts.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Key\u00a0takeaways<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">With Plug &amp; Charge, the PKI no longer only secures communications;\u00a0it becomes a\u00a0<\/span><b><span data-contrast=\"auto\">critical production component<\/span><\/b><span data-contrast=\"auto\">. An incident affecting the trust infrastructure is therefore not just a security or compliance issue, but a potential source of partial or large-scale service disruption.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The choice between\u00a0<\/span><i><span data-contrast=\"auto\">make<\/span><\/i><span data-contrast=\"auto\">\u00a0and\u00a0<\/span><i><span data-contrast=\"auto\">buy<\/span><\/i><span data-contrast=\"auto\">\u00a0does not\u00a0eliminate\u00a0this risk; it shifts where control lies. A\u00a0<\/span><i><span data-contrast=\"auto\">make<\/span><\/i><span data-contrast=\"auto\">\u00a0strategy provides greater control to the CPO, but requires mature PKI governance, robust operational capabilities, and strict discipline over certificate lifecycle management. 
A\u00a0<\/span><i><span data-contrast=\"auto\">buy<\/span><\/i><span data-contrast=\"auto\"> strategy accelerates deployment but increases dependence on a third party for what has become a critical function, implying stronger requirements in terms of contractual oversight, auditability, and monitoring.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">From a cybersecurity standpoint, the implication is clear: the\u00a0<\/span><b><span data-contrast=\"auto\">V2G PKI must be treated as a critical operational asset within the charging\u00a0stations\u2019\u00a0information system<\/span><\/b><span data-contrast=\"auto\">. This entails explicit governance of trust roles, continuous monitoring of certificate lifecycles, regular resilience and continuity testing, and the definition of degraded operating modes to prevent a PKI incident from escalating into large-scale service disruption.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h1><span data-contrast=\"none\">Risk 2: loss of charging infrastructure availability through the exploitation of vulnerabilities in ISO 15118 communication<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p><span data-contrast=\"auto\">This risk stems directly from the increasing complexity of the communication channel. 
Where charging historically relied on relatively simple interactions\u2014primarily based on electrical signaling and a limited set of basic messages\u2014ISO 15118 introduces a high-level dialogue built on a much richer protocol stack (Figure 3).<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-30118 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3.png\" alt=\"\" width=\"1664\" height=\"1016\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3.png 1664w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-313x191.png 313w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-64x39.png 64w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-768x469.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-1536x938.png 1536w\" sizes=\"auto, (max-width: 1664px) 100vw, 1664px\" \/><br \/><i><span data-contrast=\"auto\">Figure\u00a03:\u00a0OSI model applied to ISO 15118<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This shift from a minimalist protocol\u00a0to a full-fledged application layer\u2014including device discovery, IPv6 address allocation, authentication, certificate management, and cryptographic operations\u2014mechanically expands the attack surface. This is particularly true because the communication interface via the charging connector is inherently accessible, with no physical barriers. 
Any vulnerability in these exchanges (e.g., manipulation of application messages, injection into PLC traffic, improper certificate validation)\u00a0<\/span><b><span data-contrast=\"auto\">could disrupt the charging session\u2014or, in a worst-case scenario, lead to a full compromise of the charging <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-9038\">station<\/a><\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Exploiting such vulnerabilities, however,\u00a0<\/span><b><span data-contrast=\"auto\">requires physical access to the charging point<\/span><\/b><span data-contrast=\"auto\">: the attacker must be able to interact with the communication channel between the vehicle and the station. In practice, this involves specialized equipment to connect to the PLC network, such as a HomePlug Green PHY compatible interface and a physical adapter for the charging connector. While this constraint makes the exploit harder, it does not eliminate the risk. 
Several research efforts have demonstrated the feasibility of lab setups capable of observing, relaying, or disrupting ISO 15118 communications directly at the cable or <a href=\"https:\/\/www.sstic.org\/media\/SSTIC2019\/SSTIC-actes\/v2g_injector_playing_with_electric_cars_and_chargi\/SSTIC2019-Article-v2g_injector_playing_with_electric_cars_and_charging_stations_via_powerline-dudek.pdf\">connector level<\/a>.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"auto\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-30118 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3.png\" alt=\"\" width=\"1664\" height=\"1016\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3.png 1664w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-313x191.png 313w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-64x39.png 64w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-768x469.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en3-1536x938.png 1536w\" sizes=\"auto, (max-width: 1664px) 100vw, 1664px\" \/><\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0}\">\u00a0<\/span><i><span data-contrast=\"auto\">Figure 4: Equipment required to exploit a vulnerability on the ISO 15118 interface<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Key takeaways<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">To mitigate these risks, CPOs\u00a0<\/span><b><span data-contrast=\"auto\">must ensure the 
security level of their vendors\u2019 products<\/span><\/b><span data-contrast=\"auto\">,\u00a0for example through audits,\u00a0and assess their cybersecurity maturity, particularly\u00a0regarding processes for\u00a0maintaining security over time.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">They must also\u00a0<\/span><b><span data-contrast=\"auto\">implement vulnerability management processes<\/span><\/b><span data-contrast=\"auto\"> across their asset base, including <\/span><b><span data-contrast=\"auto\">maintaining\u00a0inventories<\/span><\/b><span data-contrast=\"auto\">\u00a0such as\u00a0<\/span><b><span data-contrast=\"auto\">SBOMs<\/span><\/b><span data-contrast=\"auto\">\u00a0and\u00a0<\/span><b><span data-contrast=\"auto\">HBOMs<\/span><\/b><span data-contrast=\"auto\">\u00a0(Software and Hardware Bills of Materials), as well as robust\u00a0<\/span><b><span data-contrast=\"auto\">patch management practices<\/span><\/b><span data-contrast=\"auto\">. This enables operators to\u00a0identify\u00a0vulnerable assets and respond effectively when attackers\u00a0attempt\u00a0to exploit vulnerabilities on this new communication channel.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h1><span data-contrast=\"none\">Risk 3: theft of charging station certificates<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p><span data-contrast=\"auto\">The theft of a charging station certificate is not only a cryptographic incident: in an ecosystem built on digital trust, it amounts to a compromise of machine identity. 
For a CPO, such an incident directly\u00a0impacts\u00a0the integrity of exchanges and may open the door to\u00a0<\/span><b><span data-contrast=\"auto\">charging fraud<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Two attack scenarios must be distinguished here:<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Extraction of the private key<\/span><\/b><span data-contrast=\"auto\">\u00a0associated with the certificate, following a software compromise or a physical attack on an insufficiently protected\u00a0component,<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Impersonation of a charging station<\/span><\/b><span data-contrast=\"auto\">\u00a0when obtaining a certificate, for example through an insufficiently authenticated enrolment process between the station and the CPMS (Charge Point Management System).<\/span> \u00a0<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30122 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en5.png\" alt=\"\" width=\"1991\" height=\"1010\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en5.png 1991w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en5-377x191.png 377w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en5-71x36.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en5-768x390.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en5-1536x779.png 1536w\" sizes=\"auto, (max-width: 1991px) 100vw, 1991px\" \/><\/p>\n<p style=\"text-align: 
center;\"><i><span data-contrast=\"auto\">Figure 5: attack paths to obtain a charging station V2G certificate<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Once in possession of a valid certificate, an\u00a0attacker can impersonate a legitimate charging station and abuse the ecosystem\u2019s trust for malicious purposes. In a Plug &amp; Charge context, this could allow an attacker to make a vehicle believe it is establishing a normal session, and then relay the proof of possession of the victim\u2019s contract certificate into\u00a0another session\u2014effectively charging a different vehicle at the victim\u2019s expense. This\u00a0<\/span><b><span data-contrast=\"auto\">relay attack<\/span><\/b><span data-contrast=\"auto\">\u00a0scenario has been\u00a0demonstrated\u00a0in <a href=\"https:\/\/arxiv.org\/abs\/2512.15966\">academic literature<\/a> and illustrates how a\u00a0single compromised charging station certificate can enable tangible, operational fraud.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0}\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30124 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6.png\" alt=\"\" width=\"2078\" height=\"975\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6.png 2078w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6-407x191.png 407w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6-71x33.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6-768x360.png 768w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6-1536x721.png 1536w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en6-2048x961.png 2048w\" sizes=\"auto, (max-width: 2078px) 100vw, 2078px\" \/><\/span><i><span data-contrast=\"auto\">Figure 6: exploitation of fraud through relay of the EV\u2019s proof of possession<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This\u00a0type of attack is\u00a0facilitated\u00a0in implementations based on\u00a0<\/span><b><span data-contrast=\"auto\">ISO 15118-2<\/span><\/b><span data-contrast=\"auto\">, where Plug &amp; Charge security relies on a more limited model, particularly in terms of end-to-end authentication and certificate handling. By contrast,\u00a0<\/span><b><span data-contrast=\"auto\">ISO 15118-20<\/span><\/b><span data-contrast=\"auto\">\u00a0strengthens communication security\u2014especially through the widespread use of\u00a0TLS and a move toward mutual authentication\u2014making such fraud more difficult to carry out, although not\u00a0eliminating\u00a0it if machine identities are not properly protected.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This risk is\u00a0all the more\u00a0realistic because\u00a0<\/span><b><span data-contrast=\"auto\">it does not\u00a0require a large-scale\u00a0compromise<\/span><\/b><span data-contrast=\"auto\">: a single valid certificate can be sufficient. An attacker may therefore target the least protected charging\u00a0station or\u00a0attempt\u00a0to fraudulently obtain a certificate through a weak\u00a0enrolment\u00a0process or an inadequately secured backend. 
For the CPO, the challenge is not only to protect already deployed certificates, but\u00a0to secure the entire lifecycle of charging station identities\u00a0from issuance to storage and renewal.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Key takeaways<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">To mitigate the risk of private key compromise, CPOs must ensure that charging stations\u00a0provide\u00a0<\/span><b><span data-contrast=\"auto\">secure storage capabilities for cryptographic material<\/span><\/b><span data-contrast=\"auto\">, for example by integrating a TPM (Trusted Platform Module).<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Preventing impersonation during certificate issuance requires a different approach. CPOs must guarantee the authenticity of certificate requests\u00a0processed by the V2G PKI.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This relies on\u00a0<\/span><b><span data-contrast=\"auto\">authenticating the charging station when\u00a0establishing\u00a0the communication channel with the CPMS<\/span><\/b><span data-contrast=\"auto\">. In practice, the protocol used on this channel,\u00a0OCPP,\u00a0supports mutual certificate-based authentication\u00a0(mTLS) from version 2.0.1 onwards. The charging station therefore presents a certificate to authenticate itself to the CPMS. 
Once the session is established, certificate\u00a0enrolment\u00a0requests (including ISO 15118 certificates) are authenticated, significantly reducing the risk of impersonation.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">However, this architecture introduces a prerequisite:\u00a0<\/span><b><span data-contrast=\"auto\">deploying a dedicated certificate used to authenticate the charging station on the CPO network<\/span><\/b><span data-contrast=\"auto\">. This certificate is distinct from the ISO 15118 certificate used for Plug &amp; Charge, as it serves a different scope and purpose.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It is therefore necessary to implement\u00a0<\/span><b><span data-contrast=\"auto\">a dedicated PKI<\/span><\/b><span data-contrast=\"auto\">, operated by the CPO, which can be referred to as a \u201cProduct PKI.\u201d This PKI issues the\u00a0certificates used to secure OCPP\u00a0communications.\u00a0The certificate management challenges described earlier also apply to this PKI. 
CPOs must therefore establish the organizational and technical capabilities required to operate such an infrastructure, including certificate lifecycle management, incident handling, and upskilling of teams.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We thus arrive at a target architecture in which each charging station embeds multiple certificates issued by distinct PKIs, each serving a specific role in authentication across critical communication channels involved in the charging session (Figure\u00a07).<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: center;\"><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:0}\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-30126 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en7.png\" alt=\"\" width=\"1982\" height=\"738\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en7.png 1982w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en7-437x163.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en7-71x26.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en7-768x286.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/borneEV_en7-1536x572.png 1536w\" sizes=\"auto, (max-width: 1982px) 100vw, 1982px\" \/>\u00a0<\/span><i><span data-contrast=\"none\">Figure\u00a07: target architecture for Plug &amp; Charge deployment<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Risk summary<\/span><span 
data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:851}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The\u00a0introduction of Plug &amp; Charge and the ISO 15118 standard is progressively transforming charging infrastructures into a true digital trust chain, where\u00a0service availability now depends as much on cybersecurity as on the electrical operation of the stations.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The scenarios\u00a0analyzed\u00a0show that\u00a0<\/span><b><span data-contrast=\"auto\">the main risks no longer relate solely<\/span><\/b><span data-contrast=\"auto\">\u00a0<\/span><b><span data-contrast=\"auto\">to\u00a0technical compromise of isolated components, but\u00a0have\u00a0broader impacts<\/span><\/b><span data-contrast=\"auto\">\u00a0on:<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Service continuity,<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Charging fraud,<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">User trust,<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">And, ultimately, the\u00a0operator\u2019s reputation.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">The table below summarizes the identified risks using an approach inspired by EBIOS Risk Manager, based on an assessment of:<\/span><span 
data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">The likelihood of each scenario (scale from 1 to 4),<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Its severity for the operator (scale from 1 to 4), with the highest impact being a nationwide loss of trust in the charging infrastructure,\u00a0for instance,\u00a0in a scenario where\u00a0a significant portion of charging stations would no longer allow charging,<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">And the resulting overall risk level.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<table style=\"width: 100%;\" data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1536\" aria-rowcount=\"4\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td style=\"width: 6.90477%;\" data-celllook=\"69905\">\n<p style=\"text-align: center;\"><b><span data-contrast=\"none\">Ref.<\/span><\/b><b><span data-contrast=\"none\">\u200b<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 51.6667%;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"none\">Risk scenarios<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 14.5238%; text-align: center;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"none\">Likelihood<\/span><\/b><b><span data-contrast=\"none\">\u200b<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 12.381%; 
text-align: center;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"none\">Severity<\/span><\/b><b><span data-contrast=\"none\">\u200b<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 13.0952%; text-align: center;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"none\">Risk<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td style=\"text-align: center; width: 6.90477%;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"auto\">R1<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 51.6667%;\" data-celllook=\"69905\">\n<p><span data-contrast=\"auto\">Reputational\/financial impact\u00a0caused by loss of charging station availability following a compromise of the V2G PKI<\/span><\/p>\n<\/td>\n<td style=\"text-align: center; width: 14.5238%;\" data-celllook=\"69905\">\n<p>2\u200b\u00a0<\/p>\n<\/td>\n<td style=\"text-align: center; width: 12.381%;\" data-celllook=\"69905\">\n<p>4\u00a0<\/p>\n<\/td>\n<td style=\"text-align: center; width: 13.0952%;\" data-celllook=\"69905\">\n<p>Medium\u00a0<\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td style=\"text-align: center; width: 6.90477%;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"auto\">R2<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 51.6667%;\" data-celllook=\"69905\">\n<p><span data-contrast=\"auto\">Reputational\/financial impact\u00a0caused by loss of charging station availability following large-scale exploitation of a vulnerability in ISO 15118 communication<\/span><\/p>\n<\/td>\n<td style=\"text-align: center; width: 14.5238%;\" 
data-celllook=\"69905\">\n<p>2\u00a0<\/p>\n<\/td>\n<td style=\"text-align: center; width: 12.381%;\" data-celllook=\"69905\">\n<p>3\u00a0<\/p>\n<\/td>\n<td style=\"text-align: center; width: 13.0952%;\" data-celllook=\"69905\">\n<p>Medium\u00a0<\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td style=\"text-align: center; width: 6.90477%;\" data-celllook=\"69905\">\n<p><b><span data-contrast=\"auto\">R3<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:0}\">\u00a0<\/span><\/p>\n<\/td>\n<td style=\"width: 51.6667%;\" data-celllook=\"69905\">\n<p><span data-contrast=\"auto\">Reputational\/financial impact\u00a0related to fraud resulting from certificate theft<\/span><\/p>\n<\/td>\n<td style=\"text-align: center; width: 14.5238%;\" data-celllook=\"69905\">\n<p>2\u00a0<\/p>\n<\/td>\n<td style=\"text-align: center; width: 12.381%;\" data-celllook=\"69905\">\n<p>2\u00a0<\/p>\n<\/td>\n<td style=\"text-align: center; width: 13.0952%;\" data-celllook=\"69905\">\n<p>Low<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Table 1: Summary of risks related to Plug &amp; Charge on charging infrastructure<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This analysis, however, should be nuanced:\u00a0<\/span><b><span data-contrast=\"auto\">the scenarios presented deliberately take a cautious,\u00a0even pessimistic,\u00a0view of likelihood<\/span><\/b><span data-contrast=\"auto\">. In practice, such attacks\u00a0remain difficult to carry out. 
They\u00a0often require advanced technical skills, specific physical or logical access, a deep understanding of ISO 15118, and the capability to exploit or manipulate complex trust mechanisms.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">As such, these\u00a0<\/span><b><span data-contrast=\"auto\">risks should be seen as plausible scenarios to\u00a0anticipate<\/span><\/b><span data-contrast=\"auto\">, rather than threats that are currently trivial or widely\u00a0observed\u00a0in real-world operations. Their \u201cmedium\u201d to \u201clow\u201d risk level reflects this balance: a still-limited probability, but potentially significant impacts if such attacks were to scale.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h1><span data-contrast=\"none\">Conclusion<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p><b><span data-contrast=\"auto\">Plug &amp; Charge simplifies the charging experience but introduces a strong dependency on a digital trust chain built on ISO 15118, the V2G PKI, and charging station certificates.\u00a0This dependency creates new risks for charging infrastructures, potentially leading to service disruptions and, ultimately, a\u00a0loss of user trust in the CPO.<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">While these attack scenarios\u00a0remain\u00a0difficult to execute, their potential impact justifies addressing them early, starting from the design phase.\u00a0For CPOs, the challenge is therefore no longer limited to securing charging stations but extends to securing the entire identity and trust chain that underpins the charging process.<\/span><\/b><span 
data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0As highlighted in our\u00a0previous\u00a0article,\u00a0Electric vehicle charging infrastructures: Energy performance and new cybersecurity challenges, charge point operators (CPOs)\u00a0operate\u00a0within a demanding business model, where profitability depends\u00a0on their ability to drive recurring usage of their networks. In this context,\u00a0user experience becomes a key&#8230;<\/p>\n","protected":false},"author":1499,"featured_media":30112,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2777,3922,3275,3274],"tags":[5083,5084,2772,5082,5081,5080],"coauthors":[4499,5042,5043,5041],"class_list":["post-30152","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-digital-trust","category-deep-dive-en","category-iot-consumer-goods-en","category-manufacturing-industry-4-0-en","tag-chargingstations","tag-connectedvehicles","tag-cybersecurity","tag-electricvehicles","tag-iso15118","tag-plugandcharge"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Plug &amp; Charge and ISO 15118:\u00a0what\u00a0are the\u00a0new\u00a0cyber risks for charging stations?\u00a0 - RiskInsight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Plug &amp; Charge and ISO 15118:\u00a0what\u00a0are 
the\u00a0new\u00a0cyber risks for charging stations?\u00a0 - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"\u00a0As highlighted in our\u00a0previous\u00a0article,\u00a0Electric vehicle charging infrastructures: Energy performance and new cybersecurity challenges, charge point operators (CPOs)\u00a0operate\u00a0within a demanding business model, where profitability depends\u00a0on their ability to drive recurring usage of their networks. In this context,\u00a0user experience becomes a key...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-17T15:26:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-17T15:28:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/pexels-maik-poblocki-2170626-10800215-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Nicolas PONTOIS, Enzo KALALA, Antonin GIANELLA, Ludovic DEGRE\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nicolas PONTOIS, Enzo KALALA, Antonin GIANELLA, Ludovic DEGRE\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\"},\"author\":{\"name\":\"Madeline Salles\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ff9185abd0574dc00c0e378146212b8\"},\"headline\":\"Plug &amp; Charge and ISO 15118:\u00a0what\u00a0are the\u00a0new\u00a0cyber risks for charging stations?\u00a0\",\"datePublished\":\"2026-06-17T15:26:09+00:00\",\"dateModified\":\"2026-06-17T15:28:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\"},\"wordCount\":2239,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/pexels-maik-poblocki-2170626-10800215-scaled.jpg\",\"keywords\":[\"ChargingStations\",\"ConnectedVehicles\",\"cybersecurity\",\"ElectricVehicles\",\"ISO15118\",\"PlugAndCharge\"],\"articleSection\":[\"Cybersecurity &amp; Digital Trust\",\"Deep-dive\",\"IoT &amp; Consumer goods\",\"Manufacturing &amp; Industry 
4.0\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\",\"name\":\"Plug &amp; Charge and ISO 15118:\u00a0what\u00a0are the\u00a0new\u00a0cyber risks for charging stations?\u00a0 - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/pexels-maik-poblocki-2170626-10800215-scaled.jpg\",\"datePublished\":\"2026-06-17T15:26:09+00:00\",\"dateModified\":\"2026-06-17T15:28:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#primaryimage\
",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/pexels-maik-poblocki-2170626-10800215-scaled.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/06\/pexels-maik-poblocki-2170626-10800215-scaled.jpg\",\"width\":2560,\"height\":1440},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/06\/plug-charge-and-iso-15118-what-are-the-new-cyber-risks-for-charging-stations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Plug &amp; Charge and ISO 15118:\u00a0what\u00a0are the\u00a0new\u00a0cyber risks for charging stations?\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s 
consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ff9185abd0574dc00c0e378146212b8\",\"name\":\"Madeline Salles\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/madeline-salles\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/30152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1499"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=30152"}],"version-history":[{"count":13,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/30152\/revisions"}],"predecessor-version":[{"id":30172,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/30152\/revisions\/30172"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/30112"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=30152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=30152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=30152"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=30152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}