A newly discovered cluster of high-severity vulnerabilities in Everon's Open Charge Point Protocol (OCPP) backends has exposed a significant portion of the global electric vehicle charging infrastructure to potential cyberattacks, raising alarms among operators, fleet managers, and national security officials. These flaws, which include a critical WebSocket authentication bypass, could allow malicious actors to remotely manipulate charging stations, disrupt critical infrastructure, and potentially cause physical damage or widespread service outages.
The Vulnerabilities: Technical Breakdown
According to security researchers, the vulnerabilities exist within the OCPP 1.6 and 2.0.1 implementations used by Everon's charging management platform. The most critical flaw (CVE-2024-XXXXX) involves improper WebSocket authentication that allows unauthorized access to the charging station management system. When a charging station establishes a WebSocket connection to the Everon backend, the authentication mechanism fails to properly validate session tokens, enabling attackers to impersonate legitimate charging points or backend systems.
Additional vulnerabilities include:
- Insecure Direct Object References (IDOR): Allows attackers to access and modify data belonging to other users or charging stations
- Insufficient Session Expiration: Session tokens remain valid for extended periods, increasing the window for credential theft
- Lack of Input Validation: Enables injection attacks through OCPP messages
- Weak Cryptographic Implementation: Inadequate protection of sensitive data in transit
These vulnerabilities affect both the central management system and individual charging stations that communicate using the vulnerable OCPP implementation. The impact is particularly concerning because OCPP serves as the standard communication protocol between charging stations and central management systems across multiple manufacturers.
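A sketch of the handshake checks whose absence the breakdown above describes, written as an added example and not Everon's code: the server verifies the token's integrity, bounds its lifetime, and binds it to the charge point identity in the connection URL. The token layout, the `SECRET` value, `MAX_TTL`, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions, not from the article: token layout, key handling and TTL are illustrative.
SECRET = b"constructed-demo-key"   # constructed value; load from a secret store in practice
MAX_TTL = 900                      # seconds; a short lifetime narrows the replay window
SUBPROTOCOLS = {"ocpp1.6", "ocpp2.0.1"}

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_token(cp_id, now, ttl=MAX_TTL):
    """Return '<cp_id>.<expiry>.<hex HMAC>', bound to one charge point identity."""
    body = f"{cp_id}.{now + ttl}"
    return f"{body}.{_mac(body)}"

def validate_handshake(path, subprotocol, token, now):
    """Accept or reject a WebSocket upgrade for a URL ending in /<cp_id>."""
    if subprotocol not in SUBPROTOCOLS:
        return False, "unsupported subprotocol"
    parts = token.rsplit(".", 2)
    if len(parts) != 3:
        return False, "malformed token"
    cp_id, expiry, mac = parts
    # Verify integrity first, in constant time, before trusting any field.
    if not hmac.compare_digest(mac.encode(), _mac(f"{cp_id}.{expiry}").encode()):
        return False, "bad signature"
    lifetime = int(expiry) - now
    if lifetime <= 0:
        return False, "expired"
    if lifetime > MAX_TTL:
        return False, "lifetime too long"
    # Bind the token to the identity in the URL so one station's token
    # cannot open a session as another station.
    url_cp_id = path.rstrip("/").rsplit("/", 1)[-1]
    if not hmac.compare_digest(cp_id.encode(), url_cp_id.encode()):
        return False, "identity mismatch"
    return True, "ok"
```

The identity binding is also what blocks the cross-station access described under IDOR: every later request on the connection can be authorized against the identity established here.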
Real-World Impact on EV Infrastructure
The practical implications of these vulnerabilities are substantial. Attackers exploiting these flaws could:
1. Disrupt Charging Operations
Malicious actors could remotely disable charging stations, create artificial queues by manipulating availability status, or alter pricing information to cause financial losses or customer dissatisfaction. In a coordinated attack, this could effectively cripple charging networks in specific regions.
2. Manipulate Energy Grid Interactions
Modern EV charging systems often participate in demand response programs and grid balancing activities. By compromising these systems, attackers could manipulate charging schedules to create sudden spikes or drops in electricity demand, potentially destabilizing local power grids.
3. Steal Sensitive Data
The vulnerabilities could allow access to user payment information, vehicle identification data, usage patterns, and location information. This represents both a privacy violation and a potential security risk if the data is used for targeted attacks or sold on dark web markets.
4. Cause Physical Damage
While most charging stations have physical safety mechanisms, sustained malicious commands could potentially lead to overheating, electrical faults, or other damage to both the charging equipment and connected vehicles.
The OCPP Security Challenge
The Open Charge Point Protocol, while essential for interoperability in the EV charging ecosystem, presents unique security challenges. OCPP was originally designed with functionality and interoperability as primary concerns, with security considerations evolving in later versions. The protocol's WebSocket implementation has been a particular area of concern, as it establishes persistent connections that must maintain security over extended periods.
Security researchers have noted that many OCPP implementations, not just Everon's, suffer from similar authentication and authorization weaknesses. The protocol's flexibility, which allows different implementations of security features, has led to inconsistent security postures across the industry. This creates a situation where vulnerabilities in one vendor's implementation can have cascading effects across mixed-vendor charging networks.
Industry Response and Mitigation Strategies
Following the disclosure, Everon has reportedly released security patches addressing the identified vulnerabilities. Charging station operators and network managers are advised to:
- Immediately Update Systems: Apply all available security patches from Everon and ensure charging station firmware is up to date
- Implement Network Segmentation: Isolate charging infrastructure networks from corporate IT networks to limit potential attack surfaces
- Enhance Monitoring: Deploy intrusion detection systems specifically configured to monitor OCPP traffic for anomalous patterns
- Review Authentication Mechanisms: Implement additional authentication layers and regularly rotate credentials
- Conduct Security Audits: Perform comprehensive security assessments of charging infrastructure, focusing on OCPP implementation specifics
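As an added example of the monitoring step above (not taken from the article or any vendor tooling), the following scans gateway logs for two anomalies: structurally invalid OCPP-J frames and one charge point identity appearing from two source addresses within a short window. The log line format, the sample entries, and the function names are constructed for illustration.

```python
import json

# Constructed sample log: "<epoch> <source_ip> <charge_point_id> <raw OCPP-J frame>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 CP-001 [2,"a1","BootNotification",{"chargePointVendor":"V","chargePointModel":"M"}]
1700000030 10.0.0.5 CP-001 [2,"a2","Heartbeat",{}]
1700000040 203.0.113.9 CP-001 [2,"b1","StatusNotification",{"connectorId":1,"errorCode":"NoError","status":"Unavailable"}]
1700000050 10.0.0.7 CP-002 [2,"c1","Heartbeat",{}
1700000060 10.0.0.7 CP-002 [2,"c2","NotAnAction",{}]
1700000070 10.0.0.7 CP-002 [9,"c3","Heartbeat",{}]
"""

# OCPP 1.6 charge-point-initiated actions (security-extension actions omitted).
CP_ACTIONS = {"Authorize", "BootNotification", "DataTransfer", "DiagnosticsStatusNotification",
              "FirmwareStatusNotification", "Heartbeat", "MeterValues", "StartTransaction",
              "StatusNotification", "StopTransaction"}
FRAME_LEN = {2: 4, 3: 3, 4: 5}  # CALL, CALLRESULT, CALLERROR element counts

def check_frame(raw):
    """Return a reason string if the frame is structurally invalid, else None."""
    try:
        frame = json.loads(raw)
    except json.JSONDecodeError:
        return "invalid JSON"
    if not isinstance(frame, list) or not frame or type(frame[0]) is not int \
            or frame[0] not in FRAME_LEN:
        return "unknown message type"
    if len(frame) != FRAME_LEN[frame[0]]:
        return "wrong element count"
    # OCPP-J limits the unique message id to 36 characters.
    if not isinstance(frame[1], str) or not 0 < len(frame[1]) <= 36:
        return "bad unique id"
    if frame[0] == 2 and not (isinstance(frame[2], str) and frame[2] in CP_ACTIONS):
        return "unknown action"
    return None

def scan(log, window=300):
    """Flag invalid frames and one identity used from two IPs within `window` seconds."""
    alerts, last_seen = [], {}
    for line in log.splitlines():
        ts, ip, cp_id, raw = line.split(" ", 3)
        ts = int(ts)
        prev = last_seen.get(cp_id)
        if prev and prev[0] != ip and ts - prev[1] <= window:
            alerts.append((ts, cp_id, f"identity seen from {prev[0]} and {ip}"))
        last_seen[cp_id] = (ip, ts)
        reason = check_frame(raw)
        if reason:
            alerts.append((ts, cp_id, reason))
    return alerts
```

Stations behind carrier NAT or with failover links can legitimately change address, so the two-address alert is a triage signal to correlate with the handshake logs, not proof of impersonation.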
Industry organizations, including the Open Charge Alliance (which maintains OCPP), have emphasized the need for improved security standards within the protocol specifications. The upcoming OCPP 2.1 version includes enhanced security features, but widespread adoption will take time.
Broader Implications for Critical Infrastructure Security
The Everon vulnerabilities highlight a growing concern in industrial and critical infrastructure cybersecurity: the convergence of operational technology (OT) and information technology (IT) systems. EV charging infrastructure sits at this intersection, combining physical electrical systems with networked software platforms.
This incident follows a pattern of increasing attacks against critical infrastructure, including energy systems. As noted in recent cybersecurity reports, nation-state actors and criminal groups are increasingly targeting energy infrastructure, recognizing its strategic importance and potential for widespread disruption.
The EV charging sector faces particular challenges due to its rapid expansion and the pressure to deploy infrastructure quickly. Security considerations have sometimes taken a backseat to functionality and deployment speed, creating vulnerabilities that attackers are now beginning to exploit.
Looking Forward: Securing the EV Revolution
As electric vehicle adoption accelerates globally, securing the supporting infrastructure becomes increasingly critical. The Everon vulnerabilities serve as a wake-up call for the entire industry, emphasizing that security must be built into charging systems from the ground up, not added as an afterthought.
Key areas for improvement include:
- Standardization of Security Practices: The industry needs more rigorous security standards specifically tailored for EV charging infrastructure, with mandatory security requirements rather than optional recommendations.
- Security by Design: Manufacturers must implement security considerations throughout the development lifecycle, including threat modeling, secure coding practices, and regular security testing.
- Improved Incident Response: The industry needs better mechanisms for coordinated vulnerability disclosure and rapid patch deployment across diverse hardware and software platforms.
- Regulatory Oversight: Governments and regulatory bodies may need to establish minimum security standards for critical charging infrastructure, particularly for publicly accessible stations and those supporting fleet operations.
The transition to electric transportation represents one of the most significant infrastructure transformations in modern history. Ensuring this transition proceeds securely requires addressing fundamental vulnerabilities in the systems that power it. The Everon OCPP flaws, while concerning, provide an opportunity for the industry to strengthen its security posture before more damaging attacks occur.
As security researcher Mark Rogers noted in a recent analysis, "EV charging infrastructure has become critical infrastructure almost overnight. We need to secure it with the same rigor we apply to power plants and electrical grids, because in many ways, that's exactly what it has become."