Cybersecurity has become a critical concern in the automotive industry, particularly with the rapid advancement of electric vehicles (EVs) and Internet of Things (IoT) technologies. As EVs become increasingly connected and reliant on software, they present both exciting opportunities and significant security risks.
Cybersecurity Risks in EVs
Electric vehicles and IoT devices face numerous cybersecurity threats due to their interconnected nature and reliance on software.1 One particular concern lies in the proliferation of vehicle-to-everything (V2X) communication systems. These enable vehicles to share real-time data with infrastructure, pedestrians, and other vehicles. While offering immense safety benefits, V2X also exposes EVs to unprecedented levels of external data flow and potential manipulation. Some key risks include:
- Remote hacking: Malicious actors could potentially take control of EVs while in motion, posing serious safety concerns.2
- Data theft: Connected vehicles collect vast amounts of data, including location information, driving habits, and vehicle performance metrics.
- Supply chain vulnerabilities: With complex global supply chains, weaknesses in third-party components could lead to security breaches.3
- Software updates: As vehicles rely heavily on software updates, vulnerabilities in these updates could compromise vehicle security.
- Privacy concerns: The collection and transmission of personal data raises ethical and regulatory questions.

Figure 1: Cybersecurity risks in EVs
Major Security Incidents & Vulnerabilities
Recent incidents highlight the escalating cybersecurity threats in the EV ecosystem:
2024 High-Impact Incidents:
- November 2024: A data breach compromised 116,000 records from multiple global Charge Point Operators (CPOs), affecting charging networks across UAE, Australia, Mexico, Puerto Rico, Guyana, Saudi Arabia, Oman, and India. This incident raised significant concerns about the impact of charging station cyberattacks on the EV boom.4
- February 2024: The UK suspended sales of Spanish EV chargers due to cybersecurity concerns, raising alarms about potential threats to national energy security.5
- April 2024: Researchers discovered six zero-day vulnerabilities in the Open Charge Point Protocol (OCPP), exposing weaknesses in backend communications across multiple EV charging management systems.6
Critical Technical Vulnerabilities:
- Researchers discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system.7
- In July 2021, 13 Electric Vehicle Supply Equipment (EVSE) vulnerabilities affecting an EV charging controller firmware manufactured by a major EVSE vendor were discovered, including three critical vulnerabilities, eight high-severity, and two medium-severity.8
- Two vulnerabilities discovered by SaiFlow could lead to remote code execution and potential data theft, exploiting weak authentication routines among various software modules in charging stations.9
Key Attack Vectors
Understanding common attack vectors is crucial for developing robust cybersecurity defenses in EVs:
Charging Infrastructure Vulnerabilities10:
- Local vehicle software, including operating systems, Electronic Control Units (ECUs), and Software Bill of Materials (SBOMs), accounted for 40% of disclosed vulnerabilities.
- Attacks on telematic and application servers account for 43% of all attacks.
- Almost every charging product has major vulnerabilities, including well-known attack methods such as structured query language (SQL) injection and cross-site scripting.
Vehicle-Level Threats11:
- Between 60% and 70% of cars stolen in the United Kingdom in the past 12 months were keyless.
- Man-in-the-Middle (MiTM) phishing attacks can unlock Tesla vehicles using spoofed Wi-Fi networks.
- Ransomware attacks surged by 90% in the previous year, with attackers using increasingly sophisticated methods to compromise critical systems, including those used in EV charging infrastructure.
Regulatory Differences between European Union (EU) and Asia
There are notable differences in cybersecurity regulations between the EU and Asian countries, particularly regarding EVs and IoT devices:
EU Approach:
The EU has taken a proactive and comprehensive approach to automotive and IoT cybersecurity. One of the cornerstone proposals is the Cyber Resilience Act (CRA),12 which aims to establish consistent cybersecurity requirements for all products with digital elements across the EU. It introduces:
- Mandatory cybersecurity-by-design and default principles.
- Obligations for manufacturers to address vulnerabilities and maintain secure software updates throughout a product’s lifecycle.
- A three-tiered cybersecurity assurance framework, categorising products based on risk levels.
Another key piece of legislation is the EU Cybersecurity Act,13 which provides a permanent mandate to European Union Agency for Cybersecurity (ENISA) and establishes a European cybersecurity certification framework. This framework enables evaluation and certification of ICT products, services, and processes across the EU.
In the automotive sector specifically, while the UN ECE R15514 and R15615 regulations have been adopted globally, the EU supplements them with internal frameworks such as Trusted Information Security Assessment eXchange (TISAX),16 widely used in the European automotive supply chain for assessing information security.
In addition, the Network and Information Systems Directive 2 (NIS2 Directive)17 expands cybersecurity requirements for essential and important entities, including energy infrastructure and digital service providers. This has implications for EV infrastructure such as charging networks, as it demands stricter risk management, incident reporting, and supply chain security.
Asian Approach:
Many Asian countries are still developing comprehensive EV cybersecurity regulations, resulting in a more fragmented landscape. For instance:
- China has issued some technical guidelines and cybersecurity recommendations but does not yet mandate the same level of lifecycle security compliance as the EU.
- Singapore has introduced the IoT Cyber Security Guide through its Info-communications Media Development Authority (IMDA), which outlines best practices for securing consumer IoT devices.18
- Japan and South Korea are gradually aligning with international standards but currently focus more on industry-led guidance rather than binding regulation.
- In terms of data protection, the EU’s General Data Protection Regulation (GDPR) remains one of the strictest frameworks worldwide.19 In contrast, while several Asian countries are progressing in this area—such as China’s Personal Information Protection Law (PIPL)—the enforcement and scope often vary significantly.20
Balancing Compliance and Innovation
EV manufacturers face significant challenges in developing and rolling out smart vehicles across different markets while complying with varying regulations. Key considerations include:
- Harmonisation efforts: Manufacturers are working towards developing vehicles that meet multiple regulatory standards to streamline production and reduce costs.
- Data localisation: Companies may need to store data locally in certain markets to comply with data protection laws, potentially limiting global insights.
- Transparency: Clear communication about data collection and usage practices is crucial for building trust with consumers across different regions.
- Risk assessment: Conducting thorough risk assessments for each market helps manufacturers identify potential vulnerabilities and develop targeted mitigation strategies.
Emerging Opportunities:
The evolving cybersecurity landscape also presents significant opportunities for innovation and collaboration:
- AI-Driven Security: Advanced threat detection using machine learning and AI for real-time monitoring can significantly enhance the security posture of EVs and charging infrastructure.
- Regulatory Development: The EU has proposed new cybersecurity safeguards for electric grid operators and IoT vendors in its NIS2 directive, indicating a global trend towards stronger regulatory frameworks.
- Industry Collaboration: There is a growing recognition of the need for comprehensive cybersecurity frameworks across the entire EV ecosystem, fostering collaboration between manufacturers, regulators, and cybersecurity experts.
Conclusion
Cybersecurity in next-generation EVs presents both challenges and opportunities. As the automotive industry continues to evolve, manufacturers must prioritise security throughout the vehicle development process, invest in digital security expertise, and implement robust cybersecurity measures. By addressing these challenges proactively, the automotive industry can harness the benefits of connected vehicles while maintaining the highest levels of safety and privacy for consumers.
References
- https://ecfr.eu/article/security-recall-the-risk-of-chinese-electric-vehicles-in-europe/
- https://www.coro.net/blog/what-new-eu-cybersecurity-rules-mean-for-carmakers
- https://www.csoonline.com/article/652299/automotive-supply-chain-vulnerable-to-attack-as-cybersecurity-regulation-looms.html
- https://www.redhotcyber.com/en/post/intelbroker-claims-tesla-charging-database-breach/
- https://c2a-sec.com/wallboxs-ev-charger-sales-stopped-amid-cybersecurity-regulations-and-threats-to-national-power-grid/
- https://link.springer.com/article/10.1007/s10207-025-01055-7
- https://www.forbes.com/sites/daveywinder/2024/01/27/tesla-hacked-as-electric-cars-targeted-in-1-million-hacking-spree/?sh=1b1534eb22e8
- https://portswigger.net/daily-swig/schneider-electric-fixes-critical-vulnerabilities-in-evlink-electric-vehicle-charging-stations
- https://urgentcomm.com/power/ev-charging-stations-still-riddled-with-cybersecurity-vulnerabilities
- https://sec-consult.com/blog/detail/cyber-threats-to-ev-charging-infrastructure-risks-and-protection-through-penetration-testing/
- https://coalfire.com/the-coalfire-blog/iot-security-vulnerabilities-electric-vehicles
- https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act
- https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security
- https://unece.org/transport/documents/2021/03/standards/un-regulation-no-156-software-update-and-software-update
- https://enx.com/en-US/TISAX/
- https://digital-strategy.ec.europa.eu/de/policies/nis2-directive
- https://www.imda.gov.sg/-/media/imda/files/regulation-licensing-and-consultations/ict-standards/telecommunication-standards/reference-spec/imda-iot-cyber-security-guide.pdf
- https://gdpr.eu/what-is-gdpr/
- http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm