By Amit Bernstein, CISO, Driivz
The electric vehicle charging ecosystem represents one of the most dangerous blind spots in critical infrastructure security. As CISOs, you spend decades defending data centers and corporate networks, but now it is vital to deploy thousands of industrial control systems (ICS) onto public sidewalks, in parking garages, and at highway rest stops. Each charger is a network-connected ICS endpoint, and most are managed with security models inherited from consumer IoT, not critical infrastructure.
This is a catastrophe waiting to happen. The only question is whether one can adapt security models before attackers force the issue.
The Exposure Gap: Why Traditional Testing Fails
Point-in-time penetration tests and quarterly vulnerability scans weren’t designed for infrastructure that changes daily. In the typical EV charging network, you’re managing:
- Cloud-native management platforms with weekly code releases
- OCPP (Open Charge Point Protocol) message flows between thousands of edge devices
- Firmware updates pushed over-the-air to field hardware
- Third-party payment processors and energy management integrations
A quarterly scan creates a predictable 90-day window during which vulnerabilities can remain undetected. Sophisticated threat actors, particularly those targeting energy systems, operate on these exact timelines. They know when your tests occur, they wait for the scan to complete, then they probe the gaps.
Eliminating this exposure window is paramount, by replacing periodic testing with continuous, AI-driven red team operations. But this isn’t simple automation; it’s a fundamental rethinking of how security validation works at scale.
From Scripts to Autonomous Adversaries
Systems that need to be deployed need to function as a 24/7/365 red team, but describing it as “scripted scanners on steroids” misses the point. These are autonomous agents that:
- Think in attack graphs, not CVEs: They model the entire kill chain, chaining low-severity misconfigurations into critical attack paths (cloud API → charger → vehicle → grid)
- Understand protocol semantics: Standard scanners treat OCPP as just another JSON API. Our agents understand OCPP state machines, message sequencing, and the logic flaws that emerge from implementation drift
- Reason about change: When a developer merges code, the agents automatically identify the changed attack surface and prioritize testing based on actual architectural impact, not just code diff size
- Operate without fatigue: They don’t get bored scanning the 10,000th charger or miss edge cases after hours of manual testing
The Four Planes of EV Infrastructure Security
Continuous AI pentesting only works if it covers the full attack surface. For EV charging, that means validating four distinct planes simultaneously:
1. Cloud & API Control Plane
Testing authentication bypasses, authorization logic flaws, and data exfiltration paths across multi-tenant management platforms. This includes third-party ecosystem integrations that most security teams can’t directly scan.
2. OCPP Protocol Logic Plane
This is where traditional tools fail completely. OCPP is a complex, stateful protocol where message ordering and timing create vulnerabilities that static analysis can’t detect. Our agents simulate malicious charging stations and compromised management platforms to find protocol-level logic flaws before they reach production.
3. Operating System & Platform Hardening
Continuous Center for Internet Security (CIS) benchmark validation against the actual runtime configuration of cloud workloads and edge gateways, not just golden images. When a configuration drifts, testing is triggered automatically.
4. Hardware & Firmware at the Edge
Treating chargers as first-class infrastructure assets, not IoT afterthoughts. This means testing for hardware debug interfaces, firmware integrity, and supply chain compromises at the component level. A compromised charger isn’t just a data breach; it’s a foothold into energy distribution systems and a pivot point for grid-level attacks.
Eliminating the “In-Between” Spaces
The real vulnerabilities don’t live in individual components; they live in the gaps between them. Consider this real attack path Driivz’s agents discovered:
A third-party firmware update mechanism had a weak authentication token. An attacker could compromise a single charger, extract grid connection credentials stored in firmware, then pivot to the energy management API. From there, they could manipulate load balancing across an entire region during peak demand.
No single scanner would catch this. It required modeling relationships across hardware, firmware, cloud APIs, and grid protocols. Our agents discovered it in 4 hours after a routine configuration change. A traditional red team would have needed weeks, and likely would have missed the firmware vector entirely.
Implementation: Building the Continuous Loop
Deploying this requires more than tooling; it demands a shift in security operations:
- Change-driven triggers: Every code merge, config push, firmware update, or new charger onboarding initiates targeted testing
- Risk-based prioritization: Agents automatically rank findings by exploitability and business impact, not just CVSS scores
- Human-in-the-loop validation: Critical findings route to human engineers for verification; low-risk issues auto-generate tickets
- Feedback integration: Test results feed directly into CI/CD pipelines, blocking vulnerable builds before deployment
The New Security Posture
The results fundamentally changed our risk calculus. Vulnerabilities that survived multiple human-led pentests surfaced within hours of deployment. Complex OCPP logic flaws were caught in staging. Most importantly, eliminating security drift, the slow accumulation of misconfigurations and partial patches that occurs between annual audits.
Compliance transformed from a point-in-time event to continuous attestation. When auditors ask for security posture, providing real-time dashboards, not quarterly scan reports is key.
For CISOs: Making the Transition
If you’re managing distributed infrastructure, here’s where to start:
- Inventory your change velocity: Map how often each infrastructure plane (cloud, protocol, firmware) actually changes. If it’s more frequent than monthly, continuous testing is non-negotiable.
- Focus on protocol logic: Standard tooling can’t model your bespoke protocols. Invest in AI agents that understand state machines and message sequencing.
- Treat edge devices as infrastructure: Your field hardware needs the same security rigor as data center assets. Anything less is negligence.
- Measure time-to-detection, not just time-to-remediation: The goal is finding vulnerabilities within hours of introduction, not days after deployment.
The Bottom Line
The EV charging industry is building critical infrastructure with consumer-grade security models. Attackers have already noticed — reconnaissance activity mirrors pre-targeting behavior seen in traditional ICS environments.
Continuous AI pentesting isn’t about replacing human expertise; it’s about extending it to a scale and speed at which humans can’t operate. There are still red teams, but they focus on creative adversary emulation while AI handles the continuous validation of our changing reality.
The chargers must work. They must also be resilient. In critical infrastructure, those requirements aren’t in conflict; they’re the same goal. The question isn’t whether AI-driven security is ready for production; it’s whether our infrastructure can survive without it.
Author Bio:
Amit Bernstein is Chief Information Security Officer at Driivz, where he leads security strategy for EV charging management platforms serving major automotive and energy clients. With over 15 years in critical infrastructure defense, he previously held security leadership roles in OT/ICS environments and specializes in securing distributed, protocol-heavy ecosystems.
Sign up for our popular weekly email to catch all the latest EV news!
