Open Charge Point Protocol (OCPP) Security Explained

An overview of the OCPP Security framework and best practices for electrical vehicle (EV) charge points and management systems.

Overview

Electric vehicle (EV) chargers and software management systems communicate via the Open Charge Point Protocol (OCPP). It is governed by the Open Charge Alliance (OCA) which formally certifies products for compliance.

The security part of OCPP defines an end-to-end security design architecture, with implementation guidelines for both Charge Point and Central Management System. It was first introduced in 2018 and now is in its third revision.

System architecture

OCPP defines the communications path between a supported charger and a Charging Station Management System (CSMS). In many cases, the CSMS is a cloud-based platform. The charger and the CSMS communicate with Web Sockets (WS), a bi-directional HTTP-like protocol. When that channel is encrypted, the protocol is called Secure Web Socket (WSS), similar to HTTPS.

OCPP is used between Charge Points and a Charge Point management System (CPMS)

 

The OCPP security framework aims to define the security of this communications channel while using industry-standard best practices.

Security concepts

Like most communication network security frameworks, the OCPP security framework deals with the three most common security issues:

  1. Secrecy of communications – A well-defined system encrypts the communications between the entities so that unauthorized third parties cannot eavesdrop on the communications.
  2. Authentication of the server – the charger should easily verify it communicates with the right server.  Failing to do that may result in a communication hijack to a rogue server.
  3. Authentication of the client – The server should be able to authenticate the charger to prevent attackers from creating fake chargers that impersonate real chargers and pollute the server database.

OCPP Security Profiles

The OCPP security architecture defines three levels of security profiles:

Profile Channel encryption Server Auth Charger Auth
Security Profile 1 Password
Security Profile 2 TLS 1.2 or higher Server Certificate Password
Security Profile 3 TLS 1.2 or higher Server Certificate Client Side Certificate

Security Profile 2 or Security Profile 3, or both must be implemented to receive OCPP Security implementation.

How OCPP security prevents common attack scenarios

Correct implementation of the OCPP Security profiles can protect against some of the more common attack scenarios as shown in the table below:

Attack Name Attack Details Impact Protection
Server hijack A malicious server hijacks traffic from the charger.

This can be easily done by manipulating DNS entries in one of the DNS servers used by the charger.

  • Exposure of confidential data
  • The attacker sends malicious commands to the charger, causing damage.
Security Profile 2 or Security Profile 3 eliminate this attack due to server auth.
Communications eavesdropping Rogue player (e.g. router, proxy, etc.) records or manipulates unencrypted traffic between the charger and the server.
  • Exposure of confidential data
  • The attacker manipulates communications to send rouge commands to the charger, causing damage.
Security Profile 2 or Security Profile 3 eliminate this attack due to channel encryption.
Charger impersonation A fake charger simulator impersonates actual chargers and spams the server with fake data. The server can not distinguish between real and fake messages.
  • Spamming service with fake data
  • The server’s inability to distinguish between real and fake data
  • The server’s inability to stop the attack.
  • Service unrecoverable failure
Security Profile 1 or

Security Profile 2 or Security Profile 3 eliminate this attack due to client auth.

Practical considerations

To receive OCPP Security implementation, Security Profile 2, Security Profile 3, or both must be implemented. In reality, most certified chargers elect to support Security Profile 2 since it is much easier to implement on embedded systems.

Security Profile 2 uses a shared key (password).  The server and the charger must share this password before communication starts. It is recommended to use the following flow upon the initial connection of the charger to the server:

  1. The manufacturer of the Charge Point initializes it with a well-known default password. This can be a fixed password for all Charge Points or unique for a specific batch/customer. However, this default password must be known to the Charging Station Management Systems (CSMS).
  2. When the Charge Point connects to the CSMS for the first time, it uses the default password. It should then immediately update that password with a unique one.
  3. The CSMS randomly generates a unique password. It then securely saves this password in its database for that specific charger.
  4. A unique password is sent to the charger over the secure channel (wss).
  5. The charger will use this unique password for all follow-up communications, and the server will expect and verify it.

The procedure for updating the password in item 4 above is well-defined in the OCPP security documentation and is part of the security certification.

Summary

OCPP Security implementation is critical for the security and stability of any charger network. Operators should verify that the chargers and management systems they choose implement these important security measures.

The simplest way to verify compliance is via the OCPP Security certification badge. This badge is provided only to the best products that pass the rigorous certification process and is considered the gold standard of security in the EV charging space.

 

OCPP security certification mark

 

SHARE

We thought that you would be interested in reading these articles:

SAE J3400
Glossary

The SAE J3400 Charging Connector

The SAE J3400 Charging Connector Standard, based on Tesla’s NACS, ensures North America EV charging interoperability and accessibility.

Talk to our Specialist

Fill in the form below to book a 30 minute no-obligation consulting session.

Your information will be processed as detailed in our privacy policy.

Skip to content