arxiv: 2605.22151 · v1 · pith:6Z7F7M7Jnew · submitted 2026-05-21 · 💻 cs.CR

Market-Analysis-Driven Methodology for Assessing Charging Station Cybersecurity

Pith reviewed 2026-05-22 06:02 UTC · model grok-4.3

classification 💻 cs.CR
keywords electric vehicle charging, cybersecurity, TLS, market analysis, extrapolation, CCS, Germany, security assessment

The pith

A market-analysis method lets a small number of field tests assess TLS use across over half of Germany's CCS charging points.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper presents a methodology to assess the cybersecurity of electric vehicle charging stations on a national scale without examining every single unit. It starts with market analysis to group stations by operator-manufacturer pairs, then selects representatives for targeted field tests whose security results are extrapolated to the full group. Applied to Germany, the method covers 51.9 percent of CCS charging points with a manageable number of tests. The results indicate that only 27.4 percent of stations in scope actually implement TLS-protected communication, even though modern standards provide theoretical support for it. This approach offers a practical way to map security postures in rapidly expanding EV infrastructure.

Core claim

The paper establishes that market analysis can identify operator-manufacturer pairs among charging stations, allowing security features such as TLS support to be tested on a small number of representatives and then extrapolated to all stations sharing the same pair. When demonstrated on German CCS infrastructure as of late 2025, this process evaluates 51.9 percent of the national fleet and finds that only 27.4 percent provide TLS-protected communication.

What carries the argument

The operator-manufacturer pair grouping derived from market analysis, which selects a few stations for field testing and extrapolates their observed security configurations to the entire group.

Load-bearing premise

Stations from the same operator and manufacturer pair share sufficiently similar security configurations that results from a few tests can stand in for the whole group.

What would settle it

Testing additional stations within identified operator-manufacturer pairs and finding inconsistent TLS support would show that the extrapolation does not hold.
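
The extrapolation and the consistency check described above, as an added Python example that is not code from the paper or from Pith. The operator and manufacturer names, the point counts and the test results are constructed, and reporting a low/high range for pairs with mixed results is an assumption of this example, not the paper's procedure.

```python
from collections import defaultdict

# Constructed market data: (operator, manufacturer) -> charging points.
MARKET = {
    ("OperatorA", "MakerX"): 4000,
    ("OperatorA", "MakerY"): 1000,
    ("OperatorB", "MakerX"): 3000,
    ("OperatorC", "MakerZ"): 2000,  # never field-tested: out of scope
}

# Constructed field tests: (operator, manufacturer, TLS offered?).
FIELD_TESTS = [
    ("OperatorA", "MakerX", True),
    ("OperatorA", "MakerX", True),
    ("OperatorA", "MakerY", False),
    ("OperatorB", "MakerX", False),
    ("OperatorB", "MakerX", True),  # disagreement inside one pair
]


def extrapolate(market, tests):
    """Extrapolate per-pair TLS observations to every point of a tested pair."""
    seen = defaultdict(set)
    for operator, maker, tls in tests:
        pair = (operator, maker)
        if pair not in market:
            raise ValueError(f"field test for pair missing from market data: {pair}")
        seen[pair].add(tls)
    if not seen:
        raise ValueError("no field tests: nothing to extrapolate")

    covered = sum(market[p] for p in seen)
    # Pairs whose tested stations all offered TLS extrapolate directly.
    tls_points = sum(market[p] for p, obs in seen.items() if obs == {True})
    # Mixed results break the uniformity premise (assumed handling): the
    # pair's points are counted as anywhere between none and all with TLS.
    mixed = sorted(p for p, obs in seen.items() if len(obs) > 1)
    uncertain = sum(market[p] for p in mixed)
    return {
        "coverage": covered / sum(market.values()),
        "tls_low": tls_points / covered,
        "tls_high": (tls_points + uncertain) / covered,
        "inconsistent_pairs": mixed,
    }


if __name__ == "__main__":
    print(extrapolate(MARKET, FIELD_TESTS))
```

A non-empty `inconsistent_pairs` list is the signal that a pair needs more field tests before its result is extrapolated.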

Figures

Figures reproduced from arXiv: 2605.22151 by Alexander Müller, Hans-Joachim Hof, Jakob Löw, Lukas Eder.

Figure 1: Charging Communication OSI Layer Overview
Figure 2: Simplified overview of EV charging participants
Figure 3: Charging Station Manufacturers Market Share

… Efacec, EKOenergetyka, ChargePoint) were analyzed across different model generations and installation years (2018–2024). In all observed cases, charging stations from the same manufacturer supported the same set of communication capabilities at the protocol level. In particular, no case was observed in which two charging stations from the same manufacturer diff…
Original abstract

Modern charging communication standards for electric vehicles include optional security controls such as TLS-based authentication and encryption. However, with tens of thousands of fast charging points deployed in any given country, individually testing each one for security control support is infeasible. This paper proposes a scalable, extrapolation-based methodology for assessing charging station cybersecurity at a national level. A market analysis identifies operator-manufacturer pairs, enabling the targeted selection of charging stations for field testing, whose results can then be extrapolated to all stations sharing the same combination. We demonstrate this methodology for Germany, covering over 40000 CCS charging points as of December 2025. With a manageable number of field tests, our extrapolated data examines 51.9% of German CCS charging stations. It shows that only 27.4% of charging stations in our scope provide TLS-protected communication, despite widespread theoretical support.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The manuscript proposes a market-analysis-driven methodology to assess cybersecurity features (such as TLS support) in EV charging stations at national scale. Operator-manufacturer pairs are identified from market data; a small number of stations per pair are field-tested; results are extrapolated to the full group. Applied to Germany, the approach covers 51.9% of CCS stations and reports that only 27.4% provide TLS-protected communication.

Significance. If the core extrapolation assumption holds, the work supplies a practical, scalable alternative to exhaustive testing and yields a concrete national statistic on the gap between theoretical security support and deployed configurations. The targeted use of market data to reduce the testing burden is a clear methodological contribution.

major comments (1)
  1. Abstract and methodology description: the central empirical result (27.4% TLS adoption across 51.9% of stations) rests on the unverified premise that security configurations are effectively identical for all stations sharing an operator-manufacturer pair. No data, variance bound, or validation test is supplied to justify treating intra-pair differences (firmware revisions, site policies, post-deployment updates) as negligible; without this, the extrapolated percentage cannot be treated as a reliable national estimate.
minor comments (2)
  1. The abstract omits the number of field tests performed, the number of distinct operator-manufacturer pairs identified, and any description of the sampling strategy within each pair.
  2. A short limitations subsection discussing the uniformity assumption and possible sources of intra-pair variance would improve transparency.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback on the extrapolation premise. We address the major comment below and will revise the manuscript accordingly to strengthen the description of assumptions and limitations.

  1. Referee: Abstract and methodology description: the central empirical result (27.4% TLS adoption across 51.9% of stations) rests on the unverified premise that security configurations are effectively identical for all stations sharing an operator-manufacturer pair. No data, variance bound, or validation test is supplied to justify treating intra-pair differences (firmware revisions, site policies, post-deployment updates) as negligible; without this, the extrapolated percentage cannot be treated as a reliable national estimate.

    Authors: We agree that the manuscript relies on the assumption that security configurations are sufficiently consistent within operator-manufacturer pairs to support extrapolation, without supplying explicit variance bounds or additional validation tests. The rationale in the paper is that these pairs capture the primary determinants of deployed configurations (standardized hardware/firmware from the manufacturer and operational policies from the operator). Field tests were performed on multiple stations per pair to support this, but we did not quantify intra-pair variance or test for post-deployment differences. In revision, we will expand the methodology section to explicitly state this assumption, discuss potential sources of variation (e.g., firmware updates, site-specific policies), report the number of stations tested per pair and any observed consistency, and add a limitations paragraph clarifying that the 27.4% figure is an estimate for the covered market share rather than a fully validated national statistic. This will better frame the result as a scalable approximation enabled by market data.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity; methodology uses external market data and independent tests

The derivation chain begins with market analysis to group charging stations by operator-manufacturer pairs, followed by targeted field tests whose results are extrapolated under an explicit uniformity assumption. This does not reduce any claimed result (such as the 51.9% coverage or 27.4% TLS figure) to its inputs by construction, nor does it involve fitted parameters renamed as predictions, self-definitional loops, or load-bearing self-citations. The extrapolation rests on an external assumption about intra-pair similarity rather than deriving that assumption from the paper's own outputs or equations. The approach is therefore self-contained against external benchmarks and does not exhibit the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that security configurations are uniform enough within operator-manufacturer pairs to support extrapolation; no free parameters or invented entities are evident from the abstract.

axioms (1)
  • domain assumption Charging stations sharing the same operator and manufacturer have sufficiently similar security configurations to allow extrapolation from a small sample to the full group.
    This premise is required for the extrapolation step that produces the national-level estimates and the 27.4% TLS figure.

