Open Charge Alliance Enhances OCPP 1.6 Security

The Open Charge Alliance announced today that they have published a new security white paper. According to the news release:

Secure communication and operation is a critical aspect of Electric Vehicle Charging Infrastructure. In the latest release of OCPP version 2.0 security features such as secure connection setup, security events/logging and secure firmware update, have been added to the specification. For OCPP 1.6 however, the security measures have up until now been designed by individual implementers of OCPP. To further assist the industry the Open Charge Alliance now publishes a white paper to describe a standard way to address security using OCPP 1.6-J. Security requirements are included, on security measures for both Charge Point and Central System, to help developers build a secure OCPP implementation.

This white paper contains the following security enhancements:

  • Secure connection setup
  • Security events/logging
  • Secure firmware update

The OCPP 1.6 Security Whitepaper is also added to the OCPP 1.6 zip file that can be found on the download page of the OCA website.

I’m travelling at the moment, and haven’t had a chance to look through the document in detail. However it certainly sounds as though the OCA has ported the new security features in Open Charge Point Protocol 2.0 back into version 1.6. They are perhaps long overdue, since only a few days ago Kaspersky Lab revealed that “electric vehicle chargers supplied by a major vendor carry vulnerabilities that can be exploited by cyber-attackers” had just been patched.

Watch this space!

1 thought on “Open Charge Alliance Enhances OCPP 1.6 Security”

  1. Following the flight from hell courtesy of RyanAir, I’ve now had a chance to skim the new “white paper”:

    This document is for OCPP 1.6-J (JSON over WebSockets) only, OCPP-S (SOAP) is NOT supported. This document was started, as it is seen as a simple step to port OCPP 2.0 security to OCPP 1.6. But as OCPP 2.0 only support JSON over WebSockets (not SOAP), this document is also written for OCPP 1.6-J only. Adding SOAP to this document would have taken a lot of work and review by security experts.

    This document is based on OCPP 2.0. To help developers that are implementing both 1.6J security improvement and OCPP 2.0, we have kept the Use Case numbering from OCPP 2.0. So when implementing for example Use Case N01, it is the same use case in this document as in the 2.0 specification.

Leave a Reply

Your email address will not be published. Required fields are marked *