asvin selected for CYSSDE Open Call 2

asvin labs was selected and contracted in the European Commission's CYSSDE Open Call 2 for cybersecurity penetration testing of electric vehicle charging infrastructure using AI-augmented security automation. We will be working with the EV charging platform provider ChargeIQ to design, deploy and run an intensive penetration testing procedure for EV charging infrastructure, using our cybersecurity expertise. The objectives of the contract are to identify vulnerabilities, create reports on indicators of compromise, and support EV charging infrastructure service providers in fixing vulnerabilities and improving the cybersecurity of their services. asvin and ChargeIQ's consortium was selected by the CYSSDE open call as one of ten European projects in a competition with over 120 applicants.

Electric vehicle (EV) charging infrastructure has been identified as highly vulnerable due to the poor cybersecurity measures implemented by operators. In 2024, the Dutch Institute for Vulnerability Disclosure reported critical vulnerabilities in an EV charging station product. Electric Vehicle Supply Equipment (EVSE) requires compliance with the Critical Reliability Assessment (CRA) and a European Common Criteria (EUCC) cybersecurity certification. Our PenTest4CI project supports EVSE manufacturers and charge point operators (CPOs) by conducting comprehensive penetration testing and vulnerability assessments on EV charging infrastructure to ensure compliance with NIS2 and Cyber Resilience Act.

asvin labs will contribute its expertise in penetration testing and cybersecurity to PenTest4CI, working alongside chargeIQ, a charging infrastructure provider. Our knowledge of NIS2/CRA compliance and the EVSE/CPO domain means PenTest4CI will provide valuable, actionable insights and services to help secure EV charging infrastructure.

The primary objective of CYSSDE project is to perform comprehensive, AI-augmented penetration testing and vulnerability assessments of charging infrastructure to ensure compliance with NIS2 and the CRA. The project plan includes the construction of a controlled laboratory environment that replicates real-world charging infrastructure. This will allow for detailed security assessments, threat landscape analysis, exploration of attack vectors, vulnerability identification and mitigation strategy recommendations. The testing will result in an extensive penetration report identifying critical assets, assessing potential threats and detailing threat actors and specific threat scenarios. Additionally, the CYSSDE project will provide SMEs with actionable security guidelines and establish benchmarks to help them meet evolving regulatory requirements. This will enhance the security of charging infrastructure and prepare manufacturers and CPOs for the EUCC cybersecurity certification.

Through extensive penetration testing and simulated cyberattacks, critical security flaws in commercial EVSEs will be identified, including those relating to hardware, firmware, communication protocols, backend systems, and cloud infrastructure. A detailed penetration testing report will document critical assets, vulnerabilities, threat actors, attack vectors and attack scenarios, as well as providing tailored risk mitigation strategies to enhance the security of charging infrastructure. By addressing these security gaps, the project will support EVSE manufacturers and CPOs in achieving compliance with NIS2, CRA and EUCC certification. Additionally, it will provide SMEs, who are often the most vulnerable to cyber threats, with clear guidelines and a security benchmark to help them navigate evolving regulatory requirements. In the long term, this will improve the cybersecurity maturity of the EV charging ecosystem, reduce attack surfaces, and strengthen resilience against evolving threats.

Our penetration testing approach combines real-world and AI-augmented digital twins to provide a comprehensive security assessment. We will set up a laboratory integrating commercial EVSEs from various vendors, testbed hardware (Raspberry Pis) as emulated EVSEs and Docker containers for virtualized attack simulations. This hybrid, AI-augmented framework enables the controlled, automated experimentation of diverse attack vectors, identifying vulnerabilities that traditional assessments might miss. We will leverage advanced cybersecurity methodologies, including graph theory-based cyber risk management, threat modelling and AI-augmented cyber threat intelligence frameworks, to analyze attack surfaces.

A key innovation is the automation of penetration testing using scripting and AI-driven security analysis tools to efficiently identify vulnerabilities in EVSE systems. Additionally, red team exercises and Capture the Flag (CTF) simulations will test the resilience of EV charging infrastructure under real-world conditions. Our methodology integrates risk assessment models aligned with CRA, CER and NIS2 compliance requirements. This ensures that any identified vulnerabilities can be mapped to the relevant regulatory framework and mitigated effectively.

As well as enhancing the security of EVSE systems, the CYSSDE project will help SMEs to overcome the challenge of complying with new cybersecurity regulations. SMEs, such as charging station manufacturers, often lack the resources and expertise to meet the stringent security requirements of CRA, CER and NIS2 directives. asvin labs will provide these businesses with best practices, clear guidelines and security benchmarks to help them navigate these regulatory challenges and strengthen their cybersecurity resilience.

By providing a comprehensive penetration testing report detailing threat scenarios, risk assessments, and mitigation recommendations, asvin labs will greatly improve the cybersecurity resilience of the EV charging ecosystem. Our findings will help CPOs to secure their products, while also contributing to the development of broader cybersecurity standards for critical infrastructure. This will set a new benchmark for security testing in the EV sector, ensuring that electric mobility remains safe, resilient and compliant with evolving cybersecurity regulations.