ISO 15118 Plug and Charge: Security and PKI Basics

Q: What is Plug and Charge (PnC) and how does it differ from RFID card authentication?

RFID card authentication requires the driver to present a physical card or app to a reader before charging begins. Plug and Charge (per ISO 15118-2) authenticates the vehicle automatically when the cable is connected — no driver action required. Authentication uses a digital certificate stored in the vehicle's EVCC (Electric Vehicle Communication Controller), verified by the SECC (Supply Equipment Communication Controller) in the charger against a PKI (Public Key Infrastructure) trust chain. Billing is attributed to the vehicle's contract certificate without any driver interaction.

Q: What is the PKI (Public Key Infrastructure) in the ISO 15118 context?

The PKI defines the hierarchy of certificate authorities (CAs) that create, sign, and revoke digital certificates for EVs, chargers, and eMobility service providers. The root CA (V2G Root CA) is maintained by a neutral trust anchor organisation (e.g., Hubject operates the European V2G PKI). Under the root are sub-CAs for OEMs (who issue provisioning certificates to vehicles) and eMSPs (eMobility Service Providers, who issue contract certificates that authorise billing). An EV carries both a provisioning certificate (OEM-issued, identifies the vehicle) and a contract certificate (eMSP-issued, authorises payment to a specific billing account).

Q: What cybersecurity vulnerabilities does ISO 15118 Plug and Charge introduce?

The main attack surfaces: (1) certificate theft — if a vehicle's contract certificate private key is extracted, it can be used to fraudulently charge on the victim's account; (2) relay attacks — the TLS session can theoretically be relayed to a legitimate charger by a malicious intermediary, though TLS 1.2/1.3 with proper certificate pinning mitigates this; (3) OCSP replay — if certificate revocation status (OCSP) responses are replayed, a revoked certificate may appear valid; (4) PKI root compromise — if the V2G root CA private key is compromised, all certificates in the hierarchy become untrustworthy. Defense: hardware security modules (HSMs) for key storage in the vehicle, certificate pinning, short-lived contract certificates (refreshed frequently), and regular OCSP stapling.

Q: Does ISO 15118 V2G (Vehicle-to-Grid) discharge work in India?

ISO 15118-20 (the 2022 update) adds bidirectional power transfer (V2G) capability. In India, V2G is technically possible with CCS2 infrastructure and ISO 15118-20 compliant EVs, but regulatory and metering frameworks do not yet support it. DISCOMS (distribution companies) are not currently set up to accept and meter power fed back from EVs, and grid codes do not include EV-as-storage provisions. V2G pilot projects are being evaluated, but commercial V2G availability in India is likely 3–5 years away from 2025.

Q: Is ISO 15118 Plug and Charge available at Indian charging stations?

As of 2025, very few Indian public chargers support ISO 15118 Plug and Charge. Most public DC fast chargers in India use OCPP (Open Charge Point Protocol) with RFID or app-based payment. Some premium chargers (Tata Power, Ather grid upgrades) are implementing ISO 15118 support. Vehicle-side support exists in some imported EVs (Hyundai Ioniq series, Porsche, Audi) but not yet in most domestic EV models. Full PnC ecosystem deployment in India requires PKI infrastructure, eMSP contracts, and charger firmware upgrades — a 2–4 year deployment horizon from 2025.

The Communication Stack
The PKI Architecture
The Plug and Charge Session Flow
Cybersecurity Considerations
V2G: When the Car Becomes a Grid Asset
Key Takeaways

ISO 15118 Plug and Charge is essentially TLS handshake on wheels — the EV presents a certificate, the charger verifies it against a trusted root, and billing happens automatically. The complexity is in managing certificates across millions of vehicles and thousands of chargers.

TL;DRKey Points

ISO 15118 Plug and Charge uses mutual TLS over HomePlug GreenPHY PLC on the CCS control pilot pin, completing the full session handshake in under 4 seconds.
The PKI hierarchy spans 4–5 levels: V2G Root CA down to per-vehicle provisioning certificates and per-account eMSP contract certificates that must be renewed every 90–365 days.
Contract certificate private key security in the vehicle's EVCC is safety-critical — a hardware security module (HSM) is mandatory, not optional, to prevent remote billing fraud.
ISO 15118-20 adds V2G bidirectional power transfer capability, but commercial deployment in India requires regulatory and metering frameworks that do not yet exist as of 2025.
Most Indian public chargers still rely on RFID/OCPP authentication; full PnC ecosystem deployment is a 2–4 year horizon from 2025.

ISO 15118 defines the communication protocol between an EV and a DC fast charger (or V2G-capable AC charger). Part 2 of the standard specifies the Plug and Charge (PnC) feature — a mechanism for automatic vehicle authentication, contract authorisation, and billing without any driver interaction beyond plugging in the cable. The security architecture that makes this trustworthy involves digital certificates, PKI hierarchies, TLS mutual authentication, and certificate lifecycle management at scale.

ISO 15118-2 session establishment time target | <4 | seconds from plug-in to charge start

V2G PKI certificate hierarchy levels | 4–5 | Root CA → Sub-CA → OEM CA → Vehicle cert

Contract certificate validity period (typical) | 90–365 | days before renewal required

CCS2 PLC communication frequency | 2 MHz band | HomePlug GreenPHY over control pilot

ISO 15118-20 max AC bidirectional power | 22 kW | V2G rated

TLS version required by ISO 15118-2 | TLS 1.2 minimum | (1.3 preferred)

The Communication Stack

ISO 15118 operates over the CCS (Combined Charging System) control pilot pin using Power Line Communication (PLC) at 2 MHz (HomePlug GreenPHY). This allows high-bandwidth digital communication over the same cable used for the basic Mode 3 control pilot signal.

Protocol stack:

Physical: HomePlug GreenPHY over control pilot
Data link: IEEE 802.3 (Ethernet framing)
Network: IPv6 with link-local addressing
Transport: TCP/TLS 1.2+
Application: ISO 15118 V2G message set (EXI encoded XML)

The EXI (Efficient XML Interchange) encoding reduces XML message size by 60–80%, achieving the session establishment time target of <4 seconds despite multiple TLS handshake round trips.

QWhy does ISO 15118 use EXI-encoded XML rather than plain JSON or binary protocols for the application layer?

EXI (Efficient XML Interchange) was selected because it reduces XML message size by 60–80% while preserving XML's schema-validated structure, which is essential for the formal security model. JSON lacks the same level of schema enforcement needed for cryptographic certificate handling. Pure binary protocols would require custom parsers at every implementation point. EXI allows ISO 15118 messages to remain interoperable and schema-auditable while fitting within the <4-second session establishment time budget imposed by the HomePlug GreenPHY physical layer's bandwidth constraints.

The PKI Architecture

Certificate	Issued By	Held By	Purpose	Validity
V2G Root CA cert	External trust anchor	All participants	Root of trust for whole ecosystem	10–30 years
V2G Sub-CA cert	V2G Root CA	Intermediate CAs	Intermediate trust	3–5 years
OEM Provisioning Sub-CA cert	V2G Root CA or Sub-CA	OEM PKI	Signs vehicle provisioning certs	3 years
Vehicle Provisioning cert (PCert)	OEM Sub-CA	EV EVCC	Identifies vehicle to charger, enables cert installation	Vehicle lifetime
eMSP Contract cert	eMSP CA	EV EVCC (refreshed)	Authorises billing for specific eMSP account	90–365 days
SECC (charger) cert	CPO Sub-CA	Charger SECC	Identifies charger to vehicle	1–3 years

The Plug and Charge Session Flow

Cable connection

Vehicle detects connection via control pilot signal transition. EVCC and SECC begin SLAC (Signal Level Attenuation Characterisation) to establish PLC link.

IP addressing

IPv6 link-local addresses assigned. Both parties discover each other via UDP broadcast.

TLS handshake

Mutual TLS authentication. Vehicle presents its provisioning certificate; charger presents its SECC certificate. Both verified against PKI trust chain.

Session setup

Vehicle announces capabilities (max voltage, current, battery capacity, V2G capability). Charger responds with its supply capabilities.

Contract certificate check

Charger queries the eMSP whether the vehicle's contract certificate is valid and not revoked (via OCSP or pre-loaded CRL).

Charge authorisation

If certificate valid and contract active, charger authorises the session. Charging parameters negotiated.

Active charging

Continuous BMS-charger negotiation (voltage, current request updated every 50–100 ms via ISO 15118 CurrentDemand messages).

Session termination

Vehicle or charger terminates session. Billing record signed with charger certificate and logged.

QHow does certificate revocation work in ISO 15118 when a charger has intermittent connectivity, such as at a remote Indian highway station?

ISO 15118 supports two revocation mechanisms: OCSP (Online Certificate Status Protocol) for real-time status queries, and CRL (Certificate Revocation List) pre-loaded to the charger. In low-connectivity deployments, the charger caches OCSP responses (typically valid for 24–48 hours) and falls back to the most recently downloaded CRL if the OCSP responder is unreachable. The practical security implication is a revocation latency window — a compromised certificate can still be accepted during the cache validity period. This is a known trade-off accepted in the standard's architecture; chargers in high-fraud-risk deployments should use shorter OCSP cache lifetimes.

Cybersecurity Considerations

The ISO 15118 PnC security model has several critical requirements:

Key storage security: The vehicle's contract certificate private key must be stored in a hardware security module (HSM) or equivalent tamper-resistant storage. If stored in a software keystore accessible from the vehicle's application layer, key extraction attacks (via compromised firmware update, physical memory dump) become feasible. AIS-189 (India's cybersecurity standard for EVs, under development) is expected to mandate HSM-grade key storage.

Certificate revocation: If a vehicle's contract certificate is compromised or the account is closed, the certificate must be revoked promptly. OCSP (Online Certificate Status Protocol) allows real-time revocation checking, but requires charger connectivity to the OCSP responder. Many Indian public chargers have intermittent connectivity — OCSP with caching and CRL (Certificate Revocation List) as fallback is the practical architecture.

Warning

A compromised vehicle contract certificate (private key extracted from a poorly secured EVCC implementation) allows fraudulent charging to the victim's billing account from anywhere in the world with ISO 15118-compatible chargers. Unlike an RFID card (which can be physically blocked), a certificate compromise is entirely remote. OEMs must implement hardware-secured key storage from first production — retrofitting this after deployment is extremely difficult. This is a significant security gap in some first-generation ISO 15118 implementations.

QWhat happens to a Plug and Charge session if the contract certificate expires while the vehicle is mid-charge?

The contract certificate is checked at session authorisation, before charging begins — not on a rolling basis during the session. If the certificate expires while the vehicle is mid-charge, the ongoing session continues uninterrupted. The expired certificate will cause the next new session to fail authentication until the vehicle renews its contract certificate via OTA from the eMSP. This is by design: interrupting an active charge session due to certificate expiry would be operationally unacceptable. The vehicle's BMS/EVCC should alert the driver to renew the certificate before it expires, not after.

V2G: When the Car Becomes a Grid Asset

ISO 15118-20 (2022) extends the protocol to support bidirectional power flow (V2G — Vehicle to Grid). The EV can discharge into the grid through the charger under utility contract, providing grid services (peak shaving, frequency regulation) and earning revenue for the vehicle owner.

The security implications of V2G are more serious than one-directional charging — an EV that can push power into the grid can potentially destabilise it if authentication is compromised and large numbers of EVs push power simultaneously. ISO 15118-20 addresses this with enhanced digital signatures on V2G service agreements and contract-limited power transfer parameters.

Note

India's regulatory framework for V2G is not yet established. The Central Electricity Regulatory Commission (CERC) and Ministry of Power are studying V2G frameworks, but no commercial V2G tariff or metering standard exists as of 2025. The Tata Power-BYD and Magenta-EESL V2G pilot projects are the leading experiments. Fleet operators in India interested in V2G as a revenue stream should monitor CERC consultation documents rather than expecting near-term commercial availability.

Key Takeaways

✦Key Takeaways

ISO 15118 PnC uses mutual TLS over HomePlug GreenPHY PLC on the CCS control pilot pin, completing the full session handshake — SLAC, IPv6 addressing, TLS, contract verification, and charge authorisation — in under 4 seconds.
The PKI spans 4–5 levels from V2G Root CA through OEM provisioning and eMSP contract chains; both chains must validate correctly for PnC to authorise, and contract certificates must be renewed every 90–365 days via OTA.
Contract certificate private key security in the EVCC is safety-critical — compromise enables remote billing fraud at any ISO 15118-compatible charger worldwide; HSM-grade key storage is a production requirement, not an option.
OCSP revocation checking requires charger internet connectivity; in low-connectivity Indian deployments, chargers should cache OCSP responses with short validity windows and maintain a fallback CRL to avoid accepting compromised certificates.
V2G capability (ISO 15118-20) requires regulatory and grid metering frameworks that do not exist in India as of 2025; commercial V2G deployment is realistically a 3–5 year horizon from 2025.

Written by

Sai Chaitanya Dasari

Battery Systems Engineer · Volvo Eicher Commercial Vehicles

3+ years in commercial EV pack development. Writing about real battery engineering from the bench.

Frequently Asked Questions

What is Plug and Charge (PnC) and how does it differ from RFID card authentication?

RFID card authentication requires the driver to present a physical card or app to a reader before charging begins. Plug and Charge (per ISO 15118-2) authenticates the vehicle automatically when the cable is connected — no driver action required. Authentication uses a digital certificate stored in the vehicle's EVCC (Electric Vehicle Communication Controller), verified by the SECC (Supply Equipment Communication Controller) in the charger against a PKI (Public Key Infrastructure) trust chain. Billing is attributed to the vehicle's contract certificate without any driver interaction.

What is the PKI (Public Key Infrastructure) in the ISO 15118 context?

The PKI defines the hierarchy of certificate authorities (CAs) that create, sign, and revoke digital certificates for EVs, chargers, and eMobility service providers. The root CA (V2G Root CA) is maintained by a neutral trust anchor organisation (e.g., Hubject operates the European V2G PKI). Under the root are sub-CAs for OEMs (who issue provisioning certificates to vehicles) and eMSPs (eMobility Service Providers, who issue contract certificates that authorise billing). An EV carries both a provisioning certificate (OEM-issued, identifies the vehicle) and a contract certificate (eMSP-issued, authorises payment to a specific billing account).

What cybersecurity vulnerabilities does ISO 15118 Plug and Charge introduce?

The main attack surfaces: (1) certificate theft — if a vehicle's contract certificate private key is extracted, it can be used to fraudulently charge on the victim's account; (2) relay attacks — the TLS session can theoretically be relayed to a legitimate charger by a malicious intermediary, though TLS 1.2/1.3 with proper certificate pinning mitigates this; (3) OCSP replay — if certificate revocation status (OCSP) responses are replayed, a revoked certificate may appear valid; (4) PKI root compromise — if the V2G root CA private key is compromised, all certificates in the hierarchy become untrustworthy. Defense: hardware security modules (HSMs) for key storage in the vehicle, certificate pinning, short-lived contract certificates (refreshed frequently), and regular OCSP stapling.

Does ISO 15118 V2G (Vehicle-to-Grid) discharge work in India?

ISO 15118-20 (the 2022 update) adds bidirectional power transfer (V2G) capability. In India, V2G is technically possible with CCS2 infrastructure and ISO 15118-20 compliant EVs, but regulatory and metering frameworks do not yet support it. DISCOMS (distribution companies) are not currently set up to accept and meter power fed back from EVs, and grid codes do not include EV-as-storage provisions. V2G pilot projects are being evaluated, but commercial V2G availability in India is likely 3–5 years away from 2025.

Is ISO 15118 Plug and Charge available at Indian charging stations?

As of 2025, very few Indian public chargers support ISO 15118 Plug and Charge. Most public DC fast chargers in India use OCPP (Open Charge Point Protocol) with RFID or app-based payment. Some premium chargers (Tata Power, Ather grid upgrades) are implementing ISO 15118 support. Vehicle-side support exists in some imported EVs (Hyundai Ioniq series, Porsche, Audi) but not yet in most domestic EV models. Full PnC ecosystem deployment in India requires PKI infrastructure, eMSP contracts, and charger firmware upgrades — a 2–4 year deployment horizon from 2025.