The electric-vehicle (EV) ecosystem has evolved into a large-scale cyber-physical system that tightly couples vehicles with charging equipment (EVSE), backend control planes, roaming/payment services, and utility/building networks. Recent measurement studies and public disclosures indicate that security mechanisms assumed by standards are frequently absent or inconsistently deployed in real deployments, leaving practical attack paths open across layers and stakeholders. This paper systematizes the state of the art in research and the incident landscape by presenting a structured view of attack progression, showing how weaknesses at the charging port, PLC/PHY and negotiation layers, EVSE control planes, and cloud/API surfaces can be chained to produce real-world outcomes, from charging disruption and billing fraud to fleet-scale compromise and grid-impacting load manipulation. Synthesizing evidence across peer-reviewed attacks, empirical deploymentanalyses, and vendor disclosures, we present six representative EV cyber kill chains that capture how real vulnerabilities compose across layers: 1 transaction manipulation leading to billing fraud at scale; 2 protocol desynchronization causing persistent charging denial of service; 3 EVSE compromiseenabling backend trust abuse and fleet-wide propagation; 4 cloud/API compromise escalating to CSMS privilege and remote command execution; 5 firmware downgrade and re-exploitationestablishing durable persistence; and 6 coordinated EVSE control resulting in synchronized load manipulation with grid impacts. We distill the ecosystem’s most consequential “missed signals” and derive a prioritized remediation agenda: enforceable security requirements (non-optional secure transport with downgradeproofnegotiation), explicit PLC/PHY threat assumptions, EVSE lifecycle hardening, secured CSMS/OCPP command paths, and grid-aware guardrails against coordinated demand manipulation.
Kumar et al. (Thu,) studied this question.