AI Agents in Electric Vehicle Chargers and the Security Problem Nobody Solved First
The growth of charging infrastructure for electric vehicles has a fundamental problem that rarely makes headlines: every new charger installed is also a new entry point into the electrical grid. Not in metaphorical terms, but in concrete technical and operational terms. A team of researchers from the University of Málaga has just published a proposal that puts that problem on the table with greater clarity than any manufacturer's press release or European regulatory communication in recent years.
The work, led by Cristina Alcaraz from the NICS laboratory —Network, Information and Computer Security— and published in the International Journal of Critical Infrastructure Protection, proposes deploying autonomous artificial intelligence agents at each charging station. The idea is not new in industrial cybersecurity, but its application to electric charging networks built on the OCPP standard is a move that deserves attention, not because of the technological novelty itself, but for what it reveals about the current state of protection in this infrastructure.
The Standard That Connects Everything and Protects Little
The Open Charge Point Protocol —OCPP— is the common language that allows a charging station to communicate with the operator's centralized system. It manages user authentication, load balancing, consumption monitoring, and remote diagnostics. It is, in practical terms, the nervous system of the majority of public charging networks in Europe and North America.
The problem identified by the Málaga team is structural: current monitoring mechanisms based on OCPP look at network traffic or the local events of each station separately. This generates a fragmented picture. When an anomaly propagates across several stations, or when a coordinated attack uses multiple simultaneous entry points, the conventional surveillance system cannot see the full pattern. It only sees local noise.
That limitation is not an implementation oversight. It is a direct consequence of how the standard was designed: for interoperability and efficient energy management, not for the detection of complex threats. OCPP solved the problem of allowing different charger manufacturers to communicate with different management systems. It was not designed to detect distributed anomalous behavior or to coordinate responses to attacks that exploit that very same interoperability.
The architecture proposed by the Málaga team attempts to close that gap by placing autonomous agents at each relevant node in the network. Each agent analyzes its local environment, collects data, and shares it with neighboring agents. The mechanism that allows those agents to arrive at a collective assessment is based on something called opinion dynamics, a mathematical framework borrowed from social network theory that models how individuals in a distributed system converge toward a shared evaluation through the iterative exchange of information.
The application of that framework to industrial cybersecurity is genuinely interesting. It reduces the probability of false positives because no agent acts solely on its own observation: it adjusts its diagnosis based on what other agents are seeing at nearby stations. An anomalous consumption spike at a single station may be a technical problem or a measurement error. The same pattern replicated across five stations in the same area, with correlated variations, carries a different signature. The system is designed to distinguish between both situations.
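The contrast described above, between one station's spike and the same pattern across five, as an added example that is not code from the paper or the NICS Lab. It assumes a DeGroot-style averaging model as a stand-in for the opinion dynamics the article mentions; station names, scores, the ring topology and the 0.5 threshold are all constructed.

```python
# Added illustration: DeGroot-style opinion dynamics (an assumed model,
# not necessarily the one used in the paper).

def degroot_round(opinions, neighbors):
    """One exchange: each agent averages its own score with its neighbors'."""
    updated = {}
    for agent, score in opinions.items():
        group = [score] + [opinions[n] for n in neighbors[agent]]
        updated[agent] = sum(group) / len(group)
    return updated

def run_consensus(local_scores, neighbors, tol=1e-6, max_rounds=500):
    """Iterate until all agents agree within tol; return (opinions, rounds)."""
    opinions = dict(local_scores)
    for rounds in range(1, max_rounds + 1):
        opinions = degroot_round(opinions, neighbors)
        if max(opinions.values()) - min(opinions.values()) < tol:
            return opinions, rounds
    return opinions, max_rounds

def diagnose(local_scores, neighbors, threshold=0.5):
    """Compare isolated per-station alarms with the collective verdict."""
    isolated = sorted(a for a, s in local_scores.items() if s > threshold)
    opinions, rounds = run_consensus(local_scores, neighbors)
    shared = sum(opinions.values()) / len(opinions)
    return {"isolated_alarms": isolated, "consensus_score": round(shared, 3),
            "area_alarm": shared > threshold, "rounds": rounds}

# Constructed topology: six stations in one area, each peering with two others.
# Every agent has the same number of peers, so the consensus equals the mean.
STATIONS = ["cs0", "cs1", "cs2", "cs3", "cs4", "cs5"]
RING = {s: [STATIONS[i - 1], STATIONS[(i + 1) % 6]] for i, s in enumerate(STATIONS)}

# Constructed local anomaly scores in [0, 1] (0 = normal, 1 = clearly anomalous).
SINGLE_SPIKE = {"cs0": 0.9, "cs1": 0.1, "cs2": 0.1, "cs3": 0.1, "cs4": 0.1, "cs5": 0.1}
CORRELATED = {"cs0": 0.9, "cs1": 0.9, "cs2": 0.9, "cs3": 0.9, "cs4": 0.9, "cs5": 0.1}

if __name__ == "__main__":
    print("single spike:", diagnose(SINGLE_SPIKE, RING))
    print("correlated:  ", diagnose(CORRELATED, RING))
```

Each agent only ever talks to its two peers, yet all six settle on the same score: the lone spike that would raise an isolated alarm at cs0 is damped below the threshold, while the correlated pattern stays above it.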
What Is at Stake Financially
The layer of risk that this work makes visible is not purely technical. It has a direct financial dimension for charging operators, utilities, and vehicle manufacturers, even though none of the actors typically quantify it publicly.
Energy theft at charging stations —users or malicious actors manipulating charging sessions to consume electricity without correct payment— is a loss vector that scales with the number of stations. In a small network of one hundred chargers, the impact is manageable. In a network of tens of thousands of distributed points across multiple countries, like those operated by major European CPOs, the difference between what is delivered and what is billed can become material. And that assumes the problem is detected. If no system identifies it, it is simply recorded as a technical loss.
The more serious risk is not direct theft but the possibility that chargers could be used as vectors to attack more critical infrastructure. The electrical distribution networks that supply fast-charging stations on motorways or in industrial zones are part of the infrastructure that European and American regulators have begun to classify explicitly as critical. A vulnerability exploited through the chargers' communication protocol can, in coordinated attack scenarios, translate into supply disruptions whose operational and reputational cost far exceeds that of individual energy theft.
There is also a contractual and regulatory dimension that is becoming increasingly relevant. The NIS2 Directive in Europe expanded the scope of cybersecurity requirements for critical infrastructure, and large-scale charging networks are progressively being included within that framework. Operators who cannot demonstrate active monitoring, anomaly detection, and incident traceability will face, within a horizon of two to four years, concrete regulatory pressure. Not as an abstract possibility, but as a condition for operation.
The Málaga work incorporates blockchain technology as a validation mechanism: all transactions carried out by the agents are recorded in a distributed, immutable ledger. That is not just a technical guarantee of integrity; it is also the foundation for the traceability that those regulatory frameworks will require when they demand audited evidence of how the system responded to an incident.
An Academic Prototype Facing the Friction of Industrial Adoption
It is worth being precise about what this work is and what it is not. It is a research proposal published in a specialized academic journal, validated in a simulation environment that replicates an OCPP ecosystem. At the time of publication, there is no evidence of field deployment, nor of charging operators or utilities having announced any pilot programme. The test results show that the system detected both specific anomalies at individual devices and behavioral patterns affecting multiple stations simultaneously, and that the consensus mechanism improved diagnostic accuracy compared to the isolated analysis of each individual agent. But moving from simulation to production in real electrical infrastructure involves a long journey.
Charging hardware manufacturers have their own certification cycles. Network operators have management system architectures (the so-called CSMS, Charge Station Management Systems) that vary between providers. Integrating AI agents into those stacks is not a trivial modification: it requires access to charger data at the firmware level, compatibility with the versions of OCPP deployed in the field, which are not uniform, and assurances that the computational overhead of the agent does not affect the performance of the charging process itself.
There is also a less visible but equally real organizational friction: charging operators are, for the most part, companies whose core competence is energy management and driver experience, not industrial infrastructure cybersecurity. Adding a layer of autonomous agents that make decisions about the state of the network implies redefining operational responsibilities, training teams, and assuming that the system will not generate more noise than an operations team can manage. That institutional absorption capacity is the threshold that most frequently determines whether a monitoring technology is adopted or shelved.
None of this invalidates the work. But it marks the difference between a solid technical contribution —which this undoubtedly is— and an operational shift already underway.
Charging Infrastructure as an Involuntary Laboratory
There is a broader pattern that this work illustrates with clarity. Electric vehicle charging networks are moving, at unusual speed, through the same cycle that smart metering infrastructure went through fifteen years ago: first, massive scaling driven by public policy and market adoption, then the emergence of systemic vulnerabilities that were not contemplated in the original design, and finally combined pressure from regulators, operators, and insurers to add layers of protection on top of an already-built foundation.
The difference from smart meters is that electric vehicle chargers are connected to vehicles that carry high-capacity batteries and, in some cases, have the ability to inject energy back into the grid. This amplifies the potential attack vector beyond the physical point of the charger. And the speed of deployment, driven by energy transition mandates, leaves less time for the usual cycle of progressive hardening that characterized other critical infrastructures.
The work of the NICS Lab in Málaga does not resolve that structural problem, but it names it with technical precision and proposes an architecture that could scale on top of the communication standard already deployed. That has value regardless of whether this specific implementation ultimately gets adopted or whether it serves as a reference for those that come later. What the work establishes is that the protection of charging networks cannot continue to depend on reactive and local monitoring: the attack surface has already surpassed that detection capacity, and the gap widens with every new charger installed.
The shift that this case reveals is not technological but architectural. The security of distributed critical infrastructure requires systems that can reason collectively about the state of the network, not merely record events at each node. That paradigm shift in monitoring —from local surveillance to collaborative diagnosis— is what is at stake, and the electric charging industry is discovering it later than it should have.










