Northeastern University Arlington
Khoury College of Computer Sciences
Graduate Student Government · Impact Symposium
Research Poster · 2026

An Active Defense Framework for EV Charging Infrastructure Using
Risk-Based Adaptive Honeytokens

Moving beyond passive, authenticate-once security by building intelligent, self-defending charging stations that detect, deceive, and contain cyber threats in real time.

Suchir Vangaveeti
Bansi Bhesaniya
Kathan B. Thakkar
Advisor: Dr. Youna Jung
  • 17M+: EVs sold globally in 2024
  • 50%: Rise in charging network cyberattacks
  • 74%: Attacks causing service disruptions
  • $125B: Projected market by 2030
📡
01 // Context
Introduction

Global EV sales surpassed 17 million units in 2024, and the charging infrastructure market is projected to grow from $32.26B to $125.39B by 2030. At the same time, cyberattacks on EV charging networks rose by 50% in 2024, with 74% causing service disruptions.

Current standards like ISO 15118 and OCPP authenticate a vehicle once at session start but remain blind to malicious behavior afterward. A compromised vehicle with valid credentials can perform reconnaissance, intercept data, or join coordinated grid attacks, all without triggering an alert. We propose an active defense framework that embeds risk-aware, deception-based security directly into the charging workflow, turning stations from passive service points into self-defending nodes.

🎯
02 // Goals
Objectives
  • Enable early-stage attack detection (e.g., during reconnaissance) before any damage occurs
  • Achieve high-fidelity alerting with near-zero false positives using honeytokens as tripwires that only malicious actors would trigger
  • Identify and isolate compromised vehicles before they can be weaponized against the power grid
  • Build a safe, sandboxed environment to observe adversary tools and behavior in real time
  • Demonstrate the framework operates as a lightweight software agent on existing charging hardware with minimal overhead
⚙️
03 // Approach
Methodology

We designed a three-stage active defense pipeline on top of existing ISO 15118 and OCPP flows without modifying the underlying protocols.

Stage 01: Risk Assessment
Evaluates each session's device history, behavioral patterns, protocol compliance, and temporal signals to compute a continuously updating risk score.

Stage 02: Adaptive Response
Low-risk sessions proceed with enhanced logging, elevated-risk sessions require secondary authentication, and high-risk sessions are redirected into a deception environment.

Stage 03: Deception & Containment
Deploys honeytokens (believable but monitored decoy assets) for high-risk sessions. Any interaction is inherently suspicious. Attacker activity is logged in an isolated sandbox while keeping real infrastructure protected.
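
An added sketch of the three stages described above, not the authors' implementation. The weights, thresholds, smoothing factor, resource names, and session data are assumptions constructed for illustration, since the poster does not publish them.

```python
from dataclasses import dataclass, field

# Assumed values (the poster publishes none): weights for the four signal
# groups it names, tier thresholds, and a smoothing factor for the running score.
WEIGHTS = {"device_history": 0.30, "behavior": 0.30, "protocol": 0.25, "temporal": 0.15}
ELEVATED, HIGH, ALPHA = 0.40, 0.70, 0.5
# Constructed decoy identifiers; they exist only inside the deception environment.
HONEYTOKENS = {"decoy/firmware-signing-key", "decoy/billing-api-token"}

@dataclass
class Session:
    vehicle_id: str
    risk: float = 0.0
    contained: bool = False
    alerts: list = field(default_factory=list)

def update_risk(s, signals):
    """Stage 1: fold one observation (signals in 0..1) into the running score."""
    instant = sum(w * min(max(signals.get(k, 0.0), 0.0), 1.0) for k, w in WEIGHTS.items())
    s.risk = ALPHA * instant + (1 - ALPHA) * s.risk
    return s.risk

def respond(s):
    """Stage 2: graduated response; containment is sticky for the session."""
    if s.contained or s.risk >= HIGH:
        s.contained = True
        return "redirect_to_deception"
    return "secondary_authentication" if s.risk >= ELEVATED else "proceed_with_logging"

def on_access(s, resource):
    """Stage 3: contained sessions are served by the sandbox; decoy touches alert."""
    if not s.contained:
        return "real_backend"          # decoys are never exposed on this path
    if resource in HONEYTOKENS:
        s.alerts.append((s.vehicle_id, resource))
    return "sandbox"

def demo():
    """Constructed sessions: one benign, one whose signals escalate then go quiet."""
    benign, hostile = Session("EV-benign"), Session("EV-hostile")
    update_risk(benign, {"device_history": 0.1, "behavior": 0.1, "temporal": 0.2})
    actions = [respond(benign)]
    for level in (0.9, 1.0, 0.0):
        update_risk(hostile, {k: level for k in WEIGHTS})
        actions.append(respond(hostile))
    routes = [on_access(benign, "tariff/current"),
              on_access(hostile, "decoy/billing-api-token")]
    return actions, routes, hostile.alerts

if __name__ == "__main__":
    print(demo())
```

The third hostile observation drops the running score below the elevated threshold, yet the session stays in the deception environment, so a session cannot leave containment by going quiet.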
📊
04 // Findings
Results
Experimental details and quantitative outcomes are not included in this poster to preserve publication eligibility.

We evaluated our framework using a synthetic dataset of 50,000 simulated EV charging sessions spanning normal, suspicious, and malicious categories. The framework successfully separated legitimate from malicious sessions with clear risk-score boundaries.

The adaptive thresholds enabled graduated responses where mild anomalies triggered lightweight checks and confirmed threats were fully contained. No legitimate session was routed into the deception environment, preserving service availability for genuine EV users.

💬
05 // Analysis
Discussion

Shifting from one-time authentication to continuous, risk-aware evaluation fundamentally changes the security posture of EV charging stations. The honeytoken-based approach offers a distinct advantage over traditional intrusion detection: legitimate EV clients have no reason to interact with decoy assets, so any such interaction serves as a strong, low-noise indicator of malicious intent, addressing the chronic problem of alert fatigue. The software-only design means the framework can be integrated into existing infrastructure through firmware updates rather than physical retrofitting, making it practical for large-scale adoption. Our current evaluation relied on synthetic data, and validating against real-world traffic and adaptive adversaries remains an essential next step.

🚀
06 // Next Steps
Future Work
  • Validate the framework in real EV charging environments using live traffic data
  • Refine the risk-scoring model using reinforcement learning to adapt thresholds dynamically based on evolving network conditions and emerging attack patterns
  • Extend coverage to Vehicle-to-Grid (V2G) bidirectional energy flows, which introduce additional attack surfaces involving grid stability
  • Develop an EV-specific vulnerability scoring system inspired by CVSS that captures both cyber and physical consequences unique to charging infrastructure
  • Design an automated user compensation mechanism, such as charging credits, to offset friction from false positive escalations, ensuring security measures do not degrade the user experience