UK legislation requirements
The Electric Vehicles (Smart Charge Points) Regulations 2021 came into force on 30th June 2022. The legislation applies to any non-public electric vehicle charge point rated at <50kW that is sold in England, Wales and Scotland.
Regulation 12 of the legislation is applicable from 30th December 2022 and specifies how charge points must ensure the security of the smart charging functionality ("Schedule 1").
Zaptec statement of compliance
The compliance statement (and any relevant Enforcement Undertaking) for each model of Zaptec charger can be downloaded from the links at the end of the article UK Smart Charging.
The statements below apply to all models of Zaptec charger. The relevant Technical File for each model of Zaptec charger is also available on request by visiting https://zaptec.com/help.
General principles
The charge point is designed and configured to prevent harm to or disruption of the electricity system and charge point, and to provide appropriate protection of the personal data of the owner and any other end-user of the charge point. This is achieved through the adoption of the security measures described in this section.
Passwords
Access to the charge point configuration requires the use of a PIN. All charge points are shipped from the factory with a random PIN. This PIN is not derived from or based on any publicly available information. There is no default PIN and it is not possible to reset the PIN to a default that is shared with other charge points.
Software
The charge point incorporates software that can be securely updated. Software updates are provided via a secure over-the-air mechanism that uses cryptographic measures to verify the origin and integrity of the update.
The charge point verifies the authenticity and integrity of each prospective software update by checking:
- The origin of the update using a TLS certificate
- The integrity of the update using a checksum
The update is only downloaded if the origin check is successful and only applied if the checksum test is successful.
Additional measures to prevent the installation of non-verified software may be present, depending on the model of charger.
Sensitive security parameters
The software does not use hard-coded security credentials.
The degree of encryption and protection of sensitive security parameters is dependent on the model of charger.
Secure communication
All communication via MQTT and HTTPS is encrypted using SSL.
Data inputs
All data inputs are subject to validation. The inputs are discarded if they do not meet the validation criteria.
Ease of use
The charge point is designed for simple configuration using the minimum number of inputs from the owner for set-up and operation. To request the removal of any personal data from Zaptec systems, visit https://zaptec.com/help and request that your account be deleted.
Protection against attack
The charge point outer cover is secured using either a Zaptec SmartKey or Torx screws, depending on the model of charger. The internal electronics are further protected by a non-removable internal cover.
Depending on the model of charger, active tamper detection may also be present to notify the owner of any attempt to access the tamper protection boundary.
Security log
The charger records and transmits an electronic, timestamped record of the following security-related events to the Zaptec portal:
- Charge authorisation (success/fail)
- OTA firmware update (success/fail)
- Certificate update (success/fail)
Depending on the model of charger, additional security events may also be recorded.
Provision of information
Every Zaptec charger is designed to provide the highest possible level of security. The user manual supplied with the charger provides details of how it should be configured.
If you have any concerns or problems regarding the security of your charger, please notify us by visiting https://zaptec.com/help.