Quick Summary
- A secure charging platform helps ensure fleet vehicles are charged, available and ready for their next shift.
- Fleet operators need confidence that their charging platform can protect service continuity, operational data and day-to-day performance.
- A cyberattack could disrupt charging, alter schedules, ignore site limits or quietly increase energy costs.
- Encrypted and authenticated charger connections help prevent unauthorised devices from accessing the platform.
- Work accounts, multi-factor authentication and precise roles keep access limited to the right people.
- Continuous backups, automated recovery, encryption and layered controls help contain incidents and restore service.
- ISO 27001 certification and independent security testing support VEV’s approach to making security part of everyday fleet operations.
Five in the morning
At five in the morning, a duty manager at a bus depot looks at VEV IQ and needs the answer to one question: is the fleet ready?
From the outside, the platform looks like a dashboard showing charging status, session history and energy costs.
VEV IQ starts, stops and schedules charging across entire fleets, balancing energy prices and site power limits around the priority that matters most: vehicles ready for their next shift. For some fleets, it also decides how available solar energy is used, whether it goes into vehicles, into batteries or back to the grid. That manager just needs the fleet ready to roll. That means the right plan ran overnight, and only the right people could have changed it.
Now consider what could happen if an attacker gained access to a charging platform. The consequences could be obvious: the platform could become unavailable and vehicles could be unable to charge. But the attack could also be much harder to detect. The plan being executed might no longer be the one the operator intended: vehicles skipped, priorities reversed, site limits ignored, and energy exported when it should have been used on site. Several hours of charging cannot be recovered just before the first departures. Vehicles would remain unavailable, some services could no longer operate, and delays and penalties would start to mount. An attack could also remain almost invisible. Someone trying not to be detected could gradually shift charging towards the most expensive hours, week after week. Whatever the method, getting the platform running again would only be the first step.
A security incident is not the same as a breakdown, a breakdown is over when the fault is fixed. After an attack, restoring service is not enough. You also need to trust the system again. That means checking what changed, which accounts were used, what actions were taken, whether the connected chargers are the ones expected, and whether any other part of the system was affected. That can take days, not hours.
That is why the platform’s security matters and these risks are not only theoretical. The wider charging sector has already seen public chargers tampered with and customer records exposed. Those incidents hit public networks, where a stranded driver is inconvenienced and can usually charge somewhere else. A fleet has no somewhere else since the depot is its network, and the business runs on it.
All of this raises the bar for the platform a fleet runs on. Serious systems are built for the day something goes wrong, and judged on how well they contain it.
A platform that runs your depot effectively holds the keys to it, and it should be chosen with that in mind.
Trusting what the chargers tell you
A charging platform lives on a constant stream of data from the chargers. Every decision it makes, when to charge, how fast, where the energy goes, is only as good as that stream.
Chargers connect to VEV IQ over encrypted channels using OCPP, the industry standard for charger communication. We use the security mechanisms provided by the protocol, and VEV IQ’s OCPP implementation is independently certified.
Where we go further is identity. A charger does not get to send us data, or take instructions from us, until it has proved it is the charger it claims to be. We configure and manage each charger using the strongest authentication mechanism its hardware supports.
It is a fair question to ask when choosing a platform: what actually stops an unauthorised device from impersonating one of my chargers? We are always happy to explain exactly how VEV IQ addresses it.
Control in the right hands
First, who gets in. VEV IQ uses the same work accounts your employees already have. Your password rules and multi-factor authentication stay in force, and when someone joins or leaves your organisation, their access is adjusted accordingly. There is no separate VEV IQ account for someone to forget about after they have left.
Second, what they can do once inside. Access mirrors how your organisation actually works, not a handful of generic roles the platform forces on you. A fleet manager sees the whole picture, a depot manager controls their site and not the others, and a support engineer gets diagnostic access without touching billing. These are only examples. Roles can be shaped around how your organisation works and created specifically for your teams where needed.
In my experience, over-privileging is rarely a choice and it happens when a system cannot express access precisely, so you grant more than the task needs just to let people work. We built VEV IQ to be precise at that level, so access can be exactly what the job needs and nothing more.
And the same applies to us. Access to the infrastructure behind VEV IQ is not something our engineers simply have: it has to be requested and approved, it is granted for a limited time, and it expires automatically when that time is up. The principle is simple: standing access is a risk, whoever holds it. It can be stolen, but it can also magnify a human mistake. When access is limited to the task at hand, the impact of a wrong command stays contained. With broader access, the same mistake can cause serious damage. That is why we limit both the scope of access and how long it remains active. And whoever holds it, everything significant leaves a trace: who changed what, and when. For security that is evidence, and for operations it is how you find out what actually happened when something looks wrong.
When something goes wrong
Resilience is how well the platform keeps running when something breaks, and how quickly it comes back. Inside VEV IQ, no request is trusted just because it arrived. It passes through layers that each do a different job: bad traffic is filtered at the edge before it reaches the core, identity is checked, permissions are enforced and access to data is restricted to authorised users. The data remains encrypted while being transmitted and stored.
A serious platform also has to recover well, whatever the cause: a hardware fault, human error, an accident. Recovery starts with the backups: they are taken continuously, and cannot be changed or deleted, even by us, so there is always a recent, clean copy to return to. But restoring the data is only half the job. The entire platform is defined in an automated blueprint that is used directly to deploy and evolve it. It is not a document that can be forgotten or allowed to drift out of date. We test that blueprint very regularly to make sure it can bring the platform back consistently, without relying on an engineer’s memory or a long series of manual steps.
Security as a daily practice
Most breaches do not start with a brilliant attacker. They start with a rushed change on a Friday, a rule someone forgot, a patch that waited too long. So we built VEV IQ not to depend on anyone remembering. The controls are defined once and enforced automatically, on every change, so the protection is the same on a quiet Tuesday as on the day of an audit.
That is deliberate. Even the best teams make mistakes, so the platform is built so the secure way is also the easy way, rather than asking for perfection from every person every day.
We are certified to ISO 27001, and we hold ourselves past the minimum it asks for. Independent, accredited specialists test VEV IQ to find what we might have missed, and whatever turns up is fixed and followed through to closure.
Security is now part of running the fleet
Fleets are becoming more connected, and more of the operation depends on the platform coordinating vehicles, chargers, sites and energy. At the same time, attacks are getting cheaper to build and easier to automate. Put those two lines together and the conclusion is simple: for a connected fleet, platform security is not a feature, it is a condition for operating.
At VEV it is treated that way, in how the platform is designed, operated, tested and improved.
Hanno Klausmeier, VP Software Engineering, has also written a detailed blog to the security criteria to assess when choosing a platform. To understand in more detail how VEV IQ protects your operation, get in touch. We will be happy to walk you through our approach, together with your security team if you wish. Feel free to contact us.
15 July, 2026