The basics of Plug & Charge

Marc Mültin
November 15, 2020

ISO 15118's feature for a more user-convenient and secure way of charging electric vehicles

Plug and Charge is a technological concept initially introduced by ISO 15118, the international standard for charging electric vehicles (EVs). This future-proof concept enables a more user-convenient and secure way of charging EVs and is available at any charging station that fully supports this standard. It is applicable to both wired (AC and DC charging) and wireless charging use cases.

Now that you have this foundation, let’s get into more detail. The goal of this article is for you to walk away with a thorough understanding of the entire ecosystem that comes with Plug & Charge and to see how this might impact your business model.

The cryptographic foundations of Plug & Charge

The electrical grid is a critical infrastructure and every device that connects to the grid, including EVs and charging stations, needs to provide measures to protect the grid from potential attacks. Imagine the loss of user trust in the charging infrastructure if massive amounts of charging-related information and billing data from a charging process could be manipulated by third parties. This is the reason why the Plug & Charge process requires the EV and charging station to establish and share a secure communication link. Several required actions from both sides ensure confidentiality, data integrity, and authenticity. For a successful Plug & Charge session, both the EV and charging station must be able to:

  • Encrypt and decrypt messages to make sure that no third party or malicious actor is able to eavesdrop on the communication. This ensures confidentiality.
  • Detect whether or not a received message has been tampered with on the way from the sender to the receiver. This ensures data integrity.
  • Verify that the communicating counterpart - EV or charging station - is who it claims to be. This ensures authenticity. 

Hybrid crypto systems establish confidentiality, data integrity, and authenticity

ISO 15118 specifies a set of symmetric and asymmetric cryptographic algorithms that secure the necessary level of confidentiality and verify both the integrity and the authenticity of the data exchanged. Confidentiality is achieved with a symmetric-key algorithm that uses the same (symmetric) key to encrypt a message on the sender’s side and to decrypt the resulting cipher text on the receiver’s side. This requires the EV and charging station to agree upon a symmetric key at the beginning of each charging session. Verifying authenticity and data integrity, on the other hand, are features that can only be realised through asymmetric cryptography, which uses a key pair composed of a private and a public key. Both keys are mathematically linked to each other in such a way that a message encrypted with a public key can only be decrypted with its corresponding private key, and vice versa. The private key must be kept secret and is only used by the entity to which it belongs in order to create digital signatures. The public key is distributed to peers in the same ecosystem and used to verify the signature that was created with the associated private key. This process ensures that the EV and charging station establish trust in the authenticity and integrity of the messages they send to each other.

The use of private and public keys in asymmetric crypto systems

ISO 15118 follows a common hybrid approach: using asymmetric-key algorithms to create and verify digital signatures and to agree upon a symmetric key, which can then be used to encrypt/decrypt all messages during a charging session with a symmetric-key algorithm.

The pros and cons of symmetric and asymmetric crypto systems

  • The Transport Layer Security (TLS v1.2) protocol is used to establish the encrypted communication session.
  • A key agreement protocol, called Elliptic Curve Diffie-Hellman (ECDH), is used to mutually agree upon a shared (symmetric) TLS session key that is valid for one charging session.
  • The symmetric block cipher AES-128, in CBC mode (ISO 15118-2) or GCM mode (ISO 15118-20), is deployed to encrypt and decrypt all messages during a charging session using the symmetric TLS session key.
  • The Elliptic Curve Digital Signature Algorithm (ECDSA) is then used to verify the authenticity of the sender and the integrity of the received message (it uses SHA-256 as its cryptographic hash function).
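The hybrid scheme listed above, as an added Go example (not code from the article or from the standard): both sides agree on a key with ECDH, protect a message with AES-128-GCM, and authenticate it with ECDSA over SHA-256. It runs outside TLS; the function names, the sample message and the hash-based key derivation are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sessionCipher turns an ECDH shared secret into an AES-128-GCM cipher. Hashing the
// secret is an assumption of this demo: TLS uses its own key-derivation function.
func sessionCipher(own *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	secret, _ := own.ECDH(peer) // cannot fail here: both keys are on P-256
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:16]) // first 128 bits become the AES key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// exchange sends one signed, encrypted message from station to EV; tamper flips a bit in transit.
func exchange(msg string, tamper bool) (string, bool, error) {
	evKey, _ := ecdh.P256().GenerateKey(rand.Reader) // per-session key pairs
	stKey, _ := ecdh.P256().GenerateKey(rand.Reader)
	signKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // station's signing key
	digest := sha256.Sum256([]byte(msg))
	sig, _ := ecdsa.SignASN1(rand.Reader, signKey, digest[:]) // station signs SHA-256(msg)
	station := sessionCipher(stKey, evKey.PublicKey())
	nonce := make([]byte, station.NonceSize())
	rand.Read(nonce)
	wire := station.Seal(nil, nonce, []byte(msg), nil) // station encrypts
	if tamper {
		wire[0] ^= 1
	}
	ev := sessionCipher(evKey, stKey.PublicKey()) // EV derives the same key from its side
	out, err := ev.Open(nil, nonce, wire, nil)
	if err != nil {
		return "", false, err // GCM tag mismatch: integrity check failed
	}
	got := sha256.Sum256(out)
	return string(out), ecdsa.VerifyASN1(&signKey.PublicKey, got[:], sig), nil
}

func main() {
	fmt.Println(exchange("constructed charging message", false))
	fmt.Println(exchange("constructed charging message", true))
}
```

The first call returns the plaintext with a valid signature; the second returns an authentication error because the modified ciphertext no longer matches its GCM tag.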

Public Key Infrastructures as the basis of Plug & Charge 

ISO 15118 outlines an ecosystem of digital certificates that need to be in place for Plug & Charge to work. This is where public key infrastructures (PKIs) come into play. A PKI is a tree-like, hierarchical structure of trusted third parties called certificate authorities (CAs). These CAs manage the creation, storage, distribution, and revocation of digital certificates. A digital certificate is an electronic document used to verify that a public key belongs to an authorised party. It is, therefore, also known as a public key certificate. One example of a common PKI is a building’s security system where you present an ID card to a card reader at the door to enter. A certificate stored on the card lets the reader verify whether or not you’re allowed access to the building. The motivation for establishing a PKI is to provide a framework for: verifying the identity of people and devices, enabling confidential communication, and guaranteeing controlled access to resources. In the case of ISO 15118, the certificates used to authenticate and authorise access are issued to electric vehicles, charging stations, and the other market participants that are essential to the Plug & Charge process. The image below shows the set of CAs and certificates that are required and must be managed to enable secure and trusted communication among all involved parties. Acting as a trusted third party, any CA is responsible for validating the identity of a certificate holder before issuing the corresponding certificate.

E-mobility market roles and their associated PKIs as defined by ISO 15118

Establishing trust between the EV and charging station using a TLS handshake

Let’s use the example of the charge point operator (CPO). A V2G root CA acts as the top-level trust anchor, meaning that all market participants in this set of PKIs need to consider the V2G root CA a trustworthy organisation. This V2G root CA issues and digitally signs the certificate for the subordinate CA (CPO sub-CA 1, e.g. an international charge point operator), which, in turn, issues and signs the certificate for the CPO sub-CA 2 (e.g. the country-level branch of that same CPO). The CPO sub-CA 2 then issues and signs the SECC certificate (also known as the charging station certificate in ISO 15118). SECC is short for supply equipment communication controller, which is the control unit that runs the ISO 15118 communication protocol. The counterpart on the EV side is called EVCC.

ISO 15118 specifies that at least one and at most two sub-CAs are needed per PKI to establish the chain of trust between a trust anchor (root) and the corresponding end-entity (leaf) certificate. It's common security practice that a root CA never directly issues and signs a leaf certificate. This means that a V2G root CA will never directly issue SECC certificates for a charging station, and a mobility operator root CA will never directly issue a contract certificate.

Let's continue with our example. These CPO certificates are used at the beginning of a Plug & Charge communication session. Here, the EVCC and SECC need to establish an encrypted communication session using what is called a Transport Layer Security (TLS) handshake. During this TLS handshake, the charging station will present its set of digital certificates (SECC certificate, CPO sub-CA 1 certificate, and optionally CPO sub-CA 2 certificate) to the EV in order to identify itself as a trustworthy charging station.

The EV will then need to verify the digital signature of all certificates - from the SECC certificate all the way up to the pre-installed V2G root CA certificate(s) - and check whether or not any of the certificates have expired. If everything is verified without issue, a TLS session is then successfully established.
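The chain check described above, as an added Go example (not from the article or from any ISO 15118 implementation): it builds a constructed V2G root, two CPO sub-CAs and an SECC certificate with the standard library, then validates the path the way the EVCC would. The names `issue` and `verifySECC`, the certificate subjects and the one-day lifetimes are assumptions; the demo certificates carry no key-usage extensions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed ECDSA P-256 demo certificate that expires at now+days.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, isCA bool, days int) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().AddDate(0, 0, -2), NotAfter: time.Now().AddDate(0, 0, days)}
	if parent == nil { // no parent: self-signed V2G root (trust anchor)
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifySECC checks signatures and validity periods from the SECC leaf up to the pre-installed root.
func verifySECC(root, leaf *x509.Certificate, subCAs ...*x509.Certificate) error {
	if n := len(subCAs); n < 1 || n > 2 {
		return fmt.Errorf("expected 1 or 2 sub-CA certificates, got %d", n)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range subCAs {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, rk := issue("V2G Root CA", nil, nil, true, 1)
	sub1, k1 := issue("CPO Sub-CA 1", root, rk, true, 1)
	sub2, k2 := issue("CPO Sub-CA 2", sub1, k1, true, 1)
	secc, _ := issue("SECC", sub2, k2, false, -1) // expired yesterday
	fmt.Println(verifySECC(root, secc, sub1, sub2))
}
```

Run as is, it prints the expiry error for the SECC certificate; issuing the leaf with a positive lifetime makes the same call return nil.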

Illustration of the CPO certificates that the charging station presents to the EV during a TLS handshake

The EV uses a contract certificate for seamless authentication and authorisation

Before the charging station permits the EV to charge its battery, the EV needs to present a valid contract certificate that will allow it to be authorised for charging.

An example of a contract certificate

This contract certificate is linked to a billing account via a unique identifier, also known as the E-Mobility Account Identifier (EMAID). You can see an example of such an EMAID in the ‘Subject’ field in the image above. Here, the EMAID is ‘DE-8AA-1A2B3CD5-9’. The owner of the EV needs to sign up with a mobility operator (MO) to create a billing account. Synonyms for the mobility operator are e-mobility service provider (EMSP) and e-mobility provider (EMP). The MO will then take care of provisioning the contract certificate to the EV through a series of well-orchestrated steps, as outlined in a specification called VDE application guide (VDE-AR-E 2802-100-1). After the EV has presented its contract certificate to the charging station and is authorised by the driver's mobility operator, it can start charging its battery according to the charging schedule that was negotiated with the charging station.

VDE application guide VDE-AR-E 2802-100-1: the blueprint for the Plug & Charge ecosystem

ISO 15118 only defines the direct message exchange between the EV and charging station, like a Certificate Installation Request / Response message pair to install a new contract certificate. To issue and properly install the aforementioned contract certificate into an EV, several more market roles must be involved including the mobility operator (MO), charge point operator (CPO), and car manufacturer (OEM). Their interaction hasn’t been fully defined in the ISO 15118 specification. That’s where the VDE application guide VDE-AR-E 2802-100-1 comes in: this guide closes the specification gaps and serves as the blueprint for establishing a complete and well-orchestrated Plug & Charge ecosystem. To actively participate in the Plug & Charge ecosystem with your product or service, you’ll need to set up the corresponding business processes and implement the interfaces to other market roles in this interconnected system architecture. One market-ready operator of such a Plug & Charge and PKI ecosystem is Hubject. However, more and more companies like are working on providing the necessary services to also facilitate this PKI ecosystem for Plug & Charge. The image below shows an overview of the various processes and interfaces that need to be in place in order to provision a new contract certificate to an EV. Read the image counter-clockwise, starting in the upper left corner.

Big picture overview of the processes and interfaces needed to provision a contract certificate to the EV. Source: VDE-AR-E 2802-100-1.

Next to the well-known market roles in the e-mobility industry (OEM, CPO, MO), you’ll also notice new roles depicted in this illustration, such as data pool operators and a certificate provisioning service. All of these independent roles collaborate closely to ensure that this ecosystem works like a well-oiled machine. As a co-author of this specification, I am certainly a believer in its potential to benefit the e-mobility industry as a whole. For step-by-step guidance through the intricacies of this VDE application guide, check out our latest online course: The Plug & Charge Ecosystem.

Marc Mültin
Marc, the Founder and CEO of Switch, has over 13 years of experience in the e-mobility space and holds a PhD in Computer Science. He is the leading global expert and co-author of international EV communication standards (ISO 15118 & OCPP 2.0.1) that underpin the Switch platform.