Volza Data Reveals 80–85% of EV Charger Components in India Imported from China, Highlighting Heavy Dependence on Chinese Supply
A recent cyberattack on Jaguar Land Rover (JLR), which forced the automaker to suspend operations at three of its UK facilities for nearly a month, has reignited debate about cybersecurity across the global auto industry — and it has triggered new scrutiny of India’s fast-growing electric vehicle (EV) ecosystem.
As India embarks on an ambitious plan to install over 72,000 public EV charging stations under the PM E-Drive scheme by FY28, industry insiders and cybersecurity experts warn that heavy reliance on Chinese components in EV chargers could introduce serious vulnerabilities — from vehicle hijacking to grid-level intrusion.
The backdrop: JLR attack and India’s charger ambitions
The JLR breach, though external to India, has served as a warning: auto and mobility infrastructure are now high-value cyber targets. In that case, attackers reportedly gained footholds in IT systems tied to factory operations, forcing a near-month downtime at multiple plants.
In India, the timing is sensitive. The government has earmarked about ₹2,000 crore to underwrite the expansion of public charging infrastructure. Under PM E-Drive, the state will cover up to 80% of upstream infrastructure costs (cables, transformers, power supply) and 70% of the EVSE (charging equipment) costs in cities and along highways; for chargers on government premises, it will subsidize 100% of costs. In parallel, the policy mandates localization of 12 key components (software modules, charging guns, panel boards, etc.).
However, despite policy nudges, industry participants estimate that localization hasn’t exceeded 50%, and 80–85% of charger components in India are still imported from China according to trade data from Volza.
That dependence leaves India exposed at a time when Beijing has tightened export controls on lithium-ion batteries and rare-earth magnets, two critical inputs for EVs, heightening worries about supply chain chokepoints.
More EV News
Why Chinese components pose a cyber-risk
India’s EV charging infrastructure may be vulnerable not only to electrical faults but to cyber threats built into hardware, firmware, or data links. As EVSEs evolve into smart, connected devices, their cybersecurity posture becomes as vital as their electrical safety.
“A charger today is not just a power device; it is a digital interface that talks to the vehicle, the grid, and the user’s app,” said Anshuman Divyanshu, CEO of Exicom’s EVSE unit. The integrity of hardware, firmware and communication pathways is central to securing the network.
One particular risk arises from how chargers communicate with a vehicle’s internal systems — especially via Vehicle-to-Grid (V2G) or Vehicle-to-Infrastructure (V2I) protocols. According to Shantanu Das, chief architect at Sasken Technologies, malicious actors could exploit these links for unauthorized diagnostics, ECU flashing, or deeper system manipulation.
The danger extends beyond vehicles: EV chargers are connected to power grids, network back-ends, payment gateways and cloud systems. A compromised charger could thus act as a pivot to attack broader infrastructure.
An Electronic Control Unit (ECU) in an EV orchestrates functions from battery management to diagnostics. If an attacker gains control over any component connected to or communicating with the ECU, they could disrupt charging or, in extreme cases, remotely disable vehicles.
Sharif Qamar, Associate Director at TERI, notes that sometimes EVs built in China may cross into India and use our charging infrastructure. The complexity of software and hardware interactions in such cases introduces data and informational vulnerabilities.
A senior executive at a charging infrastructure firm (speaking on condition of anonymity) added that the interface between the charging gun connector and the battery management system is especially sensitive — EV manufacturers must carefully control how much data flows across this interface.
While India has not yet experienced a widely documented charger hack, global incidents reveal the risk is real: In 2023, Electrify America chargers were infiltrated via OS vulnerabilities. More recently, Tesla’s wall chargers were breached twice at the Pwn2Own Automotive 2025 contest in Tokyo, exposing weaknesses in EVSE systems.
In addition to software attacks, recent academic research has revealed physical-layer attacks: malicious devices inserted into charger connectors can inject signals that spoof authentication methods, causing denial of service or charger/vehicle control sabotaging. Another study demonstrated “charge manipulation attacks” on smart chargers, altering data flows to manipulate electricity demand behavior.
These risks are not theoretical — they reflect real-world vulnerabilities in common charging protocols (e.g. SAE, CCS, IEC, GB/T).
Policy, localization, and gaps in oversight
While PM E-Drive’s subsidy scheme attempts to spur domestic manufacturing, the road ahead is challenging. Key issues:
- Localization is slow: The PMP allows import of certain charger parts until a cut-off date to support ramp-up, but many software and hardware modules remain heavily dependent on overseas suppliers.
- Lack of cybersecurity standards: Though chargers must be tested and approved by certified agencies, the government has not yet issued detailed cybersecurity guidelines specific to EVSE systems, leaving oversight gaps.
- Dependence on imports: Even with incentives, many EVSE manufacturers still rely on foreign (mostly Chinese) chips, connectors, and power modules.
- Recall risks and reputational damage: OEMs are increasingly wary of potential cybersecurity recalls and are pushing for higher local content in critical parts to reduce liability.
In response, companies such as Exicom are doubling down on their India-made software stacks. “Our chargers run on Exicom’s own OS, firmware, and controller architecture, all developed in India,” says Divyanshu. “Every layer is rigorously tested, encrypted, vetted — we consider it non-negotiable.”
Manasvi Sharma, CEO of EVERTA, emphasises the dual focus: while hardware localization is central, companies must continually evolve protocols and safety checks, because threats will intensify over time.
The urgency: India’s EV expansion and security imperative
India’s EV adoption is surging. In FY25, sales grew by 17% to 1.9 million units (according to the Vahan registry) — and analysts estimate the domestic EV sector, currently valued at US $137 billion, could reach $203 billion by 2030 (CAGR ~8.2%).
Yet only about 4.8% (≈ 95,000) of those sold vehicles were electric cars; two years ago the share was just 2.6%. Meanwhile, India had ~29,200 public EV chargers as of August end, per data cited in the Lok Sabha.
As charger density scales, the stakes of insecure infrastructure grow larger.
From a business perspective, local manufacturing not only unlocks subsidies but also helps win trust from charge point operators (CPOs), who increasingly demand secure, India-made systems.
Exicom, already manufacturing in Gurugram, is setting up a new facility in Hyderabad, slated to go live by end-2025. The company aims to derive 50% of its revenue from its EV charger business by 2030.
What it will take: securing India’s EV future
To build a resilient, indigenous EV charging ecosystem, key actions are urgently needed:
- Formulate explicit cybersecurity standards for EV chargers
The government should define mandatory cybersecurity protocols — akin to those in telecom and critical infrastructure — covering firmware encryption, secure boot, regular updates, anomaly detection, and certification. - Promote secure design and supply chains
Encourage domestic design of chips, controllers, communication modules, and ensure component-level vetting and audits. Incentivize developers to integrate zero-trust architectures and defend against spoofing or signal-injection attacks like “PORTulator.” - Mandate end-to-end testing and penetration audits
Beyond electrical safety certification, every EVSE should undergo vulnerability assessments, red-teaming, and field audits before deployment. - Encourage architecture segmentation
Charging infrastructure should separate networks: isolate payment/data networks, grid control, and vehicle comms, minimizing lateral attack paths. - Mandate local firmware and OTA update control
Encourage chargers to host firmware update mechanisms under local oversight. Imports of “black-box” firmware should be restricted. - Establish incident response standards and reporting norms
Require CPOs and charger OEMs to follow standardized protocols for breach disclosures, emergency patching, and network segmentation in case of compromise. - Promote awareness and skill development
Support training programs in EV cybersecurity for hardware engineers, firmware developers, and security auditors. - Accelerate component manufacturing capacity
Through incentives, R&D funding, and demand guarantees, nurture local component makers to reduce dependence on external suppliers — especially Chinese.
Conclusion
India’s ambitious green mobility push hinges not only on installing chargers, but on ensuring those chargers are secure. The spectre of imported vulnerabilities — whether hardware, firmware or signal-level — is real, and the cost of neglecting cyber risks could be steep: fleet-wide disruptions, vehicle hijacking, grid attacks, or reputational collapse.The JLR incident serves as a reminder: cyber threats don’t respect geography. For India, building a truly indigenous, trusted, cyber-secure EV ecosystem is not optional — it is a prerequisite for the grid to go fully electric. The next few years will test whether policy, industry and security converge fast enough to keep pace.
