▲ 1 r/ocpp+1 crossposts

What EV charging O&M issues are eating up all your time right now?

Hey everyone. I work on the networking and security side of EV charging infrastructure, and I'm trying to get a better sense of what real-world O&M teams are actually struggling with the most these days.

I'm really curious what specific issues are taking up the bulk of your time out in the field. Are there certain types of connection drops or bugs that are just notoriously difficult to diagnose or reproduce? I also imagine it can be a nightmare trying to figure out who is actually responsible when things go down—how often do you run into incidents where you can't tell if it's a charger hardware fault, a CPO backend issue, or just a bad cellular network?

Would love to hear some war stories or hear about what's causing your biggest headaches right now.

reddit.com
u/JessieOnIoT — 7 days ago

Is the single-channel OCPP approach the root cause of our high truck-roll rates?

In designing protocol security and edge computing architectures for EV infrastructure, I keep running into a structural bottleneck: relying on a single OCPP channel to handle both billing transactions and all O&M (Operations and Maintenance) telemetry.

From an engineering perspective, this single-channel approach creates massive blind spots. It lacks the fine-grained telemetry needed for predictive maintenance, makes remote troubleshooting a nightmare (leading to expensive truck rolls), and creates real security risks by mixing transaction data with debugging info.

Rather than patching a congested channel, a more robust architectural solution is physically and logically decoupling the traffic. By implementing a Dual-Channel Architecture, we can split the communication into two isolated streams:Value Stream: Pure OCPP 1.6J/2.0.1 over WSS dedicated strictly to business transactions and billing.Health Stream: A completely separate MQTT over TLS (or HTTPS) channel dedicated to 1 Hz operational telemetry, remote diagnostics, and secure O&M control.

Decoupling unlocks edge capabilities like Black Box Snapshots—automatically grabbing 30-60 seconds of grid voltage, contactor status, and internal MCU errors precisely when an OCPP failure occurs, without ever congesting the billing channel.

I'm curious about the community's approach to this. Are you still trying to stuff custom diagnostic payloads into standard OCPP messages, or are you moving towards decoupling telemetry from the business layer? How are you handling deep diagnostics remotely without sending a tech on-site?

reddit.com
u/JessieOnIoT — 27 days ago

A question for professionals in the European EV charging infrastructure industry: What are the current operational bottlenecks for legacy charging stations installed before 2021 that lack OCPP 2.0.1 support and cannot be upgraded over-the-air (OTA)?

reddit.com
u/JessieOnIoT — 1 month ago

A question for professionals in the European EV charging infrastructure industry: What are the current operational bottlenecks for legacy charging stations installed before 2021 that lack OCPP 2.0.1 support and cannot be upgraded over-the-air (OTA)?

reddit.com
u/JessieOnIoT — 1 month ago

Are there any European EV charging infrastructure professionals here? I'm curious how everyone is planning to handle the non-compliant legacy chargers installed before 2021 that cannot be upgraded remotely.

reddit.com
u/JessieOnIoT — 1 month ago

Technical Analysis: How to implement OCPP Security Profile 3 (mTLS) on legacy EV chargers?

When modernizing Electric Vehicle (EV) charging infrastructure, engineers often face a critical bottleneck: transitioning early Open Charge Point Protocol (OCPP) 1.5 or 1.6J implementations from Security Profile 0/1 (plain text WebSocket, ws://) to Security Profile 3 (mutual TLS, wss://).

While a simple Over-The-Air (OTA) firmware update seems logical, attempting to force modern cryptographic protocols onto legacy embedded Microcontrollers (MCUs) typically results in catastrophic system failure. This post breaks down the physical hardware constraints and explains how an edge-based proxy architecture solves this engineering challenge.

  1. The "Crypto-Agility" Crisis on Cortex-M3/M4 Architectures

Legacy EV chargers were designed with highly resource-constrained MCUs (such as Cortex-M3 or M4 architectures) to handle basic IO control and state machines. Upgrading these embedded systems to support modern encryption exposes three severe hardware limitations:

  • Heap Memory (RAM) Overflow: A modern TLS 1.2/1.3 protocol stack requires approximately 50 to 100 KB of heap memory to cache the certificate chain and manage the encryption context during the handshake. Since early MCUs often possess extremely limited RAM, enabling TLS causes memory overflow, leaving insufficient memory for core charging logic and resulting in system crashes.
  • CPU Overload and Watchdog Resets: The TLS handshake requires computationally intensive asymmetric encryption algorithms (like RSA or ECC). Without dedicated cryptographic hardware accelerators, a pure software decoding approach can take several seconds to complete a handshake. This excessive delay often triggers a watchdog timeout, causing the device to constantly reboot.
  • Lack of Secure Storage (Flash): Security Profile 3 requires the device to dynamically update and store trusted Root Certificate Authorities (Root CA), client certificates, and private keys. Legacy file systems are often read-only or lack a secure, partitioned Flash area, leaving private keys vulnerable to extraction.

Attempting to force modern TLS 1.2/1.3 protocol stacks onto legacy Cortex-M3/M4 microcontrollers is physically infeasible due to severe heap memory limitations and CPU watchdog timeout constraints.

  1. The Edge Security Proxy Architecture

Since upgrading the embedded endpoint is physically impossible, the standard engineering solution is deploying an Edge Security Proxy Gateway within the local area network (LAN) of the charger. This high-performance embedded Linux device acts as a hardware intermediary to offload cryptographic computation.

Bi-directional Transparent Bridging: The gateway implements a "back-to-back" proxy architecture that logically splits the network session:

  • Southbound (Local): It simulates a Central Management System (CSMS) locally, accepting unencrypted ws:// connections from the charger over a physically secured, short-distance LAN cable.
  • Northbound (Cloud): It acts as an OCPP client, initiating a highly secure wss:// mTLS connection to the cloud backend over a Wide Area Network (WAN). This process seamlessly encapsulates plain-text OCPP requests into a TLS 1.3 tunnel in milliseconds without altering the legacy endpoint.
  1. Centralized Certificate Lifecycle Management

Handling the ACME protocol or remote certificate updates is natively unsupported by early charging stations. The proxy gateway resolves this by intercepting certificate-related OCPP payloads directly.

When the cloud CSMS issues SignCertificate.req or InstallCertificate.req commands, the Linux-based gateway acts on behalf of the legacy charger. It generates the Certificate Signing Request (CSR) locally, manages the private keys, and updates the root certificates. By doing this at the proxy layer, the gateway prevents unrecognized commands from reaching the legacy backend, enabling zero-touch certificate rotation.

  1. Defense in Depth: IDS and Secure Storage

Modern cybersecurity standards (such as EN18031) mandate active network defense. A properly configured edge proxy provides capabilities that software-patched MCUs cannot:

  • Intrusion Detection System (IDS): It continuously monitors LAN traffic, identifying and blocking Denial of Service (DoS) attacks or malicious port scans before they exhaust the fragile legacy MCU.
  • Secure Storage Mechanism (SSM): All authentication credentials and TLS private keys are heavily encrypted within the proxy's secure storage, preventing key extraction even in the event of hardware teardowns.

By decoupling cryptographic processing from legacy embedded hardware, network engineers can achieve compliance with the strictest cybersecurity standards without destabilizing the core charging functionality.

reddit.com
u/JessieOnIoT — 2 months ago