
Firewall segmentation

Firewall segmentation is the practice of using firewall rules and network zoning to separate EV chargers and charging-related systems from other networks (corporate IT, building systems, guest Wi-Fi) so that only necessary traffic is allowed between them. It reduces cyber risk, limits the blast radius of incidents, and improves operational reliability by making charger connectivity predictable and controlled.

What Is Firewall Segmentation?

Firewall segmentation combines two ideas:
– Segmentation: placing devices into separate network zones (often VLANs/subnets)
– Firewall policy: tightly controlling which zones can communicate, on which ports, and to which destinations
In EV charging deployments, segmentation typically isolates:
– EV chargers (EVSE)
– Site routers/gateways and connectivity equipment
– Back-office systems (CPMS access, monitoring tools)
– Payment terminals (if present)
– Corporate networks and building management systems

Why Firewall Segmentation Matters for EV Charging

– Prevents lateral movement if a charger or IoT device is compromised
– Protects corporate IT and building systems from exposure through chargers
– Reduces risk of ransomware spread across shared site networks
– Improves uptime by reducing network noise and unintended access issues
– Supports compliance expectations in tenders and cybersecurity audits
– Makes troubleshooting easier by defining clear connectivity pathways

Common Segmentation Zones for Charging Sites

A practical zone model often includes:
– EVSE zone: chargers only
– Operations/management zone: authorized maintenance workstations and tools
– Corporate zone: business systems, employee devices
– Guest zone: public Wi-Fi, visitor devices
– BMS/OT zone: building management and operational technology
– Payment zone: payment terminals and related services (where applicable)

The firewall sits between these zones and enforces policy.

Typical Firewall Segmentation Rules

A common “least privilege” policy set for EV chargers includes:
– EVSE zone → allow outbound to CPMS endpoints (TLS), DNS, NTP
– EVSE zone → block inbound from the internet
– Corporate/Guest zones → block direct access to EVSE zone
– Operations zone → allow limited, authenticated management access (prefer VPN + allowlist)
– EVSE zone → restrict east-west traffic (charger-to-charger) unless required
– Log and alert on denied traffic and repeated scans
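The policy set above, expressed as an added worked example (not code from the original page): a small evaluator that maps addresses to the zones listed earlier and applies the rules in order, falling through to default-deny. The site subnets, CPMS/DNS/NTP addresses, VPN concentrator address and management port are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed site addressing plan; real deployments substitute their own.
ZONES = {
    "evse":       ip_network("10.10.20.0/24"),
    "operations": ip_network("10.10.30.0/24"),
    "corporate":  ip_network("10.10.40.0/24"),
    "guest":      ip_network("10.10.50.0/24"),
    "services":   ip_network("10.10.1.0/24"),   # local DNS/NTP
}
# Hypothetical allowlisted destinations for the charger zone.
CPMS_ENDPOINTS = {ip_address("203.0.113.10")}
DNS_NTP_SERVERS = {ip_address("10.10.1.53"), ip_address("10.10.1.123")}
VPN_CONCENTRATOR = ip_address("10.10.30.1")     # only allowlisted management source
MGMT_PORT = 443                                  # assumed charger management port

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def decide(src, dst, proto, dport):
    """Evaluate one flow and return (verdict, rule_name).

    Rules are checked in order; whatever matches nothing falls through to
    default-deny, which is what makes the policy least-privilege.
    """
    src, dst = ip_address(src), ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == "evse":
        if dst in CPMS_ENDPOINTS and proto == "tcp" and dport == 443:
            return "allow", "evse-to-cpms-tls"
        if dst in DNS_NTP_SERVERS and proto == "udp" and dport in (53, 123):
            return "allow", "evse-to-dns-ntp"
        if dz == "evse":
            return "deny", "evse-east-west-blocked"
        return "deny", "evse-outbound-default-deny"
    if dz == "evse":
        if sz == "internet":
            return "deny", "internet-inbound-blocked"
        if sz in ("corporate", "guest"):
            return "deny", "corp-guest-to-evse-blocked"
        if sz == "operations" and src == VPN_CONCENTRATOR and proto == "tcp" and dport == MGMT_PORT:
            return "allow", "ops-vpn-management"
        return "deny", "evse-inbound-default-deny"
    return "deny", "default-deny"
```

Running a commissioning checklist of expected flows through decide() before the rules go live is a cheap way to catch an allowlist gap (firmware update host, certificate renewal endpoint) without touching production.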

Segmentation Approaches Used in Deployments

VLAN-Based Segmentation

– Separate VLAN for chargers with its own subnet
– Firewall rules between VLANs control traffic flow
This is common in commercial buildings and depots with managed networks.

Cellular + Private Networking

– Chargers use cellular connectivity (often with private APN/VPN)
– Chargers are not reachable from the public internet
This reduces dependency on site IT policies and can simplify rollout across many sites.

Site Gateway Model

– Chargers connect to a local gateway/router
– Gateway enforces rules and creates a secure tunnel to the CPMS
Useful where multiple chargers share a controlled connection point.

How Firewall Segmentation Supports Operations

– Reduces random inbound traffic and scanning that can destabilize weak networks
– Improves stability of OCPP connections by controlling routing and inspection policies
– Enables safer remote maintenance with time-bound access windows
– Helps isolate faults: if corporate Wi-Fi fails, the charger zone can remain stable
– Simplifies incident response by enabling zone-level containment

Best Practices for EV Charging Firewall Segmentation

– Use a dedicated EVSE VLAN/subnet with default-deny inbound rules
– Allow only required outbound destinations (domain/IP allowlists)
– Avoid exposing charger management interfaces directly to the internet
– Use VPN for maintenance access with strong authentication and audit logging
– Ensure DNS and NTP are reliable (time drift breaks logs and receipts)
– Document standard rule templates for repeatable multi-site rollouts
– Validate segmentation during commissioning (connectivity, remote commands, stability test)
– Monitor firewall logs for repeated blocks and anomalies
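For the "log and alert on denied traffic and repeated scans" rule and the monitoring practice above, an added example (not from the original page) that reads firewall deny lines and raises two kinds of alert: a source probing many ports in the EVSE zone, and a charger whose outbound flow is denied repeatedly, which usually means the outbound allowlist is missing a required endpoint. The log lines, subnet and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

EVSE_NET = ip_network("10.10.20.0/24")   # assumed charger subnet
SCAN_PORT_THRESHOLD = 5                   # distinct ports one source probes
REPEAT_THRESHOLD = 3                      # same flow denied this many times

# Constructed sample deny lines in the key=value style of iptables/nftables
# LOG output, trimmed to the fields this check uses.
SAMPLE_LOG = """\
evse-deny: SRC=10.10.40.9 DST=10.10.20.5 PROTO=TCP DPT=22
evse-deny: SRC=10.10.40.9 DST=10.10.20.5 PROTO=TCP DPT=23
evse-deny: SRC=10.10.40.9 DST=10.10.20.5 PROTO=TCP DPT=80
evse-deny: SRC=10.10.40.9 DST=10.10.20.5 PROTO=TCP DPT=443
evse-deny: SRC=10.10.40.9 DST=10.10.20.5 PROTO=TCP DPT=8080
evse-deny: SRC=10.10.20.7 DST=203.0.113.44 PROTO=TCP DPT=443
evse-deny: SRC=10.10.20.7 DST=203.0.113.44 PROTO=TCP DPT=443
evse-deny: SRC=10.10.20.7 DST=203.0.113.44 PROTO=TCP DPT=443
evse-deny: SRC=10.10.50.3 DST=10.10.20.5 PROTO=TCP DPT=443
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def parse_denies(text):
    """Yield (src, dst, proto, dport) for each deny line that parses."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield ip_address(m[1]), ip_address(m[2]), m[3], int(m[4])

def analyse(text):
    """Return alerts: sources probing many EVSE ports (possible scan) and
    chargers whose outbound flow keeps being denied (allowlist likely incomplete)."""
    ports_by_src = defaultdict(set)
    repeats = defaultdict(int)
    for src, dst, proto, dport in parse_denies(text):
        if dst in EVSE_NET:
            ports_by_src[src].add(dport)
        elif src in EVSE_NET:
            repeats[(src, dst, proto, dport)] += 1
    alerts = []
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("possible-scan", str(src), len(ports)))
    for (src, dst, proto, dport), n in repeats.items():
        if n >= REPEAT_THRESHOLD:
            alerts.append(("evse-outbound-blocked", f"{src}->{dst}:{dport}/{proto}", n))
    return alerts
```

The single denied guest-zone connection in the sample stays below both thresholds, so it is logged but not alerted; tune the thresholds to the site's normal background noise.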

Common Mistakes to Avoid

– Putting chargers on a flat corporate LAN with broad east-west access
– Allowing inbound access “for convenience” instead of using VPN
– TLS interception or deep inspection that breaks secure charger-to-CPMS sessions
– Over-restricting outbound rules and accidentally blocking firmware updates or certificate renewal
– No ownership clarity: site IT, operator, and OEM each assuming the other manages firewall rules
– Inconsistent segmentation across sites, causing unpredictable connectivity and downtime

Limitations to Consider

– Some sites cannot support VLAN changes, requiring cellular/VPN alternatives
– Third-party services (payments, roaming, monitoring) may require additional endpoints and careful allowlisting
– Segmentation reduces risk but does not replace patching, credential hygiene, and secure provisioning
– Poor documentation can turn segmentation into an operational burden during troubleshooting
