Written by Deep Pal and Sukanya Thapliyal
Lately, e-rickshaws on Delhi’s streets immediately started stalling in the midst of the street. It turned out that one might use sure Chinese language apps to disable their batteries by exploiting their Battery Administration Techniques (BMS). The Ministry of Electronics and Data Expertise (MeitY) swiftly had Google and Apple take away the errant apps, however not earlier than the acquainted debate in regards to the menace from Chinese language know-how was reignited.
Nonetheless, such a framing misses a extra vital lesson. The apps in query had been diagnostic instruments for technicians to remotely monitor battery well being, diagnose faults, and carry out upkeep. Sure BMS models accepted Bluetooth connections with weak or default credentials, permitting unauthorised customers to entry essential capabilities. Because of this the actual problem isn’t the place the software program originated, however that batteries at the moment are software-defined, linked techniques.
Vulnerabilities in them can disrupt operations or disable essential gear. That could be a important drawback contemplating that linked battery vitality storage techniques now assist energy grids, telecom tower techniques, warehouses, ports, industrial automation, and defence platforms.
The current episode was, the truth is, India’s first extensively seen demonstration of a cyber-physical safety problem stemming from a failure in authentication and entry management. India has strong establishments for cybersecurity steerage, together with the Indian Pc Emergency Response Crew (CERT-In) and the Nationwide Essential Data Infrastructure Safety Centre (NCIIPC) for essential infrastructure. Sectoral regulators and current automotive and electrical energy frameworks collectively deal with incident response, essential infrastructure safety, battery security and operational resilience. Nonetheless, a coherent technique that brings these parts collectively for linked battery techniques stays lacking.
Restricted Institutional Protection
CERT-In has steadily expanded its focus past incident response to steerage on safe software program growth, coordinated vulnerability disclosure, Software program Payments of Supplies (SBOMs), and, most just lately, safety necessities for unique gear producers in opposition to AI-assisted vulnerabilities. Whereas straight related to BMS, these tips should not binding and provide restricted steerage on cybersecurity necessities for linked battery merchandise. Vulnerabilities from insecure BMS design, weak authentication or unauthorised management interfaces stay unaddressed.
The NCIIPC, in flip, protects sectors akin to energy, transport and telecommunications. Grid-scale Battery Vitality Storage Techniques might fall inside their remit when deployed as a part of designated essential infrastructure. Nonetheless, linked battery techniques in EVs, business storage deployments and shopper BMS stay outdoors its jurisdiction.
Sectoral regulators such because the Central Electrical energy Authority of India have sought to handle battery dangers by way of fragmented lenses, specializing in organisational cybersecurity or purposeful security. The Division of Telecommunications and MeitY have launched safety assurance mechanisms for linked units, together with authentication, safe software program updates and vulnerability disclosure. Nonetheless, even these obligatory regimes don’t particularly point out Bluetooth-enabled BMS and apps used to handle them, although they management essential battery capabilities.
Following a sequence of EV fires, the Ministry of Highway Transport and Highways launched India’s automotive battery laws, together with AIS-156 and AIS-038 Rev. 2, centered on battery fires, thermal propagation, electrical abuse, and mechanical security. AIS-189, introduced just lately, establishes cybersecurity administration necessities throughout the automobile lifecycle. Nonetheless, it doesn’t lengthen to most electrical two-wheelers and e-rickshaws that depend on a linked BMS.
The Approach Ahead
Trendy battery techniques comprise {hardware} and software program sourced from world wide. A battery assembled in a single nation might depend on BMS {hardware} developed elsewhere, firmware written by a 3rd provider, cloud companies hosted in one other jurisdiction and software program libraries maintained by completely totally different builders. Consequently, the safety of the battery will depend on the integrity of its digital provide chain as a lot as its bodily one.
World laws replicate the deal with evaluating digital provide chains. The Safe Software program Improvement Framework and SBOM initiatives within the US, or the Cyber Resilience Act and the Digital Battery Passport within the EU, audit software program provenance, firmware integrity, vulnerability administration and lifecycle traceability. The UK’s Product Safety and Telecommunications Infrastructure Act establishes baseline necessities for linked units, together with prohibitions on default passwords, obligatory vulnerability disclosure insurance policies and transparency round safety assist.
India can draw on these rules with out constructing a wholly new regulatory structure. Current CERT-In steerage on safe software program growth, Software program and {Hardware} Payments of Supplies, vulnerability disclosure, and cybersecurity audits will be included into battery requirements. These will enable a battery assembled in India to include imported BMS, firmware or software program replace infrastructure developed overseas. Equally, imported {hardware} will be allowed after rigorous testing and verification of safe software program growth practices. In impact, these will finally transfer the dialog from the origin of know-how to its demonstrable trustworthiness.
Pal and Thapliyal are coverage professionals at Koan Advisory Group, a Delhi-based consultancy agency









