¯
Securing Connected Battery Systems - Strengthening India's Cyber-Physical Security Framework
July 17, 2026

Context:

  • The recent incident in Delhi, where certain e-rickshaws were remotely disabled through vulnerabilities in their Battery Management Systems (BMS), has highlighted a new dimension of cyber-physical security.
  • While the controversy initially centred on Chinese-origin applications, the episode underscored a deeper challenge—the cybersecurity of software-defined, connected battery systems.
  • As batteries increasingly power critical infrastructure, India requires a comprehensive regulatory framework to ensure their digital resilience.

Why the Incident Matters?

  • Certain diagnostic applications exploited weak authentication and default Bluetooth credentials in BMS, enabling unauthorised access.
  • The apps were originally designed for battery diagnostics, maintenance and health monitoring, but poor access controls allowed misuse.
  • This represents India's first prominent cyber-physical security incident involving connected battery systems.
  • The core concern is insecure system design, not merely the country of origin of the software.

Growing Importance of Connected Battery Systems:

  • Modern batteries are no longer passive storage devices but software-controlled, network-connected systems used in -
    • EVs and e-rickshaws
    • Grid-scale Battery Energy Storage Systems (BESS)
    • Telecom towers
    • Warehouses and ports
    • Industrial automation
    • Defence platforms
  • A successful cyberattack on such systems could disrupt essential services, threaten public safety and undermine critical infrastructure.

Current Institutional Framework in India:

  • Indian Computer Emergency Response Team (CERT-In):
    • It issues cybersecurity advisories and incident response guidelines.
    • Promotes secure software development frameworks, coordinated vulnerability disclosure, Software Bills of Materials (SBOMs), and security guidance for AI-assisted software vulnerabilities.
    • Limitation: Guidelines remain largely non-binding and do not prescribe cybersecurity standards specifically for connected BMS.
  • National Critical Information Infrastructure Protection Centre (NCIIPC):
    • Protects critical sectors such as power, transport, and telecommunications.
    • Covers battery storage systems only when integrated into designated critical infrastructure.
    • Limitation: Consumer batteries, EVs, commercial storage systems and e-rickshaws remain largely outside its jurisdiction.
  • Sectoral regulators:
    • Central Electricity Authority (CEA): Focuses on organisational cybersecurity and functional safety.
    • Department of Telecommunications (DoT) and MeitY: Introduced security assurance mechanisms for connected devices, including authentication, secure software updates, and vulnerability disclosure.
    • Gap: Existing standards do not explicitly address Bluetooth-enabled BMS or battery-management applications.
  • Automotive safety standards:
    • Following EV fire incidents, India introduced AIS-156 and AIS-038 Rev.2.
    • These primarily address battery fires, thermal propagation, electrical abuse, and mechanical safety.
    • Recently introduced AIS-189 establishes vehicle cybersecurity management requirements throughout the vehicle lifecycle.
    • Limitation: Its coverage does not adequately extend to many electric two-wheelers and e-rickshaws using connected BMS.

Regulatory Gaps and Importance of Digital Supply Chain Security:

  • Major regulatory gaps:
    • Absence of a unified cybersecurity framework for connected battery systems. Weak authentication and access-control mechanisms in BMS.
    • Limited oversight of software vulnerabilities in battery products. Fragmented institutional responsibilities.
    • Insufficient regulation of digital supply chains involved in battery manufacturing.
  • Importance:
    • Modern batteries involve globally distributed components - hardware, firmware, Cloud services, and software libraries maintained by multiple developers.
    • Therefore, battery security depends not only on physical components but also on the integrity, traceability and security of the digital supply chain.

Global Best Practices:

  • US: Secure Software Development Framework (SSDF); Software Bills of Materials (SBOMs); emphasis on software provenance, lifecycle security and vulnerability management.
  • EU: Cyber Resilience Act; Digital Battery Passport; focuses on firmware integrity, software traceability and lifecycle monitoring.
  • United Kingdom: The Product Security and Telecommunications Infrastructure (PSTI) Act mandates ban on default passwords, responsible vulnerability disclosure, and transparency regarding software security support.

Way Forward for India: Rather than creating an entirely new regulatory regime, India can strengthen its existing framework by -

  • Integrating CERT-In guidelines into battery standards.
  • Mandating Software and Hardware Bills of Materials (SBOM/HBOM) for battery products.
  • Enforcing secure software development practices throughout battery manufacturing.
  • Requiring rigorous testing and verification of imported hardware, firmware and software.
  • Strengthening authentication, encryption and access-control mechanisms for BMS.
  • Establishing lifecycle cybersecurity audits for connected battery products.
  • Promoting coordinated vulnerability disclosure and timely software updates.

Conclusion:

  • The Delhi e-rickshaw incident illustrates that India's expanding digital infrastructure faces emerging cyber-physical risks.
  • Therefore, a comprehensive framework will strengthen India's technological resilience while ensuring that digital trust—not geopolitical origin—becomes the foundation of battery security.

Enquire Now