Context:
- The recent incident in Delhi, where certain e-rickshaws were remotely disabled through vulnerabilities in their Battery Management Systems (BMS), has highlighted a new dimension of cyber-physical security.
- While the controversy initially centred on Chinese-origin applications, the episode underscored a deeper challenge—the cybersecurity of software-defined, connected battery systems.
- As batteries increasingly power critical infrastructure, India requires a comprehensive regulatory framework to ensure their digital resilience.
Why the Incident Matters?
- Certain diagnostic applications exploited weak authentication and default Bluetooth credentials in BMS, enabling unauthorised access.
- The apps were originally designed for battery diagnostics, maintenance and health monitoring, but poor access controls allowed misuse.
- This represents India's first prominent cyber-physical security incident involving connected battery systems.
- The core concern is insecure system design, not merely the country of origin of the software.
Growing Importance of Connected Battery Systems:
- Modern batteries are no longer passive storage devices but software-controlled, network-connected systems used in -
- EVs and e-rickshaws
- Grid-scale Battery Energy Storage Systems (BESS)
- Telecom towers
- Warehouses and ports
- Industrial automation
- Defence platforms
- A successful cyberattack on such systems could disrupt essential services, threaten public safety and undermine critical infrastructure.
Current Institutional Framework in India:
- Indian Computer Emergency Response Team (CERT-In):
- It issues cybersecurity advisories and incident response guidelines.
- Promotes secure software development frameworks, coordinated vulnerability disclosure, Software Bills of Materials (SBOMs), and security guidance for AI-assisted software vulnerabilities.
- Limitation: Guidelines remain largely non-binding and do not prescribe cybersecurity standards specifically for connected BMS.
- National Critical Information Infrastructure Protection Centre (NCIIPC):
- Protects critical sectors such as power, transport, and telecommunications.
- Covers battery storage systems only when integrated into designated critical infrastructure.
- Limitation: Consumer batteries, EVs, commercial storage systems and e-rickshaws remain largely outside its jurisdiction.
- Sectoral regulators:
- Central Electricity Authority (CEA): Focuses on organisational cybersecurity and functional safety.
- Department of Telecommunications (DoT) and MeitY: Introduced security assurance mechanisms for connected devices, including authentication, secure software updates, and vulnerability disclosure.
- Gap: Existing standards do not explicitly address Bluetooth-enabled BMS or battery-management applications.
- Automotive safety standards:
- Following EV fire incidents, India introduced AIS-156 and AIS-038 Rev.2.
- These primarily address battery fires, thermal propagation, electrical abuse, and mechanical safety.
- Recently introduced AIS-189 establishes vehicle cybersecurity management requirements throughout the vehicle lifecycle.
- Limitation: Its coverage does not adequately extend to many electric two-wheelers and e-rickshaws using connected BMS.
Regulatory Gaps and Importance of Digital Supply Chain Security:
- Major regulatory gaps:
- Absence of a unified cybersecurity framework for connected battery systems. Weak authentication and access-control mechanisms in BMS.
- Limited oversight of software vulnerabilities in battery products. Fragmented institutional responsibilities.
- Insufficient regulation of digital supply chains involved in battery manufacturing.
- Importance:
- Modern batteries involve globally distributed components - hardware, firmware, Cloud services, and software libraries maintained by multiple developers.
- Therefore, battery security depends not only on physical components but also on the integrity, traceability and security of the digital supply chain.
Global Best Practices:
- US: Secure Software Development Framework (SSDF); Software Bills of Materials (SBOMs); emphasis on software provenance, lifecycle security and vulnerability management.
- EU: Cyber Resilience Act; Digital Battery Passport; focuses on firmware integrity, software traceability and lifecycle monitoring.
- United Kingdom: The Product Security and Telecommunications Infrastructure (PSTI) Act mandates ban on default passwords, responsible vulnerability disclosure, and transparency regarding software security support.
Way Forward for India: Rather than creating an entirely new regulatory regime, India can strengthen its existing framework by -
- Integrating CERT-In guidelines into battery standards.
- Mandating Software and Hardware Bills of Materials (SBOM/HBOM) for battery products.
- Enforcing secure software development practices throughout battery manufacturing.
- Requiring rigorous testing and verification of imported hardware, firmware and software.
- Strengthening authentication, encryption and access-control mechanisms for BMS.
- Establishing lifecycle cybersecurity audits for connected battery products.
- Promoting coordinated vulnerability disclosure and timely software updates.
Conclusion:
- The Delhi e-rickshaw incident illustrates that India's expanding digital infrastructure faces emerging cyber-physical risks.
- Therefore, a comprehensive framework will strengthen India's technological resilience while ensuring that digital trust—not geopolitical origin—becomes the foundation of battery security.