Leading-edge security for your
charging infrastructure
Our platform ensures top-tier protection by adhering to critical infrastructure security standards, to guaranty your peace of mind. Be it for data protection, or access permissions, we always go for the most solid solutions that deliver 99,7% uptime.
Both Websockets and OCPP connections support:
- Security Profile 1 – Basic Security with HTTP Basic Authentication
- Security Profile 2 – TLS with Basic Authentication
- Security Profile 3 – TLS with Client-side Certificates
- Pro-active authorisation of charging stations at the first connect by admin users
99.7% uptime
- Highly available encapsulated and self-contained microservice stacks
- State and health monitoring of encapsulated stacks
- Automatic relaunch and/or migration microservices
- State, health and load monitoring of microservice hosting server clusters
Data protection
- All data is encrypted at rest
- Each data point is associated to a specific infrastructure, identifiable by UUID
- Access to data is possible only when access is given to a specific side operated by one microservice stack
- All connections use TLS
- Only server-less data processing functions executing data access/modification logic have respectively read/write permissions to the databases.
Server cluster for hosting of microservices
- Azure Bastion Host for inbound access to VMs
- NSG (Network Security Groups) for secure traffic to VMs
- Load balancing for port 443
- Health robe for TCP and HTTP
- Firewall with outbound rules on the load balancer for VMs for internet access – alternatively, VMs can be VPN (Wireguard) connected to the CPMS
Authentication: client accounts
- Stores user authentication data, all data is encrypted at rest
- All data is encrypted in transit during the authentication process, uses only SSL/TLS connections
- Uses OAuth 2.0 flow to authenticate users
- All API requests must have obtained JWT
- All the accounts have the possibility to enable Multi-factor authentication. Admin accounts have MFA mandatory and by default enabled.
- Client admin accounts can view and manage all the clients’ accounts, including deleting, restricting access
Authorization: access permissions
- Stores mapping from users to accessible infrastructures
- All data is encrypted at rest
- Checked on every request
- Allows for 3 permission levels: Admin, User with access to all client's infrastructure, User with access only to subset of client's infrastructure
Microservice stacks
- Via MQTT over WebSocket Secure. All traffic is sent through TLS
- To an endpoint specific to our AWS account, requiring AWS Root CA certificates
- Using a certificate created specifically for that device. Permissions attached to the certificate only allow to publish/subscribe to specific topics, all topics contain the devices UUI preventing any cross-device or cross-client access
- Each connection is identifiable a a specific device (certificate) and is monitored across multiple metrics (Authorization failures, Connection attempts, Disconnected duration, Disconnects, message size, maximum/minimum message size, messages received, messages sent, source IP).
- Each certificate can be revoked, existing connections can be disconnected by an admin
- Daily security audits are performed, based for policies and certificates using IoT Device Defender
- ML based alarm triggering on anomalies and usual traffic based on historic data using IoT Device Defender
Get started with FLEXECHARGE
Contact our team to learn more about what we can help you achieve with our open, vendor agnostic platform and powerful solutions.