Recently, e-rickshaws on Delhi’s streets suddenly began stalling in the middle of the road. It turned out that one could use certain Chinese apps to disable their batteries by exploiting their Battery Management Systems (BMS). The Ministry of Electronics and Information Technology (MeitY) swiftly had Google and Apple remove the errant apps, but not before the familiar debate about the threat from Chinese technology was reignited.However, such a framing misses a more important lesson. The apps in question were diagnostic tools for technicians to remotely monitor battery health, diagnose faults, and perform maintenance. Certain BMS units accepted Bluetooth connections with weak or default credentials, allowing unauthorised users to access critical functions. This means that the real issue is not where the software originated, but that batteries are now software-defined, connected systems.AdvertisementVulnerabilities in them can disrupt operations or disable critical equipment. That is a significant problem considering that connected battery energy storage systems now support power grids, telecom tower systems, warehouses, ports, industrial automation, and defence platforms.The recent episode was, in fact, India’s first widely visible demonstration of a cyber-physical security challenge stemming from a failure in authentication and access control. India has robust institutions for cybersecurity guidance, including the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC) for critical infrastructure. Sectoral regulators and existing automotive and electricity frameworks collectively address incident response, critical infrastructure protection, battery safety and operational resilience. However, a coherent strategy that brings these elements together for connected battery systems remains missing.Limited Institutional CoverageCERT-In has steadily expanded its focus beyond incident response to guidance on secure software development, coordinated vulnerability disclosure, Software Bills of Materials (SBOMs), and, most recently, security requirements for original equipment manufacturers against AI-assisted vulnerabilities. While directly relevant to BMS, these guidelines are not binding and offer limited guidance on cybersecurity requirements for connected battery products. Vulnerabilities from insecure BMS design, weak authentication or unauthorised control interfaces remain unaddressed.AdvertisementThe NCIIPC, in turn, protects sectors such as power, transport and telecommunications. Grid-scale Battery Energy Storage Systems may fall within their remit when deployed as part of designated critical infrastructure. However, connected battery systems in EVs, commercial storage deployments and consumer BMS remain outside its jurisdiction.Sectoral regulators such as the Central Electricity Authority of India have sought to address battery risks through fragmented lenses, focusing on organisational cybersecurity or functional safety. The Department of Telecommunications and MeitY have introduced security assurance mechanisms for connected devices, including authentication, secure software updates and vulnerability disclosure. However, even these mandatory regimes do not specifically mention Bluetooth-enabled BMS and apps used to manage them, even though they control critical battery functions.Following a series of EV fires, the Ministry of Road Transport and Highways introduced India’s automotive battery regulations, including AIS-156 and AIS-038 Rev. 2, focused on battery fires, thermal propagation, electrical abuse, and mechanical safety. AIS-189, announced recently, establishes cybersecurity management requirements across the vehicle lifecycle. However, it does not extend to most electric two-wheelers and e-rickshaws that rely on a connected BMS.The Way ForwardModern battery systems comprise hardware and software sourced from around the world. A battery assembled in one country may rely on BMS hardware developed elsewhere, firmware written by a third supplier, cloud services hosted in another jurisdiction and software libraries maintained by entirely different developers. Consequently, the security of the battery depends on the integrity of its digital supply chain as much as its physical one.you may likeGlobal regulations reflect the focus on evaluating digital supply chains. The Secure Software Development Framework and SBOM initiatives in the US, or the Cyber Resilience Act and the Digital Battery Passport in the EU, audit software provenance, firmware integrity, vulnerability management and lifecycle traceability. The UK’s Product Security and Telecommunications Infrastructure Act establishes baseline requirements for connected devices, including prohibitions on default passwords, mandatory vulnerability disclosure policies and transparency around security support.How a battery ‘hacking’ app can strand an e-rickshaw — and the risks it poses | Also ReadIndia can draw on these principles without building an entirely new regulatory architecture. Existing CERT-In guidance on secure software development, Software and Hardware Bills of Materials, vulnerability disclosure, and cybersecurity audits can be incorporated into battery standards. These will allow a battery assembled in India to incorporate imported BMS, firmware or software update infrastructure developed abroad. Similarly, imported hardware can be allowed after rigorous testing and verification of secure software development practices. In effect, these will ultimately move the conversation from the origin of technology to its demonstrable trustworthiness.Pal and Thapliyal are policy professionals at Koan Advisory Group, a Delhi-based consultancy firm