Analysis

Norwegian public transport operator Ruter discovered that Chinese bus manufacturer Yutong Group possesses remote access capabilities to its electric buses for software updates and diagnostics, a feature absent in Dutch competitor VDL's vehicles. This access, while intended for maintenance, theoretically allows Yutong to remotely disable or affect bus operations, raising significant security concerns for critical infrastructure. Ruter, which operates half of Norway's public transport, has over 100 Yutong buses in its fleet. This incident highlights broader industry vulnerabilities concerning remote control in electric vehicles, echoing recent U.S. regulatory probes into Tesla's remote command features. While Yutong asserts data is encrypted and stored in Germany, experts from the University of South-Eastern Norway emphasize that this is a systemic issue for all vehicles with integrated electronics, not solely a "Chinese bus concern." The general sentiment is moderately negative, reflecting increased caution around EV supply chain security. In response, Ruter is implementing stricter security requirements, developing firewalls, and collaborating with authorities on clear cybersecurity standards for future procurements. Danish operator Movia is also reviewing its risk assessments for cybersecurity and espionage on scheduled buses. This proactive stance indicates a potential shift towards more stringent regulatory oversight and contractual demands for data sovereignty and control in public transport technology acquisitions across Europe.