Analysis

Norwegian public transport operator Ruter has identified a significant cybersecurity vulnerability in Chinese-made Yutong electric buses, revealing the manufacturer's remote access capabilities for software updates and diagnostics. This access theoretically allows the manufacturer to halt or render buses inoperable, posing a direct operational risk to critical infrastructure. In response, Ruter is implementing stricter security protocols, developing firewalls, and revising future procurement requirements to mitigate these risks. The findings, which showed Yutong buses support over-the-air updates unlike older Dutch models, underscore broader industry concerns regarding remote control in electric vehicles, as evidenced by a recent U.S. probe into Tesla's remote command features. While Yutong states data is encrypted and stored in Germany for maintenance, the inherent access capability raises questions about supply chain security and potential geopolitical implications. Danish transport company Movia is also reviewing similar cybersecurity risks, highlighting a regional and potentially global concern. Experts from the University of South-Eastern Norway emphasize that this is not solely a "Chinese bus concern" but a systemic issue for "all types of vehicles and devices with these kind of electronics built in." This broadens the scope beyond specific manufacturers, suggesting a need for enhanced regulatory frameworks and industry standards for connected vehicles. The moderately negative sentiment and cautious tone reflect the potential for increased scrutiny on EV manufacturers and public transport operators globally.