Ruter identifies cybersecurity risks in connected electric buses during tests

Norwegian public transport operator Ruter has shared the results of a comprehensive cybersecurity test of electric buses, conducted in an isolated mountain environment.

The trials, involving a new Yutong bus from China and a three-year-old VDL bus, identified potential risks linked to Over-The-Air software updates in modern buses. Ruter states it is now implementing measures to secure the fleet and is coordinating with national authorities to define clear cybersecurity standards.

Ruter tests finds potential cybersecurity risks

Ruter CEO Bernt Reitan Jenssen explained that the tests allowed the operator to move “from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus’s data systems.”

The trial confirmed that while the VDL buses do not support autonomous software updates Over-The-Air (OTA), the Yutong bus does, providing the manufacturer with direct digital access for software updates and diagnostics. In theory, this access could allow the bus to be stopped or rendered inoperable, though the low level of integration between critical systems makes it possible to isolate the vehicle from external contact and monitor updates before they take effect. Vulnerabilities in the Chinese software update platform were reported and have since been addressed.

However, it must be stressed that these risks cannot be attributed to the origin of the product, but rather to technological innovation introduced in new generations of buses, which now incorporate OTA updates. This applies not only to Yutong models but also to other modern buses, as the OTA capabilities are also introduced on the new Mercedes eIntouro for instance.