We have conducted a comprehensive safety test of electric buses
– This comprehensive and unique test enables us to implement the proper protection in the buses. Public transport in Oslo and Akershus should have access to the best technology – and the best safety, says Bernt Reitan Jenssen, CEO of Ruter.
A brand new Yutong bus from China and a three-year-old VDL from the Netherlands were tested, and we wanted to examine two specific scenarios:
- Surveillance: The buses' cameras are not connected to the internet – there is no risk of image or video transmission from the buses.
- The Chinese supplier has digital access to control systems for software updates and diagnostics. In theory, this could be exploited to affect the bus.
The testing revealed risks that we are now taking measures against. National and local authorities have been informed and must assist with additional measures at a national level.
The main findings of the test are:
VDL buses and software
The Dutch buses from VDL do not have the capability for autonomous software updates Over The Air (OTA). Therefore, they are not that interesting.
Yutong buses and software
On the other hand, the Chinese bus from Yutong has the capability for autonomous software updates (Over The Air). This means that the manufacturer has direct digital access to each individual bus for software updates and diagnostics.
There is access to the control system for battery and power supply via mobile network through a Romanian SIM card. In theory, therefore, this bus can be stopped or rendered inoperable by the manufacturer. There is a low degree of integration between the systems in the bus and there is only one way out and to the bus's critical functionality. This makes it easy to isolate it from contact with the outside world. We can also delay the signals to the bus, so that we can gain insight into the updates being sent before they reach the bus. Such mechanisms are now being implemented.
Yutong buses and platform
Experts have uncovered vulnerabilities in a Chinese software update platform that counts Yutong among its clients. The vulnerabilities were reported to the platform provider and have now been addressed.
Optimism among experts
Experts are optimistic about the future, as Norway is now at a crossroads where it is possible to introduce requirements for buses and regulations that significantly reduce safety. Currently, buses have the same functionality as a car from 2016. However, the longer we move towards driver support systems and autonomy, the greater the risk if measures are not implemented before we reach this level.
Ruter has had a meeting with the Ministry of Transport about this, who wants to solve this together with us.
Following the testing, Ruter is already implementing specific measures. This is what we are doing now:
- Imposing even stricter security requirements in future procurements
- Develops firewalls that ensure local control and protect against hacking
- Collaborating with national and local authorities on clear cybersecurity requirements
- Exploiting a technological window of opportunity before the next generation of buses becomes more integrated and harder to secure.
– Following this testing, Ruter moves from concern to concrete knowledge about how we can implement security systems that protect us against unwanted activity or hacking of the bus's data systems, says Jenssen.