Article Details

UK asks cyberspies to probe whether Chinese buses can be switched off remotely. Norwegian testers claim maker has remote access, while UK importer says supplier complies with the law. UK governmental is working with the National Cyber Security Centre to understand and "mitigate" any risk that China-made imported electric buses could be remotely accessed and potentially disabled. This follows concerns raised by Norwegian public transport service operator, Ruter, which conducted cybersecurity tests on a new vehicle made by bus maker Yutong and said it identified vulnerabilities in its on-board systems. Yutong is a Chinese manufacturer based in Zhengzhou, Henan province. The vehicles it produces are used by bus operators in several European countries, including the UK. Meanwhile, the importer of Yutong vehicles for the UK and Ireland region, Pelican, has disputed the claims and says the vehicles meet all security certifications. Public transport operator Ruter, which serves commuters in Norwegian capital Oslo as well as the outlying Akershus county, claimed: "The Chinese supplier has direct digital access to each individual bus for software updates and diagnostics, including access to the battery and power supply management system. In theory, the bus could therefore be stopped or rendered inoperable by the manufacturer. "Currently, Ruter can disconnect the bus from the internet by removing the SIM card, as all connectivity to the network goes through this single point. This ensures that we retain local control if necessary," it added. There are about 700 Yutong-made buses already in the UK, primarily in Nottingham, south Wales and Glasgow, operated by companies including Stagecoach and First Bus. A UK Department for Transport spokesperson told The Register: "We are aware of recent speculation concerning certain electric bus manufacturers. The Department takes security issues extremely seriously and works closely with the intelligence community to understand and mitigate potential risks." The NCSC declined to comment. In a statement, the IT Director of mega UK bus operator First Bus, Gavin Davies, said: "Cyber security risk is a core element of our procurement process for new electric buses. Ruter's work in Norway is helpful for wider industry learning, and it's really encouraging that they are carrying out tests and exploring how security systems can be improved even further."  Rival operator Stagecoach declined to comment, but instead directed us to Pelican Bus and Coach, which was appointed Yutong importer for the UK and Ireland in 2014. Ian Downie, Pelican's head of Yutong sales, denied there was any security risk, and told The Register that all the vehicles it deals with are manually updated by engineers that physically go to the customer's site and apply any software patches. Yutong strictly complies with the applicable laws, regulations, and industry standards of the locations where its vehicles operate, Pelican added in a statement. "Yutong vehicles exported to Europe comply with the UN R155 Cyber Security and Cyber Security Management System, UN R156 Software Update and Software Update Management System, ISO 27001 Information Security Management Systems, and ISO 27701 Privacy Information Management Systems. These regulations establish unified standards for vehicle cybersecurity and cybersecurity management systems," the company said. According to Pelican, Yutong stores EU vehicle terminal data at an AWS datacenter in Frankfurt. The data is used for maintenance, optimization and service improvements, and cannot be accessed without signed customer authorization. Pelican said Yutong vehicles in Europe do not support remote control of acceleration, steering, or braking. However, this doesn't address Ruter's specific claim: that Yutong can potentially remotely access the power supply management system and potentially disable buses. Pelican did not respond to questions about whether Yutong has any remote access to the vehicles.