Article illustration 1

Norwegian public transport operator Ruter uncovered a critical cybersecurity vulnerability during internal testing of electric buses supplied by Chinese manufacturer Yutong. Technicians discovered concealed Romanian SIM cards embedded in the vehicles' systems, creating covert communication channels that could theoretically enable remote shutdowns or unauthorized software interference. While no evidence of malicious activity was found, Ruter CEO Bernt Reitan Jenssen confirmed the discovery moves risks "from suspicion to concrete knowledge."

"These buses would likely never be misused, but we must take the risk seriously," Jenssen stated, highlighting the precautionary measures now underway.

The hidden SIMs—bypassed local network controls by establishing direct external connections, potentially allowing Yutong or third parties to:
- Remotely disable buses during operation
- Manipulate vehicle software via unauthorized updates
- Extract operational data without operator consent

In response, Ruter immediately removed the SIM cards and initiated a three-layer security overhaul:
1. Procurement Protocols: Stricter supplier audits and contractual cybersecurity guarantees
2. Network Segmentation: Enhanced internal firewalls isolating vehicle control systems
3. Cloud Security: Migration to Norwegian-controlled cloud infrastructure with sovereign data governance

Norway's Transport Minister Jon-Ivar Nygård told NRK the government is now evaluating supplier risks from nations outside its security alliances, signaling a policy shift toward protecting critical transportation infrastructure. This comes as Yutong dominates Norway's electric bus fleet—holding 65% market share with 850 units among the country's 1,300 electric buses.

Article illustration 2

The incident reveals broader vulnerabilities in global supply chains, particularly as Chinese electric vehicles gain international adoption. With Southeast Asian and European cities rapidly deploying similar buses, the discovery exposes:
- Supply Chain Blind Spots: Lack of hardware-level transparency in complex IoT systems
- Sovereign Control Gaps: Challenges in maintaining jurisdiction over foreign-manufactured critical infrastructure
- Asymmetric Vulnerabilities: Single points of failure affecting entire transport networks

As nations balance decarbonization goals with security imperatives, this case establishes a precedent for hardware-level scrutiny of foreign-sourced technology. Ruter's proactive disclosure and mitigation strategy offers a blueprint for transit agencies worldwide—demonstrating that in the era of connected infrastructure, cybersecurity must extend beyond software into the physical bones of our transportation ecosystems.

Source: Carscoops