A pressing issue has emerged in Denmark, where authorities are racing to address a critical security concern involving Chinese-made electric buses. This story is a cautionary tale of the potential risks associated with technological advancements and our increasing reliance on interconnected systems.
The Danish transport sector is currently grappling with a security loophole that allows remote deactivation of electric buses, a feature that could be exploited maliciously. This vulnerability was first uncovered by Norwegian transport authorities, who discovered that the Chinese supplier had remote access to the buses' control systems, potentially enabling them to affect buses while in transit.
Amid growing concerns, the Norwegian public transport authority, Ruter, decided to test two electric buses in an isolated environment. The tests revealed risks that prompted Ruter to take immediate action, informing national and local authorities of the need for additional measures at a national level.
The solution, however, is not as simple as removing the buses' SIM cards, as this would also disconnect them from other essential systems. Ruter plans to introduce stricter security requirements for future procurements, but the concern remains that the next generation of buses could be even more integrated and harder to secure.
Denmark's largest public transport company, Movia, operates 469 Chinese electric buses, 262 of which are manufactured by Yutong. Movia's chief operating officer, Jeppe Gaard, was recently made aware of the potential for remote deactivation, a feature that is not unique to Chinese buses but is a concern for all vehicles and devices with Chinese electronics.
The Danish agency for civil protection and emergency management has warned Movia that the buses' subsystems with internet connectivity and sensors (cameras, microphones, GPS) could constitute vulnerabilities that could be exploited to disrupt bus operations. Yutong, the Chinese manufacturer, has stated that it strictly complies with applicable laws and regulations and that its vehicle data in the EU is stored securely in an Amazon Web Services (AWS) datacentre in Frankfurt.
This issue has sparked a debate about Denmark's dependence on Chinese companies, with Thomas Rohden, the chair of the Danish China-Critical Society, stating that Denmark has been "way too slow" in addressing this issue. Rohden emphasizes the importance of Denmark's values and ideals, which differ significantly from those of China, and highlights the vulnerability of being totally dependent on China at a time when Denmark is trying to increase its resilience against potential hybrid attacks by Russia.
The Norwegian ministry of transport has declined to comment on the matter.
This story serves as a reminder of the complex challenges we face in an increasingly interconnected world, where technological advancements bring both opportunities and potential risks. It prompts us to consider the importance of robust security measures and the need for ongoing vigilance in an era of rapid technological change.
