Norway’s public transport operator Ruter has identified cybersecurity risks in Chinese-manufactured electric buses, reporting that some vehicles could potentially be stopped remotely by their manufacturer. The finding has prompted the Norwegian government to review digital safety across its public transport systems.
Ruter’s cybersecurity tests revealed that buses made by China’s Yutong include a communication unit connected via a SIM card, enabling over-the-air updates and remote diagnostics. The same function could theoretically allow the manufacturer to halt or disable a bus. “In theory, the bus could therefore be stopped or rendered unusable by the manufacturer,” said Ruter in a statement. The company notified the Ministry of Transport and Communications and the National Security Authority immediately after confirming the vulnerability.
Government Review Underway
Authorities have begun assessing risks associated with vehicles built in countries that do not have security cooperation with Norway. The review will examine data access, software management, and digital control systems in public transport vehicles. The Ministry said it will consider new procurement and monitoring requirements to ensure cybersecurity compliance for all electric fleets.
Ruter operates about 300 Chinese-built buses in the Oslo region, a significant share of its zero-emission network. While the company continues to use the vehicles, it has isolated communication modules and increased oversight of software updates. Tests showed that onboard video systems are not internet-connected, reducing surveillance risks, but the communication interface remains a concern.
China’s Yutong and BYD dominate Europe’s electric bus market, but the Norwegian case highlights growing scrutiny of connected transport systems. The discovery underscores a wider challenge for electric mobility: balancing sustainability goals with digital security. As public transport becomes increasingly reliant on data links and remote management, the risk of external interference grows.
Transport authorities across Europe, including in Denmark and Germany, are now reviewing their electric bus fleets for similar vulnerabilities. The issue has also drawn attention from the European Union’s cybersecurity agency, which has urged operators to safeguard data and control channels in connected vehicles.
Norway’s investigation marks one of the first public actions in Europe to address cybersecurity in electric public transport. Officials say ensuring control over software and data systems will be essential as the country continues its shift toward zero-emission mobility.
Photo Credit: TonyV3112 / Shutterstock.com
