Recent trends in the targeting of critical public transport infrastructures prompt reviews of supply chain vulnerability profiles and EV cyber resilience.

Recent investigations by a Norwegian public transport operator have revealed vulnerabilities in electric buses’ connectivity systems, highlighting how direct digital access to key vehicle components could potentially allow remote disabling.

While these findings sparked immediate scrutiny by authorities, the broader concern lies in the inherent cybersecurity risks associated with connected vehicle technologies and foreign supply chains in critical public transport infrastructures.

Connected vehicles increasingly rely on Over-The-Air (OTA) software updates, cloud-based diagnostics, and telematics systems that transmit data remotely to optimize maintenance and operational efficiency. These functionalities can introduce multiple attack surfaces that adversaries could exploit. Critical vectors include unauthorized remote access, interception of data streams, compromised software update processes, and manipulation of power management systems.

According to the investigations, several key factors must be addressed:

  • Robust access controls: Strict authentication mechanisms and role-based permissions are essential to prevent unauthorized access. Segmentation between diagnostic, control, and user systems limits potential damage.
  • Secure software update mechanisms: OTA updates require cryptographic signing and verification to guarantee integrity and authenticity of software patches, preventing malicious code injection.
  • Data encryption and privacy: Data transmitted between vehicles and cloud systems must be encrypted end-to-end to prevent interception and tampering, preserving passenger privacy and operational confidentiality.
  • Continuous monitoring and incident response: Real-time cybersecurity monitoring paired with rapid incident response capabilities help identify and neutralize threats before they impact safety or service continuity.
  • Fail-safe and local control mechanisms: Systems that physically or logically disconnect from external networks during anomalies ensure local control is retained and critical functions remain operational even amid cyberattacks.
  • Compliance with rigorous standards: Adoption of comprehensive security frameworks such as UNECE regulations R155 and R156, along with ISO 27001, provide structured approaches to cybersecurity risk management.

This evolving technological landscape demands ongoing vigilance, transparency, and collaboration among manufacturers, operators, regulators, and cybersecurity experts to safeguard public transport systems against cyber threats and network outages.