Europe has been expanding the use of electric buses in its cities while trying to increase its use of sustainable public transport. Recently, however, the potential cybersecurity vulnerabilities of having large numbers of China-made electric buses have come to the forefront. Industry experts caution that Europe is already facing risks by continuing to depend on China to provide the technology needed to run public transport systems.
Chinese electric bus manufacturers have captured a large segment of the world market
Chinese-made electric buses are now in large numbers in major cities in the European Union from Berlin to Madrid as the European Union aims to reduce emissions and spend less money to mitigate climate change. A recent report by Strategic Study India (source) highlights the role of cost and battery technology in enabling Chinese brands to dominate the electric bus market in Europe.
Integrating new Chinese-made electric buses
On the other hand, presents the potential for cyber attacks to European transit systems. Electric buses are connected to the internet, unlike mechanical buses. They have systems for remote management, GPS, and telemetry, which require data to flow in and out from the buses.
While that is all very good for bus management, it also serves as an entry point for hack attacks.
The potential for disruption is not all hypothetical
Analysts believe that if these systems are compromised, these buses could easily be disabled or controlled remotely. A recent Times of India article explains that in geopolitical stand-offs, there is fear that Chinese suppliers could be potentially positioned to exploit these weaknesses to destabilize European transit networks.
The concept of โshutting off busesโ in several countries is extreme, but experts believe that, with the amount of programming that goes into these vehicles, it is possible.
Understanding the vulnerabilities of these buses
Cybersecurity experts note that to more fully understand these vulnerabilities, one needs to know that proprietary software coupled with cloud hosting outside of Europe is standard in the integrated systems used to control the buses. This lack of geographic control raises issues of data sovereignty and the degree to which European authorities could govern these systems.
A ripple effect of cyberattacks on transportation
Cities around the world provide public transport to people as a basic and invaluable service to society. The loss of transportation, whether through direct cyber attack, systems shut down, or hacking, is a loss of control.
- The loss of control can have immediate and devastating impacts on cities and their economies.
- Transport and communications systems are intertwined, and there are risks of emergencies going unresponded to.
- Operating system downtime might be the smallest of all the risks.
- Exposed and compromised systems may include sensitive operational data, and systems may be unresponsive to national security needs.
Now, European legislators are working to implement even stricter cyber regulations for imported electric vehicles. Some of these include mandatory code audits, country-based data storage, and active cyber monitoring of remote access.
The European Commission has also hinted at modifying its regulations
The truth of the matter is that electric buses are a necessity for Europe to reach its climate goals, but there are other infrastructure security threats.
If European companies were to close the gaps in affordability and scale that Chinese manufacturers offer, it would also close the gaps in economically stable relationships. Experts recommend a layered approach, operational for risk mitigation, technical for diplomacy, to meet the sustainability goals without derailing.
The conversation about cybersecurity will become more imminent as Europe continues to electrify its transit networks. The continent is at a crossroads: how to adopt green technologies while maintaining technology’s uninterrupted functioning. For the time being, the answer from specialists is unreserved: security should be embedded into the framework, and not added afterwards.
