Maintenance, Performance Optimisation and Control Deactivations of Electric Public Bus Fleets in Absence of "Over-the-air" Updates
Ministry of Transport
Summary
This question concerns the cybersecurity and maintenance of electric public buses from a Chinese manufacturer, with Ms Joan Pereira and Mr Melvin Yong Yik Chye inquiring about safeguards for over-the-air (OTA) updates and the verification of deactivated remote controls. Senior Parliamentary Secretary Jeffrey Siow stated that the Land Transport Authority (LTA) adopts a risk-tiered approach, requiring manufacturers to declare OTA capabilities and comply with international UNECE R155 and R156 cybersecurity standards. He noted that current updates are executed by authorised personnel via wired connections at depots only after LTA approval, while technical reviews are conducted to ensure no remote command capabilities exist. Independent technical assessments will further verify manufacturer assurances, as LTA studies safe methods to transition to OTA updates in collaboration with government cybersecurity agencies. These protocols ensure that public electric buses remain secure and reliable while allowing for the prompt patching of future software vulnerabilities.
Transcript
89 Ms Joan Pereira asked the Acting Minister for Transport regarding the electric public bus fleets from a Chinese manufacturer (a) how does the Land Transport Authority (LTA) independently ensure that (i) the remote controls have been deactivated and (ii) vehicle maintenance and performance is optimised in the absence of over-the-air updates; and (b) what measures and resources have been allocated to boost the cybersecurity of such buses.
90 Mr Melvin Yong Yik Chye asked the Acting Minister for Transport in view of the growing adoption of electric vehicles in Singapore, including the transition to electric buses, what safeguards, if any, are put in place before any over-the-air updates by the various manufacturers are sent to these electric vehicles.
Mr Jeffrey Siow: The Land Transport Authority (LTA) adopts a risk-tiered approach in dealing with cybersecurity for private and public connected vehicles.
For all passenger and goods vehicles, in accordance with the Road Traffic Act, motor dealers have to declare if there are Over-The-Air (OTA) capabilities during the vehicle approval process. When Original Equipment Manufacturers (OEMs) want to deploy significant OTA modifications to vehicles that impact a registered vehicle's safe operations or alter its specifications, such as changes to adaptive cruise control features, they need prior approval from LTA.
Public electric buses are an essential public transport service. Hence, cybersecurity vulnerabilities carry higher risk and impact on public safety and service continuity. In addition to the requirements stipulated under the Road Traffic Act, LTA requires all electric buses in its fleet to comply with the United Nations Economic Commission for Europe Regulation Nos 155 and 156 (R155 and R156). These international standards require OEMs to implement certified cybersecurity controls to prevent, detect and respond to cyber threats across the vehicle lifecycle and ensure OTA updates are secure, authenticated, traceable and recoverable.
LTA has also conducted technical reviews with OEMs of public buses, who have provided assurance that they do not possess remote command capabilities. LTA will conduct additional independent technical assessments to verify this. Any software updates or changes needed today are executed by authorised personnel, on-site at the bus depot using a wired connection, only after LTA has verified the purpose of the updates and given approval.
OTA updates for electric public buses are becoming increasingly prevalent, and they are necessary to patch vehicle software vulnerabilities promptly. LTA is collaborating closely with Government cybersecurity agencies to study how to transit from wired to OTA updates safely for these buses.