Maintenance, Performance Optimisation and Control Deactivations of Electric Public Bus Fleets in Absence of "Over-The-Air" Updates
12 January 2026
Written Reply to Parliamentary Questions
Ms Joan Pereira asked the Acting Minister for Transport regarding the electric public bus fleets from a Chinese manufacturer:
a. how does the Land Transport Authority (LTA) independently ensure that (i) the remote controls have been deactivated and (ii) vehicle maintenance and performance is optimised in the absence of over-the-air updates; and
b. what measures and resources have been allocated to boost the cyber security of such buses.
Mr Melvin Yong Yik Chye asked the Acting Minister for Transport in view of the growing adoption of electric vehicles in Singapore, including the transition to electric buses, what safeguards, if any, are put in place before any over-the-air updates by the various manufacturers are sent to these electric vehicles.
Reply by Acting Minister for Transport Jeffrey Siow:
1. The Land Transport Authority (LTA) adopts a risk-tiered approach in dealing with cybersecurity for private and public connected vehicles.
2. For all passengers and goods vehicles, in accordance with the Road Traffic Act, motor dealers have to declare if there are OTA capabilities during the vehicle approval process. When Original Equipment Manufacturers (OEMs) want to deploy significant OTA modifications to vehicles that impact a registered vehicle's safe operations or alter its specifications, such as changes to adaptive cruise control features, they need prior approval from LTA.
3. Public electric buses are an essential public transport service. Hence, cybersecurity vulnerabilities carry higher risk and impact on public safety and service continuity. In addition to the requirements stipulated under the Road Traffic Act, LTA requires all electric buses in its fleet to comply with UNECE Regulation Numbers 155 and 156 (R155 and R156). These international standards require OEMs to implement certified cybersecurity controls to prevent, detect and respond to cyber threats across the vehicle lifecycle and ensure OTA updates are secure, authenticated, traceable and recoverable.
4. LTA has also conducted technical reviews with OEMs of public buses, who have provided assurance that they do not possess remote command capabilities. LTA will conduct additional independent technical assessments to verify this. Any software updates or changes needed today are executed by authorised personnel, on-site at the bus depot using a wired connection, only after LTA has verified the purpose of the updates and given approval.
5. OTA updates for electric public buses are becoming increasingly prevalent and they are necessary to patch vehicle software vulnerabilities promptly. LTA is collaborating closely with government cybersecurity agencies to study how to transit from wired to OTA updates safely for these buses.
