Introduction: The Governance Challenge
Recent investigations in Europe revealed a troubling reality across multiple electric bus fleets. Remote connectivity channels intended for diagnostics and software updates were also capable of reaching battery and power-management systems. This meant a manufacturer, or anyone able to impersonate the manufacturer, could theoretically render a vehicle inoperable. The issue was not a failure of engineering. It was a failure of governance, transparency, and control.
This is the challenge TrikTraks is actively addressing.
Fleet operators should not depend on blind trust in external vendors. They should hold final authority over what enters their vehicles and when. Secure OTA must therefore be built around operator sovereignty, cryptographic validation, and transparent oversight.
Below are the core principles guiding our work.
Security Architecture Overview
The TrikTraks OTA security model establishes clear trust boundaries and operator control points. The diagram below illustrates the high-level conceptual architecture.
This conceptual model demonstrates operator sovereignty: updates flow through operator-controlled validation before reaching any vehicle. Direct manufacturer access is architecturally prevented.
Operator Sovereignty by Design
In modern connected fleets, OTA updates are essential, but they must never bypass the operator. TrikTraks is developing a security framework where the fleet owner—not the manufacturer—grants final approval for any software package destined for a vehicle.
This principle ensures that no external party, intentionally or unintentionally, can deliver unverified firmware or critical commands without authorization.
Nothing executes unless the operator explicitly allows it.
Clear Separation of Data, Diagnostics, and Safety-Critical Systems
Connectivity is valuable for diagnostics and operational efficiency, but it must be controlled. TrikTraks is designing strict separation between the data services that support fleet operations and the safety-critical systems that govern propulsion, battery management, and braking.
This segmentation ensures that even if a vendor device includes remote connectivity, it cannot reach or modify critical subsystems without explicit, operator-authorized approval.
Network Segmentation in Practice
A gateway at the boundary between the connectivity domain and the safety-critical subsystems enforces authenticated message types, blocks any message outside the schema approved for the target subsystem, and maintains an audit trail for every accepted or rejected request. This ensures that even if a device attempts to communicate unexpectedly, the message cannot hop from telemetry to propulsion without being intercepted and logged.
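As an added illustration (not TrikTraks code), the following Python sketch models such a gateway: a per-subsystem allowlist of message types, an HMAC-SHA256 tag over the addressed fields so a message cannot be retargeted after signing, a per-source sequence check, and an audit entry for every request. The key, subsystem names and message types are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed allowlist of message types each subsystem may receive from the
# connectivity domain. Safety-critical subsystems get an empty set: nothing hops
# from telemetry to battery or propulsion because no type is approved there.
APPROVED_SCHEMA = {
    "telemetry":   {"READ_SOC", "READ_GPS", "READ_ODOMETER"},
    "diagnostics": {"READ_DTC"},
    "battery":     set(),
    "propulsion":  set(),
}
KEY = b"constructed-demo-key"  # hypothetical shared gateway key

def canonical(msg: dict) -> bytes:
    return json.dumps({k: msg[k] for k in ("src", "dst", "type", "seq")}, sort_keys=True).encode()

def sign(key: bytes, msg: dict) -> dict:
    """Attach an HMAC-SHA256 tag covering source, destination, type and sequence."""
    return {**msg, "mac": hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()}

class Gateway:
    def __init__(self, key: bytes):
        self.key = key
        self.audit = []      # every accepted or rejected request, in order
        self.last_seq = {}   # highest accepted sequence number per source

    def handle(self, msg: dict) -> bool:
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            verdict = "REJECT:unauthenticated"
        elif msg["seq"] <= self.last_seq.get(msg["src"], -1):
            verdict = "REJECT:replay"
        elif msg["type"] not in APPROVED_SCHEMA.get(msg["dst"], set()):
            verdict = "REJECT:outside_schema"
        else:
            verdict = "ACCEPT"
            self.last_seq[msg["src"]] = msg["seq"]
        self.audit.append((msg["seq"], msg["src"], msg["dst"], msg["type"], verdict))
        return verdict == "ACCEPT"

def demo() -> list:
    gw = Gateway(KEY)
    gw.handle(sign(KEY, {"src": "tcu", "dst": "telemetry", "type": "READ_SOC", "seq": 1}))
    gw.handle(sign(KEY, {"src": "tcu", "dst": "battery", "type": "WRITE_PARAM", "seq": 2}))
    forged = sign(KEY, {"src": "tcu", "dst": "telemetry", "type": "READ_GPS", "seq": 3})
    forged["dst"] = "propulsion"  # retargeted after signing: the tag no longer matches
    gw.handle(forged)
    return gw.audit
```

The audit trail from `demo()` shows one accepted telemetry read, one message blocked for being outside the battery schema even though its tag is valid, and one blocked as unauthenticated because the destination was changed after signing.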
Zero-Trust Validation for All Update Packages
Every software package must be treated as untrusted until proven otherwise. TrikTraks is developing a multi-stage evaluation process for update packages that includes:
- Authenticity and integrity checks – Verifying vendor signatures and file integrity
- Policy and compatibility evaluation – Ensuring updates meet operator-defined security policies
- Security and version-control validation – Preventing rollbacks and forced downgrades
- Operator-controlled approval – Final authorization by the fleet's security office
The result is a system where unauthorized packages never reach a vehicle.
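The four stages above, as an added worked example that is not TrikTraks code: a manifest is checked for vendor authenticity and payload integrity, then against operator policy, then for anti-rollback, and finally for an operator approval bound to the exact manifest digest. HMAC stands in for the vendor's public-key signature so the block runs with the standard library only; the vendor name, ECU names, model and versions are constructed.

```python
import hashlib
import hmac
import json

# Constructed environment: one trusted vendor key, operator policy, currently
# installed versions, and the set of manifest digests the operator has approved.
VENDOR_KEY = b"constructed-vendor-key"
CTX = {
    "vendor_keys": {"busco": VENDOR_KEY},
    "policy": {"models": {"E12"}, "allowed_ecus": {"telematics", "infotainment"}},
    "installed": {"telematics": [2, 4, 0], "infotainment": [1, 0, 3]},
    "operator_approvals": set(),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest_bytes(m: dict) -> bytes:
    return json.dumps(m, sort_keys=True).encode()

def sign_manifest(key: bytes, m: dict) -> str:
    """Vendor tag over the manifest (HMAC stands in for a public-key signature)."""
    return hmac.new(key, manifest_bytes(m), hashlib.sha256).hexdigest()

def approve(ctx: dict, m: dict) -> None:
    """Operator approval binds to the exact manifest digest, not to a vendor or version."""
    ctx["operator_approvals"].add(sha256(manifest_bytes(m)))

def evaluate(pkg: dict, payload: bytes, ctx: dict) -> str:
    """Run the stages in order; return 'APPROVED' or 'REJECTED:<stage>'."""
    m = pkg["manifest"]
    key = ctx["vendor_keys"].get(m["vendor"])          # stage 1: authenticity, integrity
    if key is None or not hmac.compare_digest(sign_manifest(key, m), pkg["sig"]):
        return "REJECTED:authenticity"
    if sha256(payload) != m["payload_sha256"]:
        return "REJECTED:integrity"
    pol = ctx["policy"]                                 # stage 2: policy, compatibility
    if m["model"] not in pol["models"] or m["target_ecu"] not in pol["allowed_ecus"]:
        return "REJECTED:policy"
    if tuple(m["version"]) <= tuple(ctx["installed"].get(m["target_ecu"], [])):
        return "REJECTED:rollback"                      # stage 3: no downgrade or reinstall
    if sha256(manifest_bytes(m)) not in ctx["operator_approvals"]:
        return "REJECTED:operator_approval"             # stage 4: operator has the last word
    return "APPROVED"

def package(vendor: str, ecu: str, version: list, payload: bytes, model: str = "E12") -> dict:
    m = {"vendor": vendor, "model": model, "target_ecu": ecu,
         "version": version, "payload_sha256": sha256(payload)}
    return {"manifest": m, "sig": sign_manifest(VENDOR_KEY, m)}
```

A correctly signed, policy-compliant package is still rejected until `approve()` records its digest, and a valid approval of an older version is rejected at the rollback stage before approval is even consulted.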
Transparent Oversight of Communication Channels
In several European cases, operators discovered remote connectivity only after isolating buses in Faraday-shielded environments. TrikTraks aims to eliminate such uncertainty by making all communication endpoints visible, traceable, and operator-controlled.
What Operators Can See
Fleet operators should always know:
- Which systems are communicating – Every device and subsystem generating traffic
- With whom they are communicating – Domains, ports, and network destinations
- What data is involved – Type and frequency of transmitted information
- Whether communication aligns with authorized policies – Real-time policy enforcement
Transparency is one of the strongest forms of security.
A fleet owner should never discover a remote connection only after driving a vehicle into a mine to shield it from radio signals. With TrikTraks, the visibility is real-time and continuous.
Ensuring Trust Without Limiting Innovation
Vendors continue innovating—new features, optimizations, and safety improvements appear frequently. TrikTraks's approach supports vendor innovation while ensuring that operators maintain full control over deployment and timing.
This balance allows fleets to stay modern and secure without exposure to vendor-controlled backdoors or undocumented connectivity.
The Update Workflow
- Manufacturers can submit software
- Operators decide what enters the fleet
- Vehicles only trust updates from the authorized OTA server
This architecture preserves vendor innovation while protecting public infrastructure from unauthorized remote influence.
Scalable Across Mixed Fleets
Most fleets include multiple vehicle brands with different OTA philosophies, toolchains, and capabilities. TrikTraks is designing its OTA model to unify these differences so operators can manage updates through a consistent, policy-driven workflow, regardless of vendor.
This strengthens operational consistency, reduces administrative burden, and enhances cybersecurity posture fleet-wide.
Benefits of Unified OTA Management
- Same security rules and approval workflow for any vendor
- Coverage of any device class and any model year
- Uniform security practices without rewriting procurement strategy
- Reduced complexity in multi-vendor environments
Want to Learn More About TrikTraks OTA Security?
Explore our complete architecture documentation and see how we're building operator-sovereign OTA systems for modern connected fleets.
A Safer Foundation for Modern Connected Fleets
Connectivity isn't the problem—blind trust is. The vulnerabilities uncovered across Europe underscore the need for OTA systems built around strong governance, cryptographic control, and end-to-end transparency.
TrikTraks is actively developing an OTA framework that gives operators the confidence, authority, and traceability needed to keep their fleets secure in an increasingly software-defined transportation environment.
As public and private transportation systems become increasingly software-defined, these principles must become standard practice. The lesson from recent events is clear: Connectivity without governance is a vulnerability. Connectivity with operator-held control is an asset.
Footnote
Additional architectural details are available in the TrikTraks Technical Architecture Annex. Access requires prior approval.