
CAN Newsletter magazine

Generic CAN (FD) security requirements

This article gives an insight into CAN (FD) security, a topic raised by several companies participating in the CiA (CAN in Automation) interest group IG safety and security.

The various security roles that need to be assigned in the network system (Source: Emsa)

The complete article is published in the December issue of the CAN Newsletter magazine 2021. This is just an excerpt.

In the past five years we have reported on various security threats and solutions for CAN and CAN FD. It is interesting to see that security requirements differ quite a bit depending on the application, and that the solutions developed therefore differ as well. An access control system has a high focus on authentication but might not care about encryption. Custom high-tech machinery in a somewhat closed housing might not worry about authentication, but rather about protecting intellectual property by encrypting the data exchanged, making reverse engineering more difficult. From the security viewpoint, the toughest applications are those where the system owner or user is themselves the security threat to consider, for example when an owner tries to bypass a machine's safety limitations such as a maximum weight, speed, or RPM (revolutions per minute).

Usually, adding security at the CAN (FD) communication level alone is not sufficient; a more detailed look at the entire system is required to address all potential attack vectors. Nevertheless, secure CAN (FD) communication is an important "piece of the security puzzle" in more and more applications. As is, CAN (FD) systems are too easy to manipulate once an attacker has access to the CAN (FD) wiring: adding a sniffer or even a contactless CAN interface allows recording and replaying of CAN frames, which often yields full control of a system. If such access is gained remotely through a weak gateway, multiple systems can be at risk of misuse.

Current developments

There are currently multiple working groups at CAN in Automation (CiA) addressing security issues. The SIG (special interest group) CAN XL TF Security works on adding security to CAN XL (the third CAN generation) directly on the data link layer, so that it can become part of the hardware, the CAN XL interface. In September 2021, the IG safety and security decided to also review security options for CAN and CAN FD. The Hochschule Offenburg (Institute for Reliable Embedded Systems and Communication Electronics) and Embedded Systems Academy (Emsa) are currently working together on a proposal that defines a generic security layer for secure group communication in lightweight broadcast networks such as CAN (FD).

Being of general interest, the approach is pursued by defining the generic objects, parameters, and roles required in such a way that they can be mapped to multiple network technologies. Although optimized for CAN and CAN FD (also covering CANopen and CANopen FD), the methods could also be mapped to I2C or EIA-485 based communication.

Key requirements

The key elements and requirements of the proposal are:

  • The underlying communication system exchanges communication blocks with data and meta data (such as a CAN frame using a CAN-Identifier, DLC (data length code), and data field).
  • The underlying communication system shall have a method to identify devices (e.g. using a node ID).
  • To secure these communication blocks a security object is added to or associated with them.
  • A manager role supervises the secure communication and initiates key refresh cycles.
  • A synchronized date and timestamp with one-millisecond resolution is used for uniqueness and to prevent replay attacks.
  • If required, ALL communication blocks can be secured.
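As an added illustration, not code from the article or from the Emsa/Hochschule Offenburg proposal, the following Python sketch models a participant producing and consuming secured communication blocks along the lines of the requirements above: a CAN (FD) frame (node ID, CAN-Identifier, DLC, data field) gets a security object associated with it, here an HMAC-SHA256 tag (an assumed choice, since the proposal fixes no algorithm) that also covers the synchronized millisecond timestamp, and the consumer rejects blocks with a bad tag, a timestamp outside a tolerance window, or a timestamp not newer than the last accepted one from the same node and CAN-ID. The tag length, skew window, key, node IDs, the CAN-ID 0x181 and the FakeClock are constructed for the example; the manager and refresher roles are not modeled.

```python
import hmac
import hashlib
import struct

# CAN FD DLC -> payload length in bytes (DLC 0..8 map 1:1, 9..15 map to 12..64).
DLC_TO_LEN = list(range(9)) + [12, 16, 20, 24, 32, 48, 64]

TAG_LEN = 8        # assumed: tag truncated to 64 bits so it fits beside the payload
MAX_SKEW_MS = 50   # assumed: tolerated clock difference between synchronized nodes


def mac_input(node_id: int, can_id: int, dlc: int, data: bytes, ts_ms: int) -> bytes:
    """Fixed-width serialization of everything the tag must cover: who sent it,
    which CAN-ID, the DLC, the synchronized timestamp, then the data field."""
    return struct.pack(">BIBQ", node_id, can_id, dlc, ts_ms) + data


def compute_tag(key: bytes, node_id: int, can_id: int, dlc: int, data: bytes, ts_ms: int) -> bytes:
    # HMAC-SHA256 is an assumed MAC; the group key would come from the manager role.
    return hmac.new(key, mac_input(node_id, can_id, dlc, data, ts_ms), hashlib.sha256).digest()[:TAG_LEN]


def make_security_object(key: bytes, node_id: int, can_id: int, data: bytes, ts_ms: int) -> dict:
    """Build a communication block together with its associated security object."""
    dlc = DLC_TO_LEN.index(len(data))   # ValueError for lengths CAN FD cannot carry
    tag = compute_tag(key, node_id, can_id, dlc, data, ts_ms)
    return {"node_id": node_id, "can_id": can_id, "dlc": dlc, "data": data,
            "ts_ms": ts_ms, "tag": tag}


class FakeClock:
    """Stand-in for the synchronized network time (constructed for the example)."""
    def __init__(self, start_ms: int):
        self.now = start_ms

    def __call__(self) -> int:
        return self.now

    def advance(self, ms: int) -> None:
        self.now += ms


class Participant:
    """Participant role: produces and consumes secured communication blocks."""
    def __init__(self, key: bytes, node_id: int, clock):
        self.key = key
        self.node_id = node_id
        self.clock = clock
        self.last_seen = {}   # (node_id, can_id) -> newest accepted timestamp

    def produce(self, can_id: int, data: bytes) -> dict:
        return make_security_object(self.key, self.node_id, can_id, data, self.clock())

    def consume(self, block: dict):
        """Return (accepted, reason). Checks are ordered cheapest-first; the tag is
        verified before any freshness state is touched so forged blocks cannot
        move the replay window."""
        dlc, data = block["dlc"], block["data"]
        if dlc >= len(DLC_TO_LEN) or len(data) != DLC_TO_LEN[dlc]:
            return False, "dlc mismatch"
        expected = compute_tag(self.key, block["node_id"], block["can_id"], dlc, data, block["ts_ms"])
        if not hmac.compare_digest(expected, block["tag"]):
            return False, "bad tag"
        if abs(self.clock() - block["ts_ms"]) > MAX_SKEW_MS:
            return False, "stale or future timestamp"
        origin = (block["node_id"], block["can_id"])
        if block["ts_ms"] <= self.last_seen.get(origin, -1):
            return False, "replay"
        self.last_seen[origin] = block["ts_ms"]
        return True, "ok"


def demo() -> list:
    """Walk a consumer through a fresh block, a replay, a tampered block, a new
    block one millisecond later, and that block replayed after the window closed."""
    key = b"constructed-group-key-not-for-production"   # constructed sample key
    clock = FakeClock(1_700_000_000_000)
    producer = Participant(key, node_id=0x10, clock=clock)
    consumer = Participant(key, node_id=0x20, clock=clock)
    results = []
    blk = producer.produce(0x181, b"\x01\x02\x03\x04")   # 4-byte payload, DLC 4
    results.append(consumer.consume(blk)[1])             # fresh block
    results.append(consumer.consume(blk)[1])             # identical block again
    forged = dict(blk, data=b"\x01\x02\x03\xff")         # payload changed, tag kept
    results.append(consumer.consume(forged)[1])
    clock.advance(1)
    blk2 = producer.produce(0x181, b"\x01\x02\x03\x04")  # same payload, next ms
    results.append(consumer.consume(blk2)[1])
    clock.advance(MAX_SKEW_MS + 1)
    results.append(consumer.consume(blk2)[1])            # recorded, replayed later
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat on "uniqueness": with one-millisecond resolution, a producer that emits two blocks with the same node ID and CAN-ID within the same millisecond would give them identical timestamps, and this consumer would reject the second as a replay. A producer therefore has to either space such frames out or extend the security object with a per-millisecond counter that the tag also covers.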

Photo 1 illustrates the various roles that need to be assigned in the network system. All devices that need to produce or consume secure communication blocks must implement the "participant role". One device must implement the "manager role", and a total of three "refresher roles" are required; these are helpers to the manager during the refresh cycles of the current communication key.

If you would like to read the full article, you can download it free of charge, or you can download the entire magazine.

cw

Publish date
2021-11-30
Company

Emsa
Hochschule Offenburg
CAN Newsletter December 2021
