CAN Newsletter magazine
This article gives an insight into the CAN (FD) security issue as raised by several companies participating in CiA’s (CAN in Automation) interest group IG safety and security.
In the past 5 years we have been reporting about various security threats and solutions for CAN and CAN FD. It is interesting to see that security requirements can differ quite a bit depending on the application, and that therefore the solutions developed also differ. An access control system has a high focus on authentication but might not care about encryption. A custom high-tech machinery in a somewhat closed housing might not worry about authentication but more about protecting the intellectual property and encryption of the data exchanged, making re-engineering more difficult. From the security viewpoint, the toughest applications are those where the system owner or user is considering the security threat. For example, when an owner is trying to bypass a machine’s safety limitations such as a maximum weight, speed, or RPM (rotations per minute).
Usually, adding security at the CAN (FD) communication level alone is not sufficient; a more detailed view of the entire system is required to address all potential attack vectors. Nevertheless, secure CAN (FD) communication is an important “piece of the security puzzle” in more and more applications. As is, CAN (FD) systems are too easy to manipulate once an attacker has access to the CAN (FD) wiring. Adding a sniffer or even a contactless CAN interface allows recording and replaying of CAN frames, often allowing full control of a system. If such access is gained remotely because of a weak gateway, multiple systems can be at risk of misuse.
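The replay problem described above can be shown directly with a small simulation. The following is an added example, not code from the article or from the CiA/Emsa proposal: a plain consumer accepts any frame with the expected CAN ID, so a recorded frame replayed later is indistinguishable from a live one; an authenticated consumer that checks a freshness counter and a truncated HMAC over the frame (an assumed scheme chosen for illustration, not the mechanism of the proposal) rejects both the replay and a forged payload. The group key, CAN IDs and payloads are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed group key shared by all participants (assumption: how keys are
# distributed and refreshed is not part of this example).
GROUP_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Overhead of the assumed scheme: 4-byte freshness counter + 8-byte truncated tag.
# A classical CAN frame carries at most 8 data bytes, so this only fits in CAN FD
# (up to 64 bytes); that payload limit is one reason security is hard on CAN.
COUNTER_LEN = 4
TAG_LEN = 8


class RawConsumer:
    """Plain CAN (FD) consumer: accepts any frame carrying the expected ID."""

    def __init__(self, can_id):
        self.can_id = can_id

    def consume(self, frame):
        can_id, _payload = frame
        return can_id == self.can_id


def _tag(key, can_id, payload, counter_bytes):
    msg = struct.pack(">I", can_id) + payload + counter_bytes
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(can_id, payload, counter, key=GROUP_KEY):
    """Producer side: append counter and tag so consumers can verify freshness and origin."""
    counter_bytes = struct.pack(">I", counter)
    return (can_id, payload + counter_bytes + _tag(key, can_id, payload, counter_bytes))


class AuthConsumer:
    """Consumer that verifies the tag and rejects non-increasing counters."""

    def __init__(self, can_id, key=GROUP_KEY):
        self.can_id = can_id
        self.key = key
        self.last_counter = -1

    def consume(self, frame):
        can_id, data = frame
        if can_id != self.can_id or len(data) < COUNTER_LEN + TAG_LEN:
            return False
        payload = data[:-(COUNTER_LEN + TAG_LEN)]
        counter_bytes = data[-(COUNTER_LEN + TAG_LEN):-TAG_LEN]
        tag = data[-TAG_LEN:]
        # Constant-time comparison: a wrong tag means the frame was forged or modified.
        if not hmac.compare_digest(tag, _tag(self.key, can_id, payload, counter_bytes)):
            return False
        counter = struct.unpack(">I", counter_bytes)[0]
        if counter <= self.last_counter:
            return False  # replayed (or reordered) frame: counter already seen
        self.last_counter = counter
        return True


def replay_demo():
    """Record one frame, replay it later against both consumers; also try a forged payload."""
    can_id = 0x181                      # constructed CAN ID
    speed_cmd = bytes.fromhex("0A00")   # constructed payload, e.g. a speed set-point

    # Unprotected bus: the recorded frame is accepted again on replay.
    raw = RawConsumer(can_id)
    raw_frame = (can_id, speed_cmd)
    raw_live = raw.consume(raw_frame)
    raw_replay = raw.consume(raw_frame)  # attacker replays the sniffed frame

    # Protected bus: the same recorded frame is rejected on replay.
    auth = AuthConsumer(can_id)
    auth_frame = protect(can_id, speed_cmd, counter=1)
    auth_live = auth.consume(auth_frame)
    auth_replay = auth.consume(auth_frame)
    # Forged frame: attacker changes the payload but cannot compute a valid tag.
    forged = (can_id, bytes.fromhex("FF00") + auth_frame[1][len(speed_cmd):])
    auth_forged = auth.consume(forged)
    # A genuine new frame from a participant with the key is still accepted.
    auth_next = auth.consume(protect(can_id, speed_cmd, counter=2))

    return {
        "raw_live": raw_live, "raw_replay": raw_replay,
        "auth_live": auth_live, "auth_replay": auth_replay,
        "auth_forged": auth_forged, "auth_next": auth_next,
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The counter state lives in each consumer, so a participant that reboots would need to resynchronise before trusting frames again; that, together with key distribution and refresh, is exactly the part a generic security layer has to specify and is left out here.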
There are currently multiple working groups at CAN in Automation (CiA) addressing security issues. The SIG (special interest group) CAN XL TF Security works on adding security to CAN XL (the third CAN generation) directly on the data link layer, so that it can become part of the hardware, the CAN XL interface. In September 2021, the IG safety and security decided to also review security options for CAN and CAN FD. The Hochschule Offenburg (Institute for reliable Embedded Systems and communication electronics) and Embedded Systems Academy (Emsa) currently work together on a proposal that defines a generic security layer for secure group communication in lightweight broadcast networks such as CAN (FD).
Being of general interest, the approach is pursued by defining the generic objects, parameters, and roles required in such a way that they can be mapped to multiple network technologies. Although optimized for CAN and CAN FD (also covering CANopen and CANopen FD), the methods could also be mapped to I2C or EIA-485 based communication.
The key elements and requirements of the proposal are:
Photo 1 illustrates the various roles that need to be assigned in the network system. All devices that need to be able to produce or consume secure communication blocks need to implement the “participant role”. One device must implement the “manager role” and a total of three “refresher roles” are required. These are helpers to the manager in the current communication key refresh cycles.