Securing all Network Layers of CAN (FD) Communication
Securing existing industrial communication protocols requires a look at all protocol layers, so that layer-specific attacks such as DoS (denial of service) are also prevented. Our paper provides an overview of the CAN (FD) specific security challenges, a comparison of selected existing security mechanisms for CAN (FD), a recommendation for the use and combination of such security mechanisms, and a summary and outlook with respect to the latest developments and standardization efforts.

Our study includes the following CAN (FD) network layers and security mechanisms:

1. On the data link layer, black-list and white-list filtering of the received and transmitted CAN (FD) frames, plus limiting the transfer rate of individual devices (flood protection). The implementation can be in hardware or in the lowest-level CAN software drivers.
2. On top of this, dedicated CAN (FD) frames are used for network management services. These require an authentication method that allows 'secure grouping' of multiple devices.
3. In higher network levels, security protocols like TLS can be added. These can also be used to extend secure communications beyond the local network and to implement end-to-end security (e.g. remote diagnostic service).

Each of these methods secures a CAN (FD) system against specific attack vectors. Individual security methods offer only limited protection on their own, but when used in combination they provide an adequate shield against a wide variety of attacks.
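The data link layer mechanism in item 1, sketched as a receive-side check in a low-level software driver. This is an added example, not code from the paper: the function name `can_rx_filter`, the CAN identifiers and the per-identifier frame budgets are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One white-list entry with its flood-protection budget. */
typedef struct {
    uint32_t id;           /* CAN identifier allowed on this node */
    uint32_t max_frames;   /* frames permitted per window */
    uint32_t window_ms;    /* window length in milliseconds */
    uint32_t window_start; /* tick at which the current window began */
    uint32_t count;        /* frames accepted in the current window */
} can_rule_t;

typedef enum { CAN_ACCEPT, CAN_DROP_NOT_LISTED, CAN_DROP_FLOOD } can_verdict_t;

/* Constructed policy table: identifiers and budgets are sample values. */
static can_rule_t rules[] = {
    { 0x181u, 10u,  100u, 0u, 0u },
    { 0x701u,  2u, 1000u, 0u, 0u },
};

/* Called for every received frame before it is passed up the stack.
 * now_ms is a free-running millisecond tick that may wrap around. */
can_verdict_t can_rx_filter(uint32_t id, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        can_rule_t *r = &rules[i];
        if (r->id != id)
            continue;
        /* Unsigned subtraction stays correct across tick wrap-around. */
        if ((uint32_t)(now_ms - r->window_start) >= r->window_ms) {
            r->window_start = now_ms;
            r->count = 0;
        }
        if (r->count >= r->max_frames)
            return CAN_DROP_FLOOD;      /* budget for this window used up */
        r->count++;
        return CAN_ACCEPT;
    }
    return CAN_DROP_NOT_LISTED;         /* default deny: not on the white list */
}
```

Returning a distinct verdict for each drop reason lets the driver count rejected and rate-limited frames separately, which gives monitoring a signal when a device starts flooding the bus.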
---
Date: 27.02.2019
Time: 4:30 PM - 5:00 PM
Location: Conference Counter NCC Ost