CAN Security Resources and Further Reading
A curated set of white papers, standards references, and a glossary supporting the rest of this reference. White paper PDFs are hosted on esacademy.com.
EmSA White Papers
EmSA-WP-105: Secure Object Fieldbus Access (SOFA)
Hosted at esacademy.com.
Specifies how compact secure protocols can be tunneled generically through fieldbus transports; this is the basis for the SOFA control described under Solutions. Covers authenticated access to selected object dictionary entries using AEAD.
EmSA-WP-104: Key Provisioning for Minimal Fieldbus Systems
Hosted at esacademy.com.
Covers security key lifecycles and key handling for constrained fieldbus devices: how provisioning, update, and storage of keys are managed on nodes with very limited resources.
EmSA-WP-103: CVSS for CAN
Hosted at esacademy.com.
A practical method for scoring CAN vulnerabilities under CVSS v4.0, with worked examples for an unprotected classical CAN node and the score reductions achieved by physical access limitation, system monitoring, and cryptographic measures. Establishes the 5.2 (Medium) baseline reused throughout this reference.
EmSA-WP-102: Interface Driven Security Evaluation for Sensors
Hosted at esacademy.com.
An interface-driven method for evaluating the security of sensor interfaces, comparing the exposure of the memory bus, SPI, I2C, and CAN connections that bring sensor data into a system.
EmSA-WP-101: Security Justification for Classical CAN
Hosted at esacademy.com.
Discusses when a documented security justification can serve in place of a full risk assessment for low-risk classical CAN systems with strong physical access controls, including the documentation auditors expect.
Regulations
- EU Cyber Resilience Act — official text on EUR-Lex: Regulation (EU) 2024/2847. See also the CRA Annex I requirements matrix for a CAN-focused mapping of each requirement to the defensive measures on this site.
- EU NIS 2 Directive — official text on EUR-Lex: Directive (EU) 2022/2555.
- EU Machinery Regulation — official text on EUR-Lex: Regulation (EU) 2023/1230.
- EU Radio Equipment Directive (RED) — official text on EUR-Lex: Directive 2014/53/EU. Its delegated regulation activates cybersecurity requirements for radio-equipped products, addressed by the EN 18031 series.
Standards and Guidelines
- IEC 62443 — series overview at IEC Cyber Security.
- ETSI EN 303 645 — Cybersecurity for consumer IoT: ETSI EN 303 645.
- NIST SP 800-82 — Guide to Operational Technology Security: NIST SP 800-82 Rev. 3.
- BSI TR-02102 — Cryptographic recommendations: BSI TR-02102.
- NIST SP 800-57 — Recommendation for Key Management: NIST SP 800-57 Part 1 Rev. 5.
- NIST SP 800-30 — Guide for Conducting Risk Assessments: NIST SP 800-30 Rev. 1.
- FIPS 140-2 / 140-3 — Security Requirements for Cryptographic Modules: FIPS 140-3.
SPsec Specification Documents
The full SPsec specification set (documents 101 through 302) is published on esacademy.com.
Frequently Asked Questions
Where can I download the EmSA white papers?
All EmSA security white papers are listed at esacademy.com/en/library/security-white-papers.html with PDF download links. Direct deep links may change as new revisions are published; the library page is the stable entry point.
Are the SPsec specifications publicly available?
Yes. The SPsec project page on esacademy.com hosts the specification documents (SPsec 101 through 302). They are intended for public review and implementation.