The cleanest defense is the one that never has to engage.

Access Limitation — Perimeter Shell (Out of Scope)

Physical and logical access limitation around a CAN network is a perimeter shell rather than a CAN-specific control. It is out of scope for this reference because general industrial cybersecurity standards apply directly. The Defense in Depth page under Risk Assessment lists it as one of the perimeter areas acknowledged but not detailed here.

Where to Look

Apply the standard industrial cybersecurity practice around the CAN segments rather than within them. IEC 62443-3-3 SR 1.x (Identification and authentication control), SR 2.x (Use control), and SR 5.x (Restricted data flow / zone-and-conduit) cover the system-level controls. NIST SP 800-82 Section 6 (physical security) and its OT firewalling and remote-access guidance complement this for operational-technology contexts. ISO/IEC 27001 Annex A.5–A.9 give the management-system view (asset inventory, access control policy, identity lifecycle). The bus-side shells covered in this reference assume access limitation is in place; see Defense in Depth for the CAN-specific shells.

Frequently Asked Questions

Why is access limitation out of scope for this reference?

Access limitation, including physical enclosure, logical gating at gateways, and diagnostic-port authentication, is a perimeter shell around the CAN network rather than a CAN-specific control. General industrial cybersecurity standards (IEC 62443-3-3, NIST SP 800-82, ISO/IEC 27001) cover it well; this reference focuses on the bus-side, CAN-specific shells where less mature guidance exists.

Which standards should I consult for access limitation on a CAN system?

IEC 62443-3-3 SR 1.x (Identification and authentication control), SR 2.x (Use control), and SR 5.x (Restricted data flow / zone-and-conduit) for the system-level controls. NIST SP 800-82 for OT firewalling and remote-access guidance. ISO/IEC 27001 Annex A.5–A.9 for the management-system view. Apply these around the CAN segments rather than within them.