Secure Gateways — Perimeter Shell (Out of Scope)
Gateways, routers, bridges, and repeaters that connect a CAN network to other networks are perimeter coupling devices rather than CAN-specific controls. They are out of scope for this reference because general industrial cybersecurity standards apply directly. The Defense in Depth page under Risk Assessment lists this as one of the perimeter areas acknowledged but not detailed here, with the framing that "every link leaving CAN is a conduit risk".
Where to Look
Treat each coupling device as a conduit between zones with explicit trust levels. IEC 62443-3-3 SR 5.x (Restricted data flow / zone-and-conduit) governs the boundary; SR 7.6 (Network and security configuration settings) requires minimizing services, ports, and protocols. NIST SP 800-82 covers OT firewalling, remote-access design, and intrusion detection at the gateway. For external channels, TLS-PSK (RFC 4279) and cTLS are the practical choices on resource-constrained gateways. The CAN-specific shells covered elsewhere in this reference assume the gateway perimeter is in place; see Defense in Depth for the bus-side shells that pick up where the perimeter stops.
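As an added illustration of the zone-and-conduit framing above (example code written for this page, not code from this reference or from any gateway product), the model below treats a CAN coupling device as a default-deny conduit between zones with declared trust levels: only allowlisted identifiers cross per direction, and any flow into a more-trusted zone must carry a rate limit. Zone names, trust levels and CAN identifiers are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    can_id: int     # 11-bit or 29-bit extended identifier
    dlc: int        # data length code; classic CAN allows 0..8
    src_zone: str   # zone the frame arrived from

@dataclass
class ConduitPolicy:
    """Default-deny forwarding policy for a gateway joining zones of explicit trust."""
    trust: dict                                # zone -> trust level, higher = more trusted
    allow: dict = field(default_factory=dict)  # (src, dst) -> {can_id: frames/second or None}
    seen: dict = field(default_factory=dict)   # (src, dst, can_id, second) -> frames counted

    def permit(self, src, dst, can_id, per_second=None):
        """Open one conduit entry; flows into a more-trusted zone must be rate limited."""
        if src not in self.trust or dst not in self.trust:
            raise ValueError("conduits may only join declared zones")
        if self.trust[dst] > self.trust[src] and per_second is None:
            raise ValueError("ingress to a more-trusted zone needs a rate limit")
        self.allow.setdefault((src, dst), {})[can_id] = per_second

    def decide(self, frame, dst, now):
        """Return (forward, reason); anything not explicitly allowed is dropped."""
        src = frame.src_zone
        if src not in self.trust or dst not in self.trust or src == dst:
            return False, "undeclared zone or intra-zone traffic"
        if not 0 <= frame.dlc <= 8 or not 0 <= frame.can_id <= 0x1FFFFFFF:
            return False, "malformed frame"
        rules = self.allow.get((src, dst), {})
        if frame.can_id not in rules:
            return False, "no conduit rule for this identifier"
        limit = rules[frame.can_id]
        if limit is not None:  # per-second budget protects the more-trusted zone from floods
            key = (src, dst, frame.can_id, int(now))
            self.seen[key] = self.seen.get(key, 0) + 1
            if self.seen[key] > limit:
                return False, "rate limit exceeded"
        return True, "forwarded"

def demo():
    """Constructed sample: plant LAN (trust 1) coupled to the CAN bus (trust 3)."""
    policy = ConduitPolicy(trust={"plant_lan": 1, "can_bus": 3})
    policy.permit("plant_lan", "can_bus", 0x123, per_second=2)  # one command ID, throttled
    policy.permit("can_bus", "plant_lan", 0x200)                # one telemetry ID exported
    traffic = [(0.0, Frame(0x123, 8, "plant_lan"), "can_bus"), (0.1, Frame(0x123, 8, "plant_lan"), "can_bus"),
               (0.2, Frame(0x123, 8, "plant_lan"), "can_bus"), (0.3, Frame(0x7DF, 8, "plant_lan"), "can_bus"),
               (0.4, Frame(0x200, 4, "can_bus"), "plant_lan"), (0.5, Frame(0x201, 4, "can_bus"), "plant_lan")]
    return [policy.decide(frame, dst, t)[0] for t, frame, dst in traffic]  # [True, True, False, False, True, False]
```

The third 0x123 frame is dropped because it exceeds the two-per-second budget, and 0x7DF and 0x201 are dropped because no conduit rule names them.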
Frequently Asked Questions
Why are CAN gateways out of scope for this reference?
Gateways, routers, bridges, and repeaters that bridge between CAN and other networks are perimeter coupling devices rather than CAN-specific controls. The hardening they need (firewall rules, TLS-PSK or cTLS for external channels, zone-and-conduit boundaries) is general industrial cybersecurity practice and is well covered by IEC 62443-3-3 SR 5.x and NIST SP 800-82.
Which standards should I consult for CAN gateway security?
IEC 62443-3-3 SR 5.x for zone-and-conduit and restricted data flow; SR 7.6 for minimizing services and ports; NIST SP 800-82 for OT firewalling and remote-access patterns. For the CAN-specific concern that "every link leaving CAN is a conduit risk", the Defense in Depth page under Risk Assessment covers how the bus-side shells assume the gateway perimeter is in place.