CAN Security Solutions
The catalog of in-scope defensive controls for CAN and CAN FD systems. The entries cover frame-level prevention and detection, application-layer access control, audit logging, authenticated firmware update, and the system-level zoning that decides where each control lives. See Defense in Depth for how to layer them into a posture that meets your IEC 62443 security level, and Threats for what each one defends against.
Solutions Available Today
Each entry below is a defensive control on the CAN side of the system. Click through for the technical depth, the IEC 62443 mapping, and references to the implementations that realize each control. Each per-node shell occupies one column of the threat matrix below; Zoning / Segmentation and Secure Bootloader are system-level measures applied selectively, and are treated separately in the prose below the matrix.
- Bus Load Monitoring: Physical layer · non-cryptographic. Tracks bus load percentage over one or more time windows, optionally also counting error frames on the bus; surfaces availability impairment (flooding, error-frame storms, sabotage) to the security event log. Per-CAN-ID timing anomalies and directed attacks belong to Anomaly Event Monitoring. Mapping: SR 7.x.
- Local Injection Detection: Data-Link / Network · non-cryptographic. Each legitimate sender watches for impersonation of its own CAN IDs and raises an alarm when an unexpected source transmits one of them. Mapping: SR 3.x.
- Frame Security: Data-Link / Network · cryptographic. Authenticated encryption on every protected frame prevents injection and replay outright and provides confidentiality where the deployment requires it. Mapping: SR 1.x, SR 3.x, SR 4.x.
- Anomaly Event Monitoring: Cross-cutting (Data-Link → Presentation) · non-cryptographic. A dedicated monitor inspects the whole bus, applies anomaly rules, and emits an auditable event log; the system-wide complement to per-node Local Injection Detection. Mapping: SR 6.x.
- Secure Object Fieldbus Access (SOFA): Application layer · cryptographic. Authenticated and encrypted access to fieldbus objects such as CANopen Object Dictionary entries and equivalent constructs on other higher-layer protocols, protecting configuration parameters, calibration data, and process variables at the application level. Mapping: SR 1.x, SR 2.x, SR 3.x, SR 4.x.
- Zoning / Segmentation: System level · architectural · non-cryptographic. Divides the CAN system into separate segments by risk profile, with controlled bridges between them. Lets classical CAN stay where wiring is physically protected and pushes CAN FD with frame protection onto segments where connectors or wires are more exposed. Mapping: IEC 62443-3-2, SR 5.x.
- Secure Bootloader: System level · architectural · cryptographic. Authenticated firmware update using a pre-shared key and authenticated encryption, with challenge/response gating and secure boot at startup. The control that gates what gets installed on the device in the first place. Mapping: CRA Art. 13.2c, SR 4.1, SR 4.3.
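The three non-cryptographic monitors in the list above all work from the same raw material, the sequence of frames and error frames observed on the bus, so one added example covers Bus Load Monitoring, Local Injection Detection and Anomaly Event Monitoring together. This is illustrative code written for this page, not any product's implementation: the bit rate, window size, alarm thresholds, the cyclic schedule (0x100 every 10 ms from ecu1, 0x200 every 20 ms from ecu2) and the trace itself are constructed assumptions, and the frame-length estimate ignores bit stuffing. The trace contains an impersonated 0x100 frame, an unscheduled ID, a flood in the 200 to 300 ms window and an error-frame storm after it; the per-node detector on ecu1 reports through the Anomaly Event Monitor, since regular CAN traffic gives it no other path.

```python
"""Bus Load Monitoring, Local Injection Detection and Anomaly Event Monitoring
run over a constructed CAN trace. Thresholds, IDs, periods and the trace itself
are assumptions made for this example."""
from collections import deque

BITRATE = 500_000       # bit/s; assumed classical CAN segment
WINDOW_US = 100_000     # assumed 100 ms load window
LOAD_ALARM = 0.80       # assumed: alarm above 80 % bus load
ERROR_ALARM = 10        # assumed: alarm at 10 or more error frames per window
EXPECTED_PERIOD_US = {0x100: 10_000, 0x200: 20_000}   # assumed cyclic schedule


def frame_bits(dlc):
    """Approximate wire length of an 11-bit-ID classical frame incl. IFS, no stuffing."""
    return 47 + 8 * dlc


class AnomalyEventMonitor:
    """Bus-wide monitor: applies per-ID rules and owns the auditable event log.
    It is also the reporting path for alarms raised by the per-node detector."""
    def __init__(self):
        self.events, self.last_seen, self.unknown = [], {}, set()   # events: (t_us, rule, detail)

    def report(self, t_us, rule, detail):
        self.events.append((t_us, rule, detail))

    def observe(self, t_us, can_id):
        period = EXPECTED_PERIOD_US.get(can_id)
        if period is None:
            if can_id not in self.unknown:            # log each unscheduled ID once
                self.unknown.add(can_id)
                self.report(t_us, "UNKNOWN_ID", f"0x{can_id:03X}")
            return
        last = self.last_seen.get(can_id)
        if last is not None and t_us - last < period // 2:   # far too early: burst or injection
            self.report(t_us, "PERIOD_ANOMALY", f"0x{can_id:03X} after {t_us - last} us")
        self.last_seen[can_id] = t_us


class BusLoadMonitor:
    """Bus load and error-frame count per fixed window (Bus Load Monitoring)."""
    def __init__(self, aem):
        self.aem, self.idx, self.bits, self.errors = aem, None, 0, 0

    def feed(self, t_us, dlc, is_error):
        idx = t_us // WINDOW_US
        if idx != self.idx:
            self.close()
            self.idx = idx
        if is_error:
            self.errors += 1
        else:
            self.bits += frame_bits(dlc)

    def close(self):
        """Evaluate the open window; call once more at the end of the trace."""
        if self.idx is None:
            return
        t0 = self.idx * WINDOW_US
        load = self.bits / (BITRATE * WINDOW_US / 1_000_000)
        if load > LOAD_ALARM:
            self.aem.report(t0, "BUS_LOAD", f"{load:.0%}")
        if self.errors >= ERROR_ALARM:
            self.aem.report(t0, "ERROR_STORM", f"{self.errors} error frames")
        self.bits, self.errors = 0, 0


class LocalInjectionDetector:
    """Runs on one sender: any of its own IDs seen on the bus must match a frame it
    queued itself; anything else is impersonation (Local Injection Detection)."""
    def __init__(self, own_ids, aem):
        self.own_ids, self.aem, self.pending = set(own_ids), aem, deque()

    def transmitted(self, can_id):      # hooked into the node's own TX path
        self.pending.append(can_id)

    def observe(self, t_us, can_id):    # called for every frame seen on the bus
        if can_id not in self.own_ids:
            return
        if self.pending and self.pending[0] == can_id:
            self.pending.popleft()      # our own frame, echoed back by the bus
        else:
            self.aem.report(t_us, "LOCAL_INJECTION", f"0x{can_id:03X} not sent by this node")


def constructed_log():
    """Constructed trace of (t_us, src, can_id, dlc, is_error). src only drives
    ecu1's TX bookkeeping in the simulation; a real node never sees a source."""
    log = [(t, "ecu1", 0x100, 8, False) for t in range(0, 400_000, 10_000)]
    log += [(t + 3_000, "ecu2", 0x200, 4, False) for t in range(0, 400_000, 20_000)]
    log.append((24_000, "attacker", 0x100, 8, False))             # impersonates ecu1
    log.append((26_000, "attacker", 0x7FF, 8, False))             # ID not in the schedule
    log += [(200_000 + i * 250, "attacker", 0x000, 8, False) for i in range(400)]  # flood
    log += [(300_000 + i * 1_000, "", 0, 0, True) for i in range(12)]               # error storm
    return sorted(log)


def run(log=None):
    aem = AnomalyEventMonitor()
    blm = BusLoadMonitor(aem)
    ecu1 = LocalInjectionDetector({0x100}, aem)
    for t_us, src, can_id, dlc, is_error in (constructed_log() if log is None else log):
        blm.feed(t_us, dlc, is_error)
        if is_error:
            continue
        if src == "ecu1":
            ecu1.transmitted(can_id)
        ecu1.observe(t_us, can_id)
        aem.observe(t_us, can_id)
    blm.close()
    return aem.events


if __name__ == "__main__":
    print(*run(), sep="\n")
```

The event log comes out in time order: LOCAL_INJECTION and PERIOD_ANOMALY at 24 ms for the spoofed frame, one UNKNOWN_ID each for 0x7FF and 0x000, BUS_LOAD (about 92 %) for the flooded window and ERROR_STORM for the last one. The load monitor cannot say which ID is flooding; that attribution is the anomaly monitor's job, which is why the catalog keeps the two controls apart.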
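Added example, not the page's or any vendor's implementation, of the authentication and freshness half of Frame Security: the sender prepends a per-ID monotonic counter to the data and appends a tag computed over (ID, counter, data); the receiver checks the tag before it looks at the counter and advances its replay window only after both checks pass. HMAC-SHA256 truncated to 8 bytes stands in for the AEAD tag because the Python standard library has no AEAD, so the confidentiality part of the entry is not shown; the counter width, tag width and key are assumptions.

```python
"""Frame authentication with a per-ID freshness counter, the anti-injection and
anti-replay half of Frame Security. HMAC-SHA256 truncated to 8 bytes replaces
the AEAD tag of the catalog entry; confidentiality is not shown."""
import hashlib
import hmac
import struct

CTR_LEN = 4                          # assumed: 32-bit monotonic counter per CAN ID
TAG_LEN = 8                          # assumed: 64-bit truncated tag
MAX_DATA = 64 - CTR_LEN - TAG_LEN    # what a CAN FD payload leaves for data


def _tag(key, can_id, ctr, data):
    # The ID is part of the MAC input, so a valid frame cannot be re-sent under another ID.
    return hmac.new(key, struct.pack(">HI", can_id, ctr) + data, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key):
        self.key, self.ctr = key, {}

    def protect(self, can_id, data):
        if len(data) > MAX_DATA:
            raise ValueError("data does not fit beside counter and tag")
        ctr = self.ctr.get(can_id, 0) + 1
        if ctr >= 2 ** 32:
            raise RuntimeError("counter exhausted: rekey before continuing")
        self.ctr[can_id] = ctr
        return can_id, struct.pack(">I", ctr) + data + _tag(self.key, can_id, ctr, data)


class Receiver:
    def __init__(self, key):
        self.key, self.last = key, {}

    def verify(self, can_id, payload):
        """Return (accepted, reason, data). The counter is advanced only after the
        tag has checked out, so forged frames cannot move the replay window."""
        if len(payload) < CTR_LEN + TAG_LEN:
            return False, "short", None
        ctr = struct.unpack(">I", payload[:CTR_LEN])[0]
        data, tag = payload[CTR_LEN:-TAG_LEN], payload[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, ctr, data)):
            return False, "bad tag", None          # injected, tampered or wrong ID
        if ctr <= self.last.get(can_id, 0):
            return False, "replay", None           # genuine frame, stale counter
        self.last[can_id] = ctr
        return True, "ok", data


def demo():
    """Constructed exchange: one legitimate frame and the attacks against it."""
    key = bytes(range(16))                         # constructed key
    tx, rx = Sender(key), Receiver(key)
    cid, frame = tx.protect(0x123, b"\x01\x02\x03\x04")
    results = {"fresh": rx.verify(cid, frame)[1],          # accepted
               "replayed": rx.verify(cid, frame)[1]}       # same frame again: replay
    tampered = frame[:CTR_LEN] + b"\xff\xff\xff\xff" + frame[CTR_LEN + 4:]
    results["tampered"] = rx.verify(cid, tampered)[1]      # data changed: bad tag
    results["other_id"] = rx.verify(0x124, frame)[1]       # re-sent under another ID: bad tag
    _, forged = Sender(b"guess" * 4).protect(0x123, b"\x01\x02\x03\x04")
    results["no_key"] = rx.verify(cid, forged)[1]          # attacker without the key: bad tag
    _, frame2 = tx.protect(0x123, b"\x05")
    results["next"] = rx.verify(cid, frame2)[1]            # next counter value: accepted
    return results
```

Two practical points the code makes explicit: the counter travels in the clear and must never wrap, so the sender refuses to continue rather than reuse a value, and a node that loses its counter on reset needs a resynchronization step that this example does not include.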
Solution × Threat Matrix
Coverage of each defensive shell against threats and CRA / IEC 62443 requirements.
| Threat | Bus Load Monitoring | Local Injection Detection* | Frame Security | Anomaly Event Monitoring | Secure Object Fieldbus Access† |
|---|---|---|---|---|---|
| Sniffing | — | — | ✓ | — | ✓ |
| Injection or Replay | — | partial | ✓ | partial | ✓ |
| Node Spoofing | — | partial | ✓ | partial | ✓ |
| Bus Flooding | ✓ | — | — | partial | — |
| Configuration Tampering | — | partial | partial | partial | ✓ |

| Requirement | Bus Load Monitoring | Local Injection Detection* | Frame Security | Anomaly Event Monitoring | Secure Object Fieldbus Access† |
|---|---|---|---|---|---|
| Confidentiality | — | — | ✓ | — | ✓ |
| Integrity | — | partial | ✓ | partial | ✓ |
| Node Authentication | — | — | partial | — | ✓ |
| Configuration Protection | — | — | partial | partial | ✓ |
| Bus Flooding Detection | ✓ | — | — | partial | — |
| Security Event Log | ✓ | ✓ | partial | ✓ | partial |
| IEC 62443 SL1 | — | — | — | — | — |
| IEC 62443 SL2 | partial | partial | partial | partial | partial |
| IEC 62443 SL3 | partial | partial | ✓ | ✓ | ✓ |
Legend: ✓ primary fit · partial contributes but not standalone · dash not applicable.
* Local injection detection raises an alarm on the node whose ID was spoofed. Acting on that alarm requires a channel that reaches beyond the local node; regular CAN communication does not provide one, so the alarm has to be reported via Anomaly Event Monitoring or an equivalent out-of-bus path.
† Secure Object Fieldbus Access covers only the Object Dictionary entries that are marked as security-protected, not every object.
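To make the † footnote concrete, here is an added example, written for this page rather than SOFA's or any CANopen stack's own code, of an Object Dictionary in which only some entries are marked as security-protected. Plain SDO-style reads and writes reach the unprotected entries; a protected entry only answers a request that carries a monotonic sequence number and a tag over (seq, op, index, value) under the pre-shared key. HMAC-SHA256 replaces the authenticated encryption of the catalog entry, so the values travel unencrypted here; the indices, values and keys are constructed.

```python
"""Object-level access control for Object Dictionary entries marked as
security-protected. HMAC-SHA256 stands in for the authenticated encryption of
the catalog entry; indices, values and keys are constructed for this example."""
import hashlib
import hmac
import struct

READ, WRITE = 1, 2


def _mac(psk, seq, op, index, value):
    """8-byte authenticator over the whole request, so no field can be altered in transit."""
    return hmac.new(psk, struct.pack(">IBHI", seq, op, index, value), hashlib.sha256).digest()[:8]


class ObjectDictionary:
    """Server side: an SDO-style access path with a per-object protection flag."""
    def __init__(self, psk):
        self.psk, self.last_seq, self.log = psk, 0, []     # log: refused accesses, for audit
        self.objects = {                                   # constructed dictionary
            0x1018: {"value": 0x1234, "protected": False},   # device identity
            0x2000: {"value": 50, "protected": False},       # plain process variable
            0x2100: {"value": 100, "protected": True},       # calibration gain
            0x2101: {"value": 3, "protected": True},         # safety limit
        }

    def _refuse(self, index, reason):
        self.log.append((index, reason))
        return reason, None

    def access(self, op, index, value=0, seq=None, mac=None):
        """Return (status, value). Unprotected objects take plain requests;
        protected ones need a valid authenticator with a fresh sequence number."""
        obj = self.objects.get(index)
        if obj is None:
            return self._refuse(index, "no such object")
        if obj["protected"]:
            if seq is None or mac is None:
                return self._refuse(index, "denied: unauthenticated")
            if not hmac.compare_digest(mac, _mac(self.psk, seq, op, index, value)):
                return self._refuse(index, "denied: bad mac")
            if seq <= self.last_seq:                 # checked after the MAC, like a frame counter
                return self._refuse(index, "denied: replay")
            self.last_seq = seq
        if op == WRITE:
            obj["value"] = value
        return "ok", obj["value"]


class AuthenticatedClient:
    """Client side holding the same pre-shared key and a monotonic sequence number."""
    def __init__(self, psk):
        self.psk, self.seq = psk, 0

    def build(self, op, index, value=0):
        """Produce the arguments for ObjectDictionary.access, authenticator included."""
        self.seq += 1
        return op, index, value, self.seq, _mac(self.psk, self.seq, op, index, value)


def demo():
    """Constructed session: plain, authenticated, replayed and rogue accesses."""
    psk = bytes(range(32))                                               # constructed key
    od = ObjectDictionary(psk)
    good, rogue = AuthenticatedClient(psk), AuthenticatedClient(b"\x00" * 32)
    out = {}
    out["plain_write_open"] = od.access(WRITE, 0x2000, 60)[0]          # "ok"
    out["plain_read_protected"] = od.access(READ, 0x2100)[0]           # "denied: unauthenticated"
    out["plain_write_protected"] = od.access(WRITE, 0x2100, 999)[0]    # "denied: unauthenticated"
    out["auth_write_protected"] = od.access(*good.build(WRITE, 0x2100, 120))[0]   # "ok"
    read_req = good.build(READ, 0x2100)
    out["auth_read_protected"] = od.access(*read_req)[1]               # 120
    out["replayed_read"] = od.access(*read_req)[0]                     # "denied: replay"
    out["rogue_write"] = od.access(*rogue.build(WRITE, 0x2101, 0))[0]  # "denied: bad mac"
    out["limit_untouched"] = od.objects[0x2101]["value"]               # 3
    return out
```

Every refusal lands in `od.log`, which is the application-level counterpart of the security event log the matrix asks for; the replay check sits after the MAC check so that an attacker cannot advance `last_seq` with forged requests.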
Zoning / Segmentation is a system-level architectural pattern from IEC 62443 rather than a per-node defensive shell, which is why it has no column in the matrix. It divides the CAN system into separate segments by risk profile, with controlled bridges between them, and is applied selectively: classical CAN stays where wiring is physically protected, while CAN FD with frame protection covers segments where connectors or wires are more exposed.
Secure Bootloader is a composite control: depending on the implementation, it combines several of the security methods and shells listed above. It runs in a separate operation mode, typically diagnostic or maintenance, and not during regular operation; in industrial systems, firmware updates are not installed while the device is operating normally.
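The exchange the Secure Bootloader entry describes, as an added example written for this page rather than any product's bootloader: the device issues a nonce, only a correct response under the pre-shared key moves it into update mode, an image is accepted only if its tag verifies and its version is newer than the installed one, and at each start the device re-verifies the stored image before running it. HMAC-SHA256 stands in for the authenticated encryption named in the entry, so the image is authenticated but not encrypted here; versions, images and the key are constructed.

```python
"""Authenticated firmware update gated by challenge/response, with anti-rollback
and a secure-boot check at startup, all on one pre-shared key. HMAC-SHA256
replaces the authenticated encryption of the catalog entry, so the image
travels unencrypted in this example."""
import hashlib
import hmac
import os
import struct


def _mac(psk, *parts):
    return hmac.new(psk, b"".join(parts), hashlib.sha256).digest()


def _fw_tag(psk, version, image):
    # Version is bound into the tag so a valid image cannot be presented under a newer number.
    return _mac(psk, b"fw", struct.pack(">I", version), image)


class Device:
    """The ECU: normal mode until a valid response to its challenge opens update
    mode; every accepted image is re-verified at each boot."""
    def __init__(self, psk, version, image):
        self.psk, self.version, self.image = psk, version, image
        self.stored_tag = _fw_tag(psk, version, image)
        self.nonce, self.unlocked, self.log = None, False, []

    def challenge(self, nonce=None):
        self.nonce = nonce or os.urandom(16)        # fresh per attempt; injectable for tests
        self.unlocked = False
        return self.nonce

    def unlock(self, response):
        if self.nonce is None:
            return False
        self.unlocked = hmac.compare_digest(response, _mac(self.psk, b"auth", self.nonce))
        self.nonce = None                           # single use: a replayed response fails
        self.log.append(("UNLOCK", self.unlocked))
        return self.unlocked

    def install(self, version, image, tag):
        if not self.unlocked:
            status = "locked"
        elif not hmac.compare_digest(tag, _fw_tag(self.psk, version, image)):
            status = "bad tag"                      # not from the key holder, or corrupted
        elif version <= self.version:
            status = "rollback"                     # genuine but not newer: refuse downgrade
        else:
            self.version, self.image, self.stored_tag = version, image, tag
            status = "installed"
        self.unlocked = False                       # back to normal mode either way
        self.log.append(("INSTALL", version, status))
        return status

    def secure_boot(self):
        """Startup check: refuse to run an image whose stored tag no longer matches."""
        return hmac.compare_digest(self.stored_tag, _fw_tag(self.psk, self.version, self.image))


class UpdateTool:
    """Maintenance side holding the same pre-shared key."""
    def __init__(self, psk):
        self.psk = psk

    def respond(self, nonce):
        return _mac(self.psk, b"auth", nonce)

    def package(self, version, image):
        return version, image, _fw_tag(self.psk, version, image)


def demo():
    """Constructed session covering the gate, the update and the boot check."""
    psk = bytes(range(32))                                               # constructed key
    dev, tool = Device(psk, 3, b"firmware-v3"), UpdateTool(psk)
    out = {}
    out["no_unlock"] = dev.install(*tool.package(4, b"firmware-v4"))          # "locked"
    n = dev.challenge()
    out["wrong_key"] = dev.unlock(UpdateTool(b"\x00" * 32).respond(n))       # False
    out["after_wrong_key"] = dev.install(*tool.package(4, b"firmware-v4"))    # "locked"
    n = dev.challenge()
    good_response = tool.respond(n)
    dev.unlock(good_response)
    out["install"] = dev.install(*tool.package(4, b"firmware-v4"))           # "installed"
    dev.challenge()
    out["replayed_response"] = dev.unlock(good_response)                     # False: new nonce
    dev.unlock(tool.respond(dev.challenge()))
    out["rollback"] = dev.install(*tool.package(2, b"firmware-v2"))          # "rollback"
    dev.unlock(tool.respond(dev.challenge()))
    v, img, tag = tool.package(5, b"firmware-v5")
    out["corrupt_image"] = dev.install(v, img + b"\x00", tag)                # "bad tag"
    out["boot_ok"] = dev.secure_boot()                                       # True
    dev.image = b"firmware-v4-implant"                                       # simulate flash tampering
    out["boot_tampered"] = dev.secure_boot()                                 # False
    return out
```

The rollback check runs only after the tag has verified, so a forged header cannot make the device refuse a legitimate newer image, and `unlocked` is cleared after every install attempt so each update needs a fresh challenge; that is the separate operation mode described above, entered deliberately and left again rather than available during regular operation.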
Frequently Asked Questions
What is the difference between Solutions and Defense in Depth on this site?
Solutions is the catalog of individual defensive controls and what each one does at the protocol or application level. Defense in Depth is the strategy layer that explains how to combine those controls into layered protection for a given threat profile and IEC 62443 security level. Use Solutions to look up what a specific control does; use Defense in Depth to decide which combination fits your system.
Which solution do I need for IEC 62443 SL3?
Reaching SL3 typically requires cryptographic frame authentication. Frame Security is the primary control. Pair it with Anomaly Event Monitoring for SR 6.x audit logging and, where the application layer matters, Secure Object Fieldbus Access for object-level integrity and confidentiality.
Can these solutions be combined?
Yes, and most non-trivial deployments combine several. The catalog entries are deliberately complementary: detection controls (Bus Load Monitoring, Local Injection Detection, Anomaly Event Monitoring) surface attacks that the cryptographic controls (Frame Security, Secure Object Fieldbus Access) are designed to prevent; Zoning and Segmentation partitions the system so the right control applies at the right exposure level; Secure Bootloader gates what code runs in the first place. See Defense in Depth for guidance on which combinations match a given IEC 62443 security level.