Six questions that map your system to the controls it actually needs.

Mitigation Flowchart

Our six-step flowchart gives first guidance on which CAN security mitigations to apply. Each step poses one question about your system, and the answer points to the control to add before you move on. The questions run from the least invasive change, protecting an existing gateway or limiting physical access, to the most invasive, updating node firmware to add authentication and possibly encryption. Our goal is that you add only what your exposure requires.

Start Here If You Do Not Know Where to Start

If you have not yet decided which mitigations your CAN or CAN FD system needs, work down the six questions in the flowchart below to get first guidance. Each numbered decision asks one thing about your system. The answer points to a potential control to add before moving on. The order is deliberate. The earlier steps protect what is already there and limit who can reach the bus, the middle step reshapes the network, and the later steps change the nodes themselves. The annotations on the right of the chart show the rising cost of each band: logical and physical access limitation first, then additional hardware, then a firmware or hardware security update of the nodes.
Treat the result as first guidance, then confirm it with a structured risk assessment.

Six-step CAN
            security mitigation flowchart, running from the initial
            fieldbus security evaluation down to a secured fieldbus,
            with each numbered decision routing to the control to add.
The six-step mitigation flow. Each numbered decision points to the control to add before moving to the next question.

0. Secure Bootloader Comes First

This step carries the number zero because it is not really a question. The flowchart branches on properties of your system, but a secure bootloader is required anyway, so it sits before step one rather than inside the chart. The CRA requires that vulnerabilities can be fixed through security updates, and IEC 62443 expects authenticated firmware update and secure boot. An update channel that does not authenticate what it installs becomes the easiest way to defeat every control you add later. For a product in scope of the CRA or IEC 62443 you therefore do not really have a choice: put an authenticated bootloader and secure boot in place first, then work through the six questions below.
See Secure Bootloader.

1. Protect the Gateways

The first question in the chart asks whether the system has any gateways. A gateway is any node that bridges the CAN network to any other network, such as a backend system, a remote-service link or just another neighboring fieldbus. Where they exist, they are exposed entry points, because an attacker who never touches the wiring can still reach the bus through them. If the answer is yes, ensure gateway protection before anything else: harden the gateways, authenticate what crosses them, and treat them as the boundary of trust.
See Secure Gateways and Access Limitation.

2. Limit Physical Access and Security Event Monitoring

The second step asks whether anyone can gain physical access to the CAN bus, its wiring, or its connectors. If a person can reach the bus, they can listen to every frame and inject their own, so this question matters even when no gateway exists. The chart gives two responses. First, verify if you can improve access limitation so the wiring and connectors are harder to reach. Second, add security monitoring so that tampering and abnormal traffic are detected rather than silent.
See Access Limitation, Bus Load Monitoring and Anomaly Event Monitoring.

3. Contain Exposure to a Segment

The third step asks whether the exposure identified so far is limited to one segment. If it is not, the exposed portion of the network can be used to reach all nodes. The mitigation is to add security bridges: divide the system into zones by risk profile and place controlled bridges between them, so classical CAN can stay where the wiring is physically protected while exposed areas sit behind a bridge running a secure protocol. This is the first step that adds new hardware to the system.
See Zoning / Segmentation.

4. Authenticate Nodes and Lock Configuration

The fourth step asks whether you need to verify the authenticity and configuration of the nodes themselves, that is, to be certain which node sent a given message and that its settings have not been altered. If so, add node authentication and configuration locks as provided by SOFA. Authenticated access to configuration objects keeps parameters and calibration data from being changed by an unauthorized party. From this step onward the chart notes that a firmware or hardware security update of the affected nodes is required.
See Secure Object Fieldbus Access.

5. Encrypt Messages That Need Privacy

This step asks whether message contents must remain private. Some process data, calibration values, or key material must not be readable by anyone listening on the bus. If privacy is required, add message encryption on the frame level. Authenticated encryption on each protected frame keeps its payload confidential while also detecting tampering, so confidentiality and integrity come together rather than as separate add-ons.
See Frame Security.

6. Authenticate Messages That Need Integrity

The last step asks whether message authenticity must be guaranteed without confidentiality, so that a receiver can confirm a frame is genuine and unmodified rather than injected or replayed. If so, add message authentication only. An authentication tag on each protected frame lets receivers reject anything that was not sent by a legitimate, keyed node.
See Frame Security.


Frequently Asked Questions

How do I use this mitigation flowchart?

Work down the six steps in order. Each step poses one question about your system, and the answer points to the control to add. The steps are ordered from the least invasive change, such as protecting an existing gateway or limiting physical access, to the most invasive, such as updating node firmware to add authentication, so you add only what your exposure actually requires.

Do I have to apply every step?

No. Each step is conditional on a property of your system. If there is no gateway, step 1 does not apply. If the bus is already confined to a protected segment, step 3 adds nothing. The flowchart is first guidance for teams who do not yet know which controls they need, not a mandatory checklist. A full risk assessment refines and confirms the result.

Where does this flowchart fit with the rest of the site?

It is an entry point into the Solutions catalog. Each step links to the control that implements it, and the catalog carries the full threat-by-control matrix. For how to combine several controls into layered protection for a given IEC 62443 security level, see Defense in Depth under Risk Assessment.