Securing CAN Networks in Commercial Vehicles
A CAN transceiver with built-in security functions can avoid the complexity of end-to-end security that is especially hard to implement on CVs.
Commercial road vehicles are the backbone of the modern consumer economy. Almost any business from construction, to energy, to online retail at some point relies on the delivery of goods by commercial vehicles, which in turn are becoming increasingly connected both to the external world and to each other via telematics. This enables CV owners to optimize and manage their fleets via platooning for safety and efficiency improvements as well as cost and fuel-consumption reduction to meet the increasingly stringent CO2 emissions requirements necessitated by climate change. However, the increased connectivity brings with it an increase in cyberattack surfaces and CV fleets are prime targets for cybercrime due to the high value of the cargo they carry, and their importance to large businesses and the greater economy.
While CV manufacturers are familiar with and prepared for the risk of physical attacks – typically carried out on one vehicle, such as odometer manipulation or theft – they may risk being caught by surprise at the scale and impact of what is possible with remote cyberattacks. Hackers can exploit a vehicle’s wireless network or internet connection to gain entry into the vehicle’s communication network and compromise security to access a vehicle’s CAN (Controller Area Network) and take over remote management of the vehicle while it is in motion.
Modern ECUs in commercial vehicles run on millions of lines of code, which opens up vulnerabilities for compromising them. Even conservative estimates predict a bug every 1000 lines of code. A range of activities can then be carried out with malicious intent from fraudulent manipulation of data to complete control of safety-critical functions such as steering, acceleration and braking. Location tracking and theft are also among the potential motivations for hackers to inject malicious CAN data frames into the CAN network.
UNECE R155: Mandatory cybersecurity compliance
Risks of malicious cyberattacks are relatively new to commercial vehicles, and industry experts are looking at several approaches to mitigate these risks. However, there is already the expectation from regulatory bodies such as UNECE (United Nations Economic Commission for Europe) that it is no longer a question of if there is an attack but when there is an attack on a vehicle network. This has resulted in mandatory cybersecurity compliance regulation R155, which is applicable at first for new vehicle types but will then become applicable to all vehicles on the road, increasing the sense of urgency for the implementation of cybersecurity measures within vehicles that will be on the road in one of the 54 countries that are party to the agreement.
R155 has explicit requirements, such as “The vehicle shall verify the authenticity of the messages it receives,” because in CAN data link layer communication, the sender is unknown and the intended receiver acts on a CAN data frame it receives, even if spoofed. Other requirements are important for safety, such as “Measures to detect and recover from a denial-of-service attack shall be employed,” because a jammed CAN network could prevent the timely transmission of control and safety-critical messages. This makes it important not only to detect attacks and implement fixes to avoid a repeat, but also to find ways to prevent them from causing harm in the first place.
Commercial-vehicle security challenges
Absence of a standard for secure communication – Several OEMs that make passenger vehicles protect their CAN network via secure onboard communication implementation of Autosar SecOC. However, commercial vehicles employ the CAN-based SAE J1939 higher-layer protocol, which does not yet provide standardized cybersecurity measures. For example, there is no way to authenticate the origin of the message. There are ongoing efforts to arrive at a secure communication standard for J1939, but this is still being finalized.
Long life platforms with legacy ECUs and architectures – Eventually there will be a secure communication standard on J1939 called the J1939-91C. However, implementation would require microcontrollers supporting cryptographic functions. As most CVs have a long lifetime once commercially released, there is typically several microcontrollers without the required security features, not only the advanced ones for hardware acceleration of cryptographic key generation, but also more basic features of modern microcontrollers such as secure boot.
Another vulnerability from the long life of CV platforms is that these architectures were not designed with security as a focus. Therefore, they do not have sufficient network separation between the individual CAN branches, leaving a wider footprint of vulnerable devices in the event of an attack. To be able to implement such a secure communication standard effectively once released would still require a major in-vehicle network overhaul to implement. Moreover, there is a lot of know-how and infrastructure that will need to be put in place before the standards are widely adopted within the supply chain. This would still be out of reach for smaller truck and bus OEMs.
Custom security solutions are complex and prohibitive – As the owner of security in the vehicle, some passenger vehicle makers opt to secure their networks with custom security implementations despite the large one-time expense due to the security benefits they perceive. However, implementation of a custom end-to-end security solution is a challenge for commercial vehicle OEMs as they don’t build the entire truck themselves but rather bring together different subassemblies that are integrated into the vehicle.
Cryptographic security solutions that require complex software implementations also can be cumbersome for the CV manufacturer’s security teams to coordinate across their vast swath of suppliers. This would be an integration and testing nightmare. Besides, most smaller OEMs buy off-the-shelf solutions, thus providing little room for the Tier-1 supplier to take on such one-off security projects.
Open architectures – Commercial vehicles are susceptible to malicious access to the vehicle network from the way they are constructed. As a single CV chassis can be transformed into several different variants, this means that the CAN network might well come all the way to the exterior of the vehicle – for example, to establish the connection between the vehicle chassis and a trailer. These could become easy entry points to malicious hackers. As the vehicle is put together from different subassemblies, the suppliers need to be able to secure each subassembly’s network locally, and independently, so that when they come together at the OEM, there aren’t additional security vulnerabilities introduced.
Affordable security is a must – Last but not the least is the commercial aspect of implementing security measures. While there is an increasing number of commercial vehicles hitting the road, driven by demand from industries such as construction and e-commerce, the numbers are still vastly lower than those of passenger cars. This places significant pressure on the development costs of CVs. CV security solutions, therefore, need to not only be easy to implement but also affordable.
Secure CAN transceivers
These challenges highlight the need for an affordable and easy to configure, integrate and validate solution. One possibility is Secure CAN transceivers, which can serve to ensure authentication of communication on a local network – i.e., for CAN data frames not transmitted over a gateway. It does so using a configurable transmission pass-list, or list of user pre-configured CAN-IDs, built into the transceiver itself. This ensures that the local host is only allowed to send these legitimate CAN data frames.
A CAN-ID block-list ensures that no other node uses the CAN-IDs that are legitimately owned by the aforementioned local host. The J1939 protocol specifies unique source addresses (SA) for ECUs (to be assigned by the network designer), which can be masked using the secure CAN transceivers to enable securing the communication based on a pass-list and block-list for CAN-IDs as determined by the OEM to fulfill the network’s security requirements.
To circumvent the Secure CAN spoofing protection, a hacker could attempt to carry out a man-in-the-middle attack to manipulate a legitimately initiated CAN frame by taking control at the data field to insert rogue data along with an appropriately altered CRC value. In Error Active state, the CAN controller detects and invalidates the manipulated frame. However, in Error Passive state, the modifications are not signaled by an error frame. The Secure CAN transceiver has tamper protection on transmit and receive paths to protect from a man-in-the-middle attack by generating the requisite error frame when the CAN controller of the legitimate sender is in the Error Passive state.
A significant benefit of Secure CAN transceivers such as the NXP TJA1152 and TJA1153 transceivers is the provision for adding user-configurable flooding protection thresholds. This protection prevents a compromised local host from flooding the network with high-priority CAN-IDs that are part of the transceiver’s transmission pass-list. In a shared communication channel such as a CAN network, a timing failure can have serious consequences, especially for control and safety functions.
Most systems in commercial vehicles do not have a back-up CAN channel, which raises the importance of keeping the network available at all times. The flooding protection also can help avoid impact to the CAN network on critical pathways where a babbling-idiot failure triggered from the local host’s software could cause bus overload with an excessive transmission of the permitted CAN-IDs.
As the provided security functions are without cryptography or dependence on any other microcontroller features, they are compatible with all MCUs including legacy ones. Moreover, with the security functions being built into the transceiver, there is no software impact, as is usually the case with a key-based security approach. By implementing the transceiver with security measures into commercial vehicles, the need for updating network architectures and software to include sophisticated cryptographic solutions and the associated expensive hardware is avoided.
How secure is Secure CAN?
The transceivers have an option to be fully locked after the initial configuration making the CAN-IDs effectively hard-coded for complete security. However, to provide flexibility to the OEMs, it’s possible to locally or remotely reconfigure the transceiver using a secure boot microcontroller. This should be done only in the first few seconds after the microcontroller goes through a secure boot to prevent a runtime compromised ECU from updating the Secure CAN transceiver’s configured CAN-IDs or flooding thresholds maliciously. The Secure CAN transceivers have a configurable parameter that can be set to ensure this limited time window for configurability.
The TJA1152 and TJA1153 Secure CAN transceivers are key enablers for addressing challenges for CV cybersecurity. The transceivers are available as drop-in replacements to legacy CAN HS (high-speed) and CAN FD transceivers, facilitating a simple populating of the transceiver in an application. The transceivers serve as a one-size-fits-all security solution for Tier-1s that are implementing security across a wide variety of commercial-vehicle OEMs. An initial configuration of the transceivers is sufficient to secure vehicles equipped with a different mix of legacy and new ECUs, and varying levels of software flexibility, while reducing cost for network security.
Improving time to root cause
Imagine a remote fleet spoofing attack on a business’s commercial vehicles for theft of valuable cargo. OEMs implement IDS (Intrusion Detection System) systems to quickly understand the details of such an attack – to carry out forensics on the compromised ECU – and issue a fix to avoid a repeat of the incident. But what if one could prevent the attack from bringing harm in the first place?
The secure transceivers prevent a successful attack on the victim ECU by invalidating the malicious CAN data frame with a CAN error frame and switching to secure mode to prevent any communication by the compromised ECU temporarily. This provides a ready signal to a network monitoring IDS on which node in the local network was hacked due to the absent ECU heartbeat. This latter feature will help the OEM immensely to reduce the time to root cause on the incident and implement a security fix quickly, having to search through only the identified compromised sender, and not the entire subnetwork.
The CV industry is in as much of an inflection point as the passenger-vehicle sector. Their security experts are working hard on meeting the cybersecurity compliance requirements, given the unique challenges they face. Secure CAN transceivers can help bring the industry one step closer to securing their in-vehicle CAN network communication.
Karthik Sivaramakrishnan of NXP Semiconductors submitted this article to SAE Media. As Product Marketing Manager within Product Line In-Vehicle Networking (IVN), Karthik has global responsibility for the Secure CAN and FlexRay transceivers portfolio.