Steve Morgan, the editor-in-chief of the Cybercrime Magazine wrote already in 2020: “If it were measured as a country, then cybercrime – which is predicted to inflict damages totaling 6 trillion US-$ globally in 2021 – would be the world’s third-largest economy after the U.S. and China. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching 10,5 trillion US-$ annually by 2025, up from 3 trillion US-$ in 2015.”

In the meantime, national, regional, and international authorities have released regulations to protect potentially attackable systems and subsystems. Most important is the European Cyber Resilience Act (CRA): This is a legal framework that describes the cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union. Manufactures are now obliged to take security seriously throughout a product’s life cycle. Details and impacts what manufacturers and users need to do are still unclear. There are many uncertainties. CAN networks comprise digital hardware and software, implying that CAN-based products are affected by the European CRA.

CAN networks are in general not cybersecure. Cybersecurity needs to be added. In other words, a CAN interface is a door with no lock. Depending on the application and risks of attacks, you need to apply appropriate cybersecurity measures. The OSI (Open Systems Interconnection) model describes a cross-layer security add-on function (ISO 7498-2:1989). It models the secure communication between networked entities. Theoretically, each of the seven layers can provide security add-on functions.

Within the CiA organization, we have two activities related to cybersecurity. The IG (interest group) 04 SIG (special interest group) 01 CAN XL develops a data link layer (DLL, OSI layer 2) cybersecurity add-on function for CAN XL. It is intended that this approach can be implemented in hardware. Additionally, on July 24 CiA is going to inaugurate the IG06 SIG02 HLP (higher-layer protocol) cybersecurity. The aim of this SIG is the specification of security add-on functionality for OSI layers above the data link layer i.e. for OSI layer 3 (network layer) to OSI layer 7 (application layer) for CAN based networks, in particular for CAN CC and CAN FD based protocols that will not directly profit from the CAN XL security add-on functionality. CiA is calling for cybersecurity experts to work within this SIG. Interested parties may contact secretary(at)can-cia.org.

The CiA Technical Committee (TC) task force (TF) Modeling accompanies these cybersecurity-related specifications to model them as specified in ISO 7489-2 and related standards.

There is also a need to discuss the political dimension of cybersecurity measures for different applications. Which measures are necessary? It might be that in some applications a mechanical access protection is sufficient, e.g. for deeply embedded networks. In other applications, an end-to-end protection might be appropriate. If an attacker has access to the CAN network lines, OSI layer cybersecurity add-on functions might be required. As such, CiA is currently considering to establish a Marketing Group (MG) to discuss and to develop design guidelines and recommendations for applying technical cybersecurity measures for different use cases.