James Tyrrell, a Threat Modelling Analyst at Secure-CAV consortium member Copper Horse, takes a closer look at controller area networks – a popular communications architecture found in trains, planes, automobiles and more.
Controller area networks were introduced decades before connected vehicles and the ‘Internet of Things’ became mainstream, which raises a few security issues. But before we get to that, let’s consider the attributes that have made CAN a popular choice with product developers, so that we can better understand its widespread appeal.
First up, price – if you’re looking for an affordable network then CAN fits the bill. Its bus topology allows multiple electronic control units (ECUs) to communicate with each other without the need for multiple point-to-point wiring. This decreases not just cost, but also weight – which are key reasons for the popularity of controller area networks in automobiles. There are other advantages too.
Compared with sending data over Ethernet, CAN interfaces consume a third of the power – according to reports by networking specialists. Also, Ethernet requires switching hardware to connect multiple nodes, pushing up its price against more economical CAN options.
Lean, flexible and reliable
Structurally, CAN hardware is robust with rugged controllers available for use in harsh environments. Connections are easy to make thanks to simple cabling requirements and, if the network needs to be modified further down the line, adding extra ECUs is straightforward. A single bus can support more than 100 nodes at baud rates of up to 1 Mbit/s, which makes it ideal for gathering information from multiple sensors and broadcasting status updates.
CAN employs a number of mechanisms to keep data traffic flowing, including message arbitration and a clever error handling scheme for managing malfunctioning nodes and rejecting inconsistent data.
If messages collide on the bus, an arbitration ID (AID) is used to decide on priority. The winner, with the lower AID, gets to continue transmitting while all other nodes remain silent and receive the message. When traffic on the bus clears, the loser will retransmit their data, eventually winning the contest as higher priority messages complete their broadcast.
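An added example (not from the original article) that simulates the arbitration described above for standard 11-bit identifiers: the bus behaves as a wired-AND in which a dominant 0 overrides a recessive 1, so the lowest AID wins and the losers retry once the bus clears. The function names, the node limit and the sample AIDs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ID_BITS 11   /* standard (base format) identifier length */
#define MAX_NODES 32 /* hypothetical limit for this sketch */

/* One arbitration round; contending[i] != 0 means node i wants the bus.
 * Returns the winning node index, or -1 if nobody contends.
 * Assumes contending IDs are unique, as CAN requires. */
int arbitrate(const uint16_t *ids, const int *contending, int n)
{
    int active[MAX_NODES], any = 0;
    if (n > MAX_NODES) return -1;
    for (int i = 0; i < n; i++) { active[i] = contending[i] != 0; any |= active[i]; }
    if (!any) return -1;
    for (int bit = ID_BITS - 1; bit >= 0; bit--) {   /* MSB is sent first */
        int bus = 1;                                  /* recessive unless pulled low */
        for (int i = 0; i < n; i++)                   /* wired-AND: dominant 0 wins */
            if (active[i]) bus &= (ids[i] >> bit) & 1;
        /* A node that sent recessive but reads dominant has lost and goes silent. */
        for (int i = 0; i < n; i++)
            if (active[i] && ((ids[i] >> bit) & 1) != bus) active[i] = 0;
    }
    for (int i = 0; i < n; i++)
        if (active[i]) return i;
    return -1;
}

/* Losers retry when the bus clears; order[] records who gets through when. */
int drain_bus(const uint16_t *ids, int n, int *order)
{
    int pending[MAX_NODES], sent = 0;
    if (n > MAX_NODES) return -1;
    for (int i = 0; i < n; i++) pending[i] = 1;
    for (int w; (w = arbitrate(ids, pending, n)) >= 0; pending[w] = 0)
        order[sent++] = w;
    return sent;
}

int main(void)
{
    const uint16_t ids[] = { 0x2A0, 0x0F3, 0x7DF, 0x0F1 }; /* constructed sample AIDs */
    int order[4];
    int n = drain_bus(ids, 4, order);
    for (int i = 0; i < n; i++)
        printf("slot %d: node %d (AID 0x%03X)\n", i, order[i], (unsigned)ids[order[i]]);
    return 0;
}
```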
All nodes participate in fault detection, generating error frames when messages don’t add up. Erroneous transmissions are destroyed and senders instructed to retransmit their data. Through a system of digital flags, or counters, defective ECUs are placed in a ‘bus-off’ state if errors persist.
Fast arbitration times and quick error recovery contribute to the real-time capability of controller area networks, which is another plus point, and not the last.
CAN buses have the capacity to absorb physical damage, to a certain degree. Should a break occur in either of the differential high/low channels, fault-tolerant CAN transceivers can automatically switch to single-wire mode, running communications over a single bus line until normal service is resumed.
Without a doubt, controller area networks put a lot of positives on the table, but as we mentioned at the start, CAN was designed for a different time – before vehicles and other devices joined the internet.
Grappling with connectivity
In the absence of any security solutions, all nodes on the controller area network trust the messages being broadcast by all other nodes. Also, all of the data traffic can be monitored from anywhere on the bus, which makes information readily available to anyone with access to the network.
The addition of wireless interfaces (Bluetooth, Wi-Fi and cellular) presents a challenge to controller area networks, raising the spectre of remote attacks. This, coupled with the wide variety of use cases for CAN across multiple industries, makes securing controller area networks a pressing and critical issue.
To find out more about solutions offered by Secure-CAV, reach out to the team via our consortium page. And stay tuned for more updates.