CyberCAN

CAN is an excellent technology for control system integration.  However, it was never designed with protection against cyberattacks in mind.

Attacks could include:

  • Spoofing of a device or ECU
  • Man-In-The-Middle
  • Denial of Service, e.g. taking an ECU's communications down

Attack examples include:

  • AdBlue ECU cheat – pretending the AdBlue tank is full to prevent the vehicle entering limp-home mode
  • Accident data manipulation
  • Tachograph cheating
  • Making a control system dangerous through a malicious attack
  • Manipulation of Battery Management System data
  • Reverse engineering of the CAN bus

Warwick Control has developed a patented technology that can be used to fingerprint a CAN network based on the CAN bus electrical voltages e.g. on CAN_H and CAN_L lines.  The broad principle has been demonstrated by Warwick Control in the papers referenced below.

It can be used in applications such as Intrusion Detection Systems (IDS).  It works by fingerprinting the CAN bus network during an installation phase for the CAN system.  The IDS is installed on the CAN bus, a fingerprint learning phase is carried out, and then the device is ready to run on the live network.

Once running on a live CAN bus, messages from different ECUs or devices can be monitored to carry out:

  • Fingerprinting of the raw electrical data for each device on the network.
  • Classification of each device as an intruder or not.

Consider the following example for an NMEA 2000 network.  Left: CAN ID 19F2150B is fingerprinted and found to be correctly transmitted by the device with source address 0x0B.  Right: CAN ID 19F2150C should be transmitted by the device with source address 0x0C, but has instead been transmitted by the device with source address 0x0B.  This suggests that one of the devices has been hacked/compromised.

[Figure: left, Good Operation; right, Suspicious Operation]

A nice side feature of the technology is the ability to also carry out diagnostics on the electrical signal of CAN messages from particular ECUs or devices such as:

  • Low or high CAN differential
  • CAN_L shorted to ground fault
  • Noisy CAN signals, or signals with a high level of variation
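The following Python example is added here to illustrate the learn-then-classify flow and the NMEA 2000 source-address check described above, together with the side diagnostics; it is not Warwick Control's code and does not implement the patented method. Only the 29-bit identifier layout (priority, PGN, source address in the low byte, as in SAE J1939/NMEA 2000) is standard. The voltage signatures, the nearest-centroid matching, the tolerance of 0.05 V and the diagnostic thresholds are simplifications constructed for this example.

```python
import math
from dataclasses import dataclass


def decode_j1939_id(can_id: int):
    """Split a 29-bit J1939 / NMEA 2000 identifier into (priority, PGN, source address).
    The source address is the low byte, so 0x19F2150B claims to come from 0x0B."""
    priority = (can_id >> 26) & 0x7
    data_page = (can_id >> 24) & 0x1
    pdu_format = (can_id >> 16) & 0xFF
    pdu_specific = (can_id >> 8) & 0xFF
    source = can_id & 0xFF
    # PDU2 (PF >= 240): PS is part of the PGN; PDU1: PS is a destination address.
    pgn = (data_page << 16) | (pdu_format << 8) | (pdu_specific if pdu_format >= 240 else 0)
    return priority, pgn, source


@dataclass(frozen=True)
class Signature:
    """Constructed electrical feature of one frame: mean dominant-bit CAN_H and CAN_L voltage."""
    can_h: float
    can_l: float


class ElectricalFingerprintIDS:
    """Learn one voltage centroid per source address, then flag frames whose claimed
    source address does not match the transmitter the voltages point to (simplified model)."""

    def __init__(self, tolerance: float = 0.05):
        self.tolerance = tolerance  # max distance (V) for a centroid match; constructed value
        self._samples = {}          # source address -> list of Signature
        self.profiles = {}          # source address -> centroid Signature

    def learn(self, source: int, sig: Signature) -> None:
        """Installation phase: accumulate samples and keep a running centroid per device."""
        samples = self._samples.setdefault(source, [])
        samples.append(sig)
        n = len(samples)
        self.profiles[source] = Signature(
            sum(s.can_h for s in samples) / n,
            sum(s.can_l for s in samples) / n,
        )

    def identify(self, sig: Signature):
        """Return the learned source address with the nearest centroid, or None if none is close."""
        best, best_dist = None, None
        for source, centroid in self.profiles.items():
            dist = math.hypot(sig.can_h - centroid.can_h, sig.can_l - centroid.can_l)
            if best_dist is None or dist < best_dist:
                best, best_dist = source, dist
        if best is None or best_dist > self.tolerance:
            return None
        return best

    def check(self, can_id: int, sig: Signature):
        """Live phase: compare the address claimed in the ID with the physical sender."""
        _, _, claimed = decode_j1939_id(can_id)
        physical = self.identify(sig)
        if physical is None:
            verdict = "unknown"
        elif physical == claimed:
            verdict = "good"
        else:
            verdict = "suspicious"
        return verdict, claimed, physical


def electrical_diagnostics(sig: Signature, diff_min=1.5, diff_max=3.0, gnd_short=0.3):
    """Side diagnostics on the same signature. Thresholds are constructed for this example;
    ISO 11898-2 puts the dominant differential roughly in the 1.5 V to 3.0 V range."""
    faults = []
    differential = sig.can_h - sig.can_l
    if differential < diff_min:
        faults.append("low CAN differential")
    if differential > diff_max:
        faults.append("high CAN differential")
    if sig.can_l < gnd_short:
        faults.append("CAN_L near 0 V: possible short to ground")
    return faults


def demo():
    ids = ElectricalFingerprintIDS()
    # Constructed learning-phase samples: two devices with slightly different transceivers.
    for sig in (Signature(3.52, 1.48), Signature(3.51, 1.49), Signature(3.53, 1.47)):
        ids.learn(0x0B, sig)
    for sig in (Signature(3.61, 1.39), Signature(3.60, 1.40), Signature(3.62, 1.38)):
        ids.learn(0x0C, sig)
    # Constructed live frames: the second claims source 0x0C but looks electrically like 0x0B.
    results = [
        ids.check(0x19F2150B, Signature(3.52, 1.47)),
        ids.check(0x19F2150C, Signature(3.53, 1.48)),
    ]
    for verdict, claimed, physical in results:
        print(f"claimed=0x{claimed:02X} physical={physical} -> {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Running `demo()` reproduces the two panels in the figure: the first frame is reported as good, the second as suspicious because its voltages sit on device 0x0B's centroid while the identifier claims 0x0C. A real fingerprint would use far richer features (edge timing, ringing, per-bit statistics) and a trained classifier rather than two mean voltages, but the decision structure is the same.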

The technology is available for licensing.  The following are available to purchase from Warwick Control:

  • IDS ECU or PCB with which to evaluate the technology.
  • PC software

If you are interested in more information, please contact sales@warwickcontrol.com

References

  1. Quigley, D. Charles, R. McLaughlin (2018); “Reverse engineering of CAN communication”, CAN Newsletter 4/2018, CAN in Automation. https://can-newsletter.org/engineering/engineering-miscellaneous/181123_reverse-engineering-of-can-communication_warwick
  2. Quigley, D. Charles, R. McLaughlin (2019); “CAN Bus Message Electrical Signatures for Automotive Reverse Engineering, Bench Marking and Rogue ECU Detection”, SAE paper 2019-01-0476.
  3. Quigley, D. Charles, R. McLaughlin (2020); “Benchmarking of CAN Systems Using the Physical Layer - Car, Truck and Marine Case Studies”, International CAN Conference (online).
  4. https://www.kvaser.com/use-can-bus-message-electrical-signatures-automotive-reverse-engineering/