Explore CAST IP here
1. Zonal E/E Architecture and Its Impact on Automotive Cybersecurity
The vehicle electrical/electronic (E/E) architecture is undergoing a significant transformation, moving from a domain-based to a zonal approach. Unlike the domain-based system, where components are grouped by function (such as infotainment, chassis control, or powertrain), the zonal architecture networks end devices based on their optimal physical location in the vehicle. This reduces the length and weight of the wiring harness, improves flexibility, and enables the combination of functions into fewer Electronic Control Units (ECUs). Additionally, middleware facilitates cross-functional communication between ECUs, a concept known as the software-defined vehicle.
However, this architecture also creates new challenges for cybersecurity, particularly for well-established communication protocols like the Controller Area Network (CAN) bus. The CAN bus, which has been a cornerstone of automotive communication for over 20 years, is vulnerable to modern security threats due to its design in the 1980s, long before cyberattacks became a concern.
The Automotive Open System Architecture (AUTOSAR) developed Secure Onboard Communication (SecOC) to protect signal-based communication. However, SecOC operates at the higher layers of the OSI model, introducing software overhead and increased CPU load. A more efficient solution is CANsec, a protocol integrated into the third generation of the CAN bus (CAN XL), which offers real-time protection at the lower layers through authentication, encryption, and integrity checking.
2. CAN XL – Enhancing the CAN Bus for Modern Vehicles
CAN XL is the latest evolution of the CAN bus, developed to close the gap between the previous CAN/CAN FD standards and high-speed Ethernet used in modern vehicle architectures. Introduced by the CAN in Automation Special Interest Group (CiA SIG), CAN XL offers a scalable bit rate of up to 20 Mbps and payload lengths of up to 2048 bytes. These improvements enable the tunneling of Ethernet frames over CAN, allowing for both real-time and service-oriented communication across a single network.
Key features of CAN XL include:
3. CANsec: Securing the CAN Bus
While CAN XL introduces improvements in speed and data handling, it remains susceptible to attacks like spoofing, sniffing, replay, and resource exhaustion. CANsec was developed to address these vulnerabilities by securing CAN communication through authentication, encryption, and integrity checks at the data link layer (Layer 2 of the OSI model, as shown in Figure 1).
Figure 1 - CANsec frame format and classification in the OSI layer model.
Threats Addressed by CANsec:
Figure 2 - CANsec Secure Zone (SZ) Concept
4. Proof of Concept – Testing CANsec’s Performance
Fraunhofer IPMS conducted a proof of concept (PoC) to evaluate CANsec's performance, using CAN bus cores available from CAST. The CAN-CTRL IP core supports CAN XL, while the CAN-SEC IP core provides the security features. Both IP cores were connected to a host system, with the CAN-SEC core managing encryption and authentication processes.
Figure 3 - Proof of Concept with CAN-SEC and CAN-CTRL IP cores
In the PoC, data frames were transmitted at the maximum CAN XL bit rate of 20 Mbps, using 256-bit keys for encryption. Even in this worst-case scenario, the CANsec protocol showed minimal delays in data transmission. For example, the time to authenticate and encrypt a frame was only 2.7 microseconds, while transmission and reception took 73 microseconds. Decryption and verification on the receiver side added just 2.3 microseconds, meaning the overall impact on transmission time was negligible. See Figure 4.
Figure 4 - CANsec transmission sequence
Buffer memory was used to store and manage frames during transmission, ensuring a continuous data stream without additional latency. This setup allowed for efficient processing even when transmitting large amounts of data. Figure 5 in the full white paper illustrates that the duration of authentication and encryption is consistently shorter than the actual frame transmission time, confirming that CANsec can operate without negatively impacting performance.
Figure 5 - Comparison of encryption and transmission time of the CAN XL frame transmission time of the CAN XL frame as a function of the user data length
Exceptional Cases: In rare instances, additional latency may occur, such as when a very short frame is followed by a much longer frame. However, this effect is only observed at transmission speeds exceeding 10 Mbps, making it uncommon in most real-world applications, where nodes typically operate at lower speeds.
5. Conclusion: The Future of Secure Automotive Communication
As zonal E/E architectures become the standard for modern vehicles, the need for efficient and secure communication systems grows. While AUTOSAR's SecOC offers robust protection for signal-based communication, it can cause high CPU utilization, particularly in complex, software-defined vehicles.
CANsec provides a more resource-efficient alternative, operating at the lower layers of the OSI model to secure CAN XL frames without introducing significant overhead. The PoC demonstrated that CANsec can protect data transmission against common cyber threats without adding latency or reducing bandwidth, even under demanding conditions.
This makes CANsec an ideal solution for securing the CAN bus in next-generation vehicle architectures, where real-time communication and data security are critical to both performance and safety.
Explore CAST IP here
1. Zonal E/E Architecture and Its Impact on Automotive Cybersecurity
The vehicle electrical/electronic (E/E) architecture is undergoing a significant transformation, moving from a domain-based to a zonal approach. Unlike the domain-based system, where components are grouped by function (such as infotainment, chassis control, or powertrain), the zonal architecture networks end devices based on their optimal physical location in the vehicle. This reduces the length and weight of the wiring harness, improves flexibility, and enables the combination of functions into fewer Electronic Control Units (ECUs). Additionally, middleware facilitates cross-functional communication between ECUs, a concept known as the software-defined vehicle.
However, this architecture also creates new challenges for cybersecurity, particularly for well-established communication protocols like the Controller Area Network (CAN) bus. The CAN bus, which has been a cornerstone of automotive communication for over 20 years, is vulnerable to modern security threats due to its design in the 1980s, long before cyberattacks became a concern.
The Automotive Open System Architecture (AUTOSAR) developed Secure Onboard Communication (SecOC) to protect signal-based communication. However, SecOC operates at the higher layers of the OSI model, introducing software overhead and increased CPU load. A more efficient solution is CANsec, a protocol integrated into the third generation of the CAN bus (CAN XL), which offers real-time protection at the lower layers through authentication, encryption, and integrity checking.
2. CAN XL – Enhancing the CAN Bus for Modern Vehicles
CAN XL is the latest evolution of the CAN bus, developed to close the gap between the previous CAN/CAN FD standards and high-speed Ethernet used in modern vehicle architectures. Introduced by the CAN in Automation Special Interest Group (CiA SIG), CAN XL offers a scalable bit rate of up to 20 Mbps and payload lengths of up to 2048 bytes. These improvements enable the tunneling of Ethernet frames over CAN, allowing for both real-time and service-oriented communication across a single network.
Key features of CAN XL include:
- Virtual CAN Network ID (VCID): Enables the definition of up to 256 virtual networks within a single CAN XL segment, improving network segmentation and management.
- Service Data Unit Type (SDT): Allows for multi-protocol stacks to run over the same physical infrastructure.
- Arbitration and Addressing Separation: CAN XL uses an 11-bit Priority ID and a 32-bit Acceptance Field to distinguish between node addresses and content indicators, streamlining the communication process.
3. CANsec: Securing the CAN Bus
While CAN XL introduces improvements in speed and data handling, it remains susceptible to attacks like spoofing, sniffing, replay, and resource exhaustion. CANsec was developed to address these vulnerabilities by securing CAN communication through authentication, encryption, and integrity checks at the data link layer (Layer 2 of the OSI model, as shown in Figure 1).
Figure 1 - CANsec frame format and classification in the OSI layer model.
Threats Addressed by CANsec:
- Spoofing: An attacker impersonates a network node by sending fraudulent CAN frames. CANsec counters this by authenticating all modifiable fields in the CAN XL frame using a secret key.
- Sniffing: Attacks that intercept CAN frames to gather sensitive information. CANsec encrypts the user data fields, making intercepted data unreadable.
- Replay: Malicious actors resend previously captured frames to trigger unintended actions, such as unlocking a door. CANsec uses an alternating freshness value to ensure that each frame is unique, preventing replay attacks.
- Resource Exhaustion: Attackers overload the receiver's CPU with authentication tasks by sending invalid frames. CANsec offloads the authentication process to hardware, preventing CPU overload and ensuring continued functionality.
Figure 2 - CANsec Secure Zone (SZ) Concept
4. Proof of Concept – Testing CANsec’s Performance
Fraunhofer IPMS conducted a proof of concept (PoC) to evaluate CANsec's performance, using CAN bus cores available from CAST. The CAN-CTRL IP core supports CAN XL, while the CAN-SEC IP core provides the security features. Both IP cores were connected to a host system, with the CAN-SEC core managing encryption and authentication processes.
Figure 3 - Proof of Concept with CAN-SEC and CAN-CTRL IP cores
In the PoC, data frames were transmitted at the maximum CAN XL bit rate of 20 Mbps, using 256-bit keys for encryption. Even in this worst-case scenario, the CANsec protocol showed minimal delays in data transmission. For example, the time to authenticate and encrypt a frame was only 2.7 microseconds, while transmission and reception took 73 microseconds. Decryption and verification on the receiver side added just 2.3 microseconds, meaning the overall impact on transmission time was negligible. See Figure 4.
Figure 4 - CANsec transmission sequence
Buffer memory was used to store and manage frames during transmission, ensuring a continuous data stream without additional latency. This setup allowed for efficient processing even when transmitting large amounts of data. Figure 5 in the full white paper illustrates that the duration of authentication and encryption is consistently shorter than the actual frame transmission time, confirming that CANsec can operate without negatively impacting performance.
Figure 5 - Comparison of encryption and transmission time of the CAN XL frame transmission time of the CAN XL frame as a function of the user data length
Exceptional Cases: In rare instances, additional latency may occur, such as when a very short frame is followed by a much longer frame. However, this effect is only observed at transmission speeds exceeding 10 Mbps, making it uncommon in most real-world applications, where nodes typically operate at lower speeds.
5. Conclusion: The Future of Secure Automotive Communication
As zonal E/E architectures become the standard for modern vehicles, the need for efficient and secure communication systems grows. While AUTOSAR's SecOC offers robust protection for signal-based communication, it can cause high CPU utilization, particularly in complex, software-defined vehicles.
CANsec provides a more resource-efficient alternative, operating at the lower layers of the OSI model to secure CAN XL frames without introducing significant overhead. The PoC demonstrated that CANsec can protect data transmission against common cyber threats without adding latency or reducing bandwidth, even under demanding conditions.
This makes CANsec an ideal solution for securing the CAN bus in next-generation vehicle architectures, where real-time communication and data security are critical to both performance and safety.
Explore CAST IP here
- CAN-SEC CANsec Acceleration Engine
- CAN-CTRL: CAN 2.0 & CAN-FD Bus Controller
- TSN-SW Multiport TSN Ethernet Switch
