Truck & Off-Highway Engineering - October 2022 - 28

SECURING CAN NETWORKS IN
COMMERCIAL VEHICLES
Long life platforms, integration of several subassemblies,
software complexity for end-to-end security, and the
lack of a secure communication standard are among the
unique challenges facing CV manufacturers.
A CAN transceiver with built-in security functions can avoid the complexity of
end-to-end security solutions that are especially hard to implement on CVs.
by Karthik Sivaramakrishnan
C
ommercial road vehicles are the backbone of the modern
consumer economy. Almost any business from construction,
to energy, to online retail at some point relies on the delivery
of goods by commercial vehicles, which in turn are becoming
increasingly connected both to the external world and to
each other via telematics. This enables CV owners to optimize and
manage their fleets via platooning for safety and efficiency improvements
as well as cost and fuel-consumption reduction to meet the
increasingly stringent CO2
emissions requirements necessitated by
climate change. However, the increased connectivity brings with it an
increase in cyberattack surfaces and CV fleets are prime targets for
cybercrime due to the high value of the cargo they carry, and their
importance to large businesses and the greater economy.
While CV manufacturers are familiar with and prepared for the risk of
physical attacks - typically carried out on one vehicle, such as odometer
manipulation or theft - they may risk being caught by surprise at
the scale and impact of what is possible with remote cyberattacks.
Hackers can exploit a vehicle's wireless network or internet connection
to gain entry into the vehicle's communication network and compromise
security to access a vehicle's CAN (Controller Area Network) and
take over remote management of the vehicle while it is in motion.
Modern ECUs in commercial vehicles run on millions of lines of
code, which opens up vulnerabilities for compromising them. Even
conservative estimates predict a bug every 1000 lines of code. A
range of activities can then be carried out with malicious intent from
28 October 2022
fraudulent manipulation of data to complete control of
safety-critical functions such as steering, acceleration
and braking. Location tracking and theft also are
among the potential motivations for hackers to inject
malicious CAN data frames into the CAN network.
UNECE R155: Mandatory
cybersecurity compliance
Risks of malicious cyberattacks are relatively new to
commercial vehicles, and industry experts are looking at
several approaches to mitigate these risks. However,
there is already the expectation from regulatory bodies
such as UNECE (United Nations Economic Commission
for Europe) that it is no longer a question of if there is
an attack but when there is an attack on a vehicle network.
This has resulted in mandatory cybersecurity
compliance regulation R155, which is applicable at first
for new vehicle types but then for all vehicles on the
road, increasing the sense of urgency for the implementation
of cybersecurity measures within vehicles that
will be on the road in one of the 54 countries that are
party to the agreement.
R155 has explicit requirements, such as " The vehicle
shall verify the authenticity of the messages it receives, "
TRUCK & OFF-HIGHWAY ENGINEERING
NXP
Truck & Off-Highway Engineering - October 2022

Table of Contents for the Digital Edition of Truck & Off-Highway Engineering - October 2022
