CANcrypt Use Cases
The use cases below cover compliance with the EU Cyber Resilience Act and IEC 62443, complete confidentiality through full encryption, zoning that confines protection to the exposed segments, and the Secure Heartbeat as an early warning that a device has been forced off the bus. These are the ones worth elaborating, not the whole list: the same protection also guards intellectual property such as recipes or motion sequences and shields personal data where a system handles it.
Meeting the EU CRA and IEC 62443
CANcrypt is a defense-in-depth building block for regulatory
compliance. The EU Cyber Resilience Act and IEC 62443 expect
communication to be authenticated and, where confidentiality
matters, encrypted. CANcrypt delivers that protection at the
link layer, so a product can meet the
authenticated-and-encrypted expectation on the bus without
redesigning its application protocol. It sits alongside the
other controls in a layered security architecture rather than
replacing them. For how these layers compose into a single
strategy, see the CAN Security Reference at:
Defense in Depth for CAN.
Complete Authentication and Encryption
Because CANcrypt can authenticate and, when configured for
full confidentiality, encrypt every addressed data unit a node
sends, it protects all communication rather than a hand-picked
subset of messages. For CAN and CAN FD that makes it the only
option today that delivers complete confidentiality across the
network: every secured frame is unreadable to an observer and
is rejected if it has been altered. Where a system needs
assurance that nothing on the bus can be read or forged, this
is the posture to run. Frame-level authentication and
encryption is one defensive shell among several; the CAN
Security Reference describes this in section:
Frame Security.
Zoning and Segmentation
Not every network needs protection everywhere. When the
requirement is limited to part of the system, CANcrypt can run
on the exposed segments alone. Following the zoning and
segmentation approach of IEC 62443, a designer divides the
network into zones by risk and applies SPsec only where it is
needed, for example a segment that reaches a diagnostic port
or an external connection, while leaving low-risk internal
segments untouched. A security bridge connects a protected
zone to the rest of the system, which keeps the cost and the
overhead of security proportional to the actual exposure.
Such an example is shown in the title figure where a
construction machine has an exposed network wiring section
along a beam. As all other sections are protected from
physical access, only the exposed section uses secured
communication. For the system-level method this follows, see
the CAN Security Reference at
Zoning and Segmentation.
Secure Heartbeat as a Breach Indicator
Some attacks happen below the protocol, at the physical or
link level: rather than forging a message, an attacker forces
a single device off the bus, for example by cutting its
connection or overwhelming it. CANcrypt makes that visible.
Every participant in the secure state publishes an
authenticated Secure Heartbeat on a fixed cycle, so if a unit
is knocked off the bus its heartbeat stops arriving, and that
missing heartbeat is the first indication of an attack. The
sublayer reports it as a security event to the host
application, so a drop-off that would otherwise look like a
loose connection becomes a signal worth acting on. Treating a
lost heartbeat as a monitored security event fits the approach
described on the CAN Security Reference at
Anomaly and Event Monitoring.
Frequently Asked Questions
Does CANcrypt help meet the EU Cyber Resilience Act?
Yes. CANcrypt authenticates and, where configured, encrypts communication at the link layer, which is the authenticated-and-encrypted protection the EU Cyber Resilience Act and IEC 62443 expect for data in motion. It is one defense-in-depth layer within a wider security architecture.
Can CANcrypt protect only part of a network?
Yes. Following zoning and segmentation, you can run SPsec only on the exposed segments and connect them to the rest of the system through a security bridge, keeping the overhead proportional to the actual risk.