Embedded Systems Academy

Turning Compliance into a Market Differentiator

The Shift Has Already Begun

Full CRA enforcement begins in December 2027, but purchasing departments will already soon start auditing suppliers about planned compliance. Early adopters have a window to build long-term relationships based on trust and readiness.

Customers will soon ask:

• Do you have a CRA technical file?
• Can you provide an SBOM?
• How and for how long will you provide updates?
• What’s your vulnerability disclosure process?

If you can answer swiftly and confidently, your product becomes more than compliant, it becomes attractive.

Defense in Depth Starts at the Component Level

CRA embeds specific cybersecurity principles, especially defense in depth: limiting attack surfaces, managing access, validating inputs, secure updates, and ongoing vulnerability management.

Even minor components can be attack vectors. An unmaintained module or undocumented interface can compromise a full system. Your customers want components that help them build secure systems. Your documentation must show that you’re part of the solution.

Short-Term Effort, Long-Term Advantage

Yes, CRA adds some effort:

• Documenting processes
• Clarifying support periods
• Generating SBOMs
• Setting up secure update mechanisms

But these are reusable across product lines. And they become selling points:
“We provide a pre-filled CRA technical file, saving you time and audit effort.”
Soon, CRA alignment will be part of RFQs, especially in regulated industries. Early movers will already have what’s needed.

How to Start Now

You don’t need a full conformity assessment yet. Start with these:

1. Draft the basic technical documentation: risk analysis, update policy, SBOM, and contact point.
2. Educate your team: make sure product and sales staff can explain how you support CRA obligations.
3. Label your products: terms like “CRA-ready” or “CRA-aligned” will gain traction fast.

Conclusion: Be the Easy Choice

CRA isn’t just a legal requirement, it’s a new trust signal. Vendors who invest in documentation and defense in depth today won’t just be compliant, they’ll be strategic partners.

Integrators will ask: does your component help us get CRA-certified?

If the answer is yes, you’re the easy choice.

If you want to stay updated on our upcoming CRA training classes, follow us on LinkedIn or check this blog regularly. We’ll share practical tips, updates, and announce training availability as we go live.

Consider joining one of our upcoming presentations by our tutors Olaf Pfeiffer, Christian Keydel and Peter Scheydt. We will share latest insights on cybersecurity regulations and secure communication in embedded networks. If you’re working with CAN, CAN FD, CANopen, or other resource-constrained communication systems, these talks contain vital information about regulatory requirements and potential solutions.

Upcoming Presentations

1. Consequences of the Latest Cybersecurity Acts and Regulations for CAN CC and CAN FD Systems

• CiA Member Days, Frankfurt – February 26, 2025
• Embedded World Conference, Nuremberg – March 13, 2025

New cybersecurity regulations also effect non-Internet embedded networks! This talk explores how evolving laws, including the EU Cyber Resilience Act (CRA), impact CAN, CAN FD, and other small-packet networks. Learn about security-by-design approaches, compliance strategies, and best practices to safeguard your embedded communication systems against modern threats.

2. Minimizing TLS: TLS-PSK variations for Secure Communication in Resource-Constrained Embedded Networks

• Embedded World Conference, Nuremberg – March 13, 2025

Traditional security protocols often introduce too much overhead for low-power, small-packet networks like RS485 or CAN based systems. This presentation introduces TLS-PSK variations optimized for resource-limited environments. Discover how you can enable strong encryption, authentication, and integrity while minimizing processing time, memory usage, and bandwidth consumption.

Key take-a-ways

• Stay ahead of new cybersecurity regulations impacting embedded networks
• Learn practical security solutions for CAN, CAN FD, and other fieldbus systems
• Gain insights from real-world application examples

Mark your calendars and join us!

Links:

• https://can-cia.org/about-us/member-services/cia-member-days-2025
• https://events.weka-fachmedien.de/embedded-world-conference/program

As we step into 2025, the team at EmSA (Embedded Systems Academy) extends our warmest wishes for a prosperous and successful New Year to all our customers and partners!

We have been working on cybersecurity options for embedded small-packet networks for years, but adoption has been slow. Most of our customers know that they need to invest in “some security” eventually. However, without real customer demand or immediate regulatory pressure, the implementation of cybersecurity measures has lagged.

In 2025, we at EmSA plan to publish several white papers to help you “get a grip” on the security aspects of your embedded applications using embedded networks. There will also be a number of non-cryptographic measures applicable to CAN and CANopen networks to help achieve at least one of the lower security levels.

For those who need to go “all the way,” we will offer cryptographic solutions for CAN FD, CANopen FD, RS232 connections, and other embedded small-packet networks.

Follow us on this blog, our LinkedIn page, and our YouTube channel to stay up to date with security measures for small-packet networks.

Learn from Arm’s Christopher Seidl and NXP’s Kyle Dando as they explore how different software layers interact to create efficient industrial systems.

Chris Keydel from EmSA will talk about industrial networking with CANopen and how to integrate Micro CANopen Plus into your own application using Open-CMSIS-Packs.

Perfect for embedded software developers eager to expand their understanding of Open-CMSIS-Packs.

Register now and reserve your spot: https://okt.to/BdKjSE

We are pleased to introduce the latest software update for the CANgineBerry, which now includes a Python example aimed at simplifying network management for developers working across Linux, Windows, and macOS. This new example uses the provided CANopen Manager firmware as an efficient way to visualize and manage devices on a CANopen network.

Unlike basic CAN interfaces (only passing through CAN frames), the CANgineBerry handles the entire CANopen Manager functionality. This allows the module to automatically scan the network, identify new devices, and configure the appropriate Process Data Objects (PDOs) without requiring manual intervention. Through this automated functionality, users can directly access the Object Dictionary entries for both the Manager and the connected devices, reducing the need for writing complex code.

The Python example showcases these features through a lightweight graphical user interface (GUI). Once connected to a CANgineBerry, the script accesses detected devices, retrieves their details on demand, and presents them in an intuitive display. No matter the platform—Linux, macOS, or Windows—this tool provides rapid access to multiple devices on your CANopen network.

By delegating low-level CANopen management tasks to the CANgineBerry, developers are free to concentrate on higher-level application development. The Python-based GUI makes the configuration and monitoring of CANopen networks easy and gives you instant control over your devices.

This update further reinforces CANgineBerry’s position as more than a CAN bus interface. It remains a robust solution that simplifies CANopen network management, providing both flexibility and user-friendliness for embedded systems developers.

To download the example, go to: https://cangineberry.com/

In a blog entry from last year, we announced a “Two-year project for security of CANopen and other small-packet networks.” It is now time to give you an update on where we are with our SPsec (Securing Small-Packet Networks) project.

It comes as no surprise that adding security to small-packet networks like CAN, I2C, LIN, Modbus, and other fieldbuses is a challenge. The small-packet sizes offer only limited space for security information like an authentication tag and often, these networks are handled by microcontrollers with limited computational and memory resources. We are now aiming at protecting all communication in such a network when our initial goal was to protect only selected communication channels. The reason here is that for many industrial applications, recent acts and regulations like the European Cyber Resilience Act (CRA) will require security-by-design in the near future. For several use cases, they will also request that all data at rest and in motion is both authenticated and encrypted.

We defined the following SPsec key points and cryptographic primitives:

• Minimal hardware requirements of participating MCUs
• Cryptographic functions used
• Point-to-point security for configurations or communications with an limited amount of communication channels
• Time-based rolling key derivation for automated refreshing of keys
• Group security for multicast network technologies like CAN

For more detailed information see our white paper “Cybersecurity Primitives for Small-Packet Networks“.

Our first proof-of-concept implementation will be based on the PCAN-Router FD from PEAK-System. These devices have two CAN (or CAN FD) interfaces from which we use one for unprotected communication from a host system. The router implements a SPsec sub layer and uses the second interface for the secure communication. This allows for easy test and debugging, as there will be one CAN bus with the protected and one with the unprotected communication allowing a direct comparison.

Later the SPsec sub layer will be added to our Micro CANopen source code and integrated into various CANopen or CANopen FD devices for further testing.

Stay informed by following this blog or our linkedin page for up-to-date developments.

The current status of the EU Cyber Resilience Act (CRA) is that manufacturers of devices with digital elements or any software have until 2027 to comply with the outlined rules and regulations. These include compliance issues like overall risk assessment, documentation and incident reporting – which have a huge organizational impact. Technology details mentioned in the CRA are limited, so there is some interpretation as to what it all means for embedded systems and fieldbus communication. When it comes to specifics, the annex talks about how to treat data in transit:

Text excerpts from Annex I, 1. (3) (c) and (d) (emphasis ours):

• Products shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms.
• Products shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions.

In other words:

• When communicating or storing (to non-volatile memory) relevant data then encrypt it.
• When communicating or storing (to non-volatile memory) any data then authenticate it.

There is not much room for exceptions here, discussing what is relevant might be challenging. If it is not relevant, then why communicate or store it in the first place?

There might be some relief in Annex I, 1. (1) which says:

• Products shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.

This can be a way out for some applications if in the risk assessment a security expert can show that there is no risk in not protecting certain data. Nevertheless, the security assessment must also reflect the following two statements:

1. Apply security-by-design to the entire lifecycle (min 5 years), from development process to production, deployment, and use/maintenance.
2. Products integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors.

These two statements have a huge impact on all microcontroller communication like plain UART, RS-485, CAN or other fieldbuses. The second statement boils down to not making a difference between important and lesser important communication. Even the lesser important communication may serve as an attack vector to the system.

The first statement requires layered security mechanisms given that protecting a single aspect won’t be sufficient. Taking CAN as an example, let us have a look at the known three stages of most common attacks on CAN systems:

1. Get access to the CAN communication.
   For example by accessing the CAN wires or hijacking a device (or interface to another network) already connected.
2. Monitor the CAN communication to learn from it.
   The attacker learns which CAN frames are used for what.
3. Inject or replay CAN communication to maliciously trigger behaviour.
   The attacker “takes over” certain aspects of the system.

By protecting any one of these three stages, the attacker’s success can be thwarted, and the system might seem “secure”. However, what if in the foreseeable future an attacker finds a way around that single protection? Security-by-design requires that we pay attention to all possible stages of an attack and do not focus on a single point of potential failure.

In any future risk assessment of a system using any form of communication (fieldbus or application specific communications), manufacturers will need to show which steps they took to protect all aspects:

1. Which steps were taken to minimize physical access?
   How easy is it to access the network wires? Can diagnostic ports be protected? Which interfaces to other networks are there? How are they protected?
2. Which steps were taken to keep communication confidential?
   To prevent attackers from learning anything about the system, encrypt all relevant communication.
3. Which steps were taken to ensure communication integrity?
   To prevent attackers from manipulating frames, authenticate all relevant communication.

In summary, to be EU Cyber Resilience Act compliant, a lot of the future fieldbus communication needs to be both authenticated and encrypted. To simplify the risk assessment and documentation, this should be done for all communication. Otherwise, manufacturers need to be prepared to have a security expert document every unprotected communication as to why this specific data set is irrelevant enough so that even if read or manipulated it won’t possibly constitute a cybersecurity risk.

Follow this blog and/or our LinkedIn page to learn about latest related developments including our upcoming security solutions for CAN, CAN FD, CANopen and CANopen FD.

This year, Nuremberg’s doors open for the Embedded World (#ew24) from April 9th to April 11th. From EmSA, Peter, Chris and Olaf will be at the event all three days. If you want to talk to us about topics like CAN, CANopen, J1939 and CAN security, meet us at the booth of Peak-System, hall 1, booth 304.

As every year, the conference also features a CAN session. This year it is session “SESSION 2.2 CONNECTIVITY SOLUTIONS | CAN” (April 9th, starting at 1:45PM) with the following presentations:

Thilo Schuhmann: Standardized Cybersecurity in CAN-Based Systems

This paper concentrates on cybersecurity requirements specific to embedded systems employing Controller Area Network (CAN) communication, encompassing CAN, CAN FD, and the emerging CAN XL. Our primary focus lies on CAN XL, which incorporates CANsec, a data link layer add-on facilitating message authentication and encryption,in the data plane. In the control plane the specification of the CANsec Key Agreement protocol (CKA) is defining for key exchange and agreement mechanisms to allow broadcast communication for the authenticated and encrypted messages.

Reiner Zitzmann: Improved Network Start-up for Dynamically Changing Embedded CAN Systems

Controller Area Network (CAN) networks often serves as the conduit for data exchange; on the very deeply embedded level. Devices, connected to these embedded networks may be dynamically added or removed, by the end user. Thus these devices need to show a certain degree of plug and play behavior. Host controllers must have the ability to rapidly identify these devices. Unlike current implementations, the enhanced Layer Setting Services (LSS) enable CAN/CANopen devices to convey their identity to the host controller or LSS manager. This eliminates the need for laborious searches to determine the presence and type of newly added devices. The presentation shows the functioning of the improved Layer Setting Services, and practical use cases.

Olaf Pfeiffer: Collaborative Design of Security Measures for CAN and CANopen Systems

The rise of connected devices in the embedded world has intensified the need for strong security measures, especially in Controller Area Network (CAN) and CANopen systems. These technologies are crucial in a wide range of applications such as industrial automation, automotive systems, and medical equipment. Given the limited resources available in CAN protocols, security often becomes a challenging aspect to address effectively. This paper presents a joint project between Hochschule Offenburg and Embedded Systems Academy, focusing on overcoming these security challenges.
We argue that collaboration among multiple partners is essential for the design and implementation of effective, robust security measures. Our proposed security framework brings together expertise from various stakeholders to identify vulnerabilities, assess potential threats, and formulate countermeasures. A significant aspect of our project is the aim to standardize these security measures through the CAN in Automation (CiA) organization. This makes the security framework transparent and open for public review.
The framework is optimized for CANopen but can also be used by CAN, CAN FD, CANopen FD and other higher-layer protocols.
This paper will outline the architecture of our security framework, showing its applicability to a broader range of CAN or CANopen based applications.

You can’t make it to Nuremberg?

For the latest news and developments in CAN, CANopen and CAN Security, follow us here: https://www.linkedin.com/company/embedded-systems-academy/

For more info on these topics, also see our video collection at https://www.em-sa.com/video

Prompt: a fairy tale style drawing of an electronics laboratory with a window showing a winter scene. Left DALL-E, right: Midjourney.

Dear Customers, Partners, and Followers,

As we approach the conclusion of 2023, we want to take a moment to reflect on the year that has passed and share our excitement for what lies ahead in the new year.

The past year has been one of recovery and adaptation. We’ve observed some easing in supply chain issues. While we are not yet back to pre-pandemic levels of supply reliability, the improvements we’ve seen give us hope and confidence as we move forward.

An exciting highlight of this past year has been our collaborative CAN security project with Hochschule Offenburg. Our collaboration with their experts has been a journey of shared knowledge and mutual learning. Their academic approach, combined with our practical industry experience, creates a synergy that helps us provide CAN security solutions at multiple levels.

This two-year endeavour has now received a grant, ensuring the resources required to take our products and services to the next level. This project focuses on enhancing the security of CAN and CAN FD systems as well as all protocols running on it, such as J1939 and CANopen. All results of this partnership will be published. Follow this blog or our LinkedIn page for more information.

One of the most notable changes this year has been our first steps of making use of artificial intelligence. For a small company like ours, the opportunities are very promising. Without dedicated departments for technical documentation, graphic design, or marketing, our engineers have been wearing multiple hats. The introduction of AI tools into these tasks has been transformative, allowing our talented engineers to refocus their expertise on what they do best – developing outstanding products.

If you are interested in learning more about how we utilize AI, see Olaf’s article on his LinkedIn page.

We are excited to step into the new year with a renewed focus on engineering excellence. We look forward to continuing our journey together, solving customers’ challenges, and seizing new opportunities.

Thank you for being a part of our story. Here’s to a prosperous and innovative new year!

Warm regards,

Andy, Chris, and Olaf

Together with the Institute of Reliable Embedded Systems and Communication Electronics (ivESK, Prof. Sikora of Offenburg University), the Embedded Systems Academy has been awarded a research grant for a collaborative project focusing on embedded network security. The project is dedicated to developing a security framework for small-packet networks, with a specific emphasis on CAN and CANopen systems.

The initiative, internally referred to as “Inter-Layer Multi-Participant Security for Small-Packet Networks,” can be integrated within existing network layer protocols and offers multi-party security. It is adaptable to various small-packet network protocols used in embedded systems. Beyond CAN, CAN FD, CANopen and CANopen FD, it can also be used for I2C or RS-485 based systems. The project aims to combine established security mechanisms in a novel way and adapt them suitable for deeply embedded systems, devices and networks, where resources, such as memory, computing power, data rates and frame length are very much constraint.

The project’s goal is to ensure that the results are openly available and can be reused by the Special Interest Group “Safety/Security” within CiA (CAN in Automation).

We plan to regularly publish updates on our project’s progress. A first presentation is scheduled for the embedded world Conference in Nuremberg: On April 9th, 2024, we will present the paper “Collaborative Design of Security Measures for CAN and CANopen Systems” in the connectivity track, session 2.2 on CAN. If you are interested in contributing to the specification process or in beta-testing early implementations, please feel free to contact us (contact form on this web page or mail to info@esacademy.de).

This Project is supported by the Federal Ministry for Economic Affairs and Climate Action (BMWK) on the basis of a decision by the German Bundestag.