
Embedded Systems Blog

Preparing CAN-based Products for the EU Cyber Resilience Act (CRA)

September 5th, 2025

The CRA will significantly affect all digital products, including those based on the Controller Area Network (CAN) and using protocols like CANopen. Under the CRA, manufacturers must manage and report vulnerabilities with clear severity scoring. This applies not only to newly developed products but also to products already placed on the EU market.

To support companies in this transition, Embedded Systems Academy continuously publishes white papers that address the different aspects of CAN security and CRA compliance. Currently three papers are published at:
https://www.esacademy.com/en/library/security-white-papers.html

The first, Security Justification for Classical CAN Systems (EmSA-WP-101), explains under which circumstances lightweight or non-cryptographic measures can be sufficient. It shows how techniques like physical access control and event monitoring can provide compliance where full cryptography is impractical. The paper maps these measures against IEC 62443, BSI TR-02102 and CRA requirements and presents structured arguments that auditors can follow.

The second, Interface Driven Security Evaluation for Sensors (EmSA-WP-102), analyses how the choice of sensor interface, from memory bus and SPI/I²C to CAN, changes the security evaluation. The central message is that risk depends more on the exposure of the interface than on the protocol itself. Deeply embedded CAN systems may already be sufficiently secure, but exposed systems, such as wiring accessible behind easily opened panels, often require additional mitigations. These can be as simple as timing checks, or they can involve cryptography such as an authenticated heartbeat. The paper aligns these evaluations with IEC 62443, ISO/IEC 27005 and CRA expectations.
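To make the two mitigation levels mentioned above concrete, here is an added example (not code from the white paper or from EmSA) of a CANopen heartbeat consumer that combines a plain timing check with an authenticated heartbeat. The frame layout is an assumption for illustration: the standard CANopen heartbeat byte (NMT state) is followed by a 4-byte monotonic counter and an 8-byte truncated HMAC-SHA256 tag, which fits in a CAN FD frame but not in a classical 8-byte CAN frame. Key provisioning, the event sink and the demo key are all constructed for the example.

```python
import hashlib
import hmac
import struct

HEARTBEAT_BASE_COB_ID = 0x700  # CANopen heartbeat COB-ID = 0x700 + node-ID
TAG_LEN = 8                    # truncated HMAC-SHA256 tag length (assumption)
BODY_FMT = "<BI"               # NMT state byte + 32-bit counter (assumption)
BODY_LEN = struct.calcsize(BODY_FMT)


def _tag(key, cob_id, body):
    # Bind the tag to the COB-ID so a frame replayed under another ID fails.
    mac = hmac.new(key, struct.pack("<H", cob_id) + body, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def build_auth_heartbeat(node_id, nmt_state, counter, key):
    """Producer side: returns (cob_id, payload) for an authenticated heartbeat."""
    cob_id = HEARTBEAT_BASE_COB_ID + node_id
    body = struct.pack(BODY_FMT, nmt_state & 0x7F, counter)
    return cob_id, body + _tag(key, cob_id, body)


class HeartbeatConsumer:
    """Consumer side: timing check, tag verification and replay detection
    for one producer node. Security events are collected in self.events."""

    def __init__(self, node_id, key, heartbeat_time_ms, tolerance=1.5):
        self.node_id = node_id
        self.key = key
        self.timeout_ms = heartbeat_time_ms * tolerance  # late/lost threshold
        self.last_counter = -1
        self.last_seen_ms = None
        self.events = []  # (time_ms, event) tuples; a real node would log these

    def on_frame(self, cob_id, data, now_ms):
        """Process one received frame; returns True if accepted."""
        if cob_id != HEARTBEAT_BASE_COB_ID + self.node_id:
            return False  # not this producer's heartbeat
        if len(data) != BODY_LEN + TAG_LEN:
            self.events.append((now_ms, "malformed_heartbeat"))
            return False
        body, tag = data[:BODY_LEN], data[BODY_LEN:]
        # Constant-time comparison of the truncated tag.
        if not hmac.compare_digest(tag, _tag(self.key, cob_id, body)):
            self.events.append((now_ms, "bad_tag"))
            return False
        _nmt_state, counter = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            self.events.append((now_ms, "replayed_counter"))
            return False
        # Timing check: a valid but late heartbeat is accepted and recorded.
        if self.last_seen_ms is not None and now_ms - self.last_seen_ms > self.timeout_ms:
            self.events.append((now_ms, "heartbeat_late"))
        self.last_counter = counter
        self.last_seen_ms = now_ms
        return True

    def check_timeout(self, now_ms):
        """Periodic timing check; returns False once the producer is silent too long."""
        if self.last_seen_ms is not None and now_ms - self.last_seen_ms > self.timeout_ms:
            self.events.append((now_ms, "heartbeat_lost"))
            return False
        return True


def run_demo():
    """Constructed scenario: two good heartbeats, a replay, a forgery, then silence."""
    key = b"\x01" * 16  # constructed demo key, never a real provisioning scheme
    consumer = HeartbeatConsumer(node_id=5, key=key, heartbeat_time_ms=100)
    results = []
    for counter, t in enumerate((0, 100)):               # two genuine frames
        cob, frame = build_auth_heartbeat(5, 0x05, counter, key)
        results.append(consumer.on_frame(cob, frame, t))
    cob, frame = build_auth_heartbeat(5, 0x05, 0, key)   # replay of frame 0
    results.append(consumer.on_frame(cob, frame, 200))
    cob, frame = build_auth_heartbeat(5, 0x05, 2, b"\x02" * 16)  # wrong key
    results.append(consumer.on_frame(cob, frame, 300))
    results.append(consumer.check_timeout(500))          # producer went silent
    return results, [event for _, event in consumer.events]


if __name__ == "__main__":
    print(run_demo())
```

The timing check alone already catches a silent or stalled producer; the tag and counter are what turn the heartbeat into evidence that the real node, not something else on the bus, is still alive. A deployment would still need to decide how the counter survives a producer reboot (persisted, or re-synchronised under the key) and how keys are provisioned, which this illustration leaves out.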

The third, Common Vulnerability Scoring System (CVSS) for CAN (EmSA-WP-103), provides guidance on applying CVSS v4.0 to CAN devices. Because CRA requires vulnerabilities to be reported with standardized severity scores, this paper adapts the CVSS methodology to include CAN-specific considerations. It explains how confidentiality, integrity and availability impacts should be assessed at both node and system levels. It demonstrates how measures such as event monitoring or cryptographic authentication can reduce scores from high to low risk.

These papers are a practical toolkit for organizations producing CAN nodes or machinery using CAN systems. By adopting these approaches now, companies can prepare for the CRA with confidence and ensure that their products remain secure and compliant.

Tackling Security Challenges for 2025 and Beyond

January 3rd, 2025

As we step into 2025, the team at EmSA (Embedded Systems Academy) extends our warmest wishes for a prosperous and successful New Year to all our customers and partners!

We have been working on cybersecurity options for embedded small-packet networks for years, but adoption has been slow. Most of our customers know that they need to invest in “some security” eventually. However, without real customer demand or immediate regulatory pressure, the implementation of cybersecurity measures has lagged.

Well, in 2025 and the following years, regulatory pressure will become increasingly urgent. Once you examine the detailed consequences of NIS-2, the EU Cyber Resilience Act (products sold in the EU must comply by end of 2027), and standards like IEC 62443, it becomes clear that this is not just a hill of security measures to climb — for several industries, it will be a mountain.

There are 47 security requirements listed in IEC 62443-4-1, all of which need to be addressed and documented if compliance with IEC 62443 is required. The Cyber Resilience Act is less detailed, but still has some 20+ requirements to address. Each requirement needs to be taken “care of”, and what has been done to take care of it needs to be documented.

In 2025, we at EmSA plan to publish several white papers to help you “get a grip” on the security aspects of your embedded applications using embedded networks. There will also be a number of non-cryptographic measures applicable to CAN and CANopen networks to help achieve at least one of the lower security levels.

For those who need to go “all the way,” we will offer cryptographic solutions for CAN FD, CANopen FD, RS232 connections, and other embedded small-packet networks.

Follow us on this blog, our LinkedIn page, and our YouTube channel to stay up to date with security measures for small-packet networks.