CANbus - CAN bus protocol and industrial network security
CANbus/CANopen (ISO 11898) - differential bus architecture, broadcast without authentication, CAN gateways as segmentation points. OT Protocol Encyclopedia.
Jozef Sulwinski 
CAN (Controller Area Network) is a communication protocol developed in 1986 by Bosch for in-vehicle communication. Originally designed to replace complex wiring harnesses in automobiles, CAN quickly found applications far beyond the automotive industry - in industrial automation (CANopen), mobile machinery (SAE J1939), medical devices, railway systems, and building automation. The standard is defined in ISO 11898 and covers both the physical layer (differential bus) and the data link layer (CSMA/CR arbitration).
CANopen, based on CAN, is an application profile defined by CiA (CAN in Automation) and widely used in CNC machines, robots, packaging systems, and elevators.
Protocol architecture
CAN operates on a differential bus with non-destructive bitwise arbitration - a unique feature that allows multiple nodes to transmit simultaneously, with message priority resolved at the hardware level without collisions.
| Parameter | CAN 2.0A / 2.0B | CAN FD |
|---|---|---|
| Physical layer | Differential bus (CAN_H, CAN_L), ISO 11898-2 | Same as CAN 2.0 |
| Speed | Up to 1 Mbps (CAN 2.0), typically 125-500 kbps | Up to 8 Mbps (data phase) |
| Topology | Bus with 120 ohm terminators | Same as CAN 2.0 |
| Authentication | None | None |
| Encryption | None | None |
| Integrity | CRC-15 (2.0) / CRC-17/21 (FD) | Same |
| Identifier | 11-bit (2.0A) or 29-bit (2.0B) | 11/29-bit |
| Payload | 0-8 bytes | 0-64 bytes |
| Range | Up to 1000 m (at 50 kbps), 40 m (at 1 Mbps) | Same as CAN 2.0 |
Key CAN features from a security perspective:
- Broadcast - every frame sent on the bus is visible to all nodes. There is no addressing - frames are identified by their identifier (CAN ID), and each node decides which identifiers it accepts
- No sender address - a CAN frame contains no information about who sent it. The receiver has no way to verify the source
- Priority arbitration - lower CAN ID = higher priority. An attacker with a low CAN ID node can dominate the bus
Applications beyond automotive
In the context of OT and industrial automation, CAN/CANopen is used in:
- CNC machines and robots - communication between the controller and servo drives, encoders, I/O modules
- Packaging and printing machines - axis synchronization, actuator control
- Elevators and escalators - communication between the cabin controller, doors, and drive
- Special vehicles - construction machinery, agricultural equipment, military vehicles (SAE J1939)
- Medical systems - diagnostic equipment, surgical robots
TIP
In industrial environments, CANbus is often “hidden” inside machines - not visible on OT network diagrams but accessible through diagnostic ports (OBD-II connectors in vehicles, service ports on machines). Every CAN diagnostic port is a potential entry point to the machine’s internal bus.
Security assessment
CAN was designed with reliability and determinism in closed embedded systems in mind, not communication security. The complete absence of security mechanisms is a consequence of the assumption that the bus is physically enclosed within a machine or vehicle housing.
Fundamental vulnerabilities:
- No authentication - any node on the bus can send frames with any CAN ID. There is no way to verify whether a frame comes from an authorized source
- No encryption - data transmitted in plaintext. Connecting a CAN analyzer (e.g. PCAN-USB, cost approx. 200 EUR) allows full eavesdropping
- Broadcast without filtering - every node sees all frames on the bus
- No sender identification - the protocol does not include a source address field. An attacker can impersonate any node
- Bus-off attack - deliberately generating errors can force a node into the bus-off state (disconnection from the bus), effectively eliminating it from communication
Attack scenarios on CAN in industrial environments:
- Spoofing - injecting frames with the controller’s CAN ID - servo drives execute the attacker’s commands
- Fuzzing - sending random CAN frames to provoke unpredictable machine behavior
- Replay - recording a sequence of CAN frames during normal operation and replaying them in a different context
- DoS through bus domination - continuously transmitting frames with the highest priority (CAN ID 0x000) blocks communication for all other nodes
Segmentation and protection
Protecting CAN networks relies on physical isolation, CAN gateways as control points, and anomaly monitoring.
CAN gateways as segmentation points:
- CAN domain separation - a CAN gateway connects two or more bus segments, selectively forwarding frames based on CAN ID. This is the most important segmentation mechanism
- Gateway-level filtering - whitelist of allowed CAN IDs in each direction. The gateway blocks frames with unexpected identifiers in a given segment
- Rate limiting - the gateway can limit the frequency of frames with a given CAN ID, detecting flooding attempts
- Galvanic isolation - CAN gateways should provide galvanic isolation between segments
Physical protection:
- Diagnostic ports - CAN service connectors (OBD-II, ports on machine cabinets) should be physically secured and accessible only to authorized personnel
- Machine enclosures - in CNC machines and robots, the CAN bus is inside the enclosure. Enclosure integrity control (locks, tamper sensors) protects against physical access
- Cables - CAN cable routes in enclosed channels, especially sections between control cabinets
Monitoring and detection:
- CAN IDS - intrusion detection systems dedicated to CAN (e.g. Argus, Upstream) analyze bus traffic and detect anomalies - new CAN IDs, unusual frequencies, out-of-schedule frames
- Logging - recording CAN traffic at the gateway for post-incident analysis
- Baseline comparison - normal CAN communication is highly repetitive (cyclic frames with fixed identifiers) - deviations from the pattern are easy to detect
Detailed guidelines for zones and conduits in OT networks are described in our article on OT network segmentation.
TIP
CAN XL (a new CiA standard) and CAN FD with SecOC extensions (Secure Onboard Communication, AUTOSAR) introduce frame authentication using CMAC (Cipher-based MAC). If you are designing a new machine, SecOC is the direction providing cryptographic integrity for CAN communication.
Open source tools
| Tool | Language | Description | Link |
|---|---|---|---|
| can-utils | C (Linux) | CLI toolset for SocketCAN - capturing, sending, and analyzing CAN frames | GitHub |
| python-can | Python | Library for CAN bus communication - support for multiple hardware interfaces | GitHub |
| SavvyCAN | C++ (GUI) | Graphical CAN traffic analyzer - visualization, filtering, and frame reverse engineering | GitHub |
TIP
can-utils: candump can0 captures all frames on the interface, cansend can0 123#DEADBEEF sends a frame - basic tools for CAN bus auditing in a Linux environment.
Sources
- ISO 11898-1:2015 - CAN data link layer and physical signalling
- CAN in Automation (CiA) - CANopen standardization organization
- NIST SP 800-82 Rev. 3 - Guide to OT Security
- AUTOSAR SecOC - Secure Onboard Communication for CAN
- SAE J1939 - CAN protocol for heavy vehicles and machinery
Need help in this area?
Our experts will help you assess the risk and plan next steps.