CANopen Lift, CRA and cyber security

Cybercrime is the world’s third-largest economy after the U.S. and China: estimates put it at $ 10.5 trillion next year. Therefore, cybersecurity is a hot topic - also for CAN-networked systems as used in many lift control systems.

The fear is that someone may connect a device to the network, which corrupts the communication functionality and causes malfunctions in the lift’s behaviour. There are other scenarios, but this is not the topic of this article.

By Holger Zeltwanger

National, regional, and international authorities have already released regulations on cyber security. One of them is the European Cyber Resilience Act (CRA): This is a legal framework that describes the cybersecurity requirements for hardware and software products, which have to be met in Europe.

Manufacturers are now obliged to take measures against cyber-attacks throughout a digital product’s entire life cycle (see our article "Greater cyber security for products"). What manufacturers and users need to do in detail is still unclear. There are many questions and uncertainties. CAN networks consist of hardware and software, meaning they are also affected by the European Cyber Resilience Act.

CAN networks are not per se protected against cyber-attacks. Cybersecurity needs to be added. In other words: a CAN interface is like a door without a lock. Depending on the application and risks of attacks, you need to apply appropriate measures. The internationally standardized OSI (Open Systems Interconnection) model describes corresponding security measures (ISO 7498-2:1989). It models the secure communication between networked entities. Theoretically, each of the seven layers can implement security measures.

Cyber security in CiA

CANopen Lift is specified in the CiA document series 417. Devices developed according to it may need additional functions to be protected against cyber-attacks.

Within the nonprofit CiA (CAN in Automation) organization, there are currently two groups dealing with cyber security:
• The Special Interest Group (SIG) 01 of Interest Group (IG) 04 is developing the CANsec sublayer for CAN XL. It is intended to implement it in the CAN-XL controllers in hardware.
• In July this year the SIG "Higher-layer protocol" Security was established. The aim is to specify security measures for the higher OSI layers (Layer 3 to Layer 7), which are based on the data protection protocols CAN-CC and CAN FD (a software solution). Using them for lift networks should also be possible.

In the case of CAN-CC frame telegrams with a maximum data field length of 8 byte, compromises will no doubt be necessary. If you need higher protection, migration to the CANopen FD protocol, supporting payloads up to 64 byte, is a good option. The CiA Technical Committee of the CiA is modelling these two options as specified in ISO 7489-2. When all these tasks have been performed, the CANopen Lift experts can adapt these solutions to the CiA 417 documents.

The author is CiA Managing Director.

CAN in Automation (CiA): The registered association CAB in Automation (CiA) was established on the suggestion of Holger Zeltwanger in on 5 March 1992. Today, it has over 700 members and serves as a neutral platform for users and manufacturers of the Controller Area Network. The association developed the CANopen Lift Protocol (CiA 417), which permits standardized networking of lift components.

can-cia.org

Political discussion needed: There is also a need to discuss the political dimension of these matters. In my opinion, it could be that in special applications a mechanical access protection is sufficient, e.g., if the CANopen lift networks are inaccessible (for example in the shaft or buildings not open to the public). In other applications, an end-to-end protection might be adequate (the communication is transparent, as it were).

If an attacker has access to the CAN network lines, defensive measures are required. When the lift control system is connected via external interfaces to diagnostic systems or emergency call services, firewalls are required to avoid attacks to the CAN communication – just as you need to lock all doors and even windows in your house to make it harder for thieves.

Sometimes, locks on internal doors improve the overall security. This means, CAN-to-CAN bridges as used in most CANopen Lift network systems should implement firewalls, too.