CANopen Security Anomaly Detection (available soon)


A dedicated CANgineBerry firmware turns the module into a passive security monitor for classical CANopen networks. It watches the bus for traffic that does not match the expected pattern and reports each anomaly as an event over the serial port. The host, for example a Raspberry Pi, records these events into an auditable log of security incidents.

This firmware is in preparation and will be available soon.

Because detection runs on the independent 32-bit microcontroller of the CANgineBerry, it continues with tight timing and stays active even while the host is busy or still booting.

CAN Dragon security monitoring

What It Detects

The firmware learns or is configured with the normal behavior of the network and then watches for deviations, including:

  • Unexpected bus load. A sudden or sustained rise in bus load above the level the network normally produces can indicate flooding, a misbehaving node, or injected traffic. This is the only security measure available against denial-of-service (DoS) attacks on the bus. It cannot prevent them, but it at least detects and reports them.
  • Out-of-time occurrences. Many CANopen frames are periodic. If a message normally arrives every 100 ms and at some point the time between two such frames is smaller than, for example, 60 ms, it could well be that an additional frame has been injected. The firmware flags this timing anomaly so it can be investigated.
  • Missing or late frames. A periodic frame or heartbeat that stops arriving, or arrives much later than expected, can signal a node failure, a disconnection, or an attempt to silence a device.
  • Unexpected identifiers. Frames carrying CAN identifiers that are not part of the configured network point to a foreign or rogue node on the bus.
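The timing, missing-frame and identifier checks above can be sketched on the host side as follows. This is an added example, not the CANgineBerry firmware or its event format; the identifiers, periods, the 1.5x lateness tolerance and the trace are constructed assumptions, with only the 100 ms / 60 ms figures taken from the text. Bus-load measurement is left out.

```python
from dataclasses import dataclass

# Assumed configuration: CAN identifier -> nominal period in ms.
# 0x701 is the CANopen heartbeat of node 1; 0x181 is a constructed periodic PDO.
EXPECTED = {0x181: 100, 0x701: 1000}
EARLY_RATIO = 0.6   # 100 ms period -> gaps under 60 ms are flagged (the text's example)
LATE_RATIO = 1.5    # assumed tolerance before a frame counts as late or missing


@dataclass(frozen=True)
class Event:
    t_ms: int
    kind: str       # UNEXPECTED_ID, TOO_EARLY, LATE or MISSING
    can_id: int
    gap_ms: int = 0


def detect(trace, end_ms):
    """Scan (t_ms, can_id) pairs in time order and return the anomalies."""
    last_seen, events = {}, []
    for t_ms, can_id in trace:
        period = EXPECTED.get(can_id)
        if period is None:
            events.append(Event(t_ms, "UNEXPECTED_ID", can_id))
            continue
        if can_id in last_seen:
            gap = t_ms - last_seen[can_id]
            if gap < period * EARLY_RATIO:
                events.append(Event(t_ms, "TOO_EARLY", can_id, gap))
            elif gap > period * LATE_RATIO:
                events.append(Event(t_ms, "LATE", can_id, gap))
        last_seen[can_id] = t_ms
    # A frame that stopped entirely never reaches the gap check above, so compare
    # each identifier's last sighting (window start = 0 if never seen) with end_ms.
    for can_id, period in EXPECTED.items():
        silent = end_ms - last_seen.get(can_id, 0)
        if silent > period * LATE_RATIO:
            events.append(Event(end_ms, "MISSING", can_id, silent))
    return events


# Constructed trace: 0x181 every 100 ms with one extra frame at 250 ms (which
# produces two short gaps), a foreign 0x555 at 310 ms, 0x181 silent after 400 ms.
TRACE = [(0, 0x701), (0, 0x181), (100, 0x181), (200, 0x181), (250, 0x181),
         (300, 0x181), (310, 0x555), (400, 0x181), (1000, 0x701)]

if __name__ == "__main__":
    for ev in detect(TRACE, end_ms=1000):
        print(f"{ev.t_ms:5d} ms  {ev.kind:<13} id=0x{ev.can_id:03X} gap={ev.gap_ms} ms")
```

A single extra frame shortens both the gap before it and the gap after it, so the periodic identifier is flagged twice for one injection.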

Auditable Security Logging

Each detected anomaly is sent over the UART as a structured event. On the host the events can be timestamped and written to an append-only log, giving operators an auditable record of security events for incident review and as supporting evidence for modern regulation such as the EU Cyber Resilience Act and IEC 62443.

Detection on the module and logging on the host are kept separate. The CANgineBerry observes the bus and raises events; the host decides how to store, forward, and act on them.


Frequently Asked Questions

What anomalies can the firmware detect?

Unexpected bus load, out-of-time occurrences (for example an injected frame arriving too soon after a periodic message), missing or late frames, and frames carrying CAN identifiers that are not part of the configured network.

Can it stop a denial-of-service attack?

No. Detecting unexpected bus load is the only available measure against denial-of-service attacks on the bus. It cannot prevent the attack, but it detects and reports it so operators can respond.

How are detected anomalies reported?

Each anomaly is sent as a structured event over the UART. The host, for example a Raspberry Pi, timestamps the events and writes them to an append-only log, producing an auditable record of security events.

Is the anomaly-detection firmware available now?

It is in preparation and will be available soon. It applies the CAN Dragon approach to anomaly and event monitoring on classical CANopen.