J193991A_202503: Security Recommendations for Interfaces to On-Vehicle Networks

Features

Issuing Committee: Truck and Bus Control and Communications Network Committee

Scope

Content

This document provides recommendations to vehicle manufacturers, ECU developers, and other device suppliers in securing the SAE J1939 network from cybersecurity risks. This document focuses on security measures related to on-vehicle network architecture and security measures for communication interfaces between devices, ECUs, or networks. The focus is on security related to network communications on the vehicle side of off-vehicle interfaces, such as the SAE J1939-13 connector.

The recommendations in this document aim to address cybersecurity risks presented by communication between the vehicle and the rest of the supporting ecosystem via the vehicle networks. The risk focus is on safety and operational risks, although other risks are possible. This document should be used as a reference to current best practices for addressing off-vehicle communication security.

This document focuses on recommendations related to the Secure Architecture and Secure Connectivity aspects of vehicle security; it is the first in a family of security-related documents. Recommendations for secure on-board communications between ECUs and any other on-vehicle device will be defined in another document. While Secure ECU is out of scope for this document, this document does include some Secure ECU recommendations only to the extent needed to support the recommendations of topics that are in scope.

Some of the described guidelines and measures described in this document include:

Overview of the SAE J1939 layered security model
Secure Architecture
1. ○
  Domain Separation
2. ○
  Vehicle Messaging Matrix (VMM) to document all network messaging
3. ○
  Multi-level security (MLS) policy, based on VMM, to control message flow between domains
Secure Connectivity
1. ○
  Gateways and firewalls to isolate on-vehicle networks from off-vehicle networks and control message flow of incoming messages from off-vehicle
2. ○
  Firewall-based diagnostic services control
3. ○
  ECU-based diagnostic services control
An alert service for reporting detected imposter messaging activity

It is recognized that not every application of SAE J1939 networks requires the same level of cybersecurity measures. Techniques to determine the level of cybersecurity measures required are out of scope for this document. Generally, higher-risk applications require higher levels of cybersecurity measures.

Generally, there are three forms of communication methodologies used in current vehicles:

1
Open access to communication buses – security included inside each networked ECU
2
Communication buses isolated via a gateway – central security interconnect ECU
3
Combinations of (1) and (2)

This document provides guidelines for securing communications with any off-board device for vehicles utilizing any of these methodologies.

Meta Tags

Topics: Architecture
Vehicle networking
Cybersecurity

Details

DOI: https://doi.org/10.4271/J193991A_202503

Pages: 21

Citation: SAE International Recommended Practice, Security Recommendations for Interfaces to On-Vehicle Networks, SAE Standard J193991A_202503, Issued March 2025, https://doi.org/10.4271/J193991A_202503.

Additional Details

Publisher: SAE International

Published: Mar 19

Product Code: J193991A_202503

Content Type: Recommended Practice

Status: Issued

Language: English

J1939-91A

2025-03-19

J193991A_202503 Security Recommendations for Interfaces to On-Vehicle Networks

Issued

03/19/2025

Revisions