Automotive researchers and industry experts have extensively documented vulnerabilities arising from unauthorized in-vehicle communication through academic research, industry investigations, sponsored events, and learnings from real-world attacks. While current cybersecurity endeavors in the heavy-duty (HD) vehicle space focus on securing conventional communication technologies such as the controller area network (CAN), there is a notable deficiency in defensive research concerning legacy technologies, particularly those utilized between trucks and trailers. In fact, state-of-the-art attacks on these systems have only come to public attention through official disclosures and public presentations as recently as 2020.

To address these risks, this paper introduces a system-wide security concept called Legacy Intrusion Detection System (LIDS) for heavy-duty vehicle applications utilizing the SAE J1708/J1587 protocol stack. LIDS relies on coordinated network gateways at each host and employs specialized J1587 security messages to alert other hosts of anomalies. Each gateway uses configurable busload, access control, and transmission rate parameters to perform signature-based and anomaly-based detection on inbound and outbound network traffic for its host.

This paper also presents the development process of the gateway and summarizes the experiments conducted to satisfy the hardware, software, and security requirements imposed by the J1708/J1587 stack and the LIDS concept. Subsequently, we deploy, test, and evaluate LIDS on a retrofitted dual air brake system simulator (DABSS) at CSU's Powerhouse Energy Campus. Under the assumptions presented, the experiments show that LIDS is effective against message spoofing attacks originating from a compromised host or rogue device and flooding attacks from hosts. However, LIDS' effectiveness against flooding attacks from rogue nodes depends on the designer's false positive tolerance. This research builds upon learnings in prior work while incorporating guidelines outlined in SAE J3061. To the best of current knowledge, this publication marks the first presentation of cybersecurity defense research on the SAE J1708/J1587 protocol stack.