Inproceedings
Low-overhead and Non-invasive Electromagnetic Side-Channel Monitoring for Forensic-ready Industrial Control Systems
Contribution Summary
This work explores the potential of using electromagnetic (EM) radiation emitted by industrial control systems (ICS) network infrastructure as a window for detecting network-based threats and as a trigger mechanism for activating the forensic readiness features of the ICS infrastructure. The authors propose an approach to monitor ICS network infrastructure using unintentional EM radiation emitted by Ethernet network cables during their regular operation. An empirical evaluation highlights that it is possible to detect various types of denial of service (DoS) attacks through EM emission patterns of Ethernet cables with considerable accuracy. The work introduces an architecture for the ICS infrastructure to be forensic-ready with minimal computational resources while being independent and non-invasive to the infrastructure itself.
Keywords: Industrial control systems; Electromagnetic side-channel analysis; Network security; Forensic readiness; Low-overhead monitoring; Non-invasive detection; Denial of service attacks
Abstract
Industrial control systems (ICS) are the backbone of modern manufacturing facilities. Due to the distributed nature of ICS hardware in their deployment environment, they are often networked through Ethernet, opening up a window for network-based attacks. Preventive security measures, such as constant packet capture and inspection, are impractical due to the computational overhead required. Therefore, computationally feasible trigger mechanisms are needed that can activate security, as well as on-demand forensic readiness features, in the infrastructure. This work proposes an approach to monitor ICS network infrastructure using unintentional electromagnetic (EM) radiation emitted by Ethernet network cables during their regular operation. An empirical evaluation highlights that it is possible to detect various types of denial of service (DoS) attacks through EM emission patterns of Ethernet cables with considerable accuracy (HTTP Flood = 99.70%, TCP Flood = 73.22%, UDP Flood = 69.95%). Based on the experimental findings, this work introduces an architecture for the ICS infrastructure to be forensic-ready with minimal computational resources while being independent and non-invasive to the infrastructure itself.
BibTeX
@inproceedings{weerasinghe2025EM-SCAForensicReadinessICS,
author={Weerasinghe, Buddhima and Sayakkara, Asanka and De Zoysa, Kasun and Scanlon, Mark},
title="{Low-overhead and Non-invasive Electromagnetic Side-Channel Monitoring for Forensic-ready Industrial Control Systems}",
booktitle={Digital Forensics Doctoral Symposium},
series={DFDS 2025},
year=2025,
month=04,
isbn = {97984007107662504},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
doi={10.1145/3712716.3712722},
url={https://doi.org/10.1145/3712716.3712722},
location={Brno, Czech Republic},
abstract={Industrial control systems (ICS) are the backbone of modern manufacturing facilities. Due to the distributed nature of ICS hardware in their deployment environment, they are often networked through Ethernet, opening up a window for network-based attacks. Preventive security measures, such as constant packet capture and inspection, are impractical due to the computational overhead required. Therefore, computationally feasible trigger mechanisms are needed that can activate security, as well as on-demand forensic readiness features, in the infrastructure. This work proposes an approach to monitor ICS network infrastructure using unintentional electromagnetic (EM) radiation emitted by Ethernet network cables during their regular operation. An empirical evaluation highlights that it is possible to detect various types of denial of service (DoS) attacks through EM emission patterns of Ethernet cables with considerable accuracy (HTTP Flood = 99.70%, TCP Flood = 73.22%, UDP Flood = 69.95%). Based on the experimental findings, this work introduces an architecture for the ICS infrastructure to be forensic-ready with minimal computational resources while being independent and non-invasive to the infrastructure itself.}
}