Authors:
Weerasinghe, Buddhima; Sayakkara, Asanka; De Zoysa, Kasun and Scanlon, Mark
Publication Date:
April 2025
Publication Name:
Digital Forensics Doctoral Symposium
Abstract:
Industrial control systems (ICS) are the backbone of modern manufacturing facilities. Due to the distributed nature of ICS hardware in their deployment environment, they are often networked through Ethernet, opening up a window for network-based attacks. Preventive security measures, such as constant packet capture and inspection, are impractical due to the computational overhead required. Therefore, computationally feasible trigger mechanisms are needed that can activate security, as well as on-demand forensic readiness features, in the infrastructure. This work proposes an approach to monitor ICS network infrastructure using unintentional electromagnetic (EM) radiation emitted by Ethernet network cables during their regular operation. An empirical evaluation highlights that it is possible to detect various types of denial of service (DoS) attacks through EM emission patterns of Ethernet cables with considerable accuracy (HTTP Flood = 99.70%, TCP Flood = 73.22%, UDP Flood = 69.95%). Based on the experimental findings, this work introduces an architecture for the ICS infrastructure to be forensic-ready with minimal computational resources while being independent and non-invasive to the infrastructure itself.
BibTeX Entry:
@inproceedings{weerasinghe2025EM-SCAForensicReadinessICS,
  author    = {Weerasinghe, Buddhima and Sayakkara, Asanka and De Zoysa, Kasun and Scanlon, Mark},
  title     = "{Low-overhead and Non-invasive Electromagnetic Side-Channel Monitoring for Forensic-ready Industrial Control Systems}",
  booktitle = {Digital Forensics Doctoral Symposium},
  series    = {DFDS 2025},
  year      = 2025,
  month     = apr,
  isbn      = {97984007107662504},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  doi       = {10.1145/3712716.3712722},
  url       = {https://doi.org/10.1145/3712716.3712722},
  location  = {Brno, Czech Republic},
  abstract  = {Industrial control systems (ICS) are the backbone of modern manufacturing facilities. Due to the distributed nature of ICS hardware in their deployment environment, they are often networked through Ethernet, opening up a window for network-based attacks. Preventive security measures, such as constant packet capture and inspection, are impractical due to the computational overhead required. Therefore, computationally feasible trigger mechanisms are needed that can activate security, as well as on-demand forensic readiness features, in the infrastructure. This work proposes an approach to monitor ICS network infrastructure using unintentional electromagnetic (EM) radiation emitted by Ethernet network cables during their regular operation. An empirical evaluation highlights that it is possible to detect various types of denial of service (DoS) attacks through EM emission patterns of Ethernet cables with considerable accuracy (HTTP Flood = 99.70%, TCP Flood = 73.22%, UDP Flood = 69.95%). Based on the experimental findings, this work introduces an architecture for the ICS infrastructure to be forensic-ready with minimal computational resources while being independent and non-invasive to the infrastructure itself.}
}