Kurt Vedros, Georgios Michail Makrakis, C. Kolias, Min Xian, Daniel Barbará, C. Rieger
Published in: 2021 Resilience Week (RWS), 2021-10-18
DOI: 10.1109/RWS52686.2021.9611805 (https://doi.org/10.1109/RWS52686.2021.9611805)
On the Limits of EM Based Detection of Control Logic Injection Attacks In Noisy Environments
The difficulty in applying traditional security mechanisms in Industrial Control System (ICS) environments makes a large portion of these mission-critical assets vulnerable to cyber attacks. Therefore, there is a dire need for the development of novel security mechanisms specifically designed to protect such critical systems. Recently a lot of attention has been given to mechanisms that exploit the EM emanations of devices for defense purposes. Such practices may lead to the development of robust external and non-intrusive anomaly detection systems. Nevertheless, the majority of current work in the area neglects to consider the implications of real-life environments, particularly environmental noise. In this work, we explore the limits of EM-based anomaly detection towards identifying injection attacks in control logic software in noisy environments. Our study conducted upon both synthetically generated and real signals identified that indeed environmental noise might significantly degrade the accuracy of the anomaly detection process. Experiments done upon synthetic data indicated that assuming that signals are captured with high sampling rates, even minor code injections can be detected with above-90% accuracy in noisy environments where SNR is up to −2dB. This is true even if naive detection methods are considered. Moreover, experiments done using a real-life testbed attest that even single-instruction injections can be detected with near-perfect accuracy in relatively clean environments. Finally, noise-elimination techniques can drastically improve the reliability of the detection mechanism even in noisy environments.