Detecting abnormal behaviour in critical embedded systems

As part of the Nanoelec project, CEA-Leti has developed the eArgos solution, which enhances the cybersecurity of embedded systems for so-called critical applications by analysing their behaviour. This software solution collects internal signals from the connected device at the hardware level (processor, memory, etc.), the operating system, applications and business data. This data is then fed into an AI system that detects any deviation from expected behaviour.
Date
February, 20 2026

Detecting abnormal behaviour in critical embedded systems

Embedded systems within critical infrastructure are prime targets for cyber-attackers. As they are more vulnerable than traditional IT systems, they pose a significantly higher risk of economic, material and human losses. This applies to critical industrial sectors such as transport, connected medical devices, Industry 4.0, defence and space, as well as smart cities and networks.

As part of the Nanoelec project, CEA-Leti has developed the eArgos solution, which enhances the cybersecurity of embedded systems for so-called critical applications by analysing their behaviour. This software solution collects internal signals from the connected device at the hardware level (processor, memory, etc.), the operating system, applications and business data. This data is then fed into an AI system that detects any deviation from expected behaviour.

Designed to help security operations centres make the decisions necessary to secure their systems, the eArgos software detects abnormal behaviour in real time and alerts the control server to the detected threat according to a predefined severity scale.

eArgos features several innovations that protect connected devices from cyberattacks – particularly zero-day attacks exploiting vulnerabilities that have not yet been identified or patched:

the extraction of internal signals

 

Centre: an industrial PLC controlling a physical process, which can be viewed on the lower screen and monitored by a SCADA system (upper screen). Left-hand console: launches attacks that affect the PLC and the physical process. Right-hand console: displays the threat level to the PLC in real time.
Presentation of eArgos at Tech&Fest 2026 (Grenoble, February 2026) (c) CEA

Open Science

As part of the Nanoelec project, CEA-Leti has developed the eArgos solution, which enhances the cybersecurity of embedded systems for so-called critical applications by analysing their behaviour. This software solution collects internal signals from the connected device at the hardware level (processor, memory, etc.), the operating system, applications and business data. This data is then fed into an AI system that detects any deviation from expected behaviour.

Hendrics

Bibliographie

  • Breux, V., Thevenon, P.-H. (2025). Hardware Performance Counters for Anomaly Detection in Embedded Devices. HS3 workshop co-located at the ESORICS 2025 conference
  • Arnoud, L. et al. (2025). HENDRICS: A Hardware-in-the-Loop Testbed for Enhanced Intrusion Detection, Response and Recovery of Industrial Control Systems. ANUBIS workshop co-located at the ESORICS 2025 conference.