Illustration of stealthy cyber attack on control system

Invisible Threats: How Stealthy Attacks Are Changing Control Systems

"Explore the rising danger of stealthy attacks on control systems and how new detection methods can make your systems resilient."


For years, control systems operated in a world where the main challenges were system disturbances and uncertainty. But those days are gone. Now, we need to think about how designers can protect against attackers, who are smart and determined to exploit any weakness in our systems and control frameworks.

Control systems have turned into prime targets for attackers, largely because they’re accessible, impactful, and often poorly monitored. Many large-scale industrial control systems are adopting Ethernet-like technology, which makes communication easier but also opens them up to the same cyber attacks that plague banking and database companies. These systems are crucial to industries and city infrastructure, so damaging them can have huge consequences. Often, these setups are so complex that attackers can meddle without getting caught.

Much of the research on attack detection has focused on designing methods to keep a close eye on systems and spot anomalies. These methods come from the field of fault detection but have been adapted to deal with strategic, adversarial “faults.” A key part of this effort is understanding the limits of these detectors, especially identifying attacks that are stealthy and can bypass them. That’s crucial for benchmarking detector performance.

What Makes an Attack Stealthy?


The term “stealthy” can mean different things. Some attacks don’t trigger alarms at all, what we call zero-alarm attacks. Others change the alarm rate only slightly, known as perturbation attacks. An attack is considered hidden when it perfectly mimics the normal alarm rate of the system. Some attacks exploit parts of the system that are uncontrollable or unobservable, meaning they don’t show up in measurements or estimated states. Replay attacks also count as stealthy because they feed old, recorded data back into the system, making everything seem normal.

Consider a scenario where an attacker can alter sensor measurements. By adding a carefully crafted “attack” to the output, they can manipulate the system's perceived state. This is particularly concerning because it allows the attacker to gain arbitrary control over the system's effective output. Since our detection approach relies on fault detection, we need an estimator to predict how the system should behave. In this context, we use a steady-state Kalman filter, a tool to estimate the system’s current state based on incoming data. This filter helps us spot discrepancies that might indicate an attack.

  • Zero-Alarm Attacks: These attacks are designed to keep the system's distance measure below a certain threshold, so no alarms are triggered.
  • Hidden Attacks: These attacks generate alarms at the same rate as normal system operation, making them difficult to detect using standard methods.
  • Replay Attacks: Replaying past data to evade current monitoring.
  • Unobservable/Uncontrollable Mode Attacks: Attacks on parts of a system that are difficult to monitor or control.

To compare the impact of different stealthy attacks, we need a way to measure their effect on the system. A common metric is to look at the set of states that the system can reach under attack. We can use mathematical techniques, like Linear Matrix Inequalities (LMIs), to find outer bounds on these reachable states. These methods help us estimate the range of possible system states when an attack is underway, providing a clearer picture of the attack's potential impact.
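As an added example (not code from the paper or from this article), the pure-Python script below builds the detector described above for a constructed scalar plant: a steady-state Kalman filter, a chi-square distance measure on the residual with the threshold set for a 5% false-alarm rate, an empirical check of that alarm rate, and the scalar analogue of the reachable-set bound, namely the largest estimate bias a zero-alarm attack could induce without ever crossing the threshold. The plant constants A, Q, R, the open-loop estimator (u = 0) and all function names are assumptions for this example.

```python
import math
import random
# Constructed scalar plant (assumption, not from the paper): x_{k+1} = A*x_k + u_k + v_k, v_k ~ N(0,Q);
# y_k = x_k + eta_k, eta_k ~ N(0,R). C = 1, so the residual is simply y_k - x_hat_k.
A, Q, R = 0.9, 0.04, 0.25

def steady_state_gain(a, q, r, iters=500):
    """Scalar Riccati iteration to the steady-state P; returns Kalman gain L and residual variance Sigma."""
    p = q
    for _ in range(iters):
        p = a * a * p - (a * a * p * p) / (p + r) + q
    return a * p / (p + r), p + r

def chi2_threshold_1dof(false_alarm_rate):
    """Threshold alpha with P(z > alpha) = false_alarm_rate for z ~ chi^2(1), found by
    bisection on the closed form P(z > alpha) = 1 - erf(sqrt(alpha / 2))."""
    lo, hi = 0.0, 100.0
    for _ in range(100):
        mid = (lo + hi) / 2
        tail = 1.0 - math.erf(math.sqrt(mid / 2.0))
        lo, hi = (mid, hi) if tail > false_alarm_rate else (lo, mid)
    return (lo + hi) / 2

class ResidualDetector:
    def __init__(self, a, q, r, false_alarm_rate=0.05):
        self.a = a
        self.L, self.sigma = steady_state_gain(a, q, r)
        self.alpha = chi2_threshold_1dof(false_alarm_rate)
        self.x_hat = 0.0
    def step(self, y, u=0.0):
        r = y - self.x_hat                     # residual: measurement minus prediction
        z = r * r / self.sigma                 # distance measure z_k = r_k^2 / Sigma
        self.x_hat = self.a * self.x_hat + u + self.L * r   # predictor-form Kalman update
        return z > self.alpha                  # alarm flag

def alarm_rate(steps=20000, seed=1, offset=0.0):
    """Empirical alarm rate on constructed noisy data; offset adds a constant bias to every
    measurement (offset=0 is attack-free and should give roughly the 5% design rate)."""
    rng, det, x, alarms = random.Random(seed), ResidualDetector(A, Q, R), 0.0, 0
    for _ in range(steps):
        alarms += det.step(x + rng.gauss(0, math.sqrt(R)) + offset)
        x = A * x + rng.gauss(0, math.sqrt(Q))
    return alarms / steps

def zero_alarm_estimate_bias(det):
    """Largest steady-state bias in x_hat reachable with z_k <= alpha at every step: holding
    the residual at r_bar = sqrt(alpha*Sigma) gives d_{k+1} = a*d_k + L*r_bar, which
    converges to L*r_bar/(1-a) for |a| < 1 (the scalar version of an outer reachable bound)."""
    return det.L * math.sqrt(det.alpha * det.sigma) / (1 - det.a)
```

Running `alarm_rate(offset=5.0)` shows the flip side: a constant bias several times the per-step stealth budget still only alarms on roughly two thirds of the steps, which is the "perturbation attack" regime where the alarm rate shifts but never reaches certainty.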

Why This Matters

We’ve explored methods for detecting stealthy attacks on control systems, focusing on attacks designed to evade traditional detection methods. By comparing zero-alarm and hidden attacks, and using LMI methods to estimate system behavior, we've shown the need to defend control systems. This work lays the foundation for new strategies and detection systems, improving the security of industrial control systems in an era where digital threats are always growing.

About this Article

This article was crafted using a human-AI hybrid and collaborative approach. AI assisted our team with initial drafting, research insights, identifying key questions, and image generation. Our human editors guided topic selection, defined the angle, structured the content, ensured factual accuracy and relevance, refined the tone, and conducted thorough editing to deliver helpful, high-quality information. See our About page for more information.

This article is based on research published under:

DOI: 10.23919/acc.2018.8431300

Title: A Comparison Of Stealthy Sensor Attacks On Control Systems

Journal: 2018 Annual American Control Conference (ACC)

Publisher: IEEE

Authors: Navid Hashemi, Carlos Murguia, Justin Ruths

Published: 2018-06-01

Everything You Need To Know

1. What are stealthy attacks in the context of control systems, and why are they a significant concern?

Stealthy attacks in control systems refer to sophisticated cyber threats designed to evade detection. These attacks can take various forms, including zero-alarm attacks, where no alarms are triggered; perturbation attacks, which slightly alter the alarm rate; hidden attacks, which mimic the normal alarm rate; and replay attacks, which feed old data into the system to mask malicious activity. Understanding these different types of stealthy attacks is crucial for developing effective defense strategies.

2. What differentiates zero-alarm attacks from hidden attacks in control systems, and how do these differences impact detection strategies?

Zero-alarm attacks are a type of stealthy attack designed to keep the system's distance measure below a certain threshold, ensuring that no alarms are triggered. This makes them particularly difficult to detect using traditional monitoring methods. In contrast, hidden attacks generate alarms at the same rate as normal system operation, blending in with routine system behavior. While both aim to evade detection, they do so through different mechanisms, requiring distinct detection approaches.

3. How do replay attacks work in control systems, and what role does the steady-state Kalman filter play in detecting or preventing these attacks?

Replay attacks involve feeding old, recorded data back into the system, making everything appear normal and masking any malicious activity. This type of attack bypasses current monitoring by presenting historical data as real-time input. The steady-state Kalman filter, used to estimate the system's current state, can be vulnerable to replay attacks if the replayed data falls within the filter's expected range of normal operation. Detecting replay attacks requires analyzing data patterns and comparing them against expected system behavior to identify inconsistencies.

4. How are Linear Matrix Inequalities (LMIs) used to assess the impact of stealthy attacks on control systems, and why is this important?

Linear Matrix Inequalities (LMIs) are mathematical techniques used to find outer bounds on the reachable states of a system under attack. By estimating the range of possible system states when an attack is underway, LMIs provide a clearer picture of the attack's potential impact. This information is crucial for assessing the severity of the attack and developing targeted defense strategies. Without methods like LMIs, understanding the full scope of an attack's impact would be significantly more challenging, hindering effective response and mitigation efforts.

5. How has the adoption of Ethernet-like technology impacted the cybersecurity of industrial control systems, and what are the implications?

The increasing adoption of Ethernet-like technology in industrial control systems enhances communication but also exposes these systems to cyber attacks. Unlike traditional systems that primarily faced system disturbances and uncertainty, modern control systems must contend with sophisticated adversaries. These systems are attractive targets due to their accessibility, potential impact, and often inadequate monitoring. The shift towards interconnectedness necessitates robust security measures to protect critical infrastructures from potential cyber threats, preventing disruptions and maintaining operational integrity.
