Papers
Topics
Authors
Recent
Search
2000 character limit reached

Covert Control Attacks: Mechanisms & Countermeasures

Updated 4 July 2026
  • Covert control attacks are defined as stealthy manipulations of actuator and sensor signals that drive systems away from their nominal trajectories while evading standard detection mechanisms.
  • They employ techniques like coordinated sensor-actuator injection, kernel-based signal compensation, and covert channels (e.g., UDP modulation, MESM) to sustain low-and-slow control.
  • Detection strategies leverage both control-signal-based residuals and data-driven, distributed observer frameworks to expose subtle deviations from normal system behavior.

Covert control attacks are attacks on a control loop or on control-related communication mechanisms that pursue a damaging objective while remaining undetected by monitoring logic, operators, or security controls. In networked control systems, the canonical form is coordinated manipulation of actuation and sensing so that the physical plant is driven away from its nominal trajectory while the signals seen by the controller remain nominal. In networked discrete-event systems, the same idea appears as covert sensor or actuator attacks synthesized to stay within the monitor’s accepted language. In network and software infrastructures, the term also covers covert channels that sustain exfiltration or low-bandwidth command-and-control by modulating throughput, synchronization, or mutual exclusion behavior rather than packet contents or protocol semantics (Sa et al., 2016, Tai et al., 2021, Soderi et al., 2024, Shen et al., 2022).

1. Conceptual scope and taxonomy

A central distinction in this literature is between cybernetic covertness and physical covertness. The former concerns low probability of detection by software, network, or residual-based monitoring; the latter concerns physical effects that “can not be easily noticed or identified by a human observer.” In the service-degradation formulation, the attack does not aim at short-term shutdown or destruction, but at overshoots, steady-state offsets, reduced efficiency, or reduced mean time between failure over mid/long horizons (Sa et al., 2016).

Within feedback-control settings, a general structural abstraction is the kernel attack. In the unified control-and-detection framework, an integrity attack is stealthy for observer-based residuals precisely when the attacked input-output pair lies in the plant kernel space, and replay attacks, zero-dynamics attacks, and covert attacks are all special forms of that class (Ding et al., 2021). In the additive actuator/sensor model, the plant input actually applied is u(k)=uc(k)+au(k)u(k)=u_c(k)+a_u(k), the reported output is yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k), and covertness is achieved when the induced pair is consistent with nominal plant behavior (Binfet et al., 14 May 2026).

The same strategic objective appears in DES. There, covertness is expressed as language indistinguishability with respect to a networked monitor: a covert sensor attack is one for which the monitor never reaches its attack-detected state before the plant reaches a damage state. Damage-reachable and damage-nonblocking covert attacks are then synthesized as supervisor-synthesis problems under partial observation (Tai et al., 2021).

A broader systems view includes covert channels that do not alter the plant directly but maintain covert control or exfiltration paths. In WANs, this is realized by bit-rate modulation of legitimate-looking UDP traffic; in operating systems, by timing/blocking behavior of events, timers, mutexes, semaphores, file locks, and flock (Soderi et al., 2024, Shen et al., 2022). This suggests that “covert control attack” spans both direct plant manipulation and covert communication mechanisms that sustain low-and-slow control.

Setting Covert mechanism Representative source
Networked control systems actuator injection plus sensor compensation (Sa et al., 2016, Li et al., 2020, Binfet et al., 14 May 2026)
Networked DES covert sensor replacement, deletion, insertion under monitor constraints (Tai et al., 2021, Lin et al., 2021)
WAN covert channel UDP bit-rate modulation, high bit rate = 1, low bit rate = 0 (Soderi et al., 2024)
OS/software covert channel blocking-time modulation via MESMs (Shen et al., 2022)

2. Threat models and enabling knowledge

Most model-based covert control attacks assume network access to the control loop. In the NCS service-degradation model, the attacker can eavesdrop on both forward and feedback streams, capture u(k)u(k) and y(k)y(k) over a finite window, and act as a man-in-the-middle on at least one stream to inject data. The attacker knows the structure of the plant and controller transfer functions, but not initially their coefficients; those are estimated through a System Identification attack, a subtype of Cyber-Physical Intelligence attack (Sa et al., 2016).

The system-identification stage is not merely reconnaissance. It is the enabling step for controlled covert degradation. In the DC-motor case, the attacker estimates

C(z)=c1zc2z1,G(z)=g1z+g2z2g3z+g4,C(z)=\frac{c_1 z-c_2}{z-1}, \qquad G(z)=\frac{g_1 z+g_2}{z^2-g_3 z+g_4},

using an optimization-based discrete-time identification procedure with the Backtracking Search Optimization Algorithm, and then designs an attack transfer function M(z)M(z) on the identified closed loop (Sa et al., 2016).

DES work relaxes this assumption. In “Observation-Assisted Heuristic Synthesis of Covert Attackers Against Unknown Supervisors,” the plant model is known but the supervisor is unknown; instead, the attacker has a finite, prefix-closed set of observations OO from the closed loop and synthesizes a covert attacker that is robust against all supervisors consistent with OO (Lin et al., 2021). This is significant because it shifts covert attack synthesis from full controller knowledge to partial behavioral knowledge.

Communication-oriented covert channels require a different capability profile. In CONNECTION, the attacker has code execution on two endpoints in different LANs across an MPLS WAN, can generate arbitrary UDP packets, can sniff traffic at the receiver, but does not control routers, MPLS infrastructure, or security middleboxes. The critical capability is to control the amount of data sent per symbol interval and to measure the resulting throughput at the receiver (Soderi et al., 2024).

3. Core attack constructions

The most classical covert construction is coordinated actuator and sensor manipulation. In the smart-grid formulation,

u~ti=uti+at,\tilde{u}^i_t = u^i_t + a_t,

and the attacker compensates the induced output bias by subtracting

γ=CiBiat,\gamma = C_i B_i a_t,

so that the reported measurement becomes

yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)0

For nonlinear subsystems, the same idea is implemented by simulating the expected next measurement under normal control and replacing the true compromised measurement with the simulated one (Li et al., 2020).

In the kernel-attack formulation, stealthiness is captured by

yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)1

which is exactly the covert-attack condition in the additive model. This explains why replay, zero-dynamics, and covert attacks evade any LTI detector of the form yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)2: they keep the attacked input-output pair in the plant kernel space (Ding et al., 2021).

In service-degradation attacks, the injected actuation is often represented by a covert transfer function inserted in the forward path,

yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)3

Two constructions are studied in detail. For transient stress, the attacker uses a static gain yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)4 to force a 50% overshoot. For steady-state bias, the attacker uses

yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)5

to induce a yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)6 steady-state error while maintaining stability and reasonable settling time (Sa et al., 2016).

DES formulations replace transfer-function synthesis with automata-theoretic synthesis. The attacker may replace, delete, or insert compromised observable events, subject to bounded attack length, partial observation, non-FIFO observation channels, and bounded delays. Covertness is formalized by avoiding states where the monitor reaches the empty-set detection state before plant damage. The supremal covert sensor attack exists in the networked setup and can be computed by a normality-property-based synthesis approach (Tai et al., 2021).

Encrypted control does not eliminate the covert pattern. In the encrypted-controller setting, the same attack equations remain valid: yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)7 The attacker maintains an attack state yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)8 with

yc(k)=y(k)ay(k)y_c(k)=y(k)-a_y(k)9

so that the remote controller sees the nominal output trajectory. A finite-length covert attack is then obtained by a cooldown phase that drives u(k)u(k)0 through controllability (Binfet et al., 14 May 2026).

4. Covert channels for exfiltration and command-and-control

CONNECTION realizes covert communication by bit-rate modulation of legitimate-looking UDP traffic. Logical 1 is encoded as a high bit-rate burst and logical 0 as a low bit-rate burst. With payload sizes u(k)u(k)1 and u(k)u(k)2, the amplitude ratio is

u(k)u(k)3

The receiver groups packets by IP id and destination port, counts fragments per symbol, and demodulates using the threshold

u(k)u(k)4

A fixed 16-bit preamble supports synchronization. The channel is modeled as a Binary Symmetric Channel with capacity

u(k)u(k)5

and experiments report about 5 bps and a maximum spectral efficiency of u(k)u(k)6, with robustness against tested jitter, delay, corruption, packet dropping, and up to 10 Mbps of background UDP traffic (Soderi et al., 2024).

MES-Attacks instead use mutual exclusion and synchronization primitives as the covert medium. Trojan and Spy processes encode bits in blocking time on Event, Timer, FileLockEx, Mutex, Semaphore, and flock. The covert channels are constructed at software level and evaluated in local, cross-sandbox, and cross-VM settings. Reported transmission rates reach 13.105 kb/s in the local scenario, 12.383 kb/s in the cross-sandbox scenario, and 6.552 kb/s in the cross-VM scenario, with bit error rates under u(k)u(k)7 (Shen et al., 2022).

These mechanisms are not plant attacks in the narrow control-theoretic sense, but they are directly relevant to covert control because they provide stealthy exfiltration and low-bandwidth C2 paths that can support persistent implants, botnets, or APT operations. The WAN throughput-envelope channel and the MESM-based channel also expose a common property: the information carrier is not payload semantics but a controlled side effect of a legitimate mechanism.

5. Detection, diagnosis, localization, and accommodation

A recurring result is that standard observer-based residuals are insufficient. Kernel attacks are structurally undetectable when detection relies only on u(k)u(k)8. The unified framework addresses this by adding control-signal-based residuals, showing that all kernel attacks can be structurally detected when both observer-based residuals and control-signal-based residuals are used (Ding et al., 2021).

Data-driven detection offers a complementary route. In the IEEE 14-bus smart-grid study, a hybrid framework combines an autoencoder, an LSTM-RNN, and a DNN. AE and RNN are trained on normal data only; residuals u(k)u(k)9 are concatenated with measurements and passed to a multiclass DNN to distinguish normal operation, covert attacks, and faults, and to localize the attacked or faulty bus. In the coarse 3-class view, the reported y(k)y(k)0 scores for the AE+RNN+DNN framework are 0.9619 for normal, 0.9782 for attack, and 0.9524 for fault (Li et al., 2020).

Distributed architectures can reveal locally covert attacks by exploiting interconnection. In interconnected systems, each subsystem runs a decentralized UIO and a distributed observer. A locally covert attack on subsystem y(k)y(k)1 is invisible to y(k)y(k)2 because y(k)y(k)3 equals the nominal output, but it perturbs neighbors through the interconnection terms y(k)y(k)4. Neighbors use their distributed residuals to detect the anomaly, estimate the attacker’s internal state through a least-squares problem involving y(k)y(k)5 and y(k)y(k)6, reconstruct the injected input y(k)y(k)7 by system inversion, and then apply the accommodation law

y(k)y(k)8

to mitigate the abnormal behavior (Barboni et al., 2020).

This body of work corrects a common misconception: covert attacks are not “undetectable” in an absolute sense. They are undetectable only with respect to a specific monitoring architecture. Enlarging the observation space, exploiting interconnection, or learning spatio-temporal structure can restore detectability.

6. Countermeasures, limits, and current directions

Countermeasure design splits into passive monitoring, active perturbation, coding, and cryptographic integrity. In multiplicative watermarking, the central security metric is the output-to-output y(k)y(k)9-gain from the residual output C(z)=c1zc2z1,G(z)=g1z+g2z2g3z+g4,C(z)=\frac{c_1 z-c_2}{z-1}, \qquad G(z)=\frac{g_1 z+g_2}{z^2-g_3 z+g_4},0 to the performance output C(z)=c1zc2z1,G(z)=g1z+g2z2g3z+g4,C(z)=\frac{c_1 z-c_2}{z-1}, \qquad G(z)=\frac{g_1 z+g_2}{z^2-g_3 z+g_4},1. Without watermarking, this gain is unbounded against covert attacks. With appropriately designed multiplicative watermarking filters, and under the stated sufficient condition on unstable zeros, the gain becomes finite, meaning covert attacks cannot cause arbitrarily large performance degradation while keeping residual energy bounded (Gallo et al., 2021).

Dynamic coding attacks the problem at the channel-structure level. In the discrete-time LTI CPS setting, covert attacks are possible when the attacked actuator and sensor channels satisfy relative-degree and Markov-parameter conditions. Under certain conditions and assuming the existence of one secure input and two secure output communication channels, a dynamic coding scheme based on encoder-decoder dynamics prevents adversaries from executing covert cyber-attacks (Taheri et al., 9 Dec 2025).

Encrypted control, by contrast, is not a sufficient defense. Public-key homomorphic encryption is inherently malleable: the same homomorphisms that enable encrypted control also enable ciphertext manipulation by an attacker. As a result, encrypted controllers remain vulnerable to covert attacks, even without knowledge of an unencrypted model. The proposed remedy is verifiable computation integrated with modern homomorphic cryptosystems, asymptotically secure and incurring no communication overhead (Binfet et al., 14 May 2026).

Process-aware detection is another current direction. In water treatment, a covert man-in-the-middle attacker uses system identification to deploy a covert controller that injects actuator signals and compensating sensor spoofing. PASAD, which models the temporal structure of a single sensor time series via a lag-embedded signal subspace, is reported to outperform CUSUM under change-of-reference covert attacks, especially under noise and moderate model mismatch (Mattos et al., 6 Nov 2025).

Taken together, these results show that covert control attacks are not a single technique but a design pattern. They combine system knowledge, channel access, and a stealth criterion tailored to a specific monitor. Their practical significance lies precisely in that coupling: as detection becomes more process-aware, distributed, or integrity-enforced, the attack must reproduce more of the system’s internal structure to remain covert, and the feasible covert set contracts accordingly.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Covert Control Attacks.