We consider the problem of generating sensor spoofing attacks on feedback controllers. The attacker has the option of remaining in a stealth mode -wherein it spoofs some sensor but only by an amount that is indistinguishable from noise. Later, the attacker can launch a full attack and try to force the system to get into an unsafe region. Using bounded model checking on an example adaptive cruise controller, we show that (1) remaining in a stealth mode is not very benefecial for the attacker,

more »

... (2) there is a phase transition between two classes of attacks: attacks that are small and indistinguishable, but that are unable to make the system unsafe by themselves, and attacks that are large, and possibly easily detected, but that easily take the system to an unsafe state. The preliminary experiments suggest that a control system is most vulnerable when it is just engaged (at discrete switches). Moreover, if it is guarded with a safety envelope based monitor and can ignore sensor data that is outside the safety envelope, then it is relatively difficult to compromise safety of such a control system by just sensor spoofing.