The Leaky Actuator: A Provably-covert Channel in Cyber Physical Systems

Strict regulations and security practices of critical cyber-physical systems, such as nuclear plants, require complete isolation between their data-acquisition zone and their safety and security zones. Isolation methods range from firewall devices, to 'data diodes' that only allow one-way communication. In this work we explore a possible threat bypassing existing isolation methods by communicating through the physical process. Specifically, we show how a corrupt actuator in one zone can send covert information to a sensor in a different zone, breaking the isolation. This may allow an attack where the actuator is intentionally malfunctioning, and the sensor is intentionally masking the malfunction. Furthermore, we show that under certain assumptions, such communication can be provably covert. Namely, it cannot be efficiently detected, by current and future detection systems. This has important implications for the design of security and safety mechanisms for critical cyber-physical systems.