Process-Aware Covert Channels Using Physical Instrumentation in Cyber-Physical Systems

Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri, David Paul-Pena, Hossein Salehghaffari

Research output: Contribution to journalArticlepeer-review


We propose using the analog emissions of physical instrumentation (e.g., actuators, sensors, and mechanical structures) in a cyber-physical system (CPS) to send or leak information without impacting the CPS process characteristics. We show that one can use the analog emissions as covert channels to send information to a remote receiver without altering the functioning of the CPS by considering the dynamics of the controller and its closed-loop characteristics. We demonstrate the control-theoretic approach using the Tennessee Eastman (TE) controller benchmark implemented in a hardware-in-the-loop simulator. Two feedback loops (out of 18) in the TE process are implemented on a programmable logic controller (PLC) driving a geared motor. Assuming that a malware has compromised this PLC, we show that the malware can use the acoustic emissions of a motor controlling a valve in a feedback control loop as a covert channel. This secret transmission over the covert acoustic channel can be done without affecting the stability, performance, and signal characteristics of the closed-loop process. An attacker can exfiltrate sensitive information, such as the proprietary gains or the thresholds used in the controller and the system passwords using covert channels.

Original languageEnglish (US)
Pages (from-to)2761-2771
Number of pages11
JournalIEEE Transactions on Information Forensics and Security
Issue number11
StatePublished - Nov 2018


  • Cyber physical system
  • embedded systems
  • hardware performance counters

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Process-Aware Covert Channels Using Physical Instrumentation in Cyber-Physical Systems'. Together they form a unique fingerprint.

Cite this