
ICSFlux: Using Physics to Uncover Cyberthreats

The factories, water utilities, and power systems that keep daily life running rest on the assumption that as long as no one breaks into the computers that run the equipment, the equipment stays safe. 

Logically this makes sense, and past security research has backed it up. However, researchers at Georgia Tech have found hidden paths in cyber-physical systems that an attacker can use to disrupt or even destroy them without ever breaking into the controllers.

To find these hidden paths before an attacker does, the researchers built a testing tool called ICSFlux. The tool uses the physics of the industrial process itself to map out the system and find threats that were previously thought impossible.

ICSFlux was deployed across 11 different programmable logic controllers in six industrial sectors, including chemical manufacturing, water treatment, power grids, aircraft, desalination, and waste processing. The testing uncovered 20 genuine safety violations.

In one case drawn from a chemical-plant simulation, an attack path uncovered by the tool drove a reactor past its safe pressure limit and into a simulated explosion. Using nothing but valid operator commands, the team took the reactor from a completely normal, stable state into critical territory.

Because the method relies only on the physics of a process and not on the details of any one controller, the same tool worked across all six sectors without being rebuilt, and it reduced the search space by roughly 50%.

Burak Sahin, a Ph.D. student at Georgia Tech and the study's lead author, found that by sending a series of perfectly normal, fully authorized commands, intruders can slowly nudge a physical process toward a dangerous state. 

"These systems are usually judged safe as long as nobody hacks into them," Sahin said. "What we found is that an attacker who can send everyday commands, the same ones a normal operator sends, can patiently steer the process toward a failure. No single command looks wrong, which is exactly why the usual defenses miss it."

Most existing tools assume an attacker can rewire the controller or change the software inside it. In the real world, those controllers are locked down and cannot be touched. ICSFlux takes the opposite and more realistic view. It treats the controller as a sealed box that cannot be opened and works only with the commands an operator is normally allowed to send.

Rather than measuring how much of a controller's software it has exercised, the usual yardstick for this kind of testing, ICSFlux measures how close the physical system is getting to an unsafe limit and steers its testing in that direction.

"Two different sensor readings can run through the exact same code and still send a reactor in completely different directions," Sahin said. "Looking only at the software tells you nothing about whether the physical system is safe. We had to follow the physics, not the code."

One of the study's most important takeaways emerged when the researchers tightened the safety margins to see whether caution alone would help. Even when every command stayed within approved limits, the way the controller reacted to a steady stream of small adjustments could still cause pressure to overshoot and the reactor to fail. In other words, staying inside the rules was not always enough.
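To make the two points above concrete, here is an added toy illustration, written for this page and not code from ICSFlux or the Georgia Tech team: a lightly damped pressure loop wrapped in a sealed box that accepts only setpoints inside an operator-approved range, a search scored purely by how close the trajectory gets to the unsafe limit rather than by code coverage, and the result that the worst single authorized command stays safe while a short sequence of them, timed to the loop's own oscillation, does not. The loop dynamics, the approved range, the unsafe limit and the command grid are all assumptions chosen for illustration; negative values in the toy simply mean pressure below the nominal operating point.

```python
"""Toy physics-guided fuzzing of a sealed pressure loop (illustration, not ICSFlux)."""
from dataclasses import dataclass, replace
from itertools import product

DT = 0.1                    # simulation step (s)
OMEGA = 1.0                 # natural frequency of the closed loop (rad/s); assumed
ZETA = 0.1                  # damping ratio; lightly damped, so setpoint steps overshoot
SP_MIN, SP_MAX = 0.0, 5.0   # operator-approved setpoint range (bar above nominal); assumed
UNSAFE_LIMIT = 10.0         # pressure at which the vessel is considered to fail; assumed


@dataclass
class SealedLoop:
    """Controller plus vessel as a black box: we may only send setpoints and read the sensor."""
    pressure: float = 0.0
    rate: float = 0.0
    setpoint: float = 0.0

    def command(self, setpoint):
        # The controller enforces the operator's limits; anything outside is rejected.
        if not SP_MIN <= setpoint <= SP_MAX:
            raise ValueError(f"setpoint {setpoint} outside approved range")
        self.setpoint = setpoint

    def tick(self):
        # Second-order closed-loop response, semi-implicit Euler. The same code path runs
        # on every tick wherever the pressure is, so code coverage cannot guide the search.
        accel = OMEGA ** 2 * (self.setpoint - self.pressure) - 2 * ZETA * OMEGA * self.rate
        self.rate += DT * accel
        self.pressure += DT * self.rate
        return self.pressure


def run(commands, loop=None):
    """Replay (setpoint, hold_ticks) commands on a copy of `loop`; return (peak, end state)."""
    loop = SealedLoop() if loop is None else replace(loop)
    peak = loop.pressure
    for setpoint, hold in commands:
        loop.command(setpoint)
        for _ in range(hold):
            peak = max(peak, loop.tick())
    return peak, loop


def safety_distance(commands, loop=None):
    """Physics-based progress metric: how far the trajectory stays below the unsafe limit.
    Zero or negative means the commands drove the vessel past the limit."""
    peak, _ = run(commands, loop)
    return UNSAFE_LIMIT - peak


def worst_single_step():
    """Peak pressure after the largest single authorized command: a step to SP_MAX from rest."""
    return run([(SP_MAX, 100)])[0]


SETPOINT_GRID = [SP_MIN + i * (SP_MAX - SP_MIN) / 4 for i in range(5)]
HOLD_GRID = [10, 20, 30, 40]                  # holds of 1 s .. 4 s
CANDIDATES = list(product(SETPOINT_GRID, HOLD_GRID))


def physics_guided_search(max_rounds=4):
    """Greedy search over pairs of authorized commands, scored only by safety_distance.
    Each round appends the pair that brings the peak closest to UNSAFE_LIMIT from the current
    state, and stops as soon as the committed plan reaches the limit. A pair, not a single
    command, is needed because pumping the oscillation means first moving away from the limit."""
    plan, loop = [], SealedLoop()
    for _ in range(max_rounds):
        best_pair = min(product(CANDIDATES, repeat=2),
                        key=lambda pair: safety_distance(list(pair), loop))
        plan.extend(best_pair)
        _, loop = run(list(best_pair), loop)
        if safety_distance(plan) <= 0:
            break
    return plan


if __name__ == "__main__":
    print(f"worst single authorized step peaks at {worst_single_step():.2f} "
          f"(limit {UNSAFE_LIMIT})")
    plan = physics_guided_search()
    peak, _ = run(plan)
    print("command sequence found:", plan)
    print(f"peak pressure {peak:.2f} -> {'UNSAFE' if peak >= UNSAFE_LIMIT else 'safe'}")
```

Every command in the returned plan passes the controller's range check, and the worst single step overshoots to roughly 8.6 and stays under the limit, yet the four-command sequence the search finds swings the vessel down and back up and exceeds it. Tightening SP_MAX alone does not change the shape of the problem: as long as the loop is lightly damped, a sequence of in-range steps timed to its half period amplifies the overshoot.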

All of the team's experiments were carried out on secured, controlled test beds. The work was conducted with Georgia Tech's Cyber-Physical Systems Security Lab, whose research spans the security of cyber-physical systems from industrial programmable logic controllers to marine, automotive, and drone platforms. Georgia Tech's Cyber Forensics Innovation Laboratory, a team of researchers who work together to further the investigation of advanced cyber crimes and the analysis and prevention of next-generation malware attacks, also contributed to the paper. 

The labs are a collaboration between the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering.

"Fuzzing the Physical Space: Physics-Aware Testing of Black-Box Industrial Control Systems" was accepted at the 2026 IEEE Symposium on Security and Privacy. In addition to Sahin, the team includes Ph.D. students David Oygenblik, Mingxuan Yao, and Yizhi Huang, as well as Associate Professors Brendan Saltaformaggio and Saman Zonouz.