
Stability Does Not Mean Safety: Gain Attacks on Agentic CPS

arxiv.org · @systems_wire · 3 hours ago · Cybersecurity · 1 comment

A stability-preserving gain replacement can produce transient amplification far beyond safe operating limits, proving that stability verification alone cannot bound physical damage in agentic cyber-physical systems.

Tags: agentic cyber physical systems, gain manipulation attacks, stability safety gap, autonomous systems, control theory, cybersecurity

A feedback gain matrix that keeps the closed-loop eigenvalues stable can still blow up the system's transient response by orders of magnitude—that's the central finding of a new formalization of Gain Manipulation Attacks (GMA) on agentic cyber-physical systems.

The Parameter Channel That Bypasses Classical Monitors

Agentic CPS architectures open a new attack surface: parameter-update pathways that don't exist in conventional feedback loops. The authors identify feedback gains as the highest-leverage target because a single gain matrix determines closed-loop eigenvalue placement for the entire system. Malicious updates can shift eigenvalues without triggering residual-based anomaly detectors, since the attack operates on parameters, not sensor or actuator signals.

The paper structures this threat around a three-axis attacker model—what the attacker knows, what they control, and when they act—and produces a taxonomy of Gain Manipulation Attacks (GMA). That taxonomy is the map for penetration testers and safety engineers who need to know where to look before something breaks.

Two Ways to Break a System Without Destabilizing It

Two impact classes emerge from the analysis. First, stability-margin erosion: sustained gain drift slowly pushes eigenvalues toward the unit circle, eating away robustness margins until a small disturbance causes collapse. Second, transient amplification: a one-shot gain replacement that preserves asymptotic stability but causes a voltage spike, torque surge, or position overshoot far beyond safe operating limits.

The critical insight: stability verification alone cannot bound the physical impact of such attacks. A stability-preserving gain replacement can still produce transient amplification that exceeds safe limits, meaning a system certified as stable can kill someone during an attack that never trips a stability alarm.

Worst-Case Certificates and the Road to Detection

The authors derive stealthiness conditions and worst-case impact certificates using Bauer-Fike eigenvalue bounds and the Kreiss matrix theorem. These tools give engineers analytic guarantees for the maximum transient energy an attacker can inject without destabilizing the system. Preliminary detection directions are sketched, and a vehicle lateral dynamics example grounds the math in a concrete threat—a car whose steering controller gain is secretly swapped while the eigenvalues stay put.

Expect embedded security standards to start requiring transient bounds alongside eigenvalue checks.
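
The gap between an eigenvalue check and a transient bound, as an added example that is not code from the paper or from this article: a review function for proposed gain updates that checks both, run on a constructed two-state, two-input plant. The plant matrices, both gains, `PEAK_LIMIT` and all function names are assumptions, and the Kreiss constant is sampled on a grid, so the value is a lower bound on the true constant.

```python
import numpy as np

def transient_peak(A_cl, horizon=200):
    """max over k = 0..horizon of ||A_cl^k||_2: worst-case state amplification."""
    M, peak = np.eye(A_cl.shape[0]), 1.0
    for _ in range(horizon):
        M = M @ A_cl
        peak = max(peak, float(np.linalg.norm(M, 2)))
    return peak

def kreiss_lower_bound(A_cl, radii=60, angles=72):
    """Sampled Kreiss constant sup_{|z|>1} (|z|-1) * ||(zI - A_cl)^-1||_2.
    Kreiss matrix theorem: K <= sup_k ||A_cl^k|| <= e * n * K."""
    I, best = np.eye(A_cl.shape[0]), 0.0
    for r in np.linspace(1.01, 3.0, radii):
        for th in np.linspace(0.0, 2 * np.pi, angles, endpoint=False):
            z = r * np.exp(1j * th)
            res = np.linalg.norm(np.linalg.inv(z * I - A_cl), 2)
            best = max(best, (r - 1.0) * float(res))
    return best

def review_gain_update(A, B, K_new, peak_limit):
    """Accept a proposed gain only if the loop is stable AND its transient is bounded."""
    A_cl = A - B @ K_new
    rho = float(max(abs(np.linalg.eigvals(A_cl))))  # spectral radius of the closed loop
    peak = transient_peak(A_cl)
    return {"rho": rho, "stable": rho < 1.0, "peak": peak,
            "kreiss": kreiss_lower_bound(A_cl),
            "accept": rho < 1.0 and peak <= peak_limit}

# Constructed two-state, two-input plant (not the paper's vehicle model).
A = np.array([[1.0, 0.1], [0.0, 1.0]])
B = np.eye(2)
K_NOMINAL = np.array([[0.5, 0.1], [0.0, 0.5]])    # closed loop is 0.5 * I
K_SWAPPED = np.array([[0.5, -49.9], [0.0, 0.5]])  # same eigenvalues, non-normal loop
PEAK_LIMIT = 5.0  # assumed safe amplification bound for this plant

if __name__ == "__main__":
    for name, K in (("nominal", K_NOMINAL), ("swapped", K_SWAPPED)):
        print(name, review_gain_update(A, B, K, PEAK_LIMIT))
```

Both gains place the closed-loop eigenvalues at 0.5, so an eigenvalue-only check passes both; only the transient check separates them.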


Source: Stability Without Safety: Gain Manipulation Attacks on Agentic Cyber-Physical Systems
Domain: arxiv.org
