Researchers are increasingly concerned with the security of artificial intelligence agents operating within cyber-physical systems (CPS), as these systems become more prevalent. Mohsen Hatami, Van Tuan Pham, and Hozefa Lakadawala, from the Department of Electrical & Computer Engineering at Binghamton University, alongside Yu Chen, present a comprehensive survey addressing the novel threats arising from agent integration into CPS environments. This work is significant because it moves beyond conventional cybersecurity concerns to examine vulnerabilities stemming from environmental interactions, sophisticated deepfake attacks, and the expanding attack surface created by emerging protocols. By employing the SENTINEL framework and a real-world smart grid case study, the authors demonstrate the limitations of current detection methods and advocate for robust, provenance-based trust mechanisms to ensure the reliability of AI-enabled CPS.
Recent advances in generative AI now enable the creation of sophisticated deepfakes and semantic manipulations that can compromise an agent’s perception, reasoning, and interaction with the physical world. Simultaneously, emerging protocols like the Model Context Protocol (MCP) are expanding the attack surface through dynamic tool use and cross-domain context sharing, creating new vulnerabilities within these complex systems. This research presents a comprehensive survey of security threats targeting agents in CPS, with a particular emphasis on environmental interactions, deepfake-driven attacks, and vulnerabilities introduced by MCP.
The team achieved a systematic review of the literature using the SENTINEL framework, a lifecycle-aware methodology designed to integrate threat characterization, feasibility analysis under CPS constraints, defense selection, and continuous validation. This framework provides a structured approach to translating security research into deployable solutions tailored to specific CPS contexts, acknowledging the unique demands of real-time performance, limited computational resources, and safety-critical operations. Through an end-to-end case study grounded in a real-world smart grid deployment, researchers quantitatively illustrate how timing limitations, environmental noise, and the costs associated with false-positive detections constrain the effectiveness of deployable defenses. Experiments show that relying solely on detection mechanisms is insufficient for ensuring safety in critical CPS applications.
The study reveals the crucial role of provenance- and physics-grounded trust mechanisms, alongside defense-in-depth architectures, in building robust and reliable AI-enabled systems. Researchers highlight a taxonomy of deepfake modalities (visual, audio, textual, and behavioral) and demonstrate how each can compromise agents or system functions within a CPS environment. This work establishes that a holistic approach, integrating threat modeling with resource constraint analysis and operational requirements, is essential for designing trustworthy AI-enabled infrastructures. The research introduces the SENTINEL framework as a six-phase methodology, guiding system designers from initial threat assessment through validation planning and continuous adaptation. This framework enables practitioners to systematically match security mechanisms to their specific deployment contexts, offering actionable guidance for building resilient systems. Furthermore, the study outlines open challenges and future research directions, emphasizing the need to balance real-time performance, generalization capabilities, privacy considerations, and the ever-evolving tactics of adaptive adversaries in the realm of AI-enabled CPS.
SENTINEL framework for CPS AI security evaluation
Researchers developed the SENTINEL framework, a six-phase methodology designed to systematically evaluate and address security threats in AI-enabled cyber-physical systems (CPS). The study pioneered a lifecycle-aware approach integrating threat characterisation, feasibility analysis under CPS constraints, defence selection, and continuous validation procedures. Initially, scientists characterised potential threats targeting AI agents, specifically focusing on environmental interactions, deepfake attacks, and vulnerabilities arising from the Model Context Protocol (MCP). Following threat identification, the team performed feasibility analyses, meticulously assessing how these threats could manifest within the unique constraints of CPS environments, including real-time performance demands and limited computational resources.
To demonstrate the framework’s efficacy, the research employed an end-to-end case study situated within a real-world smart grid deployment. This setup allowed scientists to quantitatively illustrate the impact of timing, noise, and false-positive costs on the deployability of various defence mechanisms. Experiments revealed that relying solely on detection mechanisms proved insufficient for safety-critical CPS applications, highlighting the need for more robust solutions. The team then selected and combined appropriate defence strategies, guided by the SENTINEL framework, to create defence-in-depth architectures tailored to the specific smart grid context.
Crucially, the study harnessed provenance- and physics-grounded trust mechanisms to enhance system resilience. Researchers meticulously validated the chosen defences through rigorous testing, establishing a continuous adaptation process to address evolving threats. This validation process involved detailed measurement of system performance under adversarial conditions, assessing both the effectiveness of the defences and their impact on overall system operation. The approach enables practitioners to systematically align security mechanisms with specific deployment contexts by integrating threat modelling with resource constraint analysis and operational requirements, ultimately advancing the development of trustworthy AI-enabled CPS.
Deepfakes and manipulation threaten cyber-physical systems significantly
Scientists have identified critical security vulnerabilities in agents operating within cyber-physical systems (CPS), particularly concerning environmental interactions and the emerging Model Context Protocol (MCP). The research details how deepfake and semantic manipulation attacks can compromise agent perception and reasoning, extending beyond traditional cyber or physical threats. Experiments revealed that textual deepfake attack vectors within MCP manifest in several forms, including tool poisoning occurring in 5.5% of servers tested, and prompt injection exhibiting high prevalence with medium detection difficulty. Data shows behavioural deepfakes, AI-generated emulations of agent behaviours, pose significant risks by exploiting protocol interfaces to mimic legitimate interactions.
Researchers recorded that sensor spoofing, a key vulnerability within MCP ecosystems, can cause unsafe actuations in industrial control systems by crafting statistically plausible sensor streams. Analyses indicate that these emulations achieve high success rates in protocol-based systems, necessitating enhanced governance. Specifically, studies of Global Navigation Satellite System (GNSS) spoofing demonstrate that deep models can craft complex waveforms, subverting localization-dependent decisions unless provenance and cross-sensor corroboration are enforced. The team measured the effectiveness of adversarial time-series attacks, finding they degrade multivariate detectors and forecasting-residual schemes with small, causality-respecting edits.
Large-scale sensor network work demonstrated that distributed false-data injection, framed as normal fluctuations, can bypass conventional residual tests, with detection improving only when spatio-temporal structure is explicitly modelled. Forensic analyses of industrial control systems documented “low-and-slow” perturbations exploiting sensor noise envelopes, enabling subtle set-point shifts without triggering alarms. Results demonstrate that anomaly mimicry, where attackers synthesise trajectories closely resembling normal operational patterns, thrives under distribution shift and coordinated multichannel perturbations. Contemporary surveys in multivariate time-series anomaly detection report persistent generalization gaps, while generative-model-based studies show detectors can be driven toward false negatives when attackers optimise reconstructions to match normal manifolds. This work highlights the importance of provenance- and physics-grounded trust mechanisms and defense-in-depth architectures for trustworthy AI-enabled CPS.
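The residual-test gap described above, as an added example that is not code from the survey: a conventional per-channel residual test beside a physics-grounded consistency check on a constructed three-meter bus. It assumes Gaussian metering noise and a Kirchhoff-style balance (two inflow meters must sum to the outflow meter), which are illustrative choices rather than the paper's smart grid data.

```python
"""Added example (not from the survey): per-channel residual test versus a
physics-consistency check on a constructed three-meter bus. Coordinated
small shifts that sit inside each channel's own noise pass the channel-wise
test, while the conservation residual the meters must obey still flags them."""
import random
import statistics

rng = random.Random(7)  # seeded so the constructed history is reproducible
THRESHOLD = 3.0          # alarm when a residual exceeds 3 sigma of its history


def clean_sample():
    """One constructed reading: two inflow meters and one outflow meter on a bus."""
    p_in1 = 100.0 + rng.gauss(0, 0.5)
    p_in2 = 50.0 + rng.gauss(0, 0.5)
    p_out = p_in1 + p_in2 + rng.gauss(0, 0.3)  # balance holds up to metering noise
    return (p_in1, p_in2, p_out)


HISTORY = [clean_sample() for _ in range(40)]  # constructed benign baseline


def channel_residual_alarm(sample, history=HISTORY):
    """Conventional residual test: flag if any single channel deviates more than
    THRESHOLD sigma from its own historical mean. Each channel is judged alone."""
    for i in range(3):
        col = [h[i] for h in history]
        z = abs(sample[i] - statistics.mean(col)) / statistics.stdev(col)
        if z > THRESHOLD:
            return True
    return False


def physics_residual_alarm(sample, history=HISTORY):
    """Physics-grounded test: score the conservation residual
    p_in1 + p_in2 - p_out against the noise envelope seen in the history."""
    balance = lambda s: s[0] + s[1] - s[2]
    hist = [balance(h) for h in history]
    z = abs(balance(sample) - statistics.mean(hist)) / statistics.stdev(hist)
    return z > THRESHOLD


def injected_sample(shift=0.8):
    """Constructed test input: both inflow meters nudged by the same small amount
    (inside their per-channel noise), outflow meter left at its historical mean."""
    means = [statistics.mean(h[i] for h in HISTORY) for i in range(3)]
    return (means[0] + shift, means[1] + shift, means[2])


if __name__ == "__main__":
    s = injected_sample()
    print("channel residual alarm:", channel_residual_alarm(s))  # False: passes
    print("physics residual alarm:", physics_residual_alarm(s))  # True: flagged
```

Raising `shift` until the channel test fires shows how much room a per-channel threshold leaves, which is why the survey pairs such detectors with physics- and provenance-based checks rather than relying on detection alone.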
SENTINEL framework for CPS security threats
Researchers have conducted a comprehensive survey of security threats targeting agents within cyber-physical systems (CPS), focusing on environmental interactions, deepfake attacks, and vulnerabilities arising from the Model Context Protocol (MCP). The study introduces the SENTINEL framework, a lifecycle-aware methodology designed to integrate threat characterization, feasibility analysis considering CPS constraints, defense selection, and continuous validation. This framework moves beyond traditional cybersecurity approaches by explicitly addressing the unique challenges posed by the interplay between the cyber and physical worlds. The findings demonstrate that effective defenses must account for real-world limitations such as timing constraints, noise, and the costs associated with false positives, particularly in critical CPS applications.
Through a case study involving a smart grid deployment, the authors illustrate that detection mechanisms alone are insufficient for secure decision-making. They emphasize the crucial role of provenance- and physics-grounded trust mechanisms, alongside defense-in-depth architectures, for building trustworthy AI agents in CPS. Acknowledging limitations, the authors identify ongoing challenges in MCP, including the need for adaptive protocols that evolve alongside deepfake technology and the computational overhead associated with provenance tracking. Future research directions include exploring hybrid blockchain architectures for decentralized provenance, multi-modal detection fusion, and edge-compatible implementations of MCP to enable real-time operation on resource-constrained devices. Collaborative efforts between academia and industry are also proposed to standardize ethical AI use and foster interoperability, ultimately aiming to strengthen MCP as a secure foundation for CPS in the face of escalating threats.
👉 More information
🗞 Securing AI Agents in Cyber-Physical Systems: A Survey of Environmental Interactions, Deepfake Threats, and Defenses
🧠 ArXiv: https://arxiv.org/abs/2601.20184
