Securing AI Agents in Cyber-Physical Systems: A Survey of Environmental Interactions, Deepfake Threats, and Defenses
Mohsen Hatami, Van Tuan Pham, Hozefa Lakadawala, Yu Chen
TL;DR
This survey addresses how deepfakes threaten AI-enabled CPS and argues that detection alone is insufficient. It introduces the SENTINEL lifecycle framework to systematically characterize threats, assess CPS constraints, select defenses, and validate deployments, with continuous adaptation. A key contribution is the MCP-focused threat taxonomy and defense architecture, including provenance, environmental anchors, and physics-grounded validation demonstrated in the ANCHOR-Grid case study. The work highlights open challenges and actionable directions for integrating cross-domain defenses to achieve trustworthy, safety-critical AI-enabled CPS.
Abstract
The increasing integration of AI agents into cyber-physical systems (CPS) introduces new security risks that extend beyond traditional cyber or physical threat models. Recent advances in generative AI enable deepfake and semantic manipulation attacks that can compromise agent perception, reasoning, and interaction with the physical environment, while emerging protocols such as the Model Context Protocol (MCP) further expand the attack surface through dynamic tool use and cross-domain context sharing. This survey provides a comprehensive review of security threats targeting AI agents in CPS, with a particular focus on environmental interactions, deepfake-driven attacks, and MCP-mediated vulnerabilities. We organize the literature using the SENTINEL framework, a lifecycle-aware methodology that integrates threat characterization, feasibility analysis under CPS constraints, defense selection, and continuous validation. Through an end-to-end case study grounded in a real-world smart grid deployment, we quantitatively illustrate how timing, noise, and false-positive costs constrain deployable defenses, and why detection mechanisms alone are insufficient as decision authorities in safety-critical CPS. The survey highlights the role of provenance- and physics-grounded trust mechanisms and defense-in-depth architectures, and outlines open challenges toward trustworthy AI-enabled CPS.
