Securing AI Agents in Cyber-Physical Systems: A Survey of Environmental Interactions, Deepfake Threats, and Defenses
Mohsen Hatami, Van Tuan Pham, Hozefa Lakadawala, Yu Chen

TL;DR
This survey reviews security threats to AI agents in cyber-physical systems, focusing on environmental interactions, deepfake attacks, and defense strategies, emphasizing the complexity of safeguarding AI in real-world CPS environments.
Contribution
It introduces the SENTINEL framework for threat characterization and defense evaluation, and provides a case study demonstrating the challenges of deploying defenses in smart grid CPS.
Findings
Timing constraints, sensor noise, and the cost of false positives limit which defenses can actually be deployed in CPS.
Detection alone is insufficient for safety-critical CPS.
Provenance and physics-grounded trust mechanisms enhance security.
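The third finding, that an agent should trust a sensor reading only when its provenance checks out and the value is physically plausible, as an added example that is not the paper's own code: a hypothetical smart-grid frequency stream is accepted only when an HMAC-SHA256 provenance tag verifies and the reading stays inside an assumed nominal band and rate-of-change (RoCoF) limit. The device key, the band and RoCoF limits, the message layout and the sample messages are all constructed for illustration and are not taken from the paper.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Hypothetical per-device key; a deployment would provision one at enrolment
# (assumption for this example, not from the paper).
DEVICE_KEYS = {"pmu-07": b"example-key-pmu-07"}

# Assumed physics envelope for a 50 Hz system: nominal band, maximum plausible
# rate of change of frequency, and a freshness window against replay.
FREQ_MIN_HZ, FREQ_MAX_HZ = 49.5, 50.5
MAX_ROCOF_HZ_PER_S = 1.0
MAX_AGE_S = 2.0


def canonical(payload: dict) -> bytes:
    """Stable serialization so sender and verifier tag exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def tag_message(payload: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 provenance tag to a telemetry payload."""
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "tag": mac}


def provenance_ok(msg: dict) -> bool:
    """Provenance check: the tag must verify under the claimed sensor's key."""
    key = DEVICE_KEYS.get(msg.get("sensor_id"))
    if key is None or "tag" not in msg:
        return False
    payload = {k: v for k, v in msg.items() if k != "tag"}
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def physics_ok(msg: dict, prev: Optional[dict], now: float) -> Tuple[bool, str]:
    """Physics check: band, freshness, monotonic time, and RoCoF against the last accepted sample."""
    f, ts = msg["freq_hz"], msg["ts"]
    if not (FREQ_MIN_HZ <= f <= FREQ_MAX_HZ):
        return False, "frequency outside nominal band"
    if now - ts > MAX_AGE_S or ts > now:
        return False, "stale or future timestamp"
    if prev is not None:
        dt = ts - prev["ts"]
        if dt <= 0:
            return False, "non-monotonic timestamp (replay?)"
        if abs(f - prev["freq_hz"]) / dt > MAX_ROCOF_HZ_PER_S:
            return False, "rate of change exceeds RoCoF limit"
    return True, "ok"


def gate(stream: List[dict], now: float) -> List[Tuple[int, str, str]]:
    """Run provenance first, then physics; only accepted samples update the reference state."""
    verdicts, prev = [], None
    for i, msg in enumerate(stream):
        if not provenance_ok(msg):
            verdicts.append((i, "reject", "bad or missing provenance tag"))
            continue
        ok, why = physics_ok(msg, prev, now)
        if not ok:
            verdicts.append((i, "reject", why))
            continue
        prev = msg
        verdicts.append((i, "accept", why))
    return verdicts


def demo() -> List[Tuple[int, str, str]]:
    """Constructed stream: two good samples, a correctly tagged but implausible jump, a tampered value."""
    key = DEVICE_KEYS["pmu-07"]
    now = 1000.0
    good1 = tag_message({"sensor_id": "pmu-07", "ts": 998.5, "freq_hz": 50.01}, key)
    good2 = tag_message({"sensor_id": "pmu-07", "ts": 999.0, "freq_hz": 49.98}, key)
    # A compromised device (valid key) reports a 0.38 Hz drop in 0.2 s: provenance
    # passes, the physics envelope does not.
    jump = tag_message({"sensor_id": "pmu-07", "ts": 999.2, "freq_hz": 49.60}, key)
    # An on-path attacker without the key edits a plausible-looking value: the
    # physics check would pass, the provenance check does not.
    tampered = dict(good2)
    tampered["freq_hz"] = 50.02
    return gate([good1, good2, jump, tampered], now)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order matters: provenance runs before physics so that an attacker cannot use forged samples to drag the reference state (the last accepted reading) toward the value they want to inject, and a forged-but-plausible sample is still rejected on the tag alone.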
Abstract
The increasing integration of AI agents into cyber-physical systems (CPS) introduces new security risks that extend beyond traditional cyber or physical threat models. Recent advances in generative AI enable deepfake and semantic manipulation attacks that can compromise agent perception, reasoning, and interaction with the physical environment, while emerging protocols such as the Model Context Protocol (MCP) further expand the attack surface through dynamic tool use and cross-domain context sharing. This survey provides a comprehensive review of security threats targeting AI agents in CPS, with a particular focus on environmental interactions, deepfake-driven attacks, and MCP-mediated vulnerabilities. We organize the literature using the SENTINEL framework, a lifecycle-aware methodology that integrates threat characterization, feasibility analysis under CPS constraints, defense…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience · Security and Verification in Computing
