MCPS-VeriSec: Model-based Security of Medical Cyber-Physical Systems
Lead Research Organisation:
King's College London
Department Name: Informatics
Abstract
Medical conditions requiring treatment via implantable and wearable devices are becoming increasingly prevalent in the UK and worldwide. Examples include arrhythmia treatment with cardiac devices and glucose regulation in diabetes with artificial pancreas systems. Such devices have experienced dramatic technological advancements, evolving into complex computing systems - which we call medical cyber-physical systems (medCPSs) - that include control algorithms for automated therapy delivery as well as internet connectivity for remote patient monitoring and communication with smart devices and clinical systems.
The complexity of medCPSs introduces broad attack surfaces that can jeopardize patient safety. This is exacerbated by the rapid adoption of machine learning (ML) to aid therapy decisions, which are particularly susceptible to stealthy adversarial inputs.
Prior work on medCPS security has mainly focused on the practical feasibility of the attacks (e.g., how to use a radio transmitter to reconfigure the device), resulting in simple, easy to detect, attacks (such as suspending therapy). This leads us to ask whether more sophisticated attacks can be derived that, for instance, are stealthier or better tailored to the target patient. Our aim is to investigate these and other previously unexplored dimensions in medCPS security.
In MCPS-VeriSec we propose to develop a framework to provide verified defence mechanisms against stealthy attacks on medCPSs, sensor spoofing attacks specifically. We will take a model-based approach to enable systematic exploration of the attack space and safety threats. In particular, we will focus on the following directions:
- Pareto-optimal attacks and defences. There is a natural trade-off between attack effectiveness (i.e., how much it disrupts the intended therapy) and stealthiness (how hard it is to detect). MCPS-VeriSec will enable automated synthesis of Pareto-optimal attacks (i.e., for which said trade-off is optimal) and corresponding defences. This can be viewed as a multi-objective (MO) two-player game, which we will solve by introducing a novel MO variant of generative adversarial nets.
- Defense mechanisms. We will consider two coordinated defences, designed to respectively detect and mitigate malicious signal perturbations.
- Verified defences. We propose to apply formal verification to certify the safety probability of the defences, using the verification results to retrain and enhance the defences. In particular, we will introduce the first probabilistic verification method of its kind to support reasoning about causal effects, which we will use to precisely assess the effectiveness of the defences w.r.t. the no-attack condition.
- Personalization. We will derive personalized attacks and defences by incorporating information about the victim's physiological state and medical device into the medCPS model used for synthesis. Leveraging our model-based approach, we will explore a range of adversary capabilities, from white-box attacks (synthesized using models with full and accurate information about the victim) to black-box attacks (using surrogate or uncertain models).
We will apply our approach to two of the most prevalent medCPSs: ICDs (Implantable Cardioverter Defibrillators) for cardiac arrhythmia treatment and artificial pancreas control algorithms for insulin therapy. For each case study, we will compare the robustness to adversarial attacks of traditional (non-ML) device controllers against ML-based ones.
MCPS-VeriSec will be the first in the medical context to investigate Pareto attacks, victim personalization, ML vulnerabilities, and formally verified defenses, thereby targeting the soon-to-come generation of connected and ML-enabled medical devices. The novel synthesis and verification methods resulting from this project will be highly relevant not just for medical applications, but for the field of model-based CPS security in general.
The complexity of medCPSs introduces broad attack surfaces that can jeopardize patient safety. This is exacerbated by the rapid adoption of machine learning (ML) to aid therapy decisions, which are particularly susceptible to stealthy adversarial inputs.
Prior work on medCPS security has mainly focused on the practical feasibility of the attacks (e.g., how to use a radio transmitter to reconfigure the device), resulting in simple, easy to detect, attacks (such as suspending therapy). This leads us to ask whether more sophisticated attacks can be derived that, for instance, are stealthier or better tailored to the target patient. Our aim is to investigate these and other previously unexplored dimensions in medCPS security.
In MCPS-VeriSec we propose to develop a framework to provide verified defence mechanisms against stealthy attacks on medCPSs, sensor spoofing attacks specifically. We will take a model-based approach to enable systematic exploration of the attack space and safety threats. In particular, we will focus on the following directions:
- Pareto-optimal attacks and defences. There is a natural trade-off between attack effectiveness (i.e., how much it disrupts the intended therapy) and stealthiness (how hard it is to detect). MCPS-VeriSec will enable automated synthesis of Pareto-optimal attacks (i.e., for which said trade-off is optimal) and corresponding defences. This can be viewed as a multi-objective (MO) two-player game, which we will solve by introducing a novel MO variant of generative adversarial nets.
- Defense mechanisms. We will consider two coordinated defences, designed to respectively detect and mitigate malicious signal perturbations.
- Verified defences. We propose to apply formal verification to certify the safety probability of the defences, using the verification results to retrain and enhance the defences. In particular, we will introduce the first probabilistic verification method of its kind to support reasoning about causal effects, which we will use to precisely assess the effectiveness of the defences w.r.t. the no-attack condition.
- Personalization. We will derive personalized attacks and defences by incorporating information about the victim's physiological state and medical device into the medCPS model used for synthesis. Leveraging our model-based approach, we will explore a range of adversary capabilities, from white-box attacks (synthesized using models with full and accurate information about the victim) to black-box attacks (using surrogate or uncertain models).
We will apply our approach to two of the most prevalent medCPSs: ICDs (Implantable Cardioverter Defibrillators) for cardiac arrhythmia treatment and artificial pancreas control algorithms for insulin therapy. For each case study, we will compare the robustness to adversarial attacks of traditional (non-ML) device controllers against ML-based ones.
MCPS-VeriSec will be the first in the medical context to investigate Pareto attacks, victim personalization, ML vulnerabilities, and formally verified defenses, thereby targeting the soon-to-come generation of connected and ML-enabled medical devices. The novel synthesis and verification methods resulting from this project will be highly relevant not just for medical applications, but for the field of model-based CPS security in general.
Organisations
- King's College London (Lead Research Organisation)
- University of Trieste (Collaboration)
- University of Pennsylvania (Collaboration)
- Stony Brook University (Collaboration, Project Partner)
- IMPERIAL COLLEGE LONDON (Collaboration)
- KING'S COLLEGE LONDON (Collaboration)
- Diabetes Neuromathix Pty. Ltd (Project Partner)
- CLOSED LOOP Systems s.r.o. (Project Partner)
Publications
Giacomarra F
(2025)
Certified Guidance for Planning with Deep Generative Models
Hosseini M
(2025)
LTL Verification of Memoryful Neural Agents
Kazemi M
(2024)
Assume-Guarantee Reinforcement Learning
Kazemi M
(2025)
Counterfactual Influence in Markov Decision Processes
Kazemi M
(2025)
Causal Temporal Reasoning for Markov Decision Processes
in Research Directions: Cyber-Physical Systems
Kazemi, M.
(2022)
Causal Temporal Reasoning for Markov Decision Processes
in arXiv
Krish V
(2024)
Biosignal Authentication Considered Harmful Today
Krish V
(2023)
Synthesizing Pareto-Optimal Signal-Injection Attacks on ICDs
in IEEE Access
Kuipers T
(2025)
Conformal Off-Policy Prediction for Multi-Agent Systems
Related Projects
| Project Reference | Relationship | Related To | Start | End | Award Value |
|---|---|---|---|---|---|
| EP/W014785/1 | 30/06/2022 | 30/08/2022 | £424,397 | ||
| EP/W014785/2 | Transfer | EP/W014785/1 | 29/09/2022 | 31/12/2025 | £424,397 |
| Title | Assume-Guarantee Reinforcement Learning |
| Description | An approach based on the assume-guarantee paradigm where the optimal control for the individual components of a complex environment is synthesized in isolation by making assumptions about the behaviors of neighboring components, and providing guarantees about their behavior. |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2024 |
| Provided To Others? | Yes |
| Impact | N/A |
| URL | https://zenodo.org/records/10377136 |
| Title | BioForge |
| Description | An approach that leverages a cycle-consistent generative adversarial network to synthesize realistic physiological signals for a given user without relying on simultaneously collected supervision data. The approach is used to demonstrate vulnerabilities of authentication systems based on cardiovascular biosignals. |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2024 |
| Provided To Others? | Yes |
| Impact | N/A |
| URL | https://github.com/Ethos-lab/biosignal-auth-harmful |
| Title | Certified Guidance |
| Description | An algorithm to certify deep generative models used for planning tasks. The algorithm identifies sub-regions of the latent space of the model such that the resulting generative model has 100% probability of satisfying some temporal logic property of interest. |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2025 |
| Provided To Others? | Yes |
| Impact | none |
| URL | https://arxiv.org/pdf/2501.12815 |
| Title | Counterfactual Influence |
| Description | When counterfactual paths deviate from observed ones, observations don't inform the counterfactual world any longer (i.e., counterfactuals reduce to interventions). This happens for the popular Gumbel-max structural causal models used for Markov Decision Processes (MDPs). Our approach derives counterfactual policies that are both optimal and are guaranteed to remain "under the influence of observations". |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2024 |
| Provided To Others? | No |
| Impact | N/A |
| URL | https://github.com/ddv-lab/counterfactual-influence-in-MDPs |
| Title | InjectICD |
| Description | model-based framework for the systematic construction of stealthy signal-injection attacks that can thwart ICD control software |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2023 |
| Provided To Others? | No |
| Impact | N/A |
| URL | https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10002343 |
| Title | MA-COPP |
| Description | A method for reliable off-policy prediction in high-dimensional settings characterized by multiple interacting agents and long prediction horizons |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2024 |
| Provided To Others? | Yes |
| Impact | none |
| URL | https://arxiv.org/pdf/2403.16871v2 |
| Title | Probabilistic CounterFactual Temporal Logic (PCFTL) |
| Description | A new probabilistic temporal logic (and corresponding decision procedures) for the verification of Markov Decision Processes (MDP). PCFTL is the first to include operators for causal reasoning, allowing us to express interventional and counterfactual queries. |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2023 |
| Provided To Others? | No |
| Impact | N/A |
| URL | https://doi.org/10.1017/cbp.2025.2 |
| Title | Sim_ICD |
| Description | A framework for closed-loop simulation of ICD therapy, integrating advanced PDE-based cardiac electrophysiology models with virtual models of implantable cardiac devices |
| Type Of Material | Computer model/algorithm |
| Year Produced | 2025 |
| Provided To Others? | Yes |
| Impact | none |
| URL | https://github.com/janet-9/SimICD |
| Description | Collaboration with Dr Bishop, School of Biomedical Engineering & Imaging Sciences, King's College London |
| Organisation | King's College London |
| Country | United Kingdom |
| Sector | Academic/University |
| PI Contribution | PhD student in my team is developing methods for closed-loop simulation and optimization of ICD therapy (See Sim_ICD under `models' category) |
| Collaborator Contribution | Providing support and training on PDE models for cardiac electrophysiology |
| Impact | 1 submitted paper. 1 code library |
| Start Year | 2023 |
| Description | Collaboration with Dr Francesca Cairoli |
| Organisation | University of Trieste |
| Country | Italy |
| Sector | Academic/University |
| PI Contribution | Worked on a method for the certification of deep generative models used in planning tasks. Contributions: idea conception, method design, experiment design, paper writing |
| Collaborator Contribution | Worked on a method for the certification of deep generative models used in planning tasks. Contributions: method design and development, experiment design and execution, paper writing |
| Impact | 1 paper accepted |
| Start Year | 2024 |
| Description | Collaboration with Dr Rahmati, Department of Computer Science, Stony Brook University |
| Organisation | Stony Brook University |
| Country | United States |
| Sector | Academic/University |
| PI Contribution | We are actively collaborating on research on the security of cardiac devices and biometrics. We have developed a method for deriving stealthy signal injection attacks, published in the IEEE Access journal. We have studied vulnerabilities of biosignal-based authentication deriving cross-context attacks (using generative models) that successfully fool a variety of authentication systems based on cardiovascular signals (e.g., ECG, PPG). |
| Collaborator Contribution | We are actively collaborating on research on the security of cardiac devices and biometrics. We have developed a method for deriving stealthy signal injection attacks, published in the IEEE Access journal. We have studied vulnerabilities of biosignal-based authentication deriving cross-context attacks (using generative models) that successfully fool a variety of authentication systems based on cardiovascular signals (e.g., ECG, PPG). |
| Impact | 2 papers published |
| Start Year | 2022 |
| Description | Collaboration with Prof Lo Muscio |
| Organisation | Imperial College London |
| Country | United Kingdom |
| Sector | Academic/University |
| PI Contribution | Collaborated on methods for the verification of neural agents and for uncertainty-aware explainability Contributions: idea conception, method design and development, experiment design and execution, paper writing |
| Collaborator Contribution | Collaborated on methods for the verification of neural agents and for uncertainty-aware explainability Contributions: idea conception, method design and development, experiment design and execution, paper writing |
| Impact | 1 paper published, 1 paper submitted |
| Start Year | 2023 |
| Description | Collaboration with Prof Mangharam, Department of Electrical and Systems Engineering, University of Pennsylvania |
| Organisation | University of Pennsylvania |
| Country | United States |
| Sector | Academic/University |
| PI Contribution | Our team conceived the idea, designed and implemented the method, designed and performed experiments, wrote accompanying research paper and presented this at a conference |
| Collaborator Contribution | Our partner's team contributed to the design and implementation of the method and experiments, contribute to writing accompanying research paper and presented this at a conference |
| Impact | 1 published paper |
| Start Year | 2023 |