PhD Proposal by Burak Sahin
Title: Physics-Aware Cybersecurity for Industrial Control Systems: A Unified Path from Testing to Hardening to Integrity
Date: Monday, Dec. 8th, 2025
Time: 2:00 PM to 3:00 PM EST
Location: Coda 0903 Ansley
Burak Sahin
Computer Science Ph.D. student
School of Cybersecurity and Privacy
Georgia Institute of Technology
Committee:
Dr. Saman Zonouz (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology
Dr. Brendan Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology
Abstract:
Industrial Control Systems (ICS) present a unique challenge: the same PLC software stack is deployed across radically different physical processes, yet each process has its own dynamics, safety boundaries, and temporal behaviors. Cyber-wise, these systems appear identical (the same runtime, memory layout, and control logic interfaces), but physically, they behave nothing alike. Because real ICS failures emerge from how software interacts with process dynamics, effective security must specialize to the underlying physical process rather than generalize from shared software. My research addresses this foundational gap by developing physics-aware cybersecurity frameworks that adapt testing, hardening, and runtime integrity to each plant’s unique physical requirements. Across fuzzing, debloating, and runtime integrity, my work centers on a unifying principle: security for ICS cannot be one-size-fits-all, because the physical processes they control are not one-size-fits-all.
I begin with ICSFlux, a physics-aware fuzzing framework that shifts the focus from software execution paths to physical-state evolution. Rather than assuming vulnerabilities emerge from malformed inputs or code-level bugs, ICSFlux reasons about the temporal dynamics of the physical process itself. By computing how physical states evolve toward unsafe conditions, ICSFlux tailors its exploration to each system’s physical model and secure physical operations. Two plants running the same PLC software will produce entirely different physical interactions and failures. ICSFlux automatically adapts to each underlying physical process, revealing multi-cycle, physics-driven vulnerabilities that are invisible to IT-centric testing.
Building on the insight that identical software deployments can have radically different physical requirements, I develop ICSFit, a debloating framework that reduces PLC runtime code by analyzing what the specific physical mission actually requires. Conventional binary debloating assumes that unused code is defined by cyber-level reachability. ICSFit instead uses the control logic and its associated physical process to determine which firmware components are physically meaningful for the plant’s operation. This allows safe removal of large segments of code, from boot-time routines to unused protocol handlers, yielding a hardened PLC runtime tailored to the unique physical system it controls.
Finally, I introduce ICS-PFI (Physics-Flow Integrity), a new class of runtime protection that anchors control-flow integrity not in static CFG structure, but in the physical plausibility of controller execution. Traditional CFI treats all deployments of the same PLC as identical. ICS-PFI recognizes that what counts as a legitimate control-flow path depends on the physical process: two sequences of logic may be software-legal yet physically impossible or unsafe. ICS-PFI enforces that controller execution remains consistent with the expected evolution of the underlying physical system, detecting attacks that preserve CFG correctness but violate physical semantics.
Together, these systems create a cohesive, physics-aware approach to ICS security. By acknowledging that common software controls diverse physical processes, my research develops defenses that adapt to each plant’s unique physical dynamics rather than forcing industrial systems into IT-style abstractions. My long-term vision is to establish a scientific foundation for cyber-physical security, one where testing, hardening, and runtime guarantees are aligned with the realities of industrial operations, ensuring safer and more resilient critical infrastructure.
Status
- Workflow Status: Published
- Created By: Tatianna Richardson
- Created: 11/20/2025
- Modified By: Tatianna Richardson
- Modified: 11/20/2025