🤖 AI Summary
Covert man-in-the-middle (MitM) attacks against water treatment facilities pose severe threats to public health and industrial safety, yet remain difficult to detect using conventional monitoring.
Method: This paper proposes a system-identification-based modeling framework for covert MitM attacks, employing a second-order linear time-invariant (LTI) model with input delay to capture plant dynamics and synthesizing controller-injection attacks that evade standard anomaly detection. It further integrates Process-Aware Stealthy Attack Detection (PASAD) to quantitatively assess how model mismatch and process noise impact attack stealthiness.
Contribution/Results: Experiments demonstrate that such attacks retain high stealthiness under realistic model uncertainty and noise, while existing detection mechanisms exhibit significantly increased false-negative rates. The study uncovers the intrinsic coupling among plant models, attack strategies, and detection algorithms in industrial control systems (ICS), establishing a quantitative theoretical framework and empirical benchmark for ICS security evaluation.
📝 Abstract
Cyberattacks targeting critical infrastructure, such as water treatment facilities, represent significant threats to public health, safety, and the environment. This paper introduces a systematic approach for modeling and assessing covert man-in-the-middle (MitM) attacks that leverage system identification techniques to inform the attack design. We focus on the attacker’s ability to deploy a covert controller, and we evaluate countermeasures based on the Process-Aware Stealthy Attack Detection (PASAD) anomaly detection method. Using a second-order linear time-invariant (LTI) model with time delay, representative of water treatment dynamics, we design and simulate stealthy attacks. Our results highlight how factors such as system noise and inaccuracies in the attacker’s plant model influence the attack’s stealthiness, underscoring the need for more robust detection strategies in industrial control environments.