

OT/ICS Telemetry Deception


OT/ICS telemetry deception is the data risk where operational technology and industrial control system telemetry is falsified so that AI decision-support systems and human operators receive data that does not reflect physical reality. Telemetry includes sensor readings, process data, status signals, and the broader operational data streams that flow from physical industrial systems. When this telemetry is manipulated, the systems and people that depend on it make decisions based on a false picture of physical reality. The attack class is established in industrial control system security under the term false data injection; the AI-specific dimension is that AI systems are increasingly the consumers of OT/ICS telemetry and have no independent way to know the telemetry is false.

The category is related to but distinct from work covered separately. OT/ICS Integration Controls covers the engineering controls for OT/ICS integration. Cyber-Physical Compromise covers compromise producing physical consequences broadly. Data Transit Security covers data-in-motion protection. Critical Infrastructure Compromise covers infrastructure attacks broadly. This page covers the specific data risk where telemetry is falsified so the data AI systems and operators rely on misrepresents physical reality.


What Telemetry Deception Is

Telemetry deception is the falsification of operational data so that the data misrepresents physical reality. Understanding the attack class requires understanding what telemetry does and why falsifying it produces specific harm.

Telemetry connects physical reality to decision-making. Industrial systems generate continuous telemetry — temperatures, pressures, flow rates, voltages, positions, statuses, and broader operational measurements. The telemetry is the bridge between what is physically happening and the decisions that operators and automated systems make. Decisions depend on telemetry accurately representing physical reality.

Telemetry deception breaks the bridge. When telemetry is falsified, the connection between physical reality and decision-making is broken. Operators and automated systems make decisions based on the false telemetry rather than the actual physical state; the decisions may be inappropriate for the actual physical state.

The false data injection framing is established in the security literature. False data injection attack (FDIA) is a term of art, particularly in power systems security research, for attacks that inject false measurements into state estimation and control inputs. The broader telemetry deception category includes FDIA alongside sensor spoofing, process data manipulation, and other forms of telemetry falsification.

Telemetry deception is distinct from telemetry disruption. Disrupting telemetry, that is, preventing it from flowing, produces an obvious failure that operators can detect. Deception, replacing accurate telemetry with plausible false telemetry, need not produce any visible failure; the systems continue operating, just on false data. Deception is concerning precisely because it may not be detected.

The plausibility dimension is what makes deception effective. Telemetry deception that produces obviously impossible readings is detectable; telemetry deception that produces plausible false readings within normal ranges may evade detection. Effective telemetry deception produces false data that looks normal.

The category addresses both targeted and broad telemetry deception. Targeted deception falsifies specific telemetry to produce specific effects; broad deception falsifies substantial telemetry to produce systematic misrepresentation. Both patterns produce the underlying risk.


The Two-Target Structure

Telemetry deception has two distinct targets — human operators and automated systems including AI. The two-target structure matters because the deception affects both and because the defenses differ.

Deceiving human operators produces inappropriate human decisions. Operators monitoring industrial systems through telemetry displays make decisions based on what the displays show; falsified telemetry produces operator decisions appropriate to the false picture rather than the actual physical state. The operators may not act on actual problems the false telemetry conceals, or may act inappropriately based on false problems the telemetry shows.

Deceiving automated control systems produces inappropriate automated action. Control systems that act on telemetry — adjusting processes, triggering responses, executing control logic — act based on the telemetry they receive. Falsified telemetry produces automated control action appropriate to the false picture rather than the actual physical state.

Deceiving AI decision-support systems produces a specific category of concern. AI systems for forecasting, optimization, anomaly detection, and predictive maintenance increasingly consume OT/ICS telemetry. AI systems receiving falsified telemetry produce AI outputs based on the false picture; the AI has no independent way to know the telemetry is false.

The combined two-target deception is specifically dangerous. Sophisticated telemetry deception may deceive both operators and automated systems simultaneously — the Stuxnet pattern. Operators see normal telemetry; automated systems receive normal telemetry; the actual physical state diverges from what everyone and everything monitoring it believes.

The defenses differ across targets. Operator-focused defenses include training, procedures, and cross-checking practices; automated system defenses include physics-based validation, redundancy, and anomaly detection. Comprehensive defense addresses both target categories.

The AI target is increasingly significant. As AI decision-support becomes more substantial in OT/ICS contexts, the AI target becomes a larger portion of the overall telemetry deception risk. AI-specific telemetry deception defenses become correspondingly more important.


Why AI Consumption Changes the Risk

AI consumption of OT/ICS telemetry changes the telemetry deception risk profile in specific ways. The changes warrant direct treatment because they affect what defense infrastructure is required.

AI consumes telemetry at scale. AI systems may consume telemetry from substantial numbers of sensors across substantial infrastructure; the scale of AI telemetry consumption exceeds what human operators monitor. The scale means telemetry deception affecting AI systems may affect substantial decision-making.

AI lacks independent physical verification. Human operators may have physical intuition, site knowledge, and the ability to physically inspect; AI systems consuming telemetry have only the telemetry. AI systems have no independent way to know telemetry is false unless specifically designed with verification infrastructure.

AI may act on telemetry faster than human review. Automated AI decision-support and AI-mediated control may act on telemetry before human review; the speed means telemetry deception may produce effects before human cross-checking could catch it.

AI may aggregate telemetry deception effects. AI systems aggregating telemetry across substantial infrastructure may aggregate the effects of telemetry deception; falsified telemetry from multiple sources may compound in AI outputs.

AI training may be affected by telemetry deception. AI systems trained on historical telemetry may have learned from telemetry that included deception; the training contamination produces AI behavior reflecting the historical deception. The detailed treatment of training data concerns appears in the broader data risks coverage.

AI may produce confident outputs from deceived telemetry. AI decision-support systems may produce confident-seeming outputs based on falsified telemetry; the confidence may not reflect the underlying data uncertainty that telemetry deception introduces.

AI anomaly detection may be specifically targeted. AI anomaly detection systems are a specific defense against telemetry deception; sophisticated deception may specifically target the anomaly detection to ensure the deception is not flagged.

The AI consumption dimension means telemetry deception is increasingly a data integrity problem for AI systems specifically, not only a conventional ICS security problem. The framing affects what defense infrastructure operators deploying AI on OT/ICS telemetry need.


Categories of Telemetry Deception

Telemetry deception operates through several distinct categories with different attack points and different defense considerations.

Category / Attack point / Distinctive considerations

Sensor-level spoofing
  Attack point: the physical sensor or its immediate signal path
  Considerations: physical access or signal manipulation; the telemetry is false from the point of generation; difficult to detect downstream

In-transit manipulation
  Attack point: the communication path between sensor and consuming system
  Considerations: manipulation of telemetry in motion; addressed partly by transit security; man-in-the-middle patterns

Historian and data store manipulation
  Attack point: the data historian, time-series database, or store where telemetry is retained
  Considerations: manipulation of stored telemetry affects historical analysis and AI training; retroactive falsification possible

Control system manipulation
  Attack point: the PLC, RTU, or control system that processes and relays telemetry
  Considerations: the Stuxnet pattern; compromised control systems relay false telemetry while concealing actual state

False data injection
  Attack point: state estimation and control inputs, particularly in power systems
  Considerations: established attack class in power systems research; injects false measurements that evade bad-data detection

Replay attacks
  Attack point: the telemetry stream, replaying previously captured legitimate telemetry
  Considerations: replayed legitimate telemetry conceals current state; the replayed data is genuine but no longer accurate

Aggregation-point manipulation
  Attack point: SCADA systems, telemetry gateways, and aggregation infrastructure
  Considerations: manipulation at aggregation affects substantial downstream telemetry; high-value attack point

AI pipeline manipulation
  Attack point: the data pipeline feeding telemetry into AI systems
  Considerations: manipulation specifically targeting AI consumption; may target AI preprocessing, feature extraction, or model inputs

The categories may combine in sophisticated attacks. The Stuxnet pattern combined control system manipulation with concealment that affected what operators and monitoring systems observed; comprehensive defense addresses the multiple attack points rather than focusing on any single category.


The Stuxnet Pattern

Stuxnet is the canonical telemetry deception case and warrants direct treatment because it established the pattern that subsequent analysis builds on.

Stuxnet, discovered in 2010, targeted the Siemens PLCs controlling uranium enrichment centrifuges at Iran's Natanz facility. The malware altered how the centrifuges were driven, most prominently by changing rotor speeds through the frequency converters, so that the machines were damaged by operation outside their design envelope. The telemetry deception dimension was central to the attack's effectiveness.

The deception concealed the attack from operators. While the attack code ran, Stuxnet replayed previously recorded normal process values to the monitoring logic, so operators saw telemetry indicating steady-state operation while the centrifuges were actually being driven toward failure. It also hooked the Siemens Step 7 engineering software so that an engineer reading the program back from the controller saw the original code rather than the injected blocks. Operators did not intervene because nothing they could see told them intervention was needed.

The deception also blinded automated protection. The replayed values reached the same controller logic that would normally have flagged abnormal operation, so the automated responses that depend on that logic did not trigger.

The pattern is generalizable. The Stuxnet pattern — manipulate physical operation while feeding false telemetry that conceals the manipulation from both operators and automated systems — is the canonical telemetry deception pattern. Subsequent telemetry deception analysis treats this as the reference pattern.

The AI extension of the pattern is direct. The Stuxnet pattern applied to AI-monitored systems would feed false telemetry to AI decision-support and AI monitoring systems alongside operators; AI systems would produce outputs based on the false picture just as operators did.

The sophistication dimension is significant. Stuxnet represented substantial sophistication and resources; the telemetry deception was carefully constructed to be plausible. The case demonstrates that sophisticated adversaries can construct telemetry deception that evades detection.

The pattern informs defense. Defending against the Stuxnet pattern requires defenses that do not depend solely on the telemetry the attack can manipulate; physics-based validation, independent verification, and broader defenses that provide ground truth beyond the manipulable telemetry.


Documented Incidents

Multiple documented incidents inform contemporary telemetry deception understanding.

Stuxnet (discovered 2010) established the telemetry deception pattern as discussed above. The incident remains the canonical reference for sophisticated telemetry deception.

The Triton/Trisis attack (2017) targeted safety instrumented systems at a Saudi petrochemical facility. The malware specifically targeted Schneider Electric Triconex safety controllers and carried the capability to reprogram them; it came to light only because a faulty payload deployment caused the controllers to fail safe and trip the plant. Had it worked as intended, the attackers could have disabled safety functions while the safety system still reported itself healthy, which is why the case is read as a potential telemetry deception against safety-critical monitoring. The incident demonstrated specific targeting of safety-critical OT systems.

The Ukraine power grid attacks (2015 and 2016) struck Ukrainian electrical distribution and transmission infrastructure. In the December 2015 attack, intruders used stolen credentials to take remote control of operator workstations and open breakers from the HMI while the legitimate operators, locked out of their consoles, could only watch; supporting actions included wiping workstations and flooding the utility call center so customers could not report outages. The 2016 attack (Industroyer/CrashOverride) issued grid protocol commands directly to substation equipment. The incidents demonstrated operator-interface manipulation and loss of operator situational awareness in critical infrastructure attacks, even where the telemetry itself was not falsified.

False data injection attack research has substantially developed the academic understanding. Research particularly in power systems security has documented how false data injection can evade conventional bad-data detection in state estimation; the research demonstrates that sophisticated FDIA can be constructed to evade detection.

Sensor spoofing research across multiple domains has demonstrated sensor-level deception. Research on GPS spoofing, lidar spoofing, sensor signal manipulation, and broader sensor spoofing demonstrates that sensor-level telemetry deception is feasible across multiple sensor types.

Industrial cybersecurity incident reporting through CISA, sector ISACs, and broader reporting infrastructure documents ongoing OT/ICS incidents including incidents with telemetry deception dimensions.

Water system intrusion incidents including the 2021 Oldsmar, Florida water treatment intrusion demonstrated attacker access to systems controlling physical processes; while the Oldsmar incident was detected by an operator, it illustrated the broader pattern of attacker access to process control.

The aggregate documented landscape continues to develop. The combination of established incidents and ongoing research informs both the threat understanding and defense development.


Why AI Decision-Support Amplifies the Risk

AI decision-support in OT/ICS contexts amplifies telemetry deception risk in specific ways. The amplification warrants direct treatment because it affects what specific concerns AI deployment in OT/ICS contexts produces.

Poisoned forecasting produces systematically wrong predictions. AI forecasting systems for grid demand, equipment behavior, process outcomes, and broader forecasting consume telemetry; telemetry deception affecting the forecasting input produces forecasts based on the false picture. The wrong forecasts may drive substantial operational decisions.

Masked anomalies escape AI anomaly detection. AI anomaly detection is a specific defense against various OT/ICS problems; telemetry deception that produces plausible false telemetry may prevent the anomaly detection from flagging actual problems. The deception specifically defeats a defense.

Automated wrong actions follow from deceived decision-support. AI decision-support that drives automated action — adjusting processes, triggering responses — produces automated action based on deceived telemetry. The automated action may be inappropriate for the actual physical state.

Optimization toward wrong objectives follows from deceived telemetry. AI optimization systems for process efficiency, energy management, and broader optimization optimize based on telemetry; deceived telemetry produces optimization toward objectives defined by the false picture.

Predictive maintenance failures follow from deceived telemetry. AI predictive maintenance consumes equipment telemetry to predict maintenance needs; deceived telemetry may produce missed maintenance predictions (actual problems concealed) or false maintenance predictions (false problems shown).

Compounding across AI systems amplifies effects. OT/ICS environments with multiple AI systems consuming shared telemetry may have telemetry deception compound across the multiple systems; the compound effect exceeds single-system impact.

Training contamination produces persistent effects. AI systems trained on telemetry that included deception may have persistent behavior reflecting the historical deception; the contamination persists beyond the specific deception incident.

The aggregate amplification means AI deployment in OT/ICS contexts requires specific attention to telemetry deception. AI decision-support provides substantial operational value but introduces the telemetry deception amplification that operators must address.


Detection Challenges

Detecting telemetry deception is operationally difficult in ways that affect what defense approaches are viable.

Plausible deception evades range-based detection. Detection that flags out-of-range telemetry catches implausible deception; deception producing plausible in-range telemetry evades range-based detection.

Sophisticated FDIA evades bad-data detection. Research has demonstrated that false data injection can be constructed to evade the bad-data detection built into state estimation systems; the conventional bad-data detection is not sufficient against sophisticated FDIA.
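A worked illustration of why the residual test fails, added here as an example rather than drawn from the research the page summarises (it also illustrates the False data injection row of the categories table and the FDIA research paragraph under Documented Incidents). The block below uses a constructed three-bus DC power-flow model in plain Python: bus 1 is the angle reference, all line reactances are 1 p.u., and the five meters (three line flows, two bus injections) carry constructed noise. The classic FDIA result is that an attack vector of the form a = Hc, where H is the measurement matrix the estimator itself uses, leaves the least-squares residual unchanged while shifting the estimated state by exactly c, so the bad-data test never fires; a naive single-meter tamper of similar size is caught. The threshold and all numbers are assumptions for the example.

```python
# Constructed 3-bus DC power-flow example. States x = [theta_2, theta_3] (bus 1 is the
# angle reference, theta_1 = 0). All line reactances are 1 p.u. so flows are plain differences.
# Measurements z: flow 1-2, flow 1-3, flow 2-3, net injection at bus 2, net injection at bus 3.
H = [
    [-1.0,  0.0],   # P_12 = (theta_1 - theta_2) / x_12
    [ 0.0, -1.0],   # P_13 = (theta_1 - theta_3) / x_13
    [ 1.0, -1.0],   # P_23 = (theta_2 - theta_3) / x_23
    [ 2.0, -1.0],   # P_2  = P_21 + P_23
    [-1.0,  2.0],   # P_3  = P_31 + P_32
]
X_TRUE = [0.10, -0.05]                          # constructed true bus angles (rad)
NOISE = [0.010, -0.005, 0.003, -0.002, 0.004]   # constructed meter error
BDD_THRESHOLD = 0.02                            # assumed residual-norm threshold for the bad-data test

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def transpose(M):
    return [list(col) for col in zip(*M)]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def inv2(M):
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

def measurements(x_true=X_TRUE, noise=NOISE):
    """Honest meter readings: z = H x + e."""
    return [m + e for m, e in zip(matvec(H, x_true), noise)]

def estimate(z):
    """Unweighted least-squares DC state estimate and the residual norm ||z - H x_hat||."""
    Ht = transpose(H)
    gain_inv = inv2(matmul(Ht, H))
    x_hat = matvec(gain_inv, matvec(Ht, z))
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return x_hat, sum(ri * ri for ri in r) ** 0.5

def bad_data_flag(z, tau=BDD_THRESHOLD):
    """Conventional bad-data detection: flag when the residual norm exceeds the threshold."""
    return estimate(z)[1] > tau

def naive_attack(z, index, delta):
    """Tamper one meter in isolation; the change is inconsistent with the network model."""
    z2 = list(z)
    z2[index] += delta
    return z2

def stealthy_attack(z, c):
    """FDIA construction: a = H c lies in the column space of H, so the residual is
    unchanged and the estimate shifts by exactly c. Requires knowledge of H."""
    return [zi + ai for zi, ai in zip(z, matvec(H, c))]

if __name__ == "__main__":
    z = measurements()
    for label, zz in [("clean", z),
                      ("naive", naive_attack(z, 2, 0.05)),
                      ("stealthy", stealthy_attack(z, [0.05, 0.0]))]:
        x_hat, res = estimate(zz)
        print(f"{label:9s} x_hat=({x_hat[0]:+.4f}, {x_hat[1]:+.4f}) "
              f"residual={res:.4f} flagged={bad_data_flag(zz)}")
```

The stealthy case moves the estimated angle at bus 2 by 0.05 rad while every downstream consumer, including the residual check, sees a perfectly consistent measurement set. This is the reason the page insists on ground truth that does not come from the same measurement model: the attacker who knows H can always satisfy it.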

Single-source detection cannot establish ground truth. Detection based on the telemetry itself cannot establish whether the telemetry is accurate; the telemetry is the only information the single-source detection has.

The deception may target the detection. Sophisticated telemetry deception may specifically target the detection infrastructure to ensure the deception is not flagged; the Stuxnet pattern included concealment from detection systems.

Temporal sophistication evades time-based detection. Deception that evolves gradually, or that mimics normal temporal patterns, may evade detection that looks for sudden changes.

AI-based detection may itself be deceived. AI anomaly detection consuming the same potentially-deceived telemetry faces the same fundamental problem; AI detection is not immune to telemetry deception.

The detection limits mean defense cannot rely solely on detecting the deception. Comprehensive defense combines detection with approaches that provide ground truth independent of the manipulable telemetry.


Defense Infrastructure

Defense against telemetry deception combines multiple infrastructure layers. The combination addresses the detection limits by not relying solely on detecting the deception.

Sensor authentication establishes that telemetry comes from legitimate sensors. Cryptographically authenticated sensors, signed telemetry, and broader sensor authentication infrastructure support verification that telemetry originates from legitimate sources. The detailed treatment of attestation appears in Identity & Cryptographic Attestation.
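One way to give a receiver origin authentication, replay rejection and freshness checking for telemetry records, covering this paragraph and the Replay attacks row of the categories table. This is an added example, not code from any product or standard the page names; it assumes a per-sensor symmetric key (SENSOR_KEYS), an HMAC-SHA256 tag over a canonical JSON encoding, a per-sensor monotonic sequence number and a receiver-side freshness window, all of which are choices made for the example.

```python
import hmac
import hashlib
import json

# Constructed example keys. In a real deployment the key is provisioned per device and
# held in the sensor's secure element or the gateway's HSM, never in source code.
SENSOR_KEYS = {"PT-201": b"\x11" * 32, "FT-305": b"\x22" * 32}

FRESHNESS_WINDOW_S = 30   # reject records whose timestamp is further than this from receiver time

def canonical_bytes(sensor_id, seq, ts, value):
    """Fixed-field, sorted-key encoding so the MAC covers every field unambiguously."""
    return json.dumps({"id": sensor_id, "seq": seq, "ts": ts, "v": value},
                      sort_keys=True, separators=(",", ":")).encode()

def sign_record(sensor_id, seq, ts, value):
    """Sensor side: bind identity, sequence, time and value together under the sensor key."""
    key = SENSOR_KEYS[sensor_id]
    mac = hmac.new(key, canonical_bytes(sensor_id, seq, ts, value), hashlib.sha256).hexdigest()
    return {"id": sensor_id, "seq": seq, "ts": ts, "v": value, "mac": mac}

class TelemetryVerifier:
    """Receiver side: authenticity (MAC), monotonic sequence (replay/reorder), freshness."""
    def __init__(self, freshness_s=FRESHNESS_WINDOW_S):
        self.last_seq = {}            # sensor id -> highest accepted sequence number
        self.freshness_s = freshness_s

    def verify(self, rec, now):
        key = SENSOR_KEYS.get(rec["id"])
        if key is None:
            return False, "unknown sensor"
        expected = hmac.new(key, canonical_bytes(rec["id"], rec["seq"], rec["ts"], rec["v"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, "bad mac"                 # modified in transit or forged outright
        if rec["seq"] <= self.last_seq.get(rec["id"], -1):
            return False, "replayed or reordered"   # genuine record, but already consumed
        if abs(now - rec["ts"]) > self.freshness_s:
            return False, "stale"                   # genuine, but no longer describes the present
        self.last_seq[rec["id"]] = rec["seq"]
        return True, "ok"

def demo():
    """Constructed exchange: one honest record, a replay, a tamper, a stale record, a fresh one."""
    v = TelemetryVerifier()
    r1 = sign_record("PT-201", 1, 1000, 4.21)
    results = [v.verify(r1, now=1002)]             # fresh and first seen: accepted
    results.append(v.verify(r1, now=1012))          # exact replay of r1: sequence already used
    tampered = dict(r1, v=4.90, seq=2)              # attacker edits value and seq, MAC no longer matches
    results.append(v.verify(tampered, now=1012))
    r2 = sign_record("PT-201", 2, 1000, 4.25)       # valid MAC and sequence, but 100 s old
    results.append(v.verify(r2, now=1100))
    r3 = sign_record("PT-201", 3, 1105, 4.30)
    results.append(v.verify(r3, now=1106))          # accepted
    return results

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Note what this does and does not buy. A valid tag proves the record was produced by whoever holds the key, in order, recently; it proves nothing about whether the value matches physical reality. A sensor whose firmware has been compromised signs its lies correctly, which is the limit the page returns to under What Detection Cannot Guarantee.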

Physics-based validation checks telemetry against physical models. Physical reality follows physical laws; telemetry that violates physical consistency — energy balance, mass balance, thermodynamic constraints, physical relationships between measurements — can be flagged regardless of whether individual readings are in range. Physics-based validation provides ground truth that pure data analysis does not.

Redundancy and cross-validation compare independent telemetry sources. Multiple independent sensors measuring related quantities allow cross-validation; deception affecting one source may be flagged by inconsistency with independent sources. Redundancy raises the bar for successful deception.
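A worked example covering both of the preceding paragraphs, physics-based validation and redundancy cross-validation, added here and not taken from any product or standard the page cites. It assumes a vertical tank of constant cross-section (so volume is area times level), one inlet and one outlet flow meter, three redundant level transmitters, and tolerances chosen for the example; the telemetry stream is constructed so that from t=30 s the outlet valve is throttled while the reported level is held flat, the kind of plausible in-range spoof that a range check would pass.

```python
from statistics import median

TANK_AREA_M2 = 2.0        # assumed: vertical cylindrical tank, volume = area * level
BALANCE_TOL_M3 = 0.02     # assumed: set from meter accuracy integrated over the 10 s interval
CROSS_CHECK_TOL_M = 0.05  # assumed: allowed disagreement between redundant level transmitters

# Constructed telemetry, sampled every 10 s. Flows in m3/s, level in m. From t=30 the
# outlet is throttled (q_out drops) so the tank really fills, but the reported level stays 1.00.
SAMPLES = [
    {"t": 0,  "level_m": 1.00, "q_in": 0.020, "q_out": 0.020},
    {"t": 10, "level_m": 1.00, "q_in": 0.020, "q_out": 0.020},
    {"t": 20, "level_m": 1.00, "q_in": 0.020, "q_out": 0.020},
    {"t": 30, "level_m": 1.00, "q_in": 0.020, "q_out": 0.005},
    {"t": 40, "level_m": 1.00, "q_in": 0.020, "q_out": 0.005},
    {"t": 50, "level_m": 1.00, "q_in": 0.020, "q_out": 0.005},
]

def mass_balance_check(samples, area_m2=TANK_AREA_M2, tol_m3=BALANCE_TOL_M3):
    """Per interval, compare the volume change implied by the level transmitter with the
    volume change implied by the flow meters (trapezoidal integration of net inflow).
    Returns a list of (t, residual_m3, flagged); residual = observed - expected."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur["t"] - prev["t"]
        net_prev = prev["q_in"] - prev["q_out"]
        net_cur = cur["q_in"] - cur["q_out"]
        expected_dv = 0.5 * (net_prev + net_cur) * dt
        observed_dv = (cur["level_m"] - prev["level_m"]) * area_m2
        residual = observed_dv - expected_dv
        out.append((cur["t"], residual, abs(residual) > tol_m3))
    return out

def cross_validate(readings, tol=CROSS_CHECK_TOL_M):
    """Median vote across redundant transmitters; returns the ids that disagree with the median.
    Only meaningful while a majority of the sources remain honest."""
    m = median(readings.values())
    return sorted(tag for tag, v in readings.items() if abs(v - m) > tol)

if __name__ == "__main__":
    for t, res, flagged in mass_balance_check(SAMPLES):
        print(f"t={t:>3}s residual={res:+.3f} m3 {'VIOLATION' if flagged else 'ok'}")
    # Constructed snapshot at t=50: the two untouched transmitters agree the level has risen.
    print("outliers:", cross_validate({"LT-101": 1.00, "LT-102": 1.19, "LT-103": 1.20}))
```

The balance residual is zero while inflow and outflow match, then jumps to roughly 0.15 m3 per interval once the outlet closes: the flow meters say the tank is gaining volume that the level transmitter denies. Neither check needs the spoofed value to be out of range, which is the point of using physical consistency rather than limits; the coordinated case, where every transmitter and meter is falsified consistently, is what these checks cannot catch.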

Transit security protects telemetry in motion. The detailed treatment appears in Data Transit Security. Transit security addresses the in-transit manipulation category specifically.

Historian integrity protection addresses stored telemetry. Integrity protection for telemetry historians and time-series stores addresses the historian manipulation category and protects the historical telemetry that AI training depends on.

Anomaly detection identifies unusual telemetry patterns. AI anomaly detection and conventional anomaly detection provide a detection layer; the detection operates alongside the ground-truth approaches rather than as sole defense. The detailed treatment appears in Monitoring & Anomaly Detection.

Network segmentation bounds attacker access. OT/ICS network segmentation including the IT/OT boundary, the Purdue model architecture, and broader segmentation bounds what attackers can access. The detailed treatment appears in OT/ICS Integration Controls.

Out-of-band verification provides telemetry-independent ground truth. Physical inspection, independent measurement, and broader out-of-band verification provide ground truth that the manipulable telemetry cannot affect.

AI-specific input validation addresses the AI pipeline. AI systems consuming OT/ICS telemetry benefit from input validation that checks telemetry plausibility before AI consumption; the validation addresses the AI pipeline manipulation category.
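An added example of the kind of pre-model gate this paragraph describes, not code from any named product. It assumes per-signal limits taken from the instrument datasheet and process design basis (the constructed LIMITS table) rather than learned from history, since history may itself be deceived, and it applies three cheap checks to each sample before it reaches a model: engineering range, maximum credible rate of change, and a frozen-value test that catches a reading held bit-for-bit constant, which is how a stuck, held or crudely replayed sensor presents. It emits quality flags rather than dropping data so the consumer can decide how to degrade.

```python
from collections import deque

# Constructed limits for one temperature signal. lo/hi in the unit of the signal,
# max_rate in units per second, freeze_window in samples, freeze_eps in signal units.
LIMITS = {
    "TT-410": {"lo": -20.0, "hi": 250.0, "max_rate": 5.0, "freeze_window": 6, "freeze_eps": 1e-6},
}

class TelemetryGate:
    """Per-signal plausibility checks applied before a sample reaches a model."""
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.history = {}   # tag -> deque of recent (t, value)

    def check(self, tag, t, value):
        lim = self.limits[tag]
        flags = []
        if not (lim["lo"] <= value <= lim["hi"]):
            flags.append("out_of_range")
        hist = self.history.setdefault(tag, deque(maxlen=lim["freeze_window"]))
        if hist:
            t_prev, v_prev = hist[-1]
            if t > t_prev and abs(value - v_prev) / (t - t_prev) > lim["max_rate"]:
                flags.append("rate_exceeded")     # faster than the process can physically move
        hist.append((t, value))
        if len(hist) == hist.maxlen:
            values = [v for _, v in hist]
            if max(values) - min(values) < lim["freeze_eps"]:
                flags.append("frozen")            # a live analog signal never sits exactly constant
        return flags

# Constructed stream: six normal samples, an implausible jump, an out-of-range spike,
# a return jump, then a value held exactly constant for six samples.
STREAM = [
    (0, 80.1), (1, 80.3), (2, 80.0), (3, 80.2), (4, 80.1), (5, 80.4),
    (6, 120.0),
    (7, 300.0),
    (8, 90.0), (9, 90.0), (10, 90.0), (11, 90.0), (12, 90.0), (13, 90.0),
]

def run(stream=STREAM, tag="TT-410"):
    """Feed a (t, value) stream through a fresh gate; returns [(t, flags), ...]."""
    gate = TelemetryGate()
    return [(t, gate.check(tag, t, v)) for t, v in stream]

if __name__ == "__main__":
    for t, flags in run():
        print(t, flags or "ok")
```

The frozen test only catches the crude replay of a single held value; a replay of a recorded window with realistic variation passes it, which is why the gate is a first filter in front of the physics and redundancy checks rather than a substitute for them.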

The aggregate defense infrastructure combines multiple layers. No single layer is sufficient; the combination of authentication, physics-based validation, redundancy, transit security, and broader infrastructure produces defense that the detection limits alone would not.


Frameworks

Multiple frameworks provide structured methodology relevant to telemetry deception defense.

IEC 62443 provides the foundational industrial cybersecurity framework. The framework addresses OT/ICS security across system levels with substantial provisions relevant to telemetry integrity, network security, and broader industrial cybersecurity.

NIST SP 800-82 provides guidance for industrial control system security; Revision 3 (2023) retitled it the Guide to Operational Technology (OT) Security to cover ICS alongside building automation and other OT. The guide addresses OT-specific security considerations including provisions relevant to telemetry integrity.

The NIST Cybersecurity Framework provides a broader cybersecurity framework with OT/ICS application. The framework organizes outcomes under the Identify, Protect, Detect, Respond and Recover functions (CSF 2.0 adds Govern), and telemetry deception defense touches each of them: inventorying telemetry sources, authenticating and segmenting them, detecting inconsistencies, responding when deception is found, and restoring trustworthy data.

The Purdue Enterprise Reference Architecture provides the reference model for OT/ICS network segmentation. The model informs the network segmentation that bounds attacker access to telemetry infrastructure.

Sector-specific frameworks address telemetry security in specific critical infrastructure sectors. Electricity sector frameworks including NERC CIP, water sector frameworks, oil and gas frameworks, and broader sector frameworks provide sector-specific infrastructure.

Within the ISA/IEC 62443 series, IEC 62443-3-3 (system security requirements and security levels) and IEC 62443-4-2 (component requirements) carry the provisions most directly relevant to telemetry: foundational requirement FR 3, System Integrity, including SR 3.1 Communication integrity, covers protecting the integrity of transmitted information, and the security levels state how strong that protection must be against increasingly capable adversaries.

Emerging AI-specific OT frameworks address the AI dimension of OT/ICS security. The frameworks continue to develop as AI deployment in OT/ICS contexts expands.

The aggregate framework landscape provides substantial infrastructure for telemetry deception defense. The frameworks address conventional OT/ICS security with the AI-specific dimension as developing extension.


What Detection Cannot Guarantee

Telemetry deception defense has substantial limits that operators should engage directly.

Detection cannot catch all sophisticated deception. Sophisticated, well-resourced adversaries can construct telemetry deception that evades available detection; the Stuxnet and FDIA research demonstrate this.

Physics-based validation has limits. Physics-based validation catches deception that violates physical consistency; deception carefully constructed to maintain physical consistency may evade physics-based validation.

Redundancy can be defeated by coordinated deception. Redundancy catches deception affecting subsets of sources; coordinated deception affecting all redundant sources consistently may evade redundancy-based detection.

Sensor authentication does not address compromised legitimate sensors. Sensor authentication verifies telemetry comes from legitimate sensors; it does not address legitimate sensors that have themselves been compromised to produce false readings.

Historical telemetry deception may have already contaminated AI training. Telemetry deception that occurred before detection may have already affected AI systems trained on the contaminated telemetry.

The detection-defense asymmetry favors sophisticated attackers. Well-resourced attackers can invest in deception sophistication; defenders face the broader challenge of defending all telemetry. The asymmetry produces residual risk.

The aggregate defense limits produce specific implications. Mature operators combine telemetry deception defense with broader resilience including assuming some deception may succeed, designing systems to limit the consequence of deceived telemetry, and maintaining response capability for when deception is discovered.


Specific Concerns for Operators

Operators deploying AI on OT/ICS telemetry face several recurring considerations.

Telemetry inventory addresses what telemetry AI systems actually consume. Operators benefit from explicit inventory of telemetry sources, telemetry pipelines, and AI telemetry consumption.

Sensor authentication infrastructure supports telemetry source verification. Operators implement sensor authentication appropriate to their telemetry infrastructure.

Physics-based validation supports ground-truth checking. Operators implement physics-based validation that checks telemetry against physical models.

Redundancy design supports cross-validation. Operators design sensor redundancy that supports cross-validation of telemetry.

AI input validation addresses the AI pipeline specifically. Operators implement validation of telemetry before AI consumption.

Network segmentation bounds attacker access. Operators implement OT/ICS network segmentation that bounds access to telemetry infrastructure.

Monitoring addresses detection of telemetry anomalies. Operators implement monitoring appropriate to telemetry deception detection while recognizing detection limits.

Resilience design limits the consequence of deceived telemetry. Operators design systems so that deceived telemetry produces bounded rather than catastrophic consequences.

Incident response preparation addresses telemetry deception incidents. Operators prepare response infrastructure for when telemetry deception is discovered.

Training data integrity addresses the AI training dimension. Operators address the integrity of historical telemetry that AI training depends on.


The Reframe

OT/ICS telemetry deception falsifies the data stream that connects physical reality to decision-making, so that operators and AI systems make decisions based on a false picture of physical state. AI consumption changes the risk because AI consumes telemetry at scale, lacks independent physical verification, and may act faster than human cross-checking — the Stuxnet pattern of feeding false telemetry while concealing actual physical state applies directly to AI-monitored systems. Defense cannot rely on detecting the deception alone; it requires physics-based validation, redundancy, and out-of-band verification that provide ground truth independent of the manipulable telemetry.


Related Coverage

Data Risks | OT/ICS Integration Controls | Cyber-Physical Compromise | Critical Infrastructure Compromise