As the industry becomes increasingly digitized, critical infrastructure is relying more and more on artificial intelligence to monitor its condition and prevent failures. This is particularly true of Structural Health Monitoring (SHM) systems, which are capable of detecting defects in structures such as rails, bridges, or industrial equipment.
A team of researchers at CEA-List has just provided an experimental answer to this question by demonstrating a backdoor attack against an SHM system in which the trigger originates from the physical world. Unlike conventional cyberattacks, this robust and stealthy attack is triggered not by malicious code, but by signals originating from the physical world.
This work represents the first experimental demonstration of its kind worldwide, concretely exploring the boundary between digital systems and real-world infrastructure. It was conducted as part of the European KINAITICS project, dedicated to studying threats to cyber-physical systems.
In an SHM system, a network of sensors collects physical signals (guided waves, vibrations, etc.) to detect and locate defects in a structure. This data is then analyzed by deep learning models capable of estimating the position and size of a defect.
The researchers studied a so-called backdoor attack scenario. The principle involves introducing, during model training, a specific pattern—called a trigger—associated with an erroneous output. The model then functions normally in most cases, but produces an incorrect prediction as soon as this pattern appears.
In the digital realm, this type of attack is already well-documented by cybersecurity research. But its deployment in the physical world remains much more complex, as the interaction between the trigger and the actual defect alters the measured signals.
To explore this threat, the CEA-List team developed an experimental platform equipped with piezoelectric sensors and trained a neural network to estimate the position and size of defects on a metal plate. The researchers then introduced a physical trigger—an object placed on the structure—capable of deceiving the AI model.
The results show that a model “poisoned” in this way can continue to behave normally when processing standard data while failing to detect a real defect in the presence of the trigger. In the experiments conducted, the attack succeeded in over 80% of cases in the physical world and exceeded 90% in the digital domain, while maintaining nominal behavior on normal data. In practical terms, the system may then consider a critical defect to be benign, illustrating the potential risk for AI-monitored infrastructures.
Using a simple physical trigger, the attack fooled the detection system in more than 80% of cases during experiments.
Beyond the demonstration, this work opens new avenues for securing industrial systems that incorporate AI. In particular, it highlights the need to develop methods capable of detecting or neutralizing this type of attack when AI interacts with physical phenomena.
Our researchers are now working on the evaluation and development of defense mechanisms tailored to next-generation cyber-physical environments, which remain largely unexplored in the scientific literature.
The findings represent an important step toward understanding the vulnerabilities of AI deployed in industrial environments.
Preliminary results from this work were presented at the Workshop on Machine Learning Security held in Paris on September 17, 2025.
Since then, these results have been further consolidated with a view to submitting a paper to a top-tier conference.
As AI becomes integrated into critical infrastructure, it is essential to anticipate new attack surfaces. This analysis represents a first step toward defense methods tailored to cyber-physical systems.
