This paper addresses the challenges of attack detection and identification in cyber-physical systems (CPS), which are prevalent in power systems, transportation networks, and critical infrastructures. The authors propose a mathematical framework for CPS, attacks, and monitors, and characterize fundamental monitoring limitations from system-theoretic and graph-theoretic perspectives. They design centralized and distributed attack detection and identification monitors and validate their findings through examples. The key contributions include: 1. **Mathematical Framework**: A unified modeling framework for CPS and attacks, including the concepts of detectability and identifiability. 2. **Fundamental Limitations**: Prove that an attack is undetectable if and only if it excites the zero dynamics of the system, and identify conditions for undetectable attacks based on system interconnection structure. 3. **Monitor Design**: Develop centralized and distributed monitors that are complete in detecting and identifying detectable and identifiable attacks. Centralized monitors leverage geometric control theory, while distributed monitors rely on techniques from distributed control and parallel computation. 4. **Illustrative Examples**: Demonstrate the effectiveness of the proposed methods through examples, including a state attack on a power system, output attacks on a power network, and detection performance on a large-scale network model. The paper highlights the importance of considering the specific vulnerabilities of CPS and provides a comprehensive approach to designing robust monitoring systems.This paper addresses the challenges of attack detection and identification in cyber-physical systems (CPS), which are prevalent in power systems, transportation networks, and critical infrastructures. The authors propose a mathematical framework for CPS, attacks, and monitors, and characterize fundamental monitoring limitations from system-theoretic and graph-theoretic perspectives. They design centralized and distributed attack detection and identification monitors and validate their findings through examples. The key contributions include: 1. **Mathematical Framework**: A unified modeling framework for CPS and attacks, including the concepts of detectability and identifiability. 2. **Fundamental Limitations**: Prove that an attack is undetectable if and only if it excites the zero dynamics of the system, and identify conditions for undetectable attacks based on system interconnection structure. 3. **Monitor Design**: Develop centralized and distributed monitors that are complete in detecting and identifying detectable and identifiable attacks. Centralized monitors leverage geometric control theory, while distributed monitors rely on techniques from distributed control and parallel computation. 4. **Illustrative Examples**: Demonstrate the effectiveness of the proposed methods through examples, including a state attack on a power system, output attacks on a power network, and detection performance on a large-scale network model. The paper highlights the importance of considering the specific vulnerabilities of CPS and provides a comprehensive approach to designing robust monitoring systems.