This study addresses the challenge of detecting replay and stealth attacks in networked cyber-physical systems when neither the system model nor its structure is known. To this end, it introduces TimesFM—a time-series foundation model—into model-free attack detection for the first time, proposing a zero-shot detection and data recovery method. By leveraging TimesFM to generate surrogate residuals, the approach identifies attacks without requiring any prior system knowledge and effectively reconstructs compromised measurement data. The work also derives the optimal stealth attack strategy against χ² detectors. Experimental results on the IEEE 14-bus power system demonstrate that the proposed method matches or surpasses conventional model-dependent approaches in detection performance while exhibiting strong data restoration capabilities.

This paper addresses the problem of attack detection in cyber-physical systems without any knowledge of the plant model or its structure. A remotely located plant transmits sensor measurements to an operator over a network that is assumed to be under attack. We consider two classes of attacks: model-free replay attacks and model-based stealthy attacks. For the latter, we derive closed-form expressions for the optimal stealthy attack policy against a $χ^2$ detector, for both linear and nonlinear systems. We then propose a model-structure-free detector based on TimesFM, a time-series foundation model developed by Google Research, which serves as a surrogate residual generator operating in a zero-shot fashion. We show empirically that the TimesFM-based detector achieves a comparable or superior attack detection performance. The efficacy of the proposed approach is demonstrated numerically on the IEEE 14-bus power system. We also demonstrate that TimesFM predictions can serve as a substitute for corrupted measurements, a practical mitigation technique when classical redundancy assumptions fail.