Cyber-physical systems are often used in critical applications, e.g. to automatically monitor patients or to control our smart grid. The security of these applications should be guaranteed, since a breach in such systems might have catastrophic consequences and cause also the loss of human lives. For these reasons, it is of utmost importance that the cyber part of CPSs is resistant against attacks. However, this is not sufficient. Cyber-physical systems are composed of two parts, a cyber part, very similar to the computational part of embedded systems, and a physical part. We know what are the threats to the cyber-part, and we know what can be the defense mechanisms for it. Is this knowledge sufficient to protect CPSs from security threats or CPSs are open to new attacks which can not be defeated with existing countermeasures?