Industrial asset control systems that operate physical systems (e.g., associated with power turbines, jet engines, locomotives, autonomous vehicles, etc.) are increasingly connected to the Internet. As a result, these control systems may be vulnerable to threats, such as cyber-attacks (e.g., associated with a computer virus, malicious software, etc.), that could disrupt electric power generation and distribution, damage engines, inflict vehicle malfunctions, etc. Current methods primarily consider threat detection in Information Technology (“IT,” such as, computers that store, retrieve, transmit, manipulate data) and Operation Technology (“OT,” such as direct monitoring devices and communication bus interfaces). Cyber-threats can still penetrate through these protection layers and reach the physical “domain” as seen in 2010 with the Stuxnet attack. Such attacks can diminish the performance of a control system and may cause a total shut down or even catastrophic damage to a plant. Currently, Fault Detection Isolation and Accommodation (“FDIA”) approaches only analyze sensor data, but a threat might occur in connection with other types of threat monitoring nodes. Also note that FDIA is limited only to naturally occurring faults in one sensor at a time. FDIA systems do not address multiple simultaneously occurring faults as in the case of malicious attacks. Moreover, an industrial asset control system may be associated with different normal operations during different modes of operation (e.g., warm-up mode, shutdown mode, etc.). As a result, data variations can be substantial and determining when a cyber threat is present based on operation of the control system may be difficult—especially when an asset can operate in a relatively large number of different modes (e.g., fifty or more modes). It would therefore be desirable to protect an industrial asset control system from cyber threats in an automatic and accurate manner.