This paper focuses on the performance analysis of cyber–physical systems under stealthy deception attacks. Two attack models are considered: the strictly stealthy attack and the ϵ-stealthy attack. The strictly stealthy deception attack model is first formulated based on the difference equations of the normal and compromised systems. We then present a necessary and sufficient condition for the existence of the strictly stealthy deception attack. The design method by which the attacker achieves the strictly stealthy deception attack is also provided. Since the strictly stealthy attack strategy is associated with the undetectable points of the difference equations, we propose a computationally efficient algorithm to find such points. It is shown that these points form a subspace which can be obtained in a finite number of recursion steps. The corresponding defense strategy is then designed by keeping the initial state from falling into this subspace. For the ϵ-stealthy attack, a necessary condition is provided for its existence. Furthermore, because the difference system matrix does not have an unstable eigenvalue, it is proved that the ϵ-stealthy attack does not exist. Simulation examples are presented to illustrate the theoretical results.