Distributed parameter cyber-physical systems (DPCPSs) are characterized by two features: 1) they exhibit spatio-temporal (distributed parameter) dynamics and 2) there exist cyber components in the form of communication channels between the physical plant and control system. DPCPSs are vulnerable to anomalies such as nonmalicious physical faults and malicious cyber-attacks. Although the safety and security aspects of CPSs modeled by ordinary differential equations (ODEs) have been extensively explored during the past decade, security of DPCPSs has not received its due attention despite its safety-critical nature. In this work, we explore anomaly diagnostics in DPCPSs from a system theoretic viewpoint. Specifically, we focus on DPCPSs modeled by linear parabolic partial differential equations (PDEs) subject to physical faults and cyber-attacks in the actuation channel. First, we explore the detectability of malicious anomalies (i.e., cyber-attacks) and derive conditions for stealthy attacks in the context of output-feedback-based monitoring. Such stealthy attacks essentially illustrate the fundamental limitations of feedback-based monitoring algorithms given perfect adversarial knowledge. Subsequently, focusing on the anomalies that are detectable, we develop a design framework for anomaly detection algorithms based on output injection observers. Such detection algorithm explicitly considers the conflicting objectives of robustness to uncertainties and sensitivity to anomalies in their design. Finally, theoretical analysis and simulation studies are performed to illustrate the effectiveness of the proposed approach.