Recent trends in Critical Infrastructures (CIs), e.g., power plants and energy smart grids, showed an increased use of commodity, off-the-shelf Information and Communication Technologies (ICT) hardware and software. Although this enabled the implementation of a broad palette of new features, the pervasive use of ICT, especially within the core of CIs, i.e., in Industrial Control Systems (ICSs), attracted a new class of attacks in which cyber disturbances propagate to the physical dimension of CIs. To ensure a more effective detection of cyber attacks against the ICS of CIs, we have developed SPEAR, a systematic approach that automatically configures anomaly detection engines to detect attacks that violate connection patterns specific to ICSs. The approach is validated by experimental scenarios including traffic traces from real industrial equipment and real malware (Stuxnet).