Formal Impact Metrics for Cyber-physical Attacks