Since the beginning of the 21th century, Industrial Control Systems (ICS) have been targeted by hackers. The main motives for the interest to ICS is the ease for performing cyberattacks and the potential damages inflicted to the system and its environment in case of success. The purpose of this paper is to propose an approach for detecting malicious orders in discrete-event system. Four types of attacks (direct, sequential, temporal and over-soliciting) that affect an industrial system are studied in this work. Based on the vulnerabilities in ICS and the positioning of other techniques, an innovative methodology is exposed in this paper to develop detection mechanisms based on the “automation-knowledge”. Thus, by using models of system with an improved notion of distance and trajectory, our filters based approach provides good results for detecting cyberattacks in lower levels of ICS architecture by analyzing the malicious nature of the orders sent. Different types of detection mechanisms based on the concept of distance and trajectory are detailed in this study. We also provide results on simulation examples and an industrial platform. To conclude, improvements of our approach are discussed.