The invention provides a method and a device for detecting a hidden attack of an industrial control system. The method comprises: acquiring three-dimensional information of the industrial control system at the current time; constructing a three-dimensional information sequence; performing normalization and window division on the three-dimensional information sequence to obtain a test sequence; ifthe format of a three-dimensional information vector in the test sequence is judged to conform to a preset rule and the three-dimensional information vector conforms to the content in a preset fuzzy database, learning that the content of the test sequence is normal; according to the normal content of the test sequence, inputting the test sequence to a pre-trained LSTM model, and outputting a predicted value of the three-dimensional information vector at the current time; identifying the difference between the predicted value and the true value of the three-dimensional information vector at thecurrent time, and generating an intrusion detection result according to a cascade detection method on time series. The method and the device can accurately identify hidden attacks that cannot be identified by the existing detection technologies.