Measuring Cyber-Physical Security in Industrial Control Systems via Minimum-Effort Attack Strategies