Recent research demonstrated that the superficially well-trained machinelearning (ML) models are highly vulnerable to adversarial examples. As MLtechniques are rapidly employed in cyber-physical systems (CPSs), the securityof these applications is of concern. However, current studies on adversarialmachine learning (AML) mainly focus on computer vision and related fields. Therisks the adversarial examples can bring to the CPS applications have not beenwell investigated. In particular, due to the distributed property of datasources and the inherent physical constraints imposed by CPSs, the widely-usedthreat models in previous research and the state-of-the-art AML algorithms areno longer practical when applied to CPS applications. We study the vulnerabilities of ML applied in CPSs by proposing ConstrainedAdversarial Machine Learning (ConAML), which generates adversarial examplesused as ML model input that meet the intrinsic constraints of the physicalsystems. We first summarize the difference between AML in CPSs and AML inexisting cyber systems and propose a general threat model for ConAML. We thendesign a best-effort search algorithm to iteratively generate adversarialexamples with linear physical constraints. As proofs of concept, we evaluatethe vulnerabilities of ML models used in the electric power grid and watertreatment systems. The results show that our ConAML algorithms can effectivelygenerate adversarial examples which significantly decrease the performance ofthe ML models even under practical physical constraints.