Cyber-Physical Systems (CPS) are integral to critical infrastructure, but their interconnected nature exposes them to sophisticated cyber threats. Traditional security mechanisms primarily focus on detecting direct manipulations of control signals or sensor data, leaving them vulnerable to more subtle attack vectors. This paper introduces a novel optimisation framework for modelling and executing stealthy computational delay attacks - -an attack class that subtly interferes with controller execution timing to degrade system performance while remaining undetected. Unlike conventional denial-of-service attacks, these stealthy attacks introduce delays selectively, ensuring that the controller fails to compute control signals in time without triggering standard anomaly detection mechanisms. We formulate the problem as a Mixed Integer Quadratically Constrained Programming (MIQCP) optimisation, allowing attackers to maximise system disruption while evading detection. Our framework is evaluated on two control systems: a simulated stable quadruple-tank process and a real-hardware implementation of an unstable Furuta pendulum. Experimental results demonstrate that even brief, undetected computational delays can lead to severe performance degradation and system destabilisation. These findings highlight the need for improved intrusion detection mechanisms that account for time-based threats, emphasising long-term activity monitoring and adaptive defence strategies to safeguard CPS integrity.