To ensure grid efficiency and reliability, power system operators continuously monitor the operational characteristics of the grid through a critical process called state estimation (SE), which performs the task by filtering and fusing various measurements collected from grid sensors. This study analyzes the vulnerability of the key operation module, namely ac-based SE, against potential cyber attacks on data integrity, also known as false data injection attack (FDIA). A general form of FDIA can be formulated as an optimization problem, whose objective is to find a stealthy and sparse data injection vector on the sensor measurements with the aim of making the state estimate spurious and misleading. Due to the nonlinear ac measurement model and the cardinality constraint, the problem includes both continuous and discrete nonlinearities. To solve the FDIA problem efficiently, we propose a novel convexification framework based on semidefinite programming (SDP). By analyzing a globally optimal SDP solution, we delineate the “attackable region” for any given set of measurement types and grid topology, where the spurious state can be falsified by FDIA. Furthermore, we prove that the attack is stealthy and sparse, and derive performance bounds. Simulation results on various IEEE test cases indicate the efficacy of the proposed convexification approach. From the grid protection point of view, the results of this study can be used to design a security metric for the current practice against cyber attacks, redesign the bad data detection scheme, and inform proposals of grid hardening. From a theoretical point of view, the proposed framework can be used for other nonconvex problems in power systems and beyond.