Cyber-physical systems (CPSs) are more vulnerable to false data injection (FDI) attacks. An attacker can launch an FDI attack at any chosen location in the CPS. It is required to analyze the system’s behaviour in the presence of FDI attacks rather than analyzing attacks at a specific location. In this paper, we consider security in CPS due to FDI attacks at a single as well as multiple locations. The CPS is modeled as a discrete linear time-invariant system with white Gaussian noise. The system is equipped with a Kalman filter as a state estimator and a Chi-square detector for attack detection. We studied FDI attacks at the sensor, actuator, and physical system. Attackers may guess the system parameters in the worst-case and remain undetectable by carefully designing the attack sequences. The attacker always attempts to increase the state estimation error in the system. Based on the system model, we have identified seven kinds of FDI attacks and analyzed their effects on the system’s security. It is found that the attacker can produce bounded errors in some cases and unbounded errors in some others. Simulation of the attacks on the system model is performed through numerical examples to illustrate their effectiveness.