Bad data injection (BDI) is one of the most threatening attacks in smart grid, as it may cause energy theft of end users, false dispatch on the distribution process, and device breakdown during power generation. In this paper, the BDI attack is defined as a cyber-physical attack which is a combination of two aspects: 1) on the cyber side, modern attack techniques are exploited to intrude and inject bad data into the information system; 2) on the physical side, attackers construct the bad data to bypass the traditional error detection in power systems. Related work on BDI construction and implementation are reviewed. An attack simulation is constructed to illustrate how to launch a BDI attack. The countermeasures against the BDI are also summarized from the views of cyber-orientation, physical-orientation. Finally, our work on cyber-physical fusion detection is presented.Index Terms--smart grid; security; bad data injection; cyberphysical fusion.