Generic framework to detect cyber threats in electric power grid

The invention claimed is: 1. A system to protect an electric power grid, comprising: a plurality of heterogeneous data source nodes each generating a series of current data source node values over time that represent a current operation of the electric power grid; and a real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, to: (i) receive the series of current data source node values and generate a set of current feature vectors, (ii) access an abnormal state detection model having at least one decision boundary created offline using a set of feature vectors, (iii) execute the abnormal state detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary; wherein the set of feature vectors includes at least one of: (i) normal feature vectors, and (ii) abnormal feature vectors and the real-time threat detection computer executes the abnormal state detection model; and wherein the system further comprises: a normal space data source storing, for each of the plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid; an abnormal space data source storing, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid; and an offline abnormal state detection model creation computer, coupled to the normal space data source and the abnormal space data source, to: (i) receive the series of normal data source node values and generate the set of normal feature vectors, (ii) receive the series of abnormal data source node values and generate the set of abnormal feature vectors, and (iii) automatically calculate and output the at least one decision boundary for the abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors. 2. The system of claim 1 , wherein at least one of the heterogeneous data source nodes is associated with at least one of: (i) social media data, (ii) wireless network data, (iii) weather data, (iv) information technology inputs, (v) critical sensor nodes of the electric power grid, (vi) actuator nodes of the electric power grid, (vii) controller nodes of the electric power grid, and (viii) key software nodes of the electric power grid. 3. The system of claim 2 , wherein information from each of the plurality of heterogeneous data source nodes is normalized and an output is expressed as a weighted linear combination of basis functions. 4. The system of claim 1 , wherein the real-time threat detection computer is further to generate: (i) a spoof indication, (ii) a system event indication, (iii) a location indication, (iv) an importance indication, and (v) an early warning indication. 5. The system of claim 1 , wherein at least one of the set of normal feature vectors and the set of abnormal feature vectors are associated with at least one of: (i) principal components, (ii) statistical features, (iii) deep learning features, (iv) frequency domain features, (v) time series analysis features, (vi) logical features, (vii) geographic or position based locations, (viii) interaction features, (ix) range, and (x) current value. 6. The system of claim 1 , wherein the abnormal state detection model is associated with at least one of: (i) an actuator attack, (ii) a controller attack, (iii) a data source node attack, (iv) a plant state attack, (v) spoofing, (vi) physical damage, (vii) unit availability, (viii) a unit trip, (ix) a loss of unit life, (x) asset damage requiring at least one new part, (xi) a stealthy attack not detectable by alarms, (xii) a load alternating attack, (xiii) a topology change attack, (xiv) a stability compromise attack, and (xv) a frequency compromise attack. 7. The system of claim 1 , wherein the abnormal state detection model including the at least one decision boundary is associated with at least one of: (i) a line, (ii) a hyperplane, and (iii) a non-linear boundary separating normal space and abnormal space. 8. The system of claim 1 , wherein the offline abnormal state detection model creation computer operates at a frequency between approximately once every six hours and once every eight hours. 9. The system of claim 1 , wherein the offline abnormal state detection model creation computer is associated with multi-modal, multi-disciplinary feature discovery. 10. The system of claim 1 , wherein the abnormal space data source stores both random abnormal data and targeted abnormal data. 11. The system of claim 1 , wherein the offline abnormal state detection model creation computer is associated with a power system model with static network information including at least one of: (i) network topology, (ii) impedance of power lines, (iii) transformer information, (iv) generator data, (v) load data, and (vi) bus information. 12. The system of claim 11 , wherein the power system model is a full differential-algebraic equation representation augmented with dynamic data including at least one of: (i) a sub-transient model for a generator asset, (ii) a motor model for a load, and (iii) a model for a high-power electronic device. 13. The system of claim 11 , wherein the offline abnormal state detection model creation computer uses a complex network theory analysis to distinguish a random event from a targeted event. 14. A computerized method to protect an electric power grid, comprising: retrieving, for each of a plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid; generating, offline, a set of normal feature vectors based on the normal data source node values; retrieving, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid; generating a set of abnormal feature vectors based on the abnormal data source node values; automatically calculating and outputting, by an offline abnormal state detection model creation computer, at least one decision boundary for an abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors; wherein the offline abnormal state detection model creation computer operates at a frequency between approximately once every six hours and once every eight hours; and wherein the method further comprises executing the offline abnormal state detection model and transmitting a threat alert signal based on the set of normal feature vectors and the set of abnormal feature vectors and the at least one decision boundary. 15. The method of claim 14 , wherein the offline abnormal state detection model creation computer is associated with multi-modal, multi-disciplinary feature discovery. 16. The method of claim 14 , wherein the abnormal space data source stores both random abnormal data and targeted abnormal data. 17. A non-transitory, computer-readable medium storing instructions that, when executed by a computer processor, cause the computer processor to perform a method associated with protection of an electric power grid, the method comprising: receiving, from a plurality of heterogeneous data source nodes, a series of current data source node values over time that represent a current operation of the electric power grid; accessing, by a real-time threat detection computer, an abnormal state detection