Energy Management Systems (EMS) face multi-stage security risks—including post-state-estimation stealthy attacks, real-time database (RTDB) tampering, and Human-Machine Interface (HMI) display anomalies—under dynamic cyber threats and system failures. Method: This paper proposes SoM-GI, the first generative AI framework for power system cybersecurity. It integrates visual tokenization, rule-based reasoning, and multimodal analysis (numerical, image, and textual data) to enable end-to-end, cross-stage threat detection across SCADA data flows. Contribution/Results: SoM-GI overcomes key limitations of conventional methods in spatial relationship modeling and HMI visual anomaly identification by pioneering the application of generative AI to power system security. Evaluated on the IEEE 14-Bus system, it accurately detects post-state-estimation attacks, RTDB manipulations, and HMI display distortions, achieving significant improvements in detection accuracy and robustness against evolving threats.

This paper elaborates on an extensive security framework specifically designed for energy management systems (EMSs), which effectively tackles the dynamic environment of cybersecurity vulnerabilities and/or system problems (SPs), accomplished through the incorporation of novel methodologies. A comprehensive multi-point attack/error model is initially proposed to systematically identify vulnerabilities throughout the entire EMS data processing pipeline, including post state estimation (SE) stealth attacks, EMS database manipulation, and human-machine interface (HMI) display corruption according to the real-time database (RTDB) storage. This framework acknowledges the interconnected nature of modern attack vectors, which utilize various phases of supervisory control and data acquisition (SCADA) data flow. Then, generative AI (GenAI)-based anomaly detection systems (ADSs) for EMSs are proposed for the first time in the power system domain to handle the scenarios. Further, a set-of-mark generative intelligence (SoM-GI) framework, which leverages multimodal analysis by integrating visual markers with rules considering the GenAI capabilities, is suggested to overcome inherent spatial reasoning limitations. The SoM-GI methodology employs systematic visual indicators to enable accurate interpretation of segmented HMI displays and detect visual anomalies that numerical methods fail to identify. Validation on the IEEE 14-Bus system shows the framework's effectiveness across scenarios, while visual analysis identifies inconsistencies. This integrated approach combines numerical analysis with visual pattern recognition and linguistic rules to protect against cyber threats and system errors.