This paper addresses the concept of a bias injection cyber-attack on the load frequency control loop of a single-area power plant. The system operates in islanded mode and evolves in the discrete-time domain. A convex and compact set of polyhedral state constraints represents a valid domain of safe operation under the effect of a stabilizing output-feedback dynamic controller. An alarm is triggered whenever the safety constraints are violated, alerting the control center to a potential system intrusion. An attacker succeeds in gaining access to the frequency sensor measurements and corrupts the data transferred to the automatic generation control unit, driving the electrical frequency to a safety-critical steady-state value without triggering an alarm. Simulation studies highlight the effect of the cyber-attack on the physical plant.