A Two-Stage Framework for Fault and Cyber Attack Detection in Line Current Differential Relays of Power Transmission Network

The increasing integration of digital platforms in power systems has enhanced protection capabilities but also introduced new vulnerabilities, particularly in critical components like Line Current Differential Relays (LCDRs). LCDRs offer fast, selective, and sensitive protection for high-voltage transmission lines, but their reliance on synchronized current measurements, communicated over potentially insecure networks, exposes them to cyber threats. Attackers can exploit this dependency through sophisticated attacks, namely False Data Injection Attacks (FDIA) and Time Synchronization Attacks (TSA), manipulating relay decisions and leading to unnecessary tripping, load shedding, and system instability. To address this challenge, this study proposes a two-stage detection and classification framework to distinguish between grid faults and cyber-attacks. The first stage employs an unsupervised Long Short-Term Memory autoencoder, trained solely on normal operational data, to detect anomalous deviations without requiring labeled attack data. Once an anomaly is detected, the second stage, which is based on a supervised Random Forest classifier, categorizes the event as either a physical fault or a specific type of cyberattack. The proposed framework is implemented and validated on the IEEE 14-bus system using the OPAL-RT HYPERSIM platform. Results demonstrate that the proposed framework can accurately detect and classify both faults and cyber-attacks while preserving the essential protective functions of the LCDR.