Systematic Review

Cybersecurity Issues in Electrical Protection Relays: A Systematic Review

by Giovanni Battista Gaggero *, Paola Girdinio and Mario Marchese
Department of Electrical, Electronics and Telecommunications Engineering and Naval Architecture (DITEN), University of Genoa, 16126 Genoa, Italy
* Author to whom correspondence should be addressed.
Energies 2025, 18(14), 3796; https://doi.org/10.3390/en18143796
Submission received: 13 June 2025 / Revised: 10 July 2025 / Accepted: 15 July 2025 / Published: 17 July 2025

Abstract

The increasing digitalization of power systems has revolutionized the functionality and efficiency of electrical protection relays. These digital relays enhance fault detection, monitoring, and response mechanisms, ensuring the reliability and stability of power networks. However, their connectivity and reliance on communication protocols introduce significant cybersecurity risks, making them potential targets for malicious attacks. Cyber threats against digital protection relays can lead to severe consequences, including cascading failures, equipment damage, and compromised grid security. This paper presents a comprehensive review of cybersecurity challenges in digital electrical protection relays, focusing on four key areas: (1) a taxonomy of cyber attack models targeting protection relays, (2) the associated risks and their potential impact on power systems, (3) existing mitigation strategies to enhance relay security, and (4) future research directions to strengthen resilience against cyber threats.

1. Introduction

The integration of digital technology into power systems has significantly transformed the operation and management of electrical networks [1,2,3]. Among these advancements, digital electrical protection relays play a critical role in ensuring the reliability and safety of power system operations. These devices monitor electrical parameters, detect faults, and trigger circuit breakers to prevent equipment damage and minimize power outages [4]. Unlike their electromechanical predecessors, digital relays leverage microprocessors, communication protocols, and remote access capabilities to enhance precision, flexibility, and efficiency in power system protection. However, the digitalization of protection relays has also introduced a new dimension of vulnerabilities [5]. As these devices become interconnected through communication networks, they are increasingly exposed to cybersecurity threats. Cyber attacks on protection relays can lead to devastating consequences, including cascading power failures, equipment damage, and compromised grid stability. Attackers can exploit weak authentication mechanisms [6], outdated software [7], or insecure communication protocols [8] to disrupt relay operations, falsify data, or manipulate settings. Given the critical role of these devices in maintaining grid integrity, understanding and mitigating the associated cybersecurity risks is a matter of utmost importance.
Most cybersecurity studies focus on replicating general industrial control systems, often overlooking the distinct characteristics of electrical protection relays. As a result, vulnerabilities specific to relays—such as firmware tampering, protocol-level exploits, and timing-based attacks—remain poorly understood. This lack of targeted investigation can obscure the unique risks these critical devices present to power system security. This paper provides a comprehensive review of cybersecurity issues in digital electrical protection relays. It aims to synthesize the current body of knowledge on the topic by addressing four key aspects: (1) the taxonomy of attack models targeting protection relays, (2) the associated risks and potential impacts on power systems, (3) existing countermeasures to mitigate these threats, and (4) future research directions to enhance the security and resilience of digital protection relays. The paper also highlights research gaps, such as the lack of detailed attack models in complex protective schemes and the related limited threat analysis, as well as the lack of cybersecurity monitoring strategies. By analyzing these areas, the review seeks to provide valuable insights for researchers, industry practitioners, and policymakers striving to safeguard modern power systems against evolving cyber threats. To the best of our knowledge, this is the first paper to provide a review that specifically focuses on vulnerabilities of protection systems in the smart grid.
The paper is structured as follows. Section 2 explains the methodology used to review the existing literature on the topic. Section 3 analyzes the vulnerabilities and related impacts that affect protection relays. Section 4 reviews different approaches that have been presented in the literature to mitigate this risk. Section 5 discusses research gaps that emerged from this review and suggests some possible research directions. Finally, in Section 6, conclusions are drawn.

2. Methodology

This systematic review was conducted in accordance with the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) guidelines [9]. A systematic approach was employed to identify and analyze relevant research articles to conduct a comprehensive review of cybersecurity issues in digital electrical protection relays. The methodology ensured the inclusion of high-quality and up-to-date literature to provide an accurate understanding of the topic. The key steps in the selection process of data sources and inclusion criteria are outlined in Figure 1.
The Scopus database was selected as the primary source for literature collection due to its extensive coverage of peer-reviewed journals, conference proceedings, and technical papers across various disciplines. The following inclusion criteria were applied to filter the relevant articles:
  • Publication Indexing: Only papers indexed in Scopus were considered to ensure quality and credibility.
  • Publication Date: Articles published within the last 10 years (2014–2024) were included to focus on recent advancements and emerging trends.
  • Relevance: The papers had to explicitly address topics related to digital electrical protection relays and their cybersecurity aspects.
The search was conducted using a combination of carefully selected keywords to ensure comprehensive coverage of the topic. The primary search query was constructed as follows: main topic keywords: “digital electrical relay”, “protection relay”, “intelligent relay”, “IED” (intelligent electronic device); cybersecurity-related keywords: “cybersecurity”, “cyber attack”, “vulnerability”, “risk”, “threat”, “countermeasure”; combined query example: “digital electrical relay” AND (cybersecurity OR “cyber attack” OR vulnerability OR threat).
The initial search yielded a broad set of articles, which were further refined through a multi-stage screening process: (1) Title and Abstract Screening: Articles were first screened based on their titles and abstracts to identify those addressing the intersection of digital electrical protection relays and cybersecurity. (2) Full-Text Review: The full text of the shortlisted papers was reviewed to ensure they met the inclusion criteria and provided substantive content on attack models, associated risks, countermeasures, or future research directions.
The final set of papers was categorized based on their primary focus areas, such as attack models, risk assessment, and countermeasures. This categorization facilitated a structured synthesis of the findings and enabled the identification of research gaps and future opportunities.

3. Vulnerabilities in Electrical Protections

We reviewed the papers in the literature that analyze the vulnerabilities of commonly used protection strategies in the power system. Table 1 summarizes the selected papers, while a more detailed analysis is provided below.
Ref. [10] presents EVExchange, a relay attack specifically designed for V2G (Vehicle-to-Grid) communication. EVExchange allows an attacker to swap billing flows, charging a victim for the consumed energy. The document highlights that Plug and Charge may expose users to security threats. The paper proposes an extension of the ISO 15118 protocol that uses distance bounding to detect relay attack attempts, demonstrating its capability to identify relay attacks in various scenarios. A relay attack is a technique by which an attacker intercepts communication between two entities and replays it elsewhere in space and time via a proxy.
Ref. [11] demonstrates a cyber attack involving the GOOSE (Generic Object-Oriented Substation Event) protocol of IEC 61850 [12]. IEC 61850 does not implement security measures for the payload of GOOSE and SV (Sampled Values) data relevant to safety. Exploiting cybersecurity vulnerabilities in the protocol and injecting falsified GOOSE data frames into the bay-level substation communication network triggers multiple protection relays in the power grid, leading to a blackout.
Ref. [13] focuses on security issues related to electronic communication paths to protection relays. Relays are critical for the power system, and their settings determine the device’s response (or lack thereof). The report highlights that dial-up equipment installed for remote access to protection relay IEDs, now protected only by rarely changed passwords, represents an undesirable vulnerability.
Ref. [14] focuses on the potential impact of cyber attacks on current relay protection schemes. Current schemes prioritize operational reliability but do not account for potential cyber attacks on the protection system. The paper defines three attack strategies on relay agents and analyzes their effectiveness in disrupting as many transmission lines as possible. The paper proposes two improvement methods: implementing a majority rule for trip confirmation and disabling remote trip requests on critical relays to limit false line trips and prevent cascading failures due to cyber attacks.
Ref. [15] highlights that protection and control relays (IEDs) play a crucial role in substation protection, control, and monitoring functions. The implementation of Ethernet-based protocols in relays and the exchange of information over public and private networks have introduced cybersecurity concerns. The document emphasizes the importance of securing protocols with TLS (Transport Layer Security) to ensure confidentiality, integrity, and authenticity.
Ref. [16] analyzes vulnerabilities in communication-based electrical protection systems. It discusses attack models targeting these systems and the impact of IEC 62351 implementation on these vulnerabilities. Relays, on the one hand, need communication among themselves to enhance security; on the other hand, this operation introduces a cybersecurity vulnerability.
Ref. [17] aims to present monitoring methods for current-based relays (overcurrent and differential current relays) under cyber attack threats. Cyber attacks can interfere with digital protection relays by altering their command outputs to circuit breakers. The paper introduces a modeling approach incorporating randomness to simulate three common types of cyber attacks.
Ref. [18] focuses on an indirect cyber-physical attack involving a circuit breaker and excitation system.
Ref. [19] presents an integrated threat model for protection relay operations in substations, offering a comprehensive analysis of cyber attack techniques and strategies targeting GOOSE protocol vulnerabilities. The study evaluates the impact of cyber attacks on protection relay operations using six different cases.
Ref. [20] focuses on evaluating the performance of distance relays and introduces an innovative, randomized modeling approach designed for three prevalent types of cyber attacks. The paper examines and mitigates False Data Injection (FDI) attacks and denial-of-service (DoS) incidents affecting power systems, particularly targeting protection systems. The paper emphasizes that identifying and distinguishing cyber attacks in the early stages is challenging due to their similarity to symmetrical faults and relay malfunctions in system operation.
Ref. [21] presents a risk assessment method for evaluating the cybersecurity of power systems, considering the role of protection systems. It examines the impact of bus and transmission line protection systems in substations on the cyber–physical performance of power systems. The paper analyzes the relationship between protection device settings, protection logic, and circuit breaker logic.
Ref. [22] summarizes various pilot protection schemes, including a permissive underreaching transfer trip, a permissive overreaching transfer trip, and line current differential, which are widely used in extra-high voltage transmission lines. The importance of separately evaluating communication for engineering access and pilot protection for vulnerability and risk mitigation is emphasized. The exposure of the protection system to cyber attacks could be significantly reduced by disconnecting relays from all vulnerable communication systems, but this could negatively affect overall power system performance in the absence of cyber attacks.
Table 1. List of papers with citation, title, year, and type.
| Citation | Title | Year | Type |
|---|---|---|---|
| [10] | Evexchange: A relay attack on electric vehicle charging system | 2022 | Conference |
| [11] | Cyber attacks on protective relays in digital substations and impact analysis | 2020 | Conference |
| [13] | Cyber security issues for protective relays; c1 working group members of power system relaying committee | 2007 | Conference |
| [14] | Cyber attacks on remote relays in smart grid | 2017 | Conference |
| [15] | Cyber security—Securing the protection and control relay communication in substation | 2018 | Conference |
| [16] | Cybersecurity issues in communication-based electrical protections | 2022 | Conference |
| [17] | Impacts of Cyber Attack on Performance of Current-Based Relays in Transmission Lines | 2024 | Conference |
| [18] | Indirect Cyber-Physical Attack with Combined Circuit Breaker and Excitation System | 2023 | Conference |
| [19] | Modelling and analysing security threats targeting protective relay operations in digital substations | 2023 | Conference |
| [20] | Performance of Distance Relay Against Cyber Attack in Transmission Lines | 2024 | Conference |
| [21] | Power system risk assessment in cyber attacks considering the role of protection systems | 2016 | Journal |
| [22] | Cybersecurity for Distance Relay Protection | 2020 | Technical Report |

3.1. Attacks on Electrical Protection Relays

From the previously considered papers, we provide a short taxonomy of known attacks on protection relays. In detail:
  • Relay Attacks: Relay attacks can be used to indirectly trip a relay by sending a trip request from a compromised primary relay to a backup relay and confirming the request with another compromised peer relay [14]. An attacker can also cause a cascading failure by tripping a set of relays [16]. Attackers can compromise a primary relay of a line and then directly trip the line. Attackers can manipulate the measured impedance of current transformers and/or voltage transformers, causing it to fall within the relay’s zone setting and triggering a trip command [20]. Attackers can modify relay settings such as threshold values, which can cause the relay to either fail to detect a fault or to trip unnecessarily due to a load increase [17]. Attackers can modify the zone setting values of relays, which may cause the relay to fail to detect a fault or to incorrectly interpret an increase in system load as a fault.
  • Cyber Attacks via Network Communication: Man-in-the-middle attacks can be used to exploit vulnerabilities in the IEC 61850 standard, injecting spoofed GOOSE data frames into the substation communication network. Cyber attacks can manipulate GOOSE data in digital substations [11]. Attackers can gain access to the substation network by targeting the corporate information technology of the control center, stealing credentials of corporate user accounts with remote accessibility rights [19]. Denial-of-Service attacks can disrupt the communication between relays, causing them to trigger actions such as opening circuit breakers. False Data Injection Attacks involve injecting fabricated measurements or data into the relay system to cause false tripping or misoperation. Attackers can send false trip confirmations to relays, manipulating trust mechanisms. Attackers can replay measurements from previous fault conditions to the relay system or modify or drop response packets sent to a target relay, which could result in the attacker’s compromised relays being seen as trusted.
  • Physical Attacks: Physical access to equipment, such as instrument transformers, allows the adjustment of tap settings, which results in incorrectly scaled measurements. Physical access to substations and relays provides the opportunity for attackers to practice on real equipment.

3.2. Potential Impacts on the Power System

We also categorize these vulnerabilities by the impact they could have on the power system. In detail:
  • False Tripping: Cyber attacks can cause the false tripping of circuit breakers, leading to unnecessary disconnections of transmission lines or equipment. This can be achieved, for example, by manipulating current measurements and causing the measured impedance to fall within the relay’s zone. False tripping of multiple relays may result in cascading failures and widespread outages.
  • Missed Tripping: Cyber attacks can cause relays to fail to trip during actual fault conditions, which can result in damage to equipment or cause the fault to spread.
  • Cascading Failures and Blackouts: Coordinated attacks on multiple relays can lead to cascading failures and widespread blackouts. Cascading failures can be triggered when a set of relays is compromised. Attackers may target specific sets of lines that can trigger cascading failures.
  • Equipment Damage: Cyber attacks can result in equipment damage due to the failure of the protection system to operate properly during abnormal conditions. Failure to open a circuit breaker during a fault can cause significant damage to substation equipment.
  • System Instability and Inefficiency: The manipulation of control set points in relays can lead to instability in the power systems. Compromised relays and their communication can disrupt normal power system operations, leading to instability. Attacks can lead to increased oscillations and the probable tripping of generators.

4. Countermeasures

We analyzed the papers in the literature that provide mitigation strategies for the previously discussed vulnerabilities. Table 2 summarizes the selected papers, while a more detailed analysis is provided below.
Ref. [23] presents an Intrusion Attack Detection and Discrimination Framework based on deep learning to detect False Data Injection Attacks and replay attacks against Intelligent Electronic Devices in distance relays and distinguish them from real faults. The approach works alongside distance relays to issue the appropriate tripping command to circuit breakers and block trip commands induced by attacks. It integrates autoencoder and spiking neural network architectures in parallel, based on convolutional layers and trained with three-phase fault current and voltage signals, following the principles of distance protection relays.
Ref. [24] proposes a resilient unit protection technique capable of distinguishing between physical internal faults and cyber intrusions in DC systems. The system does not require additional measurements (such as voltage), making it cost-effective. The approach is sensitive to high-resistance faults, robust against white Gaussian noise, and does not require training data, eliminating the need for large memory and complex architectures. The proposed system is based on the variation in the slope of current components.
Ref. [25] presents a deep-learning-based cyber attack detection system for transmission line protection relays. The proposed cyber attack detection system is trained with different input sets depending on the protection relay principle being examined, such as distance, overcurrent, or differential protection relays. It is then employed to detect maliciously injected current and voltage measurements designed to trigger transmission line protection relays. The results demonstrate that deep-learning-based cyber attack detection in substations is feasible.
Ref. [26] highlights the increasing need to make relays resilient to cyber attacks in modern power grids. Common techniques use cryptographic methods to prevent cyber attacks in the cyber layer, including encryption solutions for securing communication links, network traffic monitoring for suspicious system activities, management port activity monitoring, anti-malware processes, and access control policies. The paper proposes a second line of defense to detect and mitigate cyber attacks that bypass network-based techniques embedded in the cyber layer.
Ref. [27] proposes a new method to prevent a current differential relay malfunction due to cyber attacks using synchronized data from Phasor Measurement Units (PMUs). The Wide Area Measurement System (WAMS) records disturbances, and dedicated PMU data is analyzed to determine whether the relay operation is due to a fault or a cyber attack. The method utilizes voltage data analysis and real-time current measurements to establish threshold values for normal relay operation and detect anomalies that may indicate a cyber attack. It incorporates exponential moving averages as an evaluation tool.
Ref. [28] presents a machine-learning-based cyber attack detection model for distance relays. The model can detect False Data Injection and False Setting Injection attacks. The proposed methodology starts by processing current and voltage data, then applies Principal Component Analysis (PCA) to compute eigenvalues and eigenvectors. These data are subsequently used to train and test the Random Forest ensemble algorithm to classify faults, normal conditions, and attacks.
Ref. [29] proposes an intrusion detection method for line current differential relays by comparing locally estimated and measured voltages at the terminal for both positive sequence and negative sequence. To estimate the local voltage for each sequence, the proposed technique uses an Unknown Input Observer, a state-space model of the faulty line, and remote and local measurements associated with that sequence.
Ref. [30] presents an approach to detect False Data Injection Attacks and Time Synchronization Attacks and distinguish them from real faults. The proposed method consists of passive oscillator circuits (POCs) installed in series with each converter. During faults, the resulting RLC circuit makes the POCs resonate and generate a damped sinusoidal component with a specific frequency. However, the specific frequency is not generated during FDI attacks.
Ref. [31] proposes a cybersecurity defense system based on context information. The security filter authenticates and verifies designated multicast packets transmitted between protection and control devices by adding a Message Authentication Code called Galois MAC to extended IEC 61850 packets (e.g., GOOSE and SV).
Ref. [32] proposes a new approach for detecting and mitigating cyber attacks on substation automation systems using cyber-physical security solutions based on domain-specific methods. The methods use protection coordination principles to cross-check protection setting changes and can perform real-time power system analysis to assess the impact of control commands.
Ref. [33] examines the enhancement of cybersecurity resilience in overcurrent protection relays in distribution systems. It proposes a Random Forest algorithm to detect ongoing attacks.
Ref. [34] considers cybersecurity attack scenarios targeting substation protection relays and explores methods to enhance substation cybersecurity by leveraging machine learning for detecting abnormal behaviors in transformer differential protection relays. The proposed method analyzes Operational Technology data obtained from substation current transformers to detect cyber attacks.
Ref. [35] presents a defensive deception approach operating on protective relays in an electrical substation. It uses kernel drivers on a protective relay to create dynamic decoys consisting of emulated I/O boards and their associated hardware controllers.
Ref. [36] focuses on the development of a cyber-resilient line current differential relay.
Ref. [37] models three common attack types using the concept of randomization and detects them via MATLAB/SIMULINK software R2023a in an IEEE three-machine nine-bus model applicable to real-world situations. It defines a new index called the Cyber Attack Detection Index. Wavelet analysis of current signals has proven reasonably effective for diagnosing cyber attacks that commonly compromise the power system.
Ref. [38] proposes a new approach, called the Multi-Agent Distributed Deep Learning method, to address cyber attacks in distance relays within power networks. The introduced network is mapped to a multi-agent system, where relays and their communications act as agents, and the connections of the multi-agent system are considered a distributed system. Cyber attacks are estimated by analyzing voltages and currents of neighboring agents and local measurements.
Ref. [39] presents a deep-learning-based anomaly detection system to prevent cyber attacks. The proposed anomaly detection system makes distance relay elements resilient to false tripping caused by cyber attacks.
Ref. [40] proposes methods for recognizing emergency modes to be implemented in Intelligent Electronic Devices of digital substations.
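As an added illustration (not code from Ref. [32] or any other reviewed paper), the sketch below cross-checks a proposed overcurrent setting change against coordination constraints, covering the threshold-tampering outcomes listed in Section 3.1: tripping on a load increase, failing to detect a fault, and losing the grading margin. The IEC standard-inverse curve, the margins, and all names and feeder values are assumptions chosen for the example.

```python
"""Cross-check of a proposed overcurrent setting change (constructed example)."""
from dataclasses import dataclass
import math

# IEC standard-inverse time-overcurrent curve: t = TMS * K / (M**ALPHA - 1),
# where M is the fault current as a multiple of the pickup current.
K, ALPHA = 0.14, 0.02


@dataclass(frozen=True)
class OcSetting:
    pickup_a: float  # pickup current, primary amperes
    tms: float       # time multiplier setting


@dataclass(frozen=True)
class FeederContext:
    """Study values for one relay location (all figures are constructed)."""
    max_load_a: float         # highest expected load current
    min_fault_a: float        # smallest fault current the relay must still detect
    grading_fault_a: float    # fault current at which grading is checked
    downstream: OcSetting     # setting of the next relay toward the load
    cti_s: float = 0.3        # required coordination time interval, seconds
    load_margin: float = 1.2  # pickup must exceed max load by this factor
    sensitivity: float = 1.5  # min fault must exceed pickup by this factor


def operate_time(setting, current_a):
    """Operating time in seconds; infinite when the current is below pickup."""
    multiple = current_a / setting.pickup_a
    if multiple <= 1.0:
        return math.inf
    return setting.tms * K / (multiple ** ALPHA - 1.0)


def check_setting_change(proposed, ctx):
    """Return the list of violated constraints; an empty list means accept."""
    if proposed.pickup_a <= 0 or proposed.tms <= 0:
        return ["invalid_value"]
    findings = []
    # Pickup too low: a normal load increase would be read as a fault.
    if proposed.pickup_a < ctx.load_margin * ctx.max_load_a:
        findings.append("pickup_below_load")
    # Pickup too high: the weakest real fault would no longer be detected.
    if proposed.pickup_a * ctx.sensitivity > ctx.min_fault_a:
        findings.append("pickup_above_min_fault")
    # Grading: this relay must stay slower than the downstream relay by the CTI,
    # otherwise a downstream fault disconnects more of the network than needed.
    t_down = operate_time(ctx.downstream, ctx.grading_fault_a)
    t_up = operate_time(proposed, ctx.grading_fault_a)
    if math.isfinite(t_down) and t_up - t_down < ctx.cti_s:
        findings.append("grading_margin_violated")
    return findings


# Constructed feeder: 300 A peak load, 1200 A minimum fault, grading at 4000 A.
CTX = FeederContext(max_load_a=300, min_fault_a=1200, grading_fault_a=4000,
                    downstream=OcSetting(pickup_a=200, tms=0.1))

if __name__ == "__main__":
    for label, s in [("in service", OcSetting(400, 0.25)),
                     ("pickup lowered", OcSetting(250, 0.25)),
                     ("pickup raised", OcSetting(1000, 0.25)),
                     ("TMS lowered", OcSetting(400, 0.05))]:
        print(f"{label:15s} -> {check_setting_change(s, CTX) or 'accepted'}")
```

A check of this kind is only as trustworthy as the study values it compares against, so those values need to be stored and updated outside the channel used to change relay settings.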

5. Research Gaps and Future Directions

We highlight some aspects of the cybersecurity of electrical protection relays that should be investigated further.
  • Limited Threat Analysis Specific to Protection Relays: Most cybersecurity studies focus on general industrial control systems without tailored threat modeling for electrical protection relays. This leads to gaps in understanding relay-specific vulnerabilities such as firmware manipulation, protocol exploitation, and timing attacks. At the same time, there is a lack of standardized testing frameworks. There is no universal or widely accepted framework for testing the cybersecurity of protection relays under realistic attack scenarios. Existing testing approaches often fail to simulate diverse adversarial tactics.
  • Underexplored Attack Scenarios on Relay Coordination: Research rarely addresses how coordinated cyber attacks can disrupt relay coordination, leading to cascading failures or delayed fault clearing in interconnected power grids.
  • Inadequate Real-Time Detection Mechanisms: Current Intrusion Detection Systems for protection relays struggle with real-time anomaly detection due to resource limitations and the need for ultra-fast fault clearing in power systems.
  • Vulnerabilities in Legacy Systems and Insufficient Integration of Cybersecurity with Relay Functions: Cybersecurity measures are often treated as an add-on rather than being integrated into the design and functionality of protection relays. This compromises the reliability and speed required for grid protection. Many power systems still rely on legacy relays with limited or no built-in cybersecurity features. The risks posed by these outdated systems are understudied.
Time constraints in protection relays, especially with protocols like GOOSE (Generic Object-Oriented Substation Events), can indeed limit the feasibility of deploying intrusion detection systems. While real-time IDS for protection relays is a promising area, also thanks to new deep-learning-based techniques [41], there are challenges where the stringent time constraints might make their implementation impractical or less effective. GOOSE messages, often used in critical protection schemes, require extremely low latencies (as low as 3–4 ms for high-priority events). Introducing an IDS that adds even minimal processing delays can jeopardize the relay’s ability to respond promptly to faults. Protection relays rely on deterministic communication; any delay caused by an IDS could lead to faults not being cleared in time, risking cascading failures. Moreover, an IDS must have an extremely low false positive rate in protection relays to avoid unnecessary interruptions in the power system. Achieving this while operating in real time is a significant technical challenge. Are IDSs always possible? Not always. For time-critical protocols like GOOSE, traditional IDS may not be feasible in their current form due to the reasons above. However, there are potential approaches to address these challenges, which we discuss below.

Future Research Directions

In order to address the research gaps highlighted in the previous section, we list some possible research directions to strengthen the cybersecurity of electrical protection relays.
  • Open-source resources: The availability of public datasets would significantly improve the development of solutions for cybersecurity in protection relays. Currently, the lack of openly accessible, high-quality datasets tailored to electrical protection systems is a major bottleneck in advancing research and development in this field [42,43]. Public datasets containing examples of normal operations and cyber attack scenarios (e.g., relay spoofing, denial-of-service attacks, GOOSE message manipulation) allow for more precise threat modeling tailored to protection relays. Public datasets that include both cyber (e.g., network traffic logs) and physical (e.g., relay trip times, power flows) data enable research on the interplay between cyber attacks and physical grid impacts.
  • Resilient control algorithms: Resilient control strategies are an essential aspect of improving the cybersecurity of protection relays, especially in scenarios where intrusion detection systems are impractical due to time constraints or resource limitations. These methods focus on ensuring that the system continues to function effectively, even when facing cyber attacks or operational disruptions. For protection relays, this means maintaining their ability to detect and isolate faults while minimizing the impact of compromised components or malicious activities. One key principle of resilient control is ensuring that critical functions can operate in a “graceful degradation” mode. If a relay or its communication network is attacked, the system should remain operational in a reduced but stable state, avoiding total failure. For instance, if a relay’s communication is disrupted, it can revert to local, hardcoded protection mechanisms. Similarly, resilient control emphasizes fault tolerance by incorporating redundancy and algorithms that can detect and compensate for abnormal behavior caused by attacks. For example, relays can verify decisions against neighboring devices to identify potential inconsistencies or malicious actions. Another important feature is self-healing, which refers to automatic recovery mechanisms that mitigate the impact of cyber attacks. If spoofed or manipulated messages compromise relay communication, self-healing techniques can include resetting the communication channel or reauthenticating connections. Decentralized decision-making also plays a critical role. In cases where central control systems are affected, individual relays can make decisions autonomously based on local measurements, maintaining protection operations even without external instructions.
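An added example, not taken from the reviewed papers: the majority rule for trip confirmation proposed in Ref. [14] combined with the fallback to local protection described in the bullet above. Relay identifiers, the function name and the quorum definition (a strict majority of the configured peers) are assumptions.

```python
"""Majority-rule trip confirmation with local fallback (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TripDecision:
    trip: bool
    reason: str


def decide_remote_trip(requester, peers, votes, local_fault, critical=False):
    """Decide how a backup relay answers a remote trip request.

    requester   -- id of the relay that sent the trip request
    peers       -- ids of the relays configured as confirmers for this line
    votes       -- {relay id: bool}, True if that relay also sees the fault;
                   a relay that did not answer is simply absent
    local_fault -- whether this relay's own measurements indicate a fault
    critical    -- True if remote trip requests are disabled on this relay
    """
    if critical:
        # Critical relays ignore remote requests and act on local data only.
        return TripDecision(local_fault, "remote_disabled_local_only")

    # Only configured peers count, and the requester cannot confirm itself.
    eligible = set(peers) - {requester}
    valid = {rid: bool(v) for rid, v in votes.items() if rid in eligible}
    quorum = len(eligible) // 2 + 1  # strict majority of configured peers

    if len(valid) < quorum:
        # Too few peers answered (link failure or DoS): degrade gracefully to
        # local protection instead of trusting whoever is still talking.
        return TripDecision(local_fault, "degraded_local_only")

    if sum(valid.values()) >= quorum:
        return TripDecision(True, "majority_confirmed")
    return TripDecision(False, "majority_rejected")


def run_scenarios():
    """Constructed scenarios; R1 is the primary relay, R2..R4 are peers."""
    peers = {"R2", "R3", "R4"}
    return {
        # Real fault: every peer sees it.
        "real_fault": decide_remote_trip(
            "R1", peers, {"R2": True, "R3": True, "R4": True}, True),
        # Request and one confirmation come from compromised relays (R1, R2);
        # the self-vote and the vote from unknown R9 are discarded.
        "false_confirmation": decide_remote_trip(
            "R1", peers,
            {"R1": True, "R2": True, "R3": False, "R4": False, "R9": True},
            False),
        # Responses from R3 and R4 are dropped; only the compromised peer answers.
        "peers_unreachable_no_fault": decide_remote_trip(
            "R1", peers, {"R2": True}, False),
        # Same loss of communication during a real fault seen locally.
        "peers_unreachable_fault": decide_remote_trip(
            "R1", peers, {}, True),
        # Critical relay: remote request ignored even with full confirmation.
        "critical_relay": decide_remote_trip(
            "R1", peers, {"R2": True, "R3": True, "R4": True}, False,
            critical=True),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:28s} trip={decision.trip!s:5s} {decision.reason}")
```

Counting the quorum over the configured peers rather than over the answers received is what keeps a single compromised peer from forming a majority when the other responses are dropped.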
Moreover, there is a need for a standardization effort. The main standards for testing the cybersecurity of Intelligent Electronic Devices are IEC 62443 [44] and IEEE 1686 [45]. IEC 62443 offers a general framework for securing industrial automation systems, while IEEE 1686 defines functional security requirements for IEDs in substations, such as access control and logging. However, these standards do not specifically address the unique cybersecurity challenges of electrical protection relays. For example, they lack tests tailored to the critical real-time functions of relays, which must trip breakers within milliseconds.
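As an added illustration (not code from this review or from any of the surveyed works), the following sketch combines three of the resilient control principles listed above: fallback to local protection when communication is lost, verification of a remote trip command against neighboring relays, and a flag that requests channel re-authentication. The names `decide`, `NeighborReport`, and `Decision`, the pickup value, and the staleness window are hypothetical assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed settings for illustration; not taken from the paper or any standard.
PICKUP_A = 800.0       # local overcurrent pickup, amperes
STALE_AFTER_MS = 20    # neighbor reports older than this are discarded


class Mode(Enum):
    COORDINATED = "coordinated"  # fresh neighbor data is available
    LOCAL_ONLY = "local_only"    # graceful degradation: comms lost or stale


@dataclass(frozen=True)
class NeighborReport:
    relay_id: str
    sees_fault: bool    # the neighbor's own local fault verdict
    timestamp_ms: int   # when the neighbor produced the report


@dataclass(frozen=True)
class Decision:
    trip: bool
    mode: Mode
    suspicious: bool    # True also requests channel reset / re-authentication
    reason: str


def decide(local_current_a, remote_trip_cmd, reports, now_ms):
    """Resilient trip decision for one relay (hypothetical logic)."""
    local_fault = local_current_a >= PICKUP_A
    # Drop stale reports and reports stamped in the future (replayed or skewed).
    fresh = [r for r in reports
             if 0 <= now_ms - r.timestamp_ms <= STALE_AFTER_MS]

    if not fresh:
        # Degraded mode: remote commands cannot be corroborated, so only the
        # hardcoded local element may trip the breaker.
        return Decision(local_fault, Mode.LOCAL_ONLY,
                        remote_trip_cmd and not local_fault,
                        "no fresh neighbor data; local protection only")

    fault_votes = sum(r.sees_fault for r in fresh)
    neighbors_see_fault = 2 * fault_votes > len(fresh)  # strict majority

    if local_fault:
        # Local protection is never suppressed by remote information.
        return Decision(True, Mode.COORDINATED, False, "local pickup exceeded")
    if remote_trip_cmd and neighbors_see_fault:
        return Decision(True, Mode.COORDINATED, False,
                        "remote trip corroborated by neighbors")
    if remote_trip_cmd:
        # Command contradicts both local and neighbor measurements.
        return Decision(False, Mode.COORDINATED, True,
                        "remote trip rejected: no physical evidence")
    return Decision(False, Mode.COORDINATED, False, "no fault")
```

The design choice worth noting is asymmetry: remote information can add a trip only when corroborated, but it can never block the local element, so a spoofed message cannot disable protection.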

6. Conclusions

The digitalization of electrical protection relays has enhanced power system reliability but has also introduced significant cybersecurity risks. This paper reviewed key challenges, including attack models, risk assessment, mitigation strategies, and future research directions.
Despite progress, critical gaps remain. Existing cybersecurity studies often overlook relay-specific threats like firmware manipulation, protocol exploitation, and timing attacks. The lack of standardized testing frameworks limits effective evaluation, while underexplored attack scenarios with relay coordination pose risks of cascading failures. Additionally, real-time detection mechanisms remain inadequate, struggling to balance accuracy with the fast response times required for grid protection.
Cybersecurity is often treated as an add-on rather than integrated into relay design, reducing its effectiveness. Legacy systems with minimal security features further heighten risks. Addressing these challenges requires tailored threat modeling, standardized testing, and AI-driven real-time detection. Future research should prioritize integrated security approaches and proactive defense mechanisms to enhance relay resilience. Collaboration among researchers, industry stakeholders, and policymakers will be crucial for securing modern power grids against evolving cyber threats.

Author Contributions

Conceptualization, G.B.G.; methodology, G.B.G.; validation, G.B.G.; investigation, G.B.G.; resources, P.G. and M.M.; data curation, G.B.G.; writing—original draft preparation, G.B.G.; writing—review and editing, G.B.G.; supervision, P.G. and M.M.; project administration, P.G. and M.M.; funding acquisition, P.G. and M.M. All authors have read and agreed to the published version of the manuscript.

Funding

This work was partially supported by project RAISE under the MUR National Recovery and Resilience Plan funded by the European Union—NextGenerationEU.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
GOOSE: Generic Object-Oriented Substation Event
SV: Sampled Values
V2G: Vehicle to grid
IED: Intelligent Electronic Device
PMU: Phasor Measurement Unit
WAMS: Wide Area Measurement System

References

  1. Velini, A.; Minetti, M.; Bruno, S.; Bonfiglio, A.; Procopio, R.; La Scala, M. Renewable energy communities virtual islanding: A decentralized service to improve distribution grid security. Sustain. Energy Grids Netw. 2025, 42, 101700.
  2. Minetti, M.; Fresia, M. A Review of Primary and Secondary Control for Islanded No-Inertia Microgrids. In Proceedings of the 2021 IEEE International Conference on Environment and Electrical Engineering and 2021 IEEE Industrial and Commercial Power Systems Europe (EEEIC/I&CPS Europe), Bari, Italy, 7–10 September 2021; pp. 1–7.
  3. Gaggero, G.; Piserà, D.; Girdinio, P.; Silvestro, F.; Marchese, M. From Microgrids to Virtual Power Plants: A Cybersecurity Perspective. In IoT Enabled-DC Microgrids; CRC Press: Boca Raton, FL, USA, 2024; pp. 103–120.
  4. Bonfiglio, A.; La Fata, A.; Minetti, M. A pattern recognition based tool for smart distribution networks reconfiguration. Electr. Power Syst. Res. 2025, 248, 111890.
  5. Armellin, A.; Gaggero, G.B.; Cattelino, A.; Piana, L.; Raggi, S.; Marchese, M. Integrating OT data in SIEM platforms: An Energy Utility Perspective. In Proceedings of the 2023 International Conference on Electrical, Communication and Computer Engineering (ICECCE), Dubai, United Arab Emirates, 30–31 December 2023; pp. 1–7.
  6. Vaidya, B.; Makrakis, D.; Mouftah, H.T. Authentication and authorization mechanisms for substation automation in smart grid network. IEEE Netw. 2013, 27, 5–11.
  7. Langer, L.; Skopik, F.; Smith, P.; Kammerstetter, M. From old to new: Assessing cybersecurity risks for an evolving smart grid. Comput. Secur. 2016, 62, 165–176.
  8. Reda, H.T.; Ray, B.; Peidaee, P.; Anwar, A.; Mahmood, A.; Kalam, A.; Islam, N. Vulnerability and impact analysis of the IEC 61850 GOOSE protocol in the smart grid. Sensors 2021, 21, 1554.
  9. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71.
  10. Conti, M.; Donadel, D.; Poovendran, R.; Turrin, F. Evexchange: A relay attack on electric vehicle charging system. In Proceedings of the European Symposium on Research in Computer Security; Springer: Cham, Switzerland, 2022; pp. 488–508.
  11. Rajkumar, V.S.; Tealane, M.; Ştefanov, A.; Palensky, P. Cyber attacks on protective relays in digital substations and impact analysis. In Proceedings of the 2020 8th IEEE Workshop on Modeling and Simulation of Cyber-Physical Energy Systems, Sydney, Australia, 21 April 2020; pp. 1–6.
  12. IEC 61850:2025; Series—Communication Networks and Systems for Power Utility Automation. International Electrotechnical Commission: Geneva, Switzerland, 2025.
  13. Ward, S.; O’Brien, J.; Beresh, B.; Benmouyal, G.; Holstein, D.; Tengdin, J.T.; Fodero, K.; Simon, M.; Carden, M.; Yalla, M.V.; et al. Cyber security issues for protective relays; c1 working group members of power system relaying committee. In Proceedings of the 2007 IEEE Power Engineering Society General Meeting, Tampa, FL, USA, 24–28 June 2007; pp. 1–8.
  14. Zhang, J.; Dong, Y. Cyber attacks on remote relays in smart grid. In Proceedings of the 2017 IEEE Conference on Communications and Network Security (CNS), Las Vegas, NV, USA, 9–11 October 2017; pp. 1–9.
  15. Sukumara, T.; Starck, J.; Vellore, J.; Kumar, E.; Harish, G. Cyber security—Securing the protection and control relay communication in substation. In Proceedings of the 2018 IEEE 71st Annual Conference for Protective Relay Engineers (CPRE), College Station, TX, USA, 26–29 March 2018; pp. 1–7.
  16. Gaggero, G.B.; Rossi, M.; Girdinio, P.; Marchese, M. Cybersecurity issues in communication-based electrical protections. In Proceedings of the 2022 IEEE International Conference on Electrical, Computer and Energy Technologies (ICECET), Prague, Czech Republic, 20–22 July 2022; pp. 1–6.
  17. Gupta, N.K.; Gangolu, S.; Kumar, H. Impacts of Cyber Attack on Performance of Current-Based Relays in Transmission Lines. In Proceedings of the 2024 IEEE International Conference on Computer, Electronics, Electrical Engineering & Their Applications (IC2E3), Srinagar Garhwal, India, 6–7 June 2024; pp. 1–6.
  18. Yadav, S.; Kishor, N.; Purwar, S.; Chakrabarti, S. Indirect Cyber-Physical Attack with Combined Circuit Breaker and Excitation System. In Proceedings of the IEEE EUROCON 2023—20th International Conference on Smart Technologies, Torino, Italy, 6–8 July 2023; pp. 204–209.
  19. Elrawy, M.F.; Hadjidemetriou, L.; Laoudias, C.; Michael, M.K. Modelling and analysing security threats targeting protective relay operations in digital substations. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience (CSR), Venice, Italy, 31 July–2 August 2023; pp. 523–529.
  20. Gupta, N.K.; Gangolu, S. Performance of Distance Relay Against Cyber Attack in Transmission Lines. In Proceedings of the 2024 IEEE 4th International Conference on Sustainable Energy and Future Electric Transportation (SEFET), Hyderabad, India, 31 July–3 August 2024; pp. 1–6.
  21. Liu, X.; Shahidehpour, M.; Li, Z.; Liu, X.; Cao, Y.; Li, Z. Power system risk assessment in cyber attacks considering the role of protection systems. IEEE Trans. Smart Grid 2016, 8, 572–580.
  22. McDermott, T.E.; Doty, J.D.; O’Brien, J.G.; Eppinger, C.R.; Becejac, T. Cybersecurity for Distance Relay Protection; Technical Report; Pacific Northwest National Lab. (PNNL): Richland, WA, USA, 2020.
  23. Narang, J.K.; Bag, B. Deep learning-based integrated attack detection framework to protect distance relays against cyberattacks. Electr. Power Syst. Res. 2024, 231, 110346.
  24. Gupta, K.; Mohanty, R.; Sahoo, S.; Panigrahi, B.K. Cyber intrusion detection for line current differential relays in DC distribution system. Sustain. Energy Grids Netw. 2023, 34, 101065.
  25. Khaw, Y.M.; Jahromi, A.A.; Arani, M.F.; Sanner, S.; Kundur, D.; Kassouf, M. A deep learning-based cyberattack detection system for transmission protective relays. IEEE Trans. Smart Grid 2020, 12, 2554–2565.
  26. Ameli, A.; Ayad, A.; El-Saadany, E.F.; Salama, M.M.; Youssef, A. A learning-based framework for detecting cyber-attacks against line current differential relays. IEEE Trans. Power Deliv. 2020, 36, 2274–2286.
  27. Suman, A.A.; Sarangi, S. A Novel Approach for Cyber Attack Detection and Mitigation in Differential Relays Using WAMs Data. In Proceedings of the 2024 IEEE 4th International Conference on Sustainable Energy and Future Electric Transportation (SEFET), Hyderabad, India, 31 July–3 August 2024; pp. 1–6.
  28. Tripathi, A.M.; Yadav, R.; Pradhan, A.K. A Novel Approach for Enhancing Cyber Resiliency in Distance Relay using PCA and Random Forest. In Proceedings of the 2024 IEEE 15th International Conference on Computing Communication and Networking Technologies (ICCCNT), Kamand, India, 24–28 June 2024; pp. 1–5.
  29. Ameli, A.; Hooshyar, A.; El-Saadany, E.F.; Youssef, A.M. An intrusion detection method for line current differential relays. IEEE Trans. Inf. Forensics Secur. 2019, 15, 329–344.
  30. Ameli, A.; Saleh, K.A.; Kirakosyan, A.; El-Saadany, E.F.; Salama, M.M. An intrusion detection method for line current differential relays in medium-voltage DC microgrids. IEEE Trans. Inf. Forensics Secur. 2020, 15, 3580–3594.
  31. Sheng, S.; Chan, W.L.; Li, K.; Xianzhong, D.; Xiangjun, Z. Context information-based cyber security defense of protection system. IEEE Trans. Power Deliv. 2007, 22, 1477–1481.
  32. Hong, J.; Nuqui, R.F.; Kondabathini, A.; Ishchenko, D.; Martin, A. Cyber attack resilient distance protection and circuit breaker control for digital substations. IEEE Trans. Ind. Inform. 2018, 15, 4332–4341.
  33. Pola, S.; Jovanovic, M.; Azzouz, M.A.; Mirhassani, M. Cyber resiliency enhancement of overcurrent relays in distribution systems. IEEE Trans. Smart Grid 2023, 15, 4063–4076.
  34. Jahromi, M.Z.; Jahromi, A.A.; Sanner, S.; Kundur, D.; Kassouf, M. Cybersecurity enhancement of transformer differential protection using machine learning. In Proceedings of the 2020 IEEE Power & Energy Society General Meeting (PESGM), Montreal, QC, Canada, 2–6 August 2020; pp. 1–5.
  35. Rrushi, J.L. Defending electrical substations against 0-day malware through decoy I/O in protective relays. In Proceedings of the 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech), Orlando, FL, USA, 6–10 November 2017; pp. 486–493.
  36. Ameli, A.; Hooshyar, A.; El-Saadany, E.F. Development of a cyber-resilient line current differential relay. IEEE Trans. Ind. Inform. 2018, 15, 305–318.
  37. Yousefi kia, M.; Saniei, M.; Seifossadat, S.G. A novel cyber-attack modelling and detection in overcurrent protection relays based on wavelet signature analysis. IET Gener. Transm. Distrib. 2023, 17, 1585–1600.
  38. Rajaee, M.; Mazlumi, K. Multi-agent distributed deep learning algorithm to detect cyber-attacks in distance relays. IEEE Access 2023, 11, 10842–10849.
  39. Khaw, Y.M.; Jahromi, A.A.; FM, A.M.; Kundur, D.; Sanner, S.; Kassouf, M. Preventing false tripping cyberattacks against distance relays: A deep learning approach. In Proceedings of the 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), Beijing, China, 21–23 October 2019; pp. 1–6.
  40. Kulikov, A.; Loskutov, A.; Bezdushniy, D. Relay protection and automation algorithms of electrical networks based on simulation and machine learning methods. Energies 2022, 15, 6525.
  41. Gaggero, G.B.; Girdinio, P.; Marchese, M. Artificial Intelligence and Physics-Based Anomaly Detection in the Smart Grid: A Survey. IEEE Access 2025, 13, 23597–23606.
  42. Gaggero, G.B.; Armellin, A.; Portomauro, G.; Marchese, M. Industrial control system-anomaly detection dataset (ICS-ADD) for cyber-physical security monitoring in smart industry environments. IEEE Access 2024, 12, 64140–64149.
  43. Faramondi, L.; Flammini, F.; Guarino, S.; Setola, R. A hardware-in-the-loop water distribution testbed dataset for cyber-physical security testing. IEEE Access 2021, 9, 122385–122396.
  44. IEC 62443-2-1:2024; Security for Industrial Automation and Control Systems: Part 2-1: Security Program Requirements for IACS Asset Owners. International Electrotechnical Commission: Geneva, Switzerland, 2024.
  45. IEEE Std 1686™-2022; Standard for Intelligent Electronic Devices Cyber Security Capabilities. Institute of Electrical and Electronics Engineers: Piscataway, NJ, USA, 2022.
Figure 1. PRISMA flowchart.
Table 2. List of papers with citation, title, year, and type.

| Citation | Title | Year | Type |
|---|---|---|---|
| [23] | Deep learning-based integrated attack detection framework to protect distance relays against cyberattacks | 2024 | Journal |
| [24] | Cyber intrusion detection for line current differential relays in DC distribution system | 2023 | Journal |
| [25] | A deep learning-based cyberattack detection system for transmission protective relays | 2020 | Journal |
| [26] | A learning-based framework for detecting cyber-attacks against line current differential relays | 2020 | Journal |
| [27] | A Novel Approach for Cyber Attack Detection and Mitigation in Differential Relays Using WAMs Data | 2024 | Conference |
| [28] | A Novel Approach for Enhancing Cyber Resiliency in Distance Relay using PCA and Random Forest | 2024 | Conference |
| [29] | An intrusion detection method for line current differential relays | 2019 | Journal |
| [30] | An intrusion detection method for line current differential relays in medium-voltage DC microgrids | 2020 | Journal |
| [31] | Context information-based cyber security defense of protection system | 2007 | Journal |
| [32] | Cyber attack resilient distance protection and circuit breaker control for digital substations | 2018 | Journal |
| [33] | Cyber resiliency enhancement of overcurrent relays in distribution systems | 2023 | Journal |
| [34] | Cybersecurity enhancement of transformer differential protection using machine learning | 2020 | Conference |
| [35] | Defending electrical substations against 0-day malware through decoy I/O in protective relays | 2017 | Conference |
| [36] | Development of a cyber-resilient line current differential relay | 2018 | Journal |
| [37] | A novel cyber-attack modelling and detection in overcurrent protection relays based on wavelet signature analysis | 2023 | Journal |
| [38] | Multi-agent distributed deep learning algorithm to detect cyber-attacks in distance relays | 2023 | Journal |
| [39] | Preventing false tripping cyberattacks against distance relays: A deep learning approach | 2019 | Conference |
| [40] | Relay protection and automation algorithms of electrical networks based on simulation and machine learning methods | 2022 | Journal |