Article

A Review on Protection and Cybersecurity in Hybrid AC/DC Microgrids: Conventional Challenges and AI/ML Approaches

Klipsch School of Electrical and Computer Engineering, New Mexico State University, Las Cruces, NM 88003-8001, USA
*
Authors to whom correspondence should be addressed.
Energies 2026, 19(3), 744; https://doi.org/10.3390/en19030744
Submission received: 19 December 2025 / Revised: 22 January 2026 / Accepted: 27 January 2026 / Published: 30 January 2026

Abstract

Hybrid AC/DC microgrids (HMGs) are increasingly recognized as a solution for the transition toward future energy systems because they can combine the efficiency of DC networks with an AC system. Despite these advantages, HMGs still face challenges in protection, cybersecurity, and reliability. Conventional protection schemes often fail due to reduced fault currents and the dominance of power electronic converters in islanded or dynamically reconfigured topologies. At the same time, IEC 61850 protocols remain vulnerable to advanced cyberattacks such as Denial of Service (DoS), false data injection (FDIA), and man-in-the-middle (MITM), posing serious threats to the stability and operational security of intelligent power networks. Previous surveys have typically examined these challenges in isolation; however, this paper provides the first integrated review of HMG protection across three complementary dimensions: traditional protection schemes, cybersecurity threats, and artificial intelligence/machine learning (AI/ML)-based approaches. By analyzing more than 100 studies published between 2012 and 2024, we show that AI/ML methods in simulation environments can achieve detection accuracies of 95–98% with response times under 10 ms, although these values are case-specific and depend on the evaluation setting, such as network scale, sampling configuration, noise levels, inverter control mode, and whether results are obtained in simulation, hardware-in-the-loop (HIL)/real-time digital simulator (RTDS), or field conditions. Nevertheless, the absence of standardized datasets and limited field validation remain key barriers to industrial adoption. Likewise, existing cybersecurity frameworks provide acceptable protection timing but lack resilience against emerging threats, while conventional methods underperform in clustered and islanded scenarios.
Therefore, the future of HMG protection requires the integration of traditional schemes, resilient cybersecurity architectures, and explainable AI models, along with the development of benchmark datasets, hardware-in-the-loop validation, and implementation on platforms such as field-programmable gate array (FPGA) and μPMU.

1. Introduction

HMGs have recently emerged as a strategic framework for the transformation of modern power systems. By combining the flexibility of alternating current (AC) networks with the efficiency of direct current (DC) networks, HMGs enable the large-scale integration of renewable energy sources (RESs), energy storage systems (ESSs), and smart loads across multiple voltage levels [1,2,3]. This type of architecture plays a vital role in improving resilience, power quality, and operational reliability, especially in clustered microgrids and active distribution networks (ADNs) [4,5,6]. In addition to academic research, industrial adoption of HMGs is increasing in domains such as data centers, electric transportation, and mission-critical microgrids, including hospitals, where high reliability and operational flexibility are essential.
Despite these advantages, protection against faults in HMGs is significantly more complex than in conventional power systems. The reduction of fault currents due to power electronic converters (PECs) and the interaction between AC and DC subnetworks have limited the effectiveness of traditional schemes such as overcurrent relays (OCRs), distance relays, and differential relays [7,8,9,10]. In addition, the development of DC circuit breakers (DCCBs) and arc extinction technologies has created challenges related to cost and speed of interruption [11].
From communications and cybersecurity perspectives, the IEC 61850 standard [12] and its protocols, such as generic object-oriented substation events (GOOSE), sampled values (SVs), and manufacturing message specification (MMS), have reduced fault-clearing times. However, the lack of robust encryption and authentication mechanisms makes them vulnerable to cyberattacks such as DoS, FDIA, Replay Attacks, and MITM intrusions [13,14,15,16]. Recent studies show that intrusion detection systems (IDSs) based on AI and machine learning (ML), particularly Explainable AI (XAI), can detect such attacks with high accuracy. However, they have not been tested widely in HIL and RTDS environments, as well as in real-world industrial applications [17,18,19].
To address these limitations, a wide range of AI/ML-based approaches have been developed in recent years. These include feature engineering and signal processing techniques such as dq0 transformations, fast Fourier transform (FFT), and discrete wavelet transform (DWT) [20,21,22]; deep learning (DL) architectures such as convolutional neural networks (CNNs), recurrent neural networks (RNNs), and Transformers [23,24,25,26,27]; as well as hybrid models that integrate multiple paradigms [28,29,30,31,32]. Although these methods have shown promising accuracy and response times in simulation environments, their transfer to industrial practice is still hindered by the lack of real-world datasets, dataset bias, and the absence of standard benchmarks [5,33,34,35,36].
The novelty of this paper lies in the presentation, for the first time, of a systematic and integrated review of HMG protection in three complementary domains: conventional fault and protection methods, cybersecurity threats, and AI/ML-based solutions, whereas previous surveys have focused on only one of these areas. This article seeks to bridge the gap between academic research and industrial requirements, offering a comprehensive perspective on both the technical and cyber dimensions of HMG protection.
This article surveys more than 100 academic papers between 2012 and 2024, providing an in-depth overview of recent advances, challenges, and future paths in HMG protection. The remainder of the paper is organized as follows: Section 2 reviews HMG architectures and operational opportunities; Section 3 examines conventional faults and protection methods; Section 4 analyzes cybersecurity threats and mitigation strategies; Section 5 focuses on the role of AI/ML in fault detection and localization; Section 6 discusses open challenges and limitations; and finally, Section 7 presents concluding remarks.

2. Architecture and Operational Configurations of Hybrid AC/DC Microgrids

A hybrid AC/DC microgrid is a localized energy system composed of distributed generation (DG) units or distributed energy resources (DERs) together with local loads. It can operate in both grid-connected and islanded modes. The variability of DER outputs is an important factor that drives the need for advanced management and control strategies to ensure the stability, quality, and reliability of the power system [2]. In this structure, AC and DC subgrids are interconnected through interlinking converters (ILCs) at one or more points of common coupling (PCCs), enabling controlled power exchange between the two domains [37]. Recent improvements in technology for energy generation, as well as in energy conversion technologies such as solid-state transformers (SSTs), have opened new horizons for the integration of AC and DC energy sources.
The secure operation of HMGs faces three fundamental challenges: (i) bidirectional power flow and dynamic topologies, (ii) the interaction of power electronic devices and fault current limitations, and (iii) the coordination of protection with communication and cybersecurity constraints. These factors not only change the fault characteristics but also restrict the effectiveness of conventional protection schemes.
1. Bidirectional power flow and topology variability: In HMGs, the presence of AC and DC sub-networks connected by ILCs makes power flow inherently bidirectional and network paths quite dynamic. Changes in operating modes such as grid-connected, islanded, or clustered and load-sharing can change how protection functions behave [37,38,39].
2. Power electronic interactions and fault current limitation: Unlike conventional synchronous generators, inverters and power electronic converters inherently limit fault currents due to semiconductor constraints and control strategies. While some studies report short-term fault currents in the range of 2–3 times the rated current for very brief durations, practical grid-connected inverters used in industrial applications typically limit fault currents to approximately 1.1–1.3 times the rated current, rarely exceeding 1.5 p.u., often for durations below 20 ms [3,7,8]. As a result, current-based protection relays become less effective, making differential or impedance-based protection schemes more suitable [3].
3. Protection coordination and cybersecurity concerns: The IEC 61850 standard and its GOOSE/SV/MMS messages have reduced single-phase fault clearing times to approximately 47 ms and reclosure times to about 74 ms [13]. Nevertheless, cyber vulnerabilities remain a pressing challenge. Attacks can disrupt protective functions even when relay settings are properly configured [14,15].

3. Conventional Faults and Protections in Hybrid AC/DC Microgrids

3.1. Fault Propagation and Topological Challenges

Fault behaviors in HMGs are considerably more complex than in conventional distribution systems due to the variety of sources, ILCs, and diverse loads. Without proper protection, a fault in one subgrid can spread to the other through the ILCs, resulting in multi-domain transient dynamics that make fault detection and isolation a major challenge.
Typically, the short-circuit capacity (SCC) in low-voltage (LV) systems is higher than in medium-voltage (MV) systems and directly affects relay settings and coordination; therefore, independent protection profiles and hierarchical coordination in the Microgrid Central Controller (MGCC) should be set up. In addition, the network topology, whether radial, ring, or meshed, plays a crucial role in the fault characteristics and values, and ultimately affects protection design.
  • In radial topologies, simplicity in design and protection coordination is a significant advantage; however, bidirectional power flow requires the protection to use directional and adaptive logic to maintain selectivity.
  • In ring topologies, the different parallel pathways can improve reliability; however, they also increase the likelihood of sympathetic tripping and make it difficult to clearly define fault boundaries without the use of a directional or differential protection scheme.
  • In meshed topologies, the presence of multiple AC/DC pathways and several interlink converters provides maximum operational flexibility and resource sharing. Nevertheless, protection coordination in such configurations relies heavily on high-speed communication and adaptive relay settings.
In summary, Table 1 classifies the common types of faults in HMGs and their corresponding protection implications. This table offers a comprehensive overview of fault environments, types, and related protection challenges, serving as the analytical foundation for the subsequent subsections.

3.2. Conventional AC Protections (OCR/DOCR, Distance, Differential)

In HMGs, AC side protection remains primarily based on classical relay schemes; however, topological variability affects the selectivity and reliability.
OCR/DOCR are simple and widely used, yet under islanded operation, their sensitivity significantly decreases due to the limited fault current contribution from inverter-dominated sources, sometimes falling below 30% of the nominal current. Moreover, bidirectional power flow can cause relay blinding in upstream devices. To mitigate these issues, recent studies have proposed adaptive OCRs whose settings dynamically adjust according to the network topology and the operational mode of DER [4,5,46,47,48].
Distance relays, which operate based on the measurement of apparent impedance, are highly effective for long transmission lines but prone to under-reach and over-reach errors in short microgrid feeders. Recent research [4] has introduced hybrid impedance-based models to enhance fault-location accuracy, in which the equivalent impedance at the relay point can be expressed as
$$Z_{eq} = \frac{V_{pg}}{I_{Rp}} = R_f + jX_f$$
where $V_{pg}$ and $I_{Rp}$ denote, respectively, the pole-to-ground voltage and the relay-side current at the fault-detection frequency $f_d$. This formulation enables precise estimation of fault location in both AC and DC sub-nets.
Differential protection provides the highest level of selectivity, with fault detection times typically in the range of 20–40 ms, making it ideal for critical components such as transformers, buses, and switchgear [49,50]. Although it requires high-speed communication and accurate time synchronization, it offers accuracy and dependability.
Overall, OCR, distance, and differential schemes continue to play a key role in AC protection for HMGs. Nonetheless, in areas where inverters are used, the development of hybrid, adaptive, and data-driven approaches is essential to improve protection accuracy and resilience.

3.3. Conventional DC Protections (Arc Interruption, DC Circuit Breakers, and dI/dt–dV/dt Methods)

In DC systems, the absence of natural current zero-crossing makes arc extinction significantly more challenging than on AC sides [4,11,46,47]. Consequently, fuses and mechanical circuit breakers—with interruption times typically ranging from 5 to 30 ms—are often inadequate (see Figure 1). In contrast, hybrid DC breakers can interrupt faults within the range of 1–2 ms, while solid-state circuit breakers (SSCBs) achieve effective operation in a few tens of microseconds [10,42].
In DC microgrids, derivative-based protection techniques, such as those relying on the rate of change of current or voltage (di/dt and dv/dt), are widely used for fast fault detection [11,25,51,52]. These methods can identify unexpected variations in current or voltage in less than 1 ms; however, accurate threshold setting and noise immunity remain key challenges [4,29].
The transient current after a fault can be expressed as:
$$\frac{di(t)}{dt} = \frac{v_C(0)}{L} - \frac{i_L(0)\,R}{L}$$
where $v_C(0)$ is the initial voltage of the DC-link capacitor and $i_L(0)$ is the initial current of the inductor. This formulation indicates that the initial rate of change of current is governed by the interplay between the stored energy in the DC-link capacitor and the resistive–inductive characteristics of the fault path. Consequently, a large $\frac{di}{dt}$ may occur when the line inductance is small or when the capacitor voltage is high, conditions commonly observed in converter-based DC microgrids. Such dependence on initial system states implies that fixed-threshold derivative schemes may fail to provide reliable discrimination under varying operating conditions, thereby reinforcing the need for adaptive or data-driven threshold selection.
Recent studies have proposed multi-source data fusion to enhance detection reliability. For instance, refs. [29,53,54] indicate that combining electrical and switching information through Bayesian networks, Dempster–Shafer evidence theory, and compressed sensing can reduce the fault-detection error rate to below 5%.
As discussed in this section, many faults in hybrid AC/DC microgrids originate from physical and electro-electronic phenomena, including short circuits, converter-related disturbances, and fast DC transients. However, modern microgrids also rely heavily on communication and digital control layers for monitoring, coordination, and protection actions. This dependence introduces another class of non-physical disturbances, such as communication failures and cybersecurity attacks, that can manipulate, delay, or disrupt critical signals and consequently degrade protection performance or system stability. Therefore, the next section provides a detailed discussion of cybersecurity threats in hybrid AC/DC microgrids and the corresponding protection and mitigation approaches.

4. Cybersecurity in Hybrid AC/DC Microgrids

Cybersecurity has become an important issue in hybrid and smart grid environments, as the operation of the power system increasingly relies on the resilience of its digital and communication layers. Even relatively minor intrusions have the potential to grow into much larger disturbances, sometimes leading to local malfunctions but in other cases leading to broader outages that affect system stability and reliability [17]. As hybrid AC and DC microgrids have continued to advance, the nature of these risks has continued to evolve. Recent modernization efforts have moved utilities away from traditional hardware-based communication toward Ethernet-oriented networks built around the IEC 61850 standard. This transition has supported faster data exchange and greater interoperability across devices. The initial versions of the standards lacked explicit security provisions, a limitation that has since been linked to several documented vulnerabilities [55].
Interlinking converters (ILCs) that connect AC and DC subnetworks become especially important in this context. Because they play a coordinating role across domains, they can unintentionally provide a pathway through which a cyberattack can affect both sides of the microgrid simultaneously. While most existing studies primarily examine cyberattacks at the communication or protocol level, their implications for the control dynamics and physical stability of the DC subgrid, particularly through the DC-link voltage regulation loop, have not been systematically analyzed. This gap becomes especially critical in the context of FDIAs, whose cross-domain impact can compromise both operational security and dynamic stability in hybrid AC/DC microgrids [56]. A key distinction also exists between disturbances caused by technical issues, such as coordination errors or current-related limitations, and those caused by deliberate cyberattacks. While traditional faults stem from physical conditions, attacks can intentionally falsify or manipulate the same signals to mislead system operators or protection devices. This difference makes it clear that conventional protection schemes alone cannot address emerging threats, and additional cybersecurity layers are necessary to safeguard system operation [14,15].
For this reason, relying solely on IEC 61850 [12] is not sufficient for ensuring a secure architecture. Over the past decade, a broad set of international and national standards has been introduced to fill these gaps. Some standards concentrate on securing communication protocols and data exchange (for example, IEC 62351 [57]), others outline security principles for industrial control system architectures (such as IEC 62443 [58] and NIST SP 800-82 [59]), and additional frameworks focus on organizational policies and regulatory guidance (e.g., the NIST Cybersecurity Framework and national regulations) [60]. Table 2 summarizes the scope and contributions of these standards and highlights how they collectively reinforce the cybersecurity posture of microgrids and emerging smart grids.

4.1. Architecture and Communication Layers in Smart Grids

The architecture of smart grids is multi-layered and supports a wide range of data exchanges, from individual households to centralized utility control rooms. This architecture is categorized into three main tiers: the home area network (HAN), the neighborhood area network (NAN), and the wide area network (WAN).
At the HAN level, customer-side devices, such as smart meters, communication gateways, and home energy management systems (HEMSs), gather detailed consumption information and relay it to upstream systems. In the NAN layer, these individual data streams are collected and passed to regional nodes using technologies like Wireless Smart Utility Network (Wi-SUN), Power Line Communication (PLC), or local routing devices [65]. When viewed from the system level, the wide area network essentially serves as the channel through which utility control platforms communicate with equipment in the field. These applications include supervisory control and data acquisition (SCADA), energy management systems, and distribution management systems, each of which depends on steady access to information coming from substations, distributed energy resources, and phasor measurement units. The wide area network therefore plays a central role, since these devices rely on stable long-distance communication to support real-time monitoring and coordinated control across the grid [55,66,67].
Within these layers of the communication architecture, the selection of protocols has a strong influence on how the grid performs and how secure it remains in practice. In the Process Bus, for instance, sampled value messages are used to transmit detailed current and voltage information at very short intervals, while GOOSE messages are intended for fast protection actions and are usually delivered within a few milliseconds [13,14,15]. These protocols were designed to satisfy demanding real-time requirements, but they were introduced before security considerations became central. As a result, they can be exposed to risks such as false data injection. On the Station Bus, the Manufacturing Message Specification protocol is widely used to support supervisory activities, device configuration, and routine monitoring. Although its communication speed is lower than that of the Process Bus, this protocol offers a useful degree of flexibility for managing information across the system. This performance gap, combined with the reality that the protocol predates many of today’s cybersecurity concerns, has made it necessary in most deployments to introduce supplementary protective measures in order to maintain both reliable and secure operation [66].
For long-distance communication between substations and control centers, protocols such as IEC 60870-5-104 [68] and Distributed Network Protocol 3 (DNP3) are still the dominant choices. These protocols offer broad control and monitoring capabilities and remain deeply embedded in many existing utility infrastructures. However, like several earlier-generation communication standards, they were not originally designed with cybersecurity in mind. As a result, they are inherently susceptible to threats such as DoS and replay attacks. Their continued use, therefore, requires the integration of security add-ons, most notably the IEC 62351 [57] suite or protection through layered network-security architectures. At the lower communication tiers, legacy protocols such as Modbus present similar challenges. They provide essential operational functionality but lack fundamental features such as encryption and authentication. In practice, this often makes them prime targets for exploitation, reinforcing the need for secure gateway devices, strict segmentation, and other network-hardening measures.
Within the advanced metering infrastructure (AMI), protocols such as device language message specification (DLMS)/companion specification for energy metering (COSEM), IEEE 2030.5 [69], and the Smart Energy Profile (SEP 2.0) serve as the primary mechanisms for communication between smart meters and load-management platforms. These protocols support bidirectional interaction with consumers and provide the technical backbone for demand-response programs. Despite their broad adoption, they must handle an ever-growing volume of metering data while simultaneously protecting sensitive customer information, the two challenges that continue to strain AMI deployments. For the exchange of synchrophasor measurements, IEEE C37.118.2 [70] remains the dominant standard. Its operation relies heavily on accurate timing supplied through GPS or Precision Time Protocol (PTP). However, this dependence on external time references introduces a significant vulnerability. If the timing source is manipulated or disrupted, the entire phasor data stream can be compromised. As shown in recent studies, this makes the protocol particularly exposed to time synchronization attacks (TSAs) or location reference attacks (LRAs) [17,66,67,71].
Overall, the way communication protocols are distributed across the various network layers highlights that each layer comes with its own timing demands, operational roles, and security expectations. To make these distinctions clearer, Table 3 summarizes the typical use cases of each protocol alongside their allowable latency ranges, common cybersecurity risks, and the protective measures most suitable for each category. As the table shows, higher-level protocols such as IEC 60870-5-104 [68] and DNP3 operate with relatively generous latency budgets and can therefore accommodate more computationally intensive security tools, including virtual private networks (VPNs) or transport layer security (TLS) encryption. In contrast, Process Bus protocols such as GOOSE and SV must function within extremely tight time margins, often on the order of a few milliseconds or even less. Because these messages are so time sensitive, they cannot accommodate substantial processing delays. As a result, their security is usually strengthened through lighter but effective measures, for example, by using network segmentation, selective software-defined networking (SDN)-based traffic control, or checks on message metadata such as sequence numbers. When viewed together, these considerations show that each layer of the communication architecture presents a different exposure to cyber risk and therefore requires protection strategies that reflect its specific operational and timing requirements.

4.2. Taxonomy of Cyberattacks in Smart Grids

As the traditional power infrastructures transition to cyber–physical systems (CPS) and advanced communication standards such as IEC 61850 [12] and IEC 60870-5-104 [68] are widely integrated, the attack surface in smart grids has increased substantially. Under these conditions, vulnerabilities could emerge from the data-link layer up to the application layer, allowing a wide range of possible attacks. Recent experimental evidence indicates that laboratory platforms can reproduce cyber–physical attack scenarios with reasonable fidelity, providing a valuable means for emulating complex disturbances and adversarial behaviors in a controlled environment [72]. This section organizes these threats into four main categories: (i) service-disruption attacks, (ii) message manipulation and spoofing, (iii) timing and location attacks, and (iv) malware, supply-chain, and insider threats. Each category is discussed with attention to its underlying technical mechanisms, supporting laboratory demonstrations, quantitative performance impacts, and the mitigation strategies most frequently recommended in the literature, as summarized in Figure 2.

4.2.1. Denial-of-Service (DoS/DDoS) Attacks

DoS and DDoS attacks are among the most frequent and disruptive threats encountered in industrial control and power networks. Survey-based analysis estimates that they account for almost 35–40% of reported cybersecurity incidents [71]. These attacks work by generating excessive unauthorized traffic or saturating the bandwidth, ultimately causing sharp increases in latency, packet loss, and jitter. Such disruptions directly compromise the real-time requirements of protection and control messages in power systems. Multiple studies have demonstrated that IEC 60870-5-104 [68] and IEC 61850 [12] protocols (including GOOSE, SV, and MMS) are particularly vulnerable to these attacks [15].
One of the most widely used metrics for assessing network performance during a DoS attack is the change in average latency, defined as
$$\Delta\text{Latency} = \bar{t}_{\text{attack}} - \bar{t}_{\text{baseline}}.$$
This measure captures the additional delay introduced in packet transmission relative to normal operating conditions. When $\Delta\text{Latency}$ becomes large, it signals that the real-time requirements of protection messages such as GOOSE are no longer being met. Such delays can compromise the dependability of both protection and control functions.
Another critical metric is the Packet Loss Ratio (PLR), defined as:
$$\text{PLR} = \frac{\text{Packets Lost}}{\text{Packets Sent}} \times 100\%,$$
which represents the proportion of packets lost during transmission under attack conditions. A high PLR indicates the loss of mission-critical data and potential malfunctions of intelligent electronic devices (IEDs), whereas higher values indicate irregular packet arrivals, leading to miscoordination among IEDs and degraded stability of protection systems.
Experimental studies reported in the literature illustrate how disruptive these attacks can be. In one investigation, a flooding attack that consumed nearly 85% of the available bandwidth caused GOOSE frame delivery to become unstable, leading to noticeable interruptions in the behavior of IEDs. By comparison, when the network was saturated at about 40%, no such disturbances were observed, underscoring the sensitivity of protection traffic to congestion [15]. A field study conducted in a Norwegian digital substation showed similar effects: the DoS attack reduced the usable communication capacity by roughly 49% to 68% and increased end-to-end delay from approximately 1 ms to more than 1.3 ms [67]. These values exceed the limits typically considered acceptable for real-time protection systems.
Recent advances have increasingly turned to machine-learning techniques to enhance the detection of DoS attacks. In [17], the authors developed detection models for IEC 60870-5-104 [68] traffic using features such as packet-retransmission rate, byte-flow rate, and the number of retransmitted packets per second. These statistical measures proved effective in distinguishing normal traffic from attack scenarios, with reported detection accuracies approaching 98.7%.

4.2.2. Message Manipulation and Spoofing: FDIA, Replay, and MITM

The second category of cyberattacks includes FDIA, Replay attacks, and MITM attacks. In FDIA, adversaries manipulate measurement data or network states to bypass bad data detection (BDD) mechanisms and mislead the control center [14,19]. Replay attacks consist of retransmitting previously valid messages, thereby triggering spurious protection or control actions [14,15]. In MITM attacks, the adversary inserts themselves into the communication path, allowing them to intercept, observe, or even alter the exchanged messages. Such interference can cause supervisory systems to behave unpredictably or deviate from their intended operation [13,14,15].
Experimental studies have confirmed the severity of these threats. In one HIL setup, for example, an MITM attack on an electric vehicle charging station caused the charger to disconnect, even though the human–machine interface (HMI) continued to show normal operation. This clearly demonstrates how MITM attacks can break the link between the operator’s situational awareness and the actual physical state of the system. To appreciate the impact of such disruptions, it is useful to first consider the system’s behavior under normal conditions. In documented HIL experiments, GOOSE-based protection coordination cleared a single-phase fault in roughly 47 ms and restored service within about 74 ms, values that are commonly regarded as representative benchmarks for real-time protection performance [13].
Against this baseline, the disruptive effects of targeted attacks on GOOSE traffic become much easier to quantify. High sequence-number (stNum) attacks, for instance, can cause receivers to discard legitimate messages, leading to missed or delayed protection commands. Semantic spoofing alters the actual content of the message, such as measurement values or control states, and may provoke inappropriate or hazardous control actions. Replay attacks, on the other hand, resend previously valid messages, causing the system to respond to events that are no longer occurring [15]. Even small increases in delay or subtle manipulation of message triggers introduced through these attacks can obstruct time-critical protection functions, significantly elevating the risk to both system stability and operational safety.
In hybrid AC/DC microgrids, the impact of FDIA is especially critical because ILCs tightly couple AC-side measurements, power exchange commands, and DC-side energy buffering through the DC-link dynamics [56]. As a result, an FDIA launched on the AC side can propagate through the ILC control loops and manifest as DC-link voltage excursions or oscillatory behavior, even if the DC-side sensors remain uncompromised [73,74].
A compact way to interpret this mechanism is through the DC-link balance, which can be written as
$$C_{dc}\,\frac{dV_{dc}}{dt} = I_{in} - I_{out},$$
where $C_{dc}$ is the DC-link capacitance, $I_{in}$ is shaped by the ILC control action, and $I_{out}$ reflects the DC-side demand. In practice, the voltage regulation loop relies on feedback signals that may be obtained locally or via communication-assisted estimation, making the loop vulnerable to data manipulation.
Under FDIA, the feedback signal can be biased, for example
$$\tilde{V}_{dc} = V_{dc} + a(t),$$
where $a(t)$ denotes the injected false data. This bias alters the perceived regulation error and can drive the controller to request an inappropriate power/current transfer across the ILC, effectively injecting a non-physical disturbance into the DC-link dynamics. Stability-oriented studies on DC microgrids show that even small injected biases can degrade stability margins and trigger oscillatory instabilities, particularly in the presence of tightly regulated loads and converter dynamics [73].
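The effect of a biased feedback signal on the DC-link balance can be reproduced numerically. The sketch below is an added example, not code from the reviewed studies: it assumes a PI voltage loop, a constant DC-side demand, a step-shaped $a(t)$, and constructed parameter values, and it also runs a monitor that checks the reported voltage against the DC-link balance.

```python
C_DC = 2e-3          # DC-link capacitance in F (constructed value)
V_REF = 400.0        # DC-link voltage reference in V (constructed value)
I_OUT = 10.0         # constant DC-side demand in A (constructed value)
KP, KI = 0.5, 50.0   # PI gains of the assumed voltage loop (constructed values)


def simulate_biased_feedback(a_step=20.0, t_attack=0.2, t_end=0.5, dt=1e-4,
                             residual_limit=5.0):
    """Integrate C_dc dV_dc/dt = I_in - I_out while the loop sees V_dc + a(t).

    a(t) is a step of a_step volts applied at t_attack. Returns the final true
    and perceived voltages, the lowest true voltage reached, and the sample
    indices at which the balance residual exceeded residual_limit (in A).
    """
    v_dc = V_REF
    integ = I_OUT / KI   # integrator preloaded so the loop starts in steady state
    k_attack = int(round(t_attack / dt))
    prev_meas = prev_i_in = None
    v_min, alarms, a = v_dc, [], 0.0
    for k in range(int(round(t_end / dt))):
        a = a_step if k >= k_attack else 0.0
        v_meas = v_dc + a                     # biased feedback: V~_dc = V_dc + a(t)
        if prev_meas is not None:
            # Monitor: does the reported voltage change match the measured currents?
            residual = C_DC * (v_meas - prev_meas) / dt - (prev_i_in - I_OUT)
            if abs(residual) > residual_limit:
                alarms.append(k)
        err = V_REF - v_meas                  # perceived regulation error
        integ += err * dt
        i_in = KP * err + KI * integ          # current requested across the ILC
        v_dc += dt * (i_in - I_OUT) / C_DC    # true DC-link dynamics (forward Euler)
        v_min = min(v_min, v_dc)
        prev_meas, prev_i_in = v_meas, i_in
    return {"v_true": v_dc, "v_seen": v_dc + a, "v_min": v_min, "alarms": alarms}


if __name__ == "__main__":
    result = simulate_biased_feedback()
    print("true V_dc  : %.2f V" % result["v_true"])
    print("seen V_dc  : %.2f V" % result["v_seen"])
    print("lowest V_dc: %.2f V" % result["v_min"])
    print("residual alarms at samples:", result["alarms"])
```

With integral action the loop drives the perceived voltage back to the reference, so the true DC-link voltage settles at $V_{ref} - a$ while the controller reports normal regulation. The balance residual flags the instant the bias changes; a bias that is already constant has to be caught by comparison with an independent measurement.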
A second pathway is FDIA on AC-side signals used for synchronization or power estimation. Conceptually, if the ILC relies on an estimated active power signal, an attacker can introduce
$$\tilde{P}_{ac} = P_{ac} + \Delta P_{\text{attack}}(t),$$
which translates into an effective disturbance in equation (5). In DC microgrid cluster studies, compromised measurements and communication links were shown to mislead controllers and lead to inappropriate decisions that can ultimately create stability issues [74].
Replay and MITM attacks can produce comparable cross-domain effects through timing and integrity violations rather than direct bias injection. Replay attacks may reintroduce stale, but syntactically valid setpoints or measurements into ILC coordination loops, causing delayed or asynchronous power exchange that amplifies DC-link ripple and degrades voltage regulation. MITM attacks enable selective modification or filtering of AC-side measurements or ILC setpoints, which can desynchronize coordinated controllers (or create inconsistent views between supervisory and local controllers), effectively introducing hidden bias and delay into the DC-link regulation path [74,75].
In the context of detection, hybrid learning-based methods have shown considerable potential. One example is the multi-view cross-correlation (MVCC)-based technique, which was able to identify attack vectors that had evaded traditional BDD checks in 92.55% of the cases, all while maintaining a processing time below 4 ms. This performance indicates that the approach remains compatible with the strict real-time requirements of IEC 61850 systems [19].

4.2.3. Time and Location Attacks: TSA and LRA

Time and location-based attacks focus on compromising the integrity of synchronization signals and the spatial information used by cyber–physical devices. In a time synchronization attack (TSA), for instance, an adversary manipulates timing references such as GPS or network time protocol (NTP), causing shifts in the measured phase angle ($\Delta\theta$) and frequency ($\Delta f$). These distortions can interfere with state estimation and disrupt the logic underlying protection and control decisions [55,71]. To illustrate the effect of such timing deviations, the active power transferred between two buses can be expressed as:
$$P = \frac{V_1 V_2}{X}\sin(\delta), \qquad \hat{\delta} = \delta + \Delta\theta,$$
and the corresponding deviation in transmitted power is approximated by
$$\Delta P \approx \frac{V_1 V_2}{X}\cos(\delta)\,\Delta\theta.$$
This analytical model illustrates that even modest phase-angle deviations can introduce significant errors in estimating power transfer. Such vulnerabilities are critical for phasor measurement units (PMUs) and wide-area monitoring systems (WAMS), both of which depend on highly accurate time synchronization to function correctly.
In an LRA, the attacker falsifies the reported location of a device or node, which can disrupt functions such as demand–response coordination and the placement or operation of DERs. Assessing the impact of such attacks typically involves monitoring phase-angle and frequency deviations, as well as tracking false-alarm rates in systems that rely on multiple synchronization sources. Previous studies have shown that under TSA conditions, PMUs can misinterpret system oscillations and stability metrics, potentially leading to incorrect assessments of grid conditions [71].
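The power-transfer model above can be turned into a timing-integrity check. The following is an added example, not code from the cited studies: it assumes a 60 Hz system, the standard relation $\Delta\theta = 2\pi f\,\Delta t$ between a clock offset and the resulting phase-angle error, per-unit line values, and constructed offset samples for two synchronization sources measured against the device's local clock.

```python
import math

F_NOMINAL_HZ = 60.0  # assumption: 60 Hz system


def phase_error_rad(clock_offset_s, f_hz=F_NOMINAL_HZ):
    """Phase-angle error of a phasor whose time reference is off by clock_offset_s."""
    return 2.0 * math.pi * f_hz * clock_offset_s


def power_error(v1, v2, x, delta_rad, dtheta_rad):
    """Return (exact, linearized) error in the estimated P for an angle error dtheta."""
    k = v1 * v2 / x
    exact = k * (math.sin(delta_rad + dtheta_rad) - math.sin(delta_rad))
    linear = k * math.cos(delta_rad) * dtheta_rad
    return exact, linear


def max_clock_disagreement_s(v1, v2, x, dp_tolerance, f_hz=F_NOMINAL_HZ):
    """Largest clock disagreement that keeps |dP| within dp_tolerance.

    Uses the linearized model with the worst case cos(delta) = 1.
    """
    dtheta_max = dp_tolerance / (v1 * v2 / x)
    return dtheta_max / (2.0 * math.pi * f_hz)


def flag_sync_divergence(gps_offsets_s, ptp_offsets_s, limit_s, persist=3):
    """Indices where |GPS - PTP| has exceeded limit_s for `persist` samples in a row."""
    alarms, run = [], 0
    for i, (g, p) in enumerate(zip(gps_offsets_s, ptp_offsets_s)):
        run = run + 1 if abs(g - p) > limit_s else 0
        if run >= persist:
            alarms.append(i)
    return alarms


# Constructed line data in per unit: V1 = V2 = 1.0, X = 0.1, delta = 10 degrees.
V1, V2, X, DELTA = 1.0, 1.0, 0.1, math.radians(10.0)

# Constructed offsets in seconds: the GPS-derived time starts drifting at sample 5
# while the PTP-derived time stays within a fraction of a microsecond.
GPS = [0.1e-6, -0.2e-6, 0.0, 0.1e-6, 0.0, 10e-6, 20e-6, 30e-6, 40e-6, 50e-6, 60e-6]
PTP = [0.0, 0.1e-6, -0.1e-6, 0.0, 0.1e-6, 0.0, 0.1e-6, 0.0, -0.1e-6, 0.0, 0.1e-6]

if __name__ == "__main__":
    dtheta = phase_error_rad(100e-6)
    exact, linear = power_error(V1, V2, X, DELTA, dtheta)
    print("100 us offset -> %.3f deg phase error" % math.degrees(dtheta))
    print("power error: exact %.4f pu, linearized %.4f pu" % (exact, linear))
    limit = max_clock_disagreement_s(V1, V2, X, dp_tolerance=0.1)
    print("allowed disagreement: %.2f us" % (limit * 1e6))
    print("alarm samples:", flag_sync_divergence(GPS, PTP, limit))
```

A disagreement alarm shows only that the two sources no longer agree; deciding which one has been manipulated needs a third reference or a holdover oscillator.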

4.2.4. Malware, Supply Chain, and Insider Threats

Malware, supply-chain compromise, and insider misuse represent some of the most serious security risks faced by modern digital power systems. Malware may infiltrate infrastructures through engineering workstations or compromised software updates. Supply chains can introduce tampered hardware or software, and privileged access, whether misused intentionally or unintentionally, can pose significant threats to system security [55,65].
These risks are amplified in DER environments and IoT-enabled infrastructures, where device heterogeneity and pervasive connectivity enlarge the attack surface and provide more pathways for malware to propagate, for compromised updates to spread, and for supply-chain vulnerabilities to take hold.

4.2.5. Emerging and Hybrid Cyberattacks

In recent years, emerging and hybrid cyberattacks have attracted growing attention within the power-system cybersecurity community. These attacks do not necessarily constitute new standalone categories, instead combining multiple traditional techniques into coordinated, multi-stage campaigns that are more persistent and difficult to detect. For instance, social engineering and phishing attacks exploit human vulnerabilities among SCADA or AMI operators, often acting as the entry point for deeper compromises, enabling follow-on actions such as malware installation or privilege escalation [67,71].
APTs further extend this concept by combining methods such as malware injection, FDIA, and MITM techniques over prolonged periods. The well-known Stuxnet attack remains a benchmark example of cyber–physical threats [55]. At the same time, hardware and side-channel attacks have emerged as new avenues for compromising digital power systems by exploiting the physical implementation of cryptographic algorithms. Methods such as electromagnetic analysis or power-consumption profiling can reveal cryptographic keys stored in IEDs or smart meters [14]. In parallel, AI-driven attacks are becoming an increasingly relevant threat vector. By using machine-learning models such as generative adversarial networks (GANs) or reinforcement-learning agents, attackers can craft synthetic data or traffic patterns that closely mimic legitimate behavior, enabling them to bypass traditional intrusion-detection mechanisms [19].
Finally, hybrid information technology (IT)/operational technology (OT) attacks illustrate how the boundary between information and operational technologies is becoming increasingly blurred. In such cases, an intrusion may begin in the IT domain through ransomware, phishing, or exploitation of enterprise servers and subsequently spread into OT environments, where it can disrupt SCADA systems, DER management platforms, or substation automation processes [55]. Collectively, these emerging and hybrid attack patterns reflect the evolving sophistication of adversaries and underscore the need for integrated risk modeling and adaptive defense mechanisms in modern smart grids.

4.3. Defensive Methods and Risk Mitigation

Cybersecurity in digital power systems, including substation automation, DERs, and hybrid microgrids, can only be sustained and scaled effectively when protections are implemented across three complementary layers: (i) process and management-level foundations aligned with international frameworks, (ii) technical defenses at the network/system level, including cryptographic and key management mechanisms, and (iii) intelligent detection and response enabled by IDS/IPS solutions and machine learning/artificial intelligence algorithms. This multilayered structure, supported by comprehensive surveys and field studies, establishes a roadmap for the progressive integration of defenses while simultaneously addressing real-time operational requirements and the computational constraints of IEDs.

4.3.1. Process and Management Foundations

Management frameworks establish the governance and operational backbone of cyber defense; without them, even the most sophisticated technical measures cannot guarantee long-term resilience. The NIST cybersecurity framework (CSF) is organized around its five core functions, namely Identify, Protect, Detect, Respond, and Recover. This serves as a key reference model for assessing and improving organizational security maturity (Figure 3). National assessments of the U.S. power sector show that many utilities still operate at a “partially implemented” level, with recurring weaknesses in areas such as supply-chain oversight, data protection, event detection, and recovery planning [76]. Mapping technical controls to the CSF’s five functions offers a structured pathway for deploying, integrating, and maintaining effective cybersecurity measures across the power system environment [55,71].
In parallel, IEC 62443 [58] provides a defense-in-depth framework for industrial control and OT environments, emphasizing both logical and physical segmentation of components. Its guidance on zone–conduit design, patch management, and device-level security requirements is particularly important for digital substations and DER infrastructures [66]. ISO 27019 [63], an energy-sector adaptation of ISO 27001 [61], offers additional sector-specific controls that help align the operational practices of transmission operators, distribution utilities, and DER stakeholders. Complementing these standards, IEEE 1547 [64] establishes interoperability and safety requirements for DERs. When applied collectively, these frameworks form a comprehensive foundation for policy development, role definition, and secure interconnection procedures within modern distribution networks [65].

4.3.2. Technical Defenses: Segmentation, SDN, Zero-Trust, Lightweight Cryptography, and Timing Integrity

Technical controls in digital power networks must be engineered with careful attention to real-time requirements and the communication patterns defined by IEC 61850 [12]. Virtual local area network (VLAN) segmentation (IEEE 802.1Q [77]) at Layers 2 and 3 helps reduce the overall attack surface by isolating GOOSE, SV, and MMS traffic and restricting the broadcast domain in which these frames can propagate.
Beyond conventional segmentation, SDN enables fine-grained enforcement of policies based on protocol features such as Ethertype, Application Identifier (APPID), stNum, and seqNum. With this level of control, SDN can secure authorized GOOSE communication paths, regulate transmission rates, and block unauthorized message injections or replay attempts [15].
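The stNum/seqNum policy described here, and the high-stNum and replay attacks discussed in Section 4.2.2, can be illustrated with a sequence monitor. This is an added example, not code from the cited SDN work: it assumes the header fields have already been decoded from the frame, the class names, verdict strings, addresses, APPID and control-block reference are constructed, and counter rollover and IED restarts are not handled.

```python
from dataclasses import dataclass

GOOSE_ETHERTYPE = 0x88B8  # EtherType registered for IEC 61850 GOOSE


@dataclass(frozen=True)
class GooseHeader:
    """Header fields a switch, SDN controller or passive monitor can read."""
    src_mac: str
    ethertype: int
    appid: int
    gocb_ref: str  # control-block reference identifying the publisher stream
    st_num: int    # incremented on every state change
    sq_num: int    # 0 on a state change, then +1 per retransmission


class GooseSequenceMonitor:
    """Classifies frames against the last accepted (stNum, sqNum) per stream."""

    def __init__(self, allowed, max_st_jump=1):
        self.allowed = allowed          # {gocb_ref: (src_mac, appid)} from the engineered config
        self.max_st_jump = max_st_jump  # largest stNum step treated as plausible
        self.last = {}                  # gocb_ref -> (st_num, sq_num) last accepted

    def check(self, f):
        if f.ethertype != GOOSE_ETHERTYPE:
            return "not_goose"
        if self.allowed.get(f.gocb_ref) != (f.src_mac, f.appid):
            return "unauthorized_publisher"
        prev = self.last.get(f.gocb_ref)
        if prev is None:                # first frame seen: learn the baseline
            self.last[f.gocb_ref] = (f.st_num, f.sq_num)
            return "ok"
        st, sq = prev
        if f.st_num < st:
            return "stale_stnum"        # an older state is being presented again
        if f.st_num == st and f.sq_num <= sq:
            return "replayed_sqnum"     # retransmission counter repeated or went backwards
        if f.st_num - st > self.max_st_jump:
            return "stnum_jump"         # implausible jump: alert and do NOT adopt it
        expected_sq = sq + 1 if f.st_num == st else 0
        self.last[f.gocb_ref] = (f.st_num, f.sq_num)
        return "ok" if f.sq_num == expected_sq else "sqnum_gap"


def classify(frames, monitor):
    """Return the monitor's verdict for every frame, in order."""
    return [monitor.check(f) for f in frames]


def naive_receiver(frames):
    """Baseline for comparison: adopt any higher stNum and drop everything lower."""
    highest, acted_on = -1, []
    for i, f in enumerate(frames):
        if f.st_num >= highest:
            highest = f.st_num
            acted_on.append(i)
    return acted_on


# Constructed identifiers and trace (not taken from any real substation).
REF, APPID = "IED1LD0/LLN0$GO$gcb01", 0x3001
PUB, ROGUE = "00:11:22:33:44:55", "de:ad:be:ef:00:01"


def frame(st, sq, mac=PUB):
    return GooseHeader(mac, GOOSE_ETHERTYPE, APPID, REF, st, sq)


TRACE = [
    frame(5, 10),            # 0 steady-state retransmission
    frame(5, 11),            # 1 next retransmission
    frame(6, 0),             # 2 genuine state change
    frame(5, 11),            # 3 copy of frame 1 sent again
    frame(9000, 0),          # 4 frame carrying a very high stNum
    frame(6, 1),             # 5 genuine retransmission
    frame(6, 1, mac=ROGUE),  # 6 same stream claimed by an unknown source
    frame(7, 0),             # 7 genuine state change
    frame(7, 2),             # 8 genuine, but frame (7, 1) never arrived
]

if __name__ == "__main__":
    monitor = GooseSequenceMonitor({REF: (PUB, APPID)})
    for i, verdict in enumerate(classify(TRACE, monitor)):
        print(i, verdict)
    print("naive receiver acts on frames:", naive_receiver(TRACE))
```

The naive baseline acts on frame 4 and then ignores the genuine frames 5, 7 and 8, which is the discard effect described for high-stNum attacks; the monitor alerts on frame 4 without advancing its state, so the genuine stream continues to validate.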
At the architectural level, adopting a Zero Trust approach, which removes all forms of implicit trust and requires mutual authentication among IEDs, merging units, and human–machine interfaces, significantly reduces the possibility of an attacker moving laterally within the system. This approach is further strengthened by enforcing least privilege access, separating engineering pathways from operational traffic, and isolating management services through out-of-band communication channels [65].
Key management and lightweight cryptographic techniques remain essential for communication flows with strict latency requirements, such as GOOSE and SV messages. The use of lightweight signature and hashing algorithms, specifically designed for devices with limited processing capacity, preserves message integrity and authenticity while remaining within real-time operational constraints [14].
From a timing perspective, it is important to continuously monitor phase shifts and delays in GPS and PTP synchronization signals, as doing so helps detect and counter TSAs and LRAs. Ensuring the integrity of these timing sources enables operators to identify anomalies at an early stage and reduces the risk of control malfunctions triggered by such attacks [71].
To evaluate these controls in practical settings, HIL experiments and hybrid testbeds that incorporate real IEDs have shown that end-to-end latency must remain within a range of only a few tens of milliseconds in order to maintain reliable system operation.

4.3.3. Detection and Response: IDS/IPS and Machine Learning/Artificial Intelligence

Once management and technical controls are established, an analytical layer based on IDS, IPS, and data-driven algorithms provides an additional line of defense for identifying anomalies and cyberattacks. Research shows that combining IDS and IPS mechanisms with machine learning methods not only improves the detection of traditional attack types but also strengthens resilience against newer and more complex threat scenarios. Chapter V will examine IDS and IPS architectures, the machine learning techniques commonly used in this context, and the practical challenges of implementing these solutions within real-time power network environments.

4.4. AI/ML for Fault Recognition and Localization

As hybrid AC/DC microgrids grow more complex, conventional protection methods are facing significant limitations. Lower fault current levels, the rapidly changing behavior of power electronic converters, and the increasingly layered nature of network topologies all make it difficult for traditional protective relays to detect faults both accurately and quickly. These challenges underscore the need for more advanced protection strategies that incorporate AI and machine learning. AI-based methods allow real-time data from PMUs, μPMUs, and smart sensors to be analyzed in a way that captures the nonlinear characteristics of the system, enabling faster and more accurate fault detection. In addition, data-driven models improve the precision of fault localization in situations where conventional techniques often encounter uncertainty or conflicting indicators.

4.4.1. Machine Learning Methods

Machine learning has been one of the earliest data-driven techniques adopted for power system protection. Traditional algorithms such as support vector machines (SVMs), k-nearest neighbors (KNNs), decision trees (DT), random forest (RF), and AdaBoost have been extensively applied across many studies to carry out essential protection tasks, including fault detection, fault classification, and fault location [7,78,79].
The appeal of these algorithms stems from their relative simplicity and greater interpretability compared to deep learning models. In most practical implementations, raw voltage and current signals are first processed through mathematical transformations such as the FFT, DWT, Hilbert–Huang Transform (HHT), or dq0 and symmetrical component frameworks, and the resulting features are then supplied to machine learning models [16,48,78]. As noted in [80], the effectiveness of these approaches is strongly influenced by the quality of the selected features; in fact, much of the performance improvement reported in the literature can often be attributed to the preprocessing stage rather than the classification algorithm itself.
Studies indicate that random forest and AdaBoost generally offer stronger robustness and higher accuracy across a wide range of operating conditions, while SVM tends to perform well with nonlinear data but often requires greater computational effort [78]. In contrast, lightweight classifiers such as KNN and decision trees work effectively when the dataset is relatively small, but their accuracy tends to decline notably as the dimensionality of the data increases [7,81].
Overall, these methods are valuable in settings where data availability is limited and rapid decision-making is essential. However, their heavy reliance on feature engineering and their limited ability to generalize to unseen operating conditions remain significant drawbacks. In feature-engineering-based approaches, raw voltage and current signals are first transformed into more compact and meaningful representations through mathematical transforms to reveal hidden patterns. Studies have shown that the proper combination of features and classifiers plays a decisive role in the final accuracy. For example, the combination of wavelet scattering and SVM achieved over 95% accuracy in the IEEE-34 network, while the use of symmetrical current components with SVM yielded about 99.7% accuracy.
Among conventional algorithms, as summarized in Table 4, each method presents specific advantages and drawbacks. In general, feature engineering combined with ML approaches is lighter and more suitable for limited-data or real-time applications than deep learning methods, although the heavy reliance on handcrafted features and lower accuracy under unfamiliar conditions are notable challenges. Consequently, recent research trends are shifting toward deep learning or hybrid DL/ML models to achieve higher generalization and robustness. Although many classifiers report similarly high accuracy values, their practical performance in protection-oriented applications differs significantly under realistic operating conditions such as measurement noise, topology changes, class imbalance, and limited observability. Consequently, robustness, computational burden, scalability, and interpretability often become more decisive than nominal accuracy alone. This emphasizes the necessity of selecting classification models not only based on reported accuracy but also on their operational resilience and deployment constraints.
Another signal-based approach, known as the traveling wave (TW) method, relies on the analysis of transient voltage and current fronts. Owing to its relative independence from fault current magnitude and its sub-millisecond response time, it is considered an efficient option for rapid fault location in distribution networks and microgrids. In this method, the occurrence of faults generates high-frequency transient fronts that can be detected through single-ended or multi-ended measurements [36].
To enhance accuracy under noisy conditions, combinations of time–frequency analysis and machine learning have been reported. Frameworks such as DWT + RF and dynamic mode decomposition (DMD) + RF are among the most notable, demonstrating fault detection and localization accuracies of 97–100% in standard IEEE-34 networks and 12.47 kV systems [84,85]. Similarly, combinations such as stationary wavelet transform (SWT) + morphological method (MM) and Shapelet + linear discriminant analysis (LDA) achieved 96–99% accuracy and location errors below 1% of the line length under moderate noise levels (signal-to-noise ratio (SNR) ≈ 25–45 dB) [86,87].
Recent numerical studies indicate that in the presence of grid-forming inverters (GFMI), switching noise and inductor–capacitor–inductor (LCL) filter design directly affect the signal-to-noise ratio and the stability of fault detection [32]. Comprehensive reviews emphasize that traveling-wave-based methods, from wavelet and HHT to morphology and ML, can reduce detection time to below 1 ms and fault-location error to a few tens of meters. However, they still face challenges such as the need for MHz-level sampling rates, precise synchronization, and high implementation cost [36].
Table 5 summarizes traveling-wave-based methods for fault protection in distribution networks. Signal-driven TW approaches, particularly when combined with time–frequency feature extraction techniques (DWT/SWT, MM, DMD, shapelets) and powerful classifiers (RF, SVM, LDA), can achieve highly accurate single-ended and multi-ended fault localization with minimal delay.
Future research directions include: (i) development of cost-effective, high-speed measurement hardware; (ii) model calibration for networks with dynamic topology and high penetration of IBRs/GFMIs; (iii) creation of standardized field datasets for benchmarking; and (iv) co-design of algorithms and hardware under real-time constraints to facilitate the transition from electromagnetic transient (EMT) studies to industrial implementation [36,84].
An important insight from the reviewed AI/ML literature is that the reported performance is highly dependent on the underlying experimental design. Studies that rely solely on EMT-type simulations often report higher accuracy, largely because such environments provide cleaner signals and allow full control over the generated scenarios. In contrast, HIL/RTDS platforms and field-oriented datasets naturally introduce communication delays, sensor imperfections, and unmodeled disturbances, which tend to reduce classification stability [73,74]. Performance is also sensitive to fault modeling assumptions, particularly the considered fault resistance range, fault inception angle, and converter operating mode, all of which directly affect the separability of fault signatures [73]. Moreover, evaluation practices vary considerably across studies: while some rely on balanced datasets and within-feeder validation, others consider class imbalance, unseen topologies, or cross-feeder testing, conditions under which nominal accuracy may decline despite strong laboratory performance. Finally, different metrics are often emphasized, including accuracy, F1-score, sensitivity/recall, false-trip rate, and detection time [75]. In addition, the notion of response time is not defined consistently across studies and may refer either to inference time only or to end-to-end latency that also includes feature extraction windows, communication delays, and actuation time [73]. As a result, a model optimized solely for accuracy may still be unsuitable for protection if it leads to excessive false operations or violates real-time constraints. For this reason, this review interprets reported performance in the context of dataset realism, scenario complexity, and evaluation protocols, and highlights robustness and operational feasibility alongside nominal accuracy.

4.4.2. Deep Learning Methods

Deep learning approaches have become one of the dominant trends in the protection of distribution networks and microgrids. The key advantage of this class lies in its ability to automatically extract features from raw voltage and current signals or from derived representations such as spectra, time–frequency maps, and Park vector images. This capability improves the accuracy of fault detection and classification while also reducing the dependence on manual feature engineering [7,89]. However, these advantages come with notable challenges. Deep models typically require substantial computational resources, large volumes of labeled training data, and often exhibit sensitivity to changes in system topology or operating conditions [7,90].
From an architectural standpoint, different deep learning models offer distinct advantages depending on the nature of the data and the specific protection task. Convolutional neural networks (CNNs) are most widely used for handling image-like representations and time–frequency transforms such as short-time Fourier transform (STFT) and continuous wavelet transform (CWT), and even one-dimensional CNNs have proven effective for analyzing raw waveform data [30,89]. In contrast, RNNs and their advanced variants, including long short-term memory (LSTM) and gated recurrent unit (GRU), are well-suited for capturing temporal dependencies and dynamic behavior, making them particularly effective for applications such as long-term load trend analysis and transient fault detection [22,91]. Hybrid models that combine CNN and RNN components leverage the strengths of both approaches, extracting spatial or local features while simultaneously modeling temporal dynamics, which leads to improved accuracy in complex fault scenarios [22,92,93].
In recent years, Transformer models with attention mechanisms have gained prominence as strong alternatives, offering notable robustness when dealing with noisy or incomplete data [24,94]. Capsule networks (CapsNets) have likewise demonstrated improved performance in fault localization, as their architecture preserves the hierarchical spatial relationships that are often lost during conventional pooling operations [95]. In parallel, adaptive neuro-fuzzy inference systems (ANFISs) combine neural-network learning with fuzzy logic principles, providing greater interpretability, an attribute that is particularly important for practical protection applications in industry [91].
Deep learning has been applied to a wide range of protection tasks, including short-circuit fault detection and classification [33,89], detection of high-impedance faults (HIFs) [24,90,94,96,97], identification of evolving faults [22], faulty-feeder detection in special grounding systems (SPGs) [93], and accurate fault location based on distance or network nodes [30,95]. Various model architectures, including CNN–Park Vector, CWT/DMD–CNN, and 1D-CNN, have demonstrated classification accuracies in the range of 93–99% and fault-location errors below 1% of the line length [30,89,95,98]. Transformer-based approaches that analyze PMU data with harmonic features have reported accuracies close to 98% while maintaining strong robustness to noise [24]. In addition, lightweight CNN models using STFT representations have achieved response times under 115 ms even when deployed on low-power hardware platforms [99].
To mitigate the challenges posed by limited training data, approaches such as GANs, Siamese networks, and contrastive learning frameworks have been employed to generate synthetic samples and support transfer learning. These methods have achieved accuracies of around 80% even when real datasets are scarce [100]. In addition, advanced hybrid architectures, including Transformer–CNN and CNN–CapsNet models, have shown improved accuracy and better data efficiency under noisy conditions when compared with more conventional techniques [94,95]. To provide a structured comparison of the main deep learning paradigms adopted in protection-oriented applications, Table 6 summarizes the most commonly used architectures, their key characteristics, strengths, and limitations. Unlike traditional machine learning models, deep networks are strongly influenced by the choice of input representation, network depth, and training strategy. Consequently, their reported performance is not only a function of model architecture but also of data availability, preprocessing pipelines, and the underlying grid configuration. This motivates a taxonomy-based comparison rather than a single-metric ranking.
Although many deep learning methods report similarly high accuracy values, their practical behavior differs substantially under realistic operating conditions. In particular, CNN-based models excel at extracting localized patterns from waveform or time–frequency representations, whereas recurrent and attention-based architectures are more effective at capturing long-term temporal dependencies and system dynamics. Hybrid architectures further improve robustness by jointly modeling spatial and temporal features, but at the cost of increased computational complexity. Moreover, architectures such as CapsNet and ANFIS emphasize structural preservation and interpretability, respectively, which are critical for fault localization and industrial acceptance. These observations indicate that nominal accuracy alone is insufficient for selecting a protection model; instead, robustness to noise, adaptability to topology changes, computational feasibility, and explainability must be jointly considered.
From this body of research, several key design insights can be derived. First, time–frequency mappings such as STFT, CWT, and empirical wavelet transform (EWT) provide highly informative input representations for CNN-based models, while optimized designs of 1D-CNN and Transformer architectures enable direct raw-signal processing with comparable accuracy [30,94]. Second, hybrid architectures such as CNN-LSTM, CNN-CapsNet, and Transformer-CNN offer significantly higher robustness and generalization than standalone models [22,93,94,95]. Third, lightweight edge-oriented models optimized for embedded deployment show great potential for detecting high-impedance faults (HIF) and achieving real-time protection in microgrids, offering over 98% accuracy and latency below 150 ms [24,94,96,99]. Finally, industrial implementation of these models requires calibration for dynamic topologies, development of standardized field datasets, application of transfer and federated learning, and algorithm-hardware co-design under real-time constraints [7,100].

4.4.3. Graph-Based Methods

Graph-based models have recently become an important direction in distribution network protection because they can represent the system in a way that naturally captures its topology, its connectivity rules, and the spatial and temporal relationships between different components. By describing the network as a graph, with buses as nodes and lines as edges, these methods embed the actual physical layout of the system directly into the learning process [28,101,102]. Within this field, several types of graph neural networks (GNNs) have been widely explored. GraphSAGE builds node representations by sampling and aggregating information from neighboring nodes [103]. Graph attention networks (GATs) use attention mechanisms to give different importance to different neighbors [98]. Variational graph autoencoders (VGAE) learn compact latent descriptions of graph-structured data [93].
Spatiotemporal graph convolutional networks (STGCNs), which bring together both network topology and time-varying system behavior, have achieved particularly strong results for tasks such as fault detection and fault location [92,104].
Practical studies show that these architectures, even when using limited but synchronized PMU and micro-PMU data, achieve higher accuracy and greater robustness to noise and operating variability than classical approaches [28,102]. For instance, the integration of VGAE and GraphSAGE in the IEEE-123 feeder achieved fault location accuracy of 97.81% (F1 = 0.9732), while maintaining resilience to fault resistance up to 50 Ω and the presence of distributed generation [28]. Similarly, the application of multi-head GAT in a 125-bus network demonstrated superior fault classification and localization compared to baseline models such as graph convolutional networks (GCN) and multi-layer perceptron (MLP), with enhanced robustness to topology changes and fault resistance variations [101]. Other architectures such as gated graph neural networks (GGNNs) have been developed to improve generalization across feeders, enabling a trained model to accurately predict fault locations in previously unseen feeders. As summarized, these studies collectively demonstrate that graph-based models, when provided with sufficient quality and density of PMU/μPMU data, naturally exploit network topology, offering greater resilience to reconfiguration and operational changes compared to topology-agnostic approaches [28,101,102,105,106].

4.5. AI-Based Protection of Hybrid AC/DC Microgrids

As discussed in previous sections, in hybrid microgrids, particularly in DC segments, fault currents propagate extremely rapidly, and the absence of a natural current zero-crossing makes arc extinction and selective protection more difficult. Moreover, the presence of bidirectional converters and coupling points between the AC and DC sections further complicates fault detection and isolation. Consequently, traditional impedance or overcurrent relays often fail to provide the level of responsiveness and reliability required in these conditions.
AI-based techniques that analyze raw signals, time–frequency representations, or high-frequency features have made it possible to detect and locate both high- and low-impedance faults with much faster response times. A wide range of studies shows that AI methods, from classical algorithms such as artificial neural networks (ANNs), SVM, and KNN to more advanced architectures like CNN, RNN, and reinforcement learning, consistently offer higher accuracy and better adaptability than impedance-based or traveling wave-based approaches, particularly under diverse operating conditions and high levels of DER penetration. However, these advantages come with important challenges: AI models often require large labeled datasets, rely on costly measurement infrastructure, and face ongoing issues related to model explainability [7,40,81,107].
To mitigate the lack of labeled data, two effective approaches have been reported: multi-task latent learning (MTLS-LR) using distribution-level phasor measurement unit (D-PMU) data in HIL environments, which improves stability and accuracy under noise [108]; and GAN combined with contrastive learning on pulse-reflection signals, which reduces the need for feature engineering and enhances robustness [109].
At the architectural level, hybrid frameworks (e.g., RL combined with CNN-LSTM-Attention chains) have achieved fault-loss reduction of up to ≈69% and improved HIF/LIF detection accuracy, albeit with higher reliance on PMUs and computational overhead [110]. Similarly, an ANN + KNN classifier applied to active distribution networks reported spatial root mean square error (RMSE) < 100 m and faulty-section accuracy > 99% (≈98% for asynchronous data), though retraining is required when topology changes [111]. In general, hybrid learning optimization frameworks, despite their sensing and computational costs, have created a meaningful bridge between data-driven modeling and physical operational constraints [96,104,110,112].
To close the gap between research and real-world implementation, three key directions are proposed: (i) model calibration and adaptation under variable topology and operating conditions; (ii) adoption of transfer, semi-supervised, and contrastive learning for data-scarce scenarios; and (iii) algorithm–hardware co-design under limited sensor budgets and real-time constraints [108,109,111]. The sensor deployment strategy (PMU/μPMU) and data architecture (local-to-coordinated) practically determine the performance ceiling; nevertheless, graph-based and hybrid designs have raised this ceiling even under limited-sensor conditions [102,105,106,110,111,112].
Table 7 summarizes key findings from recent research on AI-based protection of hybrid AC/DC microgrids. It shows that machine learning and deep learning methods not only achieve sub-millisecond fault detection times but also reach fault detection and localization accuracies exceeding 95–99% in most cases. Despite these promising results, practical deployment still faces technical and operational challenges, which will be discussed in the following section.

4.6. Artificial Intelligence in Cybersecurity for Power System Protection

With the growing digitalization of substations and the broad adoption of IEC 61850 communication protocols, cybersecurity has become an essential component of modern power system protection. Threats such as Denial of Service, false data injection, replay attacks, and saturation attacks can interfere with protective coordination, lead to incorrect relay operations, and ultimately compromise overall system stability. Within this context, Artificial Intelligence (AI) offers a promising approach for the rapid and accurate detection of cyber intrusions and for strengthening the resilience of smart grid protection schemes.
One effective approach uses principal component analysis (PCA) together with XAI to detect DoS attacks. PCA reduces the dimensionality of large network traffic datasets and makes the analysis more efficient. XAI then identifies which features, such as packet delay, message repetition rate, or changes in flow structure, are most important for detecting an attack. This added transparency improves operator confidence in how the model reaches its decisions. Table 8 shows that approaches based on PCA and XAI can achieve detection accuracies above 97 percent while requiring only modest computational resources [17].
For IEC 61850 Sampled Values traffic, machine learning based intrusion detection systems that use classifiers such as SVM and random forest have achieved accuracies above 95% under a range of fault and attack conditions [18]. To address data integrity attacks, ensemble learning methods that combine several base learners have shown greater robustness and higher detection accuracy, often above 96% even in noisy environments [19].
At the protocol level, GOOSE messages continue to be among the most vulnerable elements of the system. False injection attacks and saturation attacks can disrupt protection coordination and lead to incorrect relay behavior. The combination of SDN, VLAN-based segmentation, and machine learning-based monitoring has created a multilayer security architecture that supports real-time supervision of GOOSE traffic and provides effective mitigation against these threats [15].
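One way to supervise GOOSE traffic for the false injection and saturation behaviour described above, as an added example (not code from the paper or from [15]): per-control-block checks on stNum/sqNum ordering, source address, and frame rate, run over constructed capture metadata. The control block name, MAC addresses, thresholds, and class names are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class GooseMeta:
    """Header fields taken from one captured GOOSE frame."""
    t_ms: float     # capture time in milliseconds
    gocb_ref: str   # control block reference the frame claims to belong to
    src_mac: str    # Ethernet source address
    st_num: int     # stNum: incremented on every state change
    sq_num: int     # sqNum: incremented on every retransmission


class GooseMonitor:
    """Sequence, source and rate checks per control block.

    Thresholds are assumptions; counter rollover is not handled here.
    """

    def __init__(self, window_ms=100.0, max_msgs=20, max_st_step=1):
        self.window_ms = window_ms
        self.max_msgs = max_msgs
        self.max_st_step = max_st_step
        self.baseline = {}                 # gocb_ref -> (src_mac, st_num, sq_num)
        self.recent = defaultdict(deque)   # gocb_ref -> timestamps inside window

    def check(self, m):
        alerts = []

        # Saturation: too many frames for one control block inside the window.
        times = self.recent[m.gocb_ref]
        times.append(m.t_ms)
        while m.t_ms - times[0] > self.window_ms:
            times.popleft()
        if len(times) > self.max_msgs:
            alerts.append("SATURATION")

        last = self.baseline.get(m.gocb_ref)
        if last is None:
            # First frame seen for this control block is trusted as baseline.
            self.baseline[m.gocb_ref] = (m.src_mac, m.st_num, m.sq_num)
            return alerts
        mac, st, sq = last

        sequence_ok = True
        if m.src_mac != mac:
            alerts.append("SOURCE_CHANGE")
            sequence_ok = False
        if m.st_num < st or (m.st_num == st and m.sq_num <= sq):
            alerts.append("STALE_OR_REPLAY")
            sequence_ok = False
        elif m.st_num - st > self.max_st_step:
            alerts.append("STNUM_JUMP")
            sequence_ok = False

        # Only frames that pass every identity/sequence check move the
        # baseline, so one forged frame cannot make the genuine stream
        # look stale to the monitor afterwards.
        if sequence_ok:
            self.baseline[m.gocb_ref] = (m.src_mac, m.st_num, m.sq_num)
        return alerts


def sample_trace():
    """Constructed capture metadata; names and addresses are made up."""
    ref = "IED1LD0/LLN0$GO$gcb01"
    pub, other = "00:11:22:33:44:01", "00:11:22:33:44:99"
    trace = [
        GooseMeta(0, ref, pub, 5, 10),        # heartbeat retransmissions
        GooseMeta(1000, ref, pub, 5, 11),
        GooseMeta(2000, ref, pub, 5, 12),
        GooseMeta(2004, ref, pub, 6, 0),      # genuine state change
        GooseMeta(2008, ref, pub, 6, 1),
        GooseMeta(2010, ref, other, 900, 0),  # forged frame, inflated stNum
        GooseMeta(2016, ref, pub, 6, 2),      # genuine stream continues
        GooseMeta(2020, ref, pub, 5, 12),     # replay of an older frame
    ]
    # Flood of 30 in-sequence frames 1 ms apart: passes the sequence
    # checks and is caught only by the rate check.
    trace += [GooseMeta(3000 + i, ref, pub, 6, 3 + i) for i in range(30)]
    return trace


def analyze(trace):
    """Return [(frame_index, [alert, ...])] for every frame that alerts."""
    monitor = GooseMonitor()
    findings = []
    for i, frame in enumerate(trace):
        alerts = monitor.check(frame)
        if alerts:
            findings.append((i, alerts))
    return findings


if __name__ == "__main__":
    for index, alerts in analyze(sample_trace()):
        print(index, ", ".join(alerts))
```

The flood frames carry valid sequence numbers, which is why a rate limit is needed alongside the stNum/sqNum checks.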
Comprehensive surveys [71] show that most artificial intelligence-based cybersecurity research has concentrated on the detect and protect functions within the NIST Cybersecurity Framework, while the respond and recover functions have received far less attention. New technologies such as Blockchain, Federated Learning, and combined AI methods are expected to support these less developed areas and enhance the overall resilience of power system cybersecurity.
In summary, artificial intelligence, particularly through ensemble learning, explainable artificial intelligence, and transfer learning, offers a strong foundation for building practical cyber defense mechanisms in intelligent substations. However, several major challenges remain. These include the limited availability of real attack data, the need for strict real-time responsiveness, and the difficulty of ensuring that models generalize well across different network topologies. Together, these factors continue to hinder progress from laboratory-based demonstrations to large-scale industrial deployment.

5. Technical Challenges in Hybrid AC/DC Microgrids Protection

5.1. Challenges of Conventional Protection Schemes in Hybrid AC/DC Microgrid

From the above discussions, it is observed that protection in HMG is not only a matter of hardware or electrical parameters. It has developed into a multidimensional challenge that extends across dynamic system behavior, measurement data quality, and communication layers. Although advanced technologies like inter-domain differential relays, solid-state circuit breakers, and adaptive control schemes have notably enhanced protection performance, several fundamental constraints still prevent reliable and coordinated protection in hybrid grid environments.
(1) Limited sensing and observability: The fault dynamics in HMGs are contingent upon the real-time operational status of converters and multi-domain power pathways. In such conditions, local or sparse measurements rarely provide a complete picture of the fault event. The absence of synchronized measurements (e.g., μPMUs) often leads to incomplete situational awareness and unreliable fault decisions.
(2) Instability of adaptive settings: In a system where network topology, converter control modes (grid-following/grid-forming), and load conditions continuously change, even conventional adaptive relays quickly become outdated. As a result, coordination between protection layers in islanded or dynamic operation cannot be consistently maintained.
(3) Weak coordination between AC and DC domains: A disturbance originating in one domain, particularly in the DC link, can propagate to the other as thermal or voltage transients. When AC and DC protections operate independently, their asynchronous responses may lead to false tripping or loss of selectivity [4,6].
(4) Decision-making under noisy and uncertain conditions: In converter-dominated systems, fault current magnitudes may reach only about 1.2-2 times the rated current, while sensor noise remains at a similar scale. Fixed-threshold-based logic, therefore, becomes unreliable, and the protection system must dynamically adapt to uncertain and evolving conditions [4,5,8].
In general, most protection difficulties in HMGs are caused not by the equipment or hardware itself, but by an incomplete, data-driven understanding of how the various system domains behave together. The next generation of protection systems will rely on smart, predictive, and adaptable methods that deliver real-time system insight across both AC and DC networks, ultimately moving us toward protection systems that are self-learning and resilient.

5.2. Cybersecurity and Reliability Challenges in Hybrid AC/DC Microgrids

Although notable progress has been made in adopting common standards and strengthening communication, cybersecurity continues to be a key vulnerability in modern HMG systems [55,71]. Unlike conventional power system grids, any failure or cyberattack in either the DC or AC domain can spread through ILCs and compromise the entire system’s stability [13,67].
(1) Balancing security and real-time operation: Hybrid microgrids need time-sensitive protocols like IEC 61850 [12] that can send protection messages in 3 to 10 milliseconds. However, integrating robust encryption or access control schemes can introduce delay outside the allowed limits [14,15,66]. The key challenge is to design mechanisms that maintain both high cyber resilience and real-time operation simultaneously [13,67].
(2) Increase in cross-domain attack avenues: The bidirectional power and data flow enables a cyberattack in one domain (for example, AC) to propagate to the other via the ILCs [13,55]. This phenomenon, known as cross-domain propagation, creates additional vulnerabilities that require coordinated action between AC/DC control systems and cybersecurity mechanisms [60,67].
(3) Lack of real-world datasets for AI-based incident detection: Although machine learning and AI techniques demonstrate high detection accuracy in simulation studies [15,17,19], the lack of realistic datasets, particularly for attacks such as FDIA and replay on IEC 61850 [12], creates a constraint for industrial environments [66,71]. Establishing standardized HIL/RTDS benchmark datasets is still essential for reliable validation [5,82].
(4) Trade-off between transparency and algorithmic complexity: XAI models like Shapley additive explanations (SHAP) and Grad-CAM make operators more confident by making it clear why the model made a certain prediction [42,53,117,118]. However, incorporating these techniques into deep architectures under strict real-time constraints continues to pose challenges [19]. Future research should focus on AI models that are both understandable and lightweight, ensuring they remain high speed without sacrificing transparency [71].
(5) Heterogeneity of standards and cybersecurity maturity: Global studies highlight uneven cybersecurity maturity across countries. In Norway, DoS attacks have driven protection delays from 1 ms to over 1.3 s [67], whereas in the United States, integration challenges and workforce training gaps continue to be significant obstacles [60]. These differences highlight the importance of developing unified international cybersecurity standards for DERs and HMGs [55,71].
(6) Limited evaluation of reliability metrics: Most studies focus only on detection accuracy or minimizing latency [15,17,19], whereas higher-level indicators such as mean time to recovery (MTTR), overall availability, and operational resilience are hardly ever analyzed [76]. Full reliability assessments must be integrated into cybersecurity validation to assure realistic, field-ready protection performance [71].
Finally, progress depends on security, reliability, timing, and co-design, where layered defenses, advanced IDS/IPS strategies, HIL-based testing, and standardized cross-domain coordination together enhance both the security and operational resilience in hybrid AC/DC microgrids [55,60,67].

5.3. Limitations of AI/ML-Based Protection Approaches

Despite remarkable progress in the application of AI for the protection of HMGs, the transition from research results to industrial implementation still faces several fundamental barriers. The first and most persistent limitation arises from the data gap and the poor generalization capability of models. Most reported studies rely on synthetic or simulation-based datasets that do not capture the complexity of practical measurements [5,24,33,34,35,40,82,84,90,99,119]. Consequently, models that achieve high accuracy under controlled laboratory conditions often exhibit reduced stability in field environments. This issue reflects a deficiency not only in algorithm design but also in data engineering and real data accessibility. Developing open, standardized, and multi-source datasets that represent realistic fault and operational scenarios remains a critical prerequisite for industrial validation [84,119].
A second major constraint involves the non-stationary and dynamic behavior of microgrids. In hybrid systems with rapidly changing topology, distributed generation, and fluctuating load profiles, static machine learning models cannot maintain performance consistency [7,40,81,100,108,111]. Most existing algorithms are built for static datasets, whereas power system data evolve continuously with operational changes.
Another challenge is related to real-time operation. While simulation studies often report response times below a few milliseconds, implementing such models on constrained hardware (e.g., μPMUs, FPGAs, or IEDs) remains non-trivial [11,100,103,120]. Limited computational power, memory capacity, and network delays significantly hinder real-time execution. Therefore, the practical pathway forward lies in algorithm–hardware co-design, where model architecture is optimized from the outset with physical and temporal constraints in mind. In addition, models must be capable of graceful degradation under data loss or communication failure, ensuring functional stability instead of abrupt malfunction.
A further limitation concerns interpretability and operational trust. Although deep learning models deliver impressive accuracy, their black-box nature poses serious obstacles to acceptance in safety-critical industrial systems. The lack of standardized interpretability metrics and model governance indicators prevents operators from auditing or trusting AI-based protection schemes [17,19,42,53,116,117,118]. Advancing toward XAI and systematic documentation of decision logic is essential to ensure accountability and transparency in protection decisions.
Finally, cybersecurity and evaluation standardization remain underdeveloped. AI-based models are inherently vulnerable to data spoofing, synchronization attacks, and sensor faults. At the same time, the absence of unified benchmarks for assessing detection accuracy, latency, and resilience complicates fair comparison across studies. The creation of open evaluation scenarios—particularly those integrating cyberattack and fault events—would enable reproducible and transparent assessment, bridging the gap between laboratory performance and real-world reliability [15,71].
Overall, these limitations indicate that the core challenges of intelligent protection lie not within algorithms themselves but in the broader ecosystem of data, adaptability, trust, and standardization. Addressing these four dimensions will be decisive for transforming AI from an academic tool into a reliable component of next-generation protection systems.

5.4. Emerging Directions and Remaining Challenges

Several emerging research pathways show the potential to redefine the next generation of HMG protection; however, each remains constrained by technological and operational immaturity. First, realistic validation through HIL and RTDS represents the critical bridge between simulation and field testing. Most existing studies are confined to idealized software environments that neglect communication delays, sensor saturation, and transient nonlinearities [5,40,80,82]. Wider adoption of HIL/RTDS testbeds could resolve this gap, though the cost and complexity of experimental design have limited scalability. Collaborative test platforms and multi-stage evaluation protocols could standardize this validation process across research institutions and industries.
A second research path focuses on deployment and optimized hardware design. As distributed architectures gain importance, localized decision-making near the measurement point becomes essential to minimize latency and reduce dependency on centralized servers [11,100,103,120]. Developing compact and hardware-friendly models, together with edge-level MLOps frameworks for safe updates and lifecycle management, is fundamental to achieving reliable field deployment. By integrating data from PMUs, μPMUs, and SCADA systems, these models provide a holistic representation of the grid’s dynamic state. However, their high computational cost and heavy reliance on labeled data still limit industrial scalability [30,31,32,54,86,106,121].
From a resilience standpoint, cyber–physical co-design is emerging as a unified approach to integrate security mechanisms directly into the protective decision logic. Instead of treating cybersecurity and protection as separate domains, co-design frameworks align intrusion detection, anomaly analysis, and fault isolation within a single coordinated architecture. Nevertheless, conflicting objectives—such as minimizing false trips versus maximizing attack sensitivity—remain unresolved, calling for standardized thresholds and unified performance metrics for cyber–physical protection [17,19,71].
Lastly, ensuring model lifecycle governance stands as a long-term necessity. AI models inevitably degrade over time due to data drift, topology evolution, and sensor aging. Without formal retraining policies, performance audits, and documentation standards, protection systems risk silent failure [7,81,108,111]. Addressing this challenge requires rethinking how AI-based protection systems are deployed in practice. Rather than fully replacing conventional protection schemes, AI should be designed as a complementary layer that enhances classical logic-based methods while preserving their deterministic reliability. Moreover, AI models should be able to recognize out-of-distribution operating conditions, i.e., scenarios that fall outside their training domain. In such cases, the system should either alert the operator or gracefully revert to conventional protection logic, thereby preventing unsafe autonomous decisions. Finally, the human dimension of trust must not be overlooked. Operator skepticism often stems not only from the black-box nature of AI, but also from insufficient training. Periodic and structured training programs are therefore essential to familiarize operators with the capabilities, limitations, and correct interpretation of AI-based protection outputs. Together, these aspects emphasize that trust cannot be established through accuracy metrics alone, but through hybrid system design, uncertainty awareness, and human-centered operation.
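The fallback behaviour this paragraph calls for, as an added example that is not taken from the paper or the studies it cites: a small nearest-class model is wrapped by a gate that hands the decision to a fixed overcurrent pickup and raises an operator alert when a measurement window has missing values or lies far from the training data. The training windows, thresholds, and function names are constructed assumptions.

```python
import math
from statistics import mean, pstdev

# Feature order used throughout this example.
FEATURES = ("current_pu", "voltage_pu", "di_dt_pu_per_ms")

# Constructed training windows (not measured data): features + label.
# Fault currents sit in the 1.2-2 x rated band typical of converter-fed faults.
TRAIN = [
    (1.00, 1.00, 0.01, "normal"), (0.95, 1.01, 0.02, "normal"),
    (1.05, 0.99, 0.01, "normal"), (0.90, 1.00, 0.03, "normal"),
    (1.60, 0.80, 0.40, "fault"),  (1.80, 0.75, 0.55, "fault"),
    (1.50, 0.85, 0.35, "fault"),  (2.00, 0.70, 0.60, "fault"),
]

SD_FLOOR = 0.02       # assumed floor so tiny training spreads do not inflate z-scores
OOD_THRESHOLD = 6.0   # assumed limit on the distance to the nearest class
PICKUP_PU = 1.5       # assumed pickup of the conventional overcurrent element


def fit(train):
    """Return {label: (means, stds)} computed per class and per feature."""
    stats = {}
    for label in sorted({row[-1] for row in train}):
        cols = list(zip(*[row[:-1] for row in train if row[-1] == label]))
        means = [mean(c) for c in cols]
        stds = [max(pstdev(c), SD_FLOOR) for c in cols]
        stats[label] = (means, stds)
    return stats


def distances(stats, x):
    """Standardized Euclidean distance from x to every class centre."""
    return {
        label: math.sqrt(sum(((v - m) / s) ** 2
                             for v, m, s in zip(x, means, stds)))
        for label, (means, stds) in stats.items()
    }


def is_missing(v):
    return v is None or math.isnan(v)


def conventional(x, reason):
    """Deterministic fallback: plain overcurrent pickup plus operator alert."""
    current = x[0]
    trip = (not is_missing(current)) and current > PICKUP_PU
    return {"trip": trip, "source": "conventional", "alert": True,
            "reason": reason}


def decide(stats, x):
    """Use the learned model only inside its training domain."""
    if any(is_missing(v) for v in x):
        return conventional(x, "missing measurement")
    d = distances(stats, x)
    label = min(d, key=d.get)
    if d[label] > OOD_THRESHOLD:
        return conventional(x, "out of distribution")
    return {"trip": label == "fault", "source": "ml", "alert": False,
            "reason": "in distribution"}


MODEL = fit(TRAIN)

if __name__ == "__main__":
    for window in [(1.02, 1.00, 0.02), (1.70, 0.78, 0.50),
                   (3.50, 0.40, 1.50), (0.20, 1.30, 2.50),
                   (1.80, float("nan"), 0.50)]:
        print(window, decide(MODEL, window))
```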
In summary, these emerging pathways emphasize a paradigm shift from “algorithmic accuracy” toward “operational trust.” The true maturity of intelligent protection systems will not depend solely on improved architectures, but on the creation of an integrated chain linking realistic data acquisition, real-time deployment, explainability, cybersecurity, human-centered operation, and long-term model governance.

6. Future Directions for Hybrid AC/DC Microgrid Protection and Cybersecurity

6.1. Standardized Benchmarks and Realistic Validation

One of the key prerequisites for transitioning AI/ML-based protection methods from research studies to industrial systems is the availability of real datasets and standardized evaluation frameworks. A comprehensive review [5,24,33,34,35,36,40,80,82,84,90,99,112,119,122] determines that most existing studies still rely on IEEE benchmark systems and simulation data. While such datasets allow preliminary comparison of algorithms, they are unable to adequately represent the field’s complexities, such as sensor noise, communication delays, and dynamic topology changes.
To fill this gap, future research should focus on developing standardized framework datasets that include not only typical fault scenarios (SLG, LL, LLG, and DC faults) but also cybersecurity incidents such as DoS, FDIA, Replay, and spoofing attacks. Such unified frameworks would enable a comparison of protection algorithms and IDSs while facilitating more robust and cyber-resilient designs.
Moreover, widespread deployment of HIL and RTDS testbeds is essential for industrial-grade validation, as these platforms can simulate measurement limitations and time delays [5,40,80,82]. To reduce the gap between simulation and reality, structured collaboration between academia and industry should be promoted. Grid operators must facilitate data sharing under secure and confidential frameworks, while international organizations should define a common standard structure. Only through such coordination can we achieve credible validation, valuable evaluation, and industrial acceptance of intelligent protection schemes.

6.2. Evolution of AI/ML: From Centralized to Federated and Continual Learning

Most current AI/ML methods for HMGs protection utilize a centralized architecture where sensor and μPMU data are transmitted to a central processing unit [11,17,19,46,51,100,103,120]. This approach faces serious challenges in practice, including bandwidth limitations, privacy concerns, and vulnerability to cyberattacks. Federated learning allows models to be trained locally at each node or subgrid, with only model parameters shared with a central server. This approach eliminates the need for raw data exchange and improves both privacy and resilience. Recent studies show that federated models can achieve accuracy comparable to centralized systems while reducing communication costs.
Another critical advancement is continual learning, which helps maintain model performance even when network behavior changes due to variable loads, DER penetration, and frequent topology changes. Continual learning allows model updates with new data, maintaining stability without full retraining cycles [46,51].
Finally, transfer learning enables the adaptation of pretrained models, significantly reducing training time and labeled data requirements. Therefore, the future path of intelligent protection should shift from traditional centralized architectures toward distributed, federated, and continual frameworks that ensure both scalability and real-world reliability.

6.3. Next-Generation Hardware Implementation (Edge, FPGA, μPMU, ASICs)

Achieving real-time, energy-efficient AI/ML implementation for HMG protection requires hardware innovation beyond algorithmic development. Although GPU-based systems provide high computational power, they are impractical for large-scale applications due to cost, energy consumption, and size constraints [11,100,103,120].
Recent work demonstrates that CNN and LSTM models on FPGAs can reduce response time from over 10 ms to approximately 2–3 ms while lowering energy consumption by up to 40% [11,103]. However, FPGA flexibility remains limited for emerging architectures such as Transformers and GNNs.
At the distribution level, next-generation μPMUs enable local execution of ML models for fault detection. Studies indicate that such devices can identify local faults with over 95% accuracy while reducing communication dependency [100,120]. Looking ahead, the combination of application-specific integrated circuits (ASICs), FPGAs, and μPMUs represents a viable pathway toward compact, fast, and trustworthy protection systems.
In future designs, energy efficiency and hardware life-cycle sustainability should also become central design metrics.

6.4. Cyber–Physical Co-Design and Security Frameworks

A major limitation of current hybrid microgrid protection research lies in the separation between physical and cyber layers. In many studies, protection and cybersecurity are treated as isolated domains, despite the inherently intertwined nature of modern threats [17,19,55,71].
Experimental evidence [13,14,15] shows that attacks such as DoS, FDIA, and MITM can disrupt protection coordination even when relays are properly configured. Conversely, HIL/RTDS studies [5,40,80,82] have demonstrated that adding security layers such as IDS or encryption can increase the latency of GOOSE and SV messages, potentially violating the sub–10 ms time constraint.
To reconcile speed and security, several approaches have been proposed:
  • Integration of IEC 62351 with IEC 61850 protocols for authentication and encryption;
  • Use of SDN and VLAN architectures to segregate protection traffic and reduce injection attacks;
  • Development of hybrid IDSs (AI/ML + signature-based) with enhanced explainability (XAI);
  • Application of blockchain for key management and trust establishment among IEDs.
Together, these strategies form a defense-in-depth framework that enhances both physical resilience and cyber robustness. Future work should focus on optimizing the latency–security balance through adaptive and co-optimized cyber–physical architectures.

6.5. Toward a Global Roadmap and Regional Adaptation

While many technical and cybersecurity challenges in hybrid microgrids are universal, their implementation strategies must be adapted to regional infrastructure, economic capacity, and policy context [60,67,71].
Developed countries are focusing on advanced technologies such as SDN, blockchain, XAI, and distributed μPMUs, benefiting from robust communication infrastructure and high investment levels. In contrast, developing countries face limited resources and require more capacity-building frameworks.
From a scalability and topology perspective, studies [30,31,32,54,86,106,111,121] indicate that large-scale and clustered microgrids require advanced models such as GNNs and Transformers to capture complex spatio-temporal dependencies.
Overall, future directions indicate that HMGs’ protection must evolve from algorithmic accuracy toward operational trust, integrated security, and adaptive intelligence. Current challenges, such as balancing latency and cybersecurity, the lack of real data, and the need for explainability, remain as open research questions. Overcoming these barriers will require convergence between technological innovation, international standardization, and regional policy harmonization to realize the next generation of intelligent, resilient, and sustainable energy infrastructures.

7. Conclusions

This paper has presented a comprehensive review of HMG by examining more than 100 studies, covering key aspects of architectures, conventional protection, AI/ML-based approaches, and cybersecurity. Unlike prior reviews, this work provides an integrated framework that jointly considers both technical and cyber perspectives.
The findings indicate that while classical protection methods remain effective in certain scenarios, there are some limitations, such as blinding relays, sympathetic tripping, and reduced accuracy under islanded operation. On the other hand, AI/ML and deep learning approaches have achieved accuracies above 95% in simulations but are still hindered by challenges such as a lack of real-world data, dataset bias, and limited field validation. Furthermore, existing security standards, like IEC 62351 [57], have not yet fully addressed the operational needs of HMGs.
In terms of implications, this review highlights that the future trajectory should focus on standardized and open datasets, HIL/RTDS-based testing, and a combination of AI and XAI frameworks to ensure transparency and industrial acceptance. Accordingly, this work can serve as a key reference for both researchers and practitioners, guiding the development of secure, resilient, and sustainable hybrid microgrids.

Author Contributions

Conceptualization, F.E.; Methodology, F.E.; Formal analysis, F.E.; Investigation, F.E.; Writing—review & editing, M.G., A.E., M.R., M.P. and O.L.; Visualization, F.E. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by funding from the Electric Utility Management Program (EUMP) at the New Mexico State University.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

List of Abbreviations

Abbreviation  Meaning
AC            Alternating Current
ADNs          Active Distribution Networks
AI            Artificial Intelligence
AMI           Advanced Metering Infrastructure
ANFIS         Adaptive Neuro-Fuzzy Inference System
ANN           Artificial Neural Network
ANSSI         Agence Nationale de la Sécurité des Systèmes d’Information
APPID         Application Identifier
APTs          Advanced Persistent Threats
ASICs         Application-Specific Integrated Circuits
ATL           Adversarial Transfer Learning
BDD           Bad Data Detection
BESS          Battery Energy Storage System
CAF           Cyber Assessment Framework
CapsNets      Capsule Networks
CNNs          Convolutional Neural Networks
COSEM         Companion Specification for Energy Metering
CPS           Cyber–Physical systems
CSF           Cybersecurity Framework
CWT           Continuous Wavelet Transform
D-PMU         Distribution-level Phasor Measurement Unit
DC            Direct Current
DCCBs         Development of DC Circuit Breakers
DDoS          Distributed Denial-of-Service
DERs          Distributed Energy Resources
DG            Distributed Generation
DFIG          Doubly-Fed Induction Generator
DL            Deep Learning
DLMS          Device Language Message Specification
DMD           Dynamic Mode Decomposition
DNP3          Distributed Network Protocol 3
DOCR          Directional Over Current Relay
DoS           Denial of Service
DT            Decision Trees
DWT           Discrete Wavelet Transform
EMT           Electromagnetic Transient
ESSs          Energy Storage Systems
EWT           Empirical Wavelet Transform
FDIA          False Data Injection
FFT           Fast Fourier Transform
FPGA          Field-Programmable Gate Array
FRT           Fault Ride Through
GANs          Generative Adversarial Networks
GAT           Graph Attention Network
GCN           Graph Convolutional Network
GFMI          Grid-Forming Inverters
GGNNs         Gated Graph Neural Networks
GNNs          Graph Neural Networks
GOOSE         Generic Object-Oriented Substation Event
GPS           Global Positioning System
GRU           Gated Recurrent Unit
HAN           Home Area Network
HEMS          Home Energy Management Systems
HHT           Hilbert–Huang Transform
HIF           High-impedance Faults
HIL           Hardware-in-the-Loop
HMGs          Hybrid AC/DC microgrids
HMI           Human–Machine Interface
HRG           High Resistance Grounding
HRGF          High-Resistance Grounding Fault
HSE           Health and Safety Executive
IBRs          Inverter-Based Resources
ICS           Industrial Control System
IEDs          Intelligent Electronic Devices
IEC           International Electrotechnical Commission
IEEE          Institute of Electrical and Electronics Engineers
IGBT          Insulated Gate Bipolar Transistor
ILCs          Interlinking Converters
IDS           Intrusion Detection Systems
IPSs          Intrusion Prevention Systems
ISO           International Organization for Standardization
IT            Information Technology
KNN           k-Nearest Neighbor
LCL           Inductor Capacitor Inductor
LDA           Linear Discriminant Analysis
LL            Line-to-Line Fault
LLG           Line-to-Line-to Ground Fault
LLL           Three-Phase Fault
LLLG          Three-Phase-to Ground
LRAs          Location Reference Attacks
LRG           Low-Resistance Grounding
LSTM          Long Short-Term Memory
LV            Low-Voltage
MITM          Man-in-the-Middle
MGCC          Microgrid Central Controller
ML            Machine Learning
MLP           Multi-Layer Perceptron
MM            Morphological Method
MMS           Manufacturing Message Specification
MOSFET        Metal Oxide-Semiconductor Field-Effect Transistor
MTLS-LR       Multi-Task Latent Learning
MTTR          Mean Time to Recovery
MV            Medium-Voltage
MVCC          Multi-View Cross-Correlation
NAN           Neighborhood Area Network
NCSC          National Cyber Security Centre
NDZ           Non-Detection Zone
NIST          National Institute of Standards and Technology
NIST SP       NIST Special Publication
NREL          National Renewable Energy Laboratory
NTP           Network Time Protocol
OCRs          Overcurrent Relays
OSR           One Class Support Vector Machine
OT            Operational Technology
PCA           Principal Component Analysis
PCCs          Points of Common Coupling
PECs          Power Electronic Converters
PG            Pole-to-Ground
PKI           Public Key Infrastructure
PLC           Power Line Communication
PLR           Packet Loss Ratio
PMUs          Phasor Measurement Units
POPIA         Protection of Personal Information Act
PP            Pole-to-Pole
PTP           Precision Time Protocol
RESs          Renewable Energy Sources
RF            Random Forest
RMSE          Root Mean Square Error
RNNs          Recurrent Neural Networks
RTDS          Real-Time Digital Simulator
RTU           Remote Terminal Unit
SCC           Short-Circuit Capacity
SCADA         Supervisory Control and Data Acquisition
SDN           Software-Defined Networking
SEP           Smart Energy Profile
SHAP          Shapley Additive explanations
SLG           Single-Line-to Ground Fault
SNR           Signal-to-Noise Ratio
SPG           Special Grounding System
SST           Solid-State Transformer
SSCBs         Solid-State Circuit Breakers
STFT          Short-Time Fourier Transform
STGCNs        Spatiotemporal Graph Convolutional Networks
SVs           Sampled Values
SVMs          Support Vector Machines
SWT           Stationary Wavelet Transform
TLS           Transport Layer Security
TSAs          Time Synchronization Attacks
TWTraveling Wave
VGAEsVariational Graph Autoencoders
VLANVirtual Local Area Network
VPNVirtual Private Network
WAMSsWide-Area Monitoring Systems
WANWide Area Network
Wi-SUNWireless Smart Utility Network
XAIExplainable Artificial Intelligence
μPMUsMicro-PMUs

References

  1. Hamanah, W.M.; Hossain, M.I.; Shafiullah, M.; Abido, M.A. AC Microgrid Protection Schemes: A Comprehensive Review. IEEE Access 2023, 11, 76842–76868.
  2. Singh, P.; Kumar, U.; Choudhary, N.K.; Singh, N. Advancements in Protection Coordination of Microgrids: A Comprehensive Review of Protection Challenges and Mitigation Schemes for Grid Stability. Prot. Control Mod. Power Syst. 2024, 9, 156–183.
  3. Ortmann, M.; Maryama, V.; Camurça, L.; Gili, L.; Suarez-Solano, D.; Dantas, D.; Finamor, G.; da Silva, V.; Munaretto, L.; Ruseler, A.; et al. Architecture, components and operation of an experimental hybrid ac/dc smart microgrid. In Proceedings of the 2017 IEEE 8th International Symposium on Power Electronics for Distributed Generation Systems (PEDG), Florianopolis, Brazil, 17–20 April 2017; pp. 1–8.
  4. Bhargav, R.; Gupta, C.P.; Bhalja, B.R. Unified Impedance-Based Relaying Scheme for the Protection of Hybrid AC/DC Microgrid. IEEE Trans. Smart Grid 2022, 13, 913–927.
  5. Mirsaeidi, S.; Dong, X.; Shi, S.; Wang, B. AC and DC microgrids: A review on protection issues and approaches. J. Electr. Eng. Technol. 2017, 12, 2089–2098.
  6. Sarangi, S.; Sahu, B.; Rout, P. Distributed generation hybrid AC/DC microgrid protection: A critical review on issues, strategies, and future directions. Int. J. Energy Res. 2020, 44, 3347–3364.
  7. Rezapour, H.; Jamali, S.; Bahmanyar, A. Review on Artificial Intelligence-Based Fault Location Methods in Power Distribution Networks. Energies 2023, 16, 4636.
  8. De La Cruz, J.; Gómez-Luna, E.; Ali, M.; Vasquez, J.; Guerrero, J. Fault Location for Distribution Smart Grids: Literature Overview, Challenges, Solutions, and Future Trends. Energies 2023, 16, 2280.
  9. Wang, Y.; Huang, Y.; Zeng, X.; Wei, G.; Zhou, J.; Fang, T.; Chen, H. Faulty Feeder Detection of Single Phase-Earth Fault Using Grey Relation Degree in Resonant Grounding System. IEEE Trans. Power Deliv. 2017, 32, 55–61.
  10. Meghwani, A.; Srivastava, S.; Chakrabarti, S. A Non-unit Protection Scheme for DC Microgrid Based on Local Measurements. IEEE Trans. Power Deliv. 2017, 32, 172–181.
  11. Yadav, N.; Tummuru, N.R. Short-Circuit Fault Detection and Isolation Using Filter Capacitor Current Signature in Low-Voltage DC Microgrid Applications. IEEE Trans. Ind. Electron. 2022, 69, 8491–8500.
  12. IEC 61850; Communication Networks and Systems for Power Utility Automation. IEC: Geneva, Switzerland, 2025. Available online: https://webstore.iec.ch/en/publication/6028 (accessed on 26 January 2026).
  13. Hemmati, M.; Palahalli, M.H.; Storti Gajani, G.; Gruosso, G. Impact and Vulnerability Analysis of IEC61850 in Smartgrids Using Multiple HIL Real-Time Testbeds. IEEE Access 2022, 10, 103275–103285.
  14. Hussain, S.M.S.; Ustun, T.S.; Kalam, A. Security threats and possible safeguard mechanisms under IEC 61850 environment. In Proceedings of the 2020 International Conference on Smart Grids and Energy Systems (SGES), Perth, Australia, 23–26 November 2020; pp. 767–772.
  15. Silveira, M. IEC 61850 Network Cybersecurity: Mitigating GOOSE Message Vulnerabilities. In Proceedings of the 6th Annual PAC World Americas Conference, Raleigh, NC, USA, 20–22 August 2019.
  16. Shafiullah, M.; AlShumayri, K.A.; Alam, M.S. Machine learning tools for active distribution grid fault diagnosis. Adv. Eng. Softw. 2022, 173, 103279.
  17. Saif, S.; Sarker, A.T.; Islam, A.K.M.N. Enhancing DoS Detection in SmartGrid: Leveraging ML Using PCA and Explainable AI. In Proceedings of the 2024 6th International Conference on Electrical Engineering and Information & Communication Technology (ICEEICT), Dhaka, Bangladesh, 2–4 May 2024; pp. 1014–1019.
  18. Ustun, T.S.; Hussain, S.M.S.; Yavuz, L.; Onen, A. Artificial Intelligence Based Intrusion Detection System for IEC 61850 Sampled Values Under Symmetric and Asymmetric Faults. IEEE Access 2021, 9, 56486–56495.
  19. Goyel, H.; Swarup, K.S. Data Integrity Attack Detection Using Ensemble-Based Learning for Cyber–Physical Power Systems. IEEE Trans. Smart Grid 2023, 14, 1198–1209.
  20. Arsoniadis, C.G.; Nikolaidis, V.C. A machine learning based fault location method for power distribution systems using wavelet scattering networks. Sustain. Energy Grids Netw. 2024, 40, 101551.
  21. Barkhi, M.; Pourhossein, J.; Hosseini, S. Integrating fault detection and classification in microgrids using supervised machine learning considering fault resistance uncertainty. Sci. Rep. 2024, 14, 28466.
  22. Mampilly, B.; Sheeba, V. An empirical wavelet transform based fault detection and hybrid convolutional recurrent neural network for fault classification in distribution network integrated power system. Multimed. Tools Appl. 2024, 83, 77445–77468.
  23. Shafei, A.P.; Silva, J.A.; Monteiro, J. Convolutional neural network approach for fault detection and characterization in medium voltage distribution networks. e-Prime—Adv. Electr. Eng. Electron. Energy 2024, 10, 100820.
  24. Cieslak, D.; Moreto, M.; Lazzaretti, A.; Macedo-Júnior, J.R. High impedance fault classification in microgrids using a transformer-based model with time series harmonic synchrophasors under data quality issues. Neural Comput. Appl. 2024, 36, 14017–14034.
  25. Salehimehr, S.; Miraftabzadeh, S.M.; Brenna, M. A Novel Machine Learning-Based Approach for Fault Detection and Location in Low-Voltage DC Microgrids. Sustainability 2024, 16, 2821.
  26. Krivohlava, Z.; Chren, S.; Rossi, B. Failure and fault classification for smart grids. Energy Inform. 2022, 5, 33.
  27. Okumus, H.; Nuroglu, F.M. A random forest-based approach for fault location detection in distribution systems. Electr. Eng. 2021, 103, 257–264.
  28. Fan, M.; Xia, J.; Zhang, H.; Zhang, X. Fault Location Method of Distribution Network Based on VGAE-GraphSAGE. Processes 2024, 12, 2179.
  29. Yu, H.; Zhang, Z.; Wang, H.; Li, S. Fault location method for DC distribution network based on multivariate information fusion. Electr. Power Syst. Res. 2024, 233, 110518.
  30. Shi, X.; Xu, Y. A fault location method for distribution system based on one-dimensional convolutional neural network. In Proceedings of the 2021 IEEE International Conference on Power, Intelligent Computing and Systems (ICPICS), Shenyang, China, 29–31 July 2021; pp. 333–337.
  31. Baloch, S.; Muhammad, M.S. An Intelligent Data Mining-Based Fault Detection and Classification Strategy for Microgrid. IEEE Access 2021, 9, 22470–22479.
  32. Miyagishima, F.; Lavrova, O.; Augustine, S.; Ranade, S.; Reno, M.J.; Hernandez-Alvidrez, J. Numerical Analysis of Traveling Waves in Power Systems with Grid Forming Inverters. In Proceedings of the 2022 North American Power Symposium (NAPS), Salt Lake City, UT, USA, 9–11 October 2022; pp. 1–5.
  33. Bhagwat, A.; Dutta, S.; Jadoun, V.K.; Veerendra, A.S.; Sahu, S.K. A customised artificial neural network for power distribution system fault detection. IET Gener. Transm. Distrib. 2024, 18, 2105–2118.
  34. Wang, T.; Zhang, C.; Hao, Z.; Monti, A.; Ponci, F. Data-driven fault detection and isolation in DC microgrids without prior fault data: A transfer learning approach. Appl. Energy 2023, 336, 120708.
  35. Yang, N.C.; Yang, J.M. Fault Classification in Distribution Systems Using Deep Learning With Data Preprocessing Methods Based on Fast Dynamic Time Warping and Short-Time Fourier Transform. IEEE Access 2023, 11, 63612–63622.
  36. Wilches-Bernal, F.; Bidram, A.; Reno, M.J.; Hernandez-Alvidrez, J.; Barba, P.; Reimer, B.; Montoya, R.; Carr, C.; Lavrova, O. A Survey of Traveling Wave Protection Schemes in Electric Power Systems. IEEE Access 2021, 9, 72949–72969.
  37. Lede, A.M.R.; Molina, M.G.; Martinez, M.; Mercado, P.E. Microgrid architectures for distributed generation: A brief review. In Proceedings of the 2017 IEEE PES Innovative Smart Grid Technologies Conference—Latin America (ISGT Latin America), Quito, Ecuador, 20–22 September 2017; pp. 1–6.
  38. Wu, P.; Huang, W.; Tai, N.; Liang, S. A novel design of architecture and control for multiple microgrids with hybrid AC/DC connection. Appl. Energy 2018, 210, 1002–1016.
  39. Ortiz, L.; Orizondo, R.; Águila, A.; González, J.W.; López, G.J.; Isaac, I. Hybrid AC/DC microgrid test system simulation: Grid-connected mode. Heliyon 2019, 5, e02862.
  40. Stefanidou-Voziki, P.; Sapountzoglou, N.; Raison, B.; Dominguez-Garcia, J. A review of fault location and classification methods in distribution grids. Electr. Power Syst. Res. 2022, 209, 108031.
  41. Moloi, K.; Ndlela, N.W.; Davidson, I.E. Fault Classification and Localization Scheme for Power Distribution Network. Appl. Sci. 2022, 12, 11903.
  42. Zhang, L.; Tai, N.; Huang, W.; Liu, J.; Wang, Y. A review on protection of DC microgrids. J. Mod. Power Syst. Clean Energy 2018, 6, 1113–1127.
  43. Verbe, S.C.; Shigenobu, R.; Takahashi, A.; Taoka, H.; Ito, M. Fault detection and synchronization control in hybrid DC/AC microgrids using grid-forming inverter DC-link controller. Energy Rep. 2024, 12, 1449–1463.
  44. Mehdi, A.; Ul Hassan, S.; Haider, Z.; Arefaynie, A.D.; sol Song, J.; Kim, C.H. A systematic review of fault characteristics and protection schemes in hybrid AC/DC networks: Challenges and future directions. Energy Rep. 2024, 12, 120–142.
  45. Krishnamurthy, P.; Thangavel, S.; Dhanalakshmi, R.; Khushi, S.N. Fault Classification in Power System with Inverter-Interfaced Renewable Energy Resources Using Machine Learning. J. Control Autom. Electr. Syst. 2024, 35, 1019–1038.
  46. Cisneros-Saldana, J.I.D.; Samal, S.; Begovic, M.M.; Samantaray, S.R. On Protection Schemes for AC Microgrids: Challenges and Opportunities. IEEE Trans. Ind. Appl. 2024, 60, 4843–4854.
  47. de la Cruz, J.; Wu, Y.; Candelo-Becerra, J.E.; Vásquez, J.C.; Guerrero, J.M. Review of Networked Microgrid Protection: Architectures, Challenges, Solutions, and Future Trends. CSEE J. Power Energy Syst. 2024, 10, 448–467.
  48. Basher, B.G.; Ghanem, A.; Abulanwar, S.; Hassan, M.K.; Rizk, M.E. Fault classification and localization in microgrids: Leveraging discrete wavelet transform and multi-machine learning techniques considering single point measurements. Electr. Power Syst. Res. 2024, 231, 110362.
  49. Wei, X.; Wang, X.; Gao, J.; Yang, D.; Wei, K.; Guo, L. Faulty Feeder Detection for Single-Phase-to-Ground Fault in Distribution Networks Based on Transient Energy and Cosine Similarity. IEEE Trans. Power Deliv. 2022, 37, 3968–3979.
  50. Wang, W.; Gao, X.; Fan, B.; Zeng, X.; Yao, G. Faulty Phase Detection Method Under Single-Line-to-Ground Fault Considering Distributed Parameters Asymmetry and Line Impedance in Distribution Networks. IEEE Trans. Power Deliv. 2022, 37, 1513–1522.
  51. Yang, W.J.; Yin, X.Q.; Tao, J.; Zhang, H.Y. Fault current constrained impedance-based method for high resistance ground fault location in distribution grid. Electr. Power Syst. Res. 2024, 227, 109998.
  52. Augustine, S.; Reno, M.J.; Brahma, S.M.; Lavrova, O. Fault current control and protection in a standalone DC microgrid using adaptive droop and current derivative. IEEE J. Emerg. Sel. Top. Power Electron. 2020, 9, 2529–2539.
  53. Wei, M.; Shi, F.; Zhang, H.; Jin, Z.; Terzija, V.; Zhou, J.; Bao, H. High Impedance Arc Fault Detection Based on the Harmonic Randomness and Waveform Distortion in the Distribution System. IEEE Trans. Power Deliv. 2020, 35, 837–850.
  54. Aslan, Y. An alternative approach to fault location on power distribution feeders with embedded remote-end power generation using artificial neural networks. Electr. Eng. 2012, 94, 125–134.
  55. Hentea, M. A Perspective on Research Initiatives in Cybersecurity Engineering for Future SmartGrids. In Proceedings of the 2022 IEEE International Conference on Electro Information Technology (eIT), Mankato, MN, USA, 19–21 May 2022; pp. 352–357.
  56. Najafzadeh, M.; Ahmadiahangar, R.; Husev, O.; Roasto, I.; Jalakas, T.; Blinov, A. Recent Contributions, Future Prospects and Limitations of Interlinking Converter Control in Hybrid AC/DC Microgrids. IEEE Access 2021, 9, 7960–7984.
  57. IEC 62351; Power Systems Management and Associated Information Exchange—Data and Communications Security. IEC: Geneva, Switzerland, 2025. Available online: https://webstore.iec.ch/en/publication/6912 (accessed on 26 January 2026).
  58. IEC 62443-3-3; Industrial Communication Networks—Network and System Security—Part 3-3: System Security Requirements and Security Levels. IEC: Geneva, Switzerland, 2024. Available online: https://webstore.iec.ch/en/publication/62883 (accessed on 26 January 2026).
  59. NIST SP 800-82; Guide to Operational Technology (OT) Security. NIST: Gaithersburg, MD, USA, 2023. Available online: https://csrc.nist.gov/pubs/sp/800/82/r3/final (accessed on 26 January 2026).
  60. Electric Power Research Institute (EPRI). Implementing the IEC 61850 Substation Automation Standard; Technical Report 3002006451; EPRI: Palo Alto, CA, USA, 2015.
  61. ISO/IEC 27001; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO/IEC: Geneva, Switzerland, 2022. Available online: https://www.iso.org/standard/82875.html (accessed on 26 January 2026).
  62. IEEE Std 1686; IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities. IEEE: New York, NY, USA, 2013. Available online: https://standards.ieee.org/standard/1686-2013.html (accessed on 26 January 2026).
  63. ISO/IEC 27019; Information Technology—Security Techniques—Information Security Controls for the Energy Utility Industry. ISO/IEC: Geneva, Switzerland, 2024. Available online: https://www.iso.org/standard/85056.html (accessed on 26 January 2026).
  64. IEEE Std 1547; IEEE Standard for Interconnection and Interoperability of Distributed Energy Resources with Associated Electric Power Systems Interfaces. IEEE: New York, NY, USA, 2018. Available online: https://standards.ieee.org/standard/1547-2018.html (accessed on 26 January 2026).
  65. Dzobo, O.; Tivani, L.; Mbatha, L. A review on cybersecurity for distributed energy resources: Opportunities for South Africa. J. Infrastruct. Policy Dev. 2024, 8, 8631.
  66. Kumar, S.; Abu-Siada, A.; Das, N.; Islam, S. Review of the Legacy and Future of IEC 61850 Protocols Encompassing Substation Automation System. Electronics 2023, 12, 3345.
  67. Yildirim Yayilgan, S.; Holik, F.; Abomhara, M.; Abraham, D.; Gebremedhin, A. An Approach for Analyzing Cyber Security Threats and Attacks: A Case Study of Digital Substations in Norway. Electronics 2022, 11, 4006.
  68. IEC 60870-5-104; Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles. IEC: Geneva, Switzerland, 2006. Available online: https://webstore.iec.ch/en/publication/25035 (accessed on 26 January 2026).
  69. IEEE Std 2030.5; IEEE Standard for Smart Energy Profile Application Protocol. IEEE: New York, NY, USA, 2018. Available online: https://standards.ieee.org/standard/2030_5-2018.html (accessed on 26 January 2026).
  70. IEEE Std C37.118.2; IEEE Standard for Synchrophasor Data Transfer for Power Systems. IEEE: New York, NY, USA, 2011. Available online: https://standards.ieee.org/standard/C37_118_2-2011.html (accessed on 26 January 2026).
  71. Achaal, B.; Adda, M.; Berger, M.; Ibrahim, H.; Awde, A. Study of smart grid cyber-security, examining architectures, communication networks, cyber-attacks, countermeasure techniques, and challenges. Cybersecurity 2024, 7, 10.
  72. Venkataramani, A.A.; Morgenstern, C.W.; Rong, Y.; Wolfe, P.F.W.; Janice, B.A.; Kolodziej, K.E.; Bliss, D.W. Low-Cost Measurement Setup for Power Amplifier Characterization and Digital Pre-distortion: Challenges and Implementation. In Proceedings of the 2024 IEEE Radar Conference (RadarConf24), Denver, CO, USA, 6–10 May 2024; pp. 1–6.
  73. Cecilia, A.; Sahoo, S.; Dragičević, T.; Costa-Castelló, R.; Blaabjerg, F. On Addressing the Security and Stability Issues Due to False Data Injection Attacks in DC Microgrids—An Adaptive Observer Approach. IEEE Trans. Power Electron. 2022, 37, 2801–2814.
  74. Tan, S.; Xie, P.; Guerrero, J.M.; Vasquez, J.C. False Data Injection Cyber-Attacks Detection for Multiple DC Microgrid Clusters. Appl. Energy 2022, 310, 118425.
  75. Li, C.; Wang, X.; Chen, X.; Han, A.; Zhang, X. Data-Driven Attack Detection Mechanism Against False Data Injection Attacks in DC Microgrids Using CNN-LSTM-Attention. Symmetry 2025, 17, 1140.
  76. Molina, J.D.; Buitrago, L.F.; Zapata, J.A. Methodology for the Evaluation of Cybersecurity in the Colombian Power System. In Proceedings of the 2023 IEEE Colombian Conference on Communications and Computing (COLCOM), Bogota, Colombia, 26–28 July 2023; pp. 1–6.
  77. IEEE Std 802.1Q; IEEE Standard for Local and Metropolitan Area Networks–Bridges and Bridged Networks. IEEE: New York, NY, USA, 2018. Available online: https://standards.ieee.org/standard/802_1Q-2018.html (accessed on 26 January 2026).
  78. Zaben, M.M.; Worku, M.Y.; Hassan, M.A.; Abido, M.A. Machine Learning Methods for Fault Diagnosis in AC Microgrids: A Systematic Review. IEEE Access 2024, 12, 20260–20298.
  79. Ibrahim, M.H.; Badran, E.A.; Abdel-Rahman, M.H. Detect, Classify, and Locate Faults in DC Microgrids Based on Support Vector Machines and Bagged Trees in the Machine Learning Approach. IEEE Access 2024, 12, 139199–139224.
  80. Vaish, R.; Dwivedi, U.; Tewari, S.; Tripathi, S. Machine learning applications in power system fault diagnosis: Research advancements and perspectives. Eng. Appl. Artif. Intell. 2021, 106, 104504.
  81. Srivastava, I.; Bhat, S.; Vardhan, B.V.S.; Bokde, N.D. Fault Detection, Isolation and Service Restoration in Modern Power Distribution Systems: A Review. Energies 2022, 15, 7264.
  82. Forouzesh, A.; Golsorkhi, M.; Savaghebi, M.; Baharizadeh, M. Support Vector Machine Based Fault Location Identification in Microgrids Using Interharmonic Injection. Energies 2021, 14, 2317.
  83. Awasthi, S.; Singh, G.; Ahamad, N. Classifying Electrical Faults in a Distribution System Using K-Nearest Neighbor (KNN) Model in Presence of Multiple Distributed Generators. J. Inst. Eng. (India) Ser. B 2024, 105, 621–634.
  84. Jimenez-Aparicio, M.; Reno, M.J.; Hernandez-Alvidrez, J. Fast Traveling Wave Detection and Identification Method for Power Distribution Systems Using the Discrete Wavelet Transform. In Proceedings of the 2023 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), Washington, DC, USA, 16–19 January 2023; pp. 1–5.
  85. Wilches-Bernal, F.; Jiménez-Aparicio, M.; Reno, M.J. A Machine Learning-based Method using the Dynamic Mode Decomposition for Fault Location and Classification. In Proceedings of the 2022 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), New Orleans, LA, USA, 24–28 April 2022; pp. 1–5.
  86. Jimenez-Aparicio, M.; Wilches-Bernal, F.; Reno, M.J. Local, Single-Ended, Traveling-Wave Fault Location on Distribution Systems Using Frequency and Time-Domain Data. IEEE Access 2023, 11, 74201–74215.
  87. Biswal, M.; Pati, S.; Ranade, S.J.; Lavrova, O.; Reno, M.J. Exploring the use of Shapelets in Traveling Wave based Fault Detection in Distribution Systems. In Proceedings of the 2022 IEEE Texas Power and Energy Conference (TPEC), College Station, TX, USA, 28 February–1 March 2022; pp. 1–6.
  88. Wilches-Bernal, F.; Jiménez-Aparicio, M.; Reno, M. An Algorithm for Fast Fault Location and Classification Based on Mathematical Morphology and Machine Learning. In Proceedings of the 2022 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), New Orleans, LA, USA, 24–28 April 2022; pp. 1–5.
  89. Zhou, M.; Kazemi, N.; Musilek, P. Distribution Grid Fault Classification and Localization using Convolutional Neural Networks. Smart Grids Energy 2024, 9, 24.
  90. Li, X. High impedance fault location in power distribution systems using deep learning and micro phasor measurements units (PMU). Multiscale Multidiscip. Model. Exp. Des. 2024, 7, 1045–1056.
  91. Mbey, C.F.; Foba Kakeu, V.J.; Boum, A.T.; Yem Souhe, F.G. Fault detection and diagnosis in power distribution systems using hybrid intelligent methods. J. Eng. 2023, 2023, 680–691.
  92. Yildiz, T.; Abur, A. Convolutional Neural Network-assisted fault detection and location using few PMUs. Electr. Power Syst. Res. 2024, 235, 110705.
  93. Yuan, J.; Jiao, Z. Faulty feeder detection for single phase-to-ground faults in distribution networks based on patch-to-patch CNN and feeder-to-feeder LSTM. Int. J. Electr. Power Energy Syst. 2023, 147, 108909.
  94. Rai, P.; Londhe, N.D.; Raj, R. Fault classification in power system distribution network integrated with distributed generators using CNN. Electr. Power Syst. Res. 2021, 192, 106914.
  95. Mirshekali, H.; Keshavarz, A.; Dashti, R.; Hafezi, S.; Shaker, H.R. Deep learning-based fault location framework in power distribution grids employing convolutional neural network based on capsule network. Electr. Power Syst. Res. 2023, 223, 109529.
  96. Grcić, I.; Pandžić, H. High-Impedance Fault Detection in DC Microgrid Lines Using Open-Set Recognition. Appl. Sci. 2025, 15, 193.
  97. Yang, S.; Jiao, Y.; Chen, Q.; Li, H.; Zhou, L.; Zhu, H. A Single-Phase to Ground Fault Identification Method Based on Extremely Low Frequency Current Detection in Distribution Grids. IEEE Trans. Power Deliv. 2022, 37, 5214–5223.
  98. Rizeakos, V.; Bachoumis, A.; Andriopoulos, N.; Birbas, M.; Birbas, A. Deep learning-based application for fault location identification and type classification in active distribution grids. Appl. Energy 2023, 338, 120932.
  99. Sirojan, T.; Lu, S.; Phung, B.; Zhang, D.; Ambikairajah, E. Sustainable Deep Learning at Grid Edge for Real-Time High Impedance Fault Detection. IEEE Trans. Sustain. Comput. 2022, 7, 346–357.
  100. Fornás, J.G.; Jaraba, E.H.; Estopiñan, A.L.; Saldana, J. Detection and Classification of Fault Types in Distribution Lines by Applying Contrastive Learning to GAN Encoded Time-Series of Pulse Reflectometry Signals. IEEE Access 2022, 10, 110521–110536.
  101. Liang, L.; Zhang, H.; Cao, S.; Zhao, X.; Li, H.; Chen, Z. Fault location method for distribution networks based on multi-head graph attention networks. Front. Energy Res. 2024, 12, 1395737.
  102. Mo, H.; Peng, Y.; Wei, W.; Xi, W.; Cai, T. SR-GNN Based Fault Classification and Location in Power Distribution Network. Energies 2023, 16, 433.
  103. Haydaroğlu, C.; Gümüş, B. Fault Detection in Distribution Network with the Cauchy-M Estimate—RVFLN Method. Energies 2023, 16, 252.
  104. Dashtdar, M.; Hussain, A.; Al Garni, H.Z.; Mas’ud, A.A.; Haider, W.; AboRas, K.M.; Kotb, H. Fault Location in Distribution Network by Solving the Optimization Problem Based on Power System Status Estimation Using the PMU. Machines 2023, 11, 109.
  105. Hu, J.; Hu, W.; Chen, J.; Cao, D.; Zhang, Z.; Liu, Z.; Chen, Z.; Blaabjerg, F. Fault Location and Classification for Distribution Systems Based on Deep Graph Learning Methods. J. Mod. Power Syst. Clean Energy 2023, 11, 35–51.
  106. de Freitas, J.T.; Coelho, F.G.F. Fault localization method for power distribution systems based on gated graph neural networks. Electr. Eng. 2021, 103, 2259–2266.
  107. Awasthi, S.; Singh, G.; Ahamad, N. Fault Identification in Distributed Generation System Using Shallow ANN Model. J. Inst. Eng. (India) Ser. B 2024, 105, 131–145.
  108. Gilanifar, M.; Wang, H.; Cordova, J.; Ozguven, E.E.; Strasser, T.I.; Arghandeh, R. Fault classification in power distribution systems based on limited labeled data using multi-task latent structure learning. Sustain. Cities Soc. 2021, 73, 103094.
  109. Mirshekali, H.; Dashti, R.; Keshavarz, A.; Shaker, H.R. Machine Learning-Based Fault Location for Smart Distribution Networks Equipped with Micro-PMU. Sensors 2022, 22, 945.
  110. Bhatnagar, M.; Yadav, A.; Swetapadma, A. Integrating Distributed Generation and Advanced Deep Learning for Efficient Distribution System Management and Fault Detection. Arab. J. Sci. Eng. 2024, 49, 7095–7111.
  111. Jamali, S.; Bahmanyar, A.; Ranjbar, S. Hybrid classifier for fault location in active distribution networks. Prot. Control Mod. Power Syst. 2020, 5, 17.
  112. Kurup, A.R.; Summers, A.; Bidram, A.; Reno, M.J.; Martínez-Ramón, M. Ensemble models for circuit topology estimation, fault detection and classification in distribution systems. Sustain. Energy Grids Netw. 2023, 34, 101017.
  113. Deb, A.; Jain, A.K. An effective data-driven machine learning hybrid approach for fault detection and classification in a standalone low-voltage DC microgrid. Electr. Eng. 2024, 106, 6199–6212.
  114. Abdelsalam, A.A.; Salem, A.A.; Oda, E.S.; Eldesouky, A.A. Islanding Detection of Microgrid Incorporating Inverter Based DGs Using Long Short-Term Memory Network. IEEE Access 2020, 8, 106471–106486.
  115. Baghaee, H.R.; Mlakić, D.; Nikolovski, S.; Dragicević, T. Support Vector Machine-Based Islanding and Grid Fault Detection in Active Distribution Networks. IEEE J. Emerg. Sel. Top. Power Electron. 2020, 8, 2385–2403.
  116. Yu, J.J.Q.; Hou, Y.; Lam, A.Y.S.; Li, V.O.K. Intelligent Fault Detection Scheme for Microgrids With Wavelet-Based Deep Neural Networks. IEEE Trans. Smart Grid 2019, 10, 1694–1703.
  117. Yu, Y.; Li, M.; Ji, T.; Wu, Q.H. Fault location in distribution system using convolutional neural network based on domain transformation. CSEE J. Power Energy Syst. 2021, 7, 472–484.
  118. Swaminathan, R.; Mishra, S.; Routray, A.; Swain, S.C. A CNN-LSTM-based fault classifier and locator for underground cables. Neural Comput. Appl. 2021, 33, 15293–15304.
  119. Dehghani, F.; Nezami, H. A new fault location technique on radial distribution systems using artificial neural network. In Proceedings of the 22nd International Conference and Exhibition on Electricity Distribution (CIRED 2013), Stockholm, Sweden, 10–13 June 2013; pp. 1–4.
  120. Luo, X.; Zhang, L.; Shan, H.; Ji, T. Traveling wave velocity independent fault location scheme with adaptive mathematical filters for distribution network. Electr. Power Syst. Res. 2022, 209, 108040. Available online: https://standards.ieee.org/ieee/1547.2/7166/ (accessed on 26 January 2026).
  121. Dagar, A.; Gupta, P.; Niranjan, V. Microgrid protection: A comprehensive review. Renew. Sustain. Energy Rev. 2021, 149, 111401.
  122. Wang, B.; Cui, X. Nonlinear Modeling Analysis and Arc High-Impedance Faults Detection in Active Distribution Networks with Neutral Grounding via Petersen Coil. IEEE Trans. Smart Grid 2025, 13, 1888–1898.
Figure 1. Typical waveforms of DC-link voltage and fault current during L–L and L–G faults.
Figure 2. Different types of cyberattacks in the smart grid.
Figure 3. The function of the management framework in cybersecurity defense.
Table 1. Classification of faults in hybrid AC/DC microgrids and their protection implications.

| Environment | Fault Type | Key Signature | Protection Implication | Refs. |
|---|---|---|---|---|
| AC Subnet | Single-line-to-ground (SLG), line-to-line (LL), line-to-line-to-ground (LLG), three-phase/three-phase-to-ground (LLL/LLLG) | High fault currents (5–15 kA) in grid-connected operation; limited to ∼1.2–2.0 pu in islanded mode; possible unbalance and negative-sequence content | Overcurrent relay/directional overcurrent relay (OCR/DOCR) under-reach in islanded operation; distance relay under/over-reach; need for adaptive settings and complementary schemes | [4,5,8,40,41] |
| DC Subnet | Pole-to-pole (PP), pole-to-ground (PG), series/parallel arc faults | High $di/dt$ (0.5–5 kA/ms); fast $V_{dc}$ sag; behavior strongly dependent on grounding (high-resistance grounding (HRG) → small current, low-resistance grounding (LRG)/solid → large current, ungrounded/diode-grounded → difficult detection) | Requires interruption < 2 ms; challenges in HRGF detection; severe stress on DC circuit breakers; arc persistence without natural current zero | [5,10,11,42] |
| AC/DC Link (ILC) | Converter faults, commutation failure, DC-link faults | Instantaneous overcurrents; bidirectional propagation of disturbances between AC and DC; thermal stress on insulated gate bipolar transistor (IGBT)/metal-oxide semiconductor field-effect transistor (MOSFET); DC-link capacitor discharge transients | Tightly coordinated AC + DC protection required; risk of converter failure and transient instability; benefits from fault ride through (FRT)-capable control in ILCs | [4,5,43,44,45] |
| Clustered MGs | Internal/external fault ambiguity; unintentional islanding | Multiple parallel current paths; frequent topology reconfiguration; communication delays affecting coordination | Difficult fault-boundary discrimination; sympathetic tripping; need for communication-/logic-assisted or AI-aided adaptive coordination | [4,5,6] |
Table 2. Summary of key standards and guidelines related to cybersecurity in microgrids and DERs.

| Source | Focus/Scope | Key Notes |
|---|---|---|
| IEC 61850 [12] | Real-time communication in power systems | Foundation for data exchange in microgrids; early versions lacked intrinsic security mechanisms. |
| IEC 62351 [57] | Securing data exchange in power systems | Complements IEC 61850 [12] by introducing encryption, authentication, and integrity protection to mitigate message spoofing and manipulation. |
| IEC 62443 [58] | Security of industrial automation and control systems | Primary reference for ICS cybersecurity; widely applied to DER industrial components and aligned with ISO 27001 [61] principles. |
| NIST SP 800-82/SP 800-53 [59] | ICS security and comprehensive security controls | Provides a holistic cybersecurity framework and an extensive catalog of technical, operational, and management controls. |
| NIST Cybersecurity Framework | Risk management and organizational processes | Supports threat identification, risk assessment, and resilience planning across cyber–physical energy systems. |
| IEEE Std 1686 [62] | Security requirements for intelligent electronic devices (IEDs) | Defines minimum security capabilities to prevent unauthorized access, configuration tampering, and intrusion. |
| ISO 27019 [63] | Security in energy systems | Adapts IT security controls to process control environments specific to the energy sector. |
| ANSSI/NCSC/HSE | National and European guidelines | Focus on regulatory compliance and cyber assessment frameworks (CAFs) for critical infrastructures. |
| IEEE 1547 [64] | DER interconnection with distribution networks | Addresses electrical interconnection requirements; cybersecurity considerations are largely absent. |
| NREL/Sandia | Research initiatives and complementary guidelines | Provide DER-focused research outputs and supplemental guidance incorporating general cybersecurity principles. |
| National regulations (e.g., POPIA, Cybersecurity and Cybercrimes Acts) | Data protection and legal framework | Establish legal obligations for personal data protection and criminalize cyberattacks on critical systems. |
Table 3. Protocol mapping with latency budget, typical attacks, and mitigation strategies.

| Protocol/Layer | Typical Application | Latency Budget | Common Attacks | Mitigation/Controls | Refs. |
|---|---|---|---|---|---|
| IEC 61850—SV (Process Bus) | Current/voltage sampling | <1 ms (microsecond-level) | Replay, MITM, frame manipulation, flooding | VLAN segregation, SDN flow rules, stNum/sqNum plausibility checks | [13,14,15] |
| IEC 61850—GOOSE (Process Bus) | Protection trips, interlocking | 3–10 ms | Flooding, high stNum spoofing, replay | VLAN/SDN isolation, anomaly-based IDS, IEC 62351-6 | [13,15] |
| IEC 61850—MMS (Station Bus) | Monitoring, configuration | Tens of ms | MITM, credential theft | TLS (when latency is tolerable), NAC (802.1X), RBAC | [14,66] |
| IEC 60870-5-104 (WAN Telecontrol) | Remote SCADA/telecontrol | 100 ms–seconds | DoS/DDoS, replay, MITM | VPN/IPsec, IEC 62351-5, rate limiting | [17,67] |
| DNP3 (Legacy WAN/Field) | Distribution automation | 100 ms–seconds | Replay, spoofing | Secure DNP3 (DNP3-SA), firewall rules | [66,67] |
| Modbus (Legacy Field) | Legacy RTU/IED | Seconds | Spoofing, replay | Protocol gateway hardening, industrial firewalls, whitelisting | [66,67] |
| AMI (DLMS/COSEM, IEEE 2030.5, SEP 2.0) | Metering, demand response | Seconds–minutes | Malware in gateway, privacy leakage, supply-chain | PKI for meters, firmware signing, privacy-by-design | [65,71] |
| Phasor—IEEE C37.118.2 | Wide-area phasor measurements | Tens of ms | TSA, LRA, DoS | Cross-checking time sources (GPS/PTP), VPNs | [67,71] |
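The stNum/sqNum plausibility check named in Table 3, applied here to a GOOSE stream (whose attack column lists high-stNum spoofing and replay), as an added example that is not code from the article or the studies it reviews. The `MAX_SQ_GAP` tolerance, the verdict names, the control block reference and the sample frames are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_SQ_GAP = 3  # assumption: tolerate up to 3 lost retransmissions

@dataclass
class GooseState:
    st_num: int
    sq_num: int

def check_frame(last, st_num, sq_num):
    """Classify one frame against the last accepted (stNum, sqNum) of its stream."""
    if last is None:
        return "accept"  # first frame seen: nothing to compare against yet
    if st_num == last.st_num:  # retransmission of the same state
        if sq_num <= last.sq_num:
            return "replay"
        return "accept" if sq_num - last.sq_num <= MAX_SQ_GAP else "sq_gap"
    if st_num == last.st_num + 1:  # new event: sqNum restarts at 0
        return "accept" if sq_num <= MAX_SQ_GAP else "bad_sq_restart"
    # Counter rollover and publisher restart are not modelled in this sketch.
    return "replay" if st_num < last.st_num else "st_jump"

def scan(frames):
    """Return (index, stream, verdict) for every frame that is not accepted."""
    state, alerts = {}, []
    for i, (ref, st_num, sq_num) in enumerate(frames):
        verdict = check_frame(state.get(ref), st_num, sq_num)
        if verdict == "accept":
            state[ref] = GooseState(st_num, sq_num)  # only accepted frames move the baseline
        else:
            alerts.append((i, ref, verdict))
    return alerts

REF = "IED1/LLN0$GO$gcb01"  # hypothetical control block reference
# Constructed sample stream, not captured traffic: (stream, stNum, sqNum)
SAMPLE = [
    (REF, 5, 10),
    (REF, 5, 11),
    (REF, 6, 0),     # legitimate state change
    (REF, 6, 1),
    (REF, 5, 11),    # stale frame seen again
    (REF, 9000, 0),  # implausible stNum jump
    (REF, 6, 2),     # legitimate stream continues
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because rejected frames never update the baseline, the legitimate stream keeps being accepted after an implausible stNum is seen; a real publisher restart would also be flagged and needs an operator-defined resynchronization rule.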
Table 4. Comparison of commonly used ML classifiers in power system protection.

| Model | Core Idea | Strengths | Limitations | Best Application | Accuracy (%) | Sample Studies |
|---|---|---|---|---|---|---|
| SVM | Margin maximization between classes | High accuracy with limited and nonlinear data | High computational cost; parameter tuning required | Small-to-medium datasets with engineered features | 92–97% (feature-dependent) | [20,21,82] |
| KNN | Voting based on nearest neighbors | Simple; no complex training | Poor scalability; sensitive to feature scaling | Small networks or preliminary tests | 88–94% (scale-sensitive) | [48,80,83] |
| DT | If–then rule-based tree | Interpretable; fast | Prone to overfitting in deep trees | Applications requiring transparency | 85–99% (scenario-dependent) | [78,80] |
| RF | Ensemble of decision trees (bagging) | Stable; noise-tolerant | Larger model; less interpretable | Noisy datasets; diverse operating conditions | 93–99.9% (noise-robust) | [27,81] |
| AdaBoost | Sequential boosting of weak learners | High accuracy with compact models | Sensitive to noise and outliers | Clean datasets; fine decision boundaries | 95–99% (outlier-sensitive) | [78,80] |
| MLP (Shallow ANN) | Nonlinear function approximation | Flexible; effective with rich features | More data required; risk of overfitting | Complex features with limited data compared to DL | 90–100% (data-hungry) | [7,78,83] |

Note: Accuracy values are reported as typical ranges extracted from representative studies under different network sizes, noise levels, and validation settings.
Table 5. Comparison of traveling-wave-based methods in distribution network protection.

| Method | Key Feature | Advantages | Limitations | Sample Studies |
|---|---|---|---|---|
| DWT + RF | High-level wavelet analysis with ML integration | High sensitivity; fast execution | Requires MHz level sampling infrastructure | [84] |
| SWT + MM | Combined time–frequency domain processing | High location accuracy; robust against noise | Requires computationally heavy EMT simulations | [86] |
| Shapelet + LDA | Signal subsequence extraction and classification | Lower complexity; robust to measurement noise | Validated mainly on simple single-phase models | [87] |
| DMD + RF | Dynamic pattern extraction from transient signals | High classification accuracy; reduced localization error | Validated only on small-scale distribution networks | [85] |
| MM + RF | Short-window transient data (100 μs) | Reported 100% accuracy; ≈13 m location error | Requires ultra-high sampling rates (≈10 MHz) | [88] |
Table 6. Comparison of deep learning-based methods in distribution network and microgrid protection.

| Method | Key Feature | Advantages | Limitations | Accuracy | Sample Studies |
|---|---|---|---|---|---|
| CNN (1D/2D) | Automatic spatial and local feature extraction from raw or transformed signals | High accuracy; strong capability for waveform and time–frequency representations | High training cost; sensitive to domain shift | 93–99% | [30,89,94] |
| RNN (LSTM/GRU) | Temporal dependency modeling in sequential data | Effective for transient and evolving fault detection | Slow convergence; vanishing gradient issues | 92–98% | [22,91] |
| CNN–RNN Hybrid | Joint spatial–temporal learning | High robustness; improved generalization | High architectural complexity; tuning overhead | 95–99% | [22,92,93] |
| Transformer | Attention-based global dependency modeling | Strong robustness to noise; scalable to PMU data | Computationally intensive; data-hungry | 96–99% | [24,94] |
| CapsNet | Preserves hierarchical spatial relationships | Improved fault localization; reduced information loss | High memory cost; limited field validation | 94–99% | [95] |
| ANFIS | Neuro-fuzzy reasoning with interpretability | Explainable decisions; suitable for industrial use | Limited scalability; manual rule tuning | 90–97% | [91] |
| GAN/Siamese/Contrastive | Synthetic data generation and few-shot learning | Improves performance under data scarcity | Training instability; validation difficulty | 80–92% | [100] |
Table 7. Summary of recent AI-based protection studies in hybrid AC/DC microgrids.

| System/Data | Key Technique | Accuracy | Response Time | Dataset/Scenarios | Advantages | Limitations | Ref. |
|---|---|---|---|---|---|---|---|
| DC MG (PV + BESS, 10 kHz) | OSR + NN | 99.99% HIF detection | Real-time | 200 normal + 21 HIF cases | No need for real HIF data | Only resistive load; no real data | [96] |
| LVDC (600 V, PV + EV + hybrid storage) | CS + RT + LSTM | >93% fault location | ∼1 ms | P–G, P–P faults (1.5–5 Ω) | Ultra-fast; no communication required | Simulation only; precise IEDs required | [25] |
| Stand-alone DC MG | Bagged Trees + C-kNN | ∼98–100% classification | <1 ms | Simulated fault scenarios | Local data only; noise-robust | Limited fault types; simulation-only | [113] |
| Multi-terminal DC grid | ATL + CNN + Att-BLSTM | >90% detection | Few ms | Perturbed normal → pseudo-fault | No real fault data required | Sensitive to parameter tuning; simulation-only | [34] |
| IEEE 14-bus DC (modified) | SVM + Bagged Trees (single-point) | 95–100% location; ∼100% classification | Few ms | 723 scenarios (P–G, P–P) | Reduced sensor cost | Noise-dependent; simulation-only | [79] |
| Hybrid MG (DG + inverter + PV/DFIG) | LSTM + 2nd harmonic | >97% islanding detection | <100 ms | Simulation + laboratory data | High accuracy and fast response | Limited lab data; heavy preprocessing | [114] |
| Real PV plant (23.8 kWp) | SVM | ∼100% detection | <100 ms | Real + simulated data | Reduced NDZ; field validated | Requires custom IEDs | [115] |
| CERTS MG + IEEE-34 (0.48 kV) | DWT + DNN | >99% classification; ∼97.8% fault type | 0.35 ms | Branch currents 3.84 kHz | Robust to SNR ≥ 30 dB | Large dataset; tuning required | [116] |
| 5-bus DC grid (GFMI) | TW + LCL filter | | | Switching frequency 4–10 kHz | Improved SNR (21–27 dB) | Simulation-only; no real data | [32] |
| Survey (AC/DC grids) | TW + Wavelet/Kalman/ML | Sub-1 ms; tens of meters | <1 ms | Simulation and pilot studies | Fault-current independent | High cost; MHz-level sampling required | [36] |
Table 8. AI-based cybersecurity techniques for power system protection.

| Scenario/Protocol | AI Technique | Accuracy | Key Advantage | Limitation | Ref. |
|---|---|---|---|---|---|
| DoS attacks in smart grids | PCA + XAI | ≈97% | Effective dimensionality reduction with explainable decisions | Limited dataset diversity | [17] |
| IEC 61850 SV under fault/attack conditions | ML (SVM, RF) | >95% | Accurate detection of data-level cyberattacks | Simulation-only evaluation | [18] |
| Data integrity attacks in CPS | Ensemble learning | >96% | High robustness under noisy and uncertain data | Few real-world attack samples | [19] |
| GOOSE protocol attacks | SDN-assisted ML | | Defense-in-depth with reduced attack surface | High deployment and integration cost | [15] |
| Comprehensive smart grid survey | AI, blockchain, NIST CSF | | Holistic multi-layer cybersecurity framework | Limited focus on response and recovery stages | [71] |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Eslami, F.; Gangineni, M.; Ebrahimi, A.; Rathnayake, M.; Patel, M.; Lavrova, O. A Review on Protection and Cybersecurity in Hybrid AC/DC Microgrids: Conventional Challenges and AI/ML Approaches. Energies 2026, 19, 744. https://doi.org/10.3390/en19030744
