IEC 61850 Sampled Values (SV) communication lacks authentication and encryption, rendering it vulnerable to malicious injection attacks that may cause protective relay misoperation or failure-to-trip; existing detection methods neglect the risk of communication disruption induced by defensive actions. This paper proposes an integrated SV attack defense framework unifying statistical modeling and deep learning: it precisely characterizes network latency using an exponentially modified Gaussian distribution and employs a hybrid LSTM–Elman neural network for probabilistic anomaly detection. For the first time, active filtering and source localization are performed concurrently upon detection. The method achieves near-zero false-positive rates and low latency overhead. It is rigorously validated across industrial Intelligent Electronic Devices (IEDs), hardware-in-the-loop (HIL) testbeds, and virtualized platforms, demonstrating high accuracy, strong robustness, and readiness for practical deployment.

The digital transformation of power systems is accelerating the adoption of IEC 61850 standard. However, its communication protocols, including Sampled Values (SV), lack built-in security features such as authentication and encryption, making them vulnerable to malicious packet injection. Such cyber attacks can delay fault clearance or trigger unintended circuit breaker operations. While most existing research focuses on detecting cyber attacks in digital substations, intrusion prevention systems have been disregarded because of the risk of potential communication network disruptions. This paper proposes a novel method using hybrid statistical-deep learning for the detection, prevention, and source localization of IEC 61850 SV injection attacks. The method uses exponentially modified Gaussian distributions to model communication network latency and long short-term memory and Elman recurrent neural network to detect anomalous variations in the estimated probability distributions. It effectively discards malicious SV frames with minimal processing overhead and latency, maintains robustness against communication network latency variation and time-synchronization issues, and guarantees a near-zero false positive rate in non-attack scenarios. Comprehensive validation is conducted on three testbeds involving industrial-grade devices, hardware-in-the-loop simulations, virtualized intelligent electronic devices and merging units, and high-fidelity emulated communication networks. Results demonstrate the method's suitability for practical deployment in IEC 61850-compliant digital substations.