Resilience of IEC 61850 Sampled Values-Based Protection Systems Under Coordinated False Data Injections

📅 2026-05-08
🤖 AI Summary
This study addresses the vulnerability of sampled value (SV)-based protection systems in IEC 61850 digital substations to highly stealthy coordinated false data injection attacks (FDIAs), which can induce maloperation or failure to operate, thereby jeopardizing grid security. The authors develop an industrial-grade power hardware-in-the-loop (PHIL) experimental platform to emulate an adversary with both physical and cyber capabilities at the bay level, demonstrating for the first time the feasibility of multi-parameter, physically consistent FDIAs within a real-time, closed-loop environment involving actual intelligent electronic devices (IEDs). To enhance resilience, they propose a defense mechanism leveraging trusted independent communication channels and cross-validation of SV data within the protection logic, addressing gaps in existing standard security measures. Experimental results confirm that the proposed approach effectively mitigates stealthy attacks and significantly improves the security and reliability of SV-based protection systems in realistic operational scenarios.
📝 Abstract
This paper assesses the resilience of IEC 61850 digital substations under False Data Injection Attacks (FDIAs) targeting the Sampled Values (SV) protocol. The multicast nature of SV, while enabling time-critical automation, exposes substations to cyber intrusions capable of disrupting protection functions and causing large-scale outages. To evaluate these risks, coordinated attack vectors involving both physical and cyber access at the bay level are experimentally analyzed using an advanced setup based on industrial-grade intelligent electronic devices (IEDs). The proposed attacks simultaneously manipulate multiple electrical parameters in a coordinated and physically consistent manner. Experimental results confirm the feasibility of stealthy multi-vector FDIAs that can trigger false protection actions, conceal real faults, or block protection mechanisms while maintaining realistic signal behavior. The Power Hardware-in-the-Loop (PHIL) testbed enables closed-loop evaluation under strict timing, communication, and protection logic constraints, reflecting real device behavior beyond simulation and controller-level HIL environments. The findings reveal critical vulnerabilities in SV-based protection schemes that directly affect grid reliability, particularly under realistic attacker positioning. To address these challenges, a defense strategy covering deterrence, prevention, detection, mitigation, and resilience is analyzed, with emphasis on bay-level infrastructure. Furthermore, a resilience-oriented method based on trusted independent channels and cross-verification of SV data within the protection logic is outlined as a complementary countermeasure for scenarios where existing standardized security mechanisms are insufficient.
Problem

Research questions and friction points this paper is trying to address.

False Data Injection Attacks
IEC 61850
Sampled Values
Protection Systems
Cyber-Physical Vulnerability
Innovation

Methods, ideas, or system contributions that make the work stand out.

False Data Injection Attack
IEC 61850 Sampled Values
Power Hardware-in-the-Loop
Coordinated Cyber-Physical Attack
Resilience-Oriented Defense