This work addresses the vulnerability of transformer current differential relays (TCDRs) to stealthy cyberattacks that can trigger false tripping. To enhance cybersecurity in smart grid protection systems, the study introduces, for the first time, lightweight large language models—such as DistilBERT—for real-time attack detection. By converting multidimensional current measurements into textual representations and leveraging fine-tuning combined with prompt engineering, the proposed approach enables efficient identification of malicious activities across models including DistilBERT, GPT-2, and DistilBERT enhanced with LoRA. Experimental results demonstrate that DistilBERT achieves a 97.6% attack detection rate under various attack scenarios—such as time synchronization attacks and false data injection—while maintaining robustness against measurement noise, sub-6-millisecond inference latency, and strong generalization capabilities, thus offering a high-accuracy, low-latency solution for secure relay operation.

This paper presents a large language model (LLM)-based framework that adapts and fine-tunes compact LLMs for detecting cyberattacks on transformer current differential relays (TCDRs), which can otherwise cause false tripping of critical power transformers. The core idea is to textualize multivariate time-series current measurements from TCDRs, across phases and input/output sides, into structured natural-language prompts that are then processed by compact, locally deployable LLMs. Using this representation, we fine-tune DistilBERT, GPT-2, and DistilBERT+LoRA to distinguish cyberattacks from genuine fault-induced disturbances while preserving relay dependability. The proposed framework is evaluated against a broad set of state-of-the-art machine learning and deep learning baselines under nominal conditions, complex cyberattack scenarios, and measurement noise. Our results show that LLM-based detectors achieve competitive or superior cyberattack detection performance, with DistilBERT detecting up to 97.62% of attacks while maintaining perfect fault detection accuracy. Additional evaluations demonstrate robustness to prompt formulation variations, resilience under combined time-synchronization and false-data injection attacks, and stable performance under realistic measurement noise levels. The attention mechanisms of LLMs further enable intrinsic interpretability by highlighting the most influential time-phase regions of relay measurements. These results demonstrate that compact LLMs provide a practical, interpretable, and robust solution for enhancing cyberattack detection in modern digital substations. We provide the full dataset used in this study for reproducibility.