This study addresses the vulnerability of virtual microgrids to cyberattacks targeting the secondary control layer, a critical concern due to their reliance on distributed communication. To tackle this challenge, the authors develop the first MATLAB/Simulink-based virtual microgrid platform integrated with programmable attack injection capabilities, enabling the generation of a multi-class, labeled attack dataset. A high-accuracy LightGBM intrusion detection model is trained on this dataset, achieving 99.72% accuracy (F1: 99.62%) in multi-class classification and 94.8% accuracy (F1: 94.3%) in binary classification. Furthermore, knowledge distillation is employed to compress the model for edge deployment, resulting in a lightweight version that achieves inference latency of only 54–67 milliseconds per thousand samples—demonstrating its suitability for efficient operation on resource-constrained microgrid controllers.

Modern microgrids depend on distributed sensing and communication interfaces, making them increasingly vulnerable to cyber physical disturbances that threaten operational continuity and equipment safety. In this work, a complete virtual microgrid was designed and implemented in MATLAB/Simulink, integrating heterogeneous renewable sources and secondary controller layers. A structured cyberattack framework was developed using MGLib to inject adversarial signals directly into the secondary control pathways. Multiple attack classes were emulated, including ramp, sinusoidal, additive, coordinated stealth, and denial of service behaviors. The virtual environment was used to generate labeled datasets under both normal and attack conditions. The datasets trained Light Gradient Boosting Machine (LightGBM) models to perform two functions: detecting the presence of an intrusion (binary) and distinguishing among attack types (multiclass). The multiclass model attained 99.72% accuracy and a 99.62% F1 score, while the binary model attained 94.8% accuracy and a 94.3% F1 score. A knowledge-distillation step reduced the size of the multiclass model, allowing faster predictions with only a small drop in performance. Real-time tests showed a processing delay of about 54 to 67 ms per 1000 samples, demonstrating suitability for CPU-based edge deployment in microgrid controllers. The results confirm that lightweight machine learning based intrusion detection methods can provide fast, accurate, and efficient cyberattack detection without relying on complex deep learning models. Key contributions include: (1) development of a complete MATLAB-based virtual microgrid, (2) structured attack injection at the control layer, (3) creation of multiclass labeled datasets, and (4) design of low-cost AI models suitable for practical microgrid cybersecurity.