Various studies have demonstrated that the collaborative false command injection (FCI) and false sensory data injection (FDI) attacks can go undetected by the existing detection methods and result in serious cascading failures. Therefore, fast attack-recovery under attacks are gaining importance. However, previous researches cannot know which data are contaminated and real system state cannot be evaluated, which leads to serious misalignment of attack-recovery. In this paper, we propose a novel and effective method based on physical invariants among heterogeneous control commands and sensory data to locate the maliciously modified command or compromised sensor. First, we analyze changes in invariants under different single attacks and depict how to detect the collaborative attack and locate attack targets by utilizing broken invariants. Second, considering localization becomes difficult when multiple attacks may be launched simultaneously to disrupt different components, we build the causal network by utilizing the physical invariants and develop a causal-network-based algorithm to fast locate compromised objects. Finally, our numerical results validate the effectiveness of our proposed methods and algorithms. Our work will build the foundation to achieve real-time and accurate recovery under attacks. [ABSTRACT FROM AUTHOR]