CN115913642A - Network threat protection method and device for power substation - Google Patents

Network threat protection method and device for power substation

Info

Publication number
CN115913642A
Authority
CN
China
Prior art keywords
asset
assets
flow
substation
intelligent substation
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202211281373.1A
Other languages
Chinese (zh)
Inventor
蒋亚坤
王彬筌
刘问宇
韩校
李晓耕
赵明
刘宇明
陶文伟
苏扬
曹杨
张文哲
吴金宇
陈刚
林旭
蒋渊
何馨
李伟琦
陈文�
韩熙媛
Current Assignee (as listed by Google Patents; may be inaccurate)
Yunnan Power Grid Co Ltd
Original Assignee
Yunnan Power Grid Co Ltd
Events
Application filed by Yunnan Power Grid Co Ltd
Priority to CN202211281373.1A
Publication of CN115913642A

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a network threat protection method and device for a power substation. The method comprises: parsing the system configuration file of an intelligent substation, extracting the assets it describes and forming an intelligent substation asset table; analysing real-time traffic to obtain live asset information and marking abnormal assets in the intelligent substation asset table, so as to obtain a checked asset list; setting the action for traffic generated by assets in the asset list to pass, and the action for traffic generated by assets not in the asset list to drop; and setting an emergency response threshold on the drop entry, so that if the hit count of illegal access traffic exceeds the threshold, the administrative state of the interface is shut down, thereby achieving network threat protection. Traffic from unauthorised assets is controlled by the table entries, access-threat detection runs continuously, and the interface emergency handling module reacts accordingly, so threats such as virus propagation and malicious attacks from illegal terminals are stopped before they spread.

Description

Network threat protection method and device for power substation
Technical Field
The invention relates to the technical field of transformer substation protection, in particular to a method and a device for protecting network threats of an electric power transformer substation.
Background
Informatisation and industrialisation of the power industry are deeply integrated, the Internet of Things is developing rapidly and smart grid applications in particular are being deployed widely, so the latent security weaknesses of industrial control protocols are increasingly prominent. At present the power monitoring system network is built according to the partitioning principle of "secure zoning, dedicated networks, horizontal isolation and vertical authentication", which mainly emphasises boundary security. As smart grid construction advances, the power monitoring system depends heavily on electronic information and computer networks and faces growing industrial control security risks; once a security incident occurs, power production safety is greatly affected.
Substation operation and maintenance carries security risks of its own: for example, an O&M engineer connects a laptop that has not been security-hardened, bringing viruses or malicious programs on the laptop into the substation production network, or malicious attacks are launched against the station-level network assets the laptop can reach. There is therefore an urgent need for a power security switching device that can flexibly deal with illegally connected assets at the access-network level.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and title of the application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The present invention has been made in view of the above-mentioned conventional problems.
Therefore, the invention provides a network threat protection method and device for a power substation, which address the problem of the substation being attacked maliciously.
To solve this technical problem, the invention provides the following technical scheme. The network threat protection method and device for a power substation comprise the following steps:
parsing the intelligent substation system configuration file of an intelligent substation, extracting the assets in the substation and forming an intelligent substation asset table;
analysing real-time traffic to obtain live asset information, and marking abnormal assets in the intelligent substation asset table to obtain an asset list;
setting the action for traffic generated by assets in the asset list to pass, and the action for traffic generated by assets not in the asset list to drop;
and setting an emergency response threshold on the drop entry; if the hit count of illegal access traffic exceeds the threshold, shutting down the administrative state of the interface, thereby achieving network threat protection.
As a preferred embodiment of the network threat protection method and device for a power substation, the intelligent substation asset table contains the IP, MAC, type and description of substation assets such as measurement and control devices, IEDs and terminal hosts.
As a preferred embodiment of the network threat protection method and device for a power substation, marking abnormal assets comprises analysing the traffic passing through the power substation network threat protection device, extracting the IP and MAC information from each packet, and marking the intelligent substation asset table against that traffic:
if an asset is in the table and traffic from it exists, it is marked normal;
if an asset is in the table but no traffic from it exists, it is marked abnormal, which indicates that the intelligent substation file contains invalid (stale) asset information;
and if traffic comes from an asset that is not in the asset table, the asset information is missing from the intelligent substation file.
As a preferred embodiment of the network threat protection method and device for a power substation, marking abnormal assets may further comprise:
when an asset is abnormal, raising an alarm and reporting the information to an administrator for handling;
and when assets are normal, collecting them into a separate asset list that serves as the basis for subsequent management and control.
As a preferred embodiment of the network threat protection method and device for a power substation, the IP/MAC of each asset in the asset list is flushed into the chip's access control list entries:
the action for legal assets is set to pass, and the access control list entry with the largest ID is set to drop all packets, which guarantees that every packet hits some entry and is thereby subject to security protection;
access traffic from any IP or MAC not in the entries is blocked, hits on the entries are counted, and detailed information is recorded for later analysis and emergency handling;
and in this way admission control is applied to the assets on the network to prevent illegal access, and hence further network attacks and virus intrusion.
As a preferred embodiment of the network threat protection method and device for a power substation, setting the emergency response threshold comprises:
counting the hits on the drop access control list entry and setting an emergency response threshold;
if the hit count of illegal access traffic exceeds the threshold, the illegal device is evidently trying to connect continuously, so the physical interface it is attached to is shut down and the interface's administrative state is set to down; since re-enabling it requires administrator privilege, the device cannot come back online by itself, and the intruder's access path is fully and automatically cut off;
and if an illegally connected asset exhibits abnormal traffic, such as a flood of probe messages, the corresponding interface is shut down at once, so the attack source is blocked in time.
As a preferred embodiment of the network threat protection method and device for a power substation, obtaining the asset list comprises:
parsing the intelligent substation file data to obtain the intelligent substation asset table;
receiving packets on the interface and analysing the real-time traffic to obtain each flow's IP and MAC;
comparing the obtained intelligent substation asset table with the flow IP and MAC;
judging whether each intelligent substation asset has traffic;
if traffic exists, marking the asset valid and generating an access control list entry;
and if no traffic exists, marking the asset invalid and reporting an alarm.
A network threat protection device for a power substation, characterised in that it comprises an intelligent substation parsing module, a traffic learning module, an asset comparison and analysis module and an interface emergency handling module, wherein:
the intelligent substation parsing module parses the intelligent substation system configuration file, extracts the assets in the substation and forms an intelligent substation asset table;
the traffic learning module analyses the real-time traffic passing through the device to obtain live asset information, and marks abnormal assets in the intelligent substation asset table against that traffic to obtain an asset list;
the asset comparison and analysis module sets the action for traffic generated by assets in the asset list to pass and the action for traffic generated by assets not in the asset list to drop;
and the interface emergency handling module sets an emergency response threshold on the drop entry and shuts down the administrative state of the interface if the hit count of illegal access traffic exceeds the threshold, thereby achieving network threat protection.
A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method as described above when executing the computer program.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method as set forth above.
The beneficial effects of the invention are as follows. The invention provides a network threat protection method and device for a power substation. The asset table generated from the substation configuration description file is checked by parsing the file and learning the traffic, abnormal assets are removed, and alarm information is pushed to the administrator so that the substation configuration description file can be corrected. The checked asset list is then converted into chip access control list entries, which solves the problems that the station holds a large number of assets, their correspondences are hard to untangle, and an access control list deployment policy is hard to write. Traffic from unauthorised assets is controlled by the table entries, access-threat detection runs continuously, and the interface emergency handling module reacts accordingly, so threats such as virus propagation and malicious attacks from illegal terminals are stopped before they spread.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
fig. 1 is a flowchart of a method and an apparatus for protecting against cyber threats of an electrical substation according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an access control list item generating method and apparatus for protecting against network threats of an electrical substation according to an embodiment of the present invention;
fig. 3 is a safety protection flowchart of a method and an apparatus for protecting against cyber threats of an electrical substation according to an embodiment of the present invention;
fig. 4 is an internal structural diagram of a computer device of a method and an apparatus for protecting against cyber threats of a power substation according to an embodiment of the present invention;
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced otherwise than as specifically described herein, and it will be appreciated by those skilled in the art that the present invention may be practiced without departing from the spirit and scope of the present invention and that the present invention is not limited by the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The present invention will be described in detail with reference to the drawings, wherein the cross-sectional views illustrating the structure of the device are not enlarged partially in general scale for convenience of illustration, and the drawings are only exemplary and should not be construed as limiting the scope of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in the actual fabrication.
Also in the description of the present invention, it should be noted that the terms "upper, lower, inner and outer" and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, which are only for convenience of description and simplification of description, but do not indicate or imply that the device or element referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms first, second, or third are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted, connected and connected" in the present invention are to be understood broadly, unless otherwise explicitly specified or limited, for example: can be fixedly connected, detachably connected or integrally connected; they may be mechanically, electrically, or directly connected, or indirectly connected through intervening media, or may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Example 1
Referring to fig. 1 to 3, a first embodiment of the present invention provides a method and an apparatus for protecting against cyber threats of a power substation, including:
Step 102: parsing the intelligent substation system configuration file of the intelligent substation, extracting the assets in the substation and forming an intelligent substation asset table.
Here the SCD file is the intelligent substation asset table file, and the ACL is the access control list.
Specifically, the SCD file of the intelligent substation is imported into the power security switching device; after the file is parsed, information such as the IP, MAC, type and description of the assets in the substation (measurement and control devices, IEDs, terminal hosts and similar substation assets) is extracted to form an SCD asset table. This step simplifies asset collection: the asset list is formed quickly from the SCD file instead of by manual entry.
Step 104: analysing the real-time traffic passing through the device to obtain live asset information, and marking abnormal assets in the intelligent substation asset table against that traffic to obtain an asset list.
The power security switching device analyses the traffic passing through it and extracts information such as the IP and MAC in each packet. The SCD asset table is then marked against the traffic: if an asset is in the table and traffic from it exists, it is marked normal; if no traffic from it exists, it is marked abnormal, which indicates that the SCD file contains invalid asset information. If traffic comes from an asset that is not in the asset table, the SCD file is missing that asset's information. Both abnormal conditions must raise an alarm, and the information is reported to the administrator for handling. The normal assets form a separate asset list that serves as the basis for subsequent management and control.
Comparing the traffic with the SCD file thus checks the assets derived from the SCD file, because some entries in the SCD file may be old and never updated; for example, the SCD file is often not corrected in time when an asset's IP changes or the asset is taken out of service.
Further, the SCD file (Substation Configuration Description) of an intelligent substation describes the instance configuration and communication parameters of every intelligent electronic device in the substation, the communication configuration between IEDs, and other information.
It should be noted that the name and IP address entries in an SCD file look like the following samples (the two XML excerpts are given as images in the original and are not reproduced here):
[SCD excerpt 1: device name PL2228B, IP address 1.2.3.4]
[SCD excerpt 2: IED name MT2201A, IP 127.0.0.1, MAC 01-0C-CD-01-00-40]
Further, an ACL (Access Control List) is a table of entries that match packets and apply a configured action. Besides pass and drop, the chip ACL also implements port mirroring, VLAN checking, QinQ, chip layer-3 forwarding, flow redirection and similar functions. ACL match conditions include source and destination IP, source and destination MAC, protocol number, port number, physical interface, VLAN and so on.
It should be noted that the ACL is a general technology implemented as a chip function, but because its configuration is complex and the asset situation in the field is unknown, the number of configured entries is usually 0, which amounts to an empty configuration that provides no access control at all.
Step 106: setting the action for traffic generated by assets in the asset list to pass, and the action for traffic generated by assets not in the asset list to drop.
The IP/MAC of each asset in the asset list from step 104 is flushed into the chip's ACL entries with the action set to pass, and the ACL entry with the largest ID is set to drop all packets. This guarantees that every packet hits some ACL entry, because the ACL is matched one entry at a time starting from the smallest ID, so traffic from unauthorised assets falls through to the final drop entry. Access traffic from any IP or MAC not in the entries is thereby blocked; at the same time the hits on each ACL entry are counted and detailed information is recorded for later analysis and emergency handling.
Obtaining the asset list therefore comprises:
parsing the intelligent substation file data to obtain the intelligent substation asset table;
receiving packets on the interface and analysing the real-time traffic to obtain each flow's IP and MAC;
comparing the obtained intelligent substation asset table with the flow IP and MAC;
judging whether each intelligent substation asset has traffic;
if traffic exists, marking the asset valid and generating an access control list entry;
and if no traffic exists, marking the asset invalid and reporting an alarm.
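The SCD parsing of step 102 and the traffic reconciliation of step 104 can be written out as follows. This is an added example, not code from the patent or from Yunnan Power Grid; the SCD excerpt and the (IP, MAC) flows are constructed, the IED names follow the patent's samples, the IP addresses are documentation-range values, and the placement of the MAC as a `<P type="MAC-Address">` element under `<Address>` is an assumption (real SCD files often carry MACs elsewhere, e.g. in GSE/SMV blocks). The reconciliation produces the three verdicts the patent describes: normal (in the table and seen), stale (in the table but never seen, so the SCD is outdated) and missing (seen but not in the table). It also treats a known IP arriving with a foreign MAC as "not in the table", which is the spoofing case a practitioner would want caught.

```python
"""Added example (not from the patent): build the asset table of step 102 from an
IEC 61850 SCD file and reconcile it against observed traffic as in step 104."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by IEC 61850-6 SCL/SCD documents.
NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD excerpt. IED names follow the patent's samples; addresses are
# documentation-range values; MAC under <Address> is an assumption of this example.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="MT2201A" apName="AP1">
        <Address>
          <P type="IP">192.0.2.10</P>
          <P type="MAC-Address">01-0C-CD-01-00-40</P>
        </Address>
      </ConnectedAP>
      <ConnectedAP iedName="PL2228B" apName="AP1">
        <Address>
          <P type="IP">192.0.2.11</P>
          <P type="MAC-Address">00-11-22-33-44-55</P>
        </Address>
      </ConnectedAP>
      <ConnectedAP iedName="OLD_IED" apName="AP1">
        <Address><P type="IP">192.0.2.99</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="MT2201A" type="MU" desc="Merging unit"/>
  <IED name="PL2228B" type="PROT" desc="Line protection"/>
  <IED name="OLD_IED" type="MEAS" desc="Decommissioned meter"/>
</SCL>"""

# Constructed (ip, mac) pairs as the traffic learning module would extract them.
SAMPLE_FLOWS = [
    ("192.0.2.10", "01-0c-cd-01-00-40"),   # known IED, dashed lower-case MAC
    ("192.0.2.11", "00:11:22:33:44:55"),   # known IED
    ("192.0.2.50", "AA:BB:CC:DD:EE:01"),   # engineer's laptop, not in the SCD
    ("192.0.2.11", "AA:BB:CC:DD:EE:01"),   # same laptop spoofing a known IP
]


@dataclass
class Asset:
    name: str   # IED name from the SCD
    ip: str
    mac: str    # normalised AA:BB:CC:DD:EE:FF, empty if the SCD gives none
    kind: str   # IED "type" attribute
    desc: str   # IED "desc" attribute


def norm_mac(mac: str) -> str:
    return mac.strip().upper().replace("-", ":")


def parse_scd(scd_xml: str) -> dict:
    """Return {ip: Asset} for every ConnectedAP that carries an IP address."""
    root = ET.fromstring(scd_xml)
    ied_meta = {ied.get("name"): (ied.get("type", ""), ied.get("desc", ""))
                for ied in root.findall("scl:IED", NS)}
    assets = {}
    for ap in root.iterfind("scl:Communication/scl:SubNetwork/scl:ConnectedAP", NS):
        addr = {p.get("type"): (p.text or "").strip()
                for p in ap.iterfind("scl:Address/scl:P", NS)}
        ip = addr.get("IP")
        if not ip:
            continue  # no station-bus address, nothing to whitelist
        name = ap.get("iedName")
        kind, desc = ied_meta.get(name, ("", ""))
        assets[ip] = Asset(name, ip, norm_mac(addr.get("MAC-Address", "")), kind, desc)
    return assets


def reconcile(assets: dict, flows) -> dict:
    """Mark SCD assets against observed (ip, mac) pairs.
    normal: in the table and seen; stale: in the table but never seen;
    missing: seen but not in the table, or a known IP with a foreign MAC."""
    seen, missing = set(), []
    for ip, mac in flows:
        mac = norm_mac(mac)
        asset = assets.get(ip)
        # An SCD entry without a MAC is matched on IP alone.
        if asset is not None and (not asset.mac or asset.mac == mac):
            seen.add(ip)
        elif (ip, mac) not in missing:
            missing.append((ip, mac))
    return {
        "normal": [a.name for ip, a in assets.items() if ip in seen],
        "stale": [a.name for ip, a in assets.items() if ip not in seen],
        "missing": missing,
    }


if __name__ == "__main__":
    table = parse_scd(SAMPLE_SCD)
    for a in table.values():
        print(f"{a.name:8} {a.ip:12} {a.mac:18} {a.kind:5} {a.desc}")
    print(reconcile(table, SAMPLE_FLOWS))
```

Only the `normal` names would be pushed into the ACL; `stale` and `missing` are the two alarm conditions the patent reports to the administrator so the SCD can be corrected.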
Table 1 Access control list entries

ACL ID | Source IP      | Source MAC     | Destination IP | Destination MAC | Other ACL fields | Action | Hit count
1      | legal IP       | legal MAC      |                |                 |                  | pass   |
2      | legal IP       | legal MAC      |                |                 |                  | pass   |
3      | legal IP       | legal MAC      |                |                 |                  | pass   |
...    |                |                |                |                 |                  |        |
1000   | any (wildcard) | any (wildcard) | any (wildcard) | any (wildcard)  |                  | drop   | 5000
It should be noted that admission control is thus applied to the assets on the network to prevent illegal access, and hence further network attacks and virus intrusion. Because the ACL entries are refreshed automatically, deployment is simplified, the problem that the original ACL held zero policy entries because the network asset situation was unclear and entries were hard to configure is solved, and the protection becomes practical.
Step 108: setting an emergency response threshold on the drop entry; if the hit count of illegal access traffic exceeds the threshold, shutting down the administrative state of the interface, thereby achieving network threat protection.
If the hit count of illegal access traffic exceeds the threshold, the illegal device is evidently trying to connect continuously, so the physical interface it is attached to is shut down and the interface's administrative state is set to down (without administrator privilege it cannot be brought up again), automatically cutting off the intruder's access path.
Specifically, when an illegally connected asset such as a laptop exhibits abnormal traffic, for example virus propagation generating a large number of probe messages, the corresponding interface is set to DOWN so that the attack source is blocked in time.
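The ACL of step 106 and the emergency response of step 108 can be modelled together as follows. This is an added example, not the patent's or the device vendor's code: it simulates the chip's first-match semantics (lowest ID first, catch-all drop at the largest ID so that every packet hits an entry), keeps a per-entry hit counter as in Table 1, counts catch-all hits per physical port, and sets the port's administrative state to down once the configured threshold is exceeded; a port shut this way can only be re-enabled by an administrator. The asset pairs, port names, threshold and ID 1000 for the catch-all entry are constructed values for the demonstration.

```python
"""Added example (not from the patent): ACL table with catch-all drop and hit
counters (step 106) plus threshold-triggered port shutdown (step 108)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    acl_id: int
    src_ip: Optional[str]    # None matches any source IP
    src_mac: Optional[str]   # None matches any source MAC
    action: str              # "permit" or "drop"
    hits: int = 0            # hit counter, as in Table 1

    def matches(self, ip: str, mac: str) -> bool:
        return ((self.src_ip is None or self.src_ip == ip)
                and (self.src_mac is None or self.src_mac == mac))


class AccessSwitch:
    """Simplified model of the chip ACL and the interface emergency handling."""
    CATCH_ALL_ID = 1000   # must be the largest ID so it is matched last

    def __init__(self, assets, threshold: int):
        # One permit entry per checked asset (ip, mac), lowest IDs first.
        self.acl = [AclEntry(i, ip, mac, "permit")
                    for i, (ip, mac) in enumerate(assets, start=1)]
        if len(self.acl) >= self.CATCH_ALL_ID:
            raise ValueError("asset count exceeds ACL capacity")
        self.acl.append(AclEntry(self.CATCH_ALL_ID, None, None, "drop"))
        self.threshold = threshold
        self.port_admin_up = {}   # port -> bool; a missing port is up
        self.drop_hits = {}       # port -> catch-all hits since last reset
        self.events = []          # (port, ip, mac) of each dropped packet

    def process(self, port: str, ip: str, mac: str) -> str:
        """Return what happened to one packet arriving on `port`."""
        if not self.port_admin_up.get(port, True):
            return "port-down"
        for entry in self.acl:   # lowest ID first; first match wins
            if entry.matches(ip, mac):
                entry.hits += 1
                if entry.action == "permit":
                    return "permit"
                return self._handle_drop(port, ip, mac)
        raise AssertionError("catch-all entry guarantees a match")

    def _handle_drop(self, port: str, ip: str, mac: str) -> str:
        self.events.append((port, ip, mac))        # detail kept for analysis
        self.drop_hits[port] = self.drop_hits.get(port, 0) + 1
        if self.drop_hits[port] > self.threshold:
            self.port_admin_up[port] = False       # interface admin state -> down
            return "drop+shutdown"
        return "drop"

    def hit_counts(self) -> dict:
        return {e.acl_id: e.hits for e in self.acl}

    def bring_up(self, port: str, is_admin: bool) -> None:
        """Only an administrator may re-enable a port shut by the threshold."""
        if not is_admin:
            raise PermissionError("only an administrator can bring the port up")
        self.port_admin_up[port] = True
        self.drop_hits[port] = 0


if __name__ == "__main__":
    # Constructed checked asset list and a laptop on port ge5 that is not in it.
    sw = AccessSwitch([("192.0.2.10", "01:0C:CD:01:00:40"),
                       ("192.0.2.11", "00:11:22:33:44:55")], threshold=3)
    print(sw.process("ge1", "192.0.2.10", "01:0C:CD:01:00:40"))
    for _ in range(5):
        print(sw.process("ge5", "192.0.2.50", "AA:BB:CC:DD:EE:01"))
    print(sw.hit_counts(), sw.events)
```

The threshold is compared against catch-all hits per port rather than per source address, because a device that changes its IP or MAC while probing still sits on the same physical interface; that is also why the response is an interface shutdown rather than a per-address block.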
A network threat protection device for a power substation, characterised in that it comprises an intelligent substation parsing module, a traffic learning module, an asset comparison and analysis module and an interface emergency handling module, wherein:
the intelligent substation parsing module parses the intelligent substation system configuration file, extracts the assets in the substation and forms an intelligent substation asset table;
the traffic learning module analyses the real-time traffic passing through the device to obtain live asset information, and marks abnormal assets in the intelligent substation asset table against that traffic to obtain an asset list;
the asset comparison and analysis module sets the action for traffic generated by assets in the asset list to pass and the action for traffic generated by assets not in the asset list to drop;
and the interface emergency handling module sets an emergency response threshold on the drop entry and shuts down the administrative state of the interface if the hit count of illegal access traffic exceeds the threshold, thereby achieving network threat protection.
The above unit modules may be embedded in hardware or independent from a processor in the computer device, or may be stored in a memory in the computer device in software, so that the processor calls and executes operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 4. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a method of power substation cyber-threat protection. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, performs the steps of:
parsing the intelligent substation system configuration file of an intelligent substation, extracting the assets in the substation and forming an intelligent substation asset table;
analysing real-time traffic to obtain live asset information, and marking abnormal assets in the intelligent substation asset table to obtain an asset list;
setting the action for traffic generated by assets in the asset list to pass, and the action for traffic generated by assets not in the asset list to drop;
and setting an emergency response threshold on the drop entry; if the hit count of illegal access traffic exceeds the threshold, shutting down the administrative state of the interface, thereby achieving network threat protection.
Example 2
Referring to fig. 1 to 4, a second embodiment of the present invention provides the network threat protection method and device for a power substation, and its beneficial effects are verified by comparative experiments.
Table 2 Access control list (given as an image in the original; not reproduced here)
Table 3 Distinguishing features of the conventional technical solution and the present application (given as an image in the original; not reproduced here)
It should be noted that this patent provides a network threat protection method and device for a power substation which check the asset table generated from the substation configuration description file by parsing that file and learning the traffic, remove abnormal assets, and push alarm information to the administrator so that the substation configuration description file can be corrected. The checked asset list is then converted into chip access control list entries, which solves the problems that the station holds a large number of assets, their correspondences are hard to untangle, and an access control list deployment policy is hard to write. Traffic from unauthorised assets is controlled by the table entries, access-threat detection runs continuously, and the interface emergency handling module reacts accordingly, so threats such as virus propagation and malicious attacks from illegal terminals are stopped before they spread.
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein. The scheme in the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A network threat protection method for an electric power substation, characterized in that it comprises the following steps:
parsing the intelligent substation system configuration file of an intelligent substation, extracting the assets in the substation and forming an intelligent substation asset table;
parsing the real-time traffic, obtaining real-time asset information, and marking abnormal assets in the intelligent substation asset table to obtain an asset list;
setting the action for traffic generated by assets in the asset list to a pass label, and setting the action for traffic generated by assets not in the asset list to a packet-loss label;
and setting an emergency response threshold for the packet-loss label, and if the hit count of the illegal access traffic exceeds the threshold, administratively shutting down the interface, thereby realizing network threat protection.
2. The power substation network threat prevention method of claim 1, characterized in that: the intelligent substation asset table comprises the IP, MAC, type and description of the substation assets, namely the measurement and control devices, the IEDs and the terminal hosts.
3. The power substation network threat prevention method of claim 2, characterized in that: the marking of abnormal assets comprises analyzing the traffic passing through the network threat protection device of the power substation, obtaining the IP and MAC information in the data packets, and marking the intelligent substation asset table against that traffic,
if an asset is in the table and traffic exists, marking the asset as normal;
if an asset is in the table and no traffic exists, marking it as abnormal, in which case the intelligent substation file is judged to contain invalid asset information;
and if an asset is not in the asset table, the intelligent substation file is judged to have omitted the asset information.
4. The power substation network threat prevention method of claim 3, characterized in that: the marking of abnormal assets further comprises,
when an asset is abnormal, raising an alarm and reporting the information to an administrator for handling;
and when assets are normal, forming the normal assets into a separate asset list used as the basis for subsequent management and control.
5. The power substation network threat prevention method of claim 4, characterized in that: the setting of the labels comprises writing the IP/MAC corresponding to the assets in the asset list into the chip access control list entries,
setting the action for legal assets to pass, and setting the access control list entry with the maximum entry ID to drop all, so that every data packet is guaranteed to hit an access control list entry and security protection is enforced;
blocking access traffic from any IP or MAC not in the entries, counting hits on the access control list entries, and recording detailed information for subsequent analysis and emergency handling;
and performing access control on the assets in the network to prevent illegal access, thereby preventing further network attacks and virus intrusion.
6. The power substation network threat prevention method of claim 5, characterized in that: the setting of the emergency response threshold comprises,
counting hits on the packet-loss access control list entry and setting an emergency response threshold;
if the hit count of the illegal access traffic exceeds the threshold, the illegal accessor is judged to be attempting access continuously, a shutdown operation is performed on the physical interface of the accessor and the interface management state is closed; since bringing the interface back up is outside the authority of a non-administrator, the interface cannot be put back online by the intruder, and the intruder's access path is completely and automatically cut off;
and if assets are being accessed illegally, a large number of probe messages are generated once the traffic is found to be abnormal, at which time the corresponding interface is shut down to block the attack source in time.
7. The power substation network threat prevention method of claim 6, characterized in that: the obtaining of the asset list comprises,
parsing the file data of the intelligent substation to obtain the intelligent substation asset table;
receiving packets through the interface and parsing the real-time traffic to obtain the traffic IP and MAC;
comparing the obtained intelligent substation asset table with the traffic IP and MAC;
judging whether each intelligent substation asset has traffic;
if traffic exists, setting it as a valid asset and generating an access control list entry;
and if no traffic exists, setting it as an invalid asset and reporting an alarm.
8. A network threat protection device for an electric power substation, characterized in that: it comprises an intelligent substation parsing module, a flow learning module, an asset comparison analysis module and an interface emergency handling module, wherein
the intelligent substation parsing module parses the intelligent substation system configuration file of the intelligent substation, extracts the assets in the substation and forms an intelligent substation asset table;
the flow learning module parses the real-time traffic to obtain real-time asset information, and marks abnormal assets in the intelligent substation asset table against that traffic to obtain an asset list;
the asset comparison analysis module sets the action for traffic generated by assets in the asset list to a pass label and sets the action for traffic generated by assets not in the asset list to a packet-loss label;
and the interface emergency handling module sets an emergency response threshold for the packet-loss label, and administratively shuts down the interface if the hit count of the illegal access traffic exceeds the threshold, thereby realizing network threat protection.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
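The procedure of claims 1 to 7 (parse the SCD, learn assets from traffic, mark stale and missing assets, write permit entries plus a final drop-all entry, count drop hits per interface and shut the interface once a threshold is exceeded), carried through as a worked example in Python. This is an added illustration, not code from the patent or from Yunnan Power Grid; the SCD fragment, the observed traffic records, the ACL entry layout, the entry ID 65535 used for the drop-all rule, the port names and the threshold of 3 are all constructed assumptions, since the page does not describe the chip ACL format or its ID range.

```python
"""Added example (not the patent's code): SCD asset whitelist -> ACL -> interface shutdown.
The SCD fragment, traffic records, ACL layout, DENY_ALL_ID and threshold are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

SCL_NS = "{http://www.iec.ch/61850/2003/SCL}"
DENY_ALL_ID = 65535  # assumed highest chip ACL entry ID; the page gives no ID range

# Constructed IEC 61850 SCL Communication section (real SCD files are far larger).
SCD_XML = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Communication>
 <SubNetwork name="StationBus">
  <ConnectedAP iedName="PROT_L1" apName="AP1"><Address>
   <P type="IP">192.168.10.11</P><P type="MAC-Address">00-1B-2C-00-00-11</P></Address></ConnectedAP>
  <ConnectedAP iedName="MU_L1" apName="AP1"><Address>
   <P type="IP">192.168.10.12</P><P type="MAC-Address">00-1B-2C-00-00-12</P></Address></ConnectedAP>
  <ConnectedAP iedName="OLD_IED" apName="AP1"><Address>
   <P type="IP">192.168.10.99</P><P type="MAC-Address">00-1B-2C-00-00-99</P></Address></ConnectedAP>
 </SubNetwork></Communication></SCL>"""

# Constructed traffic learned on the station bus: (src IP, src MAC, ingress port).
OBSERVED_FLOWS = [
    ("192.168.10.11", "00-1B-2C-00-00-11", "ge0/1"),
    ("192.168.10.12", "00-1B-2C-00-00-12", "ge0/2"),
    ("192.168.10.200", "00-1B-2C-00-00-C8", "ge0/5"),  # device absent from the SCD
]


def parse_scd(xml_text):
    """Claims 1/2: extract (IP, MAC) -> IED name from every ConnectedAP in the SCD."""
    assets = {}
    for ap in ET.fromstring(xml_text).iter(SCL_NS + "ConnectedAP"):
        addr = {p.get("type"): p.text.strip() for p in ap.iter(SCL_NS + "P")}
        if "IP" in addr and "MAC-Address" in addr:
            assets[(addr["IP"], addr["MAC-Address"].upper())] = ap.get("iedName")
    return assets


def learn_assets(asset_table, flows):
    """Claims 3/7: mark SCD assets against live traffic. Returns (valid assets, alarms)."""
    seen = {(ip, mac.upper()) for ip, mac, _ in flows}
    valid, alarms = {}, []
    for key, ied in asset_table.items():
        if key in seen:
            valid[key] = ied                                   # in table, has traffic: normal
        else:
            alarms.append(("invalid_asset_in_scd", key, ied))  # in table, silent: stale SCD entry
    for key in sorted(seen - set(asset_table)):
        alarms.append(("asset_missing_from_scd", key, None))   # traffic from an unlisted device
    return valid, alarms


def build_acl(valid_assets):
    """Claim 5: one permit entry per valid IP/MAC pair, then drop-all at the highest ID."""
    acl = [{"id": i + 1, "ip": ip, "mac": mac, "action": "permit"}
           for i, (ip, mac) in enumerate(sorted(valid_assets))]
    acl.append({"id": DENY_ALL_ID, "ip": None, "mac": None, "action": "drop"})
    return acl


class InterfaceGuard:
    """Claim 6: count drop-entry hits per ingress port; shut the port once hits exceed threshold."""

    def __init__(self, acl, threshold):
        self.acl, self.threshold = acl, threshold
        self.drop_hits, self.shut_ports, self.log = Counter(), set(), []

    def packet(self, src_ip, src_mac, port):
        if port in self.shut_ports:
            return "port_down"                          # only an administrator can re-enable it
        entry = next(e for e in self.acl
                     if e["action"] == "drop" or (e["ip"], e["mac"]) == (src_ip, src_mac.upper()))
        if entry["action"] == "permit":
            return "permit"
        self.drop_hits[port] += 1
        self.log.append((port, src_ip, src_mac, entry["id"]))  # detail kept for later analysis
        if self.drop_hits[port] > self.threshold:
            self.shut_ports.add(port)
            return "drop_and_shutdown"
        return "drop"


def run_example(threshold=3):
    """Whole pipeline on the constructed data; returns the values worth inspecting."""
    table = parse_scd(SCD_XML)
    valid, alarms = learn_assets(table, OBSERVED_FLOWS)
    guard = InterfaceGuard(build_acl(valid), threshold)
    rogue = ("192.168.10.200", "00-1B-2C-00-00-C8", "ge0/5")
    verdicts = [guard.packet(*rogue) for _ in range(4)]            # 4th hit exceeds threshold 3
    verdicts.append(guard.packet("192.168.10.11", "00-1B-2C-00-00-11", "ge0/1"))
    verdicts.append(guard.packet(*rogue))                           # port already shut
    return {"assets": len(table), "valid": sorted(valid.values()), "alarms": alarms,
            "acl_ids": [e["id"] for e in guard.acl], "verdicts": verdicts,
            "shut_ports": sorted(guard.shut_ports)}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

Run it as a script to see the stale-entry alarm for OLD_IED, the missing-asset alarm for 192.168.10.200, the three-entry ACL and the verdict sequence ending in the shutdown of ge0/5. Two caveats a practitioner should weigh before deploying the claimed scheme: the whitelist keys on source IP and MAC, both of which any device on the station bus can spoof, so the automatic shutdown of claim 6 can be turned into a denial of service against a legitimate IED that shares the offending port; and IEC 61850 GOOSE and Sampled Values frames are layer-2 multicast with no IP header, so those flows need a MAC-only match rather than the IP+MAC pair used here.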

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211281373.1A CN115913642A (en) 2022-10-19 2022-10-19 Network threat protection method and device for power substation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211281373.1A CN115913642A (en) 2022-10-19 2022-10-19 Network threat protection method and device for power substation

Publications (1)

Publication Number Publication Date
CN115913642A (en) 2023-04-04

Family

ID=86492747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211281373.1A Pending CN115913642A (en) 2022-10-19 2022-10-19 Network threat protection method and device for power substation

Country Status (1)

Country Link
CN (1) CN115913642A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104518568A (en) * 2014-12-15 2015-04-15 东南大学 Method for realizing network message selection in intelligent substation
US20170366571A1 (en) * 2016-06-21 2017-12-21 Ntt Innovation Institute, Inc. Asset protection apparatus, system and method
CN110768846A (en) * 2019-10-31 2020-02-07 国网四川省电力公司阿坝供电公司 Intelligent substation network safety protection system
CN111049843A (en) * 2019-12-18 2020-04-21 国网浙江省电力有限公司宁波供电公司 Intelligent substation network abnormal flow analysis method
CN112350846A (en) * 2019-08-07 2021-02-09 杭州木链物联网科技有限公司 Asset learning method, device, equipment and storage medium for intelligent substation
CN113285937A (en) * 2021-05-17 2021-08-20 国网山东省电力公司电力科学研究院 Safety audit method and system based on traditional substation configuration file and IEC103 protocol flow
CN114567501A (en) * 2022-03-04 2022-05-31 科来网络技术股份有限公司 Automatic asset identification method, system and equipment based on label scoring

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张道银: "Research on information security technology for intelligent substations" (智能变电站信息安全技术研究), Electric Power Information and Communication Technology (电力信息与通信技术), no. 01, 15 January 2015 *
李憧; 刘鹏; 蔡国庆: "Research on dynamic network asset monitoring based on traffic awareness" (基于流量感知的动态网络资产监测研究), Journal of Information Security Research (信息安全研究), no. 06, 4 June 2020 *
蒋毅; 周凯兵; 郭晏; 周涛: "Construction of unified identity coding for project assets in power grid enterprises" (电网企业项目资产统一身份编码建设), Project Management Technology (项目管理技术), no. 02, 10 February 2020 *

Similar Documents

Publication Publication Date Title
Hu et al. A survey of intrusion detection on industrial control systems
Garitano et al. A review of SCADA anomaly detection systems
Gifty et al. Privacy and security of big data in cyber physical systems using Weibull distribution-based intrusion detection
CN102663278B (en) Cloud computing mode platform of internet of things data process method for security protection
Yi et al. An intelligent communication warning vulnerability detection algorithm based on IoT technology
KR101375813B1 (en) Active security sensing device and method for intrusion detection and audit of digital substation
CN111935061A (en) Industrial control host and network security protection implementation method thereof
CN110650117A (en) Cross-site attack protection method, device, equipment and storage medium
CN110324323A (en) A kind of new energy plant stand relates to net end real-time, interactive process exception detection method and system
Sangeetha et al. Signature based semantic intrusion detection system on cloud
CN112968885B (en) Edge computing platform safety protection method and device
CN111835680A (en) Safety protection system of industry automatic manufacturing
CN114418263A (en) A defense system for power monitoring device of thermal power plant
Hink et al. Characterization of cyberattacks aimed at integrated industrial control and enterprise systems: a case study
Hu et al. An enhanced multi-stage semantic attack against industrial control systems
Feng et al. Snort improvement on profinet RT for industrial control system intrusion detection
CN115913642A (en) Network threat protection method and device for power substation
CN111404917B (en) Industrial control simulation equipment-based threat information analysis and detection method and system
CN113422776A (en) Active defense method and system for information network security
CN102970188B (en) A kind of 110kV digital transformer substation secure network
Li et al. Network security in the industrial control system: A survey
KR20210141198A (en) Network security system that provides security optimization function of internal network
CN114866254B (en) BMC safety protection method, equipment and readable storage medium
Faramondi et al. Configuration vulnerability in SNORT for Windows Operating Systems
Zhao et al. An Area‐Context‐Based Credibility Detection for Big Data in IoT

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination