CN104168268A - Power grid object access control device capable of realizing safety configuration and access of power grid model data - Google Patents

Power grid object access control device capable of realizing safety configuration and access of power grid model data

Info

Publication number
CN104168268A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
grid
access control
model
security
access
Prior art date
Application number
CN 201410355049
Other languages
Chinese (zh)
Other versions
CN104168268B (en)
Inventor
谢善益
杨强
范颖
杜双育
梁成辉
徐庆平
Original Assignee
Electric Power Research Institute of Guangdong Power Grid Co., Ltd. (广东电网公司电力科学研究院)
Weihai Xinzhi Information Technology Co., Ltd. (威海欣智信息科技有限公司)
Priority date
Filing date
Publication date

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00: Systems supporting electrical power generation, transmission or distribution
    • Y04S10/40: Systems characterised by the display of information, e.g. of data or controls
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects
    • Y04S40/24: Arrangements for network security or for protecting computers or computer systems against unauthorised activity, e.g. cyber security

Abstract

The invention provides a power grid object access control device capable of realizing secure configuration and access of power grid model data. The device comprises a hierarchical partitioning and security permission configuration module for the grid model data and an access security control module; the former realizes the hierarchical partitioning and security permission configuration of the grid model data, and the latter realizes the access security control of the grid model. By organizing the grid model hierarchically by region, sub-region, station and voltage level, assigning other grid objects such as equipment, terminals and measurements to the corresponding level according to their associations, and combining the access permissions of system users on the data with this hierarchy, the device realizes access security control of a suitable granularity in which secure access to the operation data of the whole grid corresponds to the management system currently in force.

Description

A power grid object access control device capable of realizing secure configuration and access of power grid model data

Technical field

[0001] The present invention relates to secure access to and control of power grid data, and specifically to providing a power grid object access control device capable of realizing secure configuration and access of power grid model data.

Background

[0002] Production management in a power system usually divides the grid into a number of hierarchically partitioned sub-networks according to features such as the geographical distribution of the grid and its voltage levels. By electrical characteristics such as voltage level, for example, the grid is divided into multi-level dispatch centers (national, regional network, provincial, prefectural and county dispatch); within one level, the grid is further divided into multiple dispatch centers according to geographical distribution. The result is a management system of "unified dispatch, hierarchical management".

[0003] In recent years, with the growth of grid business and rising management requirements, the demand for information sharing and collaboration between the specialized applications of the power system, between departments, and between superior and subordinate dispatch organizations has kept increasing. While satisfying the network security isolation requirements of the power dispatch system, the power control center needs to integrate and manage the grid models, data, graphics and other information resources of the multi-level dispatch organizations and build a unified grid operation data center, so that power system information resources are shared and grid dispatch production and management decisions are supported with reliable data and strong tools for comprehensive analysis and application.

[0004] With a unified grid operation data center comes the need to manage and control information access. Before such a data center is built, each dispatch center, in line with the "unified dispatch, hierarchical management" system, establishes and maintains the detailed grid model structure parameters and operation data of the grid under its jurisdiction and is responsible for the overall security control of that operation data. In a grid operation data center, however, the operation data of all dispatch centers is integrated, so the security control of access to it must be finer-grained and more flexible.

[0005] In the prior art, the common approach is to control access to grid operation data directly with the security access control of the database underlying the system: whether a user may access specified data is governed by setting the user's permissions on a given object type (table) or object instance (table record).

[0006] The drawback of database-based security access control is that its granularity does not match the actual practice of the power system. The power system applies hierarchical, region-based security control, whereas database security management, for example in a relational database system, is oriented to tables and table records. The corresponding security controls are therefore complex to implement and access control is inefficient.

[0007] Another common security solution is to apply access permission control directly to the grid model nodes of an OPC UA server.

[0008] OPC (OLE for Process Control) is an industrial standard managed by an international organization, the OPC Foundation. OPC comprises a standard set of interfaces, properties and methods for process control and manufacturing automation systems.

[0009] OPC UA (OPC Unified Architecture) is the new standard protocol specified by the OPC Foundation to replace OPC; UA stands for Unified Architecture.

[0010] OPC UA is a new standard protocol specified by the OPC Foundation for communication independent of manufacturer and platform, especially in process automation. OPC UA provides a consistent and complete address space and service model, which can be used to unify all operation data of the grid operation data center, including grid description data, real-time data, alarms and events and their historical information, into a single OPC UA server address space and to expose it through one uniform set of services. OPC UA also provides a security model that specifies which security mechanisms can be selected and configured to meet the security needs of a particular installation. The security model comprises standard security mechanisms and parameters. Application-level security relies on a secure communication channel that remains in effect for the duration of the application session and guarantees the integrity of all information exchanged. When a session is established, the client and server applications negotiate and construct a secure communication channel, exchange software certificates that establish the identities of the client and the server, and also exchange information about the functions each can provide.

[0011] The drawback of security access control based directly on the grid model nodes of an OPC UA server is that, with OPC UA nodes as the unit of security control, the granularity is too fine for a prefectural dispatch grid model, whose OPC UA nodes number in the millions, and the corresponding system configuration and maintenance workload is large. Moreover, because this approach does not match the current management practice of grid production management, it is difficult to migrate the security configuration automatically when the grid model or the grid dispatch authority changes.

Summary of the invention

[0012] The object of the present invention is to provide a power grid object access control device capable of realizing secure configuration and access of power grid model data. The device lets the user authentication and authorization mechanisms inherit the hierarchical partitioning of the grid model, so that access to grid operation data is controlled in a finer-grained, more flexible and more efficient way, and it realizes access control of a suitable granularity in which secure access to the operation data of the whole grid corresponds to the management system currently in force.

[0013] The object of the present invention can be achieved by the following technical measures:

A power grid object access control device capable of realizing secure configuration and access of power grid model data, the device comprising:

a hierarchical partitioning and security permission configuration module for the grid model data, and an access security control module; the hierarchical partitioning and security permission configuration module realizes the hierarchical partitioning and security permission configuration of the grid model data, as follows:

(11) Grid model partition initialization:

the grid object access control device obtains the grid model data from the OPC UA server and partitions hierarchically the grid model objects of the types region, equipment container, equipment, measurement and measurement value according to the association relationships between regions, between region and equipment container, between equipment containers of different types, between equipment container and equipment, between equipment and measurement, and between measurement and measurement value;

the association between regions refers to the containment relationship between a region and its sub-regions, such as "province - city - county";

an equipment container is an abstraction that covers power plants, substations, voltage levels, bays and lines; power plants and substations are usually referred to collectively as stations; a voltage level is a logical equipment container within a substation formed by the equipment at the same voltage; a bay is a logical equipment container formed by closely connected parts of a substation that share some common function; bays are usually classified by the type of their main equipment into different kinds, including line bays, busbar bays and main transformer bays;

the association between region and equipment container refers to the containment relationship between a region and a station;

the association between equipment containers refers to the relationships in which a station contains voltage levels, a voltage level contains bays, and a station directly contains bays;

the association between equipment container and equipment refers to the containment relationship between a substation, voltage level or bay and its equipment;

the association between equipment and measurement refers to the containment relationship between equipment and its measurements; the association between measurement and measurement value refers to the containment relationship between a measurement and its measurement values;

(12) Asynchronous subscription: the grid object access control device subscribes to the OPC UA server to listen for grid model change events; when the grid model it manages changes, the OPC UA server delivers asynchronous notifications of the model changes to the grid object access control device for the grid model change events it subscribed to asynchronously; the types of grid model change event of interest include addition and deletion of grid objects and modification of the associations between grid objects;

(13) the grid object access control device responds to the asynchronous notifications corresponding to its asynchronous subscription and dynamically maintains the hierarchical partitioning of the grid model according to the addition, deletion and modification information about the grid model carried in the notification;

(14) Management operation setting: specifying the access permissions of particular users on different branches of the grid model hierarchy; the supported permissions are "read", "create", "update" and "delete"; for a branch of the grid hierarchy, a permission specified for the next level down overrides the uniform permission specified for the parent level;

the access security control module realizes access security control of the grid model, as follows:

(21) the OPC UA client and OPC UA server negotiate to establish a secure channel and authenticate each other's identity; suppose the client session is then identified as "user 1";

(22) the OPC UA client initiates an operation on the grid model;

(23) the OPC UA server queries the grid object access control device as to whether the user has the appropriate permission;

(24) the grid object access control device first determines the grid region to which the grid model object corresponding to the UA node accessed by the client belongs, then checks whether the client's identity has the corresponding permission on that target region; if so it returns "allow", otherwise "deny"; the result of this step is returned to the OPC UA server as the reply to the call of step (23);

(25) according to the result returned by step (24): if it is "allow", the operation requested in step (22) is executed and its result is returned; otherwise "no access permission, operation denied" is returned directly to the OPC UA client;

(26) the result of step (25) is returned to the OPC UA client as the reply to the call of step (22).

[0014] Compared with the prior art, the present invention has the following advantages:

The present invention integrates the OPC UA security model, in particular its user authentication and authorization mechanisms, with the hierarchical partitioning of the grid model, realizing finer-grained, more flexible and more efficient security control of access to grid operation data.

[0015] The present invention organizes the grid model hierarchically as region -> sub-region -> station -> voltage level, assigns other grid objects such as equipment, terminals and measurements to the corresponding level according to their associations, and combines the access permissions of system users on the data with this hierarchy, thereby realizing access security control of a suitable granularity in which secure access to the operation data of the whole grid corresponds to the management system currently in force.

Brief description of the drawings

[0016] Figure 1 is a flowchart of the hierarchical partitioning and security permission configuration of the grid model data;

Figure 2 is a flowchart of the enforcement of the access security control policy for the grid model;

Figure 3 is a schematic diagram of the hierarchical tree-structured partitioning of the grid model.

Detailed description

[0017] The present invention provides a power grid object access control device capable of realizing secure configuration and access of power grid model data, which achieves the following: 1. A method of organizing the grid model hierarchically as region -> sub-region -> station -> voltage level, corresponding to the management system currently in force for grid production management.

[0018] 2. Dynamic maintenance of the hierarchical organization of the grid model by means of the OPC UA model change subscription and publication mechanism.

[0019] 3. Run-time controlled access to grid operation data, realized by combining the OPC UA security model with the hierarchical organization of the grid model.

[0020] The grid object access control device comprises a hierarchical partitioning and security permission configuration module for the grid model data, and an access security control module.

As shown in Figure 1, the hierarchical partitioning and security permission configuration module realizes the hierarchical partitioning and security permission configuration of the grid model data in the following steps:

(11) Grid model partition initialization step: the grid object access control device obtains the grid model data from the OPC UA server and partitions hierarchically the grid model objects of the types region, equipment container, equipment, measurement and measurement value according to the association relationships between regions, between region and equipment container, between equipment containers of different types, between equipment container and equipment, between equipment and measurement, and between measurement and measurement value;

the association between regions refers to the containment relationship between a region and its sub-regions, such as "province - city - county".

[0021] An equipment container is an abstraction that covers power plants, substations, voltage levels, bays and lines. Power plants and substations are usually referred to collectively as stations. A voltage level is a logical equipment container within a substation formed by the equipment at the same voltage. A bay is a logical equipment container formed by closely connected parts of a substation that share some common function. Bays are usually classified by the type of their main equipment into different kinds, for example line bays, busbar bays and main transformer bays.

[0022] The association between region and equipment container refers to the containment relationship between a region and a station.

[0023] The association between equipment containers refers to the relationships in which a station contains voltage levels, a voltage level contains bays, and a station directly contains bays.

[0024] The association between equipment container and equipment refers to the containment relationship between a substation, voltage level or bay and its equipment.

[0025] The association between equipment and measurement refers to the containment relationship between equipment and its measurements.

[0026] The association between measurement and measurement value refers to the containment relationship between a measurement and its measurement values.

[0027] (12) Asynchronous subscription: the grid object access control device subscribes to the OPC UA server to listen for grid model change events.

[0028] When the grid model it manages changes, the OPC UA server delivers asynchronous notifications of the model changes to the grid object access control device for the grid model change events subscribed to asynchronously. To keep the grid objects managed by the grid object access control device consistent with the grid object model in the OPC UA server, the device subscribes to the OPC UA server to listen for grid model change events. The types of grid model change of interest include addition and deletion of grid objects and modification of the associations between grid objects; for example, when dispatch authority over a substation is delegated from the provincial dispatch center to a prefectural dispatch center, the corresponding region (province) -> sub-region (city) -> station association changes.

[0029] Using the containment relationships region -> sub-region -> station -> voltage level -> bay, the grid model can be transformed from a mesh structure into the hierarchical tree structure shown in Figure 3, and the equipment and measurements in the grid model can then be assigned to the corresponding branch of the tree according to their associations. In this tree a region is the root node and each region -> sub-region -> station -> voltage level path forms one specific branch; equipment and measurements are assigned to the corresponding branch according to their associations with equipment containers and with each other.

[0030] In an OPC UA server each grid model object corresponds to an OPC UA node, and the OPC UA nodes hold references to each other according to the relationships between the grid model objects they represent, so each node can naturally be assigned to a specific branch of the grid model hierarchy according to the grid model object it represents. After the partitioning of step (11), therefore, the OPC UA nodes corresponding to all grid model objects have each been assigned to a specific branch of the grid model hierarchy.

[0031] When the grid model it manages changes, the OPC UA server produces a corresponding model change description and sends it to the applications that previously subscribed explicitly to those changes, such as the grid object access control device. In the OPC UA standard the model change description is called a model change event.

[0032] (13) The grid object access control device responds to the asynchronous notifications corresponding to its asynchronous subscription and dynamically maintains the hierarchical partitioning of the grid model according to the addition, deletion and modification information about the grid model carried in the notification.

[0033] Synchronization of the grid model between the grid object access control device and the OPC UA server is accomplished through a set of asynchronous operations, comprising asynchronous subscription and asynchronous notification:

a. asynchronous subscription: the grid object access control device subscribes to the model change events of interest;

b. asynchronous notification: when the grid model changes, the OPC UA server generates grid model change events and sends them to the grid object access control device. This operation is not executed synchronously with the subscription operation of the grid object access control device but asynchronously.

[0034] (14) Management operation setting step: specifying the access permissions of particular users on different branches of the grid model hierarchy. The supported permissions are "read", "create", "update" and "delete". For a branch of the grid hierarchy, a permission specified for the next level down overrides the uniform permission specified for the parent level. For example, if "user 1" is given "read, update" permission on "city aa, province XX" but only "read" permission on "substation XXX, city aa, province XX", then "user 1" loses the "update" permission on "substation XXX, city aa, province XX".

[0035] As shown in Figure 2, the access security control module realizes access security control of the grid model in the following steps:

(21) The OPC UA client and OPC UA server negotiate to establish a secure channel and authenticate each other's identity; suppose the client session is then identified as "user 1".

[0036] (22) The OPC UA client initiates an operation on the grid model.

[0037] (23) The OPC UA server queries the grid object access control device as to whether the user has the appropriate permission. For example, if the operation of step (22) is the OPC UA Browse(Node1) operation, the access request (user 1, Node1, "read") is checked; if the operation of step (22) is DeleteNodes(Node2), the access request (user 1, Node2, "delete") is checked.

[0038] (24) The grid object access control device first determines the grid region to which the grid model object corresponding to the UA node accessed by the client belongs, then checks whether the client's identity has the corresponding permission on that target region; if so it returns "allow", otherwise "deny". For example, when the operation of step (22) is DeleteNodes(Node2), the device finds that Node2 belongs to "city dd, province xx", and since "user 1" has no "delete" permission there, it returns "deny".

[0039] The result of this step is returned to the OPC UA server as the reply to the call of step (23).

[0040] (25) According to the result returned by step (24): if it is "allow", the operation requested in step (22) is executed and its result is returned; otherwise "no access permission, operation denied" is returned directly to the OPC UA client.

[0041] (26) The result of step (25) is returned to the OPC UA client as the reply to the call of step (22).
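The configuration steps (11) to (14) and the authorization steps (21) to (26) above, carried through in Python as an added example. This code is not from the patent or from any product of the applicants. It assumes a constructed sample model (province XX with cities aa and dd, substations XXX and YYY, and the equipment under them, all made up for the example), a hypothetical mapping of OPC UA service names to the four permissions, and plain in-process calls in place of the OPC UA subscription and query messages. Two behaviours the patent text does not state are also assumptions: a node whose branch carries no grant at all for the user is denied, and a model change that would make the hierarchy cyclic or delete a container that still has members is rejected.

```python
"""Hierarchical access control over a grid model; constructed example, not the patent's code."""
from __future__ import annotations

PERMISSIONS = ("read", "create", "update", "delete")
# Assumed mapping of OPC UA services to the four permissions of step (14).
SERVICE_PERMISSION = {"Browse": "read", "Read": "read", "Write": "update",
                      "AddNodes": "create", "DeleteNodes": "delete"}


class GridAccessController:
    def __init__(self) -> None:
        self.kind: dict[str, str] = {}             # node id -> object type
        self.parent: dict[str, str | None] = {}    # node id -> containing node, None for a root region
        self.acl: dict[str, dict[str, frozenset[str]]] = {}  # node -> user -> explicit grant
    # (11) partition initialisation from the object list and (container, member) references
    def initialize(self, objects, contains) -> None:
        for node_id, kind in objects:
            self.kind[node_id] = kind
            self.parent[node_id] = None
        for container, member in contains:
            self._link(container, member)
    def _link(self, container: str, member: str) -> None:
        if container not in self.kind or member not in self.kind:
            raise KeyError(f"unknown node in reference {container} -> {member}")
        n: str | None = container      # refuse a reference that would turn the tree into a cycle
        while n is not None:
            if n == member:
                raise ValueError(f"{container} -> {member} would create a cycle")
            n = self.parent[n]
        self.parent[member] = container
    # (13) keep the hierarchy current from an asynchronous model change notification (12)
    def apply_model_change(self, event: dict) -> None:
        op, node = event["op"], event["node"]
        if op == "add":
            self.kind[node], self.parent[node] = event["kind"], None
            if event.get("container"):
                self._link(event["container"], node)
        elif op == "delete":
            if node in self.parent.values():
                raise ValueError(f"{node} still contains members")
            del self.kind[node], self.parent[node]
            self.acl.pop(node, None)               # grants on a deleted object go with it
        elif op == "reference_changed":            # e.g. a substation handed to another dispatch centre
            self._link(event["container"], node)
        else:
            raise ValueError(f"unknown model change {op!r}")
    # (14) management operation setting: explicit grant on one branch
    def grant(self, user: str, node: str, perms) -> None:
        if node not in self.kind or not set(perms) <= set(PERMISSIONS):
            raise ValueError(f"bad grant for {user} on {node}")
        self.acl.setdefault(node, {})[user] = frozenset(perms)
    def branch(self, node: str) -> list[str]:
        """Path from the root region down to node: the branch of Figure 3."""
        path, n = [], node
        while n is not None:
            path.append(n)
            n = self.parent[n]
        return path[::-1]
    def effective_permissions(self, user: str, node: str) -> frozenset[str]:
        """The nearest explicit grant walking up from node wins; none on the path means no access."""
        for n in reversed(self.branch(node)):
            explicit = self.acl.get(n, {}).get(user)
            if explicit is not None:
                return explicit
        return frozenset()
    # (24) the answer to the server's query of step (23)
    def authorize(self, user: str, node: str, perm: str) -> str:
        if node not in self.kind:
            return "deny"
        return "allow" if perm in self.effective_permissions(user, node) else "deny"


def handle_request(ctl: GridAccessController, user: str, service: str, node: str) -> str:
    """Steps (22)-(26): what the server does with one call from an authenticated session."""
    perm = SERVICE_PERMISSION.get(service)
    if perm is None or ctl.authorize(user, node, perm) != "allow":
        return "no access permission, operation denied"
    return f"{service}({node}) executed"          # stand-in for running the real service


def build_sample() -> GridAccessController:
    """Constructed model: province XX with cities aa and dd, one substation in each."""
    ctl = GridAccessController()
    ctl.initialize(
        objects=[("XX", "Region"), ("XX.aa", "Region"), ("XX.dd", "Region"), ("XXX", "Substation"),
                 ("XXX.220kV", "VoltageLevel"), ("XXX.220kV.L1", "Bay"), ("CB101", "Breaker"),
                 ("CB101.I", "Measurement"), ("YYY", "Substation"), ("YYY.110kV", "VoltageLevel"),
                 ("T1", "Transformer")],
        contains=[("XX", "XX.aa"), ("XX", "XX.dd"), ("XX.aa", "XXX"), ("XXX", "XXX.220kV"),
                  ("XXX.220kV", "XXX.220kV.L1"), ("XXX.220kV.L1", "CB101"), ("CB101", "CB101.I"),
                  ("XX.dd", "YYY"), ("YYY", "YYY.110kV"), ("YYY.110kV", "T1")])
    ctl.grant("user1", "XX.aa", {"read", "update"})   # the step (14) example from the text
    ctl.grant("user1", "XXX", {"read"})               # child level overrides the parent grant
    return ctl
```

With the sample model, `handle_request(ctl, "user1", "Browse", "CB101.I")` succeeds through the grant on city aa, `handle_request(ctl, "user1", "Write", "CB101")` is refused because the grant on substation XXX overrides it with read only, and `handle_request(ctl, "user1", "DeleteNodes", "T1")` is refused because nothing on the city dd branch grants user1 anything. Applying the model change event `{"op": "reference_changed", "node": "YYY", "container": "XX.aa"}`, the case of paragraph [0028] where a substation passes to another dispatch center, moves T1 under city aa and user1's update permission there takes effect without any change to the configured grants, which is the migration property the background section says node-level configuration lacks. Because permission is resolved along the tree path, the device must never hold two parents for one node; the cycle check in `_link` is what keeps a malformed or malicious model change event from making `branch` loop forever.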

[0042] Embodiments of the present invention are not limited to the above. Under the premise of the basic technical idea of the present invention, various other modifications, substitutions or changes made to the content of the invention according to ordinary technical knowledge and customary means in the art all fall within the scope of protection of the present invention as claimed.

Claims (9)

  1. A power grid object access control device capable of realizing safety configuration and access of power grid model data, characterized in that the device comprises: a hierarchical partitioning and security permission configuration module for power grid model data, and an access security control module; the hierarchical partitioning and security permission configuration module implements hierarchical partitioning and security permission configuration of the power grid model data, comprising the following: (11) power grid model partition initialization: the power grid object access control device obtains the power grid model data from the OPC UA server and hierarchically partitions the power grid model objects of the types region, equipment container, equipment, measurement and measurement value according to the association relationships between regions, between regions and equipment containers, between equipment containers of different types, between equipment containers and equipment, between equipment and measurements, and between measurements and measurement values; (12) asynchronous subscription: the power grid object access control device subscribes to the OPC UA server to monitor power grid model change events; when the power grid model it manages changes, the OPC UA server sends the power grid object access control device an asynchronous notification of the model change for the power grid model change event that was subscribed to asynchronously; (13) the power grid object access control device responds to the asynchronous notification corresponding to the asynchronous subscription and dynamically maintains the hierarchical partitioning of the power grid model according to the addition, deletion and modification information of the power grid model carried in the asynchronous notification; (14) management operation setting: specifying the access permissions of particular users to different branches of the power grid model hierarchy, where the supported access permissions are "read", "create", "change" and "delete", and, for a branch of the power grid hierarchy, a permission specified for a lower level overrides the uniform permission specified for the parent level; the access security control module implements access security control of the power grid model, the access security control comprising the following: (21) the OPC UA client and the OPC UA server establish a secure channel through negotiation and authenticate each other's identity; at this point the client session is assumed to have been confirmed as "User 1"; (22) the OPC UA client initiates an operation related to the power grid model; (23) the OPC UA server queries the power grid object access control device whether the user has the appropriate permission; (24) the power grid object access control device first determines the power grid region to which the power grid model object corresponding to the UA node accessed by the client belongs, then looks up the client's identity and whether it holds the corresponding permission for the target region, returning "allow" if it does and "deny" otherwise, and returns the result of this processing step to the OPC UA server as the response to the call made in step (23); (25) depending on the result returned by step (24), if it is "allow", the operation requested in step (22) is executed and the result of the operation is returned; otherwise "No access permission, operation denied" is returned directly to the OPC UA client; (26) as the response to the call made in step (22), the result of processing step (25) is returned to the OPC UA client.
  2. The power grid object access control device according to claim 1, characterized in that the association relationship between regions refers to the containment relationship between a region and its sub-regions, such as "province - city - county".
  3. The power grid object access control device according to claim 1, characterized in that the equipment container is an abstract concept that includes power plants, substations, voltage levels, bays and lines; the power plants and substations are usually collectively referred to as stations; the voltage level means a logical equipment container within a substation formed by the equipment having the same voltage; the bay is a logical equipment container formed by closely connected parts within a substation that share certain functions; bays are usually classified into different kinds according to the type of the main equipment they contain, including outgoing line bays, bus bays and main transformer bays.
  4. The power grid object access control device according to claim 1, characterized in that the association relationship between regions and equipment containers refers to the containment relationship between a region and a station.
  5. The power grid object access control device according to claim 1, characterized in that the association relationships between equipment containers refer to the following kinds of relationship: a station contains voltage levels, a voltage level contains bays, and a station directly contains bays.
  6. The power grid object access control device according to claim 1, characterized in that the association relationship between equipment containers and equipment refers to the containment relationship between a substation, voltage level or bay and the equipment it holds.
  7. The power grid object access control device according to claim 1, characterized in that the association relationship between equipment and measurements refers to the containment relationship between equipment and its measurements.
  8. The power grid object access control device according to claim 1, characterized in that the association relationship between measurements and measurement values refers to the containment relationship between a measurement and its measurement values.
  9. The power grid object access control device according to claim 1, characterized in that the types of power grid model change event include addition of a power grid object, deletion of a power grid object, and modification of an association relationship between power grid objects.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201410355049 CN104168268B (en) 2014-07-24 2014-07-24 Grid model capable of achieving data access and security configuration of the grid object access control means

Publications (2)

Publication Number Publication Date
CN104168268A (en) 2014-11-26
CN104168268B CN104168268B (en) 2016-01-20

Family

ID=51911892

Country Status (1)

Country Link
CN (1) CN104168268B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506528A (en) * 2014-12-23 2015-04-08 国家电网公司 Integrated network safety access method
CN105468689A (en) * 2015-11-17 2016-04-06 广东电网有限责任公司电力科学研究院 Power grid object level authority configuration and inheritance method
CN105717904A (en) * 2016-05-09 2016-06-29 柴俊沙 Intelligent irrigation device based on OPC protocol
WO2017214802A1 (en) * 2016-06-13 2017-12-21 深圳天珑无线科技有限公司 Distributed network message processing method and node

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080219186A1 (en) * 2007-03-05 2008-09-11 Grid Net, Inc. Energy switch router
CN101272051A (en) * 2008-05-06 2008-09-24 江苏省电力公司南京供电公司 Information system integration method of electric network production control region and management information region
CN101482901A (en) * 2009-02-06 2009-07-15 中国电力科学研究院 System and method for providing power data correlated service based on WAN
CN101540505A (en) * 2009-01-09 2009-09-23 南京南瑞继保电气有限公司;湖北省电力公司 Building method of multistage multi-region interconnected network data model
CN101751426A (en) * 2008-12-11 2010-06-23 北京市电力公司 Method and device for realizing information sharing between SCADA and GIS
CN201518429U (en) * 2009-10-26 2010-06-30 江西省电力科学研究院 Electric energy qualitative data concentrator for digitalization transforming plant
CN102035210A (en) * 2011-01-05 2011-04-27 河北省电力研究院 Relaxative-constraint powerless equipment optimization method for power system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506528A (en) * 2014-12-23 2015-04-08 国家电网公司 Integrated network safety access method
CN104506528B (en) * 2014-12-23 2018-02-23 国家电网公司 An integrated security network access method
CN105468689A (en) * 2015-11-17 2016-04-06 广东电网有限责任公司电力科学研究院 Power grid object level authority configuration and inheritance method
CN105717904A (en) * 2016-05-09 2016-06-29 柴俊沙 Intelligent irrigation device based on OPC protocol
WO2017214802A1 (en) * 2016-06-13 2017-12-21 深圳天珑无线科技有限公司 Distributed network message processing method and node

Also Published As

Publication number Publication date Type
CN104168268B (en) 2016-01-20 grant


Legal Events

Date Code Title Description
C06 Publication
C53 Correction of patent for invention or patent application
COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: ELECTRICAL POWER RESEARCH INSTITUTE OF GUANGDONG POWER GRID CORPORATION TO: ELECTRIC POWER RESEARCH INSTITUTE OF GUANGDONG POWER GRID CO., LTD.

C10 Entry into substantive examination
C14 Grant of patent or utility model