CN105449863B - A kind of intelligent substation Network Communicate Security antihunt means - Google Patents

Intelligent substation network communication security and stability method

Info

Publication number
CN105449863B
CN105449863B
Authority
CN
China
Prior art keywords
communication
network
security
intelligent substation
module
Prior art date
Legal status
Active
Application number
CN201510940760.5A
Other languages
Chinese (zh)
Other versions
CN105449863A (en)
Inventor
王治民
周毅
张蕾
蒋森维
魏恺
邱泽伟
雷锐
Current Assignee
Beijing Sifang Automation Co Ltd
Beijing Sifang Engineering Co Ltd
Original Assignee
Beijing Sifang Automation Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Sifang Automation Co Ltd
Priority to CN201510940760.5A
Publication of CN105449863A
Application granted
Publication of CN105449863B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H02J13/00006 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment
    • H02J13/00007 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment using the power network as support for the transmission
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00 Systems supporting electrical power generation, transmission or distribution
    • Y04S10/16 Electric power substations

Abstract

A method for the network communication security and stability of an intelligent substation, for the real-time monitoring and defence of the network communication security and stability of intelligent substation devices that communicate over IEC 61850. Through a security audit, an anomaly audit and communication defence, the method audits the network communication of intelligent substation devices in real time against a security audit policy, defends against illegal and abnormal conditions, and raises early warnings in real time. With this method an intelligent substation device can suppress and filter illegal and abnormal communication at the underlying communication link, which improves the security and stability of the device's functions and operation; the method is especially effective and significant when the substation network is connected to a public network.

Description

Intelligent substation network communication security and stability method
Technical field
The present invention relates to a method for the network communication security and stability of an intelligent substation. It belongs to the technical field of electric power automation and is directed in particular at the real-time monitoring and defence of the network communication security and stability of intelligent substation devices that communicate over IEC 61850.
Background technology
An intelligent substation uses IEC 61850 standard communication, which defines a three-level network structure of station level, bay level and process level. Data acquisition, control of device functions and so on are all carried out over the network, so network intrusion is a latent security hazard, and a substation that is connected to public network communication facilities is considerably more exposed to network attack than a relatively isolated and closed substation LAN.
At present the IEC 61850 communication used in intelligent substations, covering station-level MMS (Manufacturing Message Specification) communication and process-level GOOSE (Generic Object Oriented Substation Event) and SV (Sampled Values) communication, is a basic communication mechanism that can be used without any security precautions. On the other hand, as intelligent substations develop, many new types of device appear, such as merging units and intelligent terminals. Besides the various abnormal communications that may occur in operation, the application of new devices can also give rise to abnormal communication caused by defects while the devices are still being refined. All such abnormal communication can cause unpredictable behaviour of device functions and reduce the stability of the device.
From the standpoint of network communication security and stable device operation, it is necessary to monitor and defend the security and stability of intelligent substation device network communication in real time, so that a device can suppress and filter illegal and abnormal communication at the underlying communication link and thereby promote the security and stability of intelligent substation operation.
The content of the invention
To overcome the shortcomings of the prior art described above, the present invention provides a method for the network communication security and stability of an intelligent substation.
The technical solution adopted by the present invention is as follows:
A method for the network communication security and stability of an intelligent substation uses a security audit module, an anomaly audit module and a communication defence module to audit the network communication of intelligent substation devices in real time, to defend against illegal and abnormal conditions, and to raise a real-time early warning when illegal or abnormal conditions occur. The method is characterised in that it comprises the following steps:
(1) All network communication messages entering the intelligent substation device are received by a network communication monitoring module, which submits each message simultaneously to the anomaly audit module and the security audit module;
(2) The anomaly audit module analyses MMS, GOOSE and SV network communication messages according to the IEC 61850 communication specifications. Messages that do not conform to the specifications, i.e. exception messages, are discarded directly; the audit result is recorded as a log and submitted to a real-time early warning module;
(3) The security audit module audits the network communication messages. A message that is explicitly forbidden, or that lies outside the allowed range, is treated as an illegal message that affects communication security, and the communication defence module then applies communication service rejection or communication disconnection to it. The security audit module records the audit result and the measures taken for the illegal message as a log and submits them to the real-time early warning module;
(4) The real-time early warning module submits the warning information from the audit findings of steps (2) and (3) to the information management module of the intelligent substation device.
The invention may further adopt the following preferred technical scheme:
In step (3), the security audit policy is a communication security policy preset according to the service requirements of the intelligent substation device, and consists of a communication access policy and a communication control policy. If a network communication message is explicitly forbidden in the communication access policy, or lies outside the allowed range, it is treated as an illegal message affecting secure communication, and the handling of that illegal message is then determined according to the communication control policy. Specifically:
3.1 The communication access policy is the configuration of allowed and forbidden communication access, covering the communication message type, the communication address and the communication service type. The communication message type is an existing protocol type of the TCP/IP protocol stack specification. For GOOSE and SV communication the communication address is the application ID (APPID); for TCP/UDP communication the communication address is the IP address. The communication service type applies only to MMS communication and refers to the Abstract Communication Service Interface (ACSI) defined by the IEC 61850 specifications.
3.2 The communication control policy comprises communication service rejection and communication disconnection. Communication service rejection is a negative response to a network communication service request. Communication disconnection is a request to disconnect the communication session link.
The communication defence module is responsible for sending messages to the monitored network, including communication service rejection messages and communication disconnection messages.
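As an added illustration of the communication access policy (3.1) and communication control policy (3.2) just described, the following Python is my own example code; it is not part of the patent or of any Sifang product. The message model, the policy fields, the action names DROP, REJECT_SERVICE and DISCONNECT, and the sample ACSI service names are assumptions: the patent's two measures are stated for session-based communication, so the DROP action applied to connectionless GOOSE/SV frames outside the allowed APPIDs is an addition of mine.

```python
"""Added example (not from the patent): a minimal security-audit module and
communication-defence decision for step (3). Message model, policy fields and
the ACSI service names used as samples are my own assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    kind: str                      # protocol type: "GOOSE", "SV", "MMS", "FTP", ...
    address: str                   # APPID for GOOSE/SV, peer IP for TCP/UDP
    service: Optional[str] = None  # ACSI service name, MMS only


@dataclass
class AccessPolicy:
    """Communication access policy: explicit allow and forbid entries for
    message type, communication address and (MMS only) ACSI service."""
    forbidden_kinds: Set[str] = field(default_factory=set)
    allowed_appids: Set[str] = field(default_factory=set)   # GOOSE/SV publishers
    allowed_ips: Set[str] = field(default_factory=set)      # TCP/UDP peers
    forbidden_services: Set[str] = field(default_factory=set)

    def violation(self, m: Message) -> Optional[str]:
        """None if the message is within the allowed range, else the reason."""
        if m.kind in self.forbidden_kinds:
            return "forbidden message type"
        if m.kind in ("GOOSE", "SV"):
            if m.address not in self.allowed_appids:
                return "APPID not in allowed range"
        elif m.address not in self.allowed_ips:
            return "IP address not in allowed range"
        if m.kind == "MMS" and m.service in self.forbidden_services:
            return "forbidden ACSI service"
        return None


def control_action(m: Message, reason: str) -> str:
    """Communication control policy (assumed mapping): a forbidden service on
    an otherwise permitted MMS session gets a negative response; a forbidden
    type or peer gets its session link dropped; GOOSE/SV have no session, so
    an illegal frame is simply dropped."""
    if m.kind in ("GOOSE", "SV"):
        return "DROP"
    if reason == "forbidden ACSI service":
        return "REJECT_SERVICE"
    return "DISCONNECT"


@dataclass(frozen=True)
class AuditRecord:
    message: Message
    reason: str
    action: str


def security_audit(messages, policy: AccessPolicy) -> List[AuditRecord]:
    """Step (3): flag illegal messages and decide the defence measure. The
    returned records serve as both the audit log and the early-warning feed."""
    records: List[AuditRecord] = []
    for m in messages:
        reason = policy.violation(m)
        if reason is not None:
            records.append(AuditRecord(m, reason, control_action(m, reason)))
    return records


# Constructed policy and traffic for one bay device (all values made up).
POLICY = AccessPolicy(
    forbidden_kinds={"FTP", "TELNET"},
    allowed_appids={"0x1001", "0x4001"},
    allowed_ips={"192.0.2.10"},                 # the station-level host
    forbidden_services={"Operate", "SetEditSGValue", "SetDataValues"},
)
SAMPLE = [
    Message("GOOSE", "0x1001"),                       # known publisher: allowed
    Message("SV", "0x4002"),                          # unknown publisher
    Message("MMS", "192.0.2.10", "GetDataValues"),    # read from allowed host
    Message("MMS", "192.0.2.10", "Operate"),          # control service: forbidden
    Message("MMS", "192.0.2.99", "GetDataValues"),    # unknown peer
    Message("FTP", "192.0.2.10"),                     # forbidden message type
]


def run_sample() -> List[Tuple[str, str, str]]:
    return [(r.message.kind, r.reason, r.action)
            for r in security_audit(SAMPLE, POLICY)]
```

The checks are ordered so that a forbidden message type is reported before the address is consulted, which is why the FTP message from the permitted host is still disconnected; every record produced here is what the real-time early warning module would receive in step (4).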
Compared with the prior art, the beneficial effect of the invention is that an intelligent substation device can suppress and filter illegal and abnormal communication right at the underlying communication link, which improves the security and stability of the device's functions and operation; the method is especially effective and significant when the substation network is connected to a public network.
Description of the drawings
Fig. 1 is the flow chart of the intelligent substation network communication security and stability method of the present invention.
Specific embodiment
The present invention is further described below with reference to the accompanying drawing and an embodiment.
In Fig. 1, the intelligent substation network communication security and stability method of the invention comprises the following steps: (1) A network communication monitoring module 10 serves as the entry point for communication links into the device. It monitors the network communication messages reaching the device and submits each message to both an anomaly audit module 20 and a security audit module 30, which perform audit processing with different logic.
(2) The anomaly audit module 20 analyses the MMS, GOOSE and SV network communication messages submitted in step (1) according to the IEC 61850 communication specifications, covering the legitimacy of the message format, the correctness of the encoding and the correctness of the communication mechanism. The correctness of the communication mechanism is analysed mainly for GOOSE and SV communication and includes the stepped retransmission timing of GOOSE after a state change, GOOSE bursts and the repeat mechanism, GOOSE null changes and abnormal changes, GOOSE timeout, SV timeout and SV data jumps. A message that does not conform to the specification, i.e. an exception message, is fully recorded as an audit result in the log together with the original message and the time, and is then discarded directly so that it is not processed further by the device functions; this reduces the effect of exception messages on device functions and thereby improves the stability of those functions.
(3) The security audit module 30 performs a security audit of the MMS, GOOSE and SV network communication messages submitted in step (1) according to a security audit policy 31. The security audit policy 31 presets the audit targets required for safe device operation, namely the communication access policy, and the measures to be taken when a security problem is found, namely the communication control policy. If a network communication message is explicitly forbidden in the communication access policy, or lies outside the allowed range, it is an illegal message that affects communication security, and the measures for handling it are then determined by the communication control policy. The illegal message and the measures taken are recorded as an audit result in the log together with the original message and the time.
For flexible and convenient deployment the communication access policy is divided into allowed and forbidden communication access configurations, each of which may comprise a communication address, a communication message type and a communication service type. For GOOSE and SV communication the communication address is the APPID and no communication service type is involved. For MMS communication the communication address is the IP address and the communication service type is an ACSI service defined by the IEC 61850 specifications, mainly the services that carry the greater security threat, such as control services, setting-value services and write services. The communication message type is an existing protocol type of the TCP/IP protocol stack specification; besides the MMS, GOOSE and SV communication defined by the IEC 61850 specifications, common types include FTP, HTTP and TELNET. If the device does not allow, or forbids, certain communication message types, these can be included in the communication access policy configuration.
The communication control policy defines the measures that the security audit module 30, having audited against the communication access policy, takes against network communication messages that are explicitly forbidden or outside the allowed range; these measures are communication service rejection and communication disconnection. Communication service rejection is a negative response to a network communication service request: for example, where control services and setting-value services are forbidden and a control operation or setting-value operation on the device is detected on the network, the security audit policy 31 returns a negative response, so the operation is refused and the security of the device is ensured. Communication disconnection is a request to disconnect a communication session link; it can be used to disconnect the communication session link when a forbidden communication service is found, and also for session rejection or link disconnection of a forbidden communication message type. For example, if the security audit policy 31 is configured to forbid FTP communication and any FTP message is found in the device's network communication, the corresponding link is disconnected.
The communication defence module 40 carries out the specific measures against an illegal message, i.e. it sends specific communication messages to the monitored network, including communication service rejection messages and communication disconnection messages.
(4) If, in steps (2) and (3), the anomaly audit module 20 or the security audit module 30 finds an exception message or an illegal message through its audit, the details of those messages are recorded and submitted to a real-time early warning module 50. The real-time early warning module 50 manages and forwards the warning information, for instance to the information management module 60 of the device, which can forward it further to systems outside the device, such as a monitoring system.
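The mechanism checks that step (2) assigns to the anomaly audit module 20 (GOOSE retransmission sequence, null and abnormal changes, GOOSE timeout, SV timeout, SV data jumps) can be stated as a small per-publisher state machine. The following Python is my own added example and not code from the patent; the frame fields, the thresholds, the rule names and the constructed traffic are assumptions that simplify the IEC 61850-8-1/9-2 retransmission semantics, and the format and encoding checks of step (2) are left out.

```python
"""Added example (not from the patent): a stateful anomaly audit implementing
the GOOSE/SV communication-mechanism checks listed in step (2). Frame fields,
thresholds and rule names are my own simplifying assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GooseFrame:
    appid: str
    st_num: int             # stNum: +1 on every data change
    sq_num: int             # sqNum: 0 on a change, then +1 per retransmission
    tal_ms: int             # timeAllowedToLive announced by the publisher
    data: Tuple[bool, ...]  # decoded allData (constructed)
    t_ms: int               # receive time on a constructed monotonic clock


@dataclass(frozen=True)
class SvFrame:
    appid: str
    smp_cnt: int            # smpCnt: sample counter, wraps at the sample rate
    t_ms: int


class AnomalyAudit:
    """Keeps the last frame seen per APPID (even a rejected one, so a timeout
    is measured from the most recent arrival). audit_* return None for a
    conforming frame or the reason for an exception message, which the caller
    then drops; every finding is logged with the original frame and time."""

    def __init__(self, sv_rate: int = 4000, sv_timeout_ms: int = 10):
        self.sv_rate = sv_rate              # 4000 samples/s (9-2LE at 50 Hz)
        self.sv_timeout_ms = sv_timeout_ms  # assumed gap that counts as SV timeout
        self._goose: Dict[str, GooseFrame] = {}
        self._sv: Dict[str, SvFrame] = {}
        self.log: List[Tuple[int, str, object]] = []

    def _reject(self, frame, reason: str) -> str:
        self.log.append((frame.t_ms, reason, frame))
        return reason

    def audit_goose(self, f: GooseFrame) -> Optional[str]:
        prev = self._goose.get(f.appid)
        self._goose[f.appid] = f
        if prev is None:
            return None                     # no history yet for this publisher
        if f.t_ms - prev.t_ms > prev.tal_ms:
            return self._reject(f, "GOOSE timeout")
        if f.st_num == prev.st_num:         # retransmission of the same state
            if f.sq_num != prev.sq_num + 1:
                return self._reject(f, "GOOSE repeat sequence broken")
            if f.data != prev.data:
                return self._reject(f, "GOOSE data changed without stNum increment")
        elif f.st_num == prev.st_num + 1:   # announced state change
            if f.sq_num != 0:
                return self._reject(f, "GOOSE change without sqNum reset")
            if f.data == prev.data:
                return self._reject(f, "GOOSE null change")
        else:
            return self._reject(f, "GOOSE abnormal stNum jump")
        return None

    def audit_sv(self, f: SvFrame) -> Optional[str]:
        prev = self._sv.get(f.appid)
        self._sv[f.appid] = f
        if prev is None:
            return None
        if f.t_ms - prev.t_ms > self.sv_timeout_ms:
            return self._reject(f, "SV timeout")
        if f.smp_cnt != (prev.smp_cnt + 1) % self.sv_rate:
            return self._reject(f, "SV sample-count jump")
        return None


def run_sample() -> List[str]:
    """Constructed traffic: a healthy GOOSE retransmission ladder followed by
    three faulty frames, and an SV stream with a counter jump and a gap."""
    audit = AnomalyAudit()
    d0, d1 = (False, False), (True, False)
    goose = [
        GooseFrame("0x1001", 5, 0, 10, d0, 0),   # first frame, no history
        GooseFrame("0x1001", 5, 1, 20, d0, 4),   # ladder: 4 ms, 8 ms, ...
        GooseFrame("0x1001", 5, 2, 40, d0, 12),
        GooseFrame("0x1001", 6, 0, 10, d1, 30),  # genuine state change
        GooseFrame("0x1001", 6, 0, 10, d1, 32),  # duplicate sqNum
        GooseFrame("0x1001", 6, 1, 20, d1, 50),  # 18 ms gap > TAL of 10 ms
        GooseFrame("0x1001", 9, 0, 10, d0, 55),  # stNum 6 -> 9
    ]
    sv = [SvFrame("0x4001", n, n // 4) for n in range(8)]          # 4 samples/ms
    sv += [SvFrame("0x4001", 20, 2), SvFrame("0x4001", 21, 30)]    # jump, then gap
    findings = [audit.audit_goose(f) for f in goose] + [audit.audit_sv(f) for f in sv]
    return [r for r in findings if r is not None]
```

In the flow of Fig. 1 a non-None result is the point at which the frame is discarded before any device function sees it, and the corresponding `log` entry is what would be handed to the real-time early warning module 50. The GOOSE burst check from the description is not modelled here because it needs the publisher's configured retransmission schedule, which the constructed frames do not carry.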
The embodiment given above serves to illustrate the invention and its practical application, so that a person skilled in the art can implement or use the invention. A person of ordinary skill in the art may make various modifications or variations to the above embodiment without departing from the idea of the invention; the invention is therefore not limited by the above embodiment and should be accorded the broadest scope of the innovative features stated in the claims.

Claims (4)

1. A method for the network communication security and stability of an intelligent substation, which uses a security audit module, an anomaly audit module and a communication defence module to audit the network communication of intelligent substation devices in real time, to defend against illegal and abnormal conditions, and to raise a real-time early warning when illegal or abnormal conditions occur, characterised in that the network communication security and stability method comprises the following steps:
(1) all network communication messages entering the intelligent substation device are received by a network communication monitoring module, which submits each network communication message simultaneously to the anomaly audit module and the security audit module;
(2) the anomaly audit module analyses MMS, GOOSE and SV network communication messages according to the IEC 61850 communication specifications, discards directly the network communication messages that do not conform to the specifications, i.e. the exception messages, records the audit result as a log and submits it to a real-time early warning module;
(3) the security audit module audits the network communication messages; a network communication message that is explicitly forbidden, or that lies outside the allowed range, is treated as an illegal message affecting communication security, and the communication defence module further applies communication service rejection or communication disconnection to the illegal message; the security audit module records the audit result and the measures taken for the illegal message as a log and submits them to the real-time early warning module; the security audit policy is a communication security policy preset according to the service requirements of the intelligent substation device and comprises a communication access policy and a communication control policy; if a network communication message is explicitly forbidden in the communication access policy, or lies outside the allowed range, it is treated as an illegal message affecting secure communication, and the handling of that illegal message is then determined according to the communication control policy;
(4) the real-time early warning module submits the warning information from the audit findings of steps (2) and (3) to the information management module of the intelligent substation device.
2. The intelligent substation network communication security and stability method according to claim 1, characterised in that:
in step (3), the security audit policy specifically comprises:
3.1 a communication access policy, which is the configuration of allowed and forbidden communication access, covering communication message type, communication address and communication service type;
3.2 a communication control policy, which comprises communication service rejection and communication disconnection.
3. The intelligent substation network communication security and stability method according to claim 2, characterised in that:
in 3.1, the communication message type is an existing protocol type of the TCP/IP protocol stack specification; for GOOSE and SV communication the communication address is the application ID, i.e. the APPID; for TCP/UDP communication the communication address is the IP address; the communication service type applies only to MMS communication and is the Abstract Communication Service Interface (ACSI) defined by the IEC 61850 specifications.
4. The intelligent substation network communication security and stability method according to claim 2, characterised in that:
in 3.2, the communication service rejection is a negative response to a network communication service request, and the communication disconnection is a request to disconnect a communication session link.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510940760.5A CN105449863B (en) 2015-12-16 2015-12-16 A kind of intelligent substation Network Communicate Security antihunt means

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510940760.5A CN105449863B (en) 2015-12-16 2015-12-16 A kind of intelligent substation Network Communicate Security antihunt means

Publications (2)

Publication Number Publication Date
CN105449863A CN105449863A (en) 2016-03-30
CN105449863B true CN105449863B (en) 2018-05-25

Family

ID=55559768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510940760.5A Active CN105449863B (en) 2015-12-16 2015-12-16 A kind of intelligent substation Network Communicate Security antihunt means

Country Status (1)

Country Link
CN (1) CN105449863B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981812A (en) * 2019-03-13 2019-07-05 深圳供电局有限公司 A kind of interior communication method and device thereof, the computer equipment of multiple substations
CN113467345B (en) * 2021-08-11 2022-06-14 中电积至(海南)信息技术有限公司 Intelligent home security gateway system with simulation module
CN114301621A (en) * 2021-11-17 2022-04-08 北京智芯微电子科技有限公司 Intelligent substation and network communication safety control method and device thereof

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101316051A (en) * 2008-07-03 2008-12-03 绍兴电力局 Internetwork communication log analysis system and method based on IEC61850 transforming plant automatization system
CN101728869A (en) * 2009-11-10 2010-06-09 重庆大学 Power station automation system data network security monitoring method
CN104052640A (en) * 2014-07-09 2014-09-17 西安丙坤电气有限公司 Self-adaptation detection method for digital substation process level network messages
CN104065160A (en) * 2014-06-06 2014-09-24 武汉中元华电科技股份有限公司 Method for processing abnormal message in electric power system

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
ATE518329T1 (en) * 2008-08-18 2011-08-15 Abb Technology Ag ANALYSIS OF COMMUNICATION CONFIGURATION IN A PROCESS CONTROL SYSTEM

Also Published As

Publication number Publication date
CN105449863A (en) 2016-03-30

Similar Documents

Publication Publication Date Title
CN106982235B (en) IEC 61850-based electric power industry control network intrusion detection method and system
Yang et al. Multidimensional intrusion detection system for IEC 61850-based SCADA networks
EP2721801B1 (en) Security measures for the smart grid
CN103457791B (en) A kind of intelligent substation network samples and the self-diagnosing method of control link
CN103036733B (en) Unconventional network accesses monitoring system and the monitoring method of behavior
CN105449863B (en) A kind of intelligent substation Network Communicate Security antihunt means
CN105488396B (en) A kind of intelligent grid service security gateway system based on data stream association analytical technology
CN106168757A (en) Configurable robustness agency in factory safety system
CN110401624A (en) The detection method and system of source net G system mutual message exception
CN106911529A (en) Power network industry control safety detecting system based on protocol analysis
CN107395570A (en) Cloud platform auditing system based on big data administrative analysis
CN104104558B (en) A kind of method that network storm suppresses in transformer station process layer communication
CN103546488A (en) Active security defense system and method of power secondary system
CN108270600A (en) A kind of processing method and associated server to malicious attack flow
CN109510841A (en) A kind of security isolation gateway of control device and system
Matoušek et al. Increasing visibility of iec 104 communication in the smart grid
Mai et al. IEC 60870-5-104 network characterization of a large-scale operational power grid
KR100758796B1 (en) Realtime service management system for enterprise and a method thereof
TW201141155A (en) Alliance type distributed network intrusion prevention system and method thereof
CN111565167B (en) Generalized remote operation information safety device and safety operation and maintenance method for intelligent substation
KR102145421B1 (en) Digital substation with smart gateway
CN110138773B (en) Protection method for goose attack
CN109150888A (en) A method of network security mould group operating mode is controlled by physical switch
CN105827630A (en) Botnet attribute identification method, defense method and device
Eslava An algorithm for optimal firewall placement in iec61850 substations

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20190320

Address after: 100085 9, four street, Shang Di information industry base, Haidian District, Beijing.

Co-patentee after: Beijing Sifang Jibao Engineering Technology Co., Ltd.

Patentee after: Beijing Sifang Jibao Automation Co., Ltd.

Address before: 100085 9, four street, Shang Di information industry base, Haidian District, Beijing.

Patentee before: Beijing Sifang Jibao Automation Co., Ltd.