CN106534110A - Three-in-one security protection system architecture for substation secondary system - Google Patents

Info

Publication number
CN106534110A
Authority
CN
China
Prior art keywords
security
network
behavior
safety
subsystem
Prior art date
Legal status
Granted
Application number
CN201610981634.9A
Other languages
Chinese (zh)
Other versions
CN106534110B (en)
Inventor
汤震宇
沈全荣
李力
朱晓彤
张春合
文继锋
林青
张阳
胡绍谦
Current Assignee
NR Electric Co Ltd
NR Engineering Co Ltd
Original Assignee
NR Electric Co Ltd
NR Engineering Co Ltd
Priority date
2016-11-08
Filing date
2016-11-08
Publication date
2017-03-22
Application filed by NR Electric Co Ltd, NR Engineering Co Ltd
Granted as CN106534110B (2020-07-28)
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

The invention discloses a three-in-one security protection system architecture for a substation secondary system. The system architecture is integrated with a structure security subsystem as a first security defense line, a body security subsystem as a second security defense line and a behavior security subsystem for monitoring and controlling the network behavior security; the structure security subsystem is provided with an encryption authentication device, a network isolation device and firewall equipment on a network boundary of the secondary system; the body security subsystem carries out system reinforcement on network node equipment; and the behavior security subsystem, in a whole network communication process of the secondary system, is provided with a network behavior security monitoring device and a network host equipment checking agent program, so as to monitor network communication in real time, evaluate a security risk, push an early warning prompt and carry out a security audit. According to the three-in-one security protection system architecture disclosed by the invention, a three-dimensional security protection system is established from three levels, namely the system structure boundary, the network node equipment and the network dynamic behavior; and the security performance of the secondary system can be greatly improved.

Description

Three-in-one security protection system architecture for a substation secondary system
Technical field
The invention belongs to the field of network security and electric power automation, and relates specifically to the architecture design of security protection for a substation secondary system.
Background
With the networking, digitalization and intelligentization of the substation secondary system, the information security situation of the secondary system has become increasingly serious. The obvious security risks at present are mainly the following. From the point of view of structure, the networking boundary of the secondary system carries risk: as a relatively independent application system, the secondary system has a comparatively high networking-structure security, but if it is openly interconnected with other systems, or even directly connected to a public telecommunication network, the risk rises accordingly. From the point of view of the network equipment, the network equipment in the secondary system carries security risk in itself: whether the operating system of each network device has vulnerabilities, whether the application software contains logic bombs, whether ports are opened reasonably, whether communication protocols are transmitted confidentially, and whether the network equipment is robust when under attack. From the point of view of network behavior, the complex communication interactions between the different services of the secondary system bring risk, as does externally accessed operation and maintenance. Therefore, whether the architecture design of the substation secondary security protection system is comprehensive and practical is extremely important.
The traditional substation secondary security protection system emphasizes the security boundary of the system architecture; the body security of the network equipment and, in particular, the behavior security monitoring of network communication are insufficient. The secondary system functions of today's intelligent substations are increasingly complex, communication is generally networked, and operation and maintenance means are becoming more diverse, so the traditional boundary-focused substation security protection system shows its deficiencies.
Accordingly, there is a need to research and design a more comprehensive and applicable security protection system, establishing a multi-level, three-dimensional security protection architecture from three aspects: the boundary structure security of the system, the body security of the network node equipment, and the behavior security of communication interaction.
Summary of the invention
The purpose of the present invention is to propose a three-in-one security protection system architecture for a substation secondary system which improves on and optimizes the deficiencies of present security protection from three aspects: the boundary structure security of the system, the body security of the network node equipment, and the behavior security of communication interaction.
To achieve the above purpose, the solution of the present invention is specifically as follows:
1) A three-in-one security protection system architecture for a substation secondary system is built, comprising a structure security subsystem, a body security subsystem and a behavior security subsystem combined in a multi-level, three-dimensional manner, characterized in that:
A multi-level, three-dimensional substation secondary system security protection system integrating structure security, body security and behavior security is built. On the boundary of the secondary system network, a power-dedicated longitudinal encryption authentication device, forward and reverse network isolation devices and a firewall are arranged as the first security defense line, guarding the overall security boundary of the secondary system. On the network node equipment itself, system hardening is carried out to form the second security defense line, guarding the basic functional security in service of each network device of the secondary system. Throughout the whole process of secondary system network communication, a network behavior security management and control system is established, comprising a network behavior security monitoring device and a verification agent on the network node equipment, which monitors network communication behavior in real time, assesses security risk, pushes early-warning prompts in real time, and audits the network security of the system.
2) A structure security subsystem is built as the first security defense line of the three-in-one, multi-level, three-dimensional security protection system. An encryption authentication device, a network isolation device and firewall equipment are arranged on the boundary of the independent network of the secondary system. The structure solves the security protection of the service outlet of the secondary system and of the communication between internal regions of different security classes, prevents unauthorized access and external attack, and ensures the overall security boundary of the secondary system.
3) A body security subsystem is built as the second security defense line of the three-in-one, multi-level, three-dimensional security protection system. System hardening is carried out on the network node equipment of the secondary system: a secure hardware system and a secure operating system are used, unsafe port services are closed, the complexity and strength of user passwords are enhanced, role-based access control is established, event recording and auditing are established, and encryption authentication control is established for external communication. The second security defense line realizes the operational security of the network node equipment itself, prevents unauthorized access to and malicious attack on the equipment itself, and ensures the functional and operational security of the secondary system equipment.
4) A behavior security subsystem is built as the security management and control of network behavior in the three-in-one, multi-level, three-dimensional security protection system. It comprises an independently arranged behavior security monitoring device and an equipment verification agent installed on the network node equipment. The behavior security monitoring device obtains all the communication data exchanged on the secondary system network through a mirror port on the system's core switch, monitors network communication behavior in real time, verifies the network behavior of the network node equipment, stores original messages and system logs, assesses security risk, pushes early warnings in real time, and audits the network security of the system. The network behavior security management and control realizes real-time monitoring and analysis of secondary system network behavior, assessment of and early warning on security risk, and ensures the security level of secondary system network interaction.
The beneficial effects of the invention are as follows: a multi-level, three-dimensional security protection system for the substation secondary system integrating structure security, body security and behavior security is built, changing the long-standing security design of substation secondary system protection that emphasizes boundary protection and lacks three-dimensional defense in depth. Security risks at the boundary of the secondary system network, on the node equipment and in communication behavior are supervised comprehensively, three-dimensional real-time monitoring and risk assessment of the whole system are carried out, and the security performance of the secondary system can be greatly improved.
Description of the drawings
Fig. 1 is the overall system architecture diagram of the present invention;
Fig. 2 is the structure security subsystem diagram of the architecture of the present invention;
Fig. 3 is the body security subsystem diagram of the architecture of the present invention;
Fig. 4 is the behavior security subsystem diagram of the architecture of the present invention.
Detailed description of the embodiments
To make the technical scheme and features of the present invention clearer, the invention is further elaborated below.
1) The overall system architecture of the present invention is shown in Fig. 1: a multi-level, three-dimensional security protection system architecture for a substation secondary system is built, integrating a structure security subsystem, a body security subsystem and a behavior security subsystem.
2) On the boundary of the secondary system network, a power-dedicated longitudinal encryption authentication device, forward and reverse network isolation devices and a firewall are arranged as the first security defense line, guarding the overall security boundary of the secondary system.
3) On the network node equipment itself, system hardening is carried out and the second security defense line is set, guarding the basic functional security in service of each independent device in the secondary system.
4) Throughout the whole process of secondary system network communication, a network behavior security management and control system is established, which monitors and audits network communication behavior in real time and assesses security risk.
1) The structure security subsystem of the architecture of the present invention is shown in Fig. 2. As the first security defense line, the structure security subsystem arranges security measures on the boundary of the substation secondary system network according to the principle of "dedicated network, security partitioning, lateral isolation, longitudinal authentication", and is further characterized by the following steps:
Step 1: the network of the secondary system is constructed according to the principle of physical independence, with no direct link to external networks;
Step 2: the network structure of the secondary system is divided into a production control zone and an information management zone, the two zones having different security classes;
Step 3: in the production control zone of the secondary system, at the telecontrol communication outlet to the master station, a power-dedicated longitudinal encryption authentication device is arranged, realizing authentication of connection setup and encryption of information transfer;
Step 4: between the production control zone and the information management zone of the secondary system, forward and reverse physical isolation devices are arranged, realizing one-way data transmission between zones of different security classes;
Step 5: in the information management zone of the secondary system, at the communication outlet to the master station, a firewall is arranged, realizing security filtering of communication access and data interaction;
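The five steps above define a boundary policy, and it is worth seeing that policy written down as something a reviewer can evaluate a flow against. The following is an added example, not code from the patent or its assignees: it models the two zones, the master-station link and the boundary devices (zone names, device names and the sample flows are assumptions made for the example), and decides for each described flow whether it satisfies the "dedicated network, security partitioning, lateral isolation, longitudinal authentication" rules. A flow is described by where it starts, where it ends and which boundary devices it traverses; the checker returns the verdict together with the rule that decided it.

```python
"""Boundary policy checker for the structure security subsystem (first defense line).

Added illustration, not the patent's own code. It encodes the five steps as rules:
physically independent network, two zones of different security class,
longitudinal encryption/authentication at the production-control telecontrol outlet,
one-way forward/reverse isolation between the zones, and a firewall at the
information-management outlet. Zone names, device names and the sample flows below
are assumptions made for this example.
"""
from dataclasses import dataclass

PRODUCTION_CONTROL = "production_control"          # higher security class (assumed)
INFORMATION_MANAGEMENT = "information_management"  # lower security class (assumed)
MASTER_STATION = "master_station"                  # dispatch master station outside the substation
PUBLIC_NETWORK = "public_network"

ZONE_CLASS = {PRODUCTION_CONTROL: 2, INFORMATION_MANAGEMENT: 1}

# Assumed names of the boundary devices a flow may traverse.
LONGITUDINAL_AUTH = "longitudinal_encryption_auth"
FORWARD_ISOLATION = "forward_isolation"
REVERSE_ISOLATION = "reverse_isolation"
FIREWALL = "firewall"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    path: tuple       # boundary devices traversed, in order
    label: str = ""


def check_flow(flow):
    """Return (allowed, reason) for one flow under the boundary rules."""
    # Step 1: the secondary system network has no direct link to a public network.
    if PUBLIC_NETWORK in (flow.src_zone, flow.dst_zone):
        return False, "direct link to a public network is forbidden"
    # Traffic that stays inside one zone crosses no boundary device.
    if flow.src_zone == flow.dst_zone:
        return True, "intra-zone traffic"
    # Steps 2 and 4: lateral traffic between the two zones only through the isolation
    # device matching its direction (forward: high class -> low class, reverse: low -> high).
    if {flow.src_zone, flow.dst_zone} == {PRODUCTION_CONTROL, INFORMATION_MANAGEMENT}:
        downward = ZONE_CLASS[flow.src_zone] > ZONE_CLASS[flow.dst_zone]
        required = FORWARD_ISOLATION if downward else REVERSE_ISOLATION
        if required not in flow.path:
            return False, f"inter-zone flow must traverse {required}"
        return True, f"one-way transfer via {required}"
    # Steps 3 and 5: longitudinal traffic between the substation and the master station.
    if MASTER_STATION in (flow.src_zone, flow.dst_zone):
        internal = flow.dst_zone if flow.src_zone == MASTER_STATION else flow.src_zone
        if internal == PRODUCTION_CONTROL:
            if LONGITUDINAL_AUTH not in flow.path:
                return False, "telecontrol traffic must pass the longitudinal encryption authentication device"
            return True, "authenticated and encrypted longitudinal link"
        if internal == INFORMATION_MANAGEMENT:
            if FIREWALL not in flow.path:
                return False, "information-management outlet traffic must be firewall-filtered"
            return True, "firewall-filtered outlet"
    return False, "no rule permits this flow"


def audit(flows):
    """Return the labels of all flows that violate the boundary policy."""
    return [f.label for f in flows if not check_flow(f)[0]]


# Constructed sample flows (not from the patent).
SAMPLE_FLOWS = (
    Flow(PRODUCTION_CONTROL, MASTER_STATION, (LONGITUDINAL_AUTH,), "telecontrol-ok"),
    Flow(PRODUCTION_CONTROL, MASTER_STATION, (), "telecontrol-plain"),
    Flow(PRODUCTION_CONTROL, INFORMATION_MANAGEMENT, (FORWARD_ISOLATION,), "export-ok"),
    Flow(INFORMATION_MANAGEMENT, PRODUCTION_CONTROL, (FORWARD_ISOLATION,), "wrong-direction"),
    Flow(INFORMATION_MANAGEMENT, MASTER_STATION, (FIREWALL,), "mis-outlet-ok"),
    Flow(INFORMATION_MANAGEMENT, PUBLIC_NETWORK, (FIREWALL,), "internet-link"),
)

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.label:18} {check_flow(f)}")
```

The ordering of the rules matters: the public-network rule is checked first so that a firewall in the path cannot legitimize a link the architecture forbids outright, and the isolation rule keys on direction rather than on the mere presence of an isolation device, which is what makes the transfer one-way in the model.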
5) The body security subsystem of the architecture of the present invention is shown in Fig. 3. As the second security defense line, the body security subsystem carries out system hardening on the network node equipment, and is further characterized by the following steps:
Step 1: the hardware system of the network equipment is designed using secure chips and mainboards;
Step 2: the software system environment of the network equipment is designed using a secure operating system;
Step 3: unsafe ports and services are closed;
Step 4: the complexity and strength of user passwords are enhanced;
Step 5: role-based access control is established for access to the equipment;
Step 6: event recording and auditing are established;
Step 7: encryption authentication control is established for external communication;
6) The behavior security subsystem of the architecture of the present invention is shown in Fig. 4. As the security management and control of network behavior, the behavior security subsystem arranges in the secondary system network two parts, an independent behavior security monitoring device and an equipment verification agent installed on the network node equipment, and is further characterized by the following steps:
Step 1: a mirror port is set up on the key switch of the secondary system network, obtaining all the interaction data passing through the switch;
Step 2: by monitoring the switch communication data, network behavior and network traffic are monitored, and the legitimacy of network equipment and network connections is monitored and analyzed;
Step 3: through the switch mirror port, original messages are collected and stored;
Step 4: associated evidence linking abnormal network behavior to the original on-site messages is established;
Step 5: after a network anomaly is found, an alarm reminder is pushed to the interface immediately;
Step 6: the equipment verification agent in the network node equipment scans in real time for changes in the processes on the equipment and in the access of mobile storage devices, and sends messages to the behavior security monitoring device, which records them and raises alarms;
Step 7: log recording and event auditing;
Step 8: the behavior security monitoring device assesses the network security risk in real time and provides analysis results;
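Steps 1 to 8 describe a monitoring loop: mirrored traffic is checked for legitimacy, every alert keeps the original message as evidence, agent reports from the nodes are folded in, and a risk assessment is produced. The following is an added example written for this page, not code from the patent or its assignees, showing one minimal shape such a loop can take. The record format ("timestamp src dst proto dport", as if already decoded from the mirror port), the commissioning baseline, the host addresses and the risk weights are all assumptions made for the example; the agent's events are represented by a method call rather than by a real transport.

```python
"""Toy behavior security monitoring device plus verification-agent feed (third subsystem).

Added example, not the patent's own code. It parses constructed records as a mirror port
would deliver them, checks each against a baseline of legitimate node-to-node
communication, keeps the original record as evidence with every alert, ingests agent
reports of process and removable-media changes, and accumulates a per-host risk score.
Record format, baseline, addresses and weights are assumptions made for this example.
"""
from collections import defaultdict

# Assumed baseline learned during commissioning: (src, dst, proto, dst_port).
BASELINE = {
    ("10.0.1.11", "10.0.1.1", "tcp", 102),   # protection device -> station gateway
    ("10.0.1.12", "10.0.1.1", "tcp", 102),
    ("10.0.1.1", "10.0.1.11", "tcp", 102),
}
KNOWN_HOSTS = {h for pair in BASELINE for h in pair[:2]}
BASELINE_SERVICES = {(p[2], p[3]) for p in BASELINE}

# Assumed weights for the risk score.
RISK_WEIGHT = {
    "unknown_host": 5,      # a node that was never commissioned
    "unknown_service": 3,   # a known node using a protocol/port never seen before
    "new_pair": 2,          # a known service between nodes that never talked before
    "removable_media": 4,   # agent: mobile storage device attached
    "new_process": 3,       # agent: process list changed
}


def parse_record(line):
    """Parse 'timestamp src dst proto dport' into a dict; raise on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, src, dst, proto, dport = parts
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


class BehaviourMonitor:
    def __init__(self):
        self.alerts = []          # (finding, subject host, original evidence)
        self.risk = defaultdict(int)

    def inspect(self, line):
        """Classify one mirrored record; return the list of findings (empty if legitimate)."""
        rec = parse_record(line)
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        findings = []
        if rec["src"] not in KNOWN_HOSTS or rec["dst"] not in KNOWN_HOSTS:
            findings.append("unknown_host")
        elif key not in BASELINE:
            findings.append("new_pair" if (rec["proto"], rec["dport"]) in BASELINE_SERVICES
                            else "unknown_service")
        for finding in findings:
            self._raise(finding, rec["src"], line)   # original message kept as evidence
        return findings

    def agent_event(self, host, kind, detail):
        """Ingest a report from the verification agent running on a network node."""
        if kind not in RISK_WEIGHT:
            raise ValueError(f"unknown agent event kind: {kind}")
        self._raise(kind, host, f"agent:{host}:{detail}")

    def _raise(self, finding, host, evidence):
        self.alerts.append((finding, host, evidence))
        self.risk[host] += RISK_WEIGHT[finding]

    def risk_report(self):
        """Hosts ordered from highest to lowest accumulated risk."""
        return sorted(self.risk.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample of mirrored records (not from the patent).
SAMPLE_RECORDS = [
    "t1 10.0.1.11 10.0.1.1 tcp 102",      # baseline
    "t2 10.0.1.12 10.0.1.1 tcp 22",       # known node, never-seen service
    "t3 10.0.1.12 10.0.1.11 tcp 102",     # known service, new peer pair
    "t4 10.0.9.200 10.0.1.1 tcp 102",     # uncommissioned node
]


def run_sample():
    """Feed the sample records and one agent event; return the monitor and per-record findings."""
    mon = BehaviourMonitor()
    results = [mon.inspect(line) for line in SAMPLE_RECORDS]
    mon.agent_event("10.0.1.12", "removable_media", "USB mass storage attached")
    return mon, results


if __name__ == "__main__":
    mon, results = run_sample()
    for line, r in zip(SAMPLE_RECORDS, results):
        print(f"{line:32} -> {r or 'ok'}")
    print(mon.risk_report())
```

Two design points carry over to a real deployment of step 4 and step 6: the evidence tuple stores the verbatim record rather than a summary, so an analyst can reproduce the alert from the original message, and the agent's reports share the same alert store and risk score as the network findings, which is what lets a removable-media event on a node and an unusual connection from the same node reinforce each other in the assessment.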
It should be noted that the above only expresses embodiments of the present invention, and although its description is relatively concrete and detailed, this cannot be interpreted as a restriction on the scope of the claims of the present invention. It should be pointed out that, for those of ordinary skill in the art, several variations and improvements can also be made without departing from the inventive concept, and these fall within the protection scope of the present invention. Therefore, the protection scope of the present patent should be defined by the claims.

Claims (3)

1. A three-in-one security protection system architecture for a substation secondary system, comprising a structure security subsystem, a body security subsystem and a behavior security subsystem, characterized in that:
the structure security subsystem builds a first security defense line by arranging an encryption authentication device, a network isolation device and firewall equipment on the network boundary of the secondary system;
the body security subsystem carries out system hardening on the network node equipment, building a second security defense line;
the behavior security subsystem arranges, throughout the whole process of secondary system network communication, a network behavior security monitoring device and a network host equipment verification agent, monitors network communication behavior in real time, assesses security risk, pushes early-warning prompts in real time, and audits the network security of the system, building the security management and control of network behavior;
the first security defense line guards the overall security boundary of the secondary system; after the first security defense line falls, the second security defense line guards the functional security of each network node device; and the dynamic security of the network communication behavior of the whole secondary system is monitored and risk-analyzed in real time by the behavior security subsystem.
2. The three-in-one security protection system architecture for a substation secondary system as described in claim 1, characterized in that the body security subsystem uses a secure hardware system and a secure operating system, closes unsafe port services, enhances the complexity and strength of user passwords, establishes role-based access control, establishes event recording and auditing, and establishes encryption authentication control for external communication; the second security defense line of the security protection realizes the operational security of the network node equipment itself, prevents unauthorized access to and malicious attack on the equipment itself, and ensures the security of the secondary system equipment in functional operation.
3. The three-in-one security protection system architecture for a substation secondary system as described in claim 1, characterized in that the behavior security subsystem, as the security management and control of network behavior in the security protection architecture, comprises two parts, an independently arranged behavior security monitoring device and an equipment verification agent on the network node equipment; the behavior security monitoring device obtains all the communication data exchanged on the secondary system network through a mirror port on the system core switch, monitors network communication behavior in real time, verifies the network behavior of the network node equipment, stores original messages and system logs, assesses security risk, pushes early warnings in real time, and audits the network security of the system; the network behavior security management and control realizes real-time monitoring and analysis of the network behavior of the secondary system, assesses security risk and gives early warning, and ensures the security level of the network interaction of the secondary system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610981634.9A CN106534110B (en) 2016-11-08 2016-11-08 Trinity transformer substation secondary system safety protection system framework system

Publications (2)

Publication Number Publication Date
CN106534110A true CN106534110A (en) 2017-03-22
CN106534110B CN106534110B (en) 2020-07-28

Family

ID=58350005

Country Status (1)

Country Link
CN (1) CN106534110B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107426171A (en) * 2017-06-02 2017-12-01 国家电网公司 The safety protecting method and device of power information Intranet
CN109586409A (en) * 2018-11-28 2019-04-05 广东电网有限责任公司 Automatic dispatching system and automatic dispatching method
CN109639681A (en) * 2018-12-14 2019-04-16 三门核电有限公司 A kind of online core power distribution monitoring system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7907050B1 (en) * 2003-09-30 2011-03-15 Rockwell Automation Technologies, Inc. Power supply communication system and method
CN103269332A (en) * 2013-04-22 2013-08-28 中国南方电网有限责任公司 Safeguard system for power secondary system
CN103473626A (en) * 2013-08-20 2013-12-25 国家电网公司 Security protection method based on integrated dispatching data network operation and maintenance system
CN103532776A (en) * 2013-09-30 2014-01-22 广东电网公司电力调度控制中心 Service flow detection method and system
CN103546488A (en) * 2013-11-05 2014-01-29 上海电机学院 Active security defense system and method of power secondary system
CN105847021A (en) * 2015-01-13 2016-08-10 国家电网公司 Concentrated operation and maintenance safety audit system in intelligent power grid dispatching control system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
潘路: "Design and Implementation of Network Information Security Protection for the Power Secondary System", China Master's Theses Full-text Database, Engineering Science and Technology II, 2015, No. 01 *
焦伟: "Research and Implementation of a Network Security Protection System for Power Dispatching Automation", China Master's Theses Full-text Database, Information Science and Technology, 2015, No. 03 *

Similar Documents

Publication Publication Date Title
Gunduz et al. Cyber-security on smart grid: Threats and potential solutions
Goel et al. Security challenges in smart grid implementation
CN104639624B (en) A kind of method and apparatus for realizing mobile terminal remote access control
CN103269332B (en) Safeguard system for power secondary system
CN108063751A (en) A kind of public network safety access method for new energy power plant
Fan et al. Overview of cyber-security of industrial control system
CN109976239A (en) Industrial control system terminal security guard system
CN103856345B (en) Server account number and password management method and system and server
CN109995796A (en) Industrial control system terminal safety protection method
CN104184735A (en) Electric marketing mobile application safe protection system
CN106911529A (en) Power network industry control safety detecting system based on protocol analysis
CN106992984A (en) A kind of method of the mobile terminal safety access information Intranet based on electric power acquisition net
CN109543301A (en) A kind of network security attacks prototype modeling method based on Industry Control
CN103546488A (en) Active security defense system and method of power secondary system
CN109347847A (en) A kind of smart city security assurance information system
CN106534110A (en) Three-in-one security protection system architecture for substation secondary system
CN107920089A (en) A kind of intelligent network lotus interactive terminal protecting information safety authentication encryption method
Czechowski et al. Cyber security in communication of SCADA systems using IEC 61850
CN106603489A (en) Network security management and control apparatus for transformer substation
Mahboob et al. Intrusion avoidance for SCADA security in industrial plants
Cagalaban et al. Improving SCADA control systems security with software vulnerability analysis
CN105471857A (en) Power grid terminal invalid external connection monitoring blocking method
KR20170093429A (en) Power Control System for Urgent Situation
Zou et al. Research and implementation of intelligent substation information security risk assessment tool
Zhang et al. Design and implementation of IEC61850 communication security protection scheme for smart substation based on bilinear function

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant