CN106911529A - Power network industry control safety detecting system based on protocol analysis - Google Patents

Publication number
CN106911529A
Authority
CN
China
Prior art keywords
network
monitoring
control
dispatching
communication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610438899.4A
Other languages
Chinese (zh)
Inventor
俞海国
马先
徐有蕊
张海宁
苏生平
李楠芳
尚西元
王蔚青
许勇刚
刘忠魁
赵明明
张霞
李华
唐文
郭代飞
潘善民
高峰
李作为
陈忠祥
任风伟
王云峰
王迎鹤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Middle Electricity Runs (beijing) Information Technology Co Ltd
State Grid Qinghai Electric Power Co Ltd
Original Assignee
Middle Electricity Runs (beijing) Information Technology Co Ltd
State Grid Qinghai Electric Power Co Ltd
Application filed by Middle Electricity Runs (beijing) Information Technology Co Ltd, State Grid Qinghai Electric Power Co Ltd filed Critical Middle Electricity Runs (beijing) Information Technology Co Ltd

Classifications

    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L69/22 Parsing or analysis of headers
    • Y02B70/30 Systems integrating technologies related to power network operation and communication or information technologies for improving the carbon footprint of the management of residential or tertiary loads, i.e. smart grids as climate change mitigation technology in the buildings sector, including also the last stages of power distribution and the control, monitoring or operating management systems at local level
    • Y02B90/20 Smart grids as enabling technology in buildings sector
    • Y04S20/20 End-user application control systems
    • Y04S40/124 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment using wired telecommunication networks or data transmission busses
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

A power grid industrial control security monitoring system based on protocol analysis. To address the security threats facing industrial control communication, particularly between the control centre and new energy power stations, a power grid industrial control system threat monitoring system is deployed to monitor and analyse the traffic of the live network, providing assurance for the information security of power grid industrial control. The power grid industrial control system security threat monitoring system, based on deep parsing of protocol messages, is deployed at the control centre and at the new energy power stations. It performs deep parsing and security threat monitoring on 104 protocol and TCP communication traffic, and promptly identifies and records threats including control bypass, integrity violation, authorization violation, message tampering, illegal use, spoofing and masquerading, denial of service, eavesdropping, plaintext communication, malicious code and access control. It thereby provides a complete threat monitoring solution, based on deep protocol parsing, for power grid industrial control systems.

Description

Power network industry control safety detecting system based on protocol analysis
Technical field
The present invention relates to a monitoring system, and in particular to a system for monitoring security threats to power grid industrial control systems.
Background art
Modern industrial infrastructure spans key industries such as electric power, oil and gas, chemicals, water conservancy, manufacturing and traffic control, and forms an important foundation of China's national economy, modern society and national security. Failure of critical applications and systems in industrial infrastructure may cause casualties, serious economic loss, damage to infrastructure and environmental disaster, and may endanger public life and national security. Industrial control systems (ICS) constitute the nervous system of modern industrial infrastructure. Traditionally, industrial control systems were closed networks built on proprietary technology, with no external interconnection, and the information security threats they faced were not prominent. Correspondingly, industrial control devices, applications, systems and communication protocols were all designed mainly for proprietary, closed environments. Because there was no real information security threat, the main criteria in designing, implementing and deploying industrial automation control systems were availability, functionality, performance, (physical) safety and real-time behaviour, and issues such as network attacks and information security needed little consideration.
In recent decades, industrial control systems have been moving rapidly from closed, isolated systems towards open, interconnected ones (including interconnection with traditional IT systems). They increasingly use Ethernet/IP/TCP networks as their communications infrastructure and migrate industrial control protocols to the application layer of the TCP/IP protocol stack; use various wireless networks, including IWLAN and GPRS; and make wide use of standard commercial operating systems such as Windows, along with standard equipment, software, middleware and other general-purpose technologies. Typical industrial automation control systems, including SCADA (Supervisory Control And Data Acquisition), DCS (Distributed Control System) and PLC (Programmable Logic Controller), are becoming increasingly open, general-purpose and standardized.
While enjoying the progress, efficiency and benefits that open, interconnected technology brings, industrial control systems also face increasingly serious security threats. Because security requirements were long not a driver, the security threats that are widespread in network environments (using general-purpose technologies such as TCP/IP) were not fully recognized, and existing industrial control systems were designed and developed with almost no consideration of information security. They cannot resist security threats such as hacker attacks, malicious code infection and APT (Advanced Persistent Threat) attacks. In addition, deployment and operation lack the necessary security awareness, management, processes, policies and specialist technical support, so many industrial control systems have security problems of one kind or another which, once triggered unintentionally or exploited maliciously, will cause serious security incidents.
As the ICS with the highest level of automation and networking, the power grid industrial control system has in recent years received great attention for its security from both academic research and industry.
In 2005, John Robert Hughes, in his patent "Rule Based Extensible Authentication" (US8418233B1), proposed a method that uses rule-based deep message parsing to extract credentials, which are then used to manage access to resources. In that invention, a network device is deployed between the client device and the server device. When the client device sends a message requesting a resource, the network device intercepts the request, performs multi-level deep message parsing on it, and extracts the credentials in the request. The network device then uses the credentials to decide whether the request may access the requested resource. In one embodiment, the network device can receive rules from another device, and the rules direct the network device to request other credentials. Although that invention uses DPI for access control, its purpose is to perform security functions in place of the server device, so as to reduce the non-business load on the server device. Moreover, the invention applies only to scenarios in which the client device's request contains security credentials (for example, when SSL or TLS communication is used).
In 2006, Z. Ke Ersitu Ritchies of Alcatel, in the patent "System and method for prioritizing traffic through an Internet access network" (CN101005454A), proposed a method "for ensuring that specific traffic flows are adequately prioritized in a public packet communication network even when the network is heavily congested. A QoS capability for each flow is added to a VPN tunnel. Connection requests are routed to a designated VPN gateway through a specific port in the access provider's network. Deep packet inspection is performed on the traffic through that port in order to determine whether a connection request is accepted. If the connection request is accepted, then when the service traffic related to the session passes through the packet access network, it is given a priority of a specific QoS level." That invention uses deep packet inspection to recognise the characteristics of access packets in order to determine the QoS priority of the service traffic; it does not involve identification, authentication or authorization of service access.
In 2008, Xiong Guilan et al. of Wuhan-Hong Xu information technology limited liability company proposed the patent "An Internet application identification method based on dynamic deep packet inspection", whose purpose is to identify and control access for harmful traffic such as P2P. In addition to applying access control to services with traditional ACL technology, that invention uses DPI technology to analyse and collect statistics on the volume and signature strings of service traffic, and thereby dynamically identifies harmful services.
In 2010, Eun Joo KIM et al., in the patent "System and Method for Providing Seamless On-Demand Application Service Using DPI in Communication Networks" (US20110145902A1), proposed a system that provides on-demand services: a switch device identifies the signature of the media and, according to the signature, the resolution of the user equipment and so on, changes the resolution of the media, or authenticates the terminal or user as required by an authentication management server. That invention concerns on-demand quality-of-service management for network media, and DPI is used only to identify the signature, resolution and similar attributes of media network traffic.
In 2011, Gaash Hazan, in the patent "System and Methods Thereof For Detection of Content Servers, Caching Popular Content Therein, and Providing Support for Proper Authentication" (US20130212708A1), proposed a method in which content provided by a content source is stored in a device located between the content source and the content users, allowing the content to be delivered to other content users from that device and thereby reducing the load on the whole network. To protect the content, the device recognises when authentication is needed and provides a random token to the target content user, while storing the token and its related parameters so that the content user can be verified later.
In 2014, Eric Byres et al., in their article "Securing EtherNet/IP Control Systems using Deep Packet Inspection Firewall Technology", described how DPI technology can be used to inspect and filter EtherNet/IP protocol messages.
In summary, the prior art mostly uses DPI technology to parse the content of network messages and then applies the result directly to fields such as QoS, service identification, content management and packet filtering. None of it addresses the use of DPI for monitoring security threats to power grid industrial control systems.
Summary of the invention
Object of the invention: to address the industrial control security threats facing power grid industrial control systems, particularly in communication between the control centre and new energy power stations, a power grid industrial control system threat monitoring system is deployed to monitor and analyse the traffic of the live network, providing assurance for the information security of power grid industrial control. The power grid industrial control system security threat monitoring system, based on deep parsing of protocol messages, is deployed at the control centre and at the new energy power stations. It performs deep parsing and security threat monitoring on 104 protocol and TCP communication traffic, and promptly identifies and records threats including control bypass, integrity violation, authorization violation, message tampering, illegal use, spoofing and masquerading, denial of service, eavesdropping, plaintext communication, malicious code and access control, thereby providing a complete threat monitoring solution, based on deep protocol parsing, for power grid industrial control systems.
The present invention is realised as follows. A power grid industrial control security monitoring system based on protocol analysis uses a distributed deployment architecture and consists of a monitoring master station and field monitoring devices. The monitoring master station is deployed in the power grid dispatching control centre, which generally also includes equipment such as engineer stations, human-machine interfaces, operator stations and servers connected together by industrial Ethernet. A photovoltaic plant generally includes human-machine interfaces, operator stations, measuring instruments, telecontrol devices and the like, connected together by industrial Ethernet. The field monitoring devices are deployed in the power grid dispatching control centre, in each photovoltaic plant, and on the communication link between the two. The specific deployment of the field monitoring devices is as follows:
① Port mirroring is configured on the core network switch or router of the power grid dispatching control centre, so that the communication traffic in the industrial Ethernet is mirrored to an idle network port; field monitoring device I is then connected to that network port, so that the network communication traffic of the power grid dispatching control centre can be monitored.
② Port mirroring is configured on the core network switch or router of the photovoltaic plant, so that the communication traffic in the industrial Ethernet is mirrored to an idle network port; field monitoring device II is then connected to that network port, so that the network communication traffic of the photovoltaic plant can be monitored.
③ Port mirroring is configured on the network switch or router between the longitudinal encryption device of the power grid dispatching control centre and the longitudinal encryption device of the photovoltaic plant, so that the communication traffic in the industrial Ethernet is mirrored to an idle network port; field monitoring device III is then connected to that network port, so that the communication traffic between the power grid dispatching centre and the photovoltaic plant can be monitored.
The field monitoring devices deployed in the power grid dispatching control centre, in each photovoltaic plant, and on the communication links between them collect all network communication traffic on their local networks and send it to the monitoring master station. The monitoring master station aggregates the network traffic from the field monitoring devices, parses it and saves it to a database, and analyses it according to a predefined security policy; if communication behaviour that violates the security policy is found, an alert is raised in the Web-based data presentation layer. The monitoring master station can also provide functions such as situation display and statistical reports for the monitored traffic. The link between the power grid dispatching control centre and the photovoltaic plant is divided into two, one for real-time services and one for non-real-time services; both are connected to the corresponding services of the photovoltaic plant through the longitudinal encryption devices.
Technical effects compared with the prior art: the power grid industrial control security monitoring system based on protocol analysis of the present invention carries out demonstration deployment and effect analysis research, focused mainly on application analysis, security threat analysis and detection technology for industrial control smart devices, and solves the following problems:
1. It solves the problem of security detection for industrial control smart devices. Security detection technology for industrial control smart devices was studied, the risks they face were detected and verified, and a power grid industrial control system threat monitoring system was developed that can detect industrial control smart devices from system security through to service security.
2. It solves the problem of monitoring and analysing security threats to the smart devices of power grid industrial control systems. The power grid industrial control system is an important component of power information systems, and security threat analysis of the power grid cannot be separated from the security threats to industrial control smart devices: which security threats these smart devices face, and what harm those threats can cause. This project uses security monitoring and analysis methods suited to the characteristics of the equipment to monitor and analyse the security of industrial control smart devices and, in combination with actual equipment, has carried out live-network deployment and monitoring verification, including monitoring and analysis of important security threats such as asset identification and illegal messages.
3. The security monitoring results for industrial control smart devices are analysed in depth and combined with protocol-based deep analysis, providing valuable experience for further security handling and protection. Later, with reference to relevant standards, a system security protection scheme can be proposed, and the security of the power grid industrial control system can be built using the corresponding security protection technologies.
4. It clarifies the approach for future research on information security monitoring technology for power grid smart devices. Through the research on the demonstration application, an overall understanding has been gained of the technical characteristics of, and security threats to, industrial control smart devices, together with a general approach to their security detection and protection methods.
Brief description of the drawings
Fig. 1 is a diagram of the distributed deployment architecture of the power grid industrial control system security threat monitoring system of the present invention.
Fig. 2 is a schematic diagram of the network architecture of the application scenario of the invention, namely the power dispatching control centre and the photovoltaic power station.
Fig. 3 is a schematic diagram of the functional architecture of the power grid industrial control system security threat monitoring system of the present invention, based on deep protocol parsing.
Specific embodiments
Power grid industrial control smart devices are an important component of the power grid industrial control system, and their security directly affects the security of the whole power information system. Only by effectively analysing and monitoring the security threats to industrial control smart devices, and carrying out the corresponding security handling and protection in time, can the security of the power information system be assured.
As Fig. 1 (the distributed deployment architecture diagram of the power grid industrial control system security threat monitoring system of the present invention) shows, a power grid industrial control system security threat monitoring system based on deep protocol parsing uses a distributed deployment architecture and consists of a monitoring master station and field monitoring devices.
The monitoring master station 5 is deployed in the power grid dispatching control centre 8. It receives and aggregates the data from the field monitoring devices 6, 10, 12, and provides data presentation, monitoring service implementation, data analysis, aggregation and storage, and system management functions; its functional architecture is shown in Fig. 3 (the functional architecture diagram of the power grid industrial control system security threat monitoring system of the present invention, based on deep protocol parsing). The threat monitoring system is based mainly on the collection and inspection of power grid industrial control traffic, and on security threat analysis, using deep protocol parsing. Security threat monitoring needs to be combined with analysis of the power grid's boundaries. The boundaries of a new energy photovoltaic station include the user boundary protection and the power plant boundary; the security threats of main concern are those at the boundary between the regulation and control system and the industrial control system of the photovoltaic plant 11.
The power grid industrial control system is made up of elements such as equipment, system platforms, business software and networks, each of which has weaknesses that can be attacked; as new means of attack keep emerging, the threats it faces are increasingly severe. Security threat monitoring is aimed mainly at monitoring and analysing threats arising from the security problems of the smart terminals of the electricity consumption acquisition system and of distribution automation terminals; it systematically monitors the threats they face and the vulnerabilities they have, and identifies security incidents in time.
The power grid dispatching control centre 8 generally also includes equipment such as the engineer station 1, human-machine interface 2, operator station 3 and server 4, connected together by the industrial Ethernet 7. The photovoltaic plant 11 generally includes the human-machine interface 2, operator station 3, measuring instruments 12, telecontrol device 14 and the like, connected together by the industrial Ethernet 7. The field monitoring devices 6, 10, 12, at the two sites and on the communication link between them, are deployed as follows:
● Port mirroring is configured on the core network switch or router 15 of the power grid dispatching control centre 8, so that the communication traffic in the industrial Ethernet 7 is mirrored to an idle network port; field monitoring device I 6 is then connected to that network port, so that the network communication traffic of the power grid dispatching control centre 8 can be monitored.
● Port mirroring is configured on the core network switch or router 15 of the photovoltaic plant 11, so that the communication traffic in the industrial Ethernet 7 is mirrored to an idle network port; field monitoring device II 12 is then connected to that network port, so that the network communication traffic of the photovoltaic plant 11 can be monitored.
● Port mirroring is configured on the network switch or router 16 between the longitudinal encryption device 9 of the power grid dispatching control centre 8 and the longitudinal encryption device 9 of the photovoltaic plant 11, so that the communication traffic in the industrial Ethernet 7 is mirrored to an idle network port; field monitoring device III 10 is then connected to that network port, so that the communication traffic between the power grid dispatching centre 8 and the photovoltaic plant 11 can be monitored.
The field monitoring devices 6, 10, 12 deployed in the power grid dispatching control center 8, in each photovoltaic plant 11 and on the communication links between them collect all network communication traffic on their local networks and send it to the monitoring master station 5.
The monitoring master station 5 aggregates the network traffic from each field monitoring device 6, 10, 12, parses it and saves it to a database, and analyzes it against the predefined security policies. If communication behavior that violates a security policy is found, an alert is raised in the Web-based data presentation layer. The monitoring master station 5 can also provide functions such as traffic situation display and statistical reports for the monitored traffic.
The application scenario of the invention is shown in Figure 2, a schematic diagram of the network architecture of the power dispatching control center and the photovoltaic power station. As the figure shows, the line between the power grid dispatching control center 8 and the photovoltaic plant 11 is divided into two: one for real-time services and one for non-real-time services. Both services are connected to the corresponding services of the photovoltaic plant 11 through the longitudinal encryption devices 9. (Bypass monitoring)
The integrated substation automation monitoring system takes the secondary equipment of the substation (including measuring instruments 13, signal systems, relay protection, automatic devices and telecontrol devices) and, through functional combination and optimized design, uses advanced computer technology, modern electronics, communication technology and signal processing technology to provide automatic monitoring, measurement, automatic control and microcomputer-based protection of the main equipment and the transmission and distribution lines of the whole substation, together with integrated automation functions such as communication with dispatching.
Because the security protection system of new energy power stations has weak links, it is vulnerable to penetration attacks from outside through the new energy power station's industrial control system. Threats at the security boundary between the regulation and control system and the new energy power station include:
● Sending illegal control commands;
● Unauthorized modification of system configuration, programs, control commands and sensitive data;
● Unauthorized operations carried out using an authorized identity or authorized equipment;
● Interception of, or tampering with, commands, parameters and sensitive data in transit;
● Intrusion under a disguised identity;
● Sending large amounts of avalanche data, paralyzing the network or system;
● Eavesdropping on sensitive information transmitted in plaintext.
Therefore, the present invention addresses the industrial control security threats facing communication between power grid industrial control systems, in particular between the control center and new energy power stations, by deploying a power grid industrial control system threat monitoring system that monitors and analyzes traffic on the existing network, providing assurance for power grid industrial control information security.
The power grid industrial control system security threat monitoring system is a comprehensive security risk monitoring system. To ensure a successful demonstration application at the boundary between the dispatching control system and the new energy power station industrial control system, attention must be paid to the specific characteristics of the security risks of the new energy power station industrial control system and of the power grid dispatching control system.
The power grid industrial control system security threat monitoring system of the present invention is based on a distributed deployment architecture and consists of the monitoring system master station and the monitoring devices, that is, the field monitoring devices 6, 10, 12. The security threat monitoring system provides functions such as operation monitoring, anomaly monitoring, operation management and distribution analysis. Through data acquisition, scanning and analysis, it filters instructions that have been illegally or maliciously tampered with and sends alert information.
The power grid industrial control system security threat monitoring system must be able to monitor the main security risks of the new energy power station industrial control system and the power grid dispatching control system. It provides monitoring capability for the main security risks of new energy power stations and the necessary early-warning capability.
The power grid industrial control system security threat monitoring system should provide an automatic asset identification function at the new energy power station (the station end) and the regulation and control system (the control end), and implement the following monitoring functions:
1. Bypass control monitoring. Detects an intruder sending illegal control commands to the station or the regulation and control system.
(1) Based on automatic asset identification, the IP addresses of the legitimate hosts at the station end or the regulation and control center are added to the threat monitoring platform.
(2) A rogue attacking host is connected to the station or the regulation and control center and uses IEC 103 protocol messages to send illegal control instructions to other hosts at the station or the regulation and control center.
(3) While monitoring the network traffic at the station end, the threat monitoring platform finds an IP address outside the whitelist sending 103 protocol messages. It records a security log entry and raises an alert on the interface.
2. Integrity violation monitoring. Detects operations such as unauthorized modification of station or regulation and control system configuration, programs and sensitive data.
(1) The threat monitoring system supports deep parsing of IEC 60870-5-103 protocol communication. On this basis, the user can configure the IEC 103 protocol device addresses (ranges) that are allowed or not allowed to be accessed.
(2) At the station end or the regulation and control center, an attacker who has hijacked a host uses 104 protocol messages to send data commands to the regulation and control system, accessing device addresses that the integrity security policy does not permit.
(3) While monitoring the network traffic at the station end, the threat monitoring platform finds a host using IEC 103 protocol messages to access a device address that the integrity security policy does not permit. It records a security log entry and raises an alert on the interface.
3. Authorization violation monitoring. Detects unauthorized operations at the station end and the regulation and control center.
(1) The threat monitoring platform supports deep parsing of IEC 60870-5-103 protocol communication. On this basis, the user can define corresponding authorization policies, placing the sensitive messages of the 103 protocol in a blacklist.
(2) An attacker who has hijacked a host at the station end or the regulation and control center violates the authorization policy by using disallowed sensitive 103 protocol messages to communicate with other hosts.
(3) While monitoring the network traffic of the station, the threat monitoring platform finds that the host has violated the predefined communication authorization policy and carried out unauthorized communication (including sending 103 protocol messages). It records a security log entry and raises an alert on the interface.
4. Message tampering monitoring. Detects interception of, or tampering with, messages transmitted within the station and between the station end and the control end.
(1) A validity checking module for IEC 60870-5-103 protocol messages is developed in the threat monitoring platform. It can check the format of every type of message in the 103 protocol for validity. On this basis, the user can enable, as needed, checks of the different fields and structures of different 103 protocol messages.
(2) An attacker who has hijacked a host at the station end or the regulation and control center violates the 103 protocol specification by sending tampered, malformed 103 protocol messages within the station or the regulation and control center. The tampered parts specifically include:
● Key function fields;
● Length fields;
● The range (threshold) of signal values, etc.
(3) While monitoring the network traffic of the station end or the regulation and control center, the threat monitoring platform finds that the host has violated the 103 protocol by sending tampered, malformed 103 protocol messages. Once a match succeeds, it records a security log entry and raises an alert on the interface.
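The checks described in monitoring functions 1 to 4 can be combined in one passive inspector over captured messages. The following Python code is an added example, not code from the patent: it assumes each 103 message is available as one complete FT1.2 link frame together with the sender's IP address, and the host whitelist, permitted address range and blacklisted ASDU type are constructed policy values. It covers the length and function-code fields; the signal-value range check is not included.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy values (assumptions for illustration, not from the patent).
HOST_WHITELIST = {"10.0.1.10", "10.0.1.11"}  # function 1: legitimate hosts
ALLOWED_DEVICE_ADDRS = set(range(1, 33))     # function 2: permitted device addresses
BLACKLISTED_ASDU_TYPES = {20}                # function 3: ASDU type 20, general command

# Link function codes (low 4 bits of the control field) used by IEC 60870-5-103.
CONTROL_DIR_FC = {0, 3, 4, 7, 9, 10, 11}     # PRM bit set: master to device
MONITOR_DIR_FC = {0, 1, 8, 9, 11}            # PRM bit clear: device to master


@dataclass
class Frame:
    kind: str          # "single", "fixed" or "variable"
    control: int = 0
    address: int = 0
    asdu: bytes = b""


def checksum(body: bytes) -> int:
    """FT1.2 checksum: arithmetic sum of the user data octets, modulo 256."""
    return sum(body) & 0xFF


def build_variable(control: int, address: int, asdu: bytes) -> bytes:
    """Build a well-formed variable-length frame (used only for sample data)."""
    body = bytes([control, address]) + asdu
    return bytes([0x68, len(body), len(body), 0x68]) + body + bytes([checksum(body), 0x16])


def parse_ft12(raw: bytes) -> Tuple[Optional[Frame], List[str]]:
    """Parse one FT1.2 frame. Returns (frame, errors); frame is None if unusable."""
    errs: List[str] = []
    if raw == b"\xE5":                               # single-character acknowledgement
        return Frame("single"), errs
    if len(raw) == 5 and raw[0] == 0x10:             # fixed length: 10 C A CS 16
        frame = Frame("fixed", raw[1], raw[2])
        body = raw[1:3]
    elif len(raw) >= 6 and raw[0] == 0x68:           # variable: 68 L L 68 C A ASDU CS 16
        if raw[3] != 0x68:
            return None, ["second start byte missing"]
        if raw[1] != raw[2]:
            return None, ["length fields differ"]
        if raw[1] < 2 or len(raw) != raw[1] + 6:
            return None, [f"length field {raw[1]} does not match frame size {len(raw)}"]
        body = raw[4:-2]
        frame = Frame("variable", body[0], body[1], body[2:])
    else:
        return None, ["unknown start byte or truncated frame"]
    if raw[-1] != 0x16:
        errs.append("bad end byte")
    if checksum(body) != raw[-2]:
        errs.append("bad checksum")
    fc = frame.control & 0x0F
    valid = CONTROL_DIR_FC if frame.control & 0x40 else MONITOR_DIR_FC
    if fc not in valid:
        errs.append(f"function code {fc} not valid in this direction")
    return frame, errs


def inspect(src_ip: str, raw: bytes) -> List[str]:
    """Apply the whitelist, format, address and blacklist checks to one message."""
    alerts: List[str] = []
    if src_ip not in HOST_WHITELIST:
        alerts.append("bypass-control: 103 message from host outside whitelist")
    frame, errs = parse_ft12(raw)
    alerts += [f"malformed: {e}" for e in errs]
    if frame is None or frame.kind == "single":
        return alerts
    if frame.address not in ALLOWED_DEVICE_ADDRS:
        alerts.append(f"integrity: device address {frame.address} not permitted")
    if frame.asdu and frame.asdu[0] in BLACKLISTED_ASDU_TYPES:
        alerts.append(f"authorization: blacklisted ASDU type {frame.asdu[0]}")
    return alerts


# Constructed sample ASDUs: TYP, VSQ, COT, common address, FUN, INF, data.
GI_ASDU = bytes([0x07, 0x81, 0x09, 0x01, 0xFF, 0x00, 0x01])         # general interrogation
CMD_ASDU = bytes([0x14, 0x81, 0x14, 0x01, 0x80, 0x10, 0x02, 0x01])  # general command
GI_FRAME = build_variable(0x73, 0x01, GI_ASDU)    # control 0x73: PRM, FCB, FCV, code 3
CMD_FRAME = build_variable(0x73, 0x01, CMD_ASDU)

if __name__ == "__main__":
    for ip, frame in [("10.0.1.10", GI_FRAME), ("10.0.1.99", CMD_FRAME)]:
        print(ip, frame.hex(), inspect(ip, frame))
```

A frame whose two length octets disagree, or whose length does not match its size, is rejected before the address and ASDU checks run, because none of its remaining fields can be trusted.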
5. Illegal use monitoring. Detects unauthorized operation of systems or equipment at the station end and the regulation and control center.
(1) In the threat monitoring platform, the communications (TCP communications) that each host at the station end and the regulation and control center end is allowed to perform are configured as the authorization policy;
(2) An attacker who has hijacked a host at the station end or the regulation and control center violates the communication authorization by using a disallowed protocol (TCP communication) to communicate with other hosts.
(3) While monitoring the network traffic of the station end, the threat monitoring platform finds that the host has violated the predefined communication authorization policy and carried out unauthorized communication. It records a security log entry and raises an alert on the interface.
6. Spoofing and masquerading monitoring. Detects service spoofing attacks at the station end and the regulation and control center.
(1) Based on automatic asset identification, the IP address and MAC address of each host at the station end and the regulation and control center, and the network services it is allowed to access, are pre-configured in the threat monitoring platform as the access control policy;
(2) An attacker on a host at the station end or the regulation and control center uses IP source spoofing to impersonate the IP of another (legitimate) host and access specified network services.
(3) While monitoring the network traffic of the station end, the threat monitoring platform uses the IP address, the MAC address and the services bound to them as allowed to identify that the host has violated the predefined access control policy and carried out a service spoofing attack. It records a security log entry and raises an alert on the interface.
7. Denial-of-service monitoring. Detects large volumes of avalanche data at the station end and the regulation and control center.
(1) ARP flood and TCP flood attack monitoring policies for the station end and the regulation and control center are configured in the threat monitoring platform;
(2) An attacker launches an ARP flood attack or a TCP flood attack in the A/B network of the station end or at the regulation and control center.
(3) While monitoring the network traffic of the station end, the threat monitoring platform finds that an ARP flood attack or a TCP flood attack has occurred in the network. It records a security log entry and raises an alert on the interface.
8. Eavesdropping monitoring. Detects eavesdropping on messages transmitted within the station and between the station end and the control end.
(1) Based on automatic asset identification, the MAC address of each host at the station end and the regulation and control center is pre-configured in the threat monitoring platform as the access control policy;
(2) An attacker connects an eavesdropping host at the station end or the regulation and control center. Even without a configured IP address, the host can eavesdrop on communication traffic using software such as Wireshark.
(3) While monitoring the network traffic of the station end and the regulation and control center, or when ARP broadcast messages are sent, the threat monitoring platform finds a MAC address outside the access control list, which gives grounds to suspect that a device has been connected to eavesdrop on communication traffic (transmitted messages). It records a security log entry and raises an alert on the interface.
9. Plaintext monitoring. Detects whether messages transmitted within the station and between the station end and the control end are encrypted.
(1) A network probe is deployed between the encryption devices of the station end and the regulation and control center.
(2) In the threat monitoring platform, the network probe is configured to check whether communication between the station end and the regulation and control center is encrypted;
(3) A device at the station end bypasses the encryption device and sends plaintext communication messages to the regulation and control center.
(4) After the network probe detects the plaintext communication, it reports to the threat monitoring platform, which records a security log entry and raises an alert on the interface.
10. Malicious code monitoring. Detects malicious code in messages transmitted within the station and between the station end and the control end.
(1) The threat monitoring platform supports identification of various industrial-control-related malicious code (viruses targeting Linux). On this basis, the user can configure corresponding malicious code monitoring policies in the threat monitoring platform.
(2) When a host at the station end or the regulation and control center has been infected with malicious code, the malicious code may attempt to infect other hosts through network communication (transmitted messages).
(3) While monitoring the network traffic of the station end and the regulation and control center, the threat monitoring platform finds network traffic in which malicious code is propagating. It records a security log entry and raises an alert on the interface.
11. Access monitoring. Detects the connection of unauthorized devices at the regulation and control center and the station end.
(1) Based on automatic asset discovery, the IP addresses of the legitimate hosts at the station end and the regulation and control center are added to the host whitelist of the threat monitoring platform.
(2) An unauthorized device is configured with an IP address in the corresponding address range and connected to the station end.
(3) While monitoring the network traffic of the station end and the regulation and control center, the threat monitoring platform finds an IP address outside the whitelist sending and receiving communication messages. It records a security log entry and raises an alert on the interface.
(4) Based on historical data mining and analysis, security trend analysis can be carried out for all new energy power station industrial control systems and dispatching control systems.
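Monitoring functions 5, 6, 8 and 11 all compare observed traffic against the asset inventory built by automatic asset identification. The following Python code is an added example, not code from the patent: the inventory, addresses, port numbers and rule names are constructed, and each observation is assumed to be a connection initiation or ARP frame seen on a mirror port.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

Service = Tuple[str, str, int]       # (dst_ip, proto, dst_port)
Alert = Tuple[str, str, str, str]    # (rule, src_mac, src_ip, detail)


class Obs(NamedTuple):
    """One observation from mirrored traffic (connection initiation or ARP frame)."""
    src_mac: str
    src_ip: str      # "" when the frame carries no sender IP, e.g. an ARP probe
    dst_ip: str
    proto: str       # "tcp", "udp" or "arp"
    dst_port: int    # 0 when not applicable


@dataclass(frozen=True)
class Asset:
    ip: str                          # IP address bound to this MAC
    services: FrozenSet[Service]     # connections this host may initiate


# Constructed inventory: MAC address -> bound IP and authorized services.
INVENTORY: Dict[str, Asset] = {
    "00:11:22:00:00:01": Asset("10.0.1.10", frozenset({("10.0.1.20", "tcp", 2404)})),
    "00:11:22:00:00:02": Asset("10.0.1.11", frozenset({("10.0.1.20", "tcp", 2404)})),
    "00:11:22:00:00:20": Asset("10.0.1.20", frozenset()),
}


def evaluate(observations: List[Obs], inventory: Dict[str, Asset]) -> List[Alert]:
    """Return one alert per distinct violation, in order of first appearance."""
    ip_owner = {asset.ip: mac for mac, asset in inventory.items()}
    seen = set()
    alerts: List[Alert] = []

    def alert(rule: str, o: Obs, detail: str) -> None:
        key = (rule, o.src_mac, o.src_ip, detail)
        if key not in seen:          # report repeated traffic only once
            seen.add(key)
            alerts.append(key)

    for o in observations:
        asset = inventory.get(o.src_mac)
        if asset is None:
            # Function 8: a MAC outside the access control list is on the wire.
            alert("unknown-mac", o, "MAC not in asset inventory")
            if o.src_ip in ip_owner:
                # Function 6: an unlisted device is using a legitimate host's IP.
                alert("spoofing", o, f"IP is bound to {ip_owner[o.src_ip]}")
            elif o.src_ip:
                # Function 11: an IP outside the host whitelist is communicating.
                alert("unauthorized-access", o, "IP outside host whitelist")
            continue
        if o.src_ip and o.src_ip != asset.ip:
            # Function 6: a known host is sending with another source IP.
            alert("spoofing", o, f"MAC is bound to {asset.ip}")
            continue
        if o.proto != "arp" and (o.dst_ip, o.proto, o.dst_port) not in asset.services:
            # Function 5: a known host initiates a communication it is not authorized for.
            alert("illegal-use", o, f"{o.proto}/{o.dst_port} to {o.dst_ip} not authorized")
    return alerts


# Constructed observations.
SAMPLE = [
    Obs("00:11:22:00:00:01", "10.0.1.10", "10.0.1.20", "tcp", 2404),  # permitted
    Obs("00:11:22:00:00:01", "10.0.1.10", "10.0.1.11", "tcp", 22),    # service not authorized
    Obs("00:11:22:00:00:01", "10.0.1.10", "10.0.1.11", "tcp", 22),    # repeat, reported once
    Obs("00:11:22:00:00:02", "10.0.1.10", "10.0.1.20", "tcp", 2404),  # host 2 using host 1's IP
    Obs("66:77:88:00:00:aa", "", "", "arp", 0),                       # silent device, no IP
    Obs("66:77:88:00:00:bb", "10.0.1.77", "10.0.1.20", "tcp", 2404),  # unlisted device with IP
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE, INVENTORY):
        print(a)
```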

Claims (4)

1. A power grid industrial control security monitoring system based on protocol analysis, characterized in that: the power grid industrial control system security threat monitoring system based on deep protocol parsing is based on a distributed deployment architecture and consists of a monitoring system master station and field monitoring devices; the monitoring master station is deployed in the power grid dispatching control center; in the power grid dispatching control center, the engineer station, human-machine interface, operator station and server equipment are connected by industrial Ethernet; in the photovoltaic plant, the human-machine interface, operator station, measuring instruments and telecontrol device are connected by industrial Ethernet.
2. The monitoring system as claimed in claim 1, characterized in that: the field monitoring devices on the communication link between the power grid dispatching control center and the photovoltaic plant are deployed as follows:
① Port mirroring is configured on the key network switch or router of the power grid dispatching control center, so that the communication traffic in the industrial Ethernet is mirrored to an idle network port; field monitoring device I is then connected to that port and can monitor the network traffic of the power grid dispatching control center;
② Port mirroring is configured on the key network switch or router of the photovoltaic plant, so that the communication traffic in the industrial Ethernet is mirrored to an idle network port; field monitoring device II is then connected to that port and can monitor the network traffic of the photovoltaic plant;
③ Port mirroring is configured on the network switch or router between the longitudinal encryption device of the power grid dispatching control center and the longitudinal encryption device of the photovoltaic plant, so that the communication traffic in the industrial Ethernet is mirrored to an idle network port; field monitoring device III is then connected to that port and can monitor the communication traffic between the power grid dispatching center and the photovoltaic plant.
3. The monitoring system as claimed in claim 1 or 2, characterized in that: the field monitoring devices deployed in the power grid dispatching control center, in each photovoltaic plant and on the communication links between them collect all network communication traffic on their local networks and send it to the monitoring master station; the monitoring master station aggregates the network traffic from each field monitoring device, parses it and saves it to a database, and analyzes it against the predefined security policies; if communication behavior that violates a security policy is found, an alert is raised in the Web-based data presentation layer.
4. The monitoring system as claimed in claim 1 or 2, characterized in that: the line between the power grid dispatching control center and the photovoltaic plant is divided into two, real-time services and non-real-time services; both services are connected to the corresponding services of the photovoltaic plant through the longitudinal encryption devices.
CN201610438899.4A 2015-12-22 2016-06-20 Power network industry control safety detecting system based on protocol analysis Pending CN106911529A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201521071538 2015-12-22
CN2015210715388 2015-12-22

Publications (1)

Publication Number Publication Date
CN106911529A true CN106911529A (en) 2017-06-30

Family

ID=59206223

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610438899.4A Pending CN106911529A (en) 2015-12-22 2016-06-20 Power network industry control safety detecting system based on protocol analysis

Country Status (1)

Country Link
CN (1) CN106911529A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170630

WD01 Invention patent application deemed withdrawn after publication