CN106982235B - IEC 61850-based electric power industry control network intrusion detection method and system - Google Patents

Abstract

The invention discloses an IEC 61850-based power industry control network intrusion detection method and system, which comprises access control detection, protocol white list detection, model-based detection and multi-parameter-based detection. Among other things, access control detection may prevent malware activity and attacks attempting to communicate with the control server, especially during the initial infection phase; detecting abnormal protocol flow in a substation control layer and a process layer network of the transformer substation and giving an alarm by protocol white list detection; the abnormal behavior detection method based on the model has the potential of discovering malicious attacks or unintentional abnormalities in a station control layer and a process layer network; multi-parameter based detection identifies possible threats to industrial control systems due to internal inadvertent misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation. The invention is verified on a network physical test platform simulating an actual 500kV intelligent substation, and the instantaneity and the usability of the intrusion detection method are verified.

Description

IEC 61850-based electric power industry control network intrusion detection method and system

Technical Field

The invention belongs to the technical field of industrial control system network information safety, and particularly relates to an IEC 61850-based electric power industrial control network intrusion detection method and system.

Background

The industrial control system is a computer-based production process control and scheduling automation system, can monitor and control on-site operating equipment, and plays an important role in industrial control systems of key infrastructures such as power, petroleum, chemical engineering and the like. As the complexity and interconnectivity of industrial control systems continues to increase, the likelihood of malicious cyber attacks also increases substantially. Industrial control networks that follow conventional communication protocols often fail to address network security threats at the beginning of design. The evolving industrial control system may be viewed as a key target of attack by a malicious attacker or an insider employee who is not satisfied with mind, and illegal access and control are achieved by using system vulnerabilities without authorization. Such intrusion may be a simple or advanced persistent attack and may compromise the safe and stable operation of the industrial control system. The industrial industry and the academic community at home and abroad attach more importance to and pay more attention to the network safety problem of the electric power industrial control system, and the network information safety problem of the electric power industrial control system becomes an engineering practical problem related to the safe, reliable and stable operation of the electric power system.

With the emergence of new information security threats, existing methods for general IT security cannot be completely compatible with an operation scene of an electric power engineering system based on the IEC61850 standard. For example, conventional IT security devices such as firewalls, Intrusion Detection Systems (IDS) are generally application-layer data that cannot account for such communications. While the IEC 62351 standard defines a framework for network security provisions based on the IEC61850 protocol, manufacturers generally do not implement proper protection for their Intelligent Electronic Devices (IEDs). Under the condition that the response speed of manufacturers is slow, how a power grid company deals with security vulnerabilities so that the security vulnerabilities can be detected and relieved, becomes a problem to be solved urgently. However, the current intrusion detection methods have not been able to solve such problems.

The currently released intrusion detection methods for power engineering systems are mainly directed to DNP3, EtherNet/IP and Modbus TCP protocols, and these Snort detection rules can identify unauthorized requests, incorrectly formatted protocol requests and responses, less used and dangerous commands, and other possible attack situations. But the research of the IEC 61850-based electric power industrial control network intrusion detection system is still in the early stage. The IEC61850 transmission protocol has been widely used in electric power engineering systems (e.g. intelligent substations). Data in the industrial control network of the intelligent substation are transmitted in a plaintext mode, so that the risk of eavesdropping, sniffing or tampering exists in information transmission. For example, an attacker may launch a man-in-the-middle attack (MITM) to sniff and collect telemetry values, remote control commands, or other remote signals. In each case, they can be tampered with and re-injected into the communication system, compromising the stability of the power engineering system or reducing the security of the system, and possibly also launching further attacks in the future. Due to the lack of a control instruction authentication mechanism in the conventional power industry system, a malicious attacker may have unauthorized access to the industrial control system, destroy the integrity and availability of information, launch fraud attacks, replay attacks and man-in-the-middle attacks, possibly cause catastrophic damage and endanger the safe operation of the system. The existing IEC 61850-based intrusion detection system has the following defects: (1) the "zero-day attack" (unknown threat or undiscovered vulnerability) cannot be effectively prevented; (2) due to the influence of Message Manufacturing Standard (MMS) and substation event (GOOSE) messages facing to a general object, most statistical analysis and detection methods generate false negatives and real attacks are missed; (3) the detection precision needs to be improved and the method cannot adapt to an actual transformer substation.

Disclosure of Invention

The purpose of the invention is as follows: in order to solve the problems in the prior art, the invention provides an IEC 61850-based electric power industry control network intrusion detection method and system.

The technical scheme is as follows: an IEC 61850-based electric power industry control network intrusion detection method comprises the following steps:

ACD access control detection: for preventing malware activity and attacks attempting to communicate with the control server during the initial infection phase; extracting a destination IP address, a source IP address, a destination MAC address or a source MAC address or a port from a captured message, comparing the destination IP address with a pre-established access control white list, and if the IP address, the MAC address or the port does not belong to the access control white list, determining the IP address, the MAC address or the port as a suspicious IP address, an MAC address or a port; if the access control white list belongs to the access control white list, the access control white list is regarded as a normal IP address, a normal MAC address or a normal port;

detecting a white list of a PWD protocol: the system is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; the method comprises the steps of setting various protocols supported by a station control layer network and a process layer network, wherein the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, only allowing communication services conforming to MMS, COTP, TPKT or SNTP protocols, otherwise, considering suspicious communication and generating alarm information; for the process layer network, only allowing GOOSE, SMV or IEEE 1588 traffic, otherwise, generating alarm information considering suspicious traffic;

model-based detection of MBD: the system is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the content of the SCD file and the IEC61850 message, comparing the detected message with a normal behavior model defined by using protocol analysis, and if the condition of violating any normal behavior model occurs, generating an alarm and recording a detection result;

MPD based on multi-parameter detection: the method comprises the steps of monitoring parameters of the intelligent substation to identify threats caused by internal accidental misuse or external malicious attacks; the method comprises the steps of detecting telemetering data and remote signaling data from a station control layer network and a process layer network, identifying abnormal data through homologous comparison, and regarding the abnormal data as abnormal data when the homologous data are inconsistent; in particular to remote signaling comparison detection and remote sensing comparison detection.

Further, in the ACD access control detection, the established access control white list includes a MAC address in a data link layer, an IP address in a network layer, and an access control white list of a transport layer port.

Further, in the ACD access control detection, for the IP address, MAC address, or port considered as suspicious, a preset action is also taken, which specifically includes: sending out an alarm in an IDS mode, stopping in an IPS mode, and recording a detection result; the following formula (1):

wherein, AC ═ MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dst，AC_wlRepresenting an established access control white list; MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dstRespectively representing a source MAC address and a destination MAC address, a source IP address and a destination IP address, a source port and a destination port; each host or device having a unique identity<IP，MAC>Matching; if the intelligent electronic device is not replaced by a new device, but if two or more MAC addresses correspond to the same IP addressNamely, it is determined that a spoofing attack has occurred.

Further, the model-based detection of the MBD performed on the station level network specifically includes:

in a station control layer network, establishing a normal behavior model based on ACSI or SNTP mapped to MMS, and generating an alarm and recording a detection result if any normal behavior model is violated; the normal behavior model is established as follows:

a) report service model

In the SCD file, the maximum number of instantiatable report control blocks per intelligent electronic device has been configured; the proposed report service model defines the maximum number of instantiatable report control blocks per intelligent electronic device as detection rules; if the abnormal connection requests which possibly occupy all the instantiatable report control blocks of the intelligent electronic equipment are identified, the suspicious denial of service (DoS) attack is alarmed and the detection result is recorded;

b) association service model

The associated service model defines the maximum number of connectable IEC61850 clients; if an abnormal connection request to the client is detected, generating an alarm and recording a detection result;

c) setting up a service model

The provisioning service model definition only allows IEC61850 clients to modify the provisioning, and if the definition is violated, alarm information will be issued.

d) File transfer model

The client side uses the ACSI GetFileAttributeValues service to acquire the name and the attribute of a specific file in the file storage of the server, the file transmission model defines that the IEC61850 client side can only transmit a single file, and if the definition is violated, an alarm is generated and the detection result is recorded;

e) SNTP model

In a transformer substation network, SNTP is used for realizing time synchronization through LAN communication, SNTP flow adopts a user datagram protocol at a transmission layer, in the aspect of SNTP flow, the port number of the user datagram protocol connection to an IEC61850 server is <123>, and if the port number of the SNTP flow is not <123>, an alarm is triggered and the result is stored in a log file;

f) time dependent model

Important control commands have time-dependent constraints including time interval limits and frequency limits, and if the same legitimate command is sent too frequently, the rules of trans (2) (3) are violated, in each case some alarm and log actions will be initiated:

CV(n)-CV(n-1)＜T→Actions(alert,log) (2)

CV in equation (2) is a control command, n is a positive integer (n >1), and T is a limit of a time interval;

in the formula (3), F represents a frequency limit.

Further, the model-based detection of the MBD performed on the process layer network specifically includes: in a process layer network, establishing the normal behavior model based on GOOSE and SMV protocol specifications, and if any normal behavior model is violated, generating an alarm and recording a detection result; GOOSE APDU has twelve fields as gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, numDateSetEntries and allData; according to IEC 61850-9-2, SMV datagram adopts ISO/IEC 8802-3 in data link layer; the SV APDU has five fields of svID, smpCnt, confRev, smpSynch and seqData, and the normal behavior model is defined as follows:

a) destination address model

Configuring a destination ISO/IEC 8802-3 multicast address for transmitting GOOSE/SMV in an SCD file < Communication > → < sub network > → < connected AP >; the destination address fields of GOOSE and SMV messages start with four octets 01-0C-CD-01 and 01-0C-CD-04, respectively. The destination addresses of GOOSE and SMV are as in formulas (4) and (5):

in formula (4), P is a message captured in the process layer network, and P_GOOSERepresenting a GOOSE message, and DstAField representing the value of a destination address field in an ISO/IEC 8802-3 frame format;

p in formula (5)_SMVRepresenting an SMV message;

b) TPID field model

The 2 octets of the tag protocol identifier field show the ethernet type allocated for the 802.1Q ethernet encoded frame; the value of the TPID field in the GOOSE/SMV message should be 0x8100, i.e.

Wherein TPIDField represents the value of the TPID field, and P_GOOSE/SMVRepresenting GOOSE or SMV messages;

c) EtherType field model

The EtherType field 2 bytes of ISO/IEC 8802-3 are registered by the IEEE Authority, and the assigned EtherType values for GOOSE and SMV are 0x88B8 and 0x88BA, respectively, equation (7) (8):

wherein EthTField is the value of the EtherType field;

d) priority domain model

Defining the priority values of GOOSE and SMV messages, the default value of GOOSE/SMV is 4, and the priority values should be configured in the SCD file from 0 to 7, that is, equation (9):

PrioField in formula (9) is the value of the user priority field;

e) APPID field model

Each GOOSE/SMV control block has a unique APPID in the SCD file, the 2 octets of the APPID field of the GOOSE message are 4-bit hexadecimal [0000-3FFF ], and the field of the SMV message is [4000-7FFF ], as in equations (10) and (11):

f) length model

The length field 2 octets of the GOOSE/SMV message specifies the total number of bytes in the frame starting from APPID to APDU, which is equal to 8+ m, where m is the length of the APDU, m <1492, the length field model is as follows (12):

where Length field is the value of the Length field;

the length of the goID field in the GOOSE APDU is less than or equal to 65 bytes, i.e. equation (13),

wherein LenGoIDField is the length of the goID field;

g) TimeAllowedToLive field model

The timeAllowedToLive field in the GOOSE APDU shall be double MaxTime; "MaxTime" is configured in the SCD file as <5000>, < Communication > → < subnet > → < connecticut ap > → < GSE > → < MaxTime >; if no GOOSE data packet exists within 10000ms, sending a communication interruption alarm;

h) mark field model

In the GOOSE tag field model, tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, and numdatset fields of the GOOSE packet are 0x80,0x81,0x82,0x83,0x84,0x85, 0x86, 0x87, 0x88, 0x89, and 0x8 a. In the SMV label field model, label values of svID, smpCnt, confRev and smpSynch fields of an SMV message are respectively 0x80,0x82,0x83 and 0x 85;

i) SmpCnt field model

The smpCnt field model specifies the value of a counter, which is incremented each time a new sample of the analog value is sampled; when the sampling rate of the merging unit MU is 4000Hz, wherein 80 samples/cycle, the values of smpCnt are in the range of [0,3999], maintaining the correct order, i.e. equation (14),

wherein SmpCField is the value of the smpCnt field;

j) correlation model

According to the actual SCD configuration of the intelligent substation, the APPID field, equal to the last two octets of the destination address field, is defined as the relevant domain model, i.e. equation (15):

wherein DstAField (P)_5,6The last two octets representing the destination address field;

the type of the gocbRef field in the GOOSE APDU is a string including the logical device LD name, the logical node LN name, the function constraint FC, and the control block CB name, i.e., LD/LN $ FC $ CB; the datSet field in the GOOSE APDU includes the LD name, the LN name, and the data set DS name, i.e., LD/LN $ DS; the default value of the goID field in the GOOSE APDU is similar to the default value of the gocb reference field, i.e. LD/LN $ CB; the LD/LN value in the gcbRef field matches the LD/LN value in the dataSet field; the control block name in the gocbRef field matches the control block name in the goID field; gocbRef: PM5001APIGO/LLN0$ GO $ gocb1, dataSet: PM5001APIGO/LLN0$ dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1, the corresponding associated dictionary model is as follows (16):

wherein GocbField, DatSField, and GoIDfield represent the gocbRef, dataSet, and goID fields, respectively;

the change of the state quantity StNum and the sequence number SqNum in the GOOSE APDU strictly obeys the associated behavior pattern; when the value of datSet in the transmitted GOOSE message changes, the value of StNum will increase, which will result in the value of SqNum being set to zero; when the value of StNum is not changed, the value of SqNum will increment for each GOOSE transmission, but it will roll over to 0 at its maximum value SqNummax 4294967295:

StNum (GP) in the formula (17)_i) And SqNum (GP)_i) Respectively representing StNum and SqNum values of the ith GOOSE message;

k) flow-based model

According to the service captured from the actual substation scene, the service-based model defines the upper limit and the lower limit threshold of the per-second message transmission rate PPS, the per-second transmission byte size BPS, the message length LoP and the message size SoP as the normal flow behavior, as shown in formula (18):

wherein PPS_minAnd PPS_maxRepresenting PPSLower and upper threshold values.

Further, the remote signaling comparison detection specifically comprises: in the IEC61850 intelligent substation, intelligent electronic equipment in a process layer network sends remote signaling data to intelligent electronic equipment in a bay layer by adopting a GOOSE message, and receives a tripping/closing instruction from a protection or measurement and control device; the remote signaling comparison detection identifies abnormal events by comparing GOOSE messages with associated MMS messages; and if the input signal of the GOOSE message for protecting the intelligent electronic equipment in the process layer network is inconsistent with the MMS message of the associated signal report from the station control layer network, abnormal alarm is generated.

Further, the telemetry comparison detection specifically comprises: in an IEC61850 intelligent substation, a merging unit MU has a sampling value model and sends SV information to a protection measurement and control device, and the telemetering comparison detection comprises two rules:

a) range detection rules

The sampled values have an upper boundary value and a lower boundary value, and if the measured values are outside the expected range, an alarm is issued, equation (19):

where smv (I), I — I, U, represents different sample values, current I and voltage U; [ SMV (i)_min-e(i),SMV(i)_max+e(i)]Representing the range between the upper and lower boundaries, e (i) is the measurement tolerance, which is configured according to the design and operating specifications of the substation under normal operating conditions, the bus voltage of the 500(330) kV substation being set at 90% and 110% nominal voltage at the lower boundary.

b) Consistency detection rules

The duplicated intelligent electronic devices in the bay level are configured into groups A and B, receive the same MU sample values from the associated current transformer CT/voltage transformer VT, detect inconsistencies between the configured merging unit SMV parameters and the MMS of the associated plurality of protection devices, telemetrically compare the parameters including voltage, current and differential current, and alarm an anomaly if a consistency detection rule is violated.

The invention also provides an IEC 61850-based electric power industry control network intrusion detection system, which comprises:

the ACD access control detection module: this module is used to prevent malware activity and attacks attempting to communicate with the control server during the initial infection phase; detecting through a pre-established MAC address in a data link layer, an IP address in a network layer and an access control white list of a port of a transmission layer, extracting a target IP address, a source IP address, a target MAC address or a port from a captured message, comparing the target MAC address with the established access control white list, and if the IP address, the MAC address or the port does not belong to the access control white list, considering the target MAC address or the port as a suspicious IP address, an MAC address or a port, and adopting a preset action by the module; if the access control white list belongs to the access control white list, the access control white list is regarded as a normal IP address, a normal MAC address or a normal port;

PWD agreement white list detection module: the module is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; various protocols supported by a station control layer network and a process layer network are set, a protocol white list is established for detection, and the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, the module only allows communication services conforming to MMS, COTP, TPKT or SNTP protocols, otherwise, the module considers suspicious communication and generates alarm information; for the process layer network, the module only allows GOOSE, SMV or IEEE 1588 traffic, otherwise, the module generates alarm information considering suspicious traffic;

MBD model-based detection module: the module is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the content of the SCD file and the IEC61850 message, comparing the detected message with a normal behavior model defined by using protocol analysis, and if the condition of violating any normal behavior model occurs, generating an alarm and recording a detection result;

MPD multi-parameter based detection module: the module is used for identifying threats caused by internal accidental misuse or external malicious attacks by monitoring parameters of the intelligent substation; the method comprises the steps of detecting telemetering data and remote signaling data from a station control layer network and a process layer network, identifying abnormal data through homologous comparison, and regarding the abnormal data as abnormal data when the homologous data are inconsistent; the remote sensing device specifically comprises a remote signaling comparison detection module and a remote sensing comparison detection module.

Further, the ACD access control detection module is to take a preset action specifically as follows: sending out an alarm in an IDS mode, stopping in an IPS mode, and recording a detection result; the following formula (1):

wherein, AC ═ MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dst，AC_wlRepresenting an established access control white list; MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dstRespectively representing a source MAC address and a destination MAC address, a source IP address and a destination IP address, a source port and a destination port; each host or device having a unique identity<IP，MAC>Matching; if the intelligent electronic device is not replaced by a new device, but if two or more MAC addresses correspond to the same IP address, the module judges that a spoofing attack occurs.

Has the advantages that: the invention improves the network security of the industrial control system based on the IEC61850 protocol, provides the industrial control network intrusion detection method and system based on the IEC61850, integrates the power service knowledge, the protocol specification and the logic behavior, and is a comprehensive and effective solution capable of relieving various network attacks. The invention includes access control detection, protocol white list detection, model-based detection, and multi-parameter based detection. Among other things, access control detection may prevent malware activity and attacks attempting to communicate with the control server, especially during the initial infection phase; detecting abnormal protocol flow in a substation control layer and a process layer network of the transformer substation and giving an alarm by protocol white list detection; the abnormal behavior detection method based on the model has the potential of discovering malicious attacks or unintentional abnormalities in a station control layer and a process layer network; multi-parameter based detection identifies possible threats to industrial control systems due to internal inadvertent misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation. The invention is verified on a network physical test platform simulating an actual 500kV intelligent substation, and the instantaneity and the usability of the intrusion detection method are verified.

Drawings

FIG. 1 is a flow chart of the present invention;

FIG. 2 is a flow chart of the remote signaling comparison detection of the present invention;

FIG. 3 is a flowchart of the consistency detection in the present invention.

Detailed Description

The following describes embodiments of the present invention in detail with reference to the accompanying drawings;

as shown in fig. 1, the method for detecting the intrusion of the power industry control network based on IEC61850 includes:

ACD access control detection: for preventing malware activity and attacks attempting to communicate with the control server during the initial infection phase; establishing an MAC address in a data link layer, an IP address in a network layer and an access control white list of a port of a transmission layer, and if any address or port is not in the corresponding white list, taking a preset action;

detecting a white list of a PWD protocol: the system is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; setting various protocols supported by a station control layer network and a process layer network, and establishing a protocol white list, wherein the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, only allowing communication services conforming to MMS, COTP, TPKT or SNTP normal protocols, otherwise, considering suspicious communication and generating alarm information; for the process layer network, only allowing normal traffic of GOOSE, SMV or IEEE 1588, otherwise, generating alarm information considering suspicious traffic;

model-based detection of MBD: the system is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing an SCD (substation configuration description) file and normal IEC61850 message content, defining a normal behavior model by using deep protocol analysis, and comparing a detected message with the normal behavior model to construct a detection model to identify abnormal deviation;

MPD based on multi-parameter detection: the method is used for identifying threats caused by internal accidental misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation; the method comprises the steps of detecting telemetering and telesignaling data from a station control layer network and a process layer network, identifying abnormity, specifically, comparing and detecting telesignaling and comparing and detecting telemetering.

Meanwhile, the invention also provides a system capable of realizing the IEC 61850-based intrusion detection method for the power industry control network, which comprises the following steps:

the ACD access control detection module: this module is used to prevent malware activity and attacks attempting to communicate with the control server during the initial infection phase; the method comprises the steps that detection is carried out by establishing an MAC address in a data link layer, an IP address in a network layer and an access control white list of a port of a transmission layer, and if any address or port is not in the corresponding white list, the module takes a preset action;

PWD agreement white list detection module: the module is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; various protocols supported by a station control layer network and a process layer network are set, a protocol white list is established for detection, and the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, the module only allows communication services conforming to MMS, COTP, TPKT or SNTP normal protocols, otherwise, the module considers suspicious communication and generates alarm information; for the process layer network, the module only allows the normal flow of GOOSE, SMV or IEEE 1588, otherwise, the module is regarded as suspicious flow and generates alarm information;

MBD model-based detection module: the module is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the SCD file and the content of a normal IEC61850 message, using a deep protocol to analyze and define a normal behavior model, comparing the detected message with the normal behavior model, and constructing a detection model to identify abnormal deviation;

MPD multi-parameter based detection module: the module is used for identifying threats caused by internal inadvertent misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation; the method is used for identifying abnormality by detecting telemetering and telesignaling data from a station control layer network and a process layer network, and specifically comprises a telesignaling comparison detection module and a telemetering comparison detection module.

The following describes in detail the detection processes in the method of the present invention, and also the implementation processes of the detection modules in the system of the present invention:

(1) ACD access control detection

ACD is an access control white list policy that includes Media Access Control (MAC) addresses in the data link layer, IP addresses in the network layer, and ports in the transport layer. The TCP port of IEC61850 flow is <102 >. If any address or port is not on the corresponding white list, the IDS will take a preset action. For example, an alarm is issued in an IDS (Intrusion Detection System) mode, a block is issued in an IPS (Intrusion Prevention System) mode, and a Detection result is recorded. The following formula (1):

here, AC ═ MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dst，AC_wlRepresenting the corresponding set of whitelists. MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dstRepresenting source and destination MACs, source and destination IPs, and source and destination ports.

Each host or device in the secondary system of the intelligent substation has a unique < IP, MAC > match. If the IED device is not replaced by a new device, but corresponds to the same IP address from two or more MAC addresses, this means that a spoofing attack may occur.

(2) PWD protocol whitelist detection

Protocol white list detection references layers 2-7 of the Open Systems Interconnection (OSI) model, handling various protocols of the intelligent substation network, such as MMS, COTP, TPKT, Simple Network Time Protocol (SNTP), GOOSE, SMV, and IEEE 1588. A typical IEC61850 based substation network comprises a site control layer network and a process layer network. For a network of the site-controlled layer, the IDS may be set to only allow communication traffic that conforms to the normal protocol, MMS/COTP/TPKT/SNTP, etc. For the process layer network, the IDS only allows the normal traffic of GOOSE/SV/IEEE 1588 and the like. In different cases, the IDS may be set to support other specific protocols. For example, when the IDS is deployed in the intelligent substation process layer network, only the GOOSE/SV/IEEE 1588 traffic is allowed, otherwise the alarm information is generated as suspicious traffic.

(3) Model-based detection of MBD

The model-based detection method analyzes the contents of the SCD file and the normal IEC61850 message, defines a normal behavior model by using deep protocol analysis, and compares the detected message with a correct behavior model to identify abnormal deviation. The abnormal behavior detection method based on the model has the potential of detecting unknown attacks. Compared to traditional IT networks, industrial control networks in intelligent substations have different characteristics, such as regular flow and predictable behaviour patterns, which may simplify the behaviour model. The proposed MBD has the potential to discover malicious attacks or unintentional anomalies in both the station level and the process level networks.

1) MBD for station control layer network

In a site-controlled layer network, abnormal behavior detection is based on ACSI or SNTP mapped to MMS. The detection model is defined as follows,

a) report service model

In the SCD file, the maximum number of instantiatable reporting control blocks per IED has been configured. The proposed reporting service model defines the maximum number of instantiatable reporting control blocks per IED as detection rules. If the MBD identifies abnormal connection requests that may occupy all instantiatable report control blocks of the IED, a suspected denial of service (DoS) attack is alerted and the detection results are recorded.

b) Association service model

The proposed association service model defines the maximum number of connectable IEC61850 clients. And if the MBD detects an abnormal connection request to the client, generating an alarm and recording a detection result.

c) Setting up a service model

The proposed provisioning service model definition only allows IEC61850 clients to modify the provisioning. When this model is violated, the MBD will issue an alarm message.

d) File transfer model

The ACSI GetFile service is used by clients to transfer the content of a file from a server to a client. The client uses the ACSI getfileattribute values service to obtain the name and attributes of a particular file in the server file store. The file transmission model defines that an IEC61850 client can only transmit a single file. If this rule is violated, it will generate an alarm and record the detection result.

e) SNTP model

In a substation network, SNTP is used to achieve time synchronization through LAN communication. SNTP traffic uses User Datagram Protocol (UDP) at the transport layer. In terms of SNTP traffic, the port number of the UDP connection to the IEC61850 server should be <123 >. If the port number of the SNTP traffic is not <123>, the MBD will trigger an alarm and save the result in a log file.

f) Time dependent model

Important control commands have time-dependent constraints, such as time interval limits and frequency limits. If the same legitimate command is sent too frequently, the following rules may be violated, as in equations (2) (3). In each case, the IDS will initiate some action (alerts and logs).

CV(n)-CV(n-1)＜T→Actions(alert,log) (2)

CV in equation (2) is a control command, n is a positive integer (n >1), and T is a limit of a time interval.

In the formula (3), F represents a frequency limit.

2) MBD of process layer

In the process layer network, model detection is based on GOOSE and SMV protocol specifications. A GOOSE APDU has twelve fields, such as gocbRef (control block reference), timeAllowedToLive, datSet (data set reference), goid (GOOSE id), t (event timestamp), StNum (state number), SqNum (test identifier), test (test bit), confRev (configuration revision), ndsCom (debug required), numdatset entries (number of data set entries), and allData. According to IEC 61850-9-2, SMV datagrams are in ISO/IEC 8802-3 in the data link layer, similar to GOOSE datagrams. The SV APDU has five fields such as svID (SMV control block ID), smpCnt (sample counter), confRev (configuration revision), smpSynch (synchronization adopted), and seqData (data sequence). The partial detection model is defined as follows:

a) destination address model

The destination ISO/IEC 8802-3 multicast address is configured in the SCD file (< Communication > → < subnet > → < connected ap >) for transporting GOOSE/SMV. The destination address fields (6 octets) of GOOSE and SMV messages start with four octets (01-0C-CD-01) and (01-0C-CD-04), respectively. The destination address models of GOOSE and SMV are (4) and (5), i.e.:

in formula (4), P is a message captured in the process layer network, and P_GOOSERepresenting a GOOSE message and DstAField representing the value of the destination address field in the ISO/IEC 8802-3 frame format.

P in formula (5)_SMVRepresenting an SMV message.

b) TPID field model

The Tag Protocol Identifier (TPID) field (2 octets) shows the ethernet type assigned for the 802.1Q ethernet encoded frame. The value of the TPID field in the GOOSE/SMV message should be 0x8100, i.e.

Wherein TPIDField represents the value of the TPID field, and P_GOOSE/SMVRepresenting GOOSE or SMV messages.

c) EtherType field model

The EtherType field (2 bytes) of ISO/IEC 8802-3 is registered by the IEEE Authority. The assigned EtherType values for GOOSE and SMV are 0x88B8 and 0x88BA, respectively, i.e., equation (7) (8):

where EthTField is the value of the EtherType field.

d) Priority domain model

The priority field (3-bit) model defines the priority values of GOOSE and SMV packets. GOOSE/SMV has a default value of 4, and is also configured in the SCD file. The priority value should be from 0 to 7, i.e. equation (9):

PrioField in equation (9) is the value of the user priority field.

e) APPID field model

Each GOOSE/SMV control block has a unique APPID in the SCD file. The APPID field (2 octets) of the GOOSE message should be 4-bit hexadecimal, i.e. [0000-3FFF ], and the field of the SMV message should be [4000-7FFF ]. The detection model is shown in the formulas (10) and (11),

f) length model

The length field (2 octets) of the GOOSE/SMV message specifies the total number of bytes in the frame starting from APPID to APDU, which is equal to 8+ m (m is the length of the APDU, m < 1492). The length field model is as in equation (12),

where longfield is the value of the length field.

The length of the goID field in the GOOSE APDU is less than or equal to 65 bytes, i.e. equation (13),

where LenGoIDField is the length of the goID field.

g) TimeAllowedToLive field model

The timeAllowedToLive field in the GOOSE APDU shall be double MaxTime. "MaxTime" is configured in the SCD file as <5000> (< Communication > → < subnet > → < connectitedap > → < GSE > → < MaxTime >). This detection mode will send a communication interruption alarm if there are no GOOSE packets within 10000 ms.

h) Mark field model

In the GOOSE tag field model, tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, and numdatset fields of the GOOSE packet are 0x80,0x81,0x82,0x83,0x84,0x85, 0x86, 0x87, 0x88, 0x89, and 0x8 a. In the SMV label field model, label values of the fields of the svID, smpCnt, confRev and smpSynch of the SMV message are 0x80,0x82,0x83 and 0x85 respectively.

i) SmpCnt field model

The smpCnt field model specifies the value of a counter that is incremented each time a new sample of the analog value is sampled. When the sample rate of the Merging Unit (MU) is 4000Hz (80 samples/cycle), the values of smpCnt should be kept in the correct order within the range of [0,3999], i.e. equation (14),

where SmpCField is the value of the smpCnt field.

j) Correlation model

The APPID field is equal to the last two octets of the destination address field according to the actual SCD configuration of the intelligent substation. It can be defined as a correlation domain model, equation (15),

wherein DstAField (P)_5,6Representing the last two octets of the destination address field.

The type of the gocbRef field in the GOOSE APDU is a string including a Logical Device (LD) name, a Logical Node (LN) name, a Function Constraint (FC), and a Control Block (CB) name, i.e., LD/LN $ FC $ CB. The datSet field in the GOOSE APDU includes the LD name, the LN name, and the Data Set (DS) name, i.e., LD/LN $ DS. The default value of the goID field in the GOOSE APDU is similar to the default value of the gocb reference field, i.e., LD/LN $ CB. The LD/LN value in the gcbRef field matches the LD/LN value in the dataSet field. The control block name in the gocbRef field matches the control block name in the goID field. For example, gocbRef: PM5001APIGO/LLN0$ GO $ gocb1, dataSet: PM5001APIGO/LLN0$ dsGOOSE1, goID: PM5001APIGO/LLN0. gocb1. The corresponding associated dictionary model is as in equation (16),

wherein GocbField, DatSField, and GoIDfield denote the gocbRef, dataSet, and goID fields, respectively.

The changes in the number of states (StNum) and sequence number (SqNum) in GOOSE APDUs strictly adhere to the associated behavior pattern. When the value of datSet in the GOOSE message sent changes, the value of StNum will increase, which will result in the value of SqNum being set to zero. When the value of StNum is not changed, the value of SqNum will increment for each GOOSE transmission, but it will roll over to 0 at its maximum value (SqNummax 4294967295).

StNum (GP) in the formula (17)_i) And SqNum (GP)_i) Respectively representing StNum and SqNum values of the ith GOOSE message.

k) Flow-based model

According to the service captured from the actual substation scene, the service-based model defines the upper and lower threshold values of the per-second message transmission rate (PPS), the per-second transmission byte size (BPS), the message length (LoP) and the message size (SoP) as normal traffic behaviors. The flow detection model is expressed by equation (18),

wherein PPS_minAnd PPS_maxRepresenting lower and upper thresholds for PPS.

Behavior outside of these protocol models is considered anomalous and suspicious. If any of the above models is violated, the MBD will generate an alarm and record the detection results.

(4) MPD multi-parameter based detection

The core idea of multi-parameter based detection is to identify possible threats to the industrial control system due to internal unintentional misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation. These multidimensional parameters are relevant to the safe and stable operation of intelligent substations, such as telemetry and telemetry data from station level and process level networks. And a multi-parameter detection strategy is provided from the service knowledge and the operation experience of the intelligent substation, such as comparison of key switch signals and key analog signals.

1) Remote signaling comparison detection rules

In the IEC61850 intelligent substation, an intelligent terminal in a process level network sends remote signaling data to IEDs in bay levels by adopting GOOSE messages, and receives tripping/closing instructions from a protection or measurement and control device. As shown in fig. 2, the proposed telemetry comparison detection rule identifies exceptional events by comparing GOOSE messages with associated MMS messages. For example, if an incoming signal of a protection IED (GOOSE message) in the process level network and an associated signal report (MMS message) from the station level network do not coincide, an abnormal alarm will occur.

2) Telemetry comparison detection rules

In an IEC61850 intelligent substation, a Merging Unit (MU) has a sample value model and sends SV messages to protection measurement and control devices. The telemetry comparison detection rule contains two categories:

a) range detection rules

Typically the sampled values have an upper boundary value and a lower boundary value (e.g. current (I) and voltage (U)). If the measured value is outside the expected range, an alarm is issued, equation (19),

where smv (i), i — I, U, represent different sample values, such as current and voltage; [ SMV (i)_min-e(i),SMV(i)_max+e(i)]Representing the range between the upper and lower boundaries, e (i) is the measurement tolerance. In the normal stateIn the operational case, the upper and lower boundaries are configured according to the design and operational specifications of the substation. For example, the bus voltage upper and lower bounds of a 500(330) kV substation are set to 90% and 110% rated voltages. From the point of view of safe operation of the industrial control system, such suspicious phenomena should be noticed and resolved by the operators in the substation as long as the measured values are outside the expected range. Thus, the proposed range detection rules can identify anomalous events caused by measurement errors or malicious attacks.

b) Consistency detection rules

In a practical case, the dualized configured IEDs (groups a and B) in the bay level receive the same MU sample values from the associated current/voltage transformers (CT/VT). As shown in fig. 3, the proposed conformance detection rules are used to detect inconsistencies between the configured merging unit SMV parameters and the MMS of the associated plurality of protection devices (e.g. line protection a/B, bus protection a/B and transformer protection a/B). Parameters for telemetry comparison include voltage and current, and also include differential current, i.e., the differential current in the two sets of protection MMS messages is compared. If the consistency detection rule is violated, an exception alarm will occur. The IEC 61850-based power industry control network intrusion detection method and system provided by the invention can form a logic network boundary in a digital substation, wherein the logic network boundary comprises an IEC 61850-related communication safety area. The next step to ensure that defense in depth is to establish a supervision mechanism in the security zone that can detect vulnerabilities and failed security controls, such as an attacker penetrating a misconfigured firewall, or bypassing the firewall altogether to launch an attack by a computer that an engineer has connected directly to the substation lan and is infected with malware. Once an intruder establishes a presence at the target substation network, scanning from the primary network to intentionally attempting to obtain a response from the IED; or cause a particular command to be executed; automatic or manual actions will be initiated that are not prevented by the border firewall. Therefore, the intrusion detection system aiming at the IEC61850 is designed to discover suspicious abnormal bewildering behaviors possibly existing in the electric power engineering system and improve the safety of the electric power engineering system based on the IEC61850 protocol.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Claims (6)

1. An IEC 61850-based electric power industry control network intrusion detection method is characterized by comprising the following steps:

ACD access control detection: for preventing malware activity and attacks attempting to communicate with the control server during the initial infection phase; extracting a destination IP address, a source IP address, a destination MAC address or a source MAC address or a port from a captured message, comparing the destination IP address with a pre-established access control white list, and if the IP address, the MAC address or the port does not belong to the access control white list, determining the IP address, the MAC address or the port as a suspicious IP address, an MAC address or a port; if the access control white list belongs to the access control white list, the access control white list is regarded as a normal IP address, a normal MAC address or a normal port;

detecting a white list of a PWD protocol: the system is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; the method comprises the steps of setting various protocols supported by a station control layer network and a process layer network, wherein the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, only allowing communication services conforming to MMS, COTP, TPKT or SNTP protocols, otherwise, considering suspicious communication and generating alarm information; for the process layer network, only allowing GOOSE, SMV or IEEE 1588 traffic, otherwise, generating alarm information considering suspicious traffic;

model-based detection of MBD: the system is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the content of the SCD file and the IEC61850 message, comparing the detected message with a normal behavior model defined by using protocol analysis, and if the condition of violating any normal behavior model occurs, generating an alarm and recording a detection result;

MPD based on multi-parameter detection: the method comprises the steps of monitoring parameters of the intelligent substation to identify threats caused by internal accidental misuse or external malicious attacks; the method comprises the steps of detecting telemetering data and remote signaling data from a station control layer network and a process layer network, identifying abnormal data through homologous comparison, and regarding the abnormal data as abnormal data when the homologous data are inconsistent; specifically, remote signaling comparison detection and remote sensing comparison detection are carried out;

the model-based detection of the MBD on the station control layer network specifically comprises the following steps:

in a station control layer network, establishing a normal behavior model based on ACSI or SNTP mapped to MMS, and generating an alarm and recording a detection result if any normal behavior model is violated; the normal behavior model is established as follows:

a) report service model

In the SCD file, the maximum number of instantiatable report control blocks per intelligent electronic device has been configured; the proposed report service model defines the maximum number of instantiatable report control blocks per intelligent electronic device as detection rules; if the abnormal connection requests which possibly occupy all the instantiatable report control blocks of the intelligent electronic equipment are identified, the suspicious denial of service (DoS) attack is alarmed and the detection result is recorded;

b) association service model

The associated service model defines the maximum number of connectable IEC61850 clients; if an abnormal connection request to the client is detected, generating an alarm and recording a detection result;

c) setting up a service model

The provisioning service model definition only allows the IEC61850 client to modify the provisioning, and if the definition is violated, an alarm message will be sent;

d) file transfer model

The ACSIGetFile service is used by a client for transmitting the content of a file from a server to the client, the client acquires the name and the attribute of a specific file in the file storage of the server by using the ACSI GetFileAttributeValues service, a file transmission model defines that the IEC61850 client can only transmit a single file, and if the definition is violated, an alarm is generated and the detection result is recorded;

e) SNTP model

In a transformer substation network, SNTP is used for realizing time synchronization through LAN communication, SNTP flow adopts a user datagram protocol at a transmission layer, in the aspect of SNTP flow, the port number of the user datagram protocol connection to an IEC61850 server is <123>, and if the port number of the SNTP flow is not <123>, an alarm is triggered and the result is stored in a log file;

f) time dependent model

Important control commands have time-dependent constraints including time interval limits and frequency limits, and if the same legitimate command is sent too frequently, the rules of trans (2) (3) are violated, in each case some alarm and log actions will be initiated:

CV(n)-CV(n-1)＜T→Actions(alert,log) (2)

CV in equation (2) is a control command, n is a positive integer (n >1), and T is a limit of a time interval;

in the formula (3), F represents a frequency limit.

2. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein in the ACD access control detection, the established access control white list comprises MAC addresses in data link layer, IP addresses in network layer and access control white list of transport layer ports.

3. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein in the ACD access control detection, for the IP address, MAC address or port deemed suspicious, a preset action is further taken, which specifically is: sending out an alarm in an IDS mode, stopping in an IPS mode, and recording a detection result; the following formula (1):

wherein, AC ═ MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dst，AC_wlRepresenting an established access control white list; MAC_src，MAC_dst，IP_src，IP_dst，Port_src，Port_dstRespectively representing a source MAC address and a destination MAC address, a source IP address and a destination IP address, a source port and a destination port; each host or device having a unique identity<IP，MAC>Matching; if the intelligent electronic equipment is not replaced by a new device, but if two or more MAC addresses correspond to the same IP address, the cheating attack is judged to occur.

4. The IEC 61850-based power industry control network intrusion detection method according to claim 1, wherein the MBD model-based detection on the process level network specifically comprises: in a process layer network, establishing the normal behavior model based on GOOSE and SMV protocol specifications, and if any normal behavior model is violated, generating an alarm and recording a detection result; GOOSE APDU has twelve fields as gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, numDateSetEntries and allData; according to IEC 61850-9-2, SMV datagram adopts ISO/IEC 8802-3 in data link layer; the SV APDU has five fields of svID, smpCnt, confRev, smpSynch and seqData, and the normal behavior model is defined as follows:

a) destination address model

Configuring a destination ISO/IEC 8802-3 multicast address for transmitting GOOSE/SMV in an SCD file < Communication > → < sub network > → < connected AP >; the destination address fields of the GOOSE message and the SMV message start with four octets 01-0C-CD-01 and 01-0C-CD-04, respectively; the destination addresses of GOOSE and SMV are as in formulas (4) and (5):

in formula (4), P is a message captured in the process layer network, and P_GOOSERepresenting a GOOSE message, and DstAField representing the value of a destination address field in an ISO/IEC 8802-3 frame format;

p in formula (5)_SMVRepresenting an SMV message;

b) TPID field model

The 2 octets of the tag protocol identifier field show the ethernet type allocated for the 802.1Q ethernet encoded frame; the value of the TPID field in the GOOSE/SMV message should be 0x8100, i.e.

Wherein TPIDField represents the value of the TPID field, and P_GOOSE/SMVRepresenting GOOSE or SMV messages;

c) EtherType field model

The EtherType field 2 bytes of ISO/IEC 8802-3 are registered by the IEEE Authority, and the assigned EtherType values for GOOSE and SMV are 0x88B8 and 0x88BA, respectively, equation (7) (8):

wherein EthTField is the value of the EtherType field;

d) priority domain model

Defining the priority values of GOOSE and SMV messages, the default value of GOOSE/SMV is 4, and the priority values should be configured in the SCD file from 0 to 7, that is, equation (9):

PrioField in formula (9) is the value of the user priority field;

e) APPID field model

Each GOOSE/SMV control block has a unique APPID in the SCD file, the 2 octets of the APPID field of the GOOSE message are 4-bit hexadecimal [0000-3FFF ], and the field of the SMV message is [4000-7FFF ], as in equations (10) and (11):

f) length model

The length field 2 octets of the GOOSE/SMV message specifies the total number of bytes in the frame starting from APPID to APDU, which is equal to 8+ m, where m is the length of the APDU, m <1492, the length field model is as follows (12):

where Length field is the value of the Length field;

the length of the goID field in the GOOSE APDU is less than or equal to 65 bytes, i.e. equation (13),

wherein LenGoIDField is the length of the goID field;

g) TimeAllowedToLive field model

The timeAllowedToLive field in the GOOSE APDU shall be double MaxTime; "MaxTime" is configured in the SCD file as <5000>, < Communication > → < subnet > → < connecticut ap > → < GSE > → < MaxTime >; if no GOOSE data packet exists within 10000ms, sending a communication interruption alarm;

h) mark field model

In the GOOSE tag field model, tag values of gocbRef, timeallowedtollive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom and numdatset fields of the GOOSE packet are 0x80,0x81,0x82,0x83,0x84,0x85, 0x86, 0x87, 0x88, 0x89 and 0x8 a; in the SMV label field model, label values of svID, smpCnt, confRev and smpSynch fields of an SMV message are respectively 0x80,0x82,0x83 and 0x 85;

i) SmpCnt field model

The smpCnt field model specifies the value of a counter, which is incremented each time a new sample of the analog value is sampled; when the sampling rate of the merging unit MU is 4000Hz, wherein 80 samples/cycle, the values of smpCnt are in the range of [0,3999], maintaining the correct order, i.e. equation (14),

wherein SmpCField is the value of the smpCnt field;

j) correlation model

According to the actual SCD configuration of the intelligent substation, the APPID field, equal to the last two octets of the destination address field, is defined as the relevant domain model, i.e. equation (15):

wherein DstAField (P)_5,6The last two octets representing the destination address field;

the type of the gocbRef field in the GOOSE APDU is a string including the logical device LD name, the logical node LN name, the function constraint FC, and the control block CB name, i.e., LD/LN $ FC $ CB; the datSet field in the GOOSE APDU includes the LD name, the LN name, and the data set DS name, i.e., LD/LN $ DS; the default value of the goID field in the GOOSE APDU is similar to the default value of the gocb reference field, i.e. LD/LN $ CB; the LD/LN value in the gcbRef field matches the LD/LN value in the dataSet field; the control block name in the gocbRef field matches the control block name in the goID field; gocbRef: PM5001APIGO/LLN0$ GO $ gocb1, dataSet: PM5001APIGO/LLN0$ dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1, the corresponding associated dictionary model is as follows (16):

wherein GocbField, DatSField, and GoIDfield represent the gocbRef, dataSet, and goID fields, respectively;

the change of the state quantity StNum and the sequence number SqNum in the GOOSE APDU strictly obeys the associated behavior pattern; when the value of datSet in the transmitted GOOSE message changes, the value of StNum will increase, which will result in the value of SqNum being set to zero; when the value of StNum is not changed, the value of SqNum will increment for each GOOSE transmission, but it will roll over to 0 at its maximum value SqNummax 4294967295:

StNum (GP) in the formula (17)_i) And SqNum (GP)_i) Respectively representing StNum and SqNum values of the ith GOOSE message;

k) flow-based model

According to the service captured from the actual substation scene, the service-based model defines the upper limit and the lower limit threshold of the per-second message transmission rate PPS, the per-second transmission byte size BPS, the message length LoP and the message size SoP as the normal flow behavior, as shown in formula (18):

wherein PPS_minAnd PPS_maxRepresenting lower and upper thresholds for PPS.

5. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein the remote signaling comparison detection specifically comprises: in the IEC61850 intelligent substation, intelligent electronic equipment in a process layer network sends remote signaling data to intelligent electronic equipment in a bay layer by adopting a GOOSE message, and receives a tripping/closing instruction from a protection or measurement and control device; the remote signaling comparison detection identifies abnormal events by comparing GOOSE messages with associated MMS messages; and if the input signal of the GOOSE message for protecting the intelligent electronic equipment in the process layer network is inconsistent with the MMS message of the associated signal report from the station control layer network, abnormal alarm is generated.

6. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein the telemetry comparison detection specifically is: in an IEC61850 intelligent substation, a merging unit MU has a sampling value model and sends SV information to a protection measurement and control device, and the telemetering comparison detection comprises two rules:

a) range detection rules

The sampled values have an upper boundary value and a lower boundary value, and if the measured values are outside the expected range, an alarm is issued, equation (19):

where smv (I), I — I, U, represents different sample values, current I and voltage U; [ SMV (i)_min-e(i),SMV(i)_max+e(i)]Representing the range between the upper and lower boundaries, e (i) is the measurement tolerance, the upper and lower boundaries being configured according to the design and operating specifications of the substation under normal operating conditions, the bus voltage of the 500(330) kV substation being set at 90% and 110% rated voltage;

b) consistency detection rules

The duplicated intelligent electronic devices in the bay level are configured into groups A and B, receive the same MU sample values from the associated current transformer CT/voltage transformer VT, detect inconsistencies between the configured merging unit SMV parameters and the MMS of the associated plurality of protection devices, telemetrically compare the parameters including voltage, current and differential current, and alarm an anomaly if a consistency detection rule is violated.

Images