CN110611665B - Safe operation and maintenance gateway method for telecontrol operation and maintenance of power secondary system


Info

Publication number
CN110611665B
Authority
CN
China
Prior art keywords
gateway
maintenance
connection
control system
network
Prior art date
Legal status
Active
Application number
CN201910818769.7A
Other languages
Chinese (zh)
Other versions
CN110611665A (en)
Inventor
吴蔚雯
Current Assignee
Hangzhou Xiyifeng Xinye Technology Co ltd
Original Assignee
Hangzhou Xiyifeng Xinye Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Xiyifeng Xinye Technology Co ltd
Priority to CN201910818769.7A
Publication of CN110611665A
Application granted
Publication of CN110611665B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/143 Termination or inactivation of sessions, e.g. event-controlled end of session
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for a safety operation and maintenance gateway for the telecontrol operation and maintenance of an electric power secondary system. The method comprises: carrying out operation and maintenance safety monitoring of the system through a special operation and maintenance tool matched with the operation and maintenance terminal; the telecontrol control end controlling the telecontrol execution end in real time according to the monitoring condition; and the operation and maintenance terminal and the telecontrol execution end obtaining firewall, routing and gateway services for their network connection through the operation and maintenance gateway. The invention integrates the login process through the gateway control system, integrates account management into the security check process of the whole secure operation and maintenance through the source account mapping record table mechanism, integrates the management of the firewall protection rules, and thereby forms a complete authorization system; the operation requests and network accesses of the special operation and maintenance tool running on the operation and maintenance terminal are then sent securely to the target address through the gateway or NAT mode of the operation and maintenance gateway.

Description

Safe operation and maintenance gateway method for telecontrol operation and maintenance of power secondary system
Technical Field
The invention belongs to the technical field of electric power, and in particular relates to a method for a safety operation and maintenance gateway for the telecontrol operation and maintenance of an electric power secondary system.
Background
A power system consists of power generation, transmission, transformation, distribution and utilization equipment, together with the corresponding auxiliary systems.
The electrical equipment of a power system is divided into primary equipment and secondary equipment.
Primary equipment is the main body of the power system: the equipment that directly produces, transports and distributes electric energy, including generators, transformers, switchgear, power lines, instrument transformers, arresters and the like. It is characterised by high voltage and large current.
The circuit formed by connecting the primary devices according to their purpose and function is called the primary loop, primary wiring or main wiring diagram.
Secondary equipment controls, regulates, protects and monitors the primary equipment; it includes measuring instruments, relay protection and automatic devices, operating appliances, DC power supply devices and the like, and is characterised by low voltage and small current.
Secondary equipment is electrically connected to the primary equipment through voltage transformers and current transformers.
The circuit formed by interconnecting the secondary electrical devices is called the secondary circuit or secondary wiring.
The primary system of a power system is composed of the primary equipment and the electric circuits connecting it.
The secondary system of a power system is composed of the secondary equipment and the electric circuits connecting it, and is the system that monitors, controls, regulates and protects the primary system of a substation.
A telecontrol system is a system for monitoring and controlling a production process over a wide area; it comprises all the equipment and functions needed to acquire, process, transmit, display and execute the necessary process information. The equipment constituting a telecontrol system comprises the dispatching-end telecontrol device (also called the control end), the station-end telecontrol device (also called the controlled end or execution end) and the telecontrol channel. A telecontrol system built on computer technology is also called a supervisory control and data acquisition system (SCADA). Its main functions are realised by software, and it has outstanding advantages such as information and data processing, man-machine dialogue and automatic polling detection.
Power system telecontrol is a specialised technology for the remote monitoring and control of power system dispatching, and is the technical means for managing and monitoring the operating conditions of many widely distributed plants, stations, equipment and components.
The control end (also called the dispatching end) is where the remote control and remote regulation commands of the telecontrol system are generated, and where the telemetry and communication information of the controlled-end equipment is received. The main tasks of the control end are to process the information sent by the controlled end (such as active power, reactive power and electric energy), to produce reports, records, printouts, storage and displays as needed, to raise alarms on accident signals, and to let an operator send operating commands to each controlled object through a man-machine interface.
The controlled end (also called the execution end) receives and executes the remote control and remote regulation commands of the telecontrol system, and collects and sends the telemetry and remote signalling information of the controlled equipment. The execution end completes the functions of the telecontrol system and generally provides sequence-of-events recording, self-recovery and self-diagnosis for the controlled equipment. In SCADA the execution end is also called a Remote Terminal Unit (RTU). The execution end of a computer-based telecontrol system mainly comprises a computer, data acquisition circuits, a display, a printer and other equipment; its main functions are realised by software.
The main function of the telecontrol channel is to carry information, data and commands between the control end and the controlled end. Data sent from the control end to the controlled end is usually called "downlink" data; conversely, data sent from the controlled end to the control end is called "uplink" data. The greatest structural difference between telecontrol systems and general automation systems is the existence of this channel. The distance between the dispatching end and the execution end is long, and the channel is easily disturbed by external factors, which reduces the accuracy of commands and the reliability of the whole system. As more commands need to be transmitted and the system grows more complex, the channel structure becomes more complex, this weakness becomes more prominent and the cost of the channel rises. A series of measures is therefore needed to ensure that the system operates correctly, reliably and economically. Typically, telecontrol systems convert the commands to be communicated into the form best suited to transmission over the channel, using techniques such as digitisation of analogue signals, error-correcting coding, digital encryption, baseband transmission and synchronisation. This format is often very different from the command format of a typical automation system, so special conversion equipment is required to convert the commands of a telecontrol system.
There are many kinds of gateway (English: Gateway); the gateway of the TCP/IP protocol is the most common, and "gateway" here means the gateway under the TCP/IP protocol. A gateway is essentially the IP address through which one network reaches another. For example, suppose network A has the IP address range 192.168.1.1-192.168.1.254 with subnet mask 255.255.255.0, and network B has the IP address range 192.168.2.1-192.168.2.254 with subnet mask 255.255.255.0. Without a router, TCP/IP communication between the two networks is impossible: even if both networks are connected to the same switch (or hub), the TCP/IP protocol determines from the subnet mask (255.255.255.0) that the hosts of the two networks are in different networks. Communication between the two networks must go through a gateway. The gateway has one IP address in network A and another in network B, and is attached to both networks at once. If a host in network A finds that the destination host of a packet is not in the local network, the packet is forwarded to the gateway of network A, which forwards it to the gateway of network B, which in turn forwards it to the host in network B. This is the process by which network A forwards packets to network B through the gateway.
NAT, in full "Network Address Translation", is an IETF (Internet Engineering Task Force) standard that allows an entire organisation to appear on the Internet under one public IP (Internet Protocol) address. As the name implies, it is a technique that translates internal private network IP addresses into legitimate public IP addresses. Briefly, the LAN uses internal addresses; when an internal node wants to communicate with an external network, its internal address is replaced with a public address at the gateway (which can be thought of as an exit, like the gate of a courtyard), so that the traffic can be used normally on the external public network (Internet). Multiple computers can thus share one Internet connection through NAT, which solves the shortage of public IP addresses well: a user need only apply for one legitimate IP address to connect all the computers of a local area network to the Internet. At the same time NAT shields the intranet: none of the intranet computers is visible to the public network, while intranet users are generally unaware of NAT's presence.
A firewall is a software or hardware protective barrier built at the interface between an intranet and an extranet, or a private network and a public network; it is a figurative name for a security method. It is a combination of computer hardware and software that establishes a Security Gateway between the Internet and the intranet, thereby protecting the intranet from intrusion by illegitimate users. A firewall mainly consists of four parts: service access rules, authentication tools, packet filtering and application gateways. A firewall is software or hardware located between a computer and the network it is connected to; all network traffic and data packets flowing into or out of the computer pass through it. In networking, a "firewall" refers to a way of separating an intranet from a publicly accessible network (such as the Internet), which is essentially an isolation technique. A firewall is an access control measure applied when two networks communicate: it lets the people and data you "agree to" enter your network, keeps the people and data you "disagree with" out, and prevents attackers on the network from accessing your network as far as possible. In other words, without passing through the firewall, a person inside the company cannot access the Internet, and a person on the Internet cannot communicate with a person inside the company.
Structurally, firewalls fall into two categories: the proxy architecture and the router plus filter architecture. In principle, firewalls can be divided into four types: specially designed hardware firewalls, packet-filtering firewalls, circuit-level gateways and application-level gateways. A firewall system with high security performance combines several types of firewall to build multiple lines of defence.
Ping is a command available on Windows, Unix and Linux systems. Ping also belongs to a communication protocol and is part of the TCP/IP protocol suite. The ping command can be used to check whether the network is connected, and helps in analysing and diagnosing network faults.
Ping (Packet Internet Groper) is a program for testing network connectivity. Ping sends an ICMP (Internet Control Message Protocol) echo request message to the destination and reports whether the expected ICMP echo reply is received. It is a command for checking whether the network is reachable and how fast the network connection is.
Currently, with the growth of network security risks such as viruses, trojans and malicious attacks, the existing technical specifications, operating rules and security protection measures used during the operation and maintenance of the telecontrol system of a power secondary system lag behind, and security accidents easily occur, such as loss of security control over the maintenance computer (control end), failure of the isolation between the internal and external networks, the carrying-in and injection of viruses, and attack programs reaching the dedicated internal network.
Through practical research on the power industry and a search of related patents, it is found that the current operation and maintenance management of the power secondary system, and in particular of the telecontrol system, lags behind the development of security technology in the IT industry, and that technology choices capable of normalised security management are quite deficient. When maintenance operations are carried out on the telecontrol system of the power secondary system, a safer protection system is needed that can supervise the whole process, ensure the security and controllability of the operation and maintenance equipment and the implementation of the network isolation strategy, and use a dynamic firewall to prevent unauthorised accesses of all kinds from penetrating the protected area.
Disclosure of Invention
To solve these problems, the invention provides an operation and maintenance terminal security guarantee system for the telecontrol operation and maintenance of an electric power secondary system, providing a high-standard security protection system.
The technical scheme of the invention is as follows: a method for a safety operation and maintenance gateway for the telecontrol operation and maintenance of a power secondary system comprises the following steps:
operation and maintenance safety monitoring is carried out on the system through the matched special operation and maintenance tool on the operation and maintenance terminal;
the telecontrol control end controls the telecontrol execution end in real time according to the monitoring condition of the matched special operation and maintenance tool;
the invention provides a construction method for a safety operation and maintenance gateway system for the telecontrol operation and maintenance of an electric power secondary system; a complete technical product has been formed through verification in a real environment, providing a higher-standard security protection system for the operation and maintenance of the telecontrol system of the electric power secondary system.
The invention can be applied to the field of telecontrol operation and maintenance of the power secondary system and, with targeted optimisation and adjustment at a later stage, to the operation and maintenance of further fields of the power secondary system; it can provide broader and deeper protection for the safe production of the power system, and has good prospects for technical development, industrial application and the market.
The operation and maintenance terminal and the telecontrol execution end obtain firewall, routing and gateway services for their network connection through an operation and maintenance gateway; the operation and maintenance gateway is controlled by a gateway control system, which is responsible for providing interface services to the operation and maintenance gateway agent, managing the connection session state of the operation and maintenance gateway agent through a TCP/IP connection session, and helping the operation and maintenance gateway decide, through a source account mapping record table, which network requests receive routing and gateway services;
Depending on the actual requirements of telecontrol of the power secondary system and on the manufacturers/models/specifications of the selected hardware devices and matching control systems, the telecontrol control end 100 of the present invention exists in many control-end systems and versions. The design of the present invention can adapt to their use; their implementation and design are not design points of the present invention, so a detailed description is omitted.
The telecontrol execution end 200 receives and executes the remote control and remote regulation commands, and acquires and transmits the telemetry and remote signalling information, of the telecontrol power secondary system. Because actual management requirements and the manufacturers/models/specifications of the selected hardware equipment and matching control systems differ, many execution-end systems and versions exist.
The telecontrol channel 300 has various options according to the telecontrol communication distance, the communication mode and the relevant technical standards of the power secondary system. The design of the invention can adapt to their use; their realisation and design are not design points of the invention, so a detailed description is omitted.
The operation and maintenance terminal 400 is computer equipment. It may run different types of operating system that comply with the security standards required by the national general scheme for the security protection of power secondary systems, and must be able to run the special operation and maintenance tool 401 matched to the telecontrol execution end 200.
According to the design requirements of the system, the operation and maintenance terminal 400 needs to install an operation and maintenance gateway agent 413 that supports the operating environment of the device's operating system.
From the moment it is started, the operation and maintenance gateway agent 413 is responsible for connecting to the gateway control system 513, and helps the operation and maintenance personnel log in to the gateway control system 513 with the correct account and password, so that the operation and maintenance gateway 500 provides normal service for the operation and maintenance work of the current operation and maintenance terminal 400.
During operation and maintenance, the operation and maintenance personnel first start the operation and maintenance gateway agent 413.
The operation and maintenance gateway agent 413 connects to the gateway control system 513, logs in and establishes a session according to the interface of the gateway control system 513 of the operation and maintenance gateway 500, decides according to its own control logic whether to actively close the session, and passively closes the session in response to the state of the gateway control system 513.
The operation and maintenance gateway agent 413 interfaces and interacts with the gateway control system 513 over a TCP/IP long connection, which provides a login interface (request and response), client close connection (closing initiated by the operation and maintenance gateway agent 413), server close connection (closing initiated by the gateway control system 513), and a close notification (either the client or the server may send it to notify the other side that the connection is about to be closed).
After establishing the connection with the gateway control system 513, the operation and maintenance gateway agent 413 interacts with it through the interface of the gateway control system 513.
In the login process of the operation and maintenance gateway agent 413, the correct IP address IP_513 and service port Port_513 of the gateway control system 513 must first be entered; then, after the correct operation and maintenance user name Account_YunWei and password Password_YunWei have been entered, the login button is clicked. The operation and maintenance gateway agent 413 then establishes a TCP/IP connection with the gateway control system 513, calls the login interface of the gateway control system 513, and sends Account_YunWei and Password_YunWei to the gateway control system 513 over the current TCP/IP connection. After receiving the login interface request, the gateway control system 513 authenticates the received Account_YunWei and Password_YunWei against the account and password pre-stored in the gateway control system. If the authentication result is correct, it replies to the operation and maintenance gateway agent 413 with a login success instruction through the login interface response command and keeps the connection in the available state; if the authentication result is wrong, it replies to the operation and maintenance gateway agent 413 with a login failure instruction through the login interface response command and immediately closes the current connection.
The gateway control system 513 terminates its continued service to the operation and maintenance gateway agent 413 according to its own control logic in one of two ways. The first is that the gateway control system 513 sends a "close notification" to the operation and maintenance gateway agent 413 over the current TCP/IP connection according to the interface standard (after the notification is sent, the gateway control system immediately closes the current connection, i.e. "server close connection"); the second is that the current TCP/IP connection is closed directly, i.e. "server close connection". After receiving the "close notification", the operation and maintenance gateway agent 413 should immediately perform "client close connection"; when the operation and maintenance gateway agent 413 finds that the server side of the current TCP/IP connection has closed, it should likewise immediately perform "client close connection".
After a successful login, the gateway control system 513 accepts the access of the operation and maintenance terminal 400 represented by the operation and maintenance gateway agent 413, identified by its IP address, and records the relevant information in the source account mapping record table 900.
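As an added illustration, not code from the patent, the following Python model reproduces the login, close and record-table behaviour just described, together with the per-source-IP lookup and target account/time checks that the firewall and routing systems perform in the working flow described below. The account store, password hashing, and the shape of the target permission tables are assumptions; the sample accounts and addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def hash_password(password: str) -> str:
    """Pre-stored credential form assumed here (the patent only says the
    account and password are pre-stored in the gateway control system)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class MappingRecord:
    """One row of the source account mapping record table 900: the fields
    the firewall/router read back by source IP."""
    source_ip: str
    login_time: float
    account: str
    authenticated: bool


class GatewayControlSystem:
    """Models gateway control system 513: the login interface, the session
    state of each agent connection, and maintenance of the record table."""

    def __init__(self, accounts: Dict[str, str]):
        self._accounts = accounts      # account -> hash_password(password)
        self._sessions = {}            # open connection id -> source IP
        self.mapping_table = {}        # source IP -> MappingRecord

    def login(self, conn_id: int, source_ip: str, account: str,
              password: str, now: float) -> Dict[str, str]:
        """Login interface request: success keeps the connection available
        and records the source; failure is replied and the connection closed."""
        stored = self._accounts.get(account, hash_password(""))
        ok = account in self._accounts and hmac.compare_digest(
            stored, hash_password(password))
        if not ok:
            self.close(conn_id, notify=False)
            return {"result": "login failure", "connection": "closed"}
        self._sessions[conn_id] = source_ip
        self.mapping_table[source_ip] = MappingRecord(
            source_ip, now, account, True)
        return {"result": "login success", "connection": "available"}

    def close(self, conn_id: int, notify: bool) -> Optional[str]:
        """Connection closed (server close, client close or network drop):
        the session's authentication is disabled and its record deleted.
        Returns the close notification text when the server sends one first."""
        source_ip = self._sessions.pop(conn_id, None)
        if source_ip is not None:
            self.mapping_table.pop(source_ip, None)
        return "close notification" if notify else None

    def lookup(self, source_ip: str) -> Optional[MappingRecord]:
        """Record fetch performed by firewall 511 / router 512 per source IP."""
        return self.mapping_table.get(source_ip)


def firewall_check(gcs: GatewayControlSystem, source_ip: str, target_ip: str,
                   now: float,
                   target_accounts: Dict[str, Set[str]],
                   target_windows: Dict[str, Tuple[float, float]]) -> bool:
    """Target authorized account and authorized time checks on a request
    whose TCP/IP initiator is source_ip. The two permission tables are
    assumed structures; the patent names the checks but not their storage."""
    rec = gcs.lookup(source_ip)
    if rec is None or not rec.authenticated:
        return False                   # no record: source is not logged in
    if rec.account not in target_accounts.get(target_ip, set()):
        return False                   # account not authorized for target
    start, end = target_windows.get(target_ip, (0.0, -1.0))
    return start <= now <= end         # outside the authorized window: deny


if __name__ == "__main__":
    # Constructed sample session: one agent, one target, one time window.
    gcs = GatewayControlSystem({"yunwei01": hash_password("s3cret-example")})
    print(gcs.login(1, "10.0.0.5", "yunwei01", "wrong", 1000.0))
    print(gcs.login(1, "10.0.0.5", "yunwei01", "s3cret-example", 1000.0))
    acl = {"192.168.2.10": {"yunwei01"}}
    win = {"192.168.2.10": (900.0, 1100.0)}
    print(firewall_check(gcs, "10.0.0.5", "192.168.2.10", 1050.0, acl, win))
    print(gcs.close(1, notify=True), gcs.lookup("10.0.0.5"))
```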
According to the design requirements of this system, the operation and maintenance gateway 500 of the present invention comprises: a firewall system 511, a gateway routing system 512 and a gateway control system 513.
The basic functions of the operation and maintenance gateway 500 are those of a gateway and a router (realised by the gateway routing system 512), and both gateway and NAT modes must be supported in the corresponding working modes. The computer hardware of the operation and maintenance gateway 500 must have dual network cards and dual network ports; other configuration follows common computer configurations. The operating system of the operation and maintenance gateway 500 may be any of several types that comply with the security specifications required by the national general scheme for the security protection of power secondary systems. The core gateway and router software of the operation and maintenance gateway 500 belongs to the standardised proxy server and router functions of current IT technology, for which mature software products and open source code exist in the industry (such as Nginx, DD-WRT, Tomato, OpenWrt, OPNsense, pfSense and the like), offering multiple choices. The detailed implementation of the hardware, operating system and core software is supported by many manufacturers and models and does not belong to the design points of the invention, so a detailed description is omitted.
The overall working flow of the operation and maintenance gateway 500 in the invention is as follows:
a) the firewall system 511 and the gateway routing system 512 are driven by their own rules to provide firewall services and gateway routing services, and perform additional target authorization time permission check, target authorization account permission check, and the like according to corresponding design requirements. The firewall system 511 and the gateway routing system 512 are configured to obtain, according to their own needs and according to a source IP of a network request obtained in a service process, corresponding records from the source account mapping record table 900 in a process of providing a service for the operation and maintenance terminal 400, so as to obtain information (source IP, login time, login account, authentication result) of a source device (the operation and maintenance terminal 400) of the network request, and use the information in their own logical judgment, such as checking a target authorized account permission and other checks;
b) when the operation and maintenance gateway agent 413 is actively closed, when the gateway control system 513 initiates a server-side close of the connection, or when the TCP/IP connection between the operation and maintenance gateway agent 413 and the gateway control system 513 is closed because of network instability, the authentication of the current login session is invalidated, the corresponding record in the source account mapping record table 900 is deleted, and the firewall system 511 and the gateway routing system 512 find no corresponding record and therefore treat the source as not logged in (no legitimate account is in the logged-in state, so the network access can only match rules whose authorized account entry in the target authorized account permission table accepts any account);
c) the firewall system 511 acts as the outer layer of protection of the operation and maintenance gateway 500 and continuously protects all accesses to the operation and maintenance gateway 500;
d) when checking a network request, the firewall system 511 takes the initial initiator (client) of the TCP/IP connection as the source and the server as the target, rather than the source and target address pairs of an individual IP packet;
e) The firewall system 511 performs security check on the network request arriving at the operation and maintenance gateway 500, releases the network request meeting the release requirement, and allows the network request to go to the gateway routing system 512 or forwards the network request through the gateway routing system 512;
f) the operation and maintenance personnel starts the operation and maintenance gateway agent 413 of the operation and maintenance terminal 400, after the security check of the firewall system 511, the login is completed through the butted gateway control system 513, the authentication is successful, the TCP/IP connection between the operation and maintenance gateway agent 413 and the gateway control system 513 keeps a connection (session) state, and once the connection is closed, the current authentication is invalid;
g) the gateway control system 513 stores the information of successful login in the source account mapping record table 900, and deletes corresponding records from the source account mapping record table 900 once authentication fails;
h) the operation and maintenance personnel start the operation and maintenance special tool 401, send a network request by operating the operation and maintenance special tool 401, and after the security check of the firewall system 511, the network request can reach the operation and maintenance gateway 500;
i) if the network request initiated by the operation and maintenance special tool 401 is rejected by the firewall 511 and cannot reach the gateway routing system 512, the forwarding service of the operation and maintenance gateway 500 cannot be obtained;
j) after the network request reaches the gateway routing system 512, the network request is forwarded by the gateway routing system 512 according to rules of gateway and routing, and a source address pair and a target address pair in the network request need to be converted according to an NAT working mode, and the network request is forwarded after the conversion is completed;
k) the firewall system 511 does not perform additional security checks on network requests forwarded via the gateway routing system 512.
In the rule settings of the firewall system 511 (source target authorization table, target authorization time permission table, target authorization account permission table), the operation and maintenance gateway 500 allows free access (all sources, all times, all accounts) only to the external service network address pair IP_513:Port_513 of the gateway control system 513:
a) source target authorization table 600 (source IP 601: "*", source port 602: "*", target IP 603: "IP_513", target port 604: "Port_513", operation option 606: "pass-through")
b) target authorized time permission table 700 (target IP 701: "IP_513", target port 702: "Port_513", date 704: "*", time period 705: "*")
c) target authorized account permission table 800 (target IP 801: "IP_513", target port 802: "Port_513", authorized account 804: "*")
The gateway control system 513 is responsible for starting the firewall system 511 and the gateway routing system 512, so as to provide gateway and routing services for the operation and maintenance terminal 400 accessing the operation and maintenance gateway 500.
The operation and maintenance gateway agent 413 interfaces and interacts with the gateway control system 513 over a TCP/IP long connection, which provides a login interface (request and response), a client-side connection close (initiated by the operation and maintenance gateway agent 413), a server-side connection close (initiated by the gateway control system 513), and a close notification.
The gateway control system 513 is used as a daemon process of the operation and maintenance gateway 500, and automatically starts the system after the equipment is started;
after the gateway control system 513 is started, it is responsible for starting the firewall system 511 and the gateway routing system 512, and protecting and serving external access of the operation and maintenance gateway 500;
the gateway control system 513 obtains its own IP address IP_513 (equivalent to IP500_Wai) from the configuration of its environment and listens on a pre-configured Port_513;
the gateway control system 513 listens on IP_513:Port_513 of the operation and maintenance gateway 500 according to the design requirements of the system and waits for TCP/IP connections from the operation and maintenance gateway agent 413.
a) after accepting a TCP/IP connection from the operation and maintenance gateway agent 413, the gateway control system creates a thread to serve the current connection independently, ensuring that the transactions with the operation and maintenance gateway agent 413 on that TCP/IP connection are processed in time;
b) from the TCP/IP connection mechanism, the gateway control system 513 obtains the IP address IP_413 of the operation and maintenance gateway agent 413 on the current connection;
c) the operation and maintenance gateway agent 413 sends the operation and maintenance user name Account_YunWei and the password Password_YunWei to the gateway control system 513 through the login interface of the gateway control system 513, and the gateway control system 513 performs authentication;
when the authentication of Account_YunWei and Password_YunWei fails, the gateway control system 513 replies a login failure instruction to the operation and maintenance gateway agent 413 through the login interface response command and immediately closes the current connection;
when the authentication of Account_YunWei and Password_YunWei succeeds, it replies a login success instruction to the operation and maintenance gateway agent 413 through the login interface response command and keeps the connection in the available state;
d) after successful authentication, the gateway control system 513 writes the current login record (IP_413, authentication success time in the format "yyyy-mm-dd hh24:mi:ss", Account_YunWei, "success") into the source account mapping record table 900 of the operation and maintenance gateway 500.
The source account mapping record table 900 has 4 records in its example: record 911, record 912, record 913 and record 914. Each record contains the following items: source IP 901, login time 902, login account 903, authentication result 904 (effectively a remark, since only records whose login authentication result is success are stored in the table).
a) The source IP 901 of each record is the IP of the corresponding operation and maintenance gateway agent 413, a single exact IP address.
b) The login time 902 of each record is the time at which the login of the corresponding operation and maintenance gateway agent 413 succeeded.
c) The login account 903 of each record is the account used in the login request of the corresponding operation and maintenance gateway agent 413.
The source account mapping record table 900 is only accessed by the gateway control system 513, the firewall system 511 and the gateway routing system 512 of the operation and maintenance gateway 500; the gateway control system 513 is responsible for maintaining data records therein (including creating new records and deleting existing records), the firewall system 511 only reads data therein for its own logical judgment, and the gateway routing system 512 only reads data therein for its own logical judgment.
When the gateway control system 513 receives, on a TCP/IP connection, a client-side close request (close initiated by the operation and maintenance gateway agent 413) or a close notification, it looks up the client IP address of that connection, i.e. the IP address IP_413 used by the corresponding operation and maintenance gateway agent 413, and directly deletes all records in the source account mapping record table 900 whose source IP equals IP_413.
When the gateway control system 513, in special situations (for example manual intervention by an administrator), wants to close the connection of a specific operation and maintenance gateway agent 413, it first directly deletes all records in the source account mapping record table 900 whose source IP equals the IP address IP_413 of that operation and maintenance gateway agent 413, then sends a server-side connection close interface command to the gateway agent 413 over the corresponding connection, and then directly closes the TCP/IP connection.
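The per-connection session handling of the gateway control system 513 described in steps a) to d) and in the two closing paths above, as an added Python example that is not part of the patent. The line-based messages (LOGIN / LOGIN_OK / LOGIN_FAIL / CLOSE / SERVER_CLOSE), the credential store and the socketpair driver are assumptions, since the patent specifies neither the wire format nor the authentication backend.

```python
import hmac
import socket
import threading
from datetime import datetime

# Constructed credential store; the patent leaves the backend that verifies
# Account_YunWei / Password_YunWei unspecified (a real one would store hashes).
CREDENTIALS = {"beijing_zhangsan": "constructed-secret"}

mapping_table = []   # table 900 records: (source IP, login time, login account, result)
sessions = {}        # source IP -> live connection, used for the server-initiated close
_lock = threading.Lock()

def logged_in_account(src_ip):
    """What firewall 511 / routing 512 see: the login account of the first record for src_ip."""
    with _lock:
        for ip, _login_time, account, _result in mapping_table:
            if ip == src_ip:
                return account
    return None

def _delete_records(src_ip):
    """Delete every table 900 record whose source IP equals src_ip."""
    with _lock:
        mapping_table[:] = [r for r in mapping_table if r[0] != src_ip]

def serve_connection(conn, src_ip):
    """One thread per accepted connection (step a); src_ip is IP_413 taken from the connection (step b)."""
    f = conn.makefile("rwb")
    with _lock:
        sessions[src_ip] = conn
    try:
        parts = f.readline().decode(errors="replace").split()   # "LOGIN account password"
        if (len(parts) != 3 or parts[0] != "LOGIN" or not hmac.compare_digest(
                CREDENTIALS.get(parts[1], "").encode(), parts[2].encode())):
            f.write(b"LOGIN_FAIL\n")           # step c, failure: reply, then close at once
            f.flush()
            return
        with _lock:                            # step d: (IP_413, time, account, "success")
            mapping_table.append((src_ip, datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
                                  parts[1], "success"))
        f.write(b"LOGIN_OK\n")
        f.flush()
        while True:                            # authentication lasts as long as the connection
            line = f.readline()
            if line == b"" or line.strip() == b"CLOSE":   # closing notification / client close
                return
    except OSError:
        pass                                   # peer vanished: same as a closing notification
    finally:
        _delete_records(src_ip)                # the source is now "not logged in" for 511/512
        with _lock:
            sessions.pop(src_ip, None)
        try:
            f.close()
        except OSError:
            pass
        conn.close()

def server_close(src_ip):
    """Server-initiated close: delete the records first, notify the agent, then close."""
    with _lock:
        conn = sessions.get(src_ip)
    if conn is None:
        return False
    _delete_records(src_ip)
    try:
        conn.sendall(b"SERVER_CLOSE\n")
        conn.shutdown(socket.SHUT_RDWR)        # wakes the serving thread, which closes the socket
    except OSError:
        pass
    return True

def run_session(src_ip, account, password, close_by="client"):
    """Driver playing the agent 413 side: (replies seen, account while connected, account after close)."""
    server_end, agent_end = socket.socketpair()
    worker = threading.Thread(target=serve_connection, args=(server_end, src_ip))
    worker.start()
    agent = agent_end.makefile("rwb")
    agent.write(f"LOGIN {account} {password}\n".encode())
    agent.flush()
    replies = [agent.readline()]
    during = logged_in_account(src_ip)
    if replies[0] == b"LOGIN_OK\n":
        if close_by == "server":
            server_close(src_ip)
        else:
            agent.write(b"CLOSE\n")
            agent.flush()
    while replies[-1] != b"":                  # drain until the gateway side closes
        replies.append(agent.readline())
    worker.join()
    agent.close()
    agent_end.close()
    return replies, during, logged_in_account(src_ip)

if __name__ == "__main__":
    print(run_session("192.168.1.105", "beijing_zhangsan", "constructed-secret"))
    print(run_session("192.168.1.105", "beijing_zhangsan", "constructed-secret", close_by="server"))
    print(run_session("192.168.1.106", "beijing_zhangsan", "wrong"))
```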
The firewall system 511 may be a standardized software product of a current security manufacturer (e.g., star, green alliance, security, etc.), a software firewall shipped with the operating system (e.g., Iptables/Netfilter on Linux, IPCop running on Linux, etc.), or an open source firewall such as Shorewall, Vuurmuur, pfSense, IPFire, Smoothwall and the like. The detailed implementation is supported by many manufacturers and models, and these implementation details are not design points of the invention, so their detailed description is omitted.
The firewall system 511 is started immediately as a power-on self-start service when the operation and maintenance gateway 500 is started.
The firewall system 511 performs security checks against the following authorization tables at the same time:
a) source target authorization table 600
b) target authorized time permission table 700
c) target authorized account permission table 800
The authorization tables of the firewall system 511 (source target authorization table 600, target authorized time permission table 700, target authorized account permission table 800) can be configured by other management programs through the configuration management interface of the core software of the firewall system 511 (the configuration management interface is provided by the software itself; its implementation details are not design points of the present invention, so their detailed description is omitted).
The source target authorization table 600 has 8 rules in its example: rule 611, rule 612, rule 613, rule 614, rule 615, rule 616, rule 617 and rule 618. Each rule contains the following rule items: source IP 601, source port 602, target IP 603, target port 604, service description 605, operation option 606.
a) For each network access, the rules are checked one by one in numbering order;
when a matching (compliant) rule with operation option 606 "deny" is found, the network access is prohibited and subsequent rules are not checked;
when a matching (compliant) rule with operation option 606 "pass-through" is found, the network access is allowed and subsequent rules are not checked.
b) The source IP 601 and the source port 602 are the source check rule items of the current rule.
The source IP 601 checks the IP address of the initiator of the network access: "*" matches all IP addresses; "192.168.1.*" matches all IP addresses beginning with "192.168.1." (including "192.168.1.1", "192.168.1.2", up to "192.168.1.255"); "192.168.1.100-110" matches all IP addresses between "192.168.1.100" and "192.168.1.110" (including "192.168.1.100", "192.168.1.101", up to "192.168.1.110"). Both representations, "*" and "-", may also occur elsewhere in the configuration rules.
The source port 602 is the port of the initiator of the network access; because the initiator's port is usually allocated dynamically by the protocol implementation, it is generally not checked, and "*" indicates that all ports match the rule item.
c) The target IP 603 and the target port 604 are the target check rule items of the current rule.
The target IP 603 checks the target IP address of the network access: "*" matches all IP addresses; "10.1.1.201" matches strictly the single address "10.1.1.201"; "10.1.1.201-205" matches all IP addresses in the interval "10.1.1.201" to "10.1.1.205" (including "10.1.1.201", "10.1.1.202", up to "10.1.1.205"). Both representations, "*" and "-", may also occur elsewhere in the configuration rules.
The target port 604 checks the target port of the network access: "*" matches all ports (no rule in the current example uses this configuration); "80" matches strictly the single port 80; "9001-" denotes a port range;
d) The service description 605 is a remark describing the service of the target port of the current rule and is not used for checking. For example, "HTTP" in the service description 605 of rule 611 indicates that the service at the access target of the current rule (target IP 603 "10.1.1.201", target port 604 "80") is the "HTTP service"; "internal service" in the service description 605 of rule 614 indicates that the service at the access target of the current rule (target IP 603 "10.1.1.201-205", target port 604 "9001-") is an "internal service"; the other rules carry remarks in the same way.
e) Only when a network access matches all 4 rule items of a rule, source IP 601, source port 602, target IP 603 and target port 604, is it judged to match the rule, and it is then treated according to the operation option of that rule;
f) if no rule in the source target authorization table 600 matches a network access, the network access is prohibited;
The target authorized time permission table 700 has 4 rules in its example: rule 711, rule 712, rule 713 and rule 714. Each rule contains the following rule items: target IP 701, target port 702, service description 703, date 704, time period 705.
a) For each network access passed by the firewall system 511, the rules of the target authorized time permission table 700 are checked in numbering order; when a matching rule is found, the network access is allowed and subsequent rules are not checked. If no matching rule is found, the network access is prohibited.
b) The target IP 701 and the target port 702 are the target check rule items of the current rule and represent the network address pair of the target resource.
The target IP 701 checks the target IP address of the network access: "*" matches all IP addresses; "10.1.1.201" matches strictly the single address "10.1.1.201"; "10.1.1.201-205" matches all IP addresses between "10.1.1.201" and "10.1.1.205" (including "10.1.1.201", "10.1.1.202", up to "10.1.1.205"). Both representations, "*" and "-", may also occur elsewhere in the configuration rules. As long as the target IP address of the current network access belongs to the data set of this rule item, the rule item is judged to match.
The target port 702 checks the target port of the network access: "*" matches all ports (no rule in the current example uses this configuration); "80" matches strictly the single port 80; "9001-" denotes a port range. As long as the target port of the current network access is in the data set of this rule item, the rule item is judged to match.
c) The service description 703 is a remark describing the service of the target resource of the current rule and is not used for checking.
d) The date 704 and the time period 705 configure the times at which access is permitted under the current rule. The current date at which the network access occurs is compared with the date 704, and the current time with the time period 705; only when both the current date and the current time fall within the date 704 and the time period 705 of the current rule are the date 704 and time period 705 rule items considered matched.
The date 704 is the set of dates on which network access is permitted and has several representations: "*" means all dates; weekday names may be used, e.g. "Monday, Tuesday, Wednesday, Thursday" means those four days of every week; specific dates may be used, e.g. "2018/8/8, 2018/8/9" means those two days; and a mixed representation may be used, e.g. "Monday, Tuesday, 2018/8/10-2018/8/30" means every Monday and Tuesday plus the days from August 10, 2018 to August 30, 2018. As long as the current access date is in the data set of this rule item, the rule item is judged to match.
The time period 705 is the set of times of day at which network access is permitted, expressed in 24-hour format with minute precision, and has several representations: "*" means any time of the day; time periods may be used, e.g. "9:00-12:00, 14:00-17:00" means the working hours from 9:00 to 12:00 and from 14:00 to 17:00 every day; the rest follows by analogy. As long as the current access time is in the data set of this rule item, the rule item is judged to match.
e) Only when the network access being checked matches all 4 rule items of a rule, target IP 701, target port 702, date 704 and time period 705, is it judged to match the rule, and it is then allowed and released; the implementation of the normal access procedure is not the gist of the present invention, so its detailed description is omitted.
The target authorized account permission table 800 has 3 rules in its example: rule 811, rule 812 and rule 813. Each rule contains the following rule items: target IP 801, target port 802, service description 803, authorized account 804.
a) For each network access passed by the firewall system 511, the rules of the target authorized account permission table 800 are checked in numbering order; when a matching rule is found, the network access is allowed and subsequent rules are not checked. If no matching rule is found, the network access is prohibited.
b) The target IP 801 and the target port 802 are the target check rule items of the current rule and represent the network address pair of the target resource.
The target IP 801 checks the target IP address of the network access: "*" matches all IP addresses; "10.1.1.201" matches strictly the single address "10.1.1.201"; "10.1.1.201-205" matches all IP addresses between "10.1.1.201" and "10.1.1.205" (including "10.1.1.201", "10.1.1.202", up to "10.1.1.205"). Both representations, "*" and "-", may also occur elsewhere in the configuration rules. As long as the target IP address of the current network access belongs to the data set of this rule item, the rule item is judged to match.
The target port 802 checks the target port of the network access: "*" matches all ports (no rule in the current example uses this configuration); "80" matches strictly the single port 80; "9001-" denotes a port range. As long as the target port of the current network access is in the data set of this rule item, the rule item is judged to match.
c) The service description 803 is a remark describing the service of the target resource of the current rule and is not used for checking.
d) The authorized account 804 is the account permission configuration of the current rule.
The authorized account 804 is the data set against which the account Account_Cur of the network access is checked and has several representations: "*" means all accounts; an account list may also be used. For example, "manager_1, manager_2" means that the match passes if Account_Cur is one of the accounts (manager_1 or manager_2) in the data set of the authorized account 804 of the current rule; "admin, beijing_zhangsan, hangzhou_lisi" represents the data set of these three specific accounts, and if Account_Cur belongs to this data set (i.e. equals one of them) the match is considered passed. As long as the account Account_Cur used by the current network access is in the data set of this rule item, the rule item is judged to match.
For a network access, the firewall extracts the source IP according to the TCP/IP mechanism and, using the source IP as the check condition, searches the source account mapping record table 900 record by record for records whose source IP equals the current source IP;
if a matching record is found in the source account mapping record table 900, the login account of the first record meeting the check condition (the source IP of the record equals the source IP of the current network access) is taken as the account of the current network access; if no matching record is found in the source account mapping record table 900, the current network access is considered to have no account;
an authorized account 804 of "*" in the target authorized account permission table 800 is regarded as matching the account of every network access (including network accesses with no account or not logged in), and the check result is that the match passes;
if the authorized account 804 of the target authorized account permission table 800 is a set of specific accounts (not "*"), the current network access must have a login account found in the source account mapping record table 900, and that login account must equal one of the accounts in the authorized account 804, for the check result to be that the match passes;
e) only when the network access being checked matches all 3 rule items of a rule at the same time, target IP 801, target port 802 and authorized account 804, is it judged to match the rule, and it is then allowed and released for normal access through the firewall system 511; the implementation of the normal access procedure is not the gist of the present invention, so its detailed description is omitted.
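The three-table check of the firewall system 511 described above (tables 600, 700 and 800 with the "*", prefix and range representations, plus the account lookup in table 900), as an added Python example that is not part of the patent. The rule values are constructed after rules 611/614 and the free-access rule for the gateway control system 513 (10.1.1.1:9999 stands in for IP_513:Port_513 and the port range 9001-9010 is made up); the decision function and its reason strings are assumptions.

```python
from datetime import datetime

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
def ip_matches(pattern, ip):
    """IP item: "*", exact "10.1.1.201", prefix "192.168.1.*" or last-octet range "192.168.1.100-110"."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return ip.startswith(pattern[:-1])
    if "-" in pattern:
        start, hi = pattern.rsplit("-", 1)
        prefix, lo = start.rsplit(".", 1)
        ip_prefix, ip_last = ip.rsplit(".", 1)
        return ip_prefix == prefix and int(lo) <= int(ip_last) <= int(hi)
    return ip == pattern

def port_matches(pattern, port):
    """Port item: "*", a single port "80" or a range "9001-9010"."""
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)

def date_matches(pattern, when):
    """Date 704: "*", weekday names, "2018/8/8", ranges "2018/8/10-2018/8/30" or a comma-separated mix."""
    for item in (p.strip() for p in pattern.split(",")):
        if item == "*" or (item in WEEKDAYS and WEEKDAYS[when.weekday()] == item):
            return True
        if item not in WEEKDAYS:
            lo, _, hi = item.partition("-")
            lo = datetime.strptime(lo, "%Y/%m/%d").date()
            hi = datetime.strptime(hi, "%Y/%m/%d").date() if hi else lo
            if lo <= when.date() <= hi:
                return True
    return False

def time_matches(pattern, when):
    """Time period 705: "*" or periods like "9:00-12:00, 14:00-17:00" (24-hour, minute precision)."""
    now = when.hour * 60 + when.minute
    for item in (p.strip() for p in pattern.split(",")):
        if item == "*":
            return True
        lo, hi = [int(h) * 60 + int(m) for h, m in (t.split(":") for t in item.split("-", 1))]
        if lo <= now <= hi:
            return True
    return False

# Constructed sample rules patterned on rules 611/614 and the free-access rule for the gateway
# control system 513: 10.1.1.1:9999 stands in for IP_513:Port_513, "9001-9010" is made up.
TABLE_600 = [  # (source IP 601, source port 602, target IP 603, target port 604, service 605, option 606)
    ("*", "*", "10.1.1.1", "9999", "gateway control 513", "pass-through"),
    ("192.168.1.*", "*", "10.1.1.201", "80", "HTTP", "pass-through"),
    ("192.168.1.100-110", "*", "10.1.1.201-205", "9001-9010", "internal service", "pass-through"),
    ("*", "*", "*", "*", "everything else", "deny"),
]
TABLE_700 = [  # (target IP 701, target port 702, service 703, date 704, time period 705)
    ("10.1.1.1", "9999", "gateway control 513", "*", "*"),
    ("10.1.1.201", "80", "HTTP", "*", "*"),
    ("10.1.1.201-205", "9001-9010", "internal service",
     "Monday, Tuesday, 2018/8/10-2018/8/30", "9:00-12:00, 14:00-17:00"),
]
TABLE_800 = [  # (target IP 801, target port 802, service 803, authorized account 804)
    ("10.1.1.1", "9999", "gateway control 513", "*"),
    ("10.1.1.201", "80", "HTTP", "*"),
    ("10.1.1.201-205", "9001-9010", "internal service", "admin, beijing_zhangsan, hangzhou_lisi"),
]
TABLE_900 = [  # (source IP 901, login time 902, login account 903, authentication result 904)
    ("192.168.1.105", "2018-08-13 09:30:00", "beijing_zhangsan", "success"),
]
def login_account(src_ip):
    """Login account of the first table 900 record with this source IP, else None (not logged in)."""
    return next((acct for ip, _t, acct, _r in TABLE_900 if ip == src_ip), None)

def check_access(src_ip, src_port, dst_ip, dst_port, when):
    """Firewall 511 decision for one connection (when is "yyyy-mm-dd hh:mm:ss"): (allowed, reason)."""
    when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    # Table 600: the first rule matching all four items decides by its operation option.
    for s_ip, s_port, t_ip, t_port, _svc, action in TABLE_600:
        if (ip_matches(s_ip, src_ip) and port_matches(s_port, src_port)
                and ip_matches(t_ip, dst_ip) and port_matches(t_port, dst_port)):
            if action == "deny":
                return False, "denied by source target authorization table 600"
            break
    else:
        return False, "no matching rule in source target authorization table 600"
    # Table 700: a rule matches only when target, date and time period all hold; none means deny.
    if not any(ip_matches(t_ip, dst_ip) and port_matches(t_port, dst_port)
               and date_matches(date, when) and time_matches(period, when)
               for t_ip, t_port, _svc, date, period in TABLE_700):
        return False, "outside target authorized time permission table 700"
    # Table 800: the account comes from table 900 via the source IP only; "*" also admits no account.
    account = login_account(src_ip)
    for t_ip, t_port, _svc, accounts in TABLE_800:
        if ip_matches(t_ip, dst_ip) and port_matches(t_port, dst_port):
            allowed = [a.strip() for a in accounts.split(",")]
            if allowed == ["*"] or (account is not None and account in allowed):
                return True, f"pass-through (account {account})"
    return False, "no matching rule in target authorized account permission table 800"
```

Note that the logged-in source 192.168.1.105 is allowed into the internal service only during the configured Monday working hours, while an unauthenticated source in the same range is refused by table 800 even when tables 600 and 700 pass.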
The gateway routing system 512 receives the operation and maintenance instructions (the network requests initiated by the operation and maintenance personnel through the operation and maintenance special tool 401 from the operation and maintenance terminal 400), forwards them according to the corresponding forwarding mechanism and sends them to the specific telecontrol execution terminals (such as telecontrol execution terminal A, telecontrol execution terminal B, telecontrol execution terminal C and the like);
a) the operation and maintenance terminal 400 sets for the local computer a legal IP address IP_400 in the same network segment as IP500_Wai but not duplicating it, so that the operation and maintenance terminal 400 and the operation and maintenance gateway 500 can communicate once connected by a network cable;
b) the operation and maintenance gateway 500 has dual network cards and dual IPs: the IP address on the network outside the gateway is IP500_Wai and the IP address on the network inside the gateway is IP500_Nei;
c) when the operation and maintenance terminal 400 needs to communicate with telecontrol execution terminal A (201), under the rule constraints of the operation and maintenance gateway 500, the IP address of the operation and maintenance terminal is IP_400, and each time a TCP/IP connection is established with the telecontrol execution terminal a different Port_Dyn is allocated dynamically (the port denoted by Port_Dyn differs between connection sessions); the corresponding network connection (the recommended connection mode of the current power secondary system telecontrol channel 300 is a TCP/IP connection) is established according to the working mode of the operation and maintenance gateway 500 (two modes: gateway mode and NAT mode), and the subsequent operation and maintenance operations are then performed.
Mode 1 (gateway mode): the intranet IP address of telecontrol execution terminal A is IP_201, its listening port is Port_201, and its listening address pair is IP_201:Port_201; the address pairs at the two ends of the established TCP/IP connection are IP_400:Port_Dyn on the operation and maintenance terminal 400 side and IP_201:Port_201 on the telecontrol execution terminal A side.
Mode 2 (NAT mode): in NAT mode, the operation and maintenance gateway establishes on the outer network a NAT-translated listening address pair IP500_Wai:Port500_201 for the listening address pair IP_201:Port_201 of telecontrol execution terminal A on the inner network; the address pairs at the two ends of the established TCP/IP connection are IP_400:Port_Dyn on the operation and maintenance terminal 400 side and the NAT-translated address pair IP500_Wai:Port500_201 on the telecontrol execution terminal A side.
Connections between the operation and maintenance terminal 400 and the other telecontrol execution terminals are established in the same way.
d) When the operation and maintenance tool software 401 needs to access telecontrol execution terminal A, it selects the address pair corresponding to the working mode of the operation and maintenance gateway 500 as the connection target address: the listening address pair IP_201:Port_201 of telecontrol execution terminal A in mode 1 (gateway mode), and the NAT-translated address pair IP500_Wai:Port500_201 of telecontrol execution terminal A in mode 2 (NAT mode). Access to the other telecontrol execution terminals follows by analogy.
After the operation and maintenance tool software 401 has established the connection with telecontrol execution terminal A, the connection automatically passes through the relay of the operation and maintenance gateway 500 according to the network communication mechanism; over this connection, the instructions and information initiated by the operation and maintenance tool software are sent to telecontrol execution terminal A, and the information collected from telecontrol execution terminal A is sent back to the operation and maintenance tool software 401.
Compared with the prior art, the invention has the beneficial effects that:
the invention forms a strict and complete data transmission chain by integrating mature products of the security industry, manages and configures based on interfaces of the mature products in the industry, integrates a login process through a gateway control system, well integrates account management into the security inspection process of the whole security operation and maintenance through a mechanism of a source account mapping record table, well integrates the management of protection rules (source target authorization, target authorization time permission and target authorization account permission) of a firewall, forms a complete authorization system, and then safely sends an operation request/network access of an operation and maintenance special tool running on an operation and maintenance terminal to a target address (a remote execution end) through a gateway or NAT mode of the operation and maintenance gateway.
Meanwhile, the invention can also carry out auditing management with powerful functions by integrating more mature products at the later stage, can carry out extension design in the future, further integrates the monitoring, auditing and managing capabilities of all the systems, creates a more strengthened safe operation and maintenance management platform in the future, is used for wider fields, and provides powerful safety guarantee for the fields of related industries.
Drawings
Fig. 1 is a schematic diagram of the framework of the present invention.
Fig. 2 is a schematic diagram of the source target authorization table.
Fig. 3 is a schematic diagram of the target authorized time permission table.
Fig. 4 is a schematic diagram of the target authorized account permission table.
Fig. 5 is a schematic diagram of the source account mapping record table.
Detailed Description
The present embodiment is a method for a safety operation and maintenance gateway for telemechanical operation and maintenance of an electric power secondary system, as shown in fig. 1, including:
operation and maintenance safety monitoring is carried out on the system through the matched operation and maintenance special tool on the operation and maintenance terminal;
the telecontrol control terminal controls the telecontrol execution terminal in real time according to the monitoring condition of the matched operation and maintenance special tool;
the operation and maintenance terminal and the telecontrol execution terminal are connected over the network through an operation and maintenance gateway that provides firewall, routing and gateway services; the operation and maintenance gateway is controlled by a gateway control system, which is responsible for providing interface services to the operation and maintenance gateway agent, for managing the session state of the operation and maintenance gateway agent through the TCP/IP connection session, and for helping the operation and maintenance gateway decide, through the source account mapping record table, for which network requests to provide routing and gateway services;
the telecontrol control end 100 of the present invention exists in many control-end systems and versions, depending on the actual telecontrol requirements of the power secondary system and on the manufacturer/model/specification of the selected hardware devices and matching control systems; the design of the present invention adapts to their use, and their implementation and design are not the design points of the present invention, so a detailed description is omitted.
The telecontrol execution end 200 receives, executes, acquires and transmits the remote control, remote regulation, remote measurement and remote signaling instructions/information of the telecontrol power secondary system; because actual management requirements and the manufacturer/model/specification of the selected hardware equipment and matching control systems differ, many execution-end systems and versions exist.
The telecontrol channel 300 has various options depending on the telecontrol communication distance, the communication mode and the related technical standards of the power secondary system; the design of the invention adapts to their use, and their realization and design are not the design points of the invention, so a detailed description is omitted.
The operation and maintenance terminal 400 is computer equipment; according to the requirements of the national electric power secondary system safety protection general scheme, it may run different types of operating systems that comply with the safety standards, and it must support the operation of the operation and maintenance special tool 401 matched with the telecontrol execution end 200.
According to the design requirements of the system, the operation and maintenance terminal 400 must have installed an operation and maintenance gateway agent 413 that supports the operating environment of the device's operating system.
From the moment it is started, the operation and maintenance gateway agent 413 is responsible for connecting to the gateway control system 513 and helping the operation and maintenance personnel log in to the gateway control system 513 with the correct account and password, so that the operation and maintenance gateway 500 provides normal service for the operation and maintenance work of the current operation and maintenance terminal 400.
During the operation and maintenance process, the operation and maintenance personnel first start the operation and maintenance gateway agent 413.
The operation and maintenance gateway agent 413 connects to the gateway control system 513, logs in and establishes a session through the interface of the gateway control system 513 of the operation and maintenance gateway 500; it decides whether to actively close the session according to its own control logic, and passively closes the session in response to the state of the gateway control system 513.
The operation and maintenance gateway agent 413 interfaces and interacts with the gateway control system 513, and provides a login interface (request and response), a client closing connection (the operation and maintenance gateway agent 413 initiates closing), a server closing connection (the operation and maintenance gateway control system 513 initiates closing), and a closing notification (both the client and the server can initiate the request to notify the opposite side that the connection is about to be closed) in a TCP/IP long connection manner.
The operation and maintenance gateway agent 413 performs interaction through an interface of the gateway control system 513 after establishing connection with the gateway control system 513.
In the login process of the operation and maintenance gateway agent 413, the correct IP address IP_513 and service port Port_513 of the gateway control system 513 are entered first; then the correct operation and maintenance user name Account_YunWei and password Password_YunWei are entered and the login button is clicked. At this point the operation and maintenance gateway agent 413 establishes a TCP/IP connection with the gateway control system 513, calls the login interface of the gateway control system 513, and sends Account_YunWei and Password_YunWei to the gateway control system 513 over the current TCP/IP connection. After receiving the login interface request, the gateway control system 513 authenticates the received Account_YunWei and Password_YunWei against the account and password prestored in the gateway control system. If authentication succeeds, it replies a login success instruction to the operation and maintenance gateway agent 413 through the login interface response command and keeps the connection in the available state; if authentication fails, it replies a login failure instruction to the operation and maintenance gateway agent 413 through the login interface response command and immediately closes the current connection;
the gateway control system 513 terminates its continued service to the operation and maintenance gateway agent 413 according to its own control logic in one of two ways: either it sends a "close notification" to the operation and maintenance gateway agent 413 over the current TCP/IP connection according to the interface standard and immediately closes the current connection after the notification is sent (i.e. "the server closes the connection"), or it directly closes the current TCP/IP connection (also "the server closes the connection"). After receiving the "close notification", the operation and maintenance gateway agent 413 should immediately perform "client closes connection"; likewise, when the operation and maintenance gateway agent 413 finds that the server has closed the current TCP/IP connection, it should immediately perform "client closes connection".
After the login is successful, the gateway control system 513 accepts the access of the operation and maintenance terminal 400 represented by the operation and maintenance gateway agent 413 through the identification of the IP address, and records the relevant information in the source account mapping record table 900.
The operation and maintenance gateway 500 of the present invention, according to the design requirements of the present system, includes: firewall system 511, gateway routing system 512, gateway control system 513.
The basic functions of the operation and maintenance gateway 500 are those of a gateway and a router (realized by the gateway routing system 512), and gateway and NAT functions must be supported in the corresponding working mode. The hardware configuration of the computer device of the operation and maintenance gateway 500 must have dual network cards and dual network ports; other configuration follows common computer configurations. The operating system of the operation and maintenance gateway 500 may be any of several types of operating system that comply with the safety specifications, according to the requirements of the national electric power secondary system safety protection general scheme. The core software of the operation and maintenance gateway 500, as a gateway and router, belongs to the proxy server and router functions standardized in current IT technology; mature software products and open source code (such as Nginx, DD-WRT, Tomato, OpenWrt, OPNsense, pfSense and the like) exist in the industry and offer multiple choices. The detailed implementation of the hardware, operating system and core software is supported by many manufacturers and models, and these implementation details do not belong to the design points of the invention, so a detailed description is omitted.
The overall working flow of the operation and maintenance gateway 500 in the invention is as follows:
a) the firewall system 511 and the gateway routing system 512 are driven by their own rules to provide firewall services and gateway routing services, and perform additional target authorization time permission check, target authorization account permission check, and the like according to corresponding design requirements. The firewall system 511 and the gateway routing system 512 are configured to obtain, according to their own needs and according to a source IP of a network request obtained in a service process, corresponding records from the source account mapping record table 900 in a process of providing a service for the operation and maintenance terminal 400, so as to obtain information (source IP, login time, login account, authentication result) of a source device (the operation and maintenance terminal 400) of the network request, and use the information in their own logical judgment, such as checking a target authorized account permission and other checks;
b) when the operation and maintenance gateway agent 413 actively closes the connection, when the gateway control system 513 initiates a server-side close, or when the TCP/IP connection between the operation and maintenance gateway agent 413 and the gateway control system 513 is lost because of network instability, the authentication of the current login session becomes invalid and the corresponding record is deleted from the source account mapping record table 900; when the firewall system 511 and the gateway routing system 512 then look up the corresponding record, they treat the source as not logged in (no legitimate account is in a logged-in state, so only rules of the target authorized account permission table 800 whose authorized account entry is "*" can match the check rule for that entry).
c) The firewall system is used as an outer layer protection of the operation and maintenance gateway 500 and continuously protects all accesses to the operation and maintenance gateway 500;
d) in the checking mode of the firewall system 511, the source of a network request is the original initiator (client) of the TCP/IP connection and the target is the server; the source and target address pairs of an individual IP packet are not used as the source and target.
e) The firewall system 511 performs security check on the network request arriving at the operation and maintenance gateway 500, releases the network request meeting the release requirement, and allows the network request to go to the gateway routing system 512 or forwards the network request through the gateway routing system 512;
f) the operation and maintenance personnel starts the operation and maintenance gateway agent 413 of the operation and maintenance terminal 400, after the security check of the firewall system 511, the login is completed through the butted gateway control system 513, the authentication is successful, the TCP/IP connection between the operation and maintenance gateway agent 413 and the gateway control system 513 keeps a connection (session) state, and once the connection is closed, the current authentication is invalid;
g) the gateway control system 513 stores the information of successful login in the source account mapping record table 900, and deletes corresponding records from the source account mapping record table 900 once authentication fails;
h) the operation and maintenance personnel start the operation and maintenance special tool 401, send a network request by operating the operation and maintenance special tool 401, and after the security check of the firewall system 511, the network request can reach the operation and maintenance gateway 500;
i) if a network request initiated by the operation and maintenance special tool 401 is rejected by the firewall system 511, it cannot reach the gateway routing system 512 and cannot obtain the forwarding service of the operation and maintenance gateway 500;
j) after a network request reaches the gateway routing system 512, the gateway routing system 512 forwards it according to the gateway and routing rules; the source address pair and target address pair in the network request are translated according to the NAT working mode, and the request is forwarded after the translation is completed;
k) the firewall system 511 does not perform additional security checks on network requests that have already been forwarded via the gateway routing system 512.
In the rule settings of the firewall system 511 (source target authorization table, target authorization time permission table, target authorization account permission table), the operation and maintenance gateway 500 allows free access (all sources, all times, all accounts) only to the external service network address pair IP_513:Port_513 of the gateway control system 513:
a) source target authorization table 600 (source IP 601: "*", source port 602: "*", target IP 603: "IP_513", target port 604: "Port_513", operation option 606: "pass-through")
b) target authorized time permission table 700 (target IP 701: "IP_513", target port 702: "Port_513", date 704: "*", time period 705: "*")
c) target authorized account permission table 800 (target IP 801: "IP_513", target port 802: "Port_513", authorized account 804: "*")
The gateway control system 513 is responsible for starting the firewall system 511 and the gateway routing system 512, so as to provide gateway and routing services for the operation and maintenance terminal 400 accessing the operation and maintenance gateway 500.
The gateway control system 513 is used as a daemon process of the operation and maintenance gateway 500, and automatically starts the system after the equipment is started;
after the gateway control system 513 is started, it is responsible for starting the firewall system 511 and the gateway routing system 512, and protecting and serving external access of the operation and maintenance gateway 500;
the gateway control system 513 obtains its own IP address IP_513 (equivalent to IP500_Wai) from the configuration of its own environment, and listens on the pre-configured Port_513;
the gateway control system 513 listens on the address pair IP_513:Port_513 of the operation and maintenance gateway 500 according to the design requirements of the system, and waits for TCP/IP connection access from the operation and maintenance gateway agent 413.
a) After obtaining a TCP/IP connection access of the operation and maintenance gateway agent 413, the gateway control system will create a thread to serve the current connection independently, thereby ensuring that the transaction related to the operation and maintenance gateway agent 413 on the TCP/IP connection can be processed in time;
b) according to the mechanism of TCP/IP connection, the gateway control system 513 can obtain the IP address IP _413 of the operation and maintenance gateway agent 413 on the current connection.
c) The operation and maintenance gateway agent 413 sends the operation and maintenance user name Account _ YunWei and the Password _ YunWei to the gateway control system 513 through a login interface of the gateway control system 513, and the gateway control system 513 performs authentication;
when the operation and maintenance user name Account _ YunWei and the Password _ YunWei fail to authenticate, the gateway control system 513 replies a login failure instruction of the operation and maintenance gateway agent 413 through a login interface response command, and immediately closes the current connection;
when the operation and maintenance user name Account _ YunWei and the Password _ YunWei are successfully authenticated, replying a login success instruction of the operation and maintenance gateway agent 413 through a login interface response command, and keeping a connection available state;
d) after authentication succeeds, the gateway control system 513 writes the current login record (IP_413, the authentication success time in the format "yyyy-mm-dd hh24:mi:ss", Account_YunWei, "success") into the source account mapping record table 900 of the operation and maintenance gateway 500.
The source account mapping record table 900 has 4 records in its example: record 911, record 912, record 913, and record 914. Each record contains the following items: source IP 901, login time 902, login account 903, and authentication result 904 (effectively a remark, since every record stored in the table is necessarily one whose login authentication result was successful).
a) The source IP 901 of each record in the record table is the IP of the corresponding operation and maintenance gateway proxy 413, and is an accurate single IP address.
b) The login time 902 of each record in the record table is the time when the login of the corresponding operation and maintenance gateway agent 413 is successful.
c) The login account 903 of each record in the record table is an account used by the login request of the corresponding operation and maintenance gateway proxy 413.
The source account mapping record table 900 is only accessed by the gateway control system 513, the firewall system 511 and the gateway routing system 512 of the operation and maintenance gateway 500; the gateway control system 513 is responsible for maintaining data records therein (including creating new records and deleting existing records), the firewall system 511 only reads data therein for its own logical judgment, and the gateway routing system 512 only reads data therein for its own logical judgment.
When the gateway control system 513 receives, on one TCP/IP connection, an interface request for the client to close the connection (the operation and maintenance gateway agent 413 initiates the close) or a close notification, it looks up the corresponding client IP address, i.e. the IP address IP_413 used by the corresponding operation and maintenance gateway agent 413, and then directly deletes all records in the source account mapping record table 900 whose source IP equals IP_413.
When in some special situation (for example, for reasons of manual control) the gateway control system 513 wants to close the connection of a specific operation and maintenance gateway agent 413, it first directly deletes all records in the source account mapping record table 900 whose source IP equals the IP address IP_413 of that operation and maintenance gateway agent 413, then sends the interface command for the server to close the connection to the operation and maintenance gateway agent 413 over the corresponding connection, and then directly closes the TCP/IP connection.
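The login interface exchange described earlier in this section and the record maintenance on connection close described just above, as an added example in Python; this is not code from the patent or its applicant. The message names LOGIN / CLIENT_CLOSE / CLOSE_NOTIFY, the salted PBKDF2 credential store and the sample account are assumptions, and the interface is modelled as a per-connection message handler rather than a real socket server:

```python
"""Session handling of the gateway control system 513, modelled as a message
handler over one long-lived TCP/IP connection per agent 413 (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


# Assumption: stored credentials are salted PBKDF2 hashes. The page only says
# the account and password are "prestored" in the gateway control system.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_credential_store(pairs):
    """Build {account: (salt, hash)} from constructed (account, password) pairs."""
    store = {}
    for account, password in pairs:
        salt = os.urandom(16)
        store[account] = (salt, _hash_password(password, salt))
    return store


@dataclass
class MappingRecord:
    """One row of the source account mapping record table 900."""
    source_ip: str                 # item 901, the IP_413 of the agent's connection
    login_time: str                # item 902, "yyyy-mm-dd hh24:mi:ss"
    login_account: str             # item 903, Account_YunWei
    auth_result: str = "success"   # item 904


class GatewayControlSystem:
    def __init__(self, credentials):
        self.credentials = credentials
        self.mapping_table = []    # table 900; only this class writes to it

    def authenticate(self, account: str, password: str) -> bool:
        entry = self.credentials.get(account)
        if entry is None:
            # Do the same work for unknown accounts so response time does not
            # reveal which account names exist.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def handle_message(self, peer_ip: str, line: str,
                       now: Optional[datetime] = None) -> Tuple[str, bool]:
        """Process one interface message from the agent whose connection peer
        address is peer_ip. Returns (reply, keep_connection). The wire format
        "LOGIN <account> <password>" / "CLIENT_CLOSE" / "CLOSE_NOTIFY" is assumed."""
        parts = line.strip().split(" ", 2)
        cmd = parts[0]
        if cmd == "LOGIN" and len(parts) == 3:
            account, password = parts[1], parts[2]
            if self.authenticate(account, password):
                stamp = (now or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
                self.mapping_table.append(MappingRecord(peer_ip, stamp, account))
                return "LOGIN_OK", True      # keep the connection available
            return "LOGIN_FAIL", False       # page: close immediately on failure
        if cmd in ("CLIENT_CLOSE", "CLOSE_NOTIFY"):
            self.drop_source(peer_ip)        # session ends: records for IP_413 go
            return "BYE", False
        return "ERR", False                  # unknown message: close (assumption)

    def drop_source(self, peer_ip: str) -> int:
        """Delete every record whose source IP equals peer_ip; returns the count."""
        before = len(self.mapping_table)
        self.mapping_table = [r for r in self.mapping_table if r.source_ip != peer_ip]
        return before - len(self.mapping_table)

    def server_close(self, peer_ip: str) -> str:
        """Operator-initiated close: delete the records first, then send the
        close notification; the caller then closes the TCP/IP connection."""
        self.drop_source(peer_ip)
        return "CLOSE_NOTIFY"

    def logged_in_account(self, source_ip: str) -> Optional[str]:
        """What the firewall/router would see for this source IP (first record wins)."""
        for rec in self.mapping_table:
            if rec.source_ip == source_ip:
                return rec.login_account
        return None
```

Two properties of the design show up directly in the code: records are deleted before the close notification is sent, so the firewall never sees a stale "logged in" state for a connection that is about to go away; and `logged_in_account` identifies the operator by source IP alone, so the mapping is only as trustworthy as the address the agent connects from. The page does not specify transport protection for the login interface, so in a deployment the long-lived TCP/IP connection carrying Account_YunWei and Password_YunWei should itself be encrypted.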
The firewall system 511 may adopt a standardized software product of a current security manufacturer (e.g., star, green alliance, security, etc.), may also adopt a software firewall (e.g., Iptables/Netfilter of Linux, IPCop supported by Linux, etc.) of a part of the operating system itself, and may also adopt an open source code firewall: shorewall, Vuurmuur, pfSense, IPFire, Smoothwall, and the like. The detailed implementation is supported by a plurality of manufacturers and models, and the implementation details do not belong to the design points of the invention, so the detailed description is omitted.
The firewall system 511 is started immediately as a power-on self-start service when the operation and maintenance gateway 500 is started.
The firewall system 511 will perform security checks according to the following authorization table at the same time:
a) source target authorization Table 600
b) Target grant time permission table 700
c) Target authorized account permissions table 800
The authorization tables of the firewall system 511 (source target authorization table 600, target authorization time permission table 700, target authorization account permission table 800) can be configured by other management programs through the configuration management interface of the core software of the firewall system 511 (the configuration management interface is carried by the software itself, and its implementation details do not belong to the design points of the present invention, so a detailed description is omitted).
The source target authorization table 600 has 8 rules set in its example: rule 611, rule 612, rule 613, rule 614, rule 615, rule 616, rule 617, and rule 618. Each rule contains the following rule items: source IP 601, source port 602, target IP 603, target port 604, service description 605, operation option 606.
a) For each network access, checking one by one according to the numbering sequence of the rules;
when a matching (compliant) rule is found with the operation option 606 of "deny", the network access is prohibited and subsequent rules are not checked.
When a matching (compliant) rule is found with the operation option 606 of "pass-through", the network access is allowed and subsequent rules are not checked.
b) The source IP 601 and the source port 602 are source check rule entries for describing the current rule.
The source IP 601 checks the IP address of the initiator of the network access: "*" indicates that all IP addresses match; "192.168.1.*" indicates that all IP addresses beginning with "192.168.1." match (including "192.168.1.1", "192.168.1.2", up to "192.168.1.255"); "192.168.1.100-110" indicates that all IP addresses between "192.168.1.100" and "192.168.1.110" match (including "192.168.1.100", "192.168.1.101", up to "192.168.1.110"). Both notations, "*" and "-", may also occur elsewhere in the configuration rules.
The source port 602 is the port of the initiator of the network access; because the initiator's port is usually allocated dynamically by the protocol implementation, it is generally not checked. "*" indicates that all ports match the rule item.
c) The target IP 603 and the target port 604 are target check rule items for specifying the current rule.
The target IP 603 checks the target IP address of the network access: "*" indicates that all IP addresses match; "10.1.1.201" indicates the strictly matched single address "10.1.1.201"; "10.1.1.201-205" indicates all IP addresses in the interval from "10.1.1.201" to "10.1.1.205" (including "10.1.1.201", "10.1.1.202", up to "10.1.1.205"). Both notations, "*" and "-", may also occur elsewhere in the configuration rules.
The target port 604 checks the target port of the network access: "*" indicates that all ports match (no rule in the current example uses this configuration); "80" indicates the strictly matched single port 80; and "9001-" denotes a port range written with "-";
d) The service description 605 is a remark describing the service of the target port corresponding to the current rule, and is not used for checking. For example, "HTTP" in the service description 605 item of rule 611 indicates that the service at the access target address of the current rule (target IP 603 "10.1.1.201", target port 604 "80") is the "HTTP service"; "internal service" in the service description 605 item of rule 614 indicates that the service at the access target address of the current rule (target IP 603 "10.1.1.201-205", target port 604 "9001-") is the "internal service"; the other rules are remarked in the same way.
e) Only if a network access satisfies all 4 rule items of a rule, source IP 601, source port 602, target IP 603 and target port 604, is it judged to match the rule, and it is then handled according to the operation option of that rule;
f) if no rule in the source target authorization table 600 matches a network access, the network access is prohibited;
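The first-match evaluation of the source target authorization table 600, including the "*" and "-" notations for IP addresses and ports, as an added example in Python; this is not the patent's or any firewall product's code. The rule values are constructed, "10.1.1.1:9513" stands in for IP_513:Port_513 (the page gives no concrete value), and "9001-9010" is assumed to be the full form of the port range the page shows truncated as "9001-":

```python
"""First-match evaluation of the source target authorization table 600
(added example; rule values below are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List


def _octet_matches(part: str, value: int) -> bool:
    """One dotted-quad position: "*", "lo-hi", or an exact number."""
    if part == "*":
        return True
    if "-" in part:
        lo, hi = part.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(part) == value


def ip_matches(pattern: str, ip: str) -> bool:
    """Page notations: "*", "192.168.1.*", "192.168.1.100-110", "10.1.1.201"."""
    if pattern == "*":
        return True
    # IPv4Address() rejects malformed input instead of silently mismatching it.
    octets = [int(x) for x in str(ipaddress.IPv4Address(ip)).split(".")]
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IP pattern: {pattern!r}")
    return all(_octet_matches(p, v) for p, v in zip(parts, octets))


def port_matches(pattern: str, port: int) -> bool:
    """"*" matches all ports; "80" one port; "9001-9010" a closed range
    (assumed full form of the "9001-" notation shown on the page)."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(pattern) == port


@dataclass(frozen=True)
class SourceTargetRule:
    source_ip: str      # item 601
    source_port: str    # item 602
    target_ip: str      # item 603
    target_port: str    # item 604
    service: str        # item 605, remark only, never checked
    action: str         # item 606: "pass-through" or "deny"


def check_source_target(rules: List[SourceTargetRule], src_ip: str, src_port: int,
                        dst_ip: str, dst_port: int) -> bool:
    """Walk the rules in numbering order; the first rule whose four check items
    all match decides. No match at all means the access is prohibited (item f)."""
    for rule in rules:
        if (ip_matches(rule.source_ip, src_ip) and port_matches(rule.source_port, src_port)
                and ip_matches(rule.target_ip, dst_ip) and port_matches(rule.target_port, dst_port)):
            return rule.action == "pass-through"
    return False


# Constructed example table. "10.1.1.1:9513" stands in for IP_513:Port_513 of
# the gateway control system, which must stay reachable from every source.
EXAMPLE_TABLE_600 = [
    SourceTargetRule("*", "*", "10.1.1.1", "9513", "gateway control", "pass-through"),
    SourceTargetRule("192.168.1.100-110", "*", "10.1.1.201", "80", "HTTP", "deny"),
    SourceTargetRule("192.168.1.*", "*", "10.1.1.201", "80", "HTTP", "pass-through"),
    SourceTargetRule("192.168.1.*", "*", "10.1.1.201-205", "9001-9010", "internal service", "pass-through"),
]

if __name__ == "__main__":
    print(check_source_target(EXAMPLE_TABLE_600, "192.168.1.5", 40000, "10.1.1.201", 80))
```

Because evaluation stops at the first matching rule, the order of rules carries policy: the constructed "deny" for 192.168.1.100-110 only takes effect because it is listed before the broader "192.168.1.*" pass-through rule for the same target.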
the target authorized time permission table 700 has 4 rules set in its example, including rule 711, rule 712, rule 713, and rule 714. Each rule contains the following rule items: target IP 701, target port 702, service description 703, date 704, time period 705.
a) For each network access passing through the firewall system 511, the rules of the target authorized time permission table 700 are checked in numbering order; when a matching rule is found, the network access is allowed and subsequent rules are not checked. If no matching rule is found, the network access is prohibited.
b) The target IP 701 and the target port 702 are target check rule items for explaining the current rule, and represent a network address pair of the target resource.
The target IP 701 checks the target IP address of the network access: "*" indicates that all IP addresses match; "10.1.1.201" indicates the strictly matched single address "10.1.1.201"; "10.1.1.201-205" indicates all IP addresses between "10.1.1.201" and "10.1.1.205" (including "10.1.1.201", "10.1.1.202", up to "10.1.1.205"). Both notations, "*" and "-", may also occur elsewhere in the configuration rules. The current rule item is judged to match as long as the target IP address of the current network access belongs to the data set of the rule item.
The target port 702 checks the target port of the network access: "*" indicates that all ports match (no rule in the present example uses this configuration); "80" indicates the strictly matched single port 80; and "9001-" denotes a port range written with "-". The current rule item is judged to match as long as the target port of the current network access belongs to the data set of the rule item.
c) The service description 703 is a remark describing the service of the target resource corresponding to the current rule, and is not used for checking.
d) The date 704 and time period 705 are the permitted access time configuration of the current rule. The current date at which the network access occurs is compared with the date 704, and the current time with the time period 705; only when the current date and the current time both fall within the sets given by the date 704 and the time period 705 of the current rule is the check of these rule items considered passed.
The date 704 gives the dates on which network access is permitted, with several notations: "*" indicates all dates, and weekdays may also be used. For example: "Monday, Tuesday, Wednesday, Thursday" means those four days of every week; "2018/8/8, 2018/8/9" means those two specific days; a mixed notation may also be used, for example "Monday, Tuesday, 2018/8/10-2018/8/30" means every Monday and Tuesday, plus the days from August 10, 2018 to August 30, 2018. The current rule item is judged to match as long as the current access date is in the data set of the rule item.
The time period 705 gives the times of day at which network access is permitted, expressed in the 24-hour system with minute precision, with several notations: "*" indicates any time of the day, and time ranges may also be used. For example: "9:00-12:00, 14:00-17:00" indicates the specific working hours of every morning and afternoon, from 9:00 to 12:00 and from 14:00 to 17:00; other cases follow by analogy. The current rule item is judged to match as long as the current access time is within the data set of the rule item.
e) Only if the currently checked network access satisfies all 4 rule items of a rule, target IP 701, target port 702, date 704 and time period 705, is it judged to match the rule and then allowed and released; the implementation of the normal access procedure is not the gist of the present invention, so a detailed description is omitted.
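The date and time-period grammar of the target authorized time permission table 700 (weekday names, single dates, date ranges, comma-separated mixes, and "hh:mm-hh:mm" time ranges) with the first-match rule walk, as an added example in Python; this is not code from the patent. The rules are constructed, "10.1.1.1:9513" again stands in for IP_513:Port_513, and target IP/port are matched exactly or by "*" only, so the "-" and "*" octet forms are deliberately left out of this block to keep the focus on the time grammar:

```python
"""Date and time-period grammar of the target authorized time permission
table 700 (added example; rules below are constructed)."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List

WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}


def _parse_date(text: str) -> date:
    """Page format "2018/8/8" (year/month/day, no zero padding required)."""
    y, m, d = text.strip().split("/")
    return date(int(y), int(m), int(d))


def _parse_time(text: str) -> time:
    """Page format "9:00" / "14:00", 24-hour clock, minute precision."""
    h, m = text.strip().split(":")
    return time(int(h), int(m))


def date_matches(pattern: str, day: date) -> bool:
    """"*", weekday names, single dates, date ranges, or a comma-separated mix."""
    if pattern.strip() == "*":
        return True
    for item in (p.strip() for p in pattern.split(",")):
        if item.lower() in WEEKDAYS:
            if day.weekday() == WEEKDAYS[item.lower()]:
                return True
        elif "-" in item:
            lo, hi = (_parse_date(x) for x in item.split("-", 1))
            if lo <= day <= hi:
                return True
        elif _parse_date(item) == day:
            return True
    return False


def time_matches(pattern: str, moment: time) -> bool:
    """"*" or comma-separated "hh:mm-hh:mm" ranges, inclusive at both ends.
    Seconds are dropped because the page specifies minute precision."""
    if pattern.strip() == "*":
        return True
    moment = moment.replace(second=0, microsecond=0)
    for item in (p.strip() for p in pattern.split(",")):
        lo, hi = (_parse_time(x) for x in item.split("-", 1))
        if lo <= moment <= hi:
            return True
    return False


@dataclass(frozen=True)
class TimeRule:
    target_ip: str      # item 701
    target_port: str    # item 702
    service: str        # item 703, remark only
    date: str           # item 704
    time_period: str    # item 705


def _exact_or_any(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def check_time_table(rules: List[TimeRule], dst_ip: str, dst_port: int, when: datetime) -> bool:
    """First rule whose target IP, target port, date and time period all match
    allows the access; no matching rule means the access is prohibited."""
    for rule in rules:
        if (_exact_or_any(rule.target_ip, dst_ip) and _exact_or_any(rule.target_port, str(dst_port))
                and date_matches(rule.date, when.date()) and time_matches(rule.time_period, when.time())):
            return True
    return False


# Constructed example: the control system is reachable at any time, the HTTP
# service only in working hours, plus a dated maintenance window.
EXAMPLE_TABLE_700 = [
    TimeRule("10.1.1.1", "9513", "gateway control", "*", "*"),
    TimeRule("10.1.1.201", "80", "HTTP", "Monday, Tuesday, Wednesday, Thursday, Friday",
             "9:00-12:00, 14:00-17:00"),
    TimeRule("10.1.1.201", "80", "HTTP maintenance window", "2018/8/10-2018/8/30", "*"),
]

if __name__ == "__main__":
    print(check_time_table(EXAMPLE_TABLE_700, "10.1.1.201", 80, datetime(2018, 8, 8, 10, 30)))
```

Note that the decision depends on the gateway's own clock: a time-window rule is only as reliable as the time source of the operation and maintenance gateway 500, which is worth keeping synchronized and monitored.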
The target authorized account number permission table 800 has 3 rules set in its example, including rule 811, rule 812, and rule 813. Each rule contains the following rule items: target IP 801, target port 802, service description 803, authorization account 804.
a) For each network access passing through the firewall system 511, the rules of the target authorized account permission table 800 are checked in numbering order; when a matching rule is found, the network access is allowed and subsequent rules are not checked. If no matching rule is found, the network access is prohibited.
b) The target IP 801 and the target port 802 are target check rule items for describing the current rule, and represent a network address pair of the target resource.
The target IP 801 checks the target IP address of the network access: "*" indicates that all IP addresses match; "10.1.1.201" indicates the strictly matched single address "10.1.1.201"; "10.1.1.201-205" indicates all IP addresses between "10.1.1.201" and "10.1.1.205" (including "10.1.1.201", "10.1.1.202", up to "10.1.1.205"). Both notations, "*" and "-", may also occur elsewhere in the configuration rules. The current rule item is judged to match as long as the target IP address of the current network access belongs to the data set of the rule item.
The target port 802 checks the target port of the network access: "*" indicates that all ports match (no rule in the present example uses this configuration); "80" indicates the strictly matched single port 80; and "9001-" denotes a port range written with "-". The current rule item is judged to match as long as the target port of the current network access belongs to the data set of the rule item.
c) The service description 803 is a remark description of the service of the target resource corresponding to the current rule, and is not used for checking.
d) The authorized account 804 is a permission configuration for the authorized account corresponding to the current rule.
The authorized account 804 is the data set against which the account Account_Cur corresponding to the network access is checked. It has several representation modes: the wildcard entry represents all accounts, or an account list may be used. For example, "manager_1, manager_2" indicates that the match passes if Account_Cur is one of the accounts in the current data set of the rule item's authorized account 804 (manager_1 or manager_2); "admin, beijing_zhangsan, angzhou_lisi" represents the data set of these three specific accounts, and if Account_Cur belongs to this data set (i.e., is identical to one of them), the match is deemed to pass. In short, if the account Account_Cur used by the current network access is in the data set of the current rule item, the current rule item is judged to be matched.
For one network access, the firewall extracts the source IP according to the TCP/IP mechanism and, with the source IP as the check condition, inspects the source account mapping record table 900 record by record to find records whose source IP is identical to the current source IP;
if a matching record is found in the source account mapping record table 900, the login account of the first record meeting the check condition (the source IP of that record is the same as the source IP of the current network access) is taken as the account of the current network access; if no matching record is found in the source account mapping record table 900, the current network access is considered to have no account;
if the authorized account 804 of the target authorized account permission table 800 is the wildcard entry, it is regarded as matching all network accesses (including network accesses with no account, i.e. unregistered ones), and the check result is that the match passes;
if the authorized account 804 of the target authorized account permission table 800 is a set of several determined accounts (not the wildcard), the current network access must have a login account found in the source account mapping record table 900, and that login account must be identical to one of the authorized accounts 804 of the target authorized account permission table 800; only then is the check result that the match passes;
e) Only if the currently checked network access satisfies all three rule items of one rule at the same time, namely target IP 801, target port 802 and authorized account 804, is the network access judged to satisfy the rule; it is then allowed and released, so that normal access proceeds through the firewall system 511. The implementation of the normal access procedure is not the gist of the present invention, and a detailed description is therefore omitted.
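The check described in items a) to e), carried through as an added example in Python; this is not the patent's own code. It assumes the wildcard entry is spelled "*" (the character is not legible in the extracted text), that a range is "low-high" with the high side of an IP range allowed to give only the last octet ("10.1.1.201-205"), and that an account list is comma-separated. The rule rows, mapping records and accesses are constructed sample data. Malformed ranges raise rather than silently matching, so a bad rule fails closed.

```python
"""Firewall check of the target authorized account permission table (800) and
the source account mapping record table (900).

Added example, not the patent's code. Assumed rule syntax: "*" wildcard,
"low-high" ranges (IP high side may be a bare last octet), comma-separated
account lists. All sample rows below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILDCARD = "*"  # assumed spelling of the all-match entry


def ip_matches(spec: str, target_ip: str) -> bool:
    """True if target_ip falls in the rule's target IP 801 data set."""
    spec = spec.strip()
    target = ipaddress.IPv4Address(target_ip)
    if spec == WILDCARD:
        return True
    if "-" in spec:
        low_s, high_s = (s.strip() for s in spec.split("-", 1))
        if not low_s or not high_s:
            raise ValueError(f"malformed IP range: {spec!r}")  # fail closed
        if "." not in high_s:  # "10.1.1.201-205": high side is only the last octet
            high_s = low_s.rsplit(".", 1)[0] + "." + high_s
        low, high = ipaddress.IPv4Address(low_s), ipaddress.IPv4Address(high_s)
        return low <= target <= high
    return target == ipaddress.IPv4Address(spec)


def port_matches(spec: str, target_port: int) -> bool:
    """True if target_port falls in the rule's target port 802 data set."""
    spec = spec.strip()
    if spec == WILDCARD:
        return True
    if "-" in spec:
        low_s, high_s = (s.strip() for s in spec.split("-", 1))
        if not low_s.isdigit() or not high_s.isdigit():
            raise ValueError(f"malformed port range: {spec!r}")  # fail closed
        return int(low_s) <= target_port <= int(high_s)
    return int(spec) == target_port


def account_matches(spec: str, account: Optional[str]) -> bool:
    """Authorized account 804: the wildcard admits every access, including
    unregistered ones; a list requires a login account equal to one entry."""
    if spec.strip() == WILDCARD:
        return True
    if account is None:
        return False
    allowed = {a.strip() for a in spec.split(",") if a.strip()}
    return account in allowed


@dataclass(frozen=True)
class Rule:  # one row of table 800
    target_ip: str
    target_port: str
    service: str   # 803: remark only, never checked
    accounts: str


def lookup_account(mapping: List[Tuple[str, str]], source_ip: str) -> Optional[str]:
    """Table 900 lookup: login account of the first record whose source IP
    equals the connection initiator's IP, else None (not logged in)."""
    for rec_ip, login in mapping:
        if rec_ip == source_ip:
            return login
    return None


def check_access(rules: List[Rule], mapping: List[Tuple[str, str]],
                 source_ip: str, target_ip: str, target_port: int) -> Optional[int]:
    """Index of the first rule whose three checked items all match, or None
    when the access must be rejected."""
    account = lookup_account(mapping, source_ip)
    for i, rule in enumerate(rules):
        if (ip_matches(rule.target_ip, target_ip)
                and port_matches(rule.target_port, target_port)
                and account_matches(rule.accounts, account)):
            return i
    return None


# Constructed sample configuration (not from the patent).
RULES = [
    Rule("10.1.1.201-205", "80", "telecontrol web consoles", "manager_1, manager_2"),
    Rule("10.1.1.210", "9001", "telecontrol execution terminal A", WILDCARD),
]
MAPPING = [("172.16.0.40", "manager_1")]  # source IP -> login account (table 900)

if __name__ == "__main__":
    print(check_access(RULES, MAPPING, "172.16.0.40", "10.1.1.203", 80))  # 0
    print(check_access(RULES, MAPPING, "172.16.0.41", "10.1.1.203", 80))  # None
```

Note that the account binding is keyed only by source IP: every connection initiated from an IP that has a live record in table 900 inherits that login, so the gateway's intended deployment (one terminal per cable-connected IP, as item a) below requires) is what makes the binding meaningful, and the same deployment constraint should be verified when the table is audited.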
The gateway routing system 512 receives the operation and maintenance instructions (network requests initiated by the operation and maintenance personnel through the operation and maintenance special tool 401 from the operation and maintenance terminal 400), forwards them according to the corresponding forwarding mechanism, and delivers them to the specific telecontrol execution terminals (such as telecontrol execution terminal A, telecontrol execution terminal B, telecontrol execution terminal C, and so on);
a) The operation and maintenance terminal 400 sets for itself a legal IP address IP_400 that lies in the same network segment as IP500_Wai but does not duplicate it, so that the operation and maintenance terminal 400 and the operation and maintenance gateway 500 can communicate once they are connected by a network cable;
b) The operation and maintenance gateway 500 has dual network cards and dual IPs: the IP address on the network outside the gateway is IP500_Wai, and the IP address on the network inside the gateway is IP500_Nei;
c) When the operation and maintenance terminal 400 needs to communicate with telecontrol execution terminal A (201), under the rule constraints of the operation and maintenance gateway 500 the IP address of the operation and maintenance terminal is IP_400, and each TCP/IP connection established with the telecontrol execution terminal is dynamically allocated a different port Port_Dyn (the port represented by Port_Dyn differs between connection sessions). The corresponding network connection (the recommended connection mode for the current power secondary system telecontrol channel 300 is a TCP/IP connection) is established according to the working mode of the operation and maintenance gateway 500 (two modes: gateway mode and NAT mode), and the subsequent operation and maintenance operations are then performed over it.
Mode 1 (gateway mode): the intranet IP address of telecontrol execution terminal A is IP_201, its listening port is Port_201, and its listening address pair is IP_201:Port_201; the address pairs at the two ends of the established TCP/IP connection are IP_400:Port_Dyn on the operation and maintenance terminal 400 side and IP_201:Port_201 on the telecontrol execution terminal A side.
Mode 2 (NAT mode): the operation and maintenance gateway establishes, on the external network, the NAT-converted listening address pair IP500_Wai:Port500_201 for the listening address pair IP_201:Port_201 of telecontrol execution terminal A on the internal network; the address pairs at the two ends of the established TCP/IP connection are IP_400:Port_Dyn on the operation and maintenance terminal 400 side and the NAT-converted address pair IP500_Wai:Port500_201 on the telecontrol execution terminal A side.
Connections between the operation and maintenance terminal 400 and the other telecontrol execution terminals are established in the same way.
d) When the operation and maintenance tool software 401 needs to access telecontrol execution terminal A, it selects the corresponding address pair as the connection target according to the working mode of the operation and maintenance gateway 500: in mode 1 (gateway mode) the listening address pair IP_201:Port_201 of telecontrol execution terminal A is selected, and in mode 2 (NAT mode) the NAT-converted address pair IP500_Wai:Port500_201 of telecontrol execution terminal A is selected. Access to the other telecontrol execution terminals follows by analogy.
After the operation and maintenance tool software 401 establishes a connection with telecontrol execution terminal A, the connection is automatically relayed by the operation and maintenance gateway 500 according to the network communication mechanism; over this connection, the instructions and information initiated by the operation and maintenance tool software are sent to telecontrol execution terminal A, and the information collected from telecontrol execution terminal A is sent back to the operation and maintenance tool software 401.
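The two working modes of items c) and d), modelled as an added example in Python (not the patent's own code). It assumes that in gateway mode the address pairs pass through unchanged because the gateway merely routes, and that in NAT mode the gateway listens on IP500_Wai:Port500_201 for each published intranet pair IP_201:Port_201, rewrites the target pair to the intranet pair, and rewrites the source pair to its own intranet address IP500_Nei with a fresh port. All addresses and ports (IP_400, IP500_Wai, IP500_Nei, IP_201, Port_201, Port500_201) are constructed sample values standing in for the figure's symbols. The example goes slightly beyond the text by also showing that, in NAT mode, a connection to a port the gateway has not published is refused, since only the published listening pairs exist on the external side.

```python
"""Connection handling of the operation and maintenance gateway 500 in
gateway mode (mode 1) and NAT mode (mode 2).

Added example, not the patent's code. Address values are constructed; the
source-port rewrite in NAT mode is an assumption about the conversion the
text describes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AddrPair:
    ip: str
    port: int

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


@dataclass
class OmGateway:
    mode: str                      # "gateway" (mode 1) or "nat" (mode 2)
    ip_wai: str                    # IP500_Wai, external network card
    ip_nei: str                    # IP500_Nei, internal network card
    nat_table: Dict[int, AddrPair] = field(default_factory=dict)  # Port500_x -> IP_x:Port_x
    _next_port: int = 40000        # intranet-side source ports handed out (assumed)

    def dial_target(self, intranet: AddrPair) -> AddrPair:
        """Address pair the tool software 401 must connect to for an execution terminal."""
        if self.mode == "gateway":
            return intranet                      # mode 1: IP_201:Port_201 directly
        for ext_port, inner in self.nat_table.items():
            if inner == intranet:
                return AddrPair(self.ip_wai, ext_port)  # mode 2: IP500_Wai:Port500_201
        raise KeyError(f"no NAT listening pair published for {intranet}")

    def forward(self, src: AddrPair, dst: AddrPair) -> Optional[Tuple[AddrPair, AddrPair]]:
        """Address pairs after the gateway handles the connection, or None when
        the connection does not correspond to any published listening pair."""
        if self.mode == "gateway":
            return src, dst                      # routed unchanged; no NAT conversion
        if dst.ip != self.ip_wai or dst.port not in self.nat_table:
            return None                          # unpublished external pair: refused
        inner = self.nat_table[dst.port]
        new_src = AddrPair(self.ip_nei, self._next_port)
        self._next_port += 1
        return new_src, inner


# Constructed topology using the figure's names (sample values, not the patent's).
IP_400 = "172.16.0.40"                    # operation and maintenance terminal 400
IP500_WAI, IP500_NEI = "172.16.0.1", "10.1.1.1"
EXEC_A = AddrPair("10.1.1.201", 2404)     # IP_201:Port_201
PORT500_201 = 20201


def make_gateway(mode: str) -> OmGateway:
    return OmGateway(mode, IP500_WAI, IP500_NEI, {PORT500_201: EXEC_A})


def session_to_exec_a(mode: str, port_dyn: int) -> Optional[AddrPair]:
    """Dial as the tool would in the given mode and return the target pair as
    seen on the execution-terminal side; IP_201:Port_201 in both modes."""
    gw = make_gateway(mode)
    dialed = gw.dial_target(EXEC_A)
    result = gw.forward(AddrPair(IP_400, port_dyn), dialed)
    return None if result is None else result[1]


if __name__ == "__main__":
    for mode in ("gateway", "nat"):
        print(mode, make_gateway(mode).dial_target(EXEC_A), "->", session_to_exec_a(mode, 51000))
```

The invariant worth checking in a deployment is the one `session_to_exec_a` encodes: whichever mode is configured, the pair the tool dials must resolve to exactly the execution terminal's listening pair, and nothing else on the intranet should be reachable through the external card.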

Claims (8)

1. A method for a safety operation and maintenance gateway of a power secondary system telecontrol operation and maintenance is characterized by comprising the following steps: the operation and maintenance safety monitoring is carried out on the system through a matched operation and maintenance special tool on the operation and maintenance terminal;
the motion control end controls the motion execution end in real time according to the monitoring condition of the matched operation and maintenance special tool;
the operation and maintenance terminal and the motion execution terminal provide firewall, route and gateway services for network connection through an operation and maintenance gateway, the operation and maintenance gateway is controlled through a gateway control system, the gateway control system is responsible for providing interface services for an operation and maintenance gateway agent, managing the connection session state of the operation and maintenance gateway agent through a TCP/IP connection session, and helping the operation and maintenance gateway to make decisions on which network requests to provide the route and gateway services through a source account mapping record table;
the operation and maintenance gateway operation process comprises the following steps:
a) the firewall system and the gateway routing system acquire corresponding records from a source account mapping record table according to the source IP of the network request acquired in the service process according to the self requirement in the process of providing service for the operation and maintenance terminal so as to acquire the information of the operation and maintenance terminal of the network request and use the information in self logic judgment;
b) when the operation and maintenance gateway proxy is actively closed, the gateway control system initiates a server to close connection, or the TCP/IP connection between the operation and maintenance gateway proxy and the gateway control system is closed due to network instability, the authentication of the current login session is invalid, the corresponding record in the source account mapping record table is deleted, and the firewall system and the gateway routing system assume that the source is not logged in when acquiring the corresponding record;
c) the firewall system continuously protects all accesses to the operation and maintenance gateway;
d) the firewall system takes an initial initiator of TCP/IP connection as a source and a server as a target in a network request checking mode in the system, and does not take a source IP address pair and a target IP address pair of a single IP packet as the source and the target;
e) the firewall system carries out security check on the network request arriving at the operation and maintenance gateway, releases the network request according with the release requirement, and allows the network request to go to the gateway routing system or forwards the network request through the gateway routing system;
f) the operation and maintenance personnel start the operation and maintenance gateway agent of the operation and maintenance terminal, after the safety inspection of the firewall system, the login is completed through the butted gateway control system, the authentication is successful, the TCP/IP connection between the operation and maintenance gateway agent and the gateway control system keeps a connection state, and once the connection is closed, the current authentication is invalid;
g) the gateway control system stores the information of successful current login into a source account mapping record table, and deletes corresponding records from the source account mapping record table once authentication fails;
h) the operation and maintenance personnel start the operation and maintenance special tool, send a network request by operating the operation and maintenance special tool, and the network request can reach the operation and maintenance gateway after the security check of the firewall system;
i) if the network request initiated by the operation and maintenance special tool is rejected by the firewall and cannot reach the gateway routing system, the forwarding service of the operation and maintenance gateway cannot be obtained;
j) after the network request reaches the gateway routing system, the gateway routing system forwards the network request according to the rules of the gateway and the route, and needs to convert a source address pair and a target address pair in the network request according to the NAT working mode, and forwards the network request after the conversion is completed;
k) the firewall system does not perform additional security checks on network requests forwarded through the network routing system.
2. The method as claimed in claim 1, wherein in step b), the operation and maintenance gateway agent connects, logs in and establishes a session with the gateway control system according to an interface of the gateway control system of the operation and maintenance gateway, determines whether to actively close the session according to its own control logic, and responds to passively close the session according to the condition of the gateway control system.
3. The method for the safe operation and maintenance gateway for the telecontrol of the power secondary system as claimed in claim 1, wherein the operation and maintenance gateway only allows the external service network address of the gateway control system to be freely accessed in the rule setting of the firewall system.
4. The method of claim 1, wherein the operation gateway agent interfaces and interacts with the gateway control system to provide login interface, client connection close, server connection close, and close notification by way of TCP/IP long connection.
5. The method for the safe operation and maintenance gateway of the telecontrol of the power secondary system as claimed in claim 1, characterized in that the gateway control system is used as a daemon process of the operation and maintenance gateway, and after the equipment is started, the system is automatically started; after the gateway control system is started, the gateway control system is responsible for starting a firewall system and a gateway routing system, and protecting and serving external access of the operation and maintenance gateway; the gateway control system obtains the IP address of the gateway control system according to the configuration of the environment where the gateway control system is located, and monitors the IP address on the pre-configured port.
6. The method according to claim 1, wherein when the gateway control system receives an interface request for closing a connection from a client over a TCP/IP connection, or obtains a closing notification, the gateway control system queries a corresponding client IP address, that is, an IP address used by a corresponding operation gateway proxy, through the connection, and then directly deletes all the source IPs in the source account mapping record table that are the same as the IP addresses used by the operation gateway proxy.
7. The method as claimed in claim 1, wherein when the gateway control system is in some special situations, it will close the connection of a specific operation gateway proxy, and will first delete all the source IPs in the source account mapping record table and the records with the same IP address used by the operation gateway proxy for the IP address corresponding to the operation gateway proxy, and then send the interface command for closing the connection of the server to the gateway proxy on the corresponding connection, and then directly close the TCP/IP connection.
8. The method of claim 1, wherein the dedicated tools comprise an environmental monitoring tool, a screen recording detection tool, and an operation gateway agent.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910818769.7A CN110611665B (en) 2019-08-30 2019-08-30 Safe operation and maintenance gateway method for telecontrol operation and maintenance of power secondary system

Publications (2)

Publication Number Publication Date
CN110611665A CN110611665A (en) 2019-12-24
CN110611665B true CN110611665B (en) 2022-01-25

Family

ID=68890747

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111669363A (en) * 2020-04-07 2020-09-15 国网浙江省电力有限公司台州供电公司 Safe operation and maintenance gateway system for telecontrol operation and maintenance of electric power secondary system
CN112085229B (en) * 2020-09-09 2024-04-02 北京华胜天成科技股份有限公司 Operation and maintenance method, device, computer equipment and storage medium
CN113098980B (en) * 2021-05-12 2022-08-02 国网湖南省电力有限公司 Portable safety operation and maintenance system for power monitoring system
CN115459966B (en) * 2022-08-25 2024-01-09 北京伽睿智能科技集团有限公司 Trusted remote operation and maintenance method and system for digital equipment

Citations (5)

Publication number Priority date Publication date Assignee Title
CN103051502A (en) * 2012-12-07 2013-04-17 广东电网公司佛山供电局 System and method of self-organized networking and flexible accessing of intelligent power equipment in electricity utilization community
CN106230032A (en) * 2016-09-17 2016-12-14 河北工业大学 A kind of wind farm group production scheduling operational system of electrically-based dispatch data net
CN107819732A (en) * 2016-09-13 2018-03-20 中兴通讯股份有限公司 The method and apparatus of user terminal access local network
US10110417B1 (en) * 2012-07-06 2018-10-23 Cradlepoint, Inc. Private networks overlaid on cloud infrastructure
CN109639658A (en) * 2018-12-05 2019-04-16 国网浙江省电力有限公司杭州供电公司 The data transmission method and device of firewall for electric power secondary system O&M

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US9973507B2 (en) * 2016-02-10 2018-05-15 Extreme Networks, Inc. Captive portal having dynamic context-based whitelisting

Non-Patent Citations (1)

Title
"Security protection of power secondary systems based on a security gateway" (《基于安全网关的电力二次系统安全防护》); Wang Baoyi (王保义); Technical Research (《技术研究》); 2008-12-31; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant