Non-invasive intelligent substation vulnerability detection method
Technical Field
The invention belongs to the field of information security, and relates to a non-invasive intelligent substation vulnerability detection method.
Background
The intelligent substation is characterized by total-station information digitization, communication platform networking and information sharing standardization. Its secondary system is built on the SCD (Substation Configuration Description) file and adopts a three-layer, two-network architecture. The station control layer uses the MMS protocol over TCP/IP to realize unified digital modeling and control of bay layer information; the bay layer and the process layer use the GOOSE and SV protocols and communicate directly over Ethernet; the process layer (equipment layer), based on the IEC 61850 standard, generally adopts switched Ethernet technology, mainly comprises electronic transformers and merging units, is configured with intelligent primary equipment, and automatically completes functions such as information acquisition, measurement, control, protection, metering and detection.
Potential vulnerabilities in the substation, such as protocol implementations that deviate from the standard specifications, unauthorized access and default passwords, pose great threats to the safe and stable operation of the smart grid. When the currently common, mature vulnerability detection technologies are applied to an intelligent substation system, the following problems mainly exist:
(1) Traditional active vulnerability detection needs to send a large number of probe packets, which may cause abnormal interruption of key services. In an intelligent substation system, whether in the primary or secondary system and at the bay or process level, the continuity and health of services are crucial; yet, because the intelligent substation system is closed and self-contained, it has little fault-tolerant handling, such as handling of abnormal instructions, and cannot withstand higher load, such as rapid data transmission and access.
(2) The traditional host-based vulnerability detection mode is not suitable for the primary system of the intelligent substation.
(3) The traditional network-based vulnerability detection mode is not suitable for the three-layer, two-network architecture of the intelligent substation.
(4) Traditional vulnerability detection facilities/equipment lack effective support for GOOSE, SV and other protocols.
Disclosure of Invention
In view of this, the present invention provides a method for detecting a vulnerability of a non-intrusive intelligent substation.
In order to achieve the purpose, the invention provides the following technical scheme:
a non-intrusive intelligent substation vulnerability detection method comprises the following steps: intelligent substation equipment state detection, reference vulnerability information acquisition, and intelligent substation security vulnerability correlation analysis;
the intelligent substation equipment state detection detects and confirms information such as the SCADA (supervisory control and data acquisition) system, operating systems, network equipment, merging units, intelligent terminals and protocols deployed by the secondary and primary systems of the intelligent substation, and generates an intelligent substation equipment state database;
the reference vulnerability information acquisition collects public authoritative vulnerability databases, vulnerability extension information of open standards and vulnerability information in the security bulletins of relevant system/equipment manufacturers, and generates a reference vulnerability information database;
the intelligent substation security vulnerability correlation analysis matches vulnerability information from the reference vulnerability information database against the equipment information confirmed in the equipment state database, and analyzes the security vulnerability state of the intelligent substation.
Optionally, the state detection of the intelligent substation device is as follows:
(1) analyzing the SCD file configured in the intelligent substation total station, and acquiring a device list and attribute data of the intelligent substation total station;
(2) analyzing MMS, GOOSE and SV flow data messages in the intelligent substation network to obtain an active equipment list, fingerprint information and an MAC address;
(3) confirming the existing equipment list and state in the intelligent substation network according to the analysis results of the steps (1) and (2);
(4) judging the hierarchy of the equipment according to the description of the equipment information in the IED node of the SCD file;
(5) performing correlation analysis on the data of steps (3) and (4), completing equipment-level modeling, and generating equipment state information comprising: the hierarchy of the device, the connection status, the product family and model, the firmware version, the address, the name and the manufacturer identification.
Optionally, the reference vulnerability information acquisition is as follows:
(1) acquiring the CVE_ID, CIA deviation, attack vector, required privileges, Chinese-language information, vulnerability location, exploitation mode and vulnerability impact information of vulnerabilities related to intelligent substation facility equipment from a public authoritative vulnerability database;
(2) acquiring the CVE_ID and Vendor_ID information of the vulnerability from the security bulletin information of the system equipment manufacturer;
(3) searching the vulnerability extension information of open standards according to the CVE_ID and Vendor_ID, and collecting the vulnerability classification, vulnerability description, attack pattern and affected system information related to the vulnerability;
(4) logically associating, analyzing and sorting the information acquired in steps (1), (2) and (3), and forming complete reference vulnerability information by comprehensively collecting and standardizing the vulnerability information.
Optionally, the intelligent substation security vulnerability association analysis is as follows:
(1) according to the equipment fingerprint information in the intelligent substation equipment state data, retrieving the corresponding vulnerability information from the reference vulnerability information;
(2) evaluating the vulnerability in terms of vulnerability severity, vulnerability CIA deviation and vulnerability attack pattern according to the information in the reference vulnerability information.
The invention has the beneficial effects that:
According to the non-invasive intelligent substation vulnerability detection method, vulnerabilities are detected in an interference-free bypass mode, so that safety accidents caused by faults induced in the intelligent substation system by vulnerability scanning can be avoided.
By parsing the SCD file of the intelligent substation, information such as the instance configuration, communication parameters and inter-IED communication configuration of all intelligent electronic devices (IEDs) in the intelligent substation is obtained, and a communication network model of the intelligent substation is established; this model is then compared with the acquired real-time traffic data of the intelligent substation to obtain the network topology of the intelligent substation in its current state, and the topology is hierarchically divided by equipment function and mapped to the station control layer, bay layer and process layer of the intelligent substation, realizing object-level management of the equipment. At the same time, managers of the intelligent substation can grasp its current network connection state in real time, which further reduces the difficulty and cost of network operation and maintenance, improves the overall security of the intelligent substation, and provides a basis for information security research on intelligent substations.
By collecting public authoritative vulnerability database information, mainstream open-standard vulnerability extension information and manufacturer security bulletin information, the basic information of each vulnerability is completed and the association relations between vulnerabilities are established, so that the vulnerability description is more multi-dimensional, deep analysis of associated impact is facilitated, and the vulnerability detection results have high precision and better extensibility.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Drawings
For the purposes of promoting a better understanding of the objects, aspects and advantages of the invention, reference will now be made to the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a flowchart of a method for detecting vulnerabilities of a non-intrusive intelligent substation according to an embodiment;
FIG. 2 is a flowchart illustrating SCD file parsing according to an embodiment;
FIG. 3 is a flowchart of traffic packet parsing according to an embodiment;
FIG. 4 is a schematic diagram of the vulnerability information collection method provided by the embodiment;
FIG. 5 is a schematic diagram of the intelligent substation security vulnerability correlation analysis provided in the embodiment.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention in a schematic way, and the features in the following embodiments and examples may be combined with each other without conflict.
The drawings are for the purpose of illustrating the invention only and not for limiting it; to better illustrate the embodiments of the present invention, some parts of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and their descriptions may be omitted.
The same or similar reference numerals in the drawings of the embodiments of the present invention correspond to the same or similar components; in the description of the present invention, it should be understood that if there is an orientation or positional relationship indicated by terms such as "upper", "lower", "left", "right", "front", "rear", etc., based on the orientation or positional relationship shown in the drawings, it is only for convenience of description and simplification of description, but it is not an indication or suggestion that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and therefore, the terms describing the positional relationship in the drawings are only used for illustrative purposes, and are not to be construed as limiting the present invention, and the specific meaning of the terms may be understood by those skilled in the art according to specific situations.
As shown in FIG. 1, a non-intrusive intelligent substation vulnerability detection method includes the following steps:
(1) parsing the SCD file of the substation and establishing the device list and attribute data of the whole intelligent substation (see the detailed steps in FIG. 2);
(2) acquiring the traffic data messages of the intelligent substation, such as MMS, GOOSE and SV, and parsing them to extract the equipment configuration information (see the detailed steps in FIG. 3);
(3) filtering the equipment list in the traffic data through the equipment configuration list extracted from the SCD file, so as to obtain the equipment list in the current network and the connection relations between the equipment, and mapping the equipment list onto the three-layer, two-network structure of the intelligent substation;
(4) carrying out vulnerability detection and associated impact analysis on the intelligent substation facility equipment according to the equipment-related information in the vulnerability information base (the method for acquiring the vulnerability information base is shown in FIG. 4).
As shown in FIG. 2, the SCD file parsing includes the following steps:
(1) acquiring the SCD file of the intelligent substation;
(2) parsing the SCD file using xml.dom.minidom in Python, and saving all elements of the SCD document as a document object with a DOM tree structure;
(3) traversing the tree layer by layer using the functions provided by the DOM to obtain the identification data of all devices;
(4) storing the obtained identification list and attribute data of the intelligent substation total station in a database.
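The following script is an added illustration of steps (1) to (4) above together with the equipment-level modeling described earlier (device hierarchy and connection status); it is not code from the patent. It parses a constructed minimal SCD excerpt with xml.dom.minidom, reads the IED attributes and the GOOSE/SV multicast addresses declared under Communication/ConnectedAP, and then compares the declared addresses with destination MACs observed in captured traffic. The IED names, vendors and addresses are placeholders, and the keyword-based layer classification is an assumed heuristic (the SCD itself does not name the layer, so it is inferred from the IED type/desc text).

```python
from xml.dom import minidom

# Constructed minimal SCD excerpt (placeholder IED names, vendors and addresses).
SCD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Header id="DEMO_STATION"/>
  <Communication>
    <SubNetwork name="ProcessBus">
      <ConnectedAP iedName="PROT01" apName="S1">
        <GSE ldInst="LD0" cbName="gcb01">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="APPID">0001</P>
            <P type="VLAN-ID">064</P>
          </Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="MU01" apName="S1">
        <SMV ldInst="MU" cbName="MSVCB01">
          <Address>
            <P type="MAC-Address">01-0C-CD-04-00-01</P>
            <P type="APPID">4001</P>
          </Address>
        </SMV>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT01" type="LineProtection" manufacturer="ExampleVendor"
       configVersion="1.2" desc="Line protection IED, bay 1"/>
  <IED name="MU01" type="MergingUnit" manufacturer="ExampleVendor"
       configVersion="2.0" desc="Merging unit, process level"/>
  <IED name="GW01" type="StationGateway" manufacturer="OtherVendor"
       configVersion="3.1" desc="Station control layer gateway"/>
</SCL>
"""

# Assumed heuristic: the layer is inferred from the IED type/desc text.
# Anything that matches neither list is treated as bay layer equipment.
LAYER_KEYWORDS = {
    "station control": ("station", "gateway", "scada", "hmi"),
    "process": ("merging unit", "intelligent terminal", "process"),
}


def classify_layer(ied):
    text = (ied.getAttribute("type") + " " + ied.getAttribute("desc")).lower()
    for layer, words in LAYER_KEYWORDS.items():
        if any(w in text for w in words):
            return layer
    return "bay"


def _norm_mac(text):
    return text.strip().lower().replace("-", ":")


def parse_scd(xml_text):
    """Walk the DOM tree and return one record per IED with its declared multicast MACs."""
    doc = minidom.parseString(xml_text)
    macs = {}
    for ap in doc.getElementsByTagName("ConnectedAP"):
        for p in ap.getElementsByTagName("P"):
            if p.getAttribute("type") == "MAC-Address":
                macs.setdefault(ap.getAttribute("iedName"), []).append(_norm_mac(p.firstChild.data))
    devices = []
    for ied in doc.getElementsByTagName("IED"):
        name = ied.getAttribute("name")
        devices.append({
            "name": name,
            "manufacturer": ied.getAttribute("manufacturer"),
            "model": ied.getAttribute("type"),
            "config_version": ied.getAttribute("configVersion"),  # firmware version comes from traffic fingerprints
            "layer": classify_layer(ied),
            "macs": macs.get(name, []),
        })
    return devices


def correlate_with_traffic(devices, observed_dst_macs):
    """Mark devices whose declared GOOSE/SV multicast MACs appear among captured
    destination addresses, and report captured addresses the SCD never declared."""
    seen = {_norm_mac(m) for m in observed_dst_macs}
    declared = set()
    for dev in devices:
        declared.update(dev["macs"])
        dev["status"] = "active" if seen & set(dev["macs"]) else "not observed"
    undeclared = sorted(seen - declared)  # traffic with no configured source: worth investigating
    return devices, undeclared


if __name__ == "__main__":
    devs, unknown = correlate_with_traffic(parse_scd(SCD_XML), ["01-0C-CD-01-00-01", "01-0c-cd-01-ff-ff"])
    for d in devs:
        print(d)
    print("observed but not declared in SCD:", unknown)
```

Devices that are declared in the SCD but never observed, and multicast addresses that are observed but not declared, are both reported rather than dropped: the first indicates a silent or disconnected device, the second a configuration drift or an unexpected talker on the bus.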
As shown in FIG. 3, the traffic packet parsing includes the following steps:
(1) sniffing traffic data in the three-layer, two-network system of the intelligent substation and storing it as a pcap file;
(2) reading the pcap file using the scapy module of Python, filtering the messages according to the IEC 61850-9-2 standard, and identifying GOOSE and SV messages;
(3) parsing the message protocol data unit using the BER encoding rules;
(4) storing the device information, such as the MAC address, parsed from the GOOSE (SV, MMS) messages in a database.
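As an added example of steps (2) to (4), and not code from the patent, the script below decodes raw GOOSE and SV Ethernet frames with a small BER TLV reader: it recognizes the 802.1Q tag, the GOOSE (0x88B8) and SV (0x88BA) EtherTypes, the eight-byte APPID/Length header, and the goosePdu (0x61) or savPdu (0x60) fields that identify the sending device. The frames are constructed inline by the same script (placeholder control block names and MACs); in a real pipeline the same `parse_frame` would be fed `bytes(pkt)` for each packet returned by scapy's `rdpcap`.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_GOOSE, ETHERTYPE_SV = 0x8100, 0x88B8, 0x88BA


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N followed by N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def read_tlv(buf, pos):
    """Decode one TLV with a single-byte tag at pos; returns (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")  # truncated or malformed frame
    return tag, buf[pos:pos + length], pos + length


def read_sequence(buf):
    """Decode a flat run of TLVs into {tag: value}."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        fields[tag] = value
    return fields


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ethertype, appid, apdu, vlan_id=None):
    """Constructed frame: IEC 61850 multicast dst, optional 802.1Q tag, 8-byte header, APDU."""
    dst = bytes.fromhex("010ccd010001" if ethertype == ETHERTYPE_GOOSE else "010ccd040001")
    src = bytes.fromhex("001a2b3c4d5e")  # constructed IED source MAC
    vlan = struct.pack(">HH", ETHERTYPE_VLAN, (4 << 13) | vlan_id) if vlan_id is not None else b""
    header = struct.pack(">HHHH", appid, 8 + len(apdu), 0, 0)  # APPID, Length, Reserved1, Reserved2
    return dst + src + vlan + struct.pack(">H", ethertype) + header + apdu


def sample_goose_frame():
    pdu = b"".join([
        tlv(0x80, b"PROT01LD0/LLN0$GO$gcb01"),   # gocbRef
        tlv(0x81, (2000).to_bytes(2, "big")),    # timeAllowedtoLive (ms)
        tlv(0x82, b"PROT01LD0/LLN0$dsGOOSE"),    # datSet
        tlv(0x83, b"PROT01_GOOSE1"),              # goID
        tlv(0x84, bytes(8)),                      # t (UtcTime, zeroed here)
        tlv(0x85, b"\x07"), tlv(0x86, b"\x03"),   # stNum, sqNum
        tlv(0x87, b"\x00"), tlv(0x88, b"\x01"),   # simulation, confRev
        tlv(0x89, b"\x00"), tlv(0x8A, b"\x01"),   # ndsCom, numDatSetEntries
        tlv(0xAB, tlv(0x83, b"\x00")),            # allData: one BOOLEAN
    ])
    return build_frame(ETHERTYPE_GOOSE, 0x0001, tlv(0x61, pdu), vlan_id=100)


def sample_sv_frame():
    asdu = tlv(0x30, b"".join([
        tlv(0x80, b"MU01MUSV01"),                 # svID
        tlv(0x82, (1234).to_bytes(2, "big")),    # smpCnt
        tlv(0x83, (1).to_bytes(4, "big")),        # confRev
        tlv(0x85, b"\x02"),                       # smpSynch
        tlv(0x87, bytes(8)),                      # seqData (zeroed sample values)
    ]))
    return build_frame(ETHERTYPE_SV, 0x4001, tlv(0x60, tlv(0x80, b"\x01") + tlv(0xA2, asdu)))


def parse_frame(frame):
    """Return the device-relevant fields of a GOOSE/SV frame, or None for other traffic."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack(">H", frame[12:14])
    pos, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack(">HH", frame[14:18])
        pos, vlan_id = 18, tci & 0x0FFF
    if ethertype not in (ETHERTYPE_GOOSE, ETHERTYPE_SV):
        return None
    appid, length, _r1, _r2 = struct.unpack(">HHHH", frame[pos:pos + 8])
    tag, pdu, _ = read_tlv(frame[pos + 8:pos + length], 0)
    rec = {"proto": "GOOSE" if ethertype == ETHERTYPE_GOOSE else "SV",
           "src_mac": _mac(src), "dst_mac": _mac(dst), "appid": appid, "vlan": vlan_id}
    if rec["proto"] == "GOOSE" and tag == 0x61:
        f = read_sequence(pdu)
        rec.update(gocbRef=f[0x80].decode(), goID=f[0x83].decode(),
                   stNum=int.from_bytes(f[0x85], "big"), sqNum=int.from_bytes(f[0x86], "big"),
                   confRev=int.from_bytes(f[0x88], "big"))
    elif rec["proto"] == "SV" and tag == 0x60:
        f = read_sequence(pdu)
        sv_ids, p = [], 0
        while p < len(f[0xA2]):                   # one ASDU (SEQUENCE 0x30) per sampled stream
            _t, asdu, p = read_tlv(f[0xA2], p)
            sv_ids.append(read_sequence(asdu)[0x80].decode())
        rec.update(noASDU=f[0x80][0], svIDs=sv_ids)
    return rec
```

The source MAC, gocbRef/goID or svID, and confRev are the fields worth persisting per device; stNum and sqNum are useful for a passive monitor because a sequence that jumps or repeats unexpectedly points at a misbehaving or duplicated publisher. A frame whose BER length runs past the captured bytes raises instead of being silently truncated, so malformed traffic shows up in the logs rather than as a partial device record.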
As shown in FIG. 4, the vulnerability information collection is developed on the basis of authoritative vulnerability databases and mainstream open standards (CVE, NVD, CNNVD, CPE, CWE, CAPEC, CVSS) using the open-source technologies Python, SQLite and openCVSS, and supports association with third-party security references (CVSS, OSVDB, OVAL) and system vendor security bulletins; to suit the physically isolated internal/external network deployment that is typical of intelligent substations, the subsystem can operate independently, supports offline acquisition of vulnerability information, and supports cross-platform use (Windows and Linux). The specific implementation steps are as follows:
(1) acquiring the CVE_ID, CIA deviation, attack vector, required privileges, Chinese-language information, vulnerability location, exploitation mode and vulnerability impact information of the latest vulnerabilities from a public authoritative vulnerability database;
(2) acquiring the CVE_ID and Vendor_ID information of the latest vulnerabilities from the security bulletin information of the equipment system manufacturer;
(3) searching the vulnerability extension information of open standards according to the CVE_ID and Vendor_ID, and acquiring the vulnerability classification, vulnerability description, attack pattern and affected system information related to the vulnerability;
(4) the classification information structuring main module performs logical association analysis and sorting on the information acquired in the three preceding steps, and forms complete reference vulnerability information through all-round collection and standardized sorting of vulnerability information.
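The script below is an added example of steps (1) to (4) here and of the identical reference vulnerability information acquisition steps in the summary above; it is not the patent's implementation. It loads three constructed feeds (an authoritative database export, vendor bulletins keyed by Vendor_ID, and open-standard extension records keyed by CVE_ID and, where known, Vendor_ID) into SQLite, which the specification names, and joins them into one normalized reference record per CVE. All identifiers are placeholders: the CVE and Vendor_ID values are invented, and the CWE/CAPEC values are used only as sample classification labels.

```python
import sqlite3

# Constructed feeds; all IDs are placeholders, not real advisories.
AUTHORITATIVE_DB = [  # step (1): public vulnerability database export
    ("CVE-0000-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "hard-coded maintenance credential", "management service", "network access"),
    ("CVE-0000-0002", "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
     "malformed request discloses memory", "MMS server", "station bus access"),
    ("CVE-0000-0003", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
     "oversized dataset stalls receiver", "GOOSE decoder", "process bus access"),
]
VENDOR_BULLETINS = [  # step (2): Vendor_ID <-> CVE_ID, with affected product and fixed firmware
    ("EXV-SA-0001", "CVE-0000-0001", "ExampleVendor", "PROT-100", "1.3"),
    ("EXV-SA-0002", "CVE-0000-0002", "ExampleVendor", "PROT-100", "1.4"),
]
OPEN_STANDARD_EXT = [  # step (3): CWE / CAPEC / CPE looked up by CVE_ID (and Vendor_ID where given)
    ("CVE-0000-0001", "EXV-SA-0001", "CWE-798", "CAPEC-70",
     "cpe:2.3:o:examplevendor:prot-100_firmware:*:*:*:*:*:*:*:*"),
    ("CVE-0000-0002", None, "CWE-20", None, None),
]

SCHEMA = """
CREATE TABLE cve(cve_id TEXT PRIMARY KEY, cvss TEXT, description TEXT, location TEXT, exploitation TEXT);
CREATE TABLE vendor_bulletin(vendor_id TEXT PRIMARY KEY, cve_id TEXT NOT NULL, vendor TEXT, product TEXT, fixed_in TEXT);
CREATE TABLE ext(cve_id TEXT NOT NULL, vendor_id TEXT, cwe TEXT, capec TEXT, cpe TEXT);
-- step (4): one normalized record per CVE. LEFT JOINs keep CVEs that the vendor or the
-- open standards have not covered yet; 'completeness' flags those for follow-up.
CREATE VIEW reference_vuln AS
SELECT c.cve_id, c.cvss, c.description, c.location, c.exploitation,
       v.vendor_id, v.vendor, v.product, v.fixed_in, e.cwe, e.capec, e.cpe,
       CASE WHEN v.vendor_id IS NULL OR e.cwe IS NULL THEN 'partial' ELSE 'complete' END AS completeness
FROM cve c
LEFT JOIN vendor_bulletin v ON v.cve_id = c.cve_id
LEFT JOIN ext e ON e.cve_id = c.cve_id AND (e.vendor_id IS NULL OR e.vendor_id = v.vendor_id);
"""


def build_reference_db(path=":memory:"):
    """Load the three feeds and expose the normalized view; an on-disk path works offline."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cve VALUES (?,?,?,?,?)", AUTHORITATIVE_DB)
    conn.executemany("INSERT INTO vendor_bulletin VALUES (?,?,?,?,?)", VENDOR_BULLETINS)
    conn.executemany("INSERT INTO ext VALUES (?,?,?,?,?)", OPEN_STANDARD_EXT)
    conn.commit()
    return conn


def lookup(conn, cve_id):
    row = conn.execute("SELECT * FROM reference_vuln WHERE cve_id = ?", (cve_id,)).fetchone()
    return dict(row) if row else None


def incomplete_records(conn):
    """CVEs whose reference record still lacks a vendor bulletin or a classification."""
    rows = conn.execute("SELECT cve_id FROM reference_vuln WHERE completeness = 'partial' ORDER BY cve_id")
    return [r["cve_id"] for r in rows]


if __name__ == "__main__":
    db = build_reference_db()
    for cve in ("CVE-0000-0001", "CVE-0000-0003"):
        print(lookup(db, cve))
    print("needs follow-up:", incomplete_records(db))
```

A CVE with several vendor bulletins yields one row per bulletin in the view, so consumers that need exactly one record per CVE should filter on vendor as well. Keeping partial records visible instead of discarding them matters on an isolated network, where the next offline import may be the only chance to fill the gap.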
As shown in FIG. 5, the specific implementation steps of the vulnerability correlation analysis of the intelligent substation are as follows:
(1) the security vulnerability correlation analysis module performs correlation analysis between the reference vulnerability information and the state information of the intelligent substation system equipment, so that the vulnerability information corresponds to the intelligent substation system equipment actually deployed and in operation;
(2) according to the information in the reference vulnerability information, management analysis and evaluation are performed in terms of vulnerability severity, vulnerability CIA deviation, vulnerability attack pattern and vulnerability impact scope.
In the embodiment of the application, the generated vulnerability information is more comprehensive and the vulnerability detection results are more accurate; the problem that current vulnerability detection systems simply divide their results into high, medium and low vulnerabilities is effectively solved, the associated impact among vulnerabilities and the distribution of vulnerabilities across the whole system are described more intuitively, and timely and comprehensive decision support information can be provided for the security protection of Web applications.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions, and all of them should be covered by the claims of the present invention.