CN112073375A - Isolation device and isolation method suitable for power Internet of things client side - Google Patents
- Publication number: CN112073375A (application CN202010789502.2A)
- Authority: CN (China)
- Prior art keywords: data message, data, processing module, external network, equipment
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- G16Y10/35—Utilities, e.g. electricity, gas or water
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L69/08—Protocols for interworking; Protocol conversion
- H04L69/22—Parsing or analysis of headers
Abstract
The invention relates to an isolation device and an isolation method suitable for a power Internet of things client side, wherein an external network processing module is used for analyzing a received first data message sent by external network equipment to obtain key information, and protocol format conversion processing is carried out on the key information according to a data ferry protocol to obtain a second data message; controlling an external network processing module and an internal network processing module to be in a physical isolation state by using an isolation exchange module, and carrying out format verification on the second data message; and after the second data message passes the format check, the second data message is decrypted by using the intranet processing module, and the decrypted second data message is subjected to protocol format conversion processing according to the power internet of things private communication protocol so as to obtain a third data message and send the third data message to the intranet equipment, so that the safety isolation of an open client side access network and a power internet of things core network is realized, and the illegal intrusion of a core service system can be effectively prevented.
Description
Technical Field
The invention relates to the technical field of internet of things, in particular to an isolation device and an isolation method suitable for a power internet of things client side.
Background
With the development of new technologies such as mobile interconnection, artificial intelligence and the like, bidirectional interaction between power users and a smart power grid is more and more frequent, and the requirements of the users on the service form and the service quality of the power grid are higher and higher. In order to meet the application requirements of power consumers and enhance the perception and participation of the power consumers to the smart grid, the power internet of things is generated accordingly. The power internet of things has the characteristics of comprehensive operation state sensing, efficient information processing, convenient and flexible application and the like, and power users and equipment, various enterprises and equipment, people and objects are connected to generate shared data, so that the power users, power grids, power enterprises, suppliers and the society are served, the power grids are used as hubs, the platform and the sharing function are played, and more valuable services are provided for the whole industry and more market subjects.
In order to improve the interactivity between the power internet of things and its users, a large number of non-grid-asset devices whose security cannot be controlled, such as charging piles and external comprehensive energy equipment, need to be connected to the client side of the power internet of things. These devices connect to all kinds of electrical equipment through convenient communication modes such as WIFI, collecting power consumption data and exchanging information. The electric power network is thus inevitably changed from a closed service mode to an open service mode, so that the power internet of things is directly connected with a public network; the risk that the power internet of things is attacked over the network through forged terminal access, trojans, viruses, malicious code and the like increases greatly, and malicious personnel can easily invade the whole electric power network through the sensing layer and attack and damage it. Therefore, an isolation device is required to realize network isolation and secure interaction of data between networks. However, the traditional isolation device or system has a single function, a large size and high power consumption, requires relatively many computing resources, is mostly only suitable for boundary isolation of a traditional network, and cannot meet the requirement of secure information interaction with uncontrolled client-side devices at the sensing layer or boundary layer of the power internet of things, where low power consumption, low cost and large-scale distributed deployment are required.
Therefore, the internet of things micro-isolation technology needs to be researched, a network isolation device which can be deployed in a power internet of things sensing layer or an edge layer is developed, and an access network which is open for power users and a core network of the power internet of things are safely isolated.
Disclosure of Invention
The invention provides an isolation device and an isolation method suitable for a power internet of things client side, and aims to solve the problem of how to safely isolate an open internet of things client side access network from a power internet of things core network.
In order to solve the above problem, according to an aspect of the present invention, there is provided an isolation device suitable for a client side of a power internet of things, the device including:
the external network processing module is used for analyzing the received first data message sent by the external network equipment to acquire key information, and performing protocol format conversion processing on the key information according to a data ferry protocol to acquire a second data message and sending the second data message to the isolation exchange module;
the isolation switching module is used for controlling the outer network processing module and the inner network processing module to be in a physical isolation state, carrying out format verification on the second data message, and sending the second data message to the inner network processing module after the second data message passes the format verification;
and the intranet processing module is used for decrypting the second data message and performing protocol format conversion processing on the decrypted second data message according to the power internet of things special communication protocol so as to obtain a third data message and send the third data message to the intranet equipment.
Preferably, the apparatus further comprises:
the intranet processing module is used for encrypting the received fourth data message sent by the intranet equipment and carrying out protocol format conversion processing on the encrypted fourth data message according to the data ferry protocol so as to obtain a fifth data message and send the fifth data message to the isolation exchange module;
the isolation switching module is used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the fifth data message, and sending the fifth data message to the external network processing module after the fifth data message passes the format verification;
and the external network processing module is used for carrying out protocol format conversion processing on the fifth data message according to the communication protocol of the external network equipment so as to obtain a sixth data message and sending the sixth data message to the external network equipment.
Preferably, the extranet processing module further includes:
the format checking unit is used for checking whether the message format of the first data message meets the admission requirement of the power Internet of things; if the verification is passed, analyzing the first data message; if the verification fails, rejecting the data transmission request of the external network equipment;
the flow monitoring unit is used for monitoring whether the data flow of the external network equipment meets the admission requirement of the power internet of things and whether abnormal data flow exists; if the abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if the abnormal data flow does not exist, allowing the data transmission request of the external network equipment.
Preferably, the isolation exchange module controls the external network processing module and the internal network processing module to be in a physically isolated state as follows:
controlling the outer network processing module and the inner network processing module to be in a physical cut-off state at the same time; if one of the outer network processing module and the inner network processing module is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and after the data interaction of the one module is finished and the isolation control signal is released, the other module can carry out data interaction with the logic isolation unit.
Preferably, the isolation exchange module performs the format check as follows:
checking whether the format of the data message to be transmitted conforms to a data ferry protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check fails, rejecting the data message to be transmitted.
Preferably, the intranet processing module further includes:
the identity recognition unit is used for acquiring the identity information of the external network device to be accessed according to the decrypted second data message and carrying out identity authentication according to that identity information; if the identity authentication is successful, the external network device to be accessed is allowed to access the power internet of things for information interaction; if the identity authentication fails, the external network device to be accessed is refused access to the power internet of things for information interaction; wherein the key information comprises: identity information of the external network device.
Preferably, the identity identifying unit performs identity authentication according to identity information of an external network device to be accessed, and includes:
respectively generating an equipment fingerprint and an operating environment fingerprint according to the identity information of the external equipment to be accessed and a preset fingerprint generation strategy, and comparing the equipment fingerprint and the operating environment fingerprint with the equipment fingerprint and the environment fingerprint in a preset equipment access white list to perform identity authentication; wherein the identity information comprises: device parameter information and operating environment parameter information; the device parameter information includes: MAC address, IP, communication protocol, effective data and data format of the external network equipment; the operating environment parameter information includes: energy consumption changes, signal strength changes, and traffic changes for the extranet devices.
Preferably, the intranet processing module further includes:
the access control unit is used for performing access control on the external network equipment according to a preset access control strategy and determining the access authority of the external network equipment;
the service monitoring unit is used for monitoring the process in the intranet processing module and timely processing the abnormal event when the abnormal event occurs so as to maintain the normal service of the intranet processing module;
the log recording unit is used for recording various operation logs and communication logs;
and the key and certificate import unit is used to interface with the unified power cryptographic infrastructure so as to realize key distribution for the external network equipment and the application for and issuing of digital certificates.
According to another aspect of the invention, an isolation method suitable for a client side of a power internet of things is provided, and the method comprises the following steps:
analyzing a received first data message sent by the external network equipment to acquire key information, and performing protocol format conversion processing on the key information according to a data ferry protocol to acquire a second data message;
controlling the outer network processing module and the inner network processing module to be in a physical isolation state, and carrying out format verification on the second data message;
and after the second data message passes format verification, decrypting the second data message, and performing protocol format conversion processing on the decrypted second data message according to a power internet of things special communication protocol to obtain a third data message and send the third data message to the intranet equipment.
Preferably, the method further comprises:
encrypting a received fourth data message sent by the intranet equipment, and performing protocol format conversion processing on the encrypted fourth data message according to the data ferry protocol to obtain a fifth data message;
controlling the outer network processing module and the inner network processing module to be in a physical isolation state, and carrying out format verification on the fifth data message;
and after the fifth data message passes the format verification, performing protocol format conversion processing on the fifth data message according to a communication protocol of the external network equipment to obtain a sixth data message and sending the sixth data message to the external network equipment.
Preferably, the method further comprises:
before analyzing a received first data message sent by an external network device, checking whether the message format of the first data message meets the admission requirement of the power Internet of things; if the verification is passed, analyzing the first data message; if the verification fails, rejecting the data transmission request of the external network equipment;
monitoring whether the data flow of the external network equipment meets the admission requirement of the power internet of things or not and whether abnormal data flow exists or not; if the abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if the abnormal data flow does not exist, allowing the data transmission request of the external network equipment.
Preferably, the controlling the external network processing module and the internal network processing module in a physically isolated state includes:
controlling the outer network processing module and the inner network processing module to be in a physical cut-off state at the same time; if one of the outer network processing module and the inner network processing module is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and after the data interaction of the one module is finished and the isolation control signal is released, the other module can carry out data interaction with the logic isolation unit.
Preferably, the format verification is performed as follows:
checking whether the format of the data message to be transmitted conforms to a data ferry protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check fails, rejecting the data message to be transmitted.
Preferably, the method further comprises:
according to the decrypted second data message, acquiring the identity information of the external network device to be accessed, and performing identity authentication according to that identity information; if the identity authentication is successful, the external network device to be accessed is allowed to access the power internet of things for information interaction; if the identity authentication fails, the external network device to be accessed is refused access to the power internet of things for information interaction; wherein the key information comprises: identity information of the external network device.
Preferably, the performing identity authentication according to the identity information of the external network device to be accessed includes:
respectively generating an equipment fingerprint and an operating environment fingerprint according to the identity information of the external equipment to be accessed and a preset fingerprint generation strategy, and comparing the equipment fingerprint and the operating environment fingerprint with the equipment fingerprint and the environment fingerprint in a preset equipment access white list to perform identity authentication; wherein the identity information comprises: device parameter information and operating environment parameter information; the device parameter information includes: MAC address, IP, communication protocol, effective data and data format of the external network equipment; the operating environment parameter information includes: energy consumption changes, signal strength changes, and traffic changes for the extranet devices.
Preferably, the method further comprises:
performing access control on the external network equipment according to a preset access control strategy, and determining the access authority of the external network equipment;
monitoring the process in the intranet processing module, and timely processing the abnormal event when the abnormal event occurs so as to maintain the normal service of the intranet processing module;
recording various operation logs and communication logs;
and interfacing with the unified power cryptographic infrastructure to realize key distribution for the external network equipment and the application for and issuing of digital certificates.
The invention provides an isolation device and an isolation method suitable for a power Internet of things client side, wherein an external network processing module is used for analyzing a received first data message sent by external network equipment to obtain key information, and the protocol format conversion processing is carried out on the key information according to a data ferry protocol to obtain a second data message; controlling an external network processing module and an internal network processing module to be in a physical isolation state by using an isolation exchange module, and carrying out format verification on the second data message; and after the second data message passes the format check, the second data message is decrypted by using the intranet processing module, and the decrypted second data message is subjected to protocol format conversion processing according to the power internet of things private communication protocol so as to obtain a third data message and send the third data message to the intranet equipment, so that the safety isolation of an open client side access network and a power internet of things core network is realized, and the illegal intrusion of a core service system can be effectively prevented.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
FIG. 1 is a schematic structural diagram of an isolation device 100 suitable for a client side of an electric internet of things according to an embodiment of the invention;
FIG. 2 is a diagram of the logical architecture of a network isolation device according to an embodiment of the present invention;
FIG. 3 is a flow diagram of identity authentication according to an embodiment of the present invention;
FIG. 4 is a read and write logic diagram of an isolation device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of transparent proxy mode based application layer data exchange according to an embodiment of the present invention;
FIG. 6 is a flowchart of an isolation method 600 suitable for a client side of an internet of things of power according to an embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings; however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a schematic structural diagram of an isolation device 100 suitable for a client side of an electric internet of things according to an embodiment of the present invention. As shown in fig. 1, the isolation device suitable for the client side of the power internet of things provided by the invention realizes the safe isolation between the open client side access network and the core network of the power internet of things, and can effectively prevent the core service system from being illegally invaded. The isolation device 100 suitable for the client side of the power internet of things provided by the embodiment of the invention comprises: an extranet processing module 101, an isolation exchange module 102 and an intranet processing module 103.
Preferably, the external network processing module 101 is configured to analyze a received first data packet sent by the external network device to obtain key information, and perform protocol format conversion processing on the key information according to a data ferry protocol to obtain a second data packet and send the second data packet to the isolation switching module.
Preferably, the extranet processing module 101 further includes:
the format checking unit is used for checking whether the message format of the first data message meets the admission requirement of the power Internet of things; if the verification is passed, analyzing the first data message; if the verification fails, rejecting the data transmission request of the external network equipment;
the flow monitoring unit is used for monitoring whether the data flow of the external network equipment meets the admission requirement of the power internet of things and whether abnormal data flow exists; if the abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if the abnormal data flow does not exist, allowing the data transmission request of the external network equipment.
Fig. 2 is a diagram of the logical architecture of a micro network isolation device according to an embodiment of the present invention. As shown in fig. 2, in an embodiment of the present invention, an extranet processing module includes: an outer network communication submodule and an outer network service processing submodule.
The extranet communication submodule comprises an HPLC interface unit, a WIFI interface unit and an external network Ethernet interface unit, so that external network equipment can access the network via WIFI, HPLC, Ethernet and other modes.
The external network service processing submodule mainly comprises an external network data transceiving unit, a format checking unit, a flow monitoring unit, an external network protocol conversion unit and an external network upgrade management unit. The external network data transceiving unit is used for receiving the first data message sent by the external network equipment. The format checking unit is used for checking whether the message format of the first data message meets the admission requirement of the power Internet of things; if the verification is passed, the first data message is analyzed; if the verification fails, the data transmission request of the external network equipment is rejected. The flow monitoring unit is used for monitoring whether the data flow of the external network equipment meets the admission requirement of the power internet of things and whether abnormal data flow exists; if abnormal data flow exists, the data transmission request of the external network equipment is rejected; if it does not, the data transmission request is allowed. The external network protocol conversion unit is used for analyzing the first data message to acquire key information, removing the transport layer protocol from the key information and encapsulating the key information according to the data ferry protocol to acquire a second data message, which is sent to the isolation exchange module. The key information comprises: device MAC information, IP address, the effective data of the instruction sent by the device, and the like. The format of the data message before protocol conversion conforms to the communication protocol of the external network equipment, and the data after protocol conversion conforms to the data ferry protocol.
The external network upgrade management unit is mainly responsible for upgrading and maintaining the software of the external network processing module.
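As an added illustration (not code from the patent), the admission checks of the format checking unit and the flow monitoring unit described above can be modelled as a per-device sliding window; the admitted protocols, size limits and rate thresholds are assumptions, since the patent states the checks but not the numbers:

```python
from collections import defaultdict, deque

# Assumed admission requirements; the patent names the checks, not the values.
ADMITTED_PROTOCOLS = {"mqtt", "modbus-tcp"}
MAX_MSG_BYTES = 1024            # largest first data message accepted
WINDOW_SECONDS = 10.0           # sliding window for per-device flow statistics
MAX_MSGS_PER_WINDOW = 50        # more than this from one device counts as abnormal flow
MAX_BYTES_PER_WINDOW = 16 * 1024


class ExtranetAdmission:
    """Format checking unit plus flow monitoring unit of the extranet processing module."""

    def __init__(self) -> None:
        self.history = defaultdict(deque)    # device MAC -> deque of (time, bytes)
        self.rejections = defaultdict(int)   # reason -> count, for the log recording unit

    def check(self, mac: str, protocol: str, nbytes: int, now: float) -> tuple[bool, str]:
        """Return (admit, reason) for one incoming first data message."""
        # Format check: the message must use an admitted protocol and an admitted size.
        if protocol not in ADMITTED_PROTOCOLS:
            return self._reject("protocol not admitted")
        if nbytes <= 0 or nbytes > MAX_MSG_BYTES:
            return self._reject("message size outside admission limits")
        # Flow monitoring: drop entries older than the window, then test the rate
        # and volume of what this device has sent inside the window.
        window = self.history[mac]
        while window and now - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        window.append((now, nbytes))
        if len(window) > MAX_MSGS_PER_WINDOW:
            return self._reject("abnormal message rate")
        if sum(b for _, b in window) > MAX_BYTES_PER_WINDOW:
            return self._reject("abnormal traffic volume")
        return True, "admitted"

    def _reject(self, reason: str) -> tuple[bool, str]:
        self.rejections[reason] += 1
        return False, reason
```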
Preferably, the isolation switching module 102 is configured to control the external network processing module and the internal network processing module to be in a physically isolated state, perform format verification on the second data message, and send the second data message to the internal network processing module after the second data message passes the format verification.
Preferably, the isolation exchange module 102 controls the extranet processing module and the intranet processing module to be in a physically isolated state as follows:
controlling the outer network processing module and the inner network processing module to be in a physical cut-off state at the same time; if one of the outer network processing module and the inner network processing module is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and after the data interaction of the one module is finished and the isolation control signal is released, the other module can carry out data interaction with the logic isolation unit.
Preferably, the isolation exchange module performs the format check as follows:
checking whether the format of the data message to be transmitted conforms to a data ferry protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check fails, rejecting the data message to be transmitted.
As shown in fig. 2, in an embodiment of the present invention, the isolation exchange module comprises an isolation exchange master controller MCU and a network isolation submodule; the network isolation submodule comprises a logic isolation unit and a data exchange unit.
The logic isolation unit controls the external network processing module and the internal network processing module to be in a physical isolation state, and the data exchange unit carries out format verification on the second data message and sends it to the internal network processing module after it passes, thereby completing the data transmission. Specifically, the logic isolation unit in the isolation exchange module controls the external network processing module and the internal network processing module so that both are in a physically cut-off state at the same time; if one of the two modules is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and only after the data interaction of the first module is finished and the isolation control signal is released can the other module carry out data interaction with the logic isolation unit. For the format verification, the data exchange unit checks whether the format of the second data message conforms to the data ferry protocol; if the format check is passed, the data message to be transmitted is transmitted; if the format check fails, the data message to be transmitted is rejected.
The isolation exchange master controller MCU comprises at least three CPUs: two of them handle intranet services and extranet services respectively, and the third manages system configuration and security policy settings.
Preferably, the intranet processing module 103 is configured to decrypt the second data message, and perform protocol format conversion processing on the decrypted second data message according to a power internet of things dedicated communication protocol to obtain a third data message and send the third data message to the intranet device.
Preferably, the intranet processing module further includes:
an identity recognition unit, configured to obtain the identity information of the extranet device to be accessed from the decrypted second data message and to perform identity authentication according to that identity information; if the identity authentication succeeds, the extranet device to be accessed is allowed to access the power internet of things for information interaction; if the identity authentication fails, the extranet device to be accessed is refused access to the power internet of things; wherein the key information comprises the identity information of the extranet device.
Preferably, the identity recognition unit performs identity authentication according to the identity information of the extranet device to be accessed as follows:
generating a device fingerprint and an operating environment fingerprint from the identity information of the extranet device to be accessed according to a preset fingerprint generation strategy, and comparing them with the device fingerprints and environment fingerprints held in a preset device access white list to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the extranet device; and the operating environment parameter information includes the energy consumption changes, signal strength changes and traffic changes of the extranet device.
Preferably, the intranet processing module further includes:
an access control unit, configured to perform access control on the extranet device according to a preset access control strategy and to determine the access authority of the extranet device;
a service monitoring unit, configured to monitor the processes in the intranet processing module and to handle abnormal events promptly when they occur, so as to maintain the normal service of the intranet processing module;
a log recording unit, configured to record the various operation logs and communication logs;
and a key certificate import unit, configured to interface with the electric power unified cryptographic infrastructure so as to realize the distribution of the extranet device key and the application for and issuance of the digital certificate.
As shown in fig. 2, in an embodiment of the present invention, the intranet processing module includes an intranet communication submodule, a cryptographic operation submodule and an intranet service processing submodule. The intranet communication submodule includes a power private network interface unit and an intranet Ethernet interface unit. The cryptographic operation submodule includes a key management unit and an algorithm operation unit. The intranet service processing submodule includes an intranet data transceiver unit, an intranet protocol conversion unit, an identity recognition unit, a service monitoring unit, an access control unit, a key certificate import unit, a log recording unit and an intranet upgrade management unit.
In the embodiment of the invention, the key management unit is responsible for the security management of the whole life cycle of the keys. The algorithm operation unit performs the operations of the national commercial cryptographic algorithms SM1, SM2, SM3, SM4, SM7 and SM9, and decrypts the second data message to obtain the decrypted second data message. After receiving the second data message sent by the isolation exchange module through the intranet data transceiver unit, the intranet processing module decrypts the second data message with the algorithm operation unit, performs protocol format conversion on the decrypted second data message with the intranet protocol conversion unit according to the dedicated communication protocol of the power internet of things to obtain a third data message, and sends the converted and encapsulated third data message to the intranet device with the intranet data transceiver unit. The format of the data message before protocol conversion conforms to the data ferry protocol; the data after protocol conversion conforms to the dedicated communication protocol of the power internet of things. In addition, the intranet processing module uses the identity recognition unit to perform identity authentication according to the identity information of the extranet device to be accessed; if the identity authentication succeeds, the extranet device to be accessed is allowed access, and if it fails, the extranet device to be accessed is refused access. Specifically, the identity authentication process is shown in fig. 3 and includes:
(1) The sensing device or user electrical device sends its device parameter information, namely its MAC, IP, communication protocol P_r, valid data D_v and data format D_f, to the intranet processing module. The intranet processing module analyses the legality and validity of this information and, if it meets the admission requirement of the internet of things environment, forms a device fingerprint D_fp and feeds the verification result back to the sensing device or user electrical device.
(2) The sensing device or user electrical device sends its environment parameter information, such as the energy consumption change Ec, signal strength change Sc and traffic change Fc, to the intranet processing module. The isolation device generates an "operating environment fingerprint" E_fp and feeds the result back to the sensing device or user electrical device.
(3) The intranet processing module transmits the acquired fingerprint information to the background centralized management platform, which establishes a sensing device access white list W_l.
(4) When a device to be accessed connects to the isolation device over WIFI, HPLC or Ethernet, the intranet processing module regenerates the device fingerprint and the operating environment fingerprint from the identity information of the extranet device to be accessed according to the preset fingerprint generation strategy, and compares them with the device fingerprints and environment fingerprints in the preset device access white list to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information.
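The four-step admission flow above (device parameter validation, device fingerprint D_fp, operating environment fingerprint E_fp, white list W_l lookup) as an added example; this is not the patent's implementation. It assumes SHA-256 in place of the SM3 hash, a constructed set of admitted protocols, and a quantisation step for the fluctuating environment readings, since the patent leaves the fingerprint generation strategy unspecified.

```python
"""Device / environment fingerprint admission check (added example)."""
import hashlib
import ipaddress
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, Tuple

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ALLOWED_PROTOCOLS = {"MQTT", "DL/T645", "Modbus"}   # constructed admission set
# Environment readings drift; they are quantised into steps of this size
# before hashing so that small drift yields the same E_fp (an assumption).
ENV_STEP = 5.0


@dataclass(frozen=True)
class DeviceParams:
    """Device parameter information: MAC, IP, protocol P_r, valid data D_v, format D_f."""
    mac: str
    ip: str
    protocol: str
    valid_data: str
    data_format: str


@dataclass(frozen=True)
class EnvParams:
    """Operating environment parameter information: Ec, Sc, Fc (percent change)."""
    energy_change: float
    signal_change: float
    traffic_change: float


def check_admission(dev: DeviceParams) -> Tuple[bool, str]:
    """Step (1): legality and validity analysis of the device parameters."""
    if not MAC_RE.match(dev.mac):
        return False, "malformed MAC"
    try:
        ipaddress.ip_address(dev.ip)
    except ValueError:
        return False, "malformed IP"
    if dev.protocol not in ALLOWED_PROTOCOLS:
        return False, "protocol not admitted"
    if not dev.valid_data or not dev.data_format:
        return False, "missing data description"
    return True, "ok"


def _digest(obj) -> str:
    # SHA-256 stands in for the SM3 hash the cryptographic unit would use.
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def device_fingerprint(dev: DeviceParams) -> str:
    """D_fp: hash of the canonicalised, normalised device parameters."""
    fields = asdict(dev)
    fields["mac"] = fields["mac"].upper()
    return _digest(fields)


def environment_fingerprint(env: EnvParams) -> str:
    """E_fp: hash of the quantised environment readings."""
    buckets = {k: round(v / ENV_STEP) for k, v in asdict(env).items()}
    return _digest(buckets)


def enrol(whitelist: Dict[str, str], dev: DeviceParams, env: EnvParams) -> Tuple[bool, str]:
    """Steps (1) to (3): validate, fingerprint and record in the white list W_l."""
    ok, reason = check_admission(dev)
    if not ok:
        return False, reason
    whitelist[device_fingerprint(dev)] = environment_fingerprint(env)
    return True, "enrolled"


def authenticate(whitelist: Dict[str, str], dev: DeviceParams, env: EnvParams) -> Tuple[bool, str]:
    """Step (4): regenerate both fingerprints on access and compare with W_l."""
    expected_env = whitelist.get(device_fingerprint(dev))
    if expected_env is None:
        return False, "device fingerprint not in white list"
    if expected_env != environment_fingerprint(env):
        return False, "operating environment fingerprint mismatch"
    return True, "admitted"


if __name__ == "__main__":
    wl: Dict[str, str] = {}
    meter = DeviceParams("00:1a:2b:3c:4d:5e", "10.1.2.3", "MQTT", "voltage,current", "json")
    baseline = EnvParams(10.0, -4.0, 21.0)
    print(enrol(wl, meter, baseline))
    print(authenticate(wl, meter, EnvParams(11.5, -3.0, 22.0)))   # drift within step
    print(authenticate(wl, meter, EnvParams(60.0, -4.0, 21.0)))   # behaviour changed
```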
The isolation device of the embodiment of the invention protects service data and instructions mainly through bidirectional identity authentication, data encryption and encapsulation, and data integrity verification. Bidirectional identity authentication: the system uses the cryptographic algorithms SM1, SM2 and SM3 and performs mutual identity authentication with the master station service application system based on mechanisms such as challenge-response and digital certificate signing and signature verification. Data encryption and encapsulation: service data and control instructions are encapsulated and encrypted according to the dedicated secure communication protocol of the power internet of things. Data integrity verification: the integrity of service data and control instructions is ensured through message authentication codes, digital signatures and data timeliness verification.
In an embodiment of the present invention, the access control unit performs access control on the extranet device according to a preset access control policy and determines the access rights of the extranet device. The intranet upgrade management unit upgrades and maintains the software of the intranet processing module. The key certificate import unit interfaces with the electric power unified cryptographic infrastructure and realizes the distribution of the extranet device key and the application for and issuance of the digital certificate. The log recording unit records the various operation logs, communication logs and similar information for later analysis and tracing.
Preferably, the apparatus further comprises:
the intranet processing module is used for encrypting the received fourth data message sent by the intranet equipment and carrying out protocol format conversion processing on the encrypted fourth data according to a data ferry protocol so as to obtain a fifth data message and sending the fifth data message to the isolation exchange module;
the isolation switching module is used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the fifth data message, and sending the fifth data message to the external network processing module after the fifth data message passes the format verification;
and the external network processing module is used for carrying out protocol format conversion processing on the fifth data message according to the communication protocol of the external network equipment so as to obtain a sixth data message and sending the sixth data message to the external network equipment.
In an embodiment of the present invention, when data is transmitted from the intranet to the extranet, the intranet processing module is further configured to encrypt the received fourth data message sent by the intranet device with the algorithm operation unit, to perform protocol format conversion on the encrypted fourth data message with the intranet protocol conversion unit according to the data ferry protocol of the isolation exchange module so as to obtain a fifth data message, and to send the fifth data message to the isolation exchange module with the intranet data transceiver unit. The data message before protocol conversion conforms to the dedicated communication protocol of the power internet of things, and the data message after protocol conversion conforms to the data ferry protocol of the isolation exchange module. The isolation exchange module is further configured to keep the extranet processing module and the intranet processing module in a physically isolated state, to perform the format check on the fifth data message, and to send the fifth data message to the extranet processing module after it passes the format check. The extranet processing module is further configured to perform protocol format conversion on the fifth data message with the extranet protocol conversion unit according to the communication protocol of the extranet device so as to obtain a sixth data message, and to send the sixth data message to the extranet device with the extranet data transceiver unit. Here the data message before protocol conversion conforms to the data ferry protocol, and the data message after protocol conversion conforms to the communication protocol of the extranet device.
FIG. 4 is a read/write logic diagram of an isolation device according to an embodiment of the present invention. As shown in fig. 4, the isolation device of the embodiment mainly uses independent intranet and extranet read/write channels and an information ferry mechanism to achieve secure isolation between the intranet and the extranet together with secure information exchange between them. The object exchanged between the intranet and extranet processing modules is not an IP packet but an application-layer data packet encapsulated in a dedicated internal protocol; no original IP packet can pass through the channel. The isolation device completely disconnects the two networks or hosts at the physical layer and performs the secure "ferrying" of network data while the extranet interface and the intranet interface are physically disconnected at the same time. If the network at one end is exchanging data through the isolation device, the isolation device is disconnected from the network at the other end; only after that end has completed its data exchange and released the isolation control signal can the other end exchange information with the isolation device. Data from either end is stored in a buffer area of the isolation device: the state is checked before the buffer is written, and the data is written only when the state permits, otherwise the writer waits; likewise the state is checked before the buffer is read, and the data is read only when the state permits, otherwise the reader waits.
The specific read/write process is as follows: when the intranet processing module or the extranet processing module sends data from its own network to the other network, the data is written into the transmit FIFO; at this time the receive FIFO is closed and only the write channel is connected. When data is to be read by the other processing unit, the data is placed in the receive FIFO; at this time the transmit FIFO is closed and only the read channel is connected.
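The one-side-at-a-time ferry arbitration described for the logic isolation unit (above and in the fig. 2 discussion) and the ferry-protocol format check, as an added example that is not the patent's own code. The frame layout (magic, version, direction, length, CRC-32) is a constructed stand-in for the unpublished data ferry protocol; the point it shows is that a raw IP packet never satisfies the check and that the reader can never connect while the writer still holds the isolation control signal.

```python
"""Ferry channel model: format check plus logic-isolation arbitration (added example)."""
import struct
import zlib
from typing import Optional

# Constructed data ferry frame (assumption, not the patent's real protocol):
#   magic(2) | version(1) | direction(1) | payload length(2) | payload | CRC-32(4)
MAGIC = b"\xA5\x5A"
VERSION = 1
DIR_EXT_TO_INT = 0      # extranet -> intranet (second data message)
DIR_INT_TO_EXT = 1      # intranet -> extranet (fifth data message)
MAX_PAYLOAD = 1024
HEADER = struct.Struct("!2sBBH")
CRC = struct.Struct("!I")


def build_ferry_frame(direction: int, payload: bytes) -> bytes:
    """Encapsulate an application-layer payload in a ferry frame."""
    if direction not in (DIR_EXT_TO_INT, DIR_INT_TO_EXT):
        raise ValueError("unknown ferry direction")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds ferry frame limit")
    body = HEADER.pack(MAGIC, VERSION, direction, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))


def check_ferry_format(frame: bytes) -> bool:
    """Format check of the data exchange unit. A raw IPv4 packet (first byte
    0x45, no magic, no trailing CRC) fails here, so it never crosses."""
    if len(frame) < HEADER.size + CRC.size:
        return False
    magic, version, direction, length = HEADER.unpack_from(frame)
    if magic != MAGIC or version != VERSION:
        return False
    if direction not in (DIR_EXT_TO_INT, DIR_INT_TO_EXT):
        return False
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + CRC.size:
        return False
    body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
    return zlib.crc32(body) == crc


class FerryChannel:
    """One buffer area between two processing modules. Only one side holds
    the isolation control signal at a time, so writer and reader are never
    connected to the buffer simultaneously."""

    def __init__(self, writer: str, reader: str) -> None:
        self.writer = writer
        self.reader = reader
        self.holder: Optional[str] = None     # side currently connected
        self.buffer: Optional[bytes] = None   # the ferried frame, if any

    def connect(self, side: str) -> bool:
        """Assert the isolation control signal; refused while the other side holds it."""
        if side not in (self.writer, self.reader):
            return False
        if self.holder not in (None, side):
            return False
        self.holder = side
        return True

    def release(self, side: str) -> None:
        """Release the isolation control signal so the other side may connect."""
        if self.holder == side:
            self.holder = None

    def write(self, side: str, frame: bytes) -> bool:
        """State check before writing: writer holds the channel, buffer is
        empty, frame passes the format check; otherwise wait or reject."""
        if side != self.writer or self.holder != side or self.buffer is not None:
            return False
        if not check_ferry_format(frame):
            return False
        self.buffer = frame
        return True

    def read(self, side: str) -> Optional[bytes]:
        """State check before reading: reader holds the channel and the buffer
        contains a frame; otherwise wait (None)."""
        if side != self.reader or self.holder != side or self.buffer is None:
            return None
        frame, self.buffer = self.buffer, None
        return frame


def ferry_extranet_to_intranet(frame: bytes) -> Optional[bytes]:
    """Run one frame through the full sequence; None if rejected or blocked."""
    ch = FerryChannel("extranet", "intranet")
    if not ch.connect("extranet") or not ch.write("extranet", frame):
        return None
    if ch.connect("intranet"):                # must be refused while extranet holds the channel
        raise RuntimeError("isolation violated: both sides connected")
    ch.release("extranet")
    if not ch.connect("intranet"):
        return None
    frame_out = ch.read("intranet")
    ch.release("intranet")
    return frame_out


if __name__ == "__main__":
    good = build_ferry_frame(DIR_EXT_TO_INT, b"meter-reading:42")
    print(ferry_extranet_to_intranet(good) == good)                       # True
    print(ferry_extranet_to_intranet(b"\x45\x00\x00\x14" + b"\x00" * 16))  # None
```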
Fig. 5 is a schematic diagram of application-layer data exchange based on a transparent proxy mode according to an embodiment of the present invention. As shown in fig. 5, in the embodiment of the present invention the isolation device mainly uses the transparent proxy mode to implement the application-layer data exchange. The transparent proxy comprises a proxy engine and a proxy stub, which reside on different network processing units. The proxy stub is mainly used for checking network connection requests. The proxy engine is mainly used for calling the transmission interface and exchanging the information returned by the extranet to the network processing unit through the high-speed exchange channel. The proxy engine and the proxy stub exchange session and data information over the high-speed exchange channel using a proprietary protocol.
With respect to data confidentiality and integrity protection, the isolation device of the embodiment of the invention protects service data and instructions mainly through bidirectional identity authentication, data encryption and encapsulation, and data integrity verification. Bidirectional identity authentication: the system uses the cryptographic algorithms SM1, SM2 and SM3 and performs mutual identity authentication with the master station service application system based on mechanisms such as challenge-response and digital certificate signing and signature verification. Data encryption and encapsulation: service data and control instructions are encapsulated and encrypted according to the dedicated secure communication protocol of the power internet of things. Data integrity verification: the integrity of service data and control instructions is ensured through message authentication codes, digital signatures and data timeliness verification.
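The challenge-response mutual authentication and the message-authentication-code plus timeliness check named above (and in the earlier identical passage), as an added example rather than the patent's code. It assumes a pre-shared key with HMAC-SHA256 standing in for the SM2 certificate signatures and SM3 hash, a constructed 30-second freshness window, and sequence numbers for replay detection, none of which the patent specifies.

```python
"""Mutual challenge-response plus MAC/timeliness checks on instructions (added example)."""
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict, Optional, Set

FRESHNESS_WINDOW = 30   # seconds; assumption, the patent gives no figure


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (stand-in for SM3-based MAC / SM2 signature)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack("!I", len(p)) + p)   # length prefix avoids ambiguous concatenation
    return h.digest()


class Peer:
    """One side of the exchange: the isolation device or the master station."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key
        self.my_nonce: Optional[bytes] = None
        self.seen: Set[int] = set()     # sequence numbers already accepted (replay check)

    def challenge(self) -> bytes:
        """Issue a fresh single-use nonce."""
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce

    def respond(self, peer_nonce: bytes) -> bytes:
        """Prove possession of the key over the peer's nonce and our own identity."""
        return _mac(self.key, b"auth", self.name.encode(), peer_nonce)

    def verify_response(self, peer_name: str, response: bytes) -> bool:
        if self.my_nonce is None:
            return False
        expected = _mac(self.key, b"auth", peer_name.encode(), self.my_nonce)
        self.my_nonce = None            # nonce consumed whether or not it verified
        return hmac.compare_digest(expected, response)

    def seal(self, seq: int, timestamp: int, instruction: Dict) -> Dict:
        """Attach sequence number, timestamp and MAC to a control instruction."""
        body = json.dumps(instruction, sort_keys=True).encode()
        tag = _mac(self.key, b"data", struct.pack("!QQ", seq, timestamp), body)
        return {"seq": seq, "ts": timestamp, "body": body.decode(), "mac": tag.hex()}

    def open(self, msg: Dict, now: int) -> Optional[Dict]:
        """Integrity (MAC), timeliness (freshness window) and replay (seq) checks."""
        body = msg["body"].encode()
        expected = _mac(self.key, b"data", struct.pack("!QQ", msg["seq"], msg["ts"]), body)
        if not hmac.compare_digest(expected, bytes.fromhex(msg["mac"])):
            return None                 # tampered or wrong key
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW:
            return None                 # stale instruction
        if msg["seq"] in self.seen:
            return None                 # replayed instruction
        self.seen.add(msg["seq"])
        return json.loads(body)


def mutual_authenticate(a: Peer, b: Peer) -> bool:
    """Both sides challenge the other and verify the response."""
    nonce_a, nonce_b = a.challenge(), b.challenge()
    ok_a = a.verify_response(b.name, b.respond(nonce_a))
    ok_b = b.verify_response(a.name, a.respond(nonce_b))
    return ok_a and ok_b


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    device, master = Peer("isolation-device", key), Peer("master-station", key)
    print(mutual_authenticate(device, master))                              # True
    msg = master.seal(1, 1_700_000_000, {"cmd": "set_limit", "kw": 5})
    print(device.open(msg, 1_700_000_010))                                  # accepted
    print(device.open(msg, 1_700_000_010))                                  # None (replay)
```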
The isolation device of the embodiment of the invention realizes secure isolation between the open client-side access network and the core network of the power internet of things, and can effectively prevent illegal intrusion into the core service systems.
Fig. 6 is a flowchart of an isolation method 600 suitable for the client side of a power internet of things according to an embodiment of the present invention. As shown in fig. 6, the isolation method 600 starts at step 601, in which a received first data message sent by an extranet device is parsed to obtain key information, and protocol format conversion is performed on the key information according to the data ferry protocol to obtain a second data message.
Preferably, the method further comprises:
before analyzing a received first data message sent by an external network device, checking whether the message format of the first data message meets the admission requirement of the power Internet of things; if the verification is passed, analyzing the first data message; if the verification fails, rejecting the data transmission request of the external network equipment;
monitoring whether the data flow of the external network equipment meets the admission requirement of the power internet of things or not and whether abnormal data flow exists or not; if the abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if the abnormal data flow does not exist, allowing the data transmission request of the external network equipment.
In step 602, the extranet processing module and the intranet processing module are controlled to be in a physical isolation state, and format verification is performed on the second data message.
In step 603, after the second data message passes format verification, the second data message is decrypted, and protocol format conversion processing is performed on the decrypted second data message according to the power internet of things dedicated communication protocol, so as to obtain a third data message and send the third data message to the intranet equipment.
Preferably, the method further comprises:
obtaining the identity information of the extranet device to be accessed from the decrypted second data message, and performing identity authentication according to that identity information; if the identity authentication succeeds, allowing the extranet device to be accessed to access the power internet of things for information interaction; if the identity authentication fails, refusing the extranet device to be accessed access to the power internet of things; wherein the key information comprises the identity information of the extranet device.
Preferably, performing identity authentication according to the identity information of the extranet device to be accessed includes:
generating a device fingerprint and an operating environment fingerprint from the identity information of the extranet device to be accessed according to a preset fingerprint generation strategy, and comparing them with the device fingerprints and environment fingerprints held in a preset device access white list to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the extranet device; and the operating environment parameter information includes the energy consumption changes, signal strength changes and traffic changes of the extranet device.
Preferably, the method further comprises:
encrypting a received fourth data message sent by the intra-network equipment, and performing protocol format conversion processing on the encrypted fourth data according to a data ferry protocol to obtain a fifth data message;
controlling the outer network processing module and the inner network processing module to be in a physical isolation state, and carrying out format verification on the fifth data message;
and after the fifth data message passes the format verification, performing protocol format conversion processing on the fifth data message according to a communication protocol of the external network equipment to obtain a sixth data message and sending the sixth data message to the external network equipment.
Preferably, the controlling the external network processing module and the internal network processing module in a physically isolated state includes:
controlling the outer network processing module and the inner network processing module to be in a physical cut-off state at the same time; if one of the outer network processing module and the inner network processing module is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and after the data interaction of the one module is finished and the isolation control signal is released, the other module can carry out data interaction with the logic isolation unit.
Preferably, the method performs format verification by using the following modes:
checking whether the format of the data message to be transmitted conforms to a data ferry protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check fails, rejecting the data message to be transmitted.
Preferably, the method further comprises:
performing access control on the external network equipment according to a preset access control strategy, and determining the access authority of the external network equipment;
monitoring the processes in the intranet processing module, and handling abnormal events promptly when they occur so as to maintain the normal service of the intranet processing module;
recording various operation logs and communication logs;
and interfacing with the electric power unified cryptographic infrastructure to realize the distribution of the extranet device key and the application for and issuance of the digital certificate.
The isolation method 600 applicable to the power internet of things client side according to the embodiment of the present invention corresponds to the isolation device 100 applicable to the power internet of things client side according to another embodiment of the present invention, and details thereof are not repeated herein.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the [ device, component, etc ]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (16)
1. An isolation device suitable for a client side of an electric power internet of things, the device comprising:
the external network processing module is used for analyzing the received first data message sent by the external network equipment to acquire key information, and performing protocol format conversion processing on the key information according to a data ferry protocol to acquire a second data message and sending the second data message to the isolation exchange module;
the isolation switching module is used for controlling the outer network processing module and the inner network processing module to be in a physical isolation state, carrying out format verification on the second data message, and sending the second data message to the inner network processing module after the second data message passes the format verification;
and the intranet processing module is used for decrypting the second data message and performing protocol format conversion processing on the decrypted second data message according to the power internet of things special communication protocol so as to obtain a third data message and send the third data message to the intranet equipment.
2. The apparatus of claim 1, further comprising:
the intranet processing module is used for encrypting the received fourth data message sent by the intranet equipment and carrying out protocol format conversion processing on the encrypted fourth data according to a data ferry protocol so as to obtain a fifth data message and sending the fifth data message to the isolation exchange module;
the isolation switching module is used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the fifth data message, and sending the fifth data message to the external network processing module after the fifth data message passes the format verification;
and the external network processing module is used for carrying out protocol format conversion processing on the fifth data message according to the communication protocol of the external network equipment so as to obtain a sixth data message and sending the sixth data message to the external network equipment.
3. The apparatus of claim 1, wherein the extranet processing module further comprises:
the format checking unit is used for checking whether the message format of the first data message meets the admission requirement of the power Internet of things; if the verification is passed, analyzing the first data message; if the verification fails, rejecting the data transmission request of the external network equipment;
the flow monitoring unit is used for monitoring whether the data flow of the external network equipment meets the admission requirement of the power internet of things and whether abnormal data flow exists; if the abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if the abnormal data flow does not exist, allowing the data transmission request of the external network equipment.
4. The apparatus of claim 1, wherein the isolated switching module, which controls the extranet processing module and the intranet processing module to be in a physically isolated state, comprises:
controlling the outer network processing module and the inner network processing module to be in a physical cut-off state at the same time; if one of the outer network processing module and the inner network processing module is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and after the data interaction of the one module is finished and the isolation control signal is released, the other module can carry out data interaction with the logic isolation unit.
5. The apparatus of claim 1 or 2, wherein the isolated switching module performs format checking by:
checking whether the format of the data message to be transmitted conforms to a data ferry protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check fails, rejecting the data message to be transmitted.
6. The apparatus according to claim 1, wherein the intranet processing module further comprises:
the identity recognition unit is used for acquiring the identity information of the external network equipment to be accessed according to the decrypted second data message and carrying out identity authentication according to the identity information of the external network equipment to be accessed; if the identity authentication is successful, allowing the external network equipment to be accessed to access the power internet of things for information interaction; if the identity authentication fails, refusing the external network equipment to be accessed to access the power internet of things for information interaction; wherein the key information comprises: identity information of the extranet device.
7. The apparatus of claim 6, wherein the identity recognition unit authenticating the extranet device seeking access on the basis of its identity information comprises:
generating a device fingerprint and an operating-environment fingerprint from the identity information of the extranet device seeking access according to a preset fingerprint generation strategy, and comparing them with the device fingerprint and environment fingerprint held in a preset device access whitelist; wherein the identity information comprises device parameter information and operating-environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, effective data and data format of the extranet device; and the operating-environment parameter information comprises changes in the energy consumption, signal strength and traffic of the extranet device.
8. The apparatus of claim 1, wherein the intranet processing module further comprises:
an access control unit configured to apply a preset access control policy to the extranet device and determine its access rights;
a service monitoring unit configured to monitor the processes in the intranet processing module and to handle abnormal events promptly when they occur, so that the intranet processing module keeps providing its normal service;
a log recording unit configured to record operation logs and communication logs; and
a key and certificate import unit configured to interface with the power unified cryptographic infrastructure for distributing extranet device keys and for applying for and issuing digital certificates.
9. An isolation method for the client side of a power Internet of Things, characterized by comprising the following steps:
parsing a received first data message sent by an extranet device to obtain key information, and performing protocol format conversion on the key information according to a data ferry protocol to obtain a second data message;
controlling the extranet processing module and the intranet processing module to be in a physically isolated state, and performing format verification on the second data message;
and after the second data message passes format verification, decrypting it and performing protocol format conversion on the decrypted second data message according to the dedicated power Internet of Things communication protocol to obtain a third data message, which is sent to the intranet device.
10. The method of claim 9, further comprising:
encrypting a received fourth data message sent by the intranet device, and performing protocol format conversion on the encrypted fourth data message according to the data ferry protocol to obtain a fifth data message;
controlling the extranet processing module and the intranet processing module to be in a physically isolated state, and performing format verification on the fifth data message;
and after the fifth data message passes format verification, performing protocol format conversion on it according to the communication protocol of the extranet device to obtain a sixth data message, which is sent to the extranet device.
11. The method of claim 9, further comprising: before parsing the received first data message sent by the extranet device, checking whether the message format of the first data message meets the admission requirement of the power Internet of Things; if the check passes, the first data message is parsed; if the check fails, the data transmission request of the extranet device is rejected;
and monitoring whether the data flow of the extranet device meets the admission requirement of the power Internet of Things and whether abnormal data flow exists; if abnormal data flow exists, the data transmission request of the extranet device is rejected; if no abnormal data flow exists, the data transmission request of the extranet device is allowed.
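One way the admission check and flow monitoring described by the flow monitoring unit above and by claim 11 can be realised, as an added example that is not part of the patent: the admission profile (admitted protocols, per-message size ceiling, sliding window, message-rate and byte-rate ceilings), the `FlowMonitor` class and the sample traffic are all assumptions; the claims only say that non-conforming or abnormal flow leads to the transmission request being rejected.

```python
"""Added example, not the patent's own code: the admission check and abnormal-flow monitoring of
claim 11, run over a constructed sequence of transmission requests from one extranet device.
The admission profile (protocols, size and rate limits, window length) is an assumption."""
from collections import deque

# Hypothetical admission profile for one device class (assumption, not from the patent).
ADMISSION_PROFILE = {
    "protocols": {"MQTT", "CoAP"},   # protocols the power IoT admits from this device class
    "max_msg_bytes": 1024,           # largest single message admitted
    "window_seconds": 10.0,          # sliding window for rate accounting
    "max_msgs_per_window": 20,       # message-rate ceiling inside the window
    "max_bytes_per_window": 8192,    # byte-rate ceiling inside the window
}

class FlowMonitor:
    """Per-device sliding-window monitor: static admission checks first, then rate anomaly checks."""

    def __init__(self, profile):
        self.profile = profile
        self.accepted = deque()      # (timestamp, size) of messages accepted inside the window
        self.bytes_in_window = 0

    def _expire(self, now):
        window = self.profile["window_seconds"]
        while self.accepted and now - self.accepted[0][0] >= window:
            _, size = self.accepted.popleft()
            self.bytes_in_window -= size

    def check(self, ts, protocol, size):
        """Return (allowed, reason) for one request; rejected messages do not count towards the window."""
        if protocol not in self.profile["protocols"]:
            return False, "protocol not admitted"
        if size > self.profile["max_msg_bytes"]:
            return False, "message exceeds admitted size"
        self._expire(ts)
        if len(self.accepted) + 1 > self.profile["max_msgs_per_window"]:
            return False, "abnormal flow: message rate"
        if self.bytes_in_window + size > self.profile["max_bytes_per_window"]:
            return False, "abnormal flow: byte rate"
        self.accepted.append((ts, size))
        self.bytes_in_window += size
        return True, "ok"

# Constructed sample traffic (timestamp, protocol, bytes): two normal readings, a wrong protocol,
# an oversize message, a volume burst, then a chatter burst after the window has drained.
SAMPLE_TRAFFIC = (
    [(0.0, "MQTT", 200), (1.0, "MQTT", 200), (1.5, "HTTP", 100), (2.0, "MQTT", 2000)]
    + [(3.0 + i * 0.01, "MQTT", 450) for i in range(20)]
    + [(30.0 + i * 0.01, "MQTT", 10) for i in range(25)]
)

def run_flow_sample(traffic=SAMPLE_TRAFFIC, profile=ADMISSION_PROFILE):
    """Run the monitor over the sample and return (timestamp, allowed, reason) per request."""
    monitor = FlowMonitor(profile)
    return [(ts, *monitor.check(ts, proto, size)) for ts, proto, size in traffic]

if __name__ == "__main__":
    for ts, allowed, reason in run_flow_sample():
        print(f"t={ts:6.2f} {'ALLOW ' if allowed else 'REJECT'} {reason}")
```

Rejected messages are deliberately not counted towards the window, so a device that is already being refused cannot push the monitor into rejecting its later legitimate traffic once the burst stops. The ceilings are per device; a fleet-wide anomaly in which many devices each stay just under their own limits needs a separate aggregate check on the extranet processing module.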
12. The method of claim 9, wherein controlling the extranet processing module and the intranet processing module to be in a physically isolated state comprises:
controlling the extranet processing module and the intranet processing module so that both are in a physically disconnected state at the same time; when one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after that module's data exchange has finished and the isolation control signal has been released may the other module exchange data with the logic isolation unit.
13. The method of claim 9 or 10, wherein the format check is performed as follows:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, the data message is transmitted; if the format check fails, the data message is rejected.
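The forward path of claim 9 (first, second and third data messages), the reverse path of claim 10 (fourth, fifth and sixth), the time-multiplexed isolation switching of claims 4 and 12 and the format check of claims 5 and 13, put together as one added example; none of this is the patent's own code. The ferry frame layout (`PFY1` magic, kind byte, 16-bit length, payload, CRC-32), the JSON device protocol and the dict-shaped intranet message, the per-device key table and the stdlib-only toy cipher are all assumptions made so that the example runs offline.

```python
"""Added example (not the patent's code): the forward and reverse ferry flows of claims 9 and 10,
with the isolation switching of claims 4/12 and the format check of claims 5/13. The frame
layout, both endpoint message formats, the per-device key and the toy cipher are assumptions."""
import hashlib
import hmac
import json
import struct
import zlib

FERRY_MAGIC = b"PFY1"                                # assumed ferry-protocol magic
KIND_IN, KIND_OUT, MAX_PAYLOAD = 0x01, 0x02, 1024    # extranet->intranet, intranet->extranet, size cap
DEVICE_KEYS = {"meter-0001": bytes(range(32))}       # constructed key, as distributed by the key/certificate unit

# Toy cipher (SHA-256 counter keystream + HMAC tag, encrypt-then-MAC) so the example runs offline;
# a real device would use a vetted AEAD such as SM4-GCM or AES-GCM, and the nonce must never repeat per key.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest() for c in range((n + 31) // 32))[:n]

def encrypt(key, nonce, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Ferry protocol frame: magic | kind | length (2 bytes BE) | payload | CRC-32 over all preceding bytes.
def ferry_pack(kind, payload):
    body = FERRY_MAGIC + bytes([kind]) + struct.pack(">H", len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def ferry_check(frame):
    """Claim 5/13 format check: strict parse that raises ValueError on any deviation from the layout."""
    if len(frame) < 11 or frame[:4] != FERRY_MAGIC:
        raise ValueError("bad magic")
    kind, length = frame[4], struct.unpack(">H", frame[5:7])[0]
    if kind not in (KIND_IN, KIND_OUT):
        raise ValueError("bad kind")
    if length > MAX_PAYLOAD or len(frame) != 7 + length + 4:
        raise ValueError("bad length")
    if struct.unpack(">I", frame[-4:])[0] != zlib.crc32(frame[:-4]):
        raise ValueError("bad crc")
    return kind, frame[7:7 + length]

class IsolationSwitch:
    """Claims 4/12: one side at a time is connected to the logic isolation unit; the other side
    connects only after the first has finished and released the isolation control signal."""
    def __init__(self):
        self.connected, self.buffer, self.log = None, None, []   # connected: None, "outer" or "inner"

    def _connect(self, side):
        assert self.connected is None, "other side still connected"
        self.connected = side
        self.log.append(f"{side}:on")

    def _release(self):
        self.log.append(f"{self.connected}:off")
        self.connected = None

    def ferry(self, src, dst, frame):
        self._connect(src)
        try:
            ferry_check(frame)      # a malformed frame never reaches the buffer
            self.buffer = frame
        finally:
            self._release()         # released even on rejection, so the switch cannot wedge
        self._connect(dst)
        out, self.buffer = self.buffer, None
        self._release()
        return out

def extranet_to_intranet(switch, first):
    msg = json.loads(first)                                       # parse first message -> key information
    second = ferry_pack(KIND_IN, msg["dev"].encode() + b"\x00" + bytes.fromhex(msg["payload"]))
    crossed = switch.ferry("outer", "inner", second)              # isolation + format verification
    dev, _, ct = ferry_check(crossed)[1].partition(b"\x00")
    reading = decrypt(DEVICE_KEYS[dev.decode()], ct)              # intranet side decrypts
    return {"device": dev.decode(), "reading": reading.decode()}  # third message (assumed intranet format)

def intranet_to_extranet(switch, device, fourth, nonce):
    fifth = ferry_pack(KIND_OUT, device.encode() + b"\x00" + encrypt(DEVICE_KEYS[device], nonce, fourth))
    dev, _, ct = ferry_check(switch.ferry("inner", "outer", fifth))[1].partition(b"\x00")
    return json.dumps({"dev": dev.decode(), "payload": ct.hex()}).encode()   # sixth message (device JSON)

def demo():
    sw = IsolationSwitch()
    # First message as the extranet device would send it: assumed JSON carrying hex ciphertext.
    first = json.dumps({"dev": "meter-0001",
                        "payload": encrypt(DEVICE_KEYS["meter-0001"], b"\x01" * 8, b"V=220.1;I=5.2").hex()}).encode()
    third = extranet_to_intranet(sw, first)
    sixth = intranet_to_extranet(sw, "meter-0001", b"SET_INTERVAL=60", b"\x02" * 8)
    echoed = decrypt(DEVICE_KEYS["meter-0001"], bytes.fromhex(json.loads(sixth)["payload"]))
    tampered = bytearray(ferry_pack(KIND_IN, b"x"))
    tampered[7] ^= 0xFF                                           # one flipped payload byte
    try:
        sw.ferry("outer", "inner", bytes(tampered))
        verdict = "accepted"
    except ValueError as err:
        verdict = str(err)
    return {"third": third, "echoed": echoed, "tamper": verdict, "released": sw.connected is None, "log": sw.log}
```

Two points worth noting. The CRC in the ferry frame is a format and corruption check, not a security control: anyone who can write a frame can compute a valid CRC, so message authenticity rests on the HMAC tag that only the intranet side, holding the device key, verifies. And the `try`/`finally` in `IsolationSwitch.ferry` matters: a rejected frame must still release the isolation control signal, otherwise a stream of malformed frames would leave the outer side connected and lock the inner side out indefinitely.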
14. The method of claim 9, further comprising:
obtaining the identity information of the extranet device seeking access from the decrypted second data message, and authenticating that device on the basis of its identity information; if authentication succeeds, the extranet device seeking access is allowed to access the power Internet of Things for information exchange; if authentication fails, it is refused access to the power Internet of Things for information exchange; wherein the key information comprises the identity information of the extranet device.
15. The method of claim 14, wherein authenticating the extranet device seeking access on the basis of its identity information comprises:
generating a device fingerprint and an operating-environment fingerprint from the identity information of the extranet device seeking access according to a preset fingerprint generation strategy, and comparing them with the device fingerprint and environment fingerprint held in a preset device access whitelist; wherein the identity information comprises device parameter information and operating-environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, effective data and data format of the extranet device; and the operating-environment parameter information comprises changes in the energy consumption, signal strength and traffic of the extranet device.
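A concrete reading of the fingerprint strategy of claims 7 and 15, as an added example rather than the patent's own method: the static device parameters are canonicalised and hashed into the device fingerprint, the three change metrics are quantised into bands and hashed into the environment fingerprint, and both are looked up in a whitelist built at enrolment. The field names, band widths, hash choice and every sample value are assumptions.

```python
"""Added example, not the patent's own method: device and operating-environment fingerprints
(claims 7 and 15) derived from an extranet device's identity information and checked against a
device access whitelist. Field names, band widths, the hash and every sample value are assumptions."""
import hashlib
import hmac
import json

DEVICE_FIELDS = ("mac", "ip", "protocol", "effective_data", "data_format")   # claim 7 device parameters

def device_fingerprint(params):
    """SHA-256 of the canonicalised static parameters: key order and unrelated extra fields do not matter."""
    canon = json.dumps({k: params[k] for k in DEVICE_FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def _band(value, step, cap):
    """Quantise a change metric into a signed band so that ordinary drift lands in the same band."""
    magnitude = min(int(abs(value) // step), cap)
    return magnitude if value >= 0 else -magnitude

def env_fingerprint(env):
    """SHA-256 of the banded energy, signal-strength and traffic changes (band widths are assumptions)."""
    bands = (_band(env["energy_change_pct"], 10.0, 5),
             _band(env["signal_change_db"], 5.0, 4),
             _band(env["traffic_change_pct"], 25.0, 8))
    return hashlib.sha256(json.dumps(bands).encode()).hexdigest()

def enroll(whitelist, name, params, env_samples):
    """Whitelist a device together with every environment fingerprint observed during enrolment."""
    whitelist[device_fingerprint(params)] = {"name": name, "env_fps": {env_fingerprint(e) for e in env_samples}}

def authenticate(identity, whitelist):
    """Claim 7/15 comparison: (True, device name) when both fingerprints match, else (False, reason)."""
    entry = whitelist.get(device_fingerprint(identity["device"]))
    if entry is None:
        return False, "device fingerprint not in whitelist"
    efp = env_fingerprint(identity["environment"])
    if not any(hmac.compare_digest(efp, known) for known in entry["env_fps"]):
        return False, "environment fingerprint mismatch"
    return True, entry["name"]

# Constructed enrolment data for one meter.
METER_PARAMS = {"mac": "aa:bb:cc:dd:ee:01", "ip": "10.20.30.41", "protocol": "MQTT/3.1.1",
                "effective_data": ["voltage", "current", "kwh"], "data_format": "json"}
ENROL_ENV = [{"energy_change_pct": 2.0, "signal_change_db": -1.5, "traffic_change_pct": 8.0}]

def run_auth_sample():
    """Three constructed access attempts: the genuine meter, a spoof with the right MAC/IP, and a clone."""
    whitelist = {}
    enroll(whitelist, "meter-0001", METER_PARAMS, ENROL_ENV)
    genuine = {"device": dict(METER_PARAMS, firmware="1.4.2"),          # extra field, small drift
               "environment": {"energy_change_pct": 6.0, "signal_change_db": 3.0, "traffic_change_pct": 15.0}}
    spoof = {"device": dict(METER_PARAMS, protocol="HTTP/1.1"),         # right MAC and IP, wrong protocol
             "environment": ENROL_ENV[0]}
    clone = {"device": dict(METER_PARAMS),                               # same parameters, 300 % more traffic
             "environment": {"energy_change_pct": 1.0, "signal_change_db": 0.5, "traffic_change_pct": 300.0}}
    return [authenticate(x, whitelist) for x in (genuine, spoof, clone)]
```

Banding is what makes an environment fingerprint usable at all: raw energy, RSSI and traffic deltas never repeat exactly, so hashing them directly would reject every genuine device. The flip side is that MAC, IP and protocol are attacker-chosen values, so the device fingerprint on its own only filters careless impersonation; the digital certificates handled by the key and certificate import unit of claim 8 are the stronger credential, and these fingerprints are best treated as a secondary, behavioural check layered on top.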
16. The method of claim 9, further comprising:
applying a preset access control policy to the extranet device and determining its access rights;
monitoring the processes in the intranet processing module and handling abnormal events promptly when they occur, so that the intranet processing module keeps providing its normal service;
recording operation logs and communication logs;
and interfacing with the power unified cryptographic infrastructure for distributing extranet device keys and for applying for and issuing digital certificates.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010789502.2A CN112073375B (en) | 2020-08-07 | 2020-08-07 | Isolation device and isolation method suitable for client side of electric power Internet of things |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010789502.2A CN112073375B (en) | 2020-08-07 | 2020-08-07 | Isolation device and isolation method suitable for client side of electric power Internet of things |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112073375A true CN112073375A (en) | 2020-12-11 |
CN112073375B CN112073375B (en) | 2023-09-26 |
Family
ID=73662549
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010789502.2A Active CN112073375B (en) | 2020-08-07 | 2020-08-07 | Isolation device and isolation method suitable for client side of electric power Internet of things |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112073375B (en) |
Patent Citations (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170346631A1 (en) * | 2007-01-07 | 2017-11-30 | Apple Inc. | Securely recovering a computing device |
US20150150110A1 (en) * | 2013-11-27 | 2015-05-28 | International Business Machines Corporation | Identifying and destroying potentially misappropriated access tokens |
WO2015085809A1 (en) * | 2013-12-09 | 2015-06-18 | 成都达信通通讯设备有限公司 | Mobile payment security system with wireless data private network physically isolated from internet |
CN103619020A (en) * | 2013-12-09 | 2014-03-05 | 成都达信通通讯设备有限公司 | Mobile payment security system for wireless data private network physical isolation internet |
CN103905451A (en) * | 2014-04-03 | 2014-07-02 | 国家电网公司 | System and method for trapping network attack of embedded device of smart power grid |
CN104486336A (en) * | 2014-12-12 | 2015-04-01 | 冶金自动化研究设计院 | Device for safely isolating and exchanging industrial control networks |
CN104683332A (en) * | 2015-02-10 | 2015-06-03 | 杭州优稳自动化系统有限公司 | Security isolation gateway in industrial control network and security isolation method thereof |
US20200106686A1 (en) * | 2015-03-06 | 2020-04-02 | Georgia Tech Research Corporation | Device fingerprinting for cyber-physical systems |
CN105656883A (en) * | 2015-12-25 | 2016-06-08 | 冶金自动化研究设计院 | Unidirectional transmission internal and external network secure isolating gateway applicable to industrial control network |
CN106250857A (en) * | 2016-08-04 | 2016-12-21 | 深圳先进技术研究院 | A kind of identity recognition device and method |
CN106991317A (en) * | 2016-12-30 | 2017-07-28 | 中国银联股份有限公司 | Safe verification method, platform, device and system |
CN106941494A (en) * | 2017-03-30 | 2017-07-11 | 中国电力科学研究院 | A kind of security isolation gateway and its application method suitable for power information acquisition system |
US20180337948A1 (en) * | 2017-05-17 | 2018-11-22 | Optimal Process Control Technologies Co., Ltd. | Method of industrial data communication with dedicated physical channel isolation and a system applying the method |
CN107276987A (en) * | 2017-05-17 | 2017-10-20 | 厦门奥普拓自控科技有限公司 | A kind of the special line physical isolation industrial data means of communication and system |
CN109842585A (en) * | 2017-11-27 | 2019-06-04 | 中国科学院沈阳自动化研究所 | Network information security protective unit and means of defence towards industrial embedded system |
US20200045023A1 (en) * | 2017-11-27 | 2020-02-06 | Shenyang Institute Of Automation, Chinese Academy Of Sciences | Network guard unit for industrial embedded system and guard method |
CN207638693U (en) * | 2017-12-29 | 2018-07-20 | 深圳市风云实业有限公司 | Gateway is isolated |
CN108965283A (en) * | 2018-07-06 | 2018-12-07 | 中国电力财务有限公司 | A kind of means of communication, device, application server and communication system |
CN109005189A (en) * | 2018-08-27 | 2018-12-14 | 广东电网有限责任公司信息中心 | A kind of access transmission platform suitable for double net isolation |
CN109525606A (en) * | 2019-01-04 | 2019-03-26 | 安徽和信科技发展有限责任公司 | A kind of Internet of Things security access terminal based on business data acquisition |
CN109889532A (en) * | 2019-03-08 | 2019-06-14 | 武汉大学 | Internet of things equipment safety certification and cryptographic key negotiation method based on environmental context |
CN110210858A (en) * | 2019-05-31 | 2019-09-06 | 上海观安信息技术股份有限公司 | A kind of air control guard system design method based on intelligent terminal identification |
CN110472584A (en) * | 2019-08-16 | 2019-11-19 | 四川九洲电器集团有限责任公司 | A kind of communication equipment personal identification method, electronic equipment and computer program product |
CN110493225A (en) * | 2019-08-20 | 2019-11-22 | 杭州安恒信息技术股份有限公司 | A kind of request transmission method, device, equipment and readable storage medium storing program for executing |
CN110620791A (en) * | 2019-10-10 | 2019-12-27 | 江苏亨通工控安全研究院有限公司 | Industrial safety data ferrying system with early warning function |
CN110855756A (en) * | 2019-10-25 | 2020-02-28 | 珠海库奇科技有限公司 | Meter reading management system and method based on Internet of things |
CN110933055A (en) * | 2019-11-19 | 2020-03-27 | 江苏恒宝智能系统技术有限公司 | Authentication system based on Internet of things equipment |
CN111447153A (en) * | 2020-04-03 | 2020-07-24 | 北京天地和兴科技有限公司 | Industrial equipment fingerprint identification method |
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112769774A (en) * | 2020-12-24 | 2021-05-07 | 国网冀北电力有限公司信息通信分公司 | Data ferrying system and method |
CN112769774B (en) * | 2020-12-24 | 2023-04-18 | 国网冀北电力有限公司信息通信分公司 | Data ferrying system and method |
CN113329018A (en) * | 2021-05-28 | 2021-08-31 | 中国电子信息产业集团有限公司第六研究所 | Novel security isolation IPsec VPN processing architecture |
CN113645610B (en) * | 2021-07-09 | 2024-04-02 | 厦门市美亚柏科信息股份有限公司 | Mobile phone data parallel acquisition method and system based on intranet system |
CN113645610A (en) * | 2021-07-09 | 2021-11-12 | 厦门市美亚柏科信息股份有限公司 | Mobile phone data parallel acquisition method and system based on intranet system |
CN113612734A (en) * | 2021-07-13 | 2021-11-05 | 共道网络科技有限公司 | Cross-network remote court trial media stream transmission method and device |
CN113506096A (en) * | 2021-09-08 | 2021-10-15 | 国网浙江省电力有限公司 | Inter-system interface method based on industrial internet identification analysis system |
CN114039748A (en) * | 2021-10-25 | 2022-02-11 | 中广核工程有限公司 | Identity authentication method, system, computer device and storage medium |
CN114124549A (en) * | 2021-11-26 | 2022-03-01 | 绿盟科技集团股份有限公司 | Method, system and device for safely accessing mails based on visible light system |
CN114024781A (en) * | 2022-01-07 | 2022-02-08 | 广东电力信息科技有限公司 | Electric power Internet of things low-speed stable equipment access method based on edge calculation |
CN114726574A (en) * | 2022-02-28 | 2022-07-08 | 新华三信息安全技术有限公司 | Safety isolation protection system and safety isolation protection method |
CN114745454A (en) * | 2022-04-11 | 2022-07-12 | 中国南方电网有限责任公司 | Boundary protection device, system, method, computer equipment and storage medium |
CN114745182A (en) * | 2022-04-12 | 2022-07-12 | 宇辰科技(山东)有限公司 | Internal and external network application data safety interaction intelligent travel system and equipment thereof |
CN115065498B (en) * | 2022-04-15 | 2024-03-22 | 北京全路通信信号研究设计院集团有限公司 | Peripheral ferry device and system thereof |
CN115065498A (en) * | 2022-04-15 | 2022-09-16 | 北京全路通信信号研究设计院集团有限公司 | Peripheral ferry device and system thereof |
CN114944940B (en) * | 2022-04-26 | 2023-10-03 | 国网山东省电力公司滨州供电公司 | Electronic archive processing system and method for electrical test data |
CN114944940A (en) * | 2022-04-26 | 2022-08-26 | 国网山东省电力公司滨州供电公司 | Electronic file processing system and method for electrical test data |
CN115208612A (en) * | 2022-05-10 | 2022-10-18 | 北京市遥感信息研究所 | Complex networking security system architecture |
CN115208612B (en) * | 2022-05-10 | 2023-10-13 | 北京市遥感信息研究所 | Complex networking safety system |
CN115190379B (en) * | 2022-07-28 | 2024-04-02 | 国核信息科技有限公司 | Split wind power vibration monitoring data transmission method and monitoring device |
CN115190379A (en) * | 2022-07-28 | 2022-10-14 | 国核信息科技有限公司 | Split type wind power vibration monitoring data transmission method and monitoring device |
CN114978784A (en) * | 2022-08-02 | 2022-08-30 | 矩阵时光数字科技有限公司 | Data protection equipment and system |
CN115664841A (en) * | 2022-11-14 | 2023-01-31 | 济南大学 | Data acquisition system and method with network isolation and one-way encryption transmission functions |
CN116094828A (en) * | 2023-02-14 | 2023-05-09 | 深圳市利谱信息技术有限公司 | Dynamic protocol gateway system based on physical isolation |
CN116094828B (en) * | 2023-02-14 | 2023-11-17 | 深圳市利谱信息技术有限公司 | Dynamic protocol gateway system based on physical isolation |
CN116319094A (en) * | 2023-05-19 | 2023-06-23 | 北京安帝科技有限公司 | Data safety transmission method, computer equipment and medium based on tobacco industry |
CN116319094B (en) * | 2023-05-19 | 2023-08-11 | 北京安帝科技有限公司 | Data safety transmission method, computer equipment and medium based on tobacco industry |
CN117201207B (en) * | 2023-11-08 | 2024-02-27 | 深圳市顺源科技有限公司 | Industrial Internet of things system based on high-isolation mode network data conversion |
CN117201207A (en) * | 2023-11-08 | 2023-12-08 | 深圳市顺源科技有限公司 | Industrial Internet of things system based on high-isolation mode network data conversion |
Also Published As
Publication number | Publication date |
---|---|
CN112073375B (en) | 2023-09-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112073375B (en) | Isolation device and isolation method suitable for client side of electric power Internet of things | |
CN112150147A (en) | Data security storage system based on block chain | |
CN111935714B (en) | Identity authentication method in mobile edge computing network | |
CN105871873A (en) | Security encryption authentication module for power distribution terminal communication and method thereof | |
CN101447907A (en) | VPN secure access method and system thereof | |
CN105162808B (en) | A kind of safe login method based on national secret algorithm | |
CN111954211B (en) | Novel authentication key negotiation system of mobile terminal | |
CN109995530B (en) | Safe distributed database interaction system suitable for mobile positioning system | |
CN110474921B (en) | Perception layer data fidelity method for local area Internet of things | |
CN113127914A (en) | Electric power Internet of things data security protection method | |
CN212486798U (en) | Electric power sensing equipment based on block chain technology | |
CN107196932A (en) | Managing and control system in a kind of document sets based on virtualization | |
CN104065485A (en) | Power grid dispatching mobile platform safety guaranteeing and controlling method | |
CN111756627A (en) | Cloud platform security access gateway of electric power monitored control system | |
CN112613006A (en) | Power data sharing method and device, electronic equipment and storage medium | |
CN115941236A (en) | Zero trust safety protection method for edge side of power distribution network | |
CN111970232A (en) | Safe access system of intelligent service robot of electric power business hall | |
CN211352206U (en) | IPSec VPN cryptographic machine based on quantum key distribution | |
CN114866245A (en) | Block chain-based power data acquisition method and system | |
CN114268643A (en) | Power distribution internet of things terminal based on active identification technology and management method | |
CN111064752B (en) | Preset secret key sharing system and method based on public network | |
CN103269301A (en) | Desktop type IPSecVPN cryptographic machine and networking method | |
CN107172078B (en) | Security management and control method and system of core framework platform based on application service | |
CN116192481A (en) | Analysis method for secure communication mechanism between cloud computing server models | |
CN107172462A (en) | A kind of video-encryption and identity identifying method and security module |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |