CN112073375A - Isolation device and isolation method suitable for power Internet of things client side - Google Patents

Info

Publication number: CN112073375A
Application number: CN202010789502.2A
Authority: CN (China)
Prior art keywords: data message, data, processing module, external network, equipment
Prior art date:
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN112073375B (en)
Inventors: 梁晓兵, 翟峰, 岑炜, 付义伦, 曹永峰, 刘鹰, 李保丰, 王晖南, 徐萌, 许斌, 孔令达, 冯云, 冯占成
Current assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Marketing Service Center of State Grid Shanxi Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Marketing Service Center of State Grid Shanxi Electric Power Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI and Marketing Service Center of State Grid Shanxi Electric Power Co Ltd; priority to CN202010789502.2A; publication of CN112073375A; application granted; publication of CN112073375B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/08 Protocols for interworking; Protocol conversion
    • H04L 69/22 Parsing or analysis of headers
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 10/00 Economic sectors
    • G16Y 10/35 Utilities, e.g. electricity, gas or water

Abstract

The invention relates to an isolation device and an isolation method suitable for the client side of the power Internet of Things. An extranet processing module parses a first data message received from external network equipment to obtain key information and converts that key information into a second data message according to a data ferry protocol. An isolation exchange module keeps the extranet processing module and the intranet processing module in a physically isolated state and performs a format check on the second data message. After the second data message passes the format check, the intranet processing module decrypts it and converts the decrypted message into a third data message according to the private communication protocol of the power Internet of Things, which it sends to the intranet equipment. This achieves secure isolation between the open client-side access network and the power Internet of Things core network and effectively prevents illegal intrusion into the core service system.

Description

Isolation device and isolation method suitable for power Internet of things client side
Technical Field
The invention relates to the technical field of the Internet of Things, in particular to an isolation device and an isolation method suitable for the client side of the power Internet of Things.
Background
With the development of new technologies such as mobile interconnection and artificial intelligence, bidirectional interaction between power users and the smart grid is becoming more frequent, and users' requirements for the service forms and service quality of the grid keep rising. The power Internet of Things has emerged to meet the application requirements of power consumers and to enhance their perception of, and participation in, the smart grid. It is characterised by comprehensive sensing of operating state, efficient information processing, and convenient, flexible application. By connecting power users and equipment, enterprises and their equipment, and people and objects, it generates shared data that serves power users, grids, power enterprises, suppliers and society, with the grid acting as a hub that provides platform and sharing functions and delivers more valuable services to the whole industry and to more market participants.
To improve interactivity between the power Internet of Things and its users, a massive number of non-grid-asset devices that are outside the grid's control and whose security cannot be assumed, such as charging piles and external integrated-energy equipment, must be connected to the client side of the power Internet of Things. These devices connect to all kinds of electrical equipment over convenient communication channels such as WIFI in order to collect power consumption data and exchange information. The power network thereby inevitably shifts from a closed service model to an open one in which the power Internet of Things is directly connected to the public network. This greatly increases the risk of network attacks such as forged terminal access, trojans, viruses and malicious code, and makes it easy for malicious actors to penetrate the whole power network through the sensing layer and attack or damage it. An isolation device is therefore required to isolate the networks from one another and to secure the exchange of data between them. However, traditional isolation devices or systems have a single function, a large physical size and power consumption, and relatively high demands on computing resources; most are suited only to boundary isolation of a traditional network and cannot meet the requirement of the sensing layer or boundary layer of the power Internet of Things for secure information exchange with uncontrolled client-side devices at low power, low cost and in large, widely distributed numbers.
Micro-isolation technology for the Internet of Things therefore needs to be researched, and a network isolation device that can be deployed in the sensing layer or edge layer of the power Internet of Things needs to be developed, so that the access network that is open to power users is securely isolated from the core network of the power Internet of Things.
Disclosure of Invention
The invention provides an isolation device and an isolation method suitable for the client side of the power Internet of Things, with the aim of solving the problem of how to securely isolate an open Internet of Things client-side access network from the power Internet of Things core network.
To solve the above problem, according to one aspect of the present invention, an isolation device suitable for the client side of the power Internet of Things is provided, the device comprising:
an extranet processing module, used to parse a first data message received from external network equipment to obtain key information, to convert the key information into a second data message according to a data ferry protocol, and to send the second data message to the isolation exchange module;
an isolation exchange module, used to keep the extranet processing module and the intranet processing module in a physically isolated state, to perform a format check on the second data message, and to send the second data message to the intranet processing module after it passes the format check;
and an intranet processing module, used to decrypt the second data message, to convert the decrypted second data message into a third data message according to the dedicated communication protocol of the power Internet of Things, and to send the third data message to the intranet equipment.
Preferably, the device also handles the reverse direction, in which:
the intranet processing module is used to encrypt a fourth data message received from the intranet equipment, to convert the encrypted fourth data message into a fifth data message according to the data ferry protocol, and to send the fifth data message to the isolation exchange module;
the isolation exchange module is used to keep the extranet processing module and the intranet processing module in a physically isolated state, to perform a format check on the fifth data message, and to send the fifth data message to the extranet processing module after it passes the format check;
and the extranet processing module is used to convert the fifth data message into a sixth data message according to the communication protocol of the external network equipment and to send the sixth data message to the external network equipment.
Preferably, the extranet processing module further comprises:
a format checking unit, used to check whether the message format of the first data message meets the admission requirements of the power Internet of Things; if the check passes, the first data message is parsed; if it fails, the data transmission request of the external network equipment is rejected;
and a flow monitoring unit, used to monitor whether the data flow of the external network equipment meets the admission requirements of the power Internet of Things and whether abnormal data flow is present; if abnormal data flow is present, the data transmission request of the external network equipment is rejected; otherwise the request is allowed.
Preferably, the isolation exchange module keeps the extranet processing module and the intranet processing module in a physically isolated state as follows:
the extranet processing module and the intranet processing module are kept physically cut off from each other at all times; if one of them is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other, and only after that exchange has finished and the isolation control signal has been released can the other module exchange data with the logic isolation unit.
Preferably, the isolation exchange module performs the format check as follows:
it checks whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, the data message is transmitted; if the format check fails, the data message is rejected.
Preferably, the intranet processing module further comprises:
an identity recognition unit, used to obtain the identity information of the external network equipment requesting access from the decrypted second data message and to authenticate that equipment on the basis of its identity information; if authentication succeeds, the external network equipment is allowed to access the power Internet of Things and exchange information; if authentication fails, access is refused; here the key information includes the identity information of the external network equipment.
Preferably, the identity recognition unit authenticates the external network equipment requesting access as follows:
a device fingerprint and an operating environment fingerprint are generated from the identity information of the external network equipment according to a preset fingerprint generation strategy, and are compared with the device fingerprint and the environment fingerprint held in a preset device access white list; the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, valid data and data format of the external network equipment; the operating environment parameter information comprises changes in the energy consumption, signal strength and traffic of the external network equipment.
Preferably, the intranet processing module further comprises:
an access control unit, used to apply a preset access control policy to the external network equipment and to determine its access rights;
a service monitoring unit, used to monitor the processes in the intranet processing module and to handle abnormal events promptly when they occur, so that the services of the intranet processing module keep running normally;
a logging unit, used to record operation logs and communication logs;
and a key and certificate import unit, used to interface with the unified cryptographic infrastructure of the power sector for distributing keys to the external network equipment and for applying for and issuing digital certificates.
According to another aspect of the invention, an isolation method suitable for the client side of the power Internet of Things is provided, comprising the following steps:
parsing a first data message received from external network equipment to obtain key information, and converting the key information into a second data message according to a data ferry protocol;
keeping the extranet processing module and the intranet processing module in a physically isolated state, and performing a format check on the second data message;
and, after the second data message passes the format check, decrypting it, converting the decrypted second data message into a third data message according to the dedicated communication protocol of the power Internet of Things, and sending the third data message to the intranet equipment.
Preferably, the method further comprises:
encrypting a fourth data message received from the intranet equipment, and converting the encrypted fourth data message into a fifth data message according to the data ferry protocol;
keeping the extranet processing module and the intranet processing module in a physically isolated state, and performing a format check on the fifth data message;
and, after the fifth data message passes the format check, converting it into a sixth data message according to the communication protocol of the external network equipment and sending the sixth data message to the external network equipment.
Preferably, the method further comprises:
before parsing the first data message received from the external network equipment, checking whether its message format meets the admission requirements of the power Internet of Things; if the check passes, parsing the first data message; if it fails, rejecting the data transmission request of the external network equipment;
and monitoring whether the data flow of the external network equipment meets the admission requirements of the power Internet of Things and whether abnormal data flow is present; if abnormal data flow is present, rejecting the data transmission request of the external network equipment; otherwise allowing it.
Preferably, keeping the extranet processing module and the intranet processing module in a physically isolated state comprises:
keeping the extranet processing module and the intranet processing module physically cut off from each other at all times; if one of them is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other, and only after that exchange has finished and the isolation control signal has been released can the other module exchange data with the logic isolation unit.
Preferably, the method performs the format check as follows:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, transmitting the data message; if the format check fails, rejecting the data message.
Preferably, the method further comprises:
obtaining the identity information of the external network equipment requesting access from the decrypted second data message, and authenticating that equipment on the basis of its identity information; if authentication succeeds, allowing the external network equipment to access the power Internet of Things and exchange information; if authentication fails, refusing access; here the key information includes the identity information of the external network equipment.
Preferably, authenticating the external network equipment on the basis of its identity information comprises:
generating a device fingerprint and an operating environment fingerprint from the identity information of the external network equipment according to a preset fingerprint generation strategy, and comparing them with the device fingerprint and the environment fingerprint held in a preset device access white list; the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, valid data and data format of the external network equipment; the operating environment parameter information comprises changes in the energy consumption, signal strength and traffic of the external network equipment.
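The fingerprint comparison described above, as an added illustration that is not part of the patent: a device fingerprint is derived from the static device parameters, an environment fingerprint from banded changes in energy consumption, signal strength and traffic, and both are checked against a white list keyed by MAC. The hash construction, the band widths, the field names and the enrolled sample device are assumptions made for this example; they are not the patent's preset fingerprint generation strategy.

```python
# Added example, not from the patent: fingerprint-based white-list
# authentication of an external network device.  The hash construction, the
# quantisation bands for the environment fingerprint, the field names and the
# enrolled sample device are assumptions made for this example.
import hashlib
import hmac
import json

# Static device parameters the text names: MAC, IP, communication protocol,
# valid data (represented here by the message type the device may send) and
# data format.
DEVICE_FIELDS = ("mac", "ip", "protocol", "valid_data", "data_format")

# Operating-environment parameters: changes in energy consumption, signal
# strength and traffic.  Each is quantised into a band (assumed widths) so that
# normal drift maps to the same fingerprint and a large change does not.
ENV_BANDS = {"energy_delta_pct": 10.0, "rssi_delta_db": 5.0, "traffic_delta_pct": 25.0}


def _digest(obj) -> str:
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def device_fingerprint(identity: dict) -> str:
    return _digest({k: identity[k] for k in DEVICE_FIELDS})


def environment_fingerprint(env: dict) -> str:
    return _digest({k: int(env[k] // band) for k, band in ENV_BANDS.items()})


def build_whitelist(enrolled: list) -> dict:
    """Preset device-access white list: MAC -> (device fp, environment fp)."""
    return {e["mac"]: (device_fingerprint(e), environment_fingerprint(e["env"]))
            for e in enrolled}


def authenticate(identity: dict, whitelist: dict):
    """Returns (allowed, reason).  Both fingerprints must match the entry."""
    entry = whitelist.get(identity["mac"])
    if entry is None:
        return False, "device not in white list"
    if not hmac.compare_digest(device_fingerprint(identity), entry[0]):
        return False, "device fingerprint mismatch"
    if not hmac.compare_digest(environment_fingerprint(identity["env"]), entry[1]):
        return False, "environment fingerprint mismatch"
    return True, "authenticated"


# Constructed enrollment record for one charging pile.
ENROLLED = [{
    "mac": "a0:b1:c2:d3:e4:f5", "ip": "192.168.1.20", "protocol": "mqtt",
    "valid_data": "charge-session-report", "data_format": "json-v1",
    "env": {"energy_delta_pct": 2.0, "rssi_delta_db": -1.0, "traffic_delta_pct": 5.0},
}]
WHITELIST = build_whitelist(ENROLLED)


def scenarios() -> dict:
    """Three access attempts: the real device with normal drift, a MAC clone
    on another address and protocol, and the real device with a traffic surge."""
    genuine = dict(ENROLLED[0], env={"energy_delta_pct": 4.0, "rssi_delta_db": -3.0,
                                      "traffic_delta_pct": 12.0})
    clone = dict(genuine, ip="10.0.0.9", protocol="http")
    surge = dict(genuine, env={"energy_delta_pct": 4.0, "rssi_delta_db": -3.0,
                               "traffic_delta_pct": 300.0})
    return {name: authenticate(d, WHITELIST)
            for name, d in (("genuine", genuine), ("clone", clone), ("surge", surge))}


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name}: {'allow' if ok else 'deny'} ({why})")
```

The two fingerprints do different work: a device that clones the MAC of a white-listed charging pile but speaks from another address or protocol fails the device fingerprint, while the genuine device whose traffic suddenly surges fails the environment fingerprint, so MAC spoofing alone does not gain admission. The band widths decide how much normal drift is tolerated and should be set from observed baselines rather than the placeholder values used here.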
Preferably, the method further comprises:
applying a preset access control policy to the external network equipment and determining its access rights;
monitoring the processes in the intranet processing module and handling abnormal events promptly when they occur, so that the services of the intranet processing module keep running normally;
recording operation logs and communication logs;
and interfacing with the unified cryptographic infrastructure of the power sector for distributing keys to the external network equipment and for applying for and issuing digital certificates.
The invention thus provides an isolation device and an isolation method suitable for the client side of the power Internet of Things. The extranet processing module parses a first data message received from external network equipment to obtain key information and converts that key information into a second data message according to a data ferry protocol; the isolation exchange module keeps the extranet processing module and the intranet processing module in a physically isolated state and performs a format check on the second data message; and after the second data message passes the format check, the intranet processing module decrypts it and converts the decrypted message into a third data message according to the private communication protocol of the power Internet of Things, which it sends to the intranet equipment. This achieves secure isolation between the open client-side access network and the power Internet of Things core network and effectively prevents illegal intrusion into the core service system.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings, in which:
Fig. 1 is a schematic structural diagram of an isolation device 100 suitable for the client side of the power Internet of Things according to an embodiment of the invention;
Fig. 2 is a diagram of the logical architecture of a network isolation device according to an embodiment of the present invention;
Fig. 3 is a flow diagram of identity authentication according to an embodiment of the present invention;
Fig. 4 is a read and write logic diagram of an isolation device according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of application-layer data exchange based on a transparent proxy mode according to an embodiment of the present invention;
Fig. 6 is a flowchart of an isolation method 600 suitable for the client side of the power Internet of Things according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings; however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided so that the disclosure is complete and fully conveys the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to limit the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a schematic structural diagram of an isolation device 100 suitable for the client side of the power Internet of Things according to an embodiment of the present invention. As shown in Fig. 1, the isolation device provided by the invention achieves secure isolation between the open client-side access network and the power Internet of Things core network, and effectively prevents illegal intrusion into the core service system. The isolation device 100 provided by the embodiment of the invention comprises an extranet processing module 101, an isolation exchange module 102 and an intranet processing module 103.
Preferably, the extranet processing module 101 is configured to parse a first data message received from the external network equipment to obtain key information, to convert the key information into a second data message according to a data ferry protocol, and to send the second data message to the isolation exchange module.
Preferably, the extranet processing module 101 further comprises:
a format checking unit, used to check whether the message format of the first data message meets the admission requirements of the power Internet of Things; if the check passes, the first data message is parsed; if it fails, the data transmission request of the external network equipment is rejected;
and a flow monitoring unit, used to monitor whether the data flow of the external network equipment meets the admission requirements of the power Internet of Things and whether abnormal data flow is present; if abnormal data flow is present, the data transmission request of the external network equipment is rejected; otherwise the request is allowed.
Fig. 2 is a diagram of the logical architecture of a micro network isolation device according to an embodiment of the present invention. As shown in Fig. 2, in an embodiment of the invention the extranet processing module comprises an extranet communication submodule and an extranet service processing submodule.
The extranet communication submodule comprises an HPLC interface unit, a WIFI interface unit and an extranet Ethernet interface unit, so that external network equipment can access the network over WIFI, HPLC, Ethernet and other modes.
The extranet service processing submodule mainly comprises an extranet data transceiving unit, a format checking unit, a flow monitoring unit, an extranet protocol conversion unit and an extranet upgrade management unit. The extranet data transceiving unit receives the first data message sent by the external network equipment. The format checking unit checks whether the message format of the first data message meets the admission requirements of the power Internet of Things; if the check passes, the first data message is parsed, and if it fails, the data transmission request of the external network equipment is rejected. The flow monitoring unit monitors whether the data flow of the external network equipment meets the admission requirements of the power Internet of Things and whether abnormal data flow is present; if abnormal data flow is present, the data transmission request of the external network equipment is rejected, otherwise it is allowed. The extranet protocol conversion unit parses the first data message to obtain the key information, strips the transport-layer protocol from it, and encapsulates the key information according to the data ferry protocol to obtain the second data message, which it sends to the isolation exchange module. The key information includes the device MAC address, the IP address, the valid instruction data sent by the device, and so on. Before protocol conversion the data message conforms to the communication protocol of the external network equipment; after conversion it conforms to the data ferry protocol.
The extranet upgrade management unit is mainly responsible for upgrading and maintaining the software of the extranet processing module.
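An added example, not the patent's code, of the two extranet-side gates just described: the format checking unit's admission check and the flow monitoring unit's abnormal-traffic check, both applied before a first data message is parsed any further. The message layout (MAC, IPv4, protocol id, length, payload), the set of admitted protocol ids, the window length and the per-window thresholds are assumptions made for this example.

```python
# Added example, not from the patent: extranet-side admission checks, i.e. the
# format check against admission rules followed by per-device flow monitoring.
# The message layout, the admitted protocol ids and the traffic thresholds are
# assumptions made for this example.
from collections import deque

ALLOWED_PROTOCOLS = {0x11, 0x12}   # assumed ids of client-side protocols admitted to the power IoT
MAX_MESSAGE_LEN = 256              # assumed maximum size of a first data message
WINDOW_SECONDS = 10.0              # assumed sliding window for flow monitoring
MAX_MESSAGES_PER_WINDOW = 20       # assumed per-device limits inside one window
MAX_BYTES_PER_WINDOW = 2048


def admission_format_check(raw: bytes) -> bool:
    """Assumed layout: 6-byte MAC, 4-byte IPv4, 1-byte protocol id,
    2-byte payload length, payload.  Size, protocol id and declared length
    must all meet the admission rules before anything else looks at the message."""
    if not 13 <= len(raw) <= MAX_MESSAGE_LEN:
        return False
    proto = raw[10]
    plen = int.from_bytes(raw[11:13], "big")
    return proto in ALLOWED_PROTOCOLS and len(raw) == 13 + plen


class FlowMonitor:
    """Per-MAC sliding-window counters of messages and bytes; a device that
    exceeds either limit inside the window is treated as abnormal flow."""

    def __init__(self):
        self.history = {}   # mac -> deque of (timestamp, size)

    def observe(self, mac: bytes, size: int, now: float) -> bool:
        q = self.history.setdefault(mac, deque())
        q.append((now, size))
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()            # drop observations that fell out of the window
        return (len(q) <= MAX_MESSAGES_PER_WINDOW
                and sum(s for _, s in q) <= MAX_BYTES_PER_WINDOW)


def admit(raw: bytes, monitor: FlowMonitor, now: float) -> tuple:
    """Returns (admitted, reason) for one data transmission request."""
    if not admission_format_check(raw):
        return False, "format rejected"
    if not monitor.observe(raw[0:6], len(raw), now):
        return False, "abnormal flow"
    return True, "admitted"


def sample_message(proto: int = 0x11, payload: bytes = b"READ") -> bytes:
    """Constructed first data message from MAC a0:b1:c2:d3:e4:f5 / 192.168.1.20."""
    return (bytes.fromhex("a0b1c2d3e4f5") + bytes([192, 168, 1, 20])
            + bytes([proto]) + len(payload).to_bytes(2, "big") + payload)


def run_burst(n: int, interval: float = 0.05) -> list:
    """One device sends n well-formed messages `interval` seconds apart;
    returns the verdict for each message in order."""
    mon = FlowMonitor()
    return [admit(sample_message(), mon, i * interval)[1] for i in range(n)]


if __name__ == "__main__":
    verdicts = run_burst(25)
    print(verdicts.count("admitted"), "admitted,", verdicts.count("abnormal flow"), "flagged")
```

Ordering matters: the cheap length and protocol checks run first so that a malformed or oversized message is dropped without touching the parser, and the flow monitor keys on the MAC so that one chattering or replaying device is throttled without affecting others on the same interface. Whether a device is sending 25 messages in a second or 25 in 25 seconds changes the verdict, which is the kind of "abnormal data flow" the text refers to.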
Preferably, the isolation exchange module 102 is configured to keep the extranet processing module and the intranet processing module in a physically isolated state, to perform a format check on the second data message, and to send the second data message to the intranet processing module after it passes the format check.
Preferably, the isolation exchange module 102 keeps the extranet processing module and the intranet processing module in a physically isolated state as follows:
the extranet processing module and the intranet processing module are kept physically cut off from each other at all times; if one of them is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other, and only after that exchange has finished and the isolation control signal has been released can the other module exchange data with the logic isolation unit.
Preferably, the isolation exchange module performs the format check as follows:
it checks whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, the data message is transmitted; if the format check fails, the data message is rejected.
As shown in fig. 2, in an embodiment of the present invention, an isolated switching module includes: the isolation switching master controller MCU and the network isolation submodule are arranged; the network isolation submodule comprises: a logic isolation unit and a data exchange unit.
The method comprises the steps that a logic isolation unit controls an outer network processing module and an inner network processing module to process a physical isolation state, a data exchange module is used for carrying out format verification on a second data message, and the second data message is sent to the inner network processing module after the second data message passes the format verification, so that data transmission is completed. The method comprises the following steps that a logic isolation unit in an isolation exchange module is utilized to control an external network processing module and an internal network processing module to be in a physical cut-off state at the same time; if one of the outer network processing module and the inner network processing module is carrying out data interaction with the logic isolation unit, the logic isolation unit and the other module are in a disconnected state, and after the data interaction of the one module is finished and the isolation control signal is released, the other module can carry out data interaction with the logic isolation unit. When the format of the second data message is checked to be in accordance with the data ferry protocol, if the format check is passed, transmitting the data message to be transmitted; and if the format check fails, rejecting the data message to be transmitted.
The isolation exchange main controller MCU comprises at least 3 CPUs, wherein two CPUs are respectively used for processing intranet services and extranet services, and the other CPU is used for managing system configuration and security policy setting.
Preferably, the intranet processing module 103 is configured to decrypt the second data message and to perform protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things, so as to obtain a third data message and send it to the intranet device.
Preferably, the intranet processing module further comprises:
an identity recognition unit, configured to obtain the identity information of the extranet device to be accessed from the decrypted second data message and to perform identity authentication according to that identity information; if authentication succeeds, the extranet device to be accessed is allowed to access the power Internet of Things for information exchange, and if authentication fails, it is refused access; wherein the key information comprises the identity information of the extranet device.
Preferably, the identity recognition unit performs identity authentication according to the identity information of the extranet device to be accessed as follows:
a device fingerprint and an operating environment fingerprint are generated from the identity information of the extranet device to be accessed according to a preset fingerprint generation strategy, and are compared with the device fingerprint and environment fingerprint recorded in a preset device access whitelist; wherein the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, valid data and data format of the extranet device; the operating environment parameter information comprises the energy consumption change, signal strength change and traffic change of the extranet device.
Preferably, the intranet processing module further comprises:
an access control unit, configured to perform access control on the extranet device according to a preset access control policy and to determine the access rights of the extranet device;
a service monitoring unit, configured to monitor the processes in the intranet processing module and to handle abnormal events promptly when they occur, so as to keep the intranet processing module in normal service;
a log recording unit, configured to record the various operation logs and communication logs;
and a key and certificate import unit, configured to interface with the power-sector unified cryptographic infrastructure so as to distribute the extranet device keys and to apply for and issue digital certificates.
As shown in fig. 2, in an embodiment of the present invention the intranet processing module comprises an intranet communication submodule, a cryptographic operation submodule and an intranet service processing submodule. The intranet communication submodule comprises a power private network interface unit and an intranet Ethernet interface unit. The cryptographic operation submodule comprises a key management unit and an algorithm operation unit. The intranet service processing submodule comprises an intranet data transceiving unit, an intranet protocol conversion unit, an identity recognition unit, a service monitoring unit, an access control unit, a key and certificate import unit, a log recording unit and an intranet upgrade management unit.
In the embodiment of the invention, the key management unit is responsible for the secure management of the whole key life cycle. The algorithm operation unit performs the operations of the SM-series national commercial cryptographic algorithms SM1, SM2, SM3, SM4, SM7 and SM9, and decrypts the second data message to obtain the decrypted second data message. After receiving the second data message from the isolation exchange module through the intranet data transceiving unit, the intranet processing module decrypts it with the algorithm operation unit, performs protocol format conversion on the decrypted second data message with the intranet protocol conversion unit according to the dedicated communication protocol of the power Internet of Things to obtain the third data message, and sends the converted and encapsulated third data message to the intranet device with the intranet data transceiving unit. Before protocol conversion the data message conforms to the data ferry protocol; after conversion it conforms to the dedicated communication protocol of the power Internet of Things. In addition, the intranet processing module uses the identity recognition unit to authenticate the extranet device to be accessed according to its identity information; if authentication succeeds, the extranet device is allowed access, and if it fails, access is refused. Specifically, the identity authentication process is shown in fig. 3 and comprises:
(1) The sensing device or user electrical device sends its device parameter information, namely its MAC address, IP address, communication protocol P_r, valid data D_v and data format D_f, to the intranet processing module. The intranet processing module analyses the legality and validity of this information and, if it meets the admission requirements of the Internet of Things environment, forms a device fingerprint D_fp and feeds the verification result back to the sensing device or user electrical device.
(2) The sensing device or user electrical device sends its environment parameter information, namely the energy consumption change E_c, signal strength change S_c and traffic change F_c, to the intranet processing module. The isolation device generates an operating environment fingerprint E_fp and feeds the reception result back to the sensing device or user electrical device.
(3) The intranet processing module transmits the acquired fingerprint information to the background centralised management platform and establishes a sensing device access whitelist W_l.
(4) When a device to be accessed connects to the isolation device over WiFi, HPLC or Ethernet, the intranet processing module again generates a device fingerprint and an operating environment fingerprint from the identity information of the extranet device to be accessed according to the preset fingerprint generation strategy, and compares them with the device fingerprint and environment fingerprint in the preset device access whitelist to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information.
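The fingerprint enrolment (steps 1 to 3) and verification (step 4) above, as an added example in Python that is not the patent's own code. The patent fixes the inputs of the two fingerprints but not how they are derived, so the hashing of the device parameters into D_fp, the numeric environment profile used for E_fp, the 25% per-metric tolerance and the sample values are assumptions, and SHA-256 stands in for the SM3 hash the device's algorithm operation unit would use.

```python
"""Device fingerprint, running-environment fingerprint and whitelist
matching (added example, not the patent's code). The patent fixes the
inputs (MAC, IP, communication protocol, valid data, data format; energy
consumption, signal strength and traffic changes) but not the derivation,
so the hashing, the numeric environment profile and the tolerance below
are assumptions. SHA-256 stands in for the SM3 hash the device would use."""
import hashlib
import json

ENV_TOLERANCE = 0.25   # assumed: relative deviation allowed per environment metric


def device_fingerprint(mac: str, ip: str, protocol: str, valid_data, data_format: str) -> str:
    """D_fp: hash of the canonicalised device parameters; valid_data is taken
    to be the list of instruction codes the device is entitled to send."""
    canon = json.dumps({"mac": mac.lower(), "ip": ip, "pr": protocol,
                        "dv": sorted(valid_data), "df": data_format}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def env_fingerprint(ec: float, sc: float, fc: float) -> tuple:
    """E_fp: energy, signal and traffic change profile. Kept numeric, not
    hashed, because these drift and must be compared with a tolerance."""
    return (float(ec), float(sc), float(fc))


def env_matches(observed: tuple, enrolled: tuple, tol: float = ENV_TOLERANCE) -> bool:
    """Every metric must stay within tol (relative) of the enrolled value."""
    return all(abs(o - e) <= tol * max(abs(e), 1e-9) for o, e in zip(observed, enrolled))


class AccessWhitelist:
    """W_l: device fingerprint -> enrolled environment fingerprint."""

    def __init__(self):
        self.entries = {}

    def enroll(self, dev_fp: str, env_fp: tuple) -> None:
        """Steps (1)-(3): record the pair after the admission analysis."""
        self.entries[dev_fp] = env_fp

    def authenticate(self, dev_fp: str, env_fp: tuple):
        """Step (4): both fingerprints must match; returns (ok, reason)."""
        enrolled = self.entries.get(dev_fp)
        if enrolled is None:
            return False, "device fingerprint not in whitelist"
        if not env_matches(env_fp, enrolled):
            return False, "environment fingerprint deviates from enrolment"
        return True, "ok"


def enroll_device(wl: AccessWhitelist, mac, ip, protocol, valid_data, data_format, ec, sc, fc) -> str:
    """Enrol one device from its parameters and return its D_fp."""
    fp = device_fingerprint(mac, ip, protocol, valid_data, data_format)
    wl.enroll(fp, env_fingerprint(ec, sc, fc))
    return fp


if __name__ == "__main__":
    # Constructed sample: MAC/IP/protocol/instruction set/format and metrics are made up.
    wl = AccessWhitelist()
    fp = enroll_device(wl, "AA:BB:CC:DD:EE:01", "192.168.1.20", "hplc-v1",
                       ["READ", "REPORT"], "tlv", 1.0, -60, 120)
    print(wl.authenticate(fp, env_fingerprint(1.1, -62, 130)))   # within tolerance
    print(wl.authenticate(fp, env_fingerprint(1.1, -62, 400)))   # traffic profile off
```

Every parameter that goes into D_fp is declared by the sending device itself, so D_fp on its own is a cloneable identity; the operating environment fingerprint is what ties that declaration to a measured signal profile. The tolerance is the tuning point: wide enough to absorb normal drift of energy, signal and traffic, narrow enough that a cloned MAC and IP on a different link fails step (4).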
The isolation device of the embodiment of the invention protects service data and instructions mainly through bidirectional identity authentication, encrypted data encapsulation and data integrity verification. Bidirectional identity authentication: the system uses the SM1, SM2 and SM3 cryptographic algorithms and authenticates itself with the master station service application system, and vice versa, on the basis of challenge-response, digital certificate signature and signature verification. Encrypted data encapsulation: service data and control instructions are encapsulated and encrypted according to the dedicated secure communication protocol of the power Internet of Things. Data integrity verification: the integrity of service data and control instructions is ensured by message authentication codes, digital signatures and data timeliness verification.
In an embodiment of the present invention, the access control unit performs access control on the extranet device according to a preset access control policy and determines the access rights of the extranet device. The intranet upgrade management unit upgrades and maintains the software of the intranet processing module. The key and certificate import unit interfaces with the power-sector unified cryptographic infrastructure to distribute the extranet device keys and to apply for and issue digital certificates. The log recording unit records the various operation logs, communication logs and similar information for later analysis and tracing.
Preferably, the apparatus further comprises:
the intranet processing module, configured to encrypt the received fourth data message sent by the intranet device and to perform protocol format conversion on the encrypted fourth data message according to the data ferry protocol, so as to obtain a fifth data message and send it to the isolation exchange module;
the isolation exchange module, configured to keep the extranet processing module and the intranet processing module in a physically isolated state, to perform format verification on the fifth data message, and to send the fifth data message to the extranet processing module after it passes format verification;
and the extranet processing module, configured to perform protocol format conversion on the fifth data message according to the communication protocol of the extranet device, so as to obtain a sixth data message and send it to the extranet device.
In an embodiment of the present invention, when data is transmitted from the intranet to the extranet, the intranet processing module encrypts the received fourth data message sent by the intranet device with the algorithm operation unit, converts the encrypted fourth data message with the intranet protocol conversion unit according to the data ferry protocol of the isolation exchange module to obtain the fifth data message, and sends the fifth data message to the isolation exchange module with the intranet data transceiving unit. Before protocol conversion the data message conforms to the dedicated communication protocol of the power Internet of Things; after conversion it conforms to the data ferry protocol of the isolation exchange module. The isolation exchange module keeps the extranet processing module and the intranet processing module in a physically isolated state, performs format verification on the fifth data message, and sends it to the extranet processing module after it passes. The extranet processing module converts the fifth data message with the extranet protocol conversion unit according to the communication protocol of the extranet device to obtain the sixth data message, and sends it to the extranet device with the extranet data transceiving unit. Before this conversion the data message conforms to the data ferry protocol; after it, the data message conforms to the communication protocol of the extranet device.
FIG. 4 is a read/write logic diagram of the isolation device according to an embodiment of the present invention. As shown in fig. 4, the isolation device mainly uses independent intranet and extranet read/write channels and an information ferry mechanism to achieve secure isolation between the two networks and secure information exchange between them. What is exchanged between the intranet and extranet processing modules is not an IP packet but an application-layer data unit encapsulated by a dedicated internal protocol; no original IP packet can pass through the channel. The isolation device completely disconnects the two networks or hosts at the physical layer of the network, and "ferries" the secured network data while the extranet interface and the intranet interface are physically disconnected at the same time. While one network is exchanging data through the isolation device, the isolation device is disconnected from the network at the other end; after that end has finished its data exchange and released the isolation control signal, the other end can exchange information with the isolation device. Data from either end is stored in a buffer of the isolation device: the buffer state is checked before writing, and the data is written only when the state allows it, otherwise the writer waits; likewise the buffer state is checked before reading, and the buffered data is read only when the state allows it, otherwise the reader waits.
The specific read/write process is as follows: when the intranet processing module or the extranet processing module sends data from one network to the other, the data is written into the transmit FIFO module; at this time the receive FIFO module is closed and only the write channel is connected. When data is to be read by the other processing unit, it is taken from the receive FIFO module; at this time the transmit FIFO module is closed and only the read channel is connected.
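The one-side-at-a-time behaviour of the logic isolation unit and the buffered read/write sequence described for fig. 4 (and above for the isolation exchange module), as an added example in Python that is not the patent's own code. The ferry frame layout, the FIFO depth and the event strings are assumptions. The model shows that a side can write or read only while it holds the isolation control signal, that the other side is refused while it does, and that a frame failing the ferry-format check (a raw IP packet, or a frame whose declared length does not match its size) never enters the buffer.

```python
"""Isolation exchange channel model (added example, not the patent's
code). Models the logic isolation unit and the ferry FIFOs: the extranet
and intranet sides are never connected at once; a side asserts the
isolation control signal, writes into the FIFO feeding the other side,
releases the signal, and only then can the other side connect and read.
The buffer state is checked before every write and read, and only frames
that pass the ferry-format check are accepted. Frame layout and FIFO
depth are assumptions."""
from collections import deque

EXTRANET, INTRANET = "extranet", "intranet"
FERRY_MAGIC, FERRY_VERSION = b"FERY", 1
# Constructed ferry frame: MAGIC|ver|mac(6)|ip(4)|len(2)|payload|crc(4)
GOOD_FRAME = FERRY_MAGIC + b"\x01" + b"\x02" * 6 + b"\xc0\xa8\x01\x14" + b"\x00\x03" + b"abc" + b"\x00" * 4


def ferry_format_ok(msg: bytes) -> bool:
    """Exchange-side format check: magic, version and declared payload
    length must agree with the actual size. A raw IP packet fails here."""
    if len(msg) < 21 or msg[:4] != FERRY_MAGIC or msg[4] != FERRY_VERSION:
        return False
    return 17 + int.from_bytes(msg[15:17], "big") + 4 == len(msg)


class IsolationExchange:
    def __init__(self, depth: int = 4):
        self.depth = depth
        self.fifo = {EXTRANET: deque(), INTRANET: deque()}  # frames waiting for that side
        self.connected = None   # side currently holding the isolation control signal
        self.events = []

    def acquire(self, side: str) -> bool:
        """Assert the isolation control signal. Refused while the other
        side is connected, so both interfaces are never connected at once."""
        if self.connected not in (None, side):
            self.events.append(f"{side} blocked: {self.connected} connected")
            return False
        self.connected = side
        return True

    def release(self, side: str) -> None:
        if self.connected == side:
            self.connected = None

    def write(self, side: str, msg: bytes) -> str:
        """Write a frame for the other side. Needs the control signal, a
        passing format check and free space; otherwise the writer waits."""
        if self.connected != side:
            return "not connected"
        if not ferry_format_ok(msg):
            self.events.append(f"{side} frame rejected by format check")
            return "rejected"
        dest = INTRANET if side == EXTRANET else EXTRANET
        if len(self.fifo[dest]) >= self.depth:
            return "wait"
        self.fifo[dest].append(msg)
        return "written"

    def read(self, side: str):
        """Read the next frame addressed to this side; wait if none."""
        if self.connected != side:
            return None, "not connected"
        if not self.fifo[side]:
            return None, "wait"
        return self.fifo[side].popleft(), "read"


def ferry_one(ex: IsolationExchange, src: str, dst: str, msg: bytes):
    """One ferry cycle: src connects, writes, disconnects; dst connects,
    reads, disconnects. Returns (delivered_frame_or_None, trace)."""
    trace = []
    if not ex.acquire(src):
        return None, ["src blocked"]
    trace.append(ex.write(src, msg))
    trace.append("dst blocked" if not ex.acquire(dst) else "dst connected!")  # must be blocked
    ex.release(src)
    if not ex.acquire(dst):
        return None, trace + ["dst blocked"]
    frame, status = ex.read(dst)
    trace.append(status)
    ex.release(dst)
    return frame, trace


if __name__ == "__main__":
    ex = IsolationExchange()
    print(ferry_one(ex, EXTRANET, INTRANET, GOOD_FRAME))
    print(ex.events)
```

The property to check when reviewing such a device is that there is no state in which `connected` refers to both sides or in which a write and a read are serviced in the same acquisition; in the model the only path from extranet to intranet is an explicit release followed by a fresh acquire, and the format check runs before anything is buffered, so a rejected frame leaves no residue for the other side to read.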
Fig. 5 is a schematic diagram of application-layer data exchange based on a transparent proxy mode according to an embodiment of the present invention. As shown in fig. 5, the isolation device mainly uses the transparent proxy mode to implement application-layer data exchange. The transparent proxy consists of a proxy engine and a proxy stub located on different network processing units. The proxy stub is mainly responsible for checking network connection requests. The proxy engine is mainly responsible for calling the transmission interface and passing the information returned by the extranet to the network processing unit through the high-speed exchange channel. The proxy engine and the proxy stub exchange dialogue and data over the high-speed exchange channel using a proprietary protocol.
With regard to data confidentiality and integrity protection, the isolation device of the embodiment of the invention protects service data and instructions mainly through bidirectional identity authentication, encrypted data encapsulation and data integrity verification. For bidirectional identity authentication, the system uses the SM1, SM2 and SM3 cryptographic algorithms and authenticates with the master station service application system in both directions on the basis of challenge-response, digital certificate signature and signature verification. For encrypted data encapsulation, service data and control instructions are encapsulated and encrypted according to the dedicated secure communication protocol of the power Internet of Things. For data integrity verification, the integrity of service data and control instructions is ensured by message authentication codes, digital signatures and data timeliness verification.
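The bidirectional authentication, encrypted encapsulation and integrity/timeliness verification described above, as an added example in Python that is not the patent's own code. The device performs these with SM2 certificate signatures, SM3 and SM4 in its cryptographic operation submodule; so that the exchange runs with the standard library, the example substitutes HMAC-SHA256 over a pre-shared authentication key for the signature and message authentication code, and an HMAC counter-mode keystream for SM4. Identities, keys, the 30-second freshness window, the sequence-number replay check and the message layout are assumptions.

```python
"""Mutual challenge-response authentication and protected service messages
(added example, not the patent's code). The device would use SM2
certificate signatures, SM3 and SM4 via the cryptographic operation
submodule; so that this runs with the standard library, HMAC-SHA256 over
a pre-shared key stands in for signature and message authentication code
and an HMAC counter-mode keystream stands in for SM4. Identities, keys,
the freshness window and the message layout are assumptions."""
import hashlib
import hmac
import os
import struct

FRESHNESS_WINDOW_S = 30       # assumed: accepted |now - timestamp| in seconds
TAG_LEN = 32


def tag(key: bytes, *parts: bytes) -> bytes:
    """Domain-separated MAC over length-prefixed parts (no ambiguity between fields)."""
    data = b"".join(struct.pack("!H", len(p)) + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (stand-in for SM4); a nonce is never reused."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class Party:
    """One end of the exchange: the isolation device or the master-station service."""

    def __init__(self, ident: bytes, auth_key: bytes, enc_key: bytes, mac_key: bytes):
        self.ident, self.auth_key, self.enc_key, self.mac_key = ident, auth_key, enc_key, mac_key
        self.nonce = self.peer_nonce = None
        self.last_seq = -1

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def respond(self, peer_nonce: bytes):
        """Answer a challenge with our own nonce plus proof of key possession."""
        self.peer_nonce, self.nonce = peer_nonce, os.urandom(16)
        return self.nonce, tag(self.auth_key, b"resp", peer_nonce, self.nonce, self.ident)

    def verify_response(self, peer_ident: bytes, peer_nonce: bytes, proof: bytes) -> bool:
        self.peer_nonce = peer_nonce
        return hmac.compare_digest(proof, tag(self.auth_key, b"resp", self.nonce, peer_nonce, peer_ident))

    def prove(self) -> bytes:
        """Initiator's proof over the responder's nonce (identity bound in, no reflection)."""
        return tag(self.auth_key, b"prove", self.peer_nonce, self.nonce, self.ident)

    def verify_proof(self, peer_ident: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(proof, tag(self.auth_key, b"prove", self.nonce, self.peer_nonce, peer_ident))

    def protect(self, plaintext: bytes, seq: int, ts: int) -> bytes:
        """ts(8)|seq(4)|nonce(12)|ciphertext|tag; the MAC covers header and ciphertext."""
        header, nonce = struct.pack("!QI", ts, seq), os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(self.enc_key, nonce, len(plaintext))))
        return header + nonce + ct + tag(self.mac_key, b"msg", header, nonce, ct)

    def unprotect(self, msg: bytes, now: int):
        """Integrity first, then timeliness and replay, then decrypt."""
        if len(msg) < 24 + TAG_LEN:
            return None, "truncated"
        header, nonce, ct, mac = msg[:12], msg[12:24], msg[24:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(mac, tag(self.mac_key, b"msg", header, nonce, ct)):
            return None, "integrity check failed"
        ts, seq = struct.unpack("!QI", header)
        if abs(now - ts) > FRESHNESS_WINDOW_S:
            return None, "stale"
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, nonce, len(ct)))), "ok"


def mutual_auth(initiator: Party, responder: Party):
    """Challenge, response-with-proof, proof: returns (initiator_accepts, responder_accepts)."""
    n_i = initiator.challenge()
    n_r, proof_r = responder.respond(n_i)
    ok_i = initiator.verify_response(responder.ident, n_r, proof_r)
    ok_r = responder.verify_proof(initiator.ident, initiator.prove())
    return ok_i, ok_r


if __name__ == "__main__":
    # Constructed keys and identities; a real device gets them from the cryptographic infrastructure.
    keys = (b"a" * 32, b"e" * 32, b"m" * 32)
    dev, master = Party(b"isolation-device-01", *keys), Party(b"master-station", *keys)
    print(mutual_auth(dev, master))
    msg = dev.protect(b"SET relay=open", seq=1, ts=1_000_000)
    print(master.unprotect(msg, now=1_000_010), master.unprotect(msg, now=1_000_010))
```

Two details carry over unchanged when the stand-ins are replaced by SM2/SM3/SM4: the integrity check runs before the timestamp or sequence number is even parsed, so a forged header cannot steer the timeliness logic, and both nonces plus the sender identity are bound into each proof, so a response cannot be reflected back to its originator.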
The isolation device of the embodiment of the invention achieves secure isolation between the open client-side access network and the core network of the power Internet of Things, and can effectively prevent illegal intrusion into the core service system.
Fig. 6 is a flowchart of an isolation method 600 suitable for the client side of the power Internet of Things according to an embodiment of the present invention. As shown in fig. 6, the isolation method 600 starts at step 601, in which the received first data message sent by the extranet device is parsed to obtain the key information, and protocol format conversion is performed on the key information according to the data ferry protocol to obtain the second data message.
Preferably, the method further comprises:
before parsing the received first data message sent by the extranet device, checking whether the message format of the first data message meets the admission requirements of the power Internet of Things; if the check passes, parsing the first data message; if the check fails, rejecting the data transmission request of the extranet device;
monitoring whether the data flow of the extranet device meets the admission requirements of the power Internet of Things and whether abnormal data flow is present; if abnormal data flow is present, rejecting the data transmission request of the extranet device; and if no abnormal data flow is present, allowing the data transmission request of the extranet device.
In step 602, the extranet processing module and the intranet processing module are kept in a physically isolated state, and format verification is performed on the second data message.
In step 603, after the second data message passes format verification, it is decrypted, and protocol format conversion is performed on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things, so as to obtain a third data message and send it to the intranet device.
Preferably, the method further comprises:
obtaining the identity information of the extranet device to be accessed from the decrypted second data message, and performing identity authentication according to that identity information; if authentication succeeds, allowing the extranet device to be accessed to access the power Internet of Things for information exchange; if authentication fails, refusing the extranet device to be accessed access to the power Internet of Things; wherein the key information comprises the identity information of the extranet device.
Preferably, performing identity authentication according to the identity information of the extranet device to be accessed comprises:
generating a device fingerprint and an operating environment fingerprint from the identity information of the extranet device to be accessed according to a preset fingerprint generation strategy, and comparing them with the device fingerprint and environment fingerprint in a preset device access whitelist to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, valid data and data format of the extranet device; the operating environment parameter information comprises the energy consumption change, signal strength change and traffic change of the extranet device.
Preferably, the method further comprises:
encrypting a received fourth data message sent by the intranet device, and performing protocol format conversion on the encrypted fourth data message according to the data ferry protocol to obtain a fifth data message;
keeping the extranet processing module and the intranet processing module in a physically isolated state, and performing format verification on the fifth data message;
and after the fifth data message passes format verification, performing protocol format conversion on the fifth data message according to the communication protocol of the extranet device to obtain a sixth data message and sending it to the extranet device.
Preferably, keeping the extranet processing module and the intranet processing module in a physically isolated state comprises:
keeping the extranet processing module and the intranet processing module in a physically disconnected state at the same time; while one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after that module has finished its data exchange and the isolation control signal has been released can the other module exchange data with the logic isolation unit.
Preferably, the method performs format verification as follows:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, transmitting the data message; and if the format check fails, rejecting the data message.
Preferably, the method further comprises:
performing access control on the extranet device according to a preset access control policy, and determining the access rights of the extranet device;
monitoring the processes in the intranet processing module, and handling abnormal events promptly when they occur so as to keep the intranet processing module in normal service;
recording the various operation logs and communication logs;
and interfacing with the power-sector unified cryptographic infrastructure to distribute the extranet device keys and to apply for and issue digital certificates.
The isolation method 600 applicable to the power internet of things client side according to the embodiment of the present invention corresponds to the isolation device 100 applicable to the power internet of things client side according to another embodiment of the present invention, and details thereof are not repeated herein.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the [ device, component, etc ]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (16)

1. An isolation device suitable for a client side of an electric power internet of things, the device comprising:
an extranet processing module, configured to parse a received first data message sent by an extranet device to obtain key information, and to perform protocol format conversion on the key information according to a data ferry protocol so as to obtain a second data message and send it to an isolation exchange module;
the isolation exchange module, configured to keep the extranet processing module and an intranet processing module in a physically isolated state, to perform format verification on the second data message, and to send the second data message to the intranet processing module after it passes format verification;
and the intranet processing module, configured to decrypt the second data message and to perform protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things, so as to obtain a third data message and send it to an intranet device.
2. The apparatus of claim 1, further comprising:
the intranet processing module, configured to encrypt a received fourth data message sent by the intranet device and to perform protocol format conversion on the encrypted fourth data message according to the data ferry protocol, so as to obtain a fifth data message and send it to the isolation exchange module;
the isolation exchange module, configured to keep the extranet processing module and the intranet processing module in a physically isolated state, to perform format verification on the fifth data message, and to send the fifth data message to the extranet processing module after it passes format verification;
and the extranet processing module, configured to perform protocol format conversion on the fifth data message according to the communication protocol of the extranet device, so as to obtain a sixth data message and send it to the extranet device.
3. The apparatus of claim 1, wherein the extranet processing module further comprises:
a format checking unit, used for checking whether the message format of the first data message meets the admission requirements of the power Internet of Things; if the check passes, parsing the first data message; if the check fails, rejecting the data transmission request of the extranet device;
and a traffic monitoring unit, used for monitoring whether the data traffic of the extranet device meets the admission requirements of the power Internet of Things and whether abnormal data traffic is present; if abnormal data traffic is present, rejecting the data transmission request of the extranet device; if no abnormal data traffic is present, allowing the data transmission request of the extranet device.
4. The apparatus of claim 1, wherein the isolation switching module keeping the extranet processing module and the intranet processing module in a physically isolated state comprises:
keeping the extranet processing module and the intranet processing module physically cut off from each other at all times; when one of the extranet processing module and the intranet processing module is exchanging data with the logical isolation unit, the logical isolation unit and the other module are in a disconnected state, and only after the data exchange of the one module is finished and the isolation control signal is released may the other module exchange data with the logical isolation unit.
5. The apparatus of claim 1 or 2, wherein the isolation switching module performs the format verification by:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, forwarding the data message to be transmitted; if the format check fails, rejecting the data message to be transmitted.
6. The apparatus according to claim 1, wherein the intranet processing module further comprises:
an identity recognition unit, used for obtaining the identity information of the extranet device requesting access from the decrypted second data message and performing identity authentication according to that identity information; if the identity authentication succeeds, allowing the requesting extranet device to connect to the power Internet of Things for information exchange; if the identity authentication fails, refusing the requesting extranet device a connection to the power Internet of Things for information exchange; wherein the key information comprises the identity information of the extranet device.
7. The apparatus of claim 6, wherein the identity recognition unit performing identity authentication according to the identity information of the extranet device requesting access comprises:
generating a device fingerprint and an operating environment fingerprint, respectively, from the identity information of the extranet device requesting access according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access white list so as to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, valid data and data format of the extranet device; and the operating environment parameter information comprises changes in the energy consumption, signal strength and traffic of the extranet device.
8. The apparatus according to claim 1, wherein the intranet processing module further comprises:
an access control unit, used for performing access control on the extranet device according to a preset access control policy and determining the access rights of the extranet device;
a service monitoring unit, used for monitoring the processes in the intranet processing module and handling abnormal events promptly when they occur, so as to keep the services of the intranet processing module running normally;
a log recording unit, used for recording operation logs and communication logs of all kinds;
and a key and certificate import unit, used for interfacing with the unified cryptographic infrastructure of the power system so as to distribute keys to the extranet device and to apply for and issue digital certificates.
9. An isolation method suitable for the client side of a power Internet of Things, characterized by comprising the following steps:
parsing a received first data message sent by an extranet device to obtain key information, and performing protocol format conversion on the key information according to a data ferry protocol to obtain a second data message;
keeping the extranet processing module and the intranet processing module in a physically isolated state, and performing format verification on the second data message;
and after the second data message passes the format verification, decrypting the second data message and performing protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things, so as to obtain a third data message and send the third data message to the intranet device.
10. The method of claim 9, further comprising:
encrypting a received fourth data message sent by the intranet device, and performing protocol format conversion on the encrypted fourth data message according to the data ferry protocol to obtain a fifth data message;
keeping the extranet processing module and the intranet processing module in a physically isolated state, and performing format verification on the fifth data message;
and after the fifth data message passes the format verification, performing protocol format conversion on the fifth data message according to the communication protocol of the extranet device, so as to obtain a sixth data message and send the sixth data message to the extranet device.
11. The method of claim 9, further comprising: before parsing the received first data message sent by the extranet device, checking whether the message format of the first data message meets the admission requirements of the power Internet of Things; if the check passes, parsing the first data message; if the check fails, rejecting the data transmission request of the extranet device;
and monitoring whether the data traffic of the extranet device meets the admission requirements of the power Internet of Things and whether abnormal data traffic is present; if abnormal data traffic is present, rejecting the data transmission request of the extranet device; if no abnormal data traffic is present, allowing the data transmission request of the extranet device.
12. The method of claim 9, wherein keeping the extranet processing module and the intranet processing module in a physically isolated state comprises:
keeping the extranet processing module and the intranet processing module physically cut off from each other at all times; when one of the extranet processing module and the intranet processing module is exchanging data with the logical isolation unit, the logical isolation unit and the other module are in a disconnected state, and only after the data exchange of the one module is finished and the isolation control signal is released may the other module exchange data with the logical isolation unit.
13. The method of claim 9 or 10, wherein the format verification is performed by:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, forwarding the data message to be transmitted; if the format check fails, rejecting the data message to be transmitted.
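The data-ferry path of claims 9 to 13 (and the matching apparatus claims 1 to 5), as an added simulation that is not code from the patent or its assignees: the extranet side reduces the first message to its key information and packs it into a ferry-protocol frame, the isolation switch lets only one side connect to the logical isolation unit at a time and drops any frame that fails the ferry-format check, and the intranet side decrypts and converts what it reads. The frame layout (magic, direction, length, CRC32), the toy keystream cipher and the JSON form of the messages are assumptions; the patent specifies none of them.

```python
# Added simulation of the data-ferry path through the isolation switching module.
# Constructed example: the ferry-frame layout, the keystream cipher and the JSON
# representation of the messages are assumptions, not the patent's own formats.
import hashlib
import json
import struct
import zlib

MAGIC = b"FRY1"                  # assumed ferry-protocol magic
DIR_EXT_TO_INT = 0               # extranet -> intranet (claim 9)
DIR_INT_TO_EXT = 1               # intranet -> extranet (claim 10)
HEADER = struct.Struct(">4sBH")  # magic, direction, payload length
MAX_PAYLOAD = 1024               # assumed upper bound accepted by the ferry


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream) standing in for the
    device's cipher, which the claims do not name. Encrypt == decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_ferry_frame(direction: int, payload: bytes) -> bytes:
    """Protocol format conversion into the ferry protocol (second/fifth message)."""
    crc = struct.pack(">I", zlib.crc32(payload))
    return HEADER.pack(MAGIC, direction, len(payload)) + payload + crc


def check_ferry_format(frame: bytes) -> bool:
    """Format verification of claim 13: the frame must parse as a complete,
    well-formed ferry frame, otherwise it is rejected."""
    if len(frame) < HEADER.size + 4:
        return False
    magic, direction, length = HEADER.unpack_from(frame)
    if magic != MAGIC or direction not in (DIR_EXT_TO_INT, DIR_INT_TO_EXT):
        return False
    if length == 0 or length > MAX_PAYLOAD or len(frame) != HEADER.size + length + 4:
        return False
    payload = frame[HEADER.size:HEADER.size + length]
    (crc,) = struct.unpack_from(">I", frame, HEADER.size + length)
    return zlib.crc32(payload) == crc


class IsolationSwitch:
    """Claim 12: the extranet and intranet modules are never both connected to the
    logical isolation unit; a side holds it until its control signal is released."""

    def __init__(self):
        self.connected = None   # None, "extranet" or "intranet"
        self.buffer = None      # the single frame held by the isolation unit
        self.rejected = 0       # frames dropped by the format check

    def connect(self, side: str) -> bool:
        if self.connected not in (None, side):
            return False        # the other side is still exchanging data
        self.connected = side
        return True

    def release(self, side: str) -> None:
        if self.connected == side:
            self.connected = None   # isolation control signal released

    def write(self, side: str, frame: bytes) -> bool:
        """Accept a frame only from the connected side and only if it is well-formed."""
        if self.connected != side or not check_ferry_format(frame):
            self.rejected += 1
            return False
        self.buffer = frame
        return True

    def read(self, side: str):
        if self.connected != side:
            return None
        frame, self.buffer = self.buffer, None
        return frame


def ferry_extranet_to_intranet(first_message: bytes, key: bytes, switch: IsolationSwitch):
    """Steps of claim 9 for one message. Returns the third data message (a dict
    standing in for the IoT-protocol form) or None if the ferry rejected it."""
    # Extranet side: parse the first message and keep only the key information.
    request = json.loads(first_message)
    key_info = {k: request[k] for k in ("device_id", "mac", "data")}
    second = build_ferry_frame(DIR_EXT_TO_INT, keystream_xor(key, json.dumps(key_info).encode()))
    # Isolation switch: the extranet side connects, writes, then releases.
    accepted = switch.connect("extranet") and switch.write("extranet", second)
    switch.release("extranet")
    if not accepted:
        return None
    # Intranet side: may connect only after the release, then reads, decrypts, converts.
    if not switch.connect("intranet"):
        return None
    frame = switch.read("intranet")
    switch.release("intranet")
    _, _, length = HEADER.unpack_from(frame)
    plain = keystream_xor(key, frame[HEADER.size:HEADER.size + length])
    return {"proto": "power-iot", **json.loads(plain)}
```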
14. The method of claim 9, further comprising:
obtaining the identity information of the extranet device requesting access from the decrypted second data message, and performing identity authentication according to that identity information; if the identity authentication succeeds, allowing the requesting extranet device to connect to the power Internet of Things for information exchange; if the identity authentication fails, refusing the requesting extranet device a connection to the power Internet of Things for information exchange; wherein the key information comprises the identity information of the extranet device.
15. The method of claim 14, wherein performing identity authentication according to the identity information of the extranet device requesting access comprises:
generating a device fingerprint and an operating environment fingerprint, respectively, from the identity information of the extranet device requesting access according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access white list so as to perform identity authentication; wherein the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP address, communication protocol, valid data and data format of the extranet device; and the operating environment parameter information comprises changes in the energy consumption, signal strength and traffic of the extranet device.
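The two-fingerprint white-list check of claims 15 and 7, as an added example that is not the patent's code: a static device fingerprint is derived from the device parameters, a behavioural fingerprint from the quantised changes in energy consumption, signal strength and traffic, and a device is admitted only when both match an enrolled entry. The hashing scheme, the tolerance bands, the white-list layout and the omission of the "valid data" field (its fingerprinting rule is not specified) are assumptions; the claims only list which parameters feed the fingerprints.

```python
# Added example of the two-fingerprint white-list check of claims 7 and 15.
# The fingerprint generation strategy (hashing, normalisation, tolerance bands)
# is a constructed assumption; the claims only list which parameters feed it.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class DeviceParams:
    """Device parameter information named in claim 7 ("valid data" omitted here,
    since the claims do not say how a per-message payload enters a stable fingerprint)."""
    mac: str
    ip: str
    protocol: str
    data_format: str


@dataclass(frozen=True)
class EnvParams:
    """Operating environment parameter information: observed changes since enrolment."""
    energy_delta: float   # relative change in energy consumption
    rssi_delta: float     # change in signal strength, dB
    traffic_delta: float  # relative change in traffic volume


def device_fingerprint(p: DeviceParams) -> str:
    """Static fingerprint: hash of the normalised device parameters."""
    fields = (p.mac.lower(), p.ip, p.protocol.lower(), p.data_format.lower())
    return hashlib.sha256("|".join(fields).encode()).hexdigest()


# Band widths (assumed): a change smaller than one band keeps the same fingerprint.
BANDS = (0.10, 5.0, 0.25)


def environment_fingerprint(e: EnvParams) -> str:
    """Behavioural fingerprint: quantise the magnitude of each change so normal
    drift maps to the enrolled value while a large jump changes the fingerprint."""
    values = (e.energy_delta, e.rssi_delta, e.traffic_delta)
    bands = tuple(int(abs(v) // w) for v, w in zip(values, BANDS))
    return hashlib.sha256(repr(bands).encode()).hexdigest()


# White list: device fingerprint -> environment fingerprint enrolled for it.
WhiteList = Dict[str, str]


def enroll(whitelist: WhiteList, p: DeviceParams, e: EnvParams) -> None:
    """Record a device and its baseline environment in the access white list."""
    whitelist[device_fingerprint(p)] = environment_fingerprint(e)


def authenticate(whitelist: WhiteList, p: DeviceParams, e: EnvParams) -> Tuple[bool, str]:
    """Identity authentication of claim 7: both fingerprints must match one entry.
    Returns (allowed, reason) so the decision can be written by the log recording unit."""
    dev_fp = device_fingerprint(p)
    env_fp = environment_fingerprint(e)
    for enrolled_dev, enrolled_env in whitelist.items():
        if hmac.compare_digest(enrolled_dev, dev_fp):
            if hmac.compare_digest(enrolled_env, env_fp):
                return True, "device and environment fingerprints match white list"
            return False, "device known but operating environment fingerprint differs"
    return False, "device fingerprint not in white list"
```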
16. The method of claim 9, further comprising:
performing access control on the extranet device according to a preset access control policy, and determining the access rights of the extranet device;
monitoring the processes in the intranet processing module, and handling abnormal events promptly when they occur so as to keep the services of the intranet processing module running normally;
recording operation logs and communication logs of all kinds;
and interfacing with the unified cryptographic infrastructure of the power system so as to distribute keys to the extranet device and to apply for and issue digital certificates.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010789502.2A CN112073375B (en) 2020-08-07 2020-08-07 Isolation device and isolation method suitable for client side of electric power Internet of things

Publications (2)

Publication Number Publication Date
CN112073375A true CN112073375A (en) 2020-12-11
CN112073375B CN112073375B (en) 2023-09-26

Family

ID=73662549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010789502.2A Active CN112073375B (en) 2020-08-07 2020-08-07 Isolation device and isolation method suitable for client side of electric power Internet of things

Country Status (1)

Country Link
CN (1) CN112073375B (en)

Also Published As

Publication number Publication date
CN112073375B (en) 2023-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant