CN112073375B - Isolation device and isolation method suitable for client side of electric power Internet of things - Google Patents

Isolation device and isolation method suitable for client side of electric power Internet of things

Info

Publication number: CN112073375B
Authority: CN (China)
Prior art keywords: external network, data, processing module, data message, equipment
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010789502.2A
Other languages: Chinese (zh)
Other versions: CN112073375A
Inventors: 梁晓兵, 翟峰, 岑炜, 付义伦, 曹永峰, 刘鹰, 李保丰, 王晖南, 徐萌, 许斌, 孔令达, 冯云, 冯占成
Current Assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Marketing Service Center of State Grid Shanxi Electric Power Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Marketing Service Center of State Grid Shanxi Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI and Marketing Service Center of State Grid Shanxi Electric Power Co Ltd.
Priority to CN202010789502.2A; published as CN112073375A; application granted and published as CN112073375B; current legal status Active.

Classifications (CPC)

    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G16Y10/35 Information and communication technology specially adapted for the Internet of Things; economic sectors; utilities, e.g. electricity, gas or water
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0876 Network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/1416 Network security for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L69/08 Protocols for interworking; protocol conversion
    • H04L69/22 Parsing or analysis of headers

Abstract

The invention relates to an isolation device and an isolation method suitable for the client side of an electric power Internet of Things. An external network processing module parses a first data message received from an external network device to obtain key information, and performs protocol format conversion on the key information according to a data ferry protocol to obtain a second data message. An isolation exchange module keeps the external network processing module and the internal network processing module in a physically isolated state and performs format verification on the second data message. After the second data message passes format verification, an intranet processing module decrypts it and performs protocol format conversion on the decrypted message according to the dedicated communication protocol of the electric power Internet of Things, obtaining a third data message that is sent to the intranet device. Security isolation between the open client-side access network and the core network of the electric power Internet of Things is thereby realized, and the core service system is effectively protected against illegal intrusion.

Description

Isolation device and isolation method suitable for client side of electric power Internet of things
Technical Field
The invention relates to the technical field of the Internet of things, in particular to an isolation device and an isolation method suitable for a client side of an electric power Internet of things.
Background
With the development of new technologies such as mobile interconnection and artificial intelligence, bidirectional interaction between power users and smart grids is becoming more frequent, and users' requirements for the service forms and service quality of the power grid are rising. To meet the application requirements of power consumers and enhance their perception of and participation in the smart grid, the electric power Internet of Things has emerged. It features comprehensive sensing of operating states, efficient information processing, and convenient, flexible application; it connects power users, equipment, enterprises, people and things, generates shared data, and serves users, power grids, electric power enterprises, suppliers and society, with the power grid as the hub that acts as a platform for sharing and provides more valuable services to the whole industry and to more market participants.
To promote interactivity between the electric power Internet of Things and its users, massive numbers of non-grid-asset devices whose security is not under the grid's control, such as charging piles and external integrated energy equipment, need to be connected at the client side of the electric power Internet of Things. These devices connect to various electrical equipment over convenient communication channels such as WIFI and carry out collection of electricity consumption data and information interaction. This inevitably shifts the electric power network from a closed service mode to an open one and connects the electric power Internet of Things directly to the public network, greatly increasing the risk of network attacks such as counterfeit terminal access, Trojan horses, viruses and malicious code, and of malicious actors intruding into the whole electric power network through the perception layer and attacking and damaging it. An isolation device is therefore needed that provides network isolation and secure data interaction between networks. However, traditional isolation devices or systems have a single function, large volume and power consumption, and relatively high computing-resource requirements; they are mostly suited only to boundary isolation of traditional networks and cannot meet the secure information interaction requirements of uncontrolled client-side devices at the perception layer or edge layer of the electric power Internet of Things, which call for low power consumption, low cost and multi-point distribution.
Therefore, research on micro-isolation technology for the Internet of Things is urgently needed, to develop a network isolation device that can be deployed at the perception layer or edge layer of the electric power Internet of Things and securely isolates the access network opened to electric power users from the core network of the electric power Internet of Things.
Disclosure of Invention
The invention provides an isolation device and an isolation method suitable for the client side of an electric power Internet of Things, which solve the problem of how to securely isolate an open Internet of Things client-side access network from the core network of the electric power Internet of Things.
To solve the above problem, according to one aspect of the invention there is provided an isolation device suitable for the client side of an electric power Internet of Things, the device comprising:
an external network processing module, configured to parse a first data message received from an external network device to obtain key information, perform protocol format conversion on the key information according to a data ferry protocol to obtain a second data message, and send the second data message to the isolation exchange module;
an isolation exchange module, configured to keep the external network processing module and the internal network processing module in a physically isolated state, perform format verification on the second data message, and send the second data message to the internal network processing module after it passes format verification;
and an intranet processing module, configured to decrypt the second data message, perform protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the electric power Internet of Things to obtain a third data message, and send the third data message to the intranet device.
Preferably, the device further comprises:
the intranet processing module, further configured to encrypt a fourth data message received from the intranet device, perform protocol format conversion on the encrypted fourth data message according to the data ferry protocol to obtain a fifth data message, and send the fifth data message to the isolation exchange module;
the isolation exchange module, further configured to keep the external network processing module and the internal network processing module in a physically isolated state, perform format verification on the fifth data message, and send the fifth data message to the external network processing module after it passes format verification;
and the external network processing module, further configured to perform protocol format conversion on the fifth data message according to the communication protocol of the external network device to obtain a sixth data message, and send the sixth data message to the external network device.
Preferably, the external network processing module further comprises:
a format verification unit, configured to verify whether the message format of the first data message meets the admission requirements of the electric power Internet of Things; if verification passes, the first data message is parsed; if verification fails, the data transmission request of the external network device is rejected;
a flow monitoring unit, configured to monitor whether the data flow of the external network device complies with the admission requirements of the electric power Internet of Things and whether an abnormal data flow exists; if an abnormal data flow exists, the data transmission request of the external network device is rejected; if no abnormal data flow exists, the data transmission request of the external network device is allowed.
Preferably, the isolation exchange module keeping the external network processing module and the internal network processing module in a physically isolated state comprises:
keeping the external network processing module and the internal network processing module simultaneously in a physically disconnected state; when one of the external network processing module and the internal network processing module is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after the data exchange of the first module is complete and the isolation control signal is released can the other module exchange data with the logic isolation unit.
Preferably, the isolation exchange module performs format verification in the following manner:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, the data message to be transmitted is forwarded; if the format check fails, the data message to be transmitted is rejected.
Preferably, the intranet processing module further comprises:
an identity authentication unit, configured to obtain the identity information of the external network device to be admitted from the decrypted second data message and to perform identity authentication according to that identity information; if identity authentication succeeds, the external network device to be admitted is allowed to access the electric power Internet of Things for information interaction; if identity authentication fails, the external network device to be admitted is denied access to the electric power Internet of Things for information interaction; wherein the key information includes the identity information of the external network device.
Preferably, the identity authentication unit performing identity authentication according to the identity information of the external network device to be admitted comprises:
generating a device fingerprint and an operating environment fingerprint from the identity information of the external network device to be admitted according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist to perform identity authentication; wherein the identity information includes device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information includes energy consumption changes, signal strength changes and traffic changes of the external network device.
Preferably, the intranet processing module further comprises:
an access control unit, configured to perform access control on the external network device according to a preset access control strategy and to determine the access rights of the external network device;
a service monitoring unit, configured to monitor the processes in the intranet processing module and, when an abnormal event occurs, to handle it promptly so that the intranet processing module keeps serving normally;
a log recording unit, configured to record the various operation logs and communication logs;
and a key and certificate import unit, configured to interface with the electric power unified cryptographic infrastructure to implement key distribution for the external network device and the application for and issuance of digital certificates.
According to another aspect of the invention, there is provided an isolation method applicable to the client side of an electric power Internet of Things, the method comprising:
parsing a first data message received from an external network device to obtain key information, and performing protocol format conversion on the key information according to a data ferry protocol to obtain a second data message;
keeping the external network processing module and the internal network processing module in a physically isolated state, and performing format verification on the second data message;
and after the second data message passes format verification, decrypting the second data message and performing protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the electric power Internet of Things to obtain a third data message, which is sent to the intranet device.
Preferably, the method further comprises:
encrypting a fourth data message received from the intranet device, and performing protocol format conversion on the encrypted fourth data message according to the data ferry protocol to obtain a fifth data message;
keeping the external network processing module and the internal network processing module in a physically isolated state, and performing format verification on the fifth data message;
and after the fifth data message passes format verification, performing protocol format conversion on the fifth data message according to the communication protocol of the external network device to obtain a sixth data message, which is sent to the external network device.
Preferably, the method further comprises:
before parsing the first data message received from the external network device, verifying whether the message format of the first data message meets the admission requirements of the electric power Internet of Things; if verification passes, the first data message is parsed; if verification fails, the data transmission request of the external network device is rejected;
monitoring whether the data flow of the external network device complies with the admission requirements of the electric power Internet of Things and whether an abnormal data flow exists; if an abnormal data flow exists, the data transmission request of the external network device is rejected; if no abnormal data flow exists, the data transmission request of the external network device is allowed.
Preferably, keeping the external network processing module and the internal network processing module in a physically isolated state comprises:
keeping the external network processing module and the internal network processing module simultaneously in a physically disconnected state; when one of the external network processing module and the internal network processing module is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after the data exchange of the first module is complete and the isolation control signal is released can the other module exchange data with the logic isolation unit.
Preferably, the method performs format verification in the following manner:
checking whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format check passes, the data message to be transmitted is forwarded; if the format check fails, the data message to be transmitted is rejected.
Preferably, the method further comprises:
obtaining the identity information of the external network device to be admitted from the decrypted second data message, and performing identity authentication according to that identity information; if identity authentication succeeds, the external network device to be admitted is allowed to access the electric power Internet of Things for information interaction; if identity authentication fails, the external network device to be admitted is denied access to the electric power Internet of Things for information interaction; wherein the key information includes the identity information of the external network device.
Preferably, performing identity authentication according to the identity information of the external network device to be admitted comprises:
generating a device fingerprint and an operating environment fingerprint from the identity information of the external network device to be admitted according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist to perform identity authentication; wherein the identity information includes device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information includes energy consumption changes, signal strength changes and traffic changes of the external network device.
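The whitelist-based identity authentication described in the device claim and again in the method claim above combines a device fingerprint (MAC, IP, protocol, valid data, data format) with an operating environment fingerprint (energy, signal strength and traffic changes). The following is an added example, not code from the patent or its assignees, of one way such a check can be built: the device fields are canonicalised and hashed with SHA-256, the environment readings are quantised into bands (the band widths, the field names, the use of SHA-256 and the sample charging pile are all assumptions of this example) so that normal drift maps to the same fingerprint while a cloned set of device parameters running from a different physical location or load profile does not.

```python
import hashlib
import hmac
import json

# Assumed band widths for quantising operating-environment changes; a reading
# within the same band as the enrolled baseline yields the same fingerprint.
ENV_BANDS = {
    "energy_delta_pct": 10.0,   # change in energy consumption, percent
    "rssi_delta_db": 5.0,       # change in signal strength, dB
    "traffic_delta_pct": 25.0,  # change in traffic volume, percent
}
# Device parameter fields named in the claim (field names are this example's).
DEVICE_FIELDS = ("mac", "ip", "protocol", "valid_data", "data_format")


def _digest(obj) -> str:
    """Stable SHA-256 over a canonical JSON encoding (assumed strategy)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def device_fingerprint(params: dict) -> str:
    """Fingerprint from device parameter information. The MAC is normalised
    and the list of valid command codes sorted so formatting differences
    do not produce a different fingerprint."""
    canon = {k: params[k] for k in DEVICE_FIELDS}
    canon["mac"] = params["mac"].lower().replace(":", "").replace("-", "")
    canon["valid_data"] = sorted(params["valid_data"])
    return _digest(canon)


def environment_fingerprint(env: dict) -> str:
    """Fingerprint from operating environment changes, quantised into bands."""
    bands = {k: int(round(env[k] / step)) for k, step in ENV_BANDS.items()}
    return _digest(bands)


def enroll(device: dict, baseline_env: dict) -> dict:
    """Produce one whitelist entry from a device and its baseline environment."""
    return {"device_fp": device_fingerprint(device),
            "env_fp": environment_fingerprint(baseline_env)}


def authenticate(device: dict, env: dict, whitelist: list) -> bool:
    """Admit the device only if both fingerprints match one whitelist entry.
    Constant-time comparison avoids leaking which fingerprint mismatched."""
    dev_fp = device_fingerprint(device)
    env_fp = environment_fingerprint(env)
    for entry in whitelist:
        if (hmac.compare_digest(entry["device_fp"], dev_fp)
                and hmac.compare_digest(entry["env_fp"], env_fp)):
            return True
    return False


# Constructed sample: one enrolled charging pile and its baseline readings.
PILE = {"mac": "02:00:00:00:00:01", "ip": "10.0.0.7", "protocol": "MQTT",
        "valid_data": ["READ_METER", "START", "STOP"], "data_format": "json"}
PILE_BASELINE = {"energy_delta_pct": 3.0, "rssi_delta_db": 0.0, "traffic_delta_pct": 5.0}
WHITELIST = [enroll(PILE, PILE_BASELINE)]

if __name__ == "__main__":
    runtime = {"energy_delta_pct": 4.0, "rssi_delta_db": 1.5, "traffic_delta_pct": 9.0}
    print("admitted:", authenticate(PILE, runtime, WHITELIST))
```

A device whose MAC, IP and protocol are copied from the whitelist but whose signal-strength and traffic changes fall in different bands from the enrolled baseline is refused, which is the property the environment fingerprint adds over a plain MAC allow-list.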
Preferably, the method further comprises:
performing access control on the external network device according to a preset access control strategy, and determining the access rights of the external network device;
monitoring the processes in the intranet processing module and, when an abnormal event occurs, handling it promptly so that the intranet processing module keeps serving normally;
recording the various operation logs and communication logs;
and interfacing with the electric power unified cryptographic infrastructure to implement key distribution for the external network device and the application for and issuance of digital certificates.
The invention provides an isolation device and an isolation method suitable for the client side of an electric power Internet of Things. An external network processing module parses a first data message received from an external network device to obtain key information, and performs protocol format conversion on the key information according to a data ferry protocol to obtain a second data message. An isolation exchange module keeps the external network processing module and the internal network processing module in a physically isolated state and performs format verification on the second data message. After the second data message passes format verification, an intranet processing module decrypts it and performs protocol format conversion on the decrypted message according to the dedicated communication protocol of the electric power Internet of Things, obtaining a third data message that is sent to the intranet device. Security isolation between the open client-side access network and the core network of the electric power Internet of Things is thereby realized, and the core service system is effectively protected against illegal intrusion.
Drawings
Exemplary embodiments of the invention may be more completely understood in consideration of the following drawings:
FIG. 1 is a schematic structural diagram of an isolation device 100 suitable for the client side of an electric power Internet of Things according to an embodiment of the invention;
FIG. 2 is a logic architecture diagram of a network isolation device according to an embodiment of the invention;
FIG. 3 is a flow chart of identity authentication according to an embodiment of the invention;
FIG. 4 is a read-write logic diagram of an isolation device according to an embodiment of the invention;
FIG. 5 is a schematic diagram of transparent-proxy-mode application layer data exchange according to an embodiment of the invention;
FIG. 6 is a flowchart of an isolation method 600 suitable for use on the client side of an electric power Internet of Things according to an embodiment of the invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Fig. 1 is a schematic structural diagram of an isolation device 100 suitable for a client side of an electric power internet of things according to an embodiment of the present invention. As shown in fig. 1, the isolation device suitable for the client side of the electric power internet of things provided by the invention realizes the safety isolation between the open client side access network and the core network of the electric power internet of things, and can effectively prevent the core service system from being illegally invaded. The isolation device 100 suitable for the client side of the electric power internet of things provided by the embodiment of the invention comprises: the device comprises an external network processing module 101, an isolated switching module 102 and an internal network processing module 103.
Preferably, the external network processing module 101 is configured to parse the first data packet sent by the received external network device to obtain key information, and perform protocol format conversion processing on the key information according to a data ferrying protocol, so as to obtain a second data packet and send the second data packet to the isolation switching module.
Preferably, the external network processing module 101 further includes:
the format verification unit is used for verifying whether the message format of the first data message meets the admission requirement of the electric power Internet of things; if the verification is passed, analyzing the first data message; if the verification is not passed, rejecting the data transmission request of the external network equipment;
the flow monitoring unit is used for monitoring whether the data flow of the external network equipment accords with the admission requirement of the electric power Internet of things or not and whether an abnormal data flow exists or not; if abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if no abnormal data stream exists, allowing the data transmission request of the external network equipment.
Fig. 2 is a logic architecture diagram of a micro network isolation device according to an embodiment of the present invention. As shown in fig. 2, in the embodiment of the present invention, the external network processing module includes: an external network communication sub-module and an external network service processing sub-module.
Wherein, the external network communication submodule includes: HPLC interface unit, WIFI interface unit and external ethernet interface unit; the external network equipment can realize network access through WIFI, HPLC, ethernet and other modes.
The external network service processing sub-module mainly comprises an external network data transceiving unit, a format verification unit, a flow monitoring unit, an external network protocol conversion unit and an external network upgrade management unit. The external network data transceiving unit receives the first data message sent by the external network device. The format verification unit checks whether the message format of the first data message meets the admission requirements of the electric power Internet of Things; if the check passes, the first data message is parsed; if the check fails, the data transmission request of the external network device is rejected. The flow monitoring unit monitors whether the data flow of the external network device conforms to the admission requirements of the electric power Internet of Things and whether an abnormal data flow exists; if an abnormal data flow exists, the data transmission request of the external network device is rejected; if no abnormal data flow exists, the data transmission request of the external network device is allowed. The external network protocol conversion unit parses the first data message to obtain key information, strips the transport layer protocol from the key information, encapsulates the key information according to the data ferrying protocol to obtain a second data message, and sends the second data message to the isolation exchange module. The key information includes information such as the device MAC, the IP address and the valid instruction data sent by the device.
The format of the data message before protocol conversion conforms to the communication protocol of the external network device, and the data after protocol conversion conforms to the data ferrying protocol. The external network upgrade management unit is mainly responsible for upgrading and maintaining the software of the external network processing module.
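The external network processing path just described (format check against admission rules, parsing of the key information, removal of the transport layer header and encapsulation under the data ferrying protocol) is modelled below in an added Python example. This is not code from the patent: the byte layout of the first data message, the concrete admission rules (IPv4 only, one admitted destination port, a payload cap) and the ferry-protocol layout (magic `FERY`, version byte, MAC, IP, length, payload, CRC-32) are assumptions made for the example; the patent itself only names the key fields (device MAC, IP address, valid instruction data).

```python
"""Added example (not the patent's own code): a simplified model of the
external-network service processing sub-module.  Message layouts and the
admission rules below are assumptions for this example."""
import struct
import zlib

# Assumed layout of the "first data message" as it arrives from an external
# network device: dst MAC(6) src MAC(6) ethertype(2) | src IP(4) dst IP(4) |
# UDP header(8: sport, dport, length, checksum) | instruction payload.
ETH_HDR = struct.Struct("!6s6sH")
IP_HDR = struct.Struct("!4s4s")
UDP_HDR = struct.Struct("!HHHH")
FIRST_MIN_LEN = ETH_HDR.size + IP_HDR.size + UDP_HDR.size   # 30 bytes

# Assumed admission requirements of the client-side access network.
ALLOWED_ETHERTYPE = 0x0800   # IPv4 frames only
ALLOWED_DST_PORT = 5000      # the isolation device's service port (assumed)
MAX_PAYLOAD = 256            # cap on instruction payload size (assumed)

# Assumed data ferrying protocol: magic(4) ver(1) MAC(6) IP(4) len(2) payload crc32(4)
FERRY_MAGIC = b"FERY"
FERRY_VER = 1
FERRY_HDR = struct.Struct("!4sB6s4sH")


class AdmissionError(ValueError):
    """Raised when the first data message fails the format check."""


def check_format(first: bytes) -> None:
    """Format verification unit: reject anything not meeting the admission rules."""
    if len(first) < FIRST_MIN_LEN:
        raise AdmissionError("message shorter than minimum frame")
    _, _, ethertype = ETH_HDR.unpack_from(first, 0)
    if ethertype != ALLOWED_ETHERTYPE:
        raise AdmissionError(f"ethertype 0x{ethertype:04x} not admitted")
    off = ETH_HDR.size + IP_HDR.size
    _, dport, udp_len, _ = UDP_HDR.unpack_from(first, off)
    if dport != ALLOWED_DST_PORT:
        raise AdmissionError(f"destination port {dport} not admitted")
    if udp_len != len(first) - off:
        raise AdmissionError("UDP length field inconsistent with frame size")
    if udp_len - UDP_HDR.size > MAX_PAYLOAD:
        raise AdmissionError("payload exceeds admitted size")


def parse_key_info(first: bytes) -> dict:
    """Extract the key information (device MAC, IP, valid instruction data).
    Dropping the UDP header here is the transport-layer removal step."""
    _, src_mac, _ = ETH_HDR.unpack_from(first, 0)
    src_ip, _ = IP_HDR.unpack_from(first, ETH_HDR.size)
    return {"mac": src_mac, "ip": src_ip, "data": first[FIRST_MIN_LEN:]}


def encapsulate_ferry(key: dict) -> bytes:
    """Wrap the key information in the assumed ferry protocol (second data message)."""
    body = FERRY_HDR.pack(FERRY_MAGIC, FERRY_VER, key["mac"], key["ip"],
                          len(key["data"])) + key["data"]
    return body + struct.pack("!I", zlib.crc32(body))


def convert(first: bytes) -> bytes:
    """Full external-network path: check -> parse -> strip transport -> ferry."""
    check_format(first)
    return encapsulate_ferry(parse_key_info(first))


def build_first_message(src_mac: bytes, src_ip: bytes, dport: int, payload: bytes,
                        ethertype: int = ALLOWED_ETHERTYPE) -> bytes:
    """Construct a sample first data message for this example (constructed data)."""
    udp = UDP_HDR.pack(40000, dport, UDP_HDR.size + len(payload), 0)
    return (ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", src_mac, ethertype)
            + IP_HDR.pack(src_ip, bytes([10, 0, 0, 1])) + udp + payload)


if __name__ == "__main__":
    dev_mac, dev_ip = b"\x02\xaa\xbb\xcc\xdd\x01", bytes([192, 168, 1, 20])
    print(convert(build_first_message(dev_mac, dev_ip, 5000, b"READ METER 42")).hex())
    try:
        convert(build_first_message(dev_mac, dev_ip, 23, b"x"))
    except AdmissionError as err:
        print("rejected:", err)
```

The point of the model is that nothing from the transport layer survives into the second data message: only the three key fields and a length-delimited payload are handed to the isolation exchange module, so a malformed or non-admitted frame is refused before any of it crosses the ferry.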
Preferably, the isolation switch module 102 is configured to control the external network processing module and the internal network processing module to be in a physical isolation state, perform format verification on the second data packet, and send the second data packet to the internal network processing module after the second data packet passes the format verification.
Preferably, the isolation switch module 102 controls the external network processing module and the internal network processing module to be in a physically isolated state, including:
controlling the external network processing module and the internal network processing module so that both are in a physically cut-off state at the same moment; if one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after that module's data exchange is complete and the isolation control signal is released can the other module exchange data with the logic isolation unit.
Preferably, the isolation exchange module performs format verification as follows:
checking whether the format of the data message to be transmitted accords with a data ferrying protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check is not passed, rejecting the data message to be transmitted.
As shown in fig. 2, in an embodiment of the present invention, an isolation switch module includes: an isolated exchange main controller MCU and a network isolation sub-module; the network isolation sub-module includes: a logic isolation unit and a data exchange unit.
The data transmission method comprises: the logic isolation unit controls the external network processing module and the internal network processing module so that they are in a physical isolation state, the data exchange unit performs the format check on the second data message, and after the second data message passes the format check it is sent to the internal network processing module to complete the data transmission. The logic isolation unit in the isolation exchange module keeps the external network processing module and the internal network processing module in a physically cut-off state at the same moment; if one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after that module's data exchange is complete and the isolation control signal is released can the other module exchange data with the logic isolation unit. When checking whether the format of the second data message conforms to the data ferrying protocol, the data message to be transmitted is forwarded if the format check passes and rejected if the format check fails.
The isolated exchange main controller MCU comprises at least 3 CPUs, wherein two CPUs are respectively used for processing intranet business and extranet business, and the other CPU is used for managing system configuration and security policy setting.
Preferably, the intranet processing module 103 is configured to decrypt the second data packet, and perform protocol format conversion processing on the decrypted second data packet according to a special communication protocol of the electric power internet of things, so as to obtain a third data packet and send the third data packet to the intranet device.
Preferably, the intranet processing module further includes:
the identity identification unit, which obtains the identity information of the external network device to be accessed from the decrypted second data message and performs identity authentication based on that identity information; if the identity authentication succeeds, the external network device to be accessed is allowed to access the electric power Internet of Things for information interaction; if the identity authentication fails, the external network device to be accessed is refused access to the electric power Internet of Things for information interaction; wherein the key information includes the identity information of the external network device.
Preferably, the identity identifying unit performs identity identification according to identity information of the external network device to be accessed, including:
generating a device fingerprint and an operating environment fingerprint from the identity information of the external network device to be accessed according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist to perform identity authentication; wherein the identity information includes device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information includes the energy consumption changes, signal strength changes and traffic changes of the external network device.
Preferably, the intranet processing module further includes:
the access control unit, which performs access control on the external network device according to a preset access control strategy and determines the access rights of the external network device;
the service monitoring unit, which monitors the processes in the intranet processing module and, when an abnormal event occurs, handles it promptly so that the intranet processing module keeps serving normally;
the log recording unit, which records the various operation logs and communication logs;
the key and certificate import unit, which interfaces with the electric power unified cryptographic infrastructure to distribute keys to external network devices and to apply for and issue digital certificates.
As shown in fig. 2, in an embodiment of the present invention, the intranet processing module includes an intranet communication sub-module, a cryptographic operation sub-module and an intranet service processing sub-module. The intranet communication sub-module includes a power private network interface unit and an intranet Ethernet interface unit. The cryptographic operation sub-module includes a key management unit and an algorithm operation unit. The intranet service processing sub-module includes an intranet data transceiving unit, an intranet protocol conversion unit, an identity recognition unit, a service monitoring unit, an access control unit, a key and certificate import unit, a log recording unit and an intranet upgrade management unit.
In an embodiment of the invention, the key management unit is responsible for the security management of the whole life cycle of keys. The algorithm operation unit performs cryptographic algorithm operations such as SM1, SM2, SM3, SM4, SM7 and SM9 on the second data message, decrypting it to obtain a decrypted second data message. After receiving the second data message sent by the isolation exchange module through the intranet data transceiving unit, the intranet processing module decrypts it with the algorithm operation unit, performs protocol format conversion on the decrypted second data message with the intranet protocol conversion unit according to the special communication protocol of the electric power Internet of Things to obtain a third data message, and sends the converted and encapsulated third data message to the intranet device through the intranet data transceiving unit. The format of the data message before protocol conversion conforms to the data ferrying protocol; the data after protocol conversion conforms to the special communication protocol of the electric power Internet of Things. In addition, the intranet processing module uses the identity recognition unit to perform identity authentication based on the identity information of the external network device to be accessed; if the identity authentication succeeds, the external network device to be accessed is allowed access; if it fails, the external network device to be accessed is refused access. Specifically, as shown in fig. 3, the identity authentication process includes:
(1) The sensing device or the user's electrical equipment sends its device parameter information, namely MAC, IP, communication protocol P_r, valid data D_v and data format D_f, to the intranet processing module. The intranet processing module analyzes the legality and validity of this information, forms a device fingerprint D_fp if it meets the admission requirements of the Internet of Things environment, and feeds the verification result back to the sensing device or user's electrical equipment.
(2) The sensing device or the user's electrical equipment sends environment parameter information such as the energy consumption change Ec, signal strength change Sc and traffic change Fc to the intranet processing module. The isolation device generates an "operating environment fingerprint" E_fp and feeds the receipt result back to the sensing device or user's electrical equipment.
(3) The intranet processing module transmits the acquired fingerprint information to the background centralized management platform and establishes a sensing device admission whitelist W_l.
(4) When a device to be accessed connects to the isolation device via WIFI, HPLC or Ethernet, the intranet processing module generates a device fingerprint and an operating environment fingerprint from the identity information of the external network device to be accessed according to the preset fingerprint generation strategy, and compares them with the device fingerprints and environment fingerprints in the preset device access whitelist to identify the device; wherein the identity information includes device parameter information and operating environment parameter information.
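Steps (1) to (4) above are modelled in the following added Python example, which is not code from the patent. The concrete fingerprint construction (a digest over the device parameters for D_fp and over bucketed Ec, Sc, Fc readings for E_fp), the set of admitted protocols and data formats, the bucket widths and the whitelist layout are all assumptions made for the example; SHA-256 stands in for the SM3 hash that the device's cryptographic operation sub-module would use.

```python
"""Added example (not the patent's own code): device fingerprint D_fp,
operating environment fingerprint E_fp and whitelist W_l admission check.
Fingerprint construction and admission rules are assumptions for this example;
SHA-256 is used in place of SM3, which the standard library lacks."""
import hashlib
import json
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
ADMITTED_PROTOCOLS = {"DL/T645", "MQTT", "CoAP"}     # assumed admitted values of P_r
ADMITTED_FORMATS = {"ascii", "bin", "json"}          # assumed admitted values of D_f

# Assumed bucket widths: an environment reading is quantised so that normal
# drift in energy consumption (Ec), signal strength (Sc) and traffic (Fc)
# yields the same E_fp while a large deviation yields a different one.
ENV_STEPS = {"Ec": 5.0, "Sc": 10.0, "Fc": 100.0}


def _digest(obj) -> str:
    """Stable hex digest of a JSON-serialisable structure (SHA-256 in place of SM3)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def check_device_params(p: dict) -> bool:
    """Step (1): legality and validity analysis of the device parameter information."""
    return (isinstance(p.get("mac"), str) and MAC_RE.match(p["mac"].lower()) is not None
            and isinstance(p.get("ip"), str) and p["ip"].count(".") == 3
            and p.get("P_r") in ADMITTED_PROTOCOLS
            and isinstance(p.get("D_v"), str) and len(p["D_v"]) > 0
            and p.get("D_f") in ADMITTED_FORMATS)


def device_fingerprint(p: dict) -> str:
    """D_fp: digest over MAC, IP, P_r, D_v and D_f."""
    return _digest({k: p[k] for k in ("mac", "ip", "P_r", "D_v", "D_f")})


def env_fingerprint(env: dict) -> str:
    """E_fp: digest over the bucketed Ec, Sc and Fc readings."""
    return _digest({k: round(env[k] / ENV_STEPS[k]) for k in ("Ec", "Sc", "Fc")})


def enroll(whitelist: dict, p: dict, env: dict) -> bool:
    """Steps (1)-(3): form D_fp and E_fp and record them in W_l.
    W_l is modelled as {D_fp: set of admitted E_fp values}."""
    if not check_device_params(p):
        return False
    whitelist.setdefault(device_fingerprint(p), set()).add(env_fingerprint(env))
    return True


def admit(whitelist: dict, p: dict, env: dict) -> bool:
    """Step (4): regenerate both fingerprints and compare them with W_l."""
    if not check_device_params(p):
        return False
    return env_fingerprint(env) in whitelist.get(device_fingerprint(p), set())


if __name__ == "__main__":
    # Constructed sample: one meter enrolled, then re-presented with slight drift,
    # with a large energy-consumption change, and with a spoofed MAC.
    meter = {"mac": "02:aa:bb:cc:dd:01", "ip": "192.168.1.20", "P_r": "DL/T645",
             "D_v": "READ", "D_f": "ascii"}
    W_l = {}
    print("enrolled:", enroll(W_l, meter, {"Ec": 10.0, "Sc": -60.0, "Fc": 1500.0}))
    print("drift  :", admit(W_l, meter, {"Ec": 11.0, "Sc": -62.0, "Fc": 1530.0}))
    print("anomaly:", admit(W_l, meter, {"Ec": 40.0, "Sc": -62.0, "Fc": 1530.0}))
    print("spoofed:", admit(W_l, dict(meter, mac="02:aa:bb:cc:dd:99"),
                            {"Ec": 10.0, "Sc": -60.0, "Fc": 1500.0}))
```

The two fingerprints fail independently: a device whose parameters match but whose energy, signal or traffic profile has moved out of its enrolled band is refused just as a device presenting unknown parameters is, which is what binding the environment fingerprint to the whitelist entry buys over a MAC/IP allow-list alone.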
The isolation device of the embodiment of the invention protects service data and instructions mainly through bidirectional identity authentication, encrypted data encapsulation and data integrity verification. The bidirectional identity authentication process comprises: using national commercial cryptographic (SM) algorithms such as SM1, SM2 and SM3, and performing bidirectional identity authentication with the master station service application system based on mechanisms such as challenge-response and digital certificate signature verification. The encrypted data encapsulation process comprises: encapsulating and encrypting the service data and control instructions based on the special secure communication protocol of the electric power Internet of Things. The data integrity verification process comprises: ensuring the integrity of service data and control instructions through message authentication codes, digital signatures and data timeliness verification.
In an embodiment of the present invention, the access control unit performs access control on the external network device according to a preset access control policy and determines the access rights of the external network device. The intranet upgrade management unit upgrades and maintains the software of the intranet processing module. The key and certificate import unit interfaces with the electric power unified cryptographic infrastructure to distribute keys to external network devices and to apply for and issue digital certificates. The log recording unit records the various operation logs, communication logs and other information for later analysis and tracing.
Preferably, wherein the apparatus further comprises:
the intranet processing module is further used for encrypting the received fourth data message sent by the intranet device, performing protocol format conversion on the encrypted fourth data according to the data ferrying protocol to obtain a fifth data message, and sending the fifth data message to the isolation exchange module;
the isolation exchange module is used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the fifth data message, and sending the fifth data message to the external network processing module after the fifth data message passes the format verification;
and the external network processing module is used for carrying out protocol format conversion processing on the fifth data message according to the communication protocol of the external network equipment so as to acquire a sixth data message and sending the sixth data message to the external network equipment.
In the embodiment of the invention, when data is transmitted from an intranet to an external network, the intranet processing module is further used for encrypting the received fourth data message sent by the intranet equipment by using the algorithm operation unit, performing protocol format conversion processing on the encrypted fourth data by using the intranet protocol conversion unit according to the data ferrying protocol of the isolation exchange module so as to obtain a fifth data message, and sending the fifth data message to the isolation exchange module by using the intranet data receiving and sending unit. The data message before protocol conversion processing accords with a special communication protocol of the electric power internet of things, and the data message after protocol conversion processing accords with a data ferrying protocol of the isolation exchange module. And the isolation exchange module is also used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the fifth data message, and sending the fifth data message to the external network processing module after the fifth data message passes the format verification. And the external network processing module is also used for carrying out protocol format conversion processing on the fifth data message by using an external network protocol conversion unit according to the communication protocol of the external network equipment so as to acquire a sixth data message and sending the sixth data message to the external network equipment by using an external network data receiving and sending unit. Wherein, the data message before protocol conversion accords with the data ferrying protocol; the data message after protocol conversion accords with the communication protocol of the external network equipment.
Fig. 4 is a read-write logic diagram of an isolation device according to an embodiment of the present invention. As shown in FIG. 4, the isolation device in the embodiment of the invention mainly adopts independent internal and external network read-write channels and an information ferrying mechanism to achieve secure isolation of, and secure information exchange between, the internal and external networks. The object exchanged between the internal and external network processing modules is not an IP data message but an application layer data message encapsulated by a special internal protocol; no original IP data message can pass through the channel. The isolation device completely disconnects the two networks or hosts at the physical layer of the network, and "ferries" secure network data while the external network interface and the internal network interface are physically disconnected at the same moment. If the network at one end is exchanging data through the isolation device, the isolation device is disconnected from the network at the other end. Only after that end finishes its data exchange and releases the isolation control signal can the other end exchange information with the isolation device. Data from both ends can be stored in the buffer area of the isolation device: the state is checked before the buffer area is written, the data is written into the buffer area when the state allows, and otherwise the writer waits. Likewise, the state is checked before the buffer area is read, the data in the buffer area is read when the state allows, and otherwise the reader waits.
The specific data read and write process is as follows: if the intranet processing module or the extranet processing module is to send data from its network to the network at the other end, the data is written into the sending FIFO module, the receiving FIFO module is closed at that moment, and only the write channel is in a connected state; if data is to be read from the other processing unit, the data is written to the receiving FIFO module, the sending FIFO module is turned off, and only the read channel is in a connected state.
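The read-write and ferry logic of the two paragraphs above (one side connected at a time, a buffer state check before every write and read, and only ferry-protocol messages admitted to the channel) is modelled in the following added Python example. It is a software model and not the patent's own implementation: the ferry message layout (magic `FERY`, version byte, MAC, IP, length, payload, CRC-32), the FIFO depth and the handshake API (`connect`, `write`, `read`, `release`) are assumptions made for the example.

```python
"""Added example (not the patent's own code): a software model of the isolation
exchange module's ferry logic.  At any moment only one of the two processing
modules holds the channel, buffer state is checked before each write/read, and
only well-formed ferry-protocol messages are accepted.  Message layout, FIFO
depth and the API names are assumptions for this example."""
from collections import deque
import struct
import zlib

FERRY_MAGIC = b"FERY"
FERRY_HDR = struct.Struct("!4sB6s4sH")          # magic, ver, MAC, IP, payload length
FERRY_MIN_LEN = FERRY_HDR.size + 4              # header plus trailing CRC-32
FIFO_DEPTH = 4                                  # assumed buffer depth per direction


def ferry_format_ok(msg: bytes) -> bool:
    """Data exchange unit: accept only messages that conform to the ferry protocol.
    A raw IP datagram (or anything else) has no chance of passing this gate."""
    if len(msg) < FERRY_MIN_LEN or msg[:4] != FERRY_MAGIC or msg[4] != 1:
        return False
    (declared,) = struct.unpack_from("!H", msg, FERRY_HDR.size - 2)
    if len(msg) != FERRY_MIN_LEN + declared:
        return False
    return struct.unpack("!I", msg[-4:])[0] == zlib.crc32(msg[:-4])


class IsolationSwitch:
    """One FIFO per direction; a side must hold the channel to touch either FIFO."""

    def __init__(self):
        self.fifo = {"ext->int": deque(), "int->ext": deque()}
        self.connected = None   # None, "ext" or "int": never both at once

    def connect(self, side: str) -> bool:
        """Logic isolation unit: refuse while the other side holds the channel."""
        if self.connected not in (None, side):
            return False
        self.connected = side
        return True

    def release(self, side: str) -> None:
        """Isolation control signal released: channel becomes free again."""
        if self.connected == side:
            self.connected = None

    def write(self, side: str, msg: bytes) -> bool:
        """Check channel, format and buffer state before writing to the send FIFO."""
        if self.connected != side or not ferry_format_ok(msg):
            return False
        q = self.fifo["ext->int" if side == "ext" else "int->ext"]
        if len(q) >= FIFO_DEPTH:
            return False          # buffer state not 'allowed': the writer waits
        q.append(msg)
        return True

    def read(self, side: str):
        """Check channel and buffer state before reading from the receive FIFO."""
        if self.connected != side:
            return None
        q = self.fifo["int->ext" if side == "ext" else "ext->int"]
        return q.popleft() if q else None   # None: nothing to read, the reader waits


def make_ferry(mac: bytes, ip: bytes, data: bytes) -> bytes:
    """Construct a ferry-protocol message for this example (constructed data)."""
    body = FERRY_HDR.pack(FERRY_MAGIC, 1, mac, ip, len(data)) + data
    return body + struct.pack("!I", zlib.crc32(body))


def ferry_round_trip(sw: IsolationSwitch, second: bytes):
    """External side connects, writes and releases; internal side then connects
    and reads.  Returns (write_accepted, int_refused_while_ext_held, message_read)."""
    sw.connect("ext")
    refused = not sw.connect("int")     # int cannot connect while ext holds the channel
    wrote = sw.write("ext", second)
    sw.release("ext")
    sw.connect("int")
    got = sw.read("int")
    sw.release("int")
    return wrote, refused, got


if __name__ == "__main__":
    sw = IsolationSwitch()
    msg = make_ferry(b"\x02\xaa\xbb\xcc\xdd\x01", bytes([192, 168, 1, 20]), b"READ METER 42")
    print(ferry_round_trip(sw, msg))
    sw.connect("ext")
    print("raw IP datagram accepted:", sw.write("ext", b"\x45\x00\x00\x1c" + b"\x00" * 24))
```

The model mirrors the text's two invariants: `connect` never lets both sides hold the channel, and `write`/`read` refuse (the caller "waits") whenever the side is not connected or the buffer state does not allow the operation. The reverse direction (fifth data message from intranet to extranet) uses the same code with the roles of `ext` and `int` swapped.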
Fig. 5 is a schematic diagram of application layer data exchange based on a transparent proxy mode according to an embodiment of the present invention. As shown in fig. 5, in the embodiment of the present invention, the isolation device mainly adopts a transparent proxy mode to implement application layer data exchange. The transparent proxy comprises a proxy engine and a proxy stub, located on different network processing units. The proxy stub is mainly used for checking network connection requests. The proxy engine is mainly used for calling the transmission interface and exchanging the information returned by the external network to the network processing unit through the high-speed exchange channel. The proxy engine and the proxy stub carry out their dialogue and data communication over the high-speed exchange channel using the proprietary protocol.
In terms of data confidentiality and integrity protection, the isolation device of the embodiment of the invention protects service data and instructions mainly through bidirectional identity authentication, encrypted data encapsulation and data integrity verification. The bidirectional identity authentication process comprises: using national commercial cryptographic (SM) algorithms such as SM1, SM2 and SM3, and performing bidirectional identity authentication with the master station service application system based on mechanisms such as challenge-response and digital certificate signature verification. The encrypted data encapsulation process comprises: encapsulating and encrypting the service data and control instructions based on the special secure communication protocol of the electric power Internet of Things. The data integrity verification process comprises: ensuring the integrity of service data and control instructions through message authentication codes, digital signatures and data timeliness verification.
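The challenge-response step and the integrity and timeliness checks named in this passage (and in the identical passage following the fig. 3 description) are shown in the added Python example below. It is not the patent's code: HMAC-SHA256 under a pre-shared key stands in for the SM-series message authentication code and the SM2 signature the patent names, because Python's standard library has no SM algorithms; the message layout (sequence number, timestamp, payload, tag), the 30-second freshness window and the per-peer sequence counter are assumptions made for the example.

```python
"""Added example (not the patent's own code): challenge-response authentication,
message authentication and data timeliness verification in minimal form.
HMAC-SHA256 replaces the SM MAC/SM2 signature of the patent; layout, freshness
window and sequence-counter rule are assumptions for this example."""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!IQ")      # 32-bit sequence number, 64-bit Unix timestamp
TAG_LEN = 32                    # SHA-256 output size
FRESH_WINDOW_S = 30             # assumed tolerance for clock skew plus transit delay


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key: bytes, seq: int, ts: int, payload: bytes) -> bytes:
    """Sender side: bind sequence number and timestamp to the payload with a MAC."""
    body = HDR.pack(seq, ts) + payload
    return body + _tag(key, body)


def challenge() -> bytes:
    """Fresh random nonce for one round of challenge-response authentication."""
    return os.urandom(16)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Prove possession of the shared key over the peer's nonce.
    Run once in each direction for bidirectional authentication."""
    return _tag(key, b"auth|" + nonce)


def check_response(key: bytes, nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(_tag(key, b"auth|" + nonce), response)


class Verifier:
    """Receiver side: MAC check first, then timeliness, then anti-replay."""

    def __init__(self, key: bytes, now):
        self.key = key
        self.now = now          # callable returning the current Unix time
        self.last_seq = 0       # highest sequence number accepted from this peer

    def verify(self, msg: bytes):
        """Return (payload, 'ok') on success or (None, reason) on rejection."""
        if len(msg) < HDR.size + TAG_LEN:
            return None, "short"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return None, "bad mac"          # integrity / origin check failed
        seq, ts = HDR.unpack_from(body, 0)
        if abs(self.now() - ts) > FRESH_WINDOW_S:
            return None, "stale"            # data timeliness verification failed
        if seq <= self.last_seq:
            return None, "replay"           # old or duplicated message
        self.last_seq = seq
        return body[HDR.size:], "ok"


if __name__ == "__main__":
    key = bytes(32)   # constructed demo key; real keys come from the key management unit
    # Bidirectional challenge-response: each party checks the other's answer.
    n_dev, n_station = challenge(), challenge()
    print("station authentic:", check_response(key, n_dev, respond(key, n_dev)))
    print("device authentic :", check_response(key, n_station, respond(key, n_station)))
    v = Verifier(key, now=lambda: 1000)
    m = protect(key, 1, 1000, b"CLOSE BREAKER 7")
    print(v.verify(m))                                  # (b'CLOSE BREAKER 7', 'ok')
    print(v.verify(m))                                  # (None, 'replay')
    print(v.verify(protect(key, 2, 900, b"x")))         # (None, 'stale')
```

The check order matters: the MAC is verified before the header is trusted, so an attacker cannot use the timestamp or sequence fields to steer the verifier's behaviour, and the replay state is only advanced by messages that have already passed both the integrity and the freshness checks.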
The isolation device of the embodiment of the invention realizes the safe isolation between the open client access network and the core network of the electric power internet of things, and can effectively prevent the core service system from being illegally invaded.
Fig. 6 is a flowchart of an isolation method 600 suitable for use on a client side of an electric power internet of things according to an embodiment of the invention. As shown in fig. 6, in the isolation method 600 suitable for the client side of the electric power internet of things according to the embodiment of the present invention, starting from step 601, the received first data packet sent by the external network device is parsed in step 601 to obtain key information, and protocol format conversion processing is performed on the key information according to a data ferrying protocol to obtain a second data packet.
Preferably, wherein the method further comprises:
before parsing the received first data message sent by the external network device, checking whether the message format of the first data message meets the admission requirements of the electric power Internet of Things; if the check passes, parsing the first data message; if the check fails, rejecting the data transmission request of the external network device;
monitoring whether the data flow of the external network equipment accords with the admission requirement of the electric power Internet of things or not, and whether an abnormal data flow exists or not; if abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if no abnormal data stream exists, allowing the data transmission request of the external network equipment.
In step 602, the external network processing module and the internal network processing module are controlled to be in a physical isolation state, and format verification is performed on the second data message.
In step 603, after the second data packet passes the format verification, the second data packet is decrypted, and the decrypted second data packet is subjected to protocol format conversion according to the special communication protocol of the electric power internet of things, so as to obtain a third data packet and sent to the intranet device.
Preferably, wherein the method further comprises:
acquiring the identity information of the external network device to be accessed from the decrypted second data message, and performing identity authentication based on that identity information; if the identity authentication succeeds, allowing the external network device to be accessed to access the electric power Internet of Things for information interaction; if the identity authentication fails, refusing the external network device to be accessed access to the electric power Internet of Things for information interaction; wherein the key information includes the identity information of the external network device.
Preferably, the performing identity authentication according to identity information of the external network device to be accessed includes:
generating a device fingerprint and an operating environment fingerprint from the identity information of the external network device to be accessed according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist to perform identity authentication; wherein the identity information includes device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information includes the energy consumption changes, signal strength changes and traffic changes of the external network device.
Preferably, wherein the method further comprises:
encrypting the received fourth data message sent by the intranet device, and performing protocol format conversion on the encrypted fourth data according to the data ferrying protocol to obtain a fifth data message;
controlling the external network processing module and the internal network processing module to be in a physical isolation state, and performing format verification on the fifth data message;
and after the fifth data message passes the format verification, carrying out protocol format conversion processing on the fifth data message according to a communication protocol of the external network equipment so as to acquire a sixth data message and sending the sixth data message to the external network equipment.
Preferably, the controlling the external network processing module and the internal network processing module in a physically isolated state includes:
controlling the external network processing module and the internal network processing module so that both are in a physically cut-off state at the same moment; if one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit is disconnected from the other module, and only after that module's data exchange is complete and the isolation control signal is released can the other module exchange data with the logic isolation unit.
Preferably, the method performs format verification as follows:
checking whether the format of the data message to be transmitted accords with a data ferrying protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check is not passed, rejecting the data message to be transmitted.
Preferably, wherein the method further comprises:
performing access control on the external network device according to a preset access control strategy, and determining the access rights of the external network device;
monitoring the processes in the intranet processing module and, when an abnormal event occurs, handling it promptly so that the intranet processing module keeps serving normally;
recording the various operation logs and communication logs;
and interfacing with the electric power unified cryptographic infrastructure to distribute keys to external network devices and to apply for and issue digital certificates.
The isolation method 600 applicable to the client side of the electric power internet of things according to the embodiment of the present invention corresponds to the isolation device 100 applicable to the client side of the electric power internet of things according to another embodiment of the present invention, and is not described herein.
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed are equally possible within the scope of the invention.
Generally, all terms used are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a/an/the [ means, component, etc. ]" are to be interpreted openly as referring to at least one instance of said means, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, and any modifications and equivalents are intended to be included within the scope of the invention.

Claims (8)

1. An isolation device suitable for a client side of an electric power internet of things, the device comprising:
the external network processing module is used for parsing the received first data message sent by the external network device to obtain key information, performing protocol format conversion on the key information according to a data ferrying protocol to obtain a second data message, and sending the second data message to the isolation exchange module;
the isolation exchange module is used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the second data message, and sending the second data message to the internal network processing module after the second data message passes the format verification;
the intranet processing module is used for decrypting the second data message, converting the protocol format of the decrypted second data message according to a special communication protocol of the electric power Internet of things, and acquiring a third data message and sending the third data message to intranet equipment;
wherein the apparatus further comprises:
the intranet processing module is used for encrypting a received fourth data message sent by the intranet equipment, carrying out protocol format conversion processing on the encrypted fourth data message according to the data ferrying protocol to obtain a fifth data message, and sending the fifth data message to the isolation exchange module;
the isolation exchange module is used for controlling the external network processing module and the internal network processing module to be in a physical isolation state, carrying out format verification on the fifth data message, and sending the fifth data message to the external network processing module after the fifth data message passes the format verification;
the external network processing module is used for carrying out protocol format conversion processing on the fifth data message according to a communication protocol of the external network equipment so as to acquire a sixth data message and sending the sixth data message to the external network equipment;
wherein the intranet processing module further comprises:
the identity identification unit, which is used for acquiring the identity information of the external network equipment to be accessed from the decrypted second data message and carrying out identity authentication according to that identity information; if the identity authentication succeeds, the external network equipment to be accessed is allowed to access the electric power Internet of things for information interaction; if the identity authentication fails, the external network equipment to be accessed is refused access to the electric power Internet of things for information interaction; wherein the key information includes: identity information of the external network equipment;
the identity authentication process comprises the following steps:
(1) The sensing equipment or the user electrical equipment sends its device parameter information, namely the MAC, IP, communication protocol P_r, valid data D_v and data format D_f, to the intranet processing module; the intranet processing module analyzes the legality and validity of this information, forms a "device fingerprint" D_fp if it meets the environment admission requirements of the Internet of things, and feeds the verification result back to the sensing equipment or the user electrical equipment;
(2) The sensing equipment or the user electrical equipment sends its environment parameter information, namely the energy consumption change Ec, signal strength change Sc and flow change Fc, to the intranet processing module; the isolation device generates an "operating environment fingerprint" E_fp and feeds the receiving result back to the sensing equipment or the user electrical equipment;
(3) The intranet processing module transmits the acquired fingerprint information to the background centralized management platform and establishes a sensing device admission whitelist W_l;
(4) When the equipment to be accessed accesses the isolation device via WIFI, HPLC or Ethernet, the intranet processing module again generates the device fingerprint and operating environment fingerprint from the identity information of the external network equipment to be accessed according to a preset fingerprint generation strategy, and compares them with the device fingerprints and environment fingerprints in the preset device access whitelist so as to perform identity authentication; wherein the identity information includes: device parameter information and operating environment parameter information;
the identity identification unit performing identity authentication according to the identity information of the external network equipment to be accessed comprises:
generating device fingerprints and operation environment fingerprints according to the identity information of the external network device to be accessed and a preset fingerprint generation strategy, and comparing the device fingerprints with the operation environment fingerprints with device fingerprints and environment fingerprints in a preset device access white list to perform identity authentication; wherein the identity information includes: device parameter information and operating environment parameter information; the device parameter information includes: the MAC address, IP, communication protocol, effective data and data format of the external network equipment; the operating environment parameter information includes: energy consumption change, signal intensity change and flow change of the external network equipment;
the isolation exchange module controlling the external network processing module and the internal network processing module to be in a physical isolation state comprises:
controlling the external network processing module and the internal network processing module so that they are never both connected to the logic isolation unit at the same time (physical cut-off state); if one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit remains disconnected from the other module, and only after the data exchange of the first module is completed and the isolation control signal is released can the other module exchange data with the logic isolation unit.
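As an added illustration of identity authentication steps (1) to (4) above, and not code from the patent, the following Python model enrolls a sensing device into the whitelist W_l from its device parameters (MAC, IP, P_r, D_v, D_f) and operating-environment parameters (Ec, Sc, Fc), then authenticates later access attempts by regenerating both fingerprints. The hashing strategy, the tolerance applied to environment values, the admission rules and all sample values are assumptions.

```python
import hashlib
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed admission policy: the claims only say the parameters are checked
# for legality and validity, so these concrete rules are assumptions.
ALLOWED_PROTOCOLS = {"mqtt", "coap"}
ALLOWED_FORMATS = {"json", "tlv"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ENV_TOLERANCE = 0.10  # assumed maximum deviation per environment value

@dataclass(frozen=True)
class DeviceParams:
    """Step (1) parameters: MAC, IP, protocol P_r, valid data D_v, format D_f."""
    mac: str
    ip: str
    protocol: str
    valid_data: str  # e.g. the data items the device legitimately reports
    data_format: str

@dataclass(frozen=True)
class EnvParams:
    """Step (2) parameters: energy change Ec, signal change Sc, flow change Fc."""
    energy_change: float
    signal_change: float
    flow_change: float

def params_are_legal(p: DeviceParams) -> bool:
    """Legality and validity analysis of the device parameters (assumed rules)."""
    try:
        ipaddress.ip_address(p.ip)
    except ValueError:
        return False
    return (MAC_RE.match(p.mac) is not None
            and p.protocol.lower() in ALLOWED_PROTOCOLS
            and p.data_format.lower() in ALLOWED_FORMATS
            and bool(p.valid_data))

def device_fingerprint(p: DeviceParams) -> str:
    """D_fp: SHA-256 over the canonicalised parameters (assumed generation strategy)."""
    canon = {"mac": p.mac.lower(), "ip": p.ip, "protocol": p.protocol.lower(),
             "valid_data": p.valid_data, "data_format": p.data_format.lower()}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()

def env_fingerprint(e: EnvParams) -> Tuple[float, float, float]:
    """E_fp: the (Ec, Sc, Fc) profile. It is matched with a tolerance instead of
    being hashed, because live readings jitter and an exact hash would reject
    legitimate devices (assumed strategy)."""
    return (e.energy_change, e.signal_change, e.flow_change)

class Whitelist:
    """W_l: the sensing-device admission whitelist of step (3)."""
    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[float, float, float]] = {}

    def enroll(self, p: DeviceParams, e: EnvParams) -> Optional[str]:
        """Steps (1)-(3): return D_fp on success, None if the parameters are rejected."""
        if not params_are_legal(p):
            return None
        d_fp = device_fingerprint(p)
        self._entries[d_fp] = env_fingerprint(e)
        return d_fp

    def authenticate(self, p: DeviceParams, e: EnvParams) -> bool:
        """Step (4): regenerate both fingerprints and compare with the whitelist."""
        ref = self._entries.get(device_fingerprint(p))
        if ref is None:
            return False  # unknown device fingerprint
        return all(abs(r - c) <= ENV_TOLERANCE for r, c in zip(ref, env_fingerprint(e)))

def demo() -> Dict[str, bool]:
    """Constructed scenario: one enrolled sensor, then three access attempts."""
    wl = Whitelist()
    sensor = DeviceParams("AA:BB:CC:DD:EE:01", "10.0.0.5", "mqtt", "voltage,current", "json")
    enrolled_env = EnvParams(0.10, -0.05, 0.20)
    if wl.enroll(sensor, enrolled_env) is None:
        raise RuntimeError("enrollment unexpectedly rejected")
    return {
        # same device, readings drifted slightly: accepted
        "genuine": wl.authenticate(sensor, EnvParams(0.15, -0.02, 0.25)),
        # identical device parameters but a very different operating profile: rejected
        "cloned_params": wl.authenticate(sensor, EnvParams(0.60, -0.05, 0.20)),
        # never-enrolled device: rejected
        "unknown": wl.authenticate(
            DeviceParams("AA:BB:CC:DD:EE:02", "10.0.0.6", "mqtt", "voltage", "json"), enrolled_env),
    }
```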
2. The apparatus of claim 1, wherein the extranet processing module further comprises:
the format verification unit is used for verifying whether the message format of the first data message meets the admission requirement of the electric power Internet of things; if the verification is passed, analyzing the first data message; if the verification is not passed, rejecting the data transmission request of the external network equipment;
the flow monitoring unit is used for monitoring whether the data flow of the external network equipment accords with the admission requirement of the electric power Internet of things or not and whether an abnormal data flow exists or not; if abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if no abnormal data stream exists, allowing the data transmission request of the external network equipment.
3. The apparatus of claim 1, wherein the isolation exchange module performs the format verification as follows:
checking whether the format of the data message to be transmitted accords with a data ferrying protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check is not passed, rejecting the data message to be transmitted.
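As an added example, not the patent's own implementation, the following Python model covers the logic isolation unit of claim 1 (only one of the two processing modules is ever connected, and the other waits until the isolation control signal is released) together with the format verification of claim 3. The ferrying message layout (magic, direction byte, length, CRC32) and the payload limit are assumptions, since the claims do not define the data ferrying protocol.

```python
import struct
import zlib
from typing import Dict, List, Optional

# Assumed data ferrying message layout: magic | direction | payload length | payload | CRC32.
MAGIC = b"FER1"
MAX_PAYLOAD = 1024
DIR_EXT_TO_INT, DIR_INT_TO_EXT = 0, 1
HEADER = struct.Struct("!4sBH")
TRAILER = struct.Struct("!I")

def build_ferry_message(direction: int, payload: bytes) -> bytes:
    """Produce a second/fifth data message in the assumed ferrying format."""
    body = HEADER.pack(MAGIC, direction, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))

def verify_ferry_format(msg: bytes, expected_direction: int) -> bool:
    """Format verification of claim 3: accept only a well-formed ferrying message
    whose direction matches the side it arrived from."""
    if len(msg) < HEADER.size + TRAILER.size:
        return False
    magic, direction, length = HEADER.unpack_from(msg)
    if magic != MAGIC or direction != expected_direction or length > MAX_PAYLOAD:
        return False
    if len(msg) != HEADER.size + length + TRAILER.size:  # declared length must match exactly
        return False
    body, (crc,) = msg[:-TRAILER.size], TRAILER.unpack(msg[-TRAILER.size:])
    return zlib.crc32(body) == crc

class IsolationExchange:
    """Logic isolation unit: at most one processing module is connected at any time."""
    EXT, INT = "extranet", "intranet"

    def __init__(self) -> None:
        self.connected: Optional[str] = None  # side currently holding the isolation control signal
        self.buffers: Dict[str, List[bytes]] = {self.EXT: [], self.INT: []}
        self.rejected = 0

    def connect(self, side: str) -> bool:
        """Raise the isolation control signal for `side`; refused while the other side holds it."""
        if self.connected not in (None, side):
            return False
        self.connected = side
        return True

    def release(self, side: str) -> None:
        """Release the isolation control signal so the other side may connect."""
        if self.connected == side:
            self.connected = None

    def ferry(self, side: str, msg: bytes) -> bool:
        """Accept a message from the connected side into the other side's buffer
        only after it passes format verification."""
        if self.connected != side:
            return False
        direction = DIR_EXT_TO_INT if side == self.EXT else DIR_INT_TO_EXT
        if not verify_ferry_format(msg, direction):
            self.rejected += 1
            return False
        self.buffers[self.INT if side == self.EXT else self.EXT].append(msg)
        return True

    def collect(self, side: str) -> List[bytes]:
        """The connected side drains the messages ferried to it."""
        if self.connected != side:
            return []
        out, self.buffers[side] = self.buffers[side], []
        return out

def demo() -> Dict[str, object]:
    """Constructed exchange: the extranet side ferries one good and one tampered
    message, the intranet side is refused while the extranet holds the signal,
    and after release the intranet side connects and drains its buffer."""
    ix = IsolationExchange()
    good = build_ferry_message(DIR_EXT_TO_INT, b'{"dev":"AA:BB:CC:DD:EE:01","op":"hello"}')
    tampered = good[:-5] + bytes([good[-5] ^ 0xFF]) + good[-4:]  # flip last payload byte; CRC no longer matches
    ext_connected = ix.connect(IsolationExchange.EXT)
    sent_good = ix.ferry(IsolationExchange.EXT, good)
    sent_bad = ix.ferry(IsolationExchange.EXT, tampered)
    int_refused = not ix.connect(IsolationExchange.INT)  # both sides are never connected at once
    ix.release(IsolationExchange.EXT)
    int_connected = ix.connect(IsolationExchange.INT)
    delivered = ix.collect(IsolationExchange.INT)
    return {"ext_connected": ext_connected, "sent_good": sent_good, "sent_bad": sent_bad,
            "int_refused": int_refused, "int_connected": int_connected,
            "delivered": len(delivered), "rejected": ix.rejected}
```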
4. The apparatus of claim 1, wherein the intranet processing module further comprises:
the access control unit is used for performing access control on the external network equipment according to a preset access control strategy and determining the access authority of the external network equipment;
the business monitoring unit is used for monitoring the processes in the intranet processing module and, when an abnormal event occurs, handling it promptly so that the intranet processing module continues to provide normal service;
the log recording unit is used for recording various operation logs and communication logs;
the key certificate importing unit is used for interfacing with the electric power unified cryptographic infrastructure to realize the distribution of external network equipment keys and the application for and issuing of digital certificates.
5. An isolation method suitable for a client side of an electric power internet of things, which is characterized by comprising the following steps:
analyzing a received first data message sent by the external network equipment to obtain key information, and performing protocol format conversion processing on the key information according to a data ferrying protocol to obtain a second data message;
controlling the external network processing module and the internal network processing module to be in a physical isolation state, and performing format verification on the second data message;
after the second data message passes the format verification, decrypting the second data message, and performing protocol format conversion processing on the decrypted second data message according to a special communication protocol of the electric power Internet of things to obtain a third data message and sending the third data message to the intranet equipment;
wherein the method further comprises:
encrypting a received fourth data message sent by the intranet equipment, and performing protocol format conversion processing on the encrypted fourth data message according to the data ferrying protocol to obtain a fifth data message;
controlling the external network processing module and the internal network processing module to be in a physical isolation state, and performing format verification on the fifth data message;
after the fifth data message passes the format verification, carrying out protocol format conversion processing on the fifth data message according to a communication protocol of the external network equipment so as to obtain a sixth data message and sending the sixth data message to the external network equipment;
wherein the method further comprises:
acquiring identity information of the external network equipment to be accessed according to the decrypted second data message, and carrying out identity authentication according to the identity information of the external network equipment to be accessed; if the identity authentication is successful, allowing the external network equipment to be accessed to access the electric power Internet of things for information interaction; if the identity authentication fails, rejecting the external network equipment to be accessed to the electric power Internet of things for information interaction; wherein the key information includes: identity information of the external network equipment;
the identity authentication process comprises the following steps:
(1) The sensing equipment or the user electrical equipment sends its device parameter information, namely the MAC, IP, communication protocol P_r, valid data D_v and data format D_f, to the intranet processing module; the intranet processing module analyzes the legality and validity of this information, forms a "device fingerprint" D_fp if it meets the environment admission requirements of the Internet of things, and feeds the verification result back to the sensing equipment or the user electrical equipment;
(2) The sensing equipment or the user electrical equipment sends its environment parameter information, namely the energy consumption change Ec, signal strength change Sc and flow change Fc, to the intranet processing module; the isolation device generates an "operating environment fingerprint" E_fp and feeds the receiving result back to the sensing equipment or the user electrical equipment;
(3) The intranet processing module transmits the acquired fingerprint information to the background centralized management platform and establishes a sensing device admission whitelist W_l;
(4) When the equipment to be accessed accesses the isolation device via WIFI, HPLC or Ethernet, the intranet processing module again generates the device fingerprint and operating environment fingerprint from the identity information of the external network equipment to be accessed according to a preset fingerprint generation strategy, and compares them with the device fingerprints and environment fingerprints in the preset device access whitelist so as to perform identity authentication; wherein the identity information includes: device parameter information and operating environment parameter information;
the identity authentication according to the identity information of the external network equipment to be accessed comprises the following steps:
generating device fingerprints and operation environment fingerprints according to the identity information of the external network device to be accessed and a preset fingerprint generation strategy, and comparing the device fingerprints with the operation environment fingerprints with device fingerprints and environment fingerprints in a preset device access white list to perform identity authentication; wherein the identity information includes: device parameter information and operating environment parameter information; the device parameter information includes: the MAC address, IP, communication protocol, effective data and data format of the external network equipment; the operating environment parameter information includes: energy consumption change, signal intensity change and flow change of the external network equipment;
wherein controlling the external network processing module and the internal network processing module to be in a physical isolation state comprises:
controlling the external network processing module and the internal network processing module so that they are never both connected to the logic isolation unit at the same time (physical cut-off state); if one of the two modules is exchanging data with the logic isolation unit, the logic isolation unit remains disconnected from the other module, and only after the data exchange of the first module is completed and the isolation control signal is released can the other module exchange data with the logic isolation unit.
6. The method of claim 5, wherein the method further comprises: before analyzing a first data message sent by a received external network device, checking whether a message format of the first data message meets the admission requirement of the electric power Internet of things; if the verification is passed, analyzing the first data message; if the verification is not passed, rejecting the data transmission request of the external network equipment;
monitoring whether the data flow of the external network equipment accords with the admission requirement of the electric power Internet of things or not, and whether an abnormal data flow exists or not; if abnormal data flow exists, rejecting the data transmission request of the external network equipment; and if no abnormal data stream exists, allowing the data transmission request of the external network equipment.
7. The method of claim 5, wherein the format verification is performed as follows:
checking whether the format of the data message to be transmitted accords with a data ferrying protocol; if the format check is passed, transmitting the data message to be transmitted; and if the format check is not passed, rejecting the data message to be transmitted.
8. The method of claim 5, wherein the method further comprises:
performing access control on the external network equipment according to a preset access control strategy, and determining the access authority of the external network equipment;
monitoring the processes in the intranet processing module and, when an abnormal event occurs, handling it promptly so that the intranet processing module continues to provide normal service;
recording various operation logs and communication logs;
and interfacing with the electric power unified cryptographic infrastructure to realize the distribution of external network equipment keys and the application for and issuing of digital certificates.
CN202010789502.2A 2020-08-07 2020-08-07 Isolation device and isolation method suitable for client side of electric power Internet of things Active CN112073375B (en)


Publications (2)

Publication Number Publication Date
CN112073375A CN112073375A (en) 2020-12-11
CN112073375B true CN112073375B (en) 2023-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant