CN112102516B - Intelligent robot inspection system for transformer substation and access operation method thereof - Google Patents

Intelligent robot inspection system for transformer substation and access operation method thereof Download PDF

Info

Publication number
CN112102516B
CN112102516B CN202011003574.6A CN202011003574A CN112102516B CN 112102516 B CN112102516 B CN 112102516B CN 202011003574 A CN202011003574 A CN 202011003574A CN 112102516 B CN112102516 B CN 112102516B
Authority
CN
China
Prior art keywords
robot
inspection
encryption
security
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011003574.6A
Other languages
Chinese (zh)
Other versions
CN112102516A (en
Inventor
张昊
刘新
马雷
刘冬兰
王睿
于灏
王文婷
赵晓红
赵洋
常英贤
陈剑飞
牛德玲
刘鑫
任天成
赵勇
吕国栋
王晓峰
井俊双
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN202011003574.6A priority Critical patent/CN112102516B/en
Publication of CN112102516A publication Critical patent/CN112102516A/en
Application granted granted Critical
Publication of CN112102516B publication Critical patent/CN112102516B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C1/00Registering, indicating or recording the time of events or elapsed time, e.g. time-recorders for work people
    • G07C1/20Checking timed patrols, e.g. of watchman
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/18Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Power Engineering (AREA)
  • Selective Calling Equipment (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

A transformer substation intelligent robot inspection system comprises a terminal security reinforcement unit, a security certification transmission proxy server and a security certification encryption platform, wherein the terminal security reinforcement unit is installed on an industrial personal computer of an inspection robot, the security certification transmission proxy server is arranged between an AP (access point) in an intelligent transformer substation and a router of a master control room, and the security certification encryption platform is arranged in an information intranet. The safety certification access and the data safety protection of the inspection robot are realized by installing the terminal safety strengthening unit in the inspection robot manual controller. The safety capability provided by the terminal safety reinforcing unit comprises digital certificate application, data encryption and decryption, key storage protection and terminal state monitoring, the encryption and decryption of data streams can be flexibly configured as required, and the safety of the intelligent robot inspection system of the transformer substation is improved.

Description

Intelligent robot inspection system for transformer substation and access operation method thereof
Technical Field
The invention belongs to the field of identity authentication and data encryption, and relates to a transformer substation intelligent robot inspection system and an access operation method thereof.
Background
The intelligent robot inspection system for the transformer substation uses an intelligent inspection robot as a core, integrates a robot technology, a power equipment non-contact detection technology, a multi-sensor fusion technology, a mode identification technology, a navigation positioning technology and an internet of things technology, adopts an autonomous or remote control mode to detect visible light, infrared and the like of equipment in the transformer substation, and finds out hidden troubles of power grid operation faults in time by comparing inspection data and analyzing trends.
The intelligent inspection robot is taken as a typical representative of an internet-of-things intelligent terminal and integrates functions of measurement, control and the like, the current robot inspection system is structured as shown in fig. 1, the system adopts an independent networking mode and is cascaded in a Virtual Private Network (VPN) mode, and a power information intranet is not accessed at present because the system has a safe access risk.
The potential network security risk of the inspection system of the intelligent inspection robot of the current transformer substation comprises the following three aspects:
1. an attacker accesses the network in the station by cracking the password of the wireless access point in the station, so that the attacker further invades the system;
2. an attacker changes the running track of the robot by tampering and replaying the contents of the robot control message, so that malicious control is realized;
3. an attacker can steal the inspection data of the robot by capturing data traffic, so that sensitive information is leaked.
In order to meet the requirement of accessing an intelligent inspection system of a transformer substation to an electric power information intranet while ensuring the security, a solution of introducing a security access gateway is generally adopted at present, in the scheme, the structure of the intelligent robot inspection system of the transformer substation is shown in fig. 2, a security access terminal hardware module is added at the flow outlet side of a robot, security access gateway equipment is added and deployed at a network inlet of the transformer substation, and data transmitted in the network is encrypted and protected in a mode of establishing an IPsec VPN channel between the security access terminal hardware module and the security access gateway. By the prior art, the proportion of the intelligent robot inspection system of the transformer substation adopting the safety access gateway is about 5%.
However, the security access gateway based solution has the following four problems:
1. a safety access terminal module needs to be added to the inspection robot body, but the installation space of the safety access terminal module is not reserved in most stock robots, so that the adjustment and the transformation of a hardware structure are difficult;
2. data in a channel transmission process between a Security access terminal hardware module and a Security access gateway is protected in a mode of Internet Protocol Security (IPsec for short) VPN, but information such as locally stored data and a secret key of a robot terminal is not encrypted and protected;
3. a full-flow encryption mode is adopted, fine flow selective encryption is not supported, and encryption and non-encryption state switching is not supported when the video flow is large or the network is unstable;
4. the capital cost of the newly added safety access equipment is higher, and the cost of the later operation and maintenance service of hardware is added, so that the pressure of the batch popularization cost is high.
Disclosure of Invention
In order to solve the defects in the prior art, the invention aims to provide a transformer substation intelligent robot inspection system and an access operation method thereof, wherein the inspection robot safety certification access and the data safety protection are realized by installing a terminal safety reinforcing unit in an inspection robot manual control machine, the safety capability provided by the terminal safety reinforcing unit comprises digital certificate application, data encryption and decryption, key storage protection, terminal state monitoring and the like, the encryption and decryption of a data stream can be flexibly configured as required, and the safety of the transformer substation intelligent robot inspection system is improved.
The invention adopts the following technical scheme:
a transformer substation intelligent robot inspection system comprises an inspection robot 110, a transformer substation master control upper computer 133, an in-station switch 132, an electric power intranet switch 141, a firewall 142 and a security encryption authentication server 143; the method is characterized in that:
the inspection robot 110 comprises a robot controller 116, and the robot controller 116 is communicated with an access AP antenna 121 in a transformer substation through a robot side antenna 118;
a security authentication transmission proxy server 131 is arranged between the access AP antenna 121 in the transformer substation and an in-station switch 132, and the in-station switch 132 is in communication connection with a transformer substation master control upper computer 133;
the in-station switch 132 is connected to the security encryption authentication server 143 through the intranet switch 141 and the firewall 142 in sequence.
A terminal security reinforcing unit 117 is arranged in the robot controller 116, and the terminal security reinforcing unit 117 comprises an identity authentication module, a data encryption/decryption module and a state monitoring module;
the inspection robot 110 identifies the identity of the intelligent inspection system of the access substation through an identity authentication module, encrypts the acquired data before transmission through the data encryption/decryption module, and decrypts the received operation instruction sent by the substation master control upper computer 133; and the state detection module detects the real-time state data of the inspection robot 110 and judges the safety state of the inspection robot 110.
After the robot is powered on, the identity authentication module checks whether a digital certificate exists, and if so, the identity authentication is carried out by using the digital certificate; if the digital certificate does not exist, the digital certificate needs to be applied to the security encryption authentication server 143 on line, and then authentication is carried out; if the authentication is passed, the robot is accessed to the intelligent inspection system of the transformer substation to execute an inspection task, otherwise, the safety encryption authentication server 143 refuses the robot to access to the intelligent inspection system of the transformer substation;
each robot corresponds to a digital certificate, the digital certificate can be loaded in a prefabricated or online application mode, and the digital certificate is bound with equipment information of the corresponding robot.
The sensing equipment of the inspection robot 110 comprises a visible light camera 111, a thermal imager 113 and a laser sensor 114, a data encryption/decryption module symmetrically encrypts data acquired by the sensing equipment by using a state cryptographic algorithm SM4 and sends the data to the security certification transmission proxy server 131 through a wireless channel, the security certification transmission proxy server 131 decrypts the received data by using an SM4 key and sends the decrypted data to the substation master control upper computer 133 and the NVR video server 134 after NAT mapping;
wherein, NAT is network address translation.
The state monitoring module collects the state information of the inspection robot 110 in real time and uploads the state information to the safety encryption authentication server 143 to be compared with historical verification information, the initial historical verification information is generated before the inspection robot 110 normally operates, and the initial historical verification information is stored on the safety encryption authentication server 143;
comparing the state information acquired in real time with the historical verification information, analyzing whether the inspection robot 110 is captured, debugged or attacked, further judging the safety state of the inspection robot 110, and when judging that the current robot has a safety risk, performing warning prompt on a display module of the safety encryption authentication server 143;
the state information of the inspection robot 110 refers to hardware and software information, and comprises equipment model, CPU model, network card MAC address, operating system model, kernel version, position information, memory state and running process information;
under normal conditions, the fingerprint of the inspection robot device does not change, the device fingerprint is formed by collecting software and hardware information of the robot by the terminal security strengthening unit 117, and when the fingerprint changes, the robot is attacked; when the inspection robot is captured, the storage equipment is taken down; the debugging process occurs in the running process of the inspection robot, no relevant debugging record of operation and maintenance personnel exists, and the safety state of the inspection robot is judged by utilizing the information of whether the inspection robot is captured, debugged and attacked.
The security authentication transmission proxy server 131 is responsible for forwarding identity authentication messages sent by the inspection robot 110 to the security encryption authentication server 143, encrypts the identity authentication messages by adopting a state encryption algorithm SM4 and forwards operation instruction information issued by the substation intelligent inspection control substation main control upper computer 133 to the inspection robot 110, and establishes an encryption channel with the inspection robot 110 through the terminal security reinforcement unit 117;
the identity authentication message is generated by the inspection robot 110, the inspection robot 110 sends an authentication request message to the security encryption authentication server 143 for authentication, the content of the authentication message is a character string obtained by encrypting the device fingerprint of the inspection robot by using a private key of a digital certificate, and the authentication server decrypts the device fingerprint of the inspection robot by using a public key in the digital certificate of the inspection robot after receiving the character string, restores the device fingerprint of the inspection robot and verifies the device fingerprint.
The security encryption authentication server 143 includes a terminal authentication module, which integrates a CA, performs generation, issuance, revocation of a digital certificate, reserves a northbound interface of an authentication service, and supports switching use of other CAs in a company as an authentication unit;
where CA is an authentication unit.
The security encryption authentication server 143 further includes an encryption/decryption operation and key management module, which is responsible for completing encryption/decryption operation of data stored at the server side, supports selective encryption of traffic by configuring the rules of the security authentication transmission proxy server 131 and the terminal security reinforcing unit 117, and is responsible for generation, distribution, and destruction of keys for the whole life cycle management.
The security encryption authentication server 143 further includes a display module for displaying hardware and software information of the inspection robot collected by the terminal security reinforcement unit 117 and dynamically drawing a network topology two-dimensional plan of the intelligent inspection system including sensing devices such as the visible light camera 111, the thermal imager 113 and the laser sensor 114.
The access operation method of the substation intelligent robot inspection system comprises the following steps:
step 1: after the inspection robot 110 is powered on, firstly scanning whether the SM2 digital certificate exists or not, and if not, initiating a certificate application process;
before executing the inspection task, the inspection robot 110 uses the digital certificate to initiate an identity authentication request;
step 2: after the identity authentication in the step 1 is completed, carrying out key agreement by using an SM2 public key of a robot digital certificate to negotiate an SM4 session key, sending an operation instruction to a security authentication transmission proxy server 131 by a substation master control upper computer 133 of the intelligent inspection control system of the substation, encrypting the instruction by using an SM4 session key by using the transmission proxy server, carrying out reverse mapping by using an NAT, sending the encrypted instruction to an inspection robot 110 through a wireless channel, calling a terminal security reinforcement unit 117 to decrypt an interface after the robot receives the instruction, and restoring an original operation instruction and executing, wherein the NAT is network address conversion;
and step 3: the data collected by encrypting the SM4 session key is sent to the security authentication transmission proxy server 131 through the AP via a wireless channel, and the data is decrypted;
and 4, step 4: the inspection robot 110 calls the white-box encryption interface to decrypt the local data encryption key, and performs storage and reading operations after encrypting and decrypting the data.
In the step 1, when the intelligent inspection robot 110 of the transformer substation is put into operation, the SM2 digital certificate can be issued to each inspection robot 110 in a filling or online application mode, the certificate is bound with robot equipment information, after the robot is powered on, whether the certificate exists or not is checked, that is, whether a certificate file exists or not is checked under a corresponding certificate directory, and if not, a certificate application process is initiated.
In the step 1, the intelligent inspection robot 110 of the transformer substation accesses an in-station AP, before executing an inspection task, initiates an identity authentication request by using a digital certificate of the intelligent inspection robot, the request is forwarded to the terminal security encryption authentication server 143 by the security authentication transmission proxy server 131, the terminal identity authentication is completed after passing the inspection, so that the intelligent inspection robot can access the intelligent inspection system of the transformer substation, if the authentication fails, the applied network access device is considered to be an illegal inspection robot terminal, the intelligent inspection robot terminal is refused to access the in-station network, and log recording is performed in the security encryption authentication server 143.
In the step 3, the traffic forwarding policy of the inspection robot is set in the security encryption authentication server 143, and whether encryption transmission is required to be performed on the corresponding data stream is configured according to the port number providing the service;
after receiving the collected data sent by the sensing device of the inspection robot, the industrial personal computer 116 encrypts the data stream to be encrypted by using the SM4 session key, sends the encrypted data stream to the security authentication transmission proxy server 131 through the AP via a wireless channel, decrypts the data flow by using the security authentication transmission proxy server 131, performs NAT conversion, and sends the data flow to the substation master control upper computer 133 and the NVR video server 134.
In the step 4, the terminal security reinforcing unit 117 collects software and hardware information of the robot to form an equipment fingerprint, performs Hash operation on the equipment fingerprint by using an SM3 Hash algorithm to obtain a digest value of the equipment fingerprint of the robot, and takes the first 128 bits of the digest value as a local data encryption key.
In the step 4, the local data encryption key and the private key of the robot digital certificate are protected by white box encryption;
when the local data is stored and read, the white box encryption interface is called to decrypt the local data encryption key, and the data is stored and read after being encrypted and decrypted.
Compared with the prior art, the invention has the beneficial effects that:
1. according to the access operation method of the transformer substation intelligent robot inspection system based on the terminal security reinforcement unit, the identity authentication capability based on the digital certificate is provided for the transformer substation intelligent inspection robot in a terminal security reinforcement unit deployment mode, and the access of counterfeit terminals is effectively prevented by binding the fingerprint information of terminal equipment in the digital certificate;
2. the access operation method of the transformer substation intelligent robot inspection system based on the terminal security reinforcement unit can conveniently realize the encrypted storage of local data and a secret key of a terminal, effectively avoids secret key theft and data leakage caused by flow eavesdropping, equipment capturing and cracking, and protects the storage security of the local data and the secret key of the terminal while ensuring the security of a data transmission process;
3. the access operation method of the transformer substation intelligent robot inspection system based on the terminal security reinforcement unit supports flexible flow encryption selection, and can flexibly configure flow to be encrypted according to requirements under different network conditions, so that the quality and stability of high-definition video service data of the transformer substation intelligent robot inspection are ensured;
4. compared with a hardware safety access terminal module, the mode of adopting the terminal safety reinforcing unit does not need to provide extra physical space inside the robot, the robot hardware equipment does not need to be adjusted and transformed, and meanwhile, the terminal safety reinforcing unit supports convenient upgrading and maintenance, so that the popularization and maintenance cost of the system is greatly reduced.
Drawings
FIG. 1 is a diagram of a patrol system architecture of an intelligent robot in a substation, which is not accessed to an information intranet 140 in the prior art;
in the figure, an inspection robot 210; an industrial personal computer 211; an infrared video server 212; a visible light camera 212; a thermal imager 213; a laser sensor 214; a small switch 215; a robot-side antenna 216; an exposed-at-risk surface 220; an intra-station access point AP 221; an intra-station main control room 230; a switch 231; an upper computer 232; NVR video server 233; an information intranet 240; an intranet switch 241; a firewall 242; various types of intranet services 243;
FIG. 2 is a diagram of a substation intelligent robot inspection system architecture based on a security access gateway in the prior art,
in the figure, an inspection robot 310; an industrial personal computer 311; an infrared video server 312; a visible light camera 313; a thermal imager 314; a laser sensor 315; the mini-switch 316; the mount pipe accesses the terminal module hardware 317; a robot-side antenna 318; an intra-station access point AP 321; an intra-station main control room 330; a secure access gateway 331; a three-layer switch 332; an upper computer 333; an NVR video server 334; an information intranet 340; a firewall 341; an intranet switch 342; various intranet services 343;
FIG. 3 is a transformer substation intelligent robot inspection system architecture based on a terminal security reinforcement unit provided by the invention;
in the figure, an inspection robot 110; a visible light camera 111; an infrared video server 112; a thermal imager 113; a laser sensor 114; a small form factor switch 115; an industrial personal computer 116; a terminal security reinforcement unit 117; a robot-side antenna 118; the risk exposure surface 120; an intra-station access point AP 121; an intra-station main control room 130; a secure authentication transfer proxy server 131; a switch 132; a substation master control upper computer 133; an NVR video server 134; an information intranet 140; an intranet switch 141; a firewall 142; a secure cryptographic authentication server 143.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present application is not limited thereby.
The intelligent inspection robot is as thing networking intelligent terminal typical representative, collects functions in an organic whole such as measurement, control, and transformer substation intelligent robot inspection system architecture is shown as figure 1 in the prior art, and the system of patrolling and examining specifically includes: an inspection robot 210; an industrial personal computer 211; an infrared video server 212; a visible light camera 212; a thermal imager 213; a laser sensor 214; a small switch 215; a robot-side antenna 216; an exposed-at-risk surface 220; an intra-station access point AP 221; an intra-station main control room 230; a switch 231; an upper computer 232; NVR video server 233; an information intranet 240; an intranet switch 241; a firewall 242; various types of intranet services 243; the system adopts an independent networking mode, cascade connection is carried out in a Virtual Private Network (VPN), and the system has no access to an electric power information intranet because of the safety access risk.
The potential network security risk of the inspection system of the intelligent inspection robot of the transformer substation comprises the following three aspects:
1. an attacker accesses the network in the station by cracking the wireless access point password in the station, so that the attacker further invades the system;
2. an attacker changes the running track of the robot by tampering and replaying the contents of the robot control message, so that malicious control is realized;
3. an attacker can steal the inspection data of the robot by capturing data traffic, so that sensitive information is leaked.
For satisfying the demand that the intelligent system of patrolling and examining of transformer substation inserts the electric power information intranet when guaranteeing the security, adopt the solution of introducing safe access gateway at present usually, the transformer substation intelligent robot based on safe access gateway among the prior art patrols and examines system architecture as shown in figure 2, patrols and examines the system and include: an inspection robot 310; an industrial personal computer 311; an infrared video server 312; a visible light camera 313; a thermal imager 314; a laser sensor 315; the mini-switch 316; the mount pipe accesses the terminal module hardware 317; a robot-side antenna 318; an intra-station access point AP 321; an intra-station main control room 330; a secure access gateway 331; a three-layer switch 332; an upper computer 333; an NVR video server 334; an information intranet 340; a firewall 341; an intranet switch 342; various intranet services 343;
a security access terminal hardware module is added on a robot flow outlet side, security access gateway equipment is additionally deployed on a network inlet in a station, and data transmitted in the network is encrypted and protected in a mode of establishing an IPsec VPN channel between the security access terminal hardware module and the security access gateway. By the prior art, the proportion of the intelligent robot inspection system of the transformer substation adopting the safety access gateway is about 5%.
However, the security access gateway based solution has the following four problems:
1. a safety access terminal module needs to be added to the inspection robot body, but the installation space of the safety access terminal module is not reserved in most stock robots, so that the adjustment and the transformation of a hardware structure are difficult;
2. data in a channel transmission process between a Security access terminal hardware module and a Security access gateway is protected in a mode of Internet Protocol Security (IPsec for short) VPN, but information such as locally stored data and a secret key of a robot terminal is not encrypted and protected;
3. a full-flow encryption mode is adopted, fine flow selective encryption is not supported, and encryption and non-encryption state switching is not supported when the video flow is large or the network is unstable;
4. the capital cost of the newly added safety access equipment is higher, and the cost of the later operation and maintenance service of hardware is added, so that the pressure of the batch popularization cost is high.
Fig. 3 is a diagram of the substation intelligent robot inspection system architecture based on the terminal security reinforcement unit 117.
The intelligent substation inspection system based on the terminal security strengthening unit 117 comprises the terminal security strengthening unit 117, a security certification transmission proxy server 131 and a security certification encryption platform.
The terminal security reinforces unit 117 mounted position and is patrolling and examining robot 110 industrial computer 116, includes:
and the identity authentication module is responsible for applying the digital certificate and authenticating the identity of the inspection robot 110.
And the data encryption module symmetrically encrypts data acquired by sensing equipment such as a visible light camera 111, a thermal imager 113 and a laser sensor 114 in the inspection robot 110, control instruction data of the robot and the like by using a cryptographic algorithm SM 4.
The state monitoring module collects hardware and software information of the inspection robot 110, including more than 70 types of terminals and state information such as equipment model, CPU model, network card MAC address, network information, operating system model, kernel version, position information, memory state and the like, analyzes whether the inspection robot 110 is captured, debugged and attacked or not by comparing with historical verification information, and further judges the safety state of the inspection robot 110.
The terminal security reinforcing unit 117 module provides the required security capability for the inspection robot 110 through an Application Programming Interface (API). The identity security authentication of the robot access system is realized through a digital certificate, the local data storage encryption and the data transmission encryption of the inspection robot 110 are realized based on a state secret algorithm, the real-time monitoring of the security state of the inspection robot 110 is realized by acquiring and analyzing the terminal equipment and the state information of the inspection robot 110, and the security capability is extended to the robot terminal.
The security authentication transmission proxy server 131 is deployed between an AP (access point) and a master control room router in an intelligent substation, is connected with a main control upper computer 133 and an NVR (network video recorder) video server 134 of the intelligent inspection control substation of the substation through the router, is accessed into an information intranet 140 through a firewall 142 in the north direction of a network in the substation, is connected with a security authentication encryption platform, and is responsible for data encryption and decryption and flow forwarding.
The security authentication transmission proxy server 131 is responsible for decrypting and forwarding authentication messages and data traffic sent by the robot, encrypting robot operation instruction information issued by the substation intelligent inspection control substation master control upper computer 133, and effectively solving the confidentiality problem of data transmission by establishing an encryption channel between the terminal security reinforcing unit 117 and the inspection robot 110.
The security authentication encryption platform is deployed in the information intranet 140, and includes:
the terminal authentication module integrates an authentication unit (CA), can realize generation, issuance, revocation and the like of a digital Certificate, reserves a north authentication service interface, and supports switching to use other CAs in a company as the authentication unit.
And the encryption and decryption operation and key management module is responsible for completing encryption and decryption operations of data and instructions, supporting the configuration of the flow needing to be encrypted and being responsible for the whole life cycle management of key generation, distribution, destruction and the like.
And the display module is in charge of visually displaying the terminal equipment information acquired by the terminal security reinforcing unit 117 and can dynamically draw a network topological graph of the current intelligent inspection system.
The safety certification encryption platform module integrates a certification module, an encryption and decryption operation module, a key management module and a web display module, realizes the identity certification access, encryption parameter configuration and full life cycle management of the key of the inspection robot 110, realizes the visual display of terminal state information, automatic discovery of an inspection system network topological graph and the like, and is convenient for the technology or management personnel to conveniently complete the system configuration and comprehensively master the system safety state.
As shown in fig. 3, the method for accessing and operating the inspection system of the intelligent robot in the substation based on the terminal security reinforcement unit 117 provided by the embodiment of the present invention includes the following steps:
step 1: adjusting the internal network of the robot, guiding data of sensing equipment such as a visible light camera 111, a thermal imager 113, laser and the like to pass through an industrial personal computer 116, and deploying a terminal security reinforcement unit, a security authentication transmission proxy server 131 and a security authentication encryption platform;
step 2: the process of the inspection robot 110 identity authentication comprises a process of initiating certificate application and a process of accessing the intelligent inspection system of the transformer substation;
step 2-1: when the intelligent inspection robot 110 of the transformer substation is put into operation, an SM2 digital certificate is issued to each inspection robot 110 in a filling or online application mode, and the certificate binds robot equipment information, such as the name of the transformer substation, the ID of the robot, the MAC address of a network card of the robot, and the like. After the robot is powered on, the robot firstly scans whether the SM2 digital certificate exists, and if not, a certificate application process is initiated.
Step 2-2: the intelligent inspection robot 110 of the transformer substation accesses an AP in a station, before an inspection task is executed, a digital certificate of the intelligent inspection robot is used for initiating an identity authentication request, the request is forwarded to a terminal authentication encryption security platform identity authentication service module by a security authentication transmission proxy server 131, terminal identity authentication is completed after the request passes the inspection, the intelligent inspection robot can access an intelligent inspection system of the transformer substation, and if the authentication fails, the intelligent inspection robot refuses to access the network in the station.
And step 3: after the identity authentication in the step 2 is completed, performing key agreement by using an SM2 public key of the robot digital certificate, and further controlling instruction transmission;
step 3-1: before the control command is transmitted, key negotiation needs to be carried out, and an SM4 session key is negotiated by utilizing an SM2 public key of the robot digital certificate.
Step 3-2: the intelligent substation inspection control master control upper computer 133 sends an operation instruction to the security authentication transmission proxy server 131, the transmission proxy server encrypts the instruction by using an SM4 session key, the encrypted instruction is sent to the inspection robot 110 through a wireless channel after NAT inverse mapping, and the robot calls a terminal security reinforcement unit 117 decryption interface after receiving the instruction, restores the original operation instruction and executes the operation instruction.
And 4, step 4: data acquired by encrypting the SM4 session key are sent to the security authentication transmission proxy server 131 through the AP through a wireless channel, and are sent to the substation master control upper computer 133 and the NVR video server 134 after decryption;
step 4-1: and configuring the security authentication encryption platform and specifying data to be encrypted and transmitted.
Step 4-2: after receiving the collected data sent by the sensing device of the inspection robot 110, the industrial personal computer 116 of the inspection robot 110 encrypts the data to be encrypted by using the SM4 session key, sends the encrypted data to the security authentication transmission proxy server 131 through the AP via a wireless channel, decrypts the data traffic by using the security authentication transmission proxy server 131, performs NAT conversion, and sends the data to the substation master control upper computer 133 and the NVR video server 134.
And 5: the inspection robot 110 calls the white box encryption interface to decrypt the local data encryption key, and stores and reads the encrypted data after encrypting and decrypting the data.
Step 5-1: the terminal security reinforcing unit 117 collects terminal software and hardware information to form an equipment fingerprint, performs Hash operation on the equipment fingerprint by using an SM3 Hash algorithm to obtain an abstract value of the equipment fingerprint, and takes the first 128 bits of the abstract value as a local data encryption key.
Step 5-2: the local data encryption key and the robot digital certificate private key are protected by white box encryption.
Step 5-3: when the local data is stored and read, the white box encryption interface is called to decrypt the local data encryption key, and the data is stored and read after being encrypted and decrypted.
The present applicant has described and illustrated embodiments of the present invention in detail with reference to the accompanying drawings, but it should be understood by those skilled in the art that the above embodiments are merely preferred embodiments of the present invention, and the detailed description is only for the purpose of helping the reader to better understand the spirit of the present invention, and not for limiting the scope of the present invention, and on the contrary, any improvement or modification made based on the spirit of the present invention should fall within the scope of the present invention.

Claims (12)

1. An intelligent robot inspection system for a transformer substation comprises an inspection robot (110), a transformer substation master control upper computer (133), an in-station switch (132), an electric power intranet switch (141), a firewall (142) and a security encryption authentication server (143); the method is characterized in that:
the inspection robot (110) comprises a robot controller (116), and the robot controller (116) is communicated with an AP antenna (121) accessed in a transformer substation through a robot side antenna (118);
a security authentication transmission proxy server (131) is arranged between an access AP antenna (121) and an in-station switch (132) in the transformer substation, and the in-station switch (132) is in communication connection with a main control upper computer (133) of the transformer substation;
the in-station switch (132) is connected to a security encryption authentication server (143) through an electric power intranet switch (141) and a firewall (142) in sequence;
a terminal security reinforcing unit (117) is arranged in the robot control machine (116), and the terminal security reinforcing unit (117) comprises an identity authentication module, a data encryption/decryption module and a state monitoring module;
the inspection robot (110) identifies the identity of the intelligent inspection system of the access substation through an identity authentication module, and encrypts the acquired data before transmission and decrypts the received operation instruction sent by the main control upper computer (133) of the substation through the data encryption/decryption module; the real-time state data of the inspection robot (110) is detected through the state monitoring module, and the safety state of the inspection robot (110) is judged;
after the robot is powered on, the identity authentication module checks whether a digital certificate exists, and if so, the identity authentication is carried out by using the digital certificate; if the digital certificate does not exist, the digital certificate is required to be applied to a security encryption authentication server (143) on line, and then authentication is carried out; if the authentication is passed, the robot is accessed to the intelligent inspection system of the transformer substation to execute an inspection task, otherwise, the safety encryption authentication server (143) refuses the robot to access to the intelligent inspection system of the transformer substation;
each robot corresponds to a digital certificate, the digital certificate can be loaded in a filling or online application mode, and the digital certificate is bound with equipment information of the corresponding robot;
the state monitoring module collects the state information of the inspection robot (110) in real time and uploads the state information to the security encryption authentication server (143) to be compared with historical verification information, and the security encryption authentication server (143) analyzes whether the inspection robot (110) is captured, debugged or attacked or not through comparison of the state information collected in real time and the historical verification information, so that the security state of the inspection robot (110) is judged;
comparing the state information acquired in real time with historical verification information, analyzing whether the inspection robot (110) is captured, debugged or attacked, further judging the safety state of the inspection robot (110), and when judging that the current robot has a safety risk, performing warning prompt on a display module of a safety encryption authentication server (143);
under normal conditions, the fingerprint of the inspection robot equipment does not change, the equipment fingerprint is formed by collecting software and hardware information of the robot by a terminal security reinforcing unit (117), and when the equipment fingerprint changes, the robot is attacked; when the inspection robot is captured, the storage equipment is taken down; the debugging process occurs in the running process of the inspection robot, no relevant debugging record of operation and maintenance personnel exists, and the safety state of the inspection robot is judged by utilizing the information of whether the inspection robot is captured, debugged and attacked;
the safety certification transmission proxy server (131) is responsible for forwarding identity certification messages sent to the safety encryption certification server (143) by the inspection robot (110), encrypting the identity certification messages by adopting a state secret algorithm SM4 and forwarding operation instruction information issued to the inspection robot (110) by a substation master control upper computer (133), and establishing an encryption channel between the inspection robot (110) and the terminal safety reinforcement unit (117);
the identity authentication message is generated by the inspection robot (110), the inspection robot (110) sends an authentication request message to the security encryption authentication server (143) for authentication, the content of the authentication message is a character string obtained by encrypting the equipment fingerprint of the inspection robot by using a private key of a digital certificate, and the authentication server decrypts the equipment fingerprint of the inspection robot by using a public key in the digital certificate of the inspection robot after receiving the character string, restores the equipment fingerprint of the inspection robot and verifies the equipment fingerprint.
2. The substation intelligent robot inspection system according to claim 1, characterized in that:
the sensing equipment of the inspection robot (110) comprises a visible light camera (111), a thermal imager (113) and a laser sensor (114), a data encryption/decryption module symmetrically encrypts data collected by the sensing equipment by using a state cryptographic algorithm SM4 and sends the data to a security certification transmission proxy server (131) through a wireless channel, the security certification transmission proxy server (131) decrypts the received data by using an SM4 key, and sends the decrypted data to a substation master control upper computer (133) and an NVR video server (134) after NAT mapping;
wherein, NAT is network address translation.
3. The substation intelligent robot inspection system according to claim 2, characterized in that:
the state information of the inspection robot (110) refers to hardware and software information and comprises equipment model, CPU model, network card MAC address, operating system model, kernel version, position information, memory state and running process information.
4. The substation intelligent robot inspection system according to claim 1, characterized in that:
the security encryption authentication server (143) comprises a terminal authentication module, which integrates a CA, executes generation, issuance and revocation of digital certificates, reserves a northbound interface of authentication service, and supports switching to use other CAs as authentication units;
where CA is an authentication unit.
5. The substation intelligent robot inspection system according to claim 4, characterized in that:
the security encryption authentication server (143) further comprises an encryption/decryption operation and key management module, which is responsible for completing the encryption/decryption operation of data stored in the server side, supports selective encryption of flow by configuring the rules of the security authentication transmission proxy server (131) and the terminal security reinforcing unit (117), and is responsible for the generation, distribution and destruction of keys in the whole life cycle management.
6. The substation intelligent robot inspection system according to claim 1 or 4, characterized in that:
the safety encryption authentication server (143) further comprises a display module, displays hardware and software information of the inspection robot collected by the terminal safety reinforcement unit (117), and dynamically draws a network topology two-dimensional plan of the intelligent robot inspection system of the transformer substation including a visible light camera (111), a thermal imager (113) and a laser sensor (114) sensing device.
7. The access operation method of the substation intelligent robot inspection system, which is realized by using the substation intelligent robot inspection system according to any one of claims 1 to 6, is characterized by comprising the following steps:
step 1: after the inspection robot (110) is powered on, firstly scanning whether the SM2 digital certificate exists or not, and if not, initiating a certificate application process;
before the inspection task is executed, the inspection robot (110) uses a digital certificate thereof to initiate an identity authentication request;
step 2: after the identity authentication in the step 1 is completed, a SM2 public key of a robot digital certificate is used for carrying out key agreement to negotiate an SM4 session key, a substation master control upper computer (133) of a substation intelligent inspection control system sends an operation instruction to a security authentication transmission proxy server (131), the transmission proxy server encrypts the instruction by using an SM4 session key, the instruction is sent to an inspection robot (110) through a wireless channel after NAT inverse mapping, the robot calls a terminal security reinforcing unit (117) to decrypt an interface after receiving the instruction, and an original operation instruction is restored and executed, wherein the NAT is network address conversion;
and step 3: the data collected by using SM4 session key encryption is sent to a security authentication transmission proxy server (131) through a wireless channel via AP, and the data is decrypted;
and 4, step 4: the inspection robot (110) calls the white box encryption interface to decrypt a local data encryption key, and stores and reads the data after encrypting and decrypting the data.
8. The access operation method of the substation intelligent robot inspection system according to claim 7, characterized in that:
in the step 1, when the intelligent inspection robot (110) of the transformer substation is put into operation, an SM2 digital certificate can be issued to each inspection robot (110) in a filling or online application mode, the digital certificate binds robot equipment information, after the robot is powered on, whether the certificate exists or not is checked, namely whether a certificate file exists or not under a corresponding certificate directory is checked, and if not, a certificate application flow is initiated.
9. The access operation method of the substation intelligent robot inspection system according to claim 7, characterized in that:
in the step 1, the intelligent inspection robot (110) of the transformer substation accesses an AP in the substation, before an inspection task is executed, a digital certificate of the intelligent inspection robot is used for initiating an identity authentication request, the request is forwarded to a terminal security encryption authentication server (143) by a security authentication transmission proxy server (131), the terminal identity authentication is completed after the verification is passed, the intelligent inspection robot can access an intelligent inspection system of the transformer substation, if the authentication fails, the intelligent inspection robot considers that the network access equipment is applied for non-legal inspection of the robot terminal, the intelligent inspection robot is refused to join the network in the substation, and log recording is performed in the security encryption authentication server (143).
10. The access operation method of the substation intelligent robot inspection system according to claim 7, characterized in that:
in the step 3, a traffic forwarding policy of the inspection robot is set in the security encryption authentication server (143), and whether encryption transmission is required to be performed on the corresponding data stream is configured according to the port number providing the service;
after receiving the collected data sent by the sensing equipment, the industrial personal computer (116) of the inspection robot encrypts data streams needing to be encrypted by using an SM4 session key, sends the data streams to the security authentication transmission proxy server (131) through a wireless channel and an AP, decrypts data flow by using the security authentication transmission proxy server (131), performs NAT (network address translation), and sends the data streams to the main control upper computer (133) and the NVR (network video recorder) video server (134) of the transformer substation.
11. The access operation method of the substation intelligent robot inspection system according to claim 7, characterized in that:
in the step 4, the terminal security reinforcing unit (117) collects the software and hardware information of the robot to form an equipment fingerprint, performs Hash operation on the equipment fingerprint by using an SM3 Hash algorithm to obtain a digest value of the equipment fingerprint of the robot, and takes the first 128 bits of the digest value as a local data encryption key.
12. The access operation method of the substation intelligent robot inspection system according to claim 7, characterized in that:
in the step 4, the local data encryption key and the private key of the robot digital certificate are protected by white box encryption;
when the local data is stored and read, the white box encryption interface is called to decrypt the local data encryption key, and the data is stored and read after being encrypted and decrypted.
CN202011003574.6A 2020-09-22 2020-09-22 Intelligent robot inspection system for transformer substation and access operation method thereof Active CN112102516B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011003574.6A CN112102516B (en) 2020-09-22 2020-09-22 Intelligent robot inspection system for transformer substation and access operation method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011003574.6A CN112102516B (en) 2020-09-22 2020-09-22 Intelligent robot inspection system for transformer substation and access operation method thereof

Publications (2)

Publication Number Publication Date
CN112102516A CN112102516A (en) 2020-12-18
CN112102516B true CN112102516B (en) 2022-08-02

Family

ID=73754920

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011003574.6A Active CN112102516B (en) 2020-09-22 2020-09-22 Intelligent robot inspection system for transformer substation and access operation method thereof

Country Status (1)

Country Link
CN (1) CN112102516B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113395254A (en) * 2021-04-22 2021-09-14 国网浙江省电力有限公司嘉兴供电公司 Power grid data communication system and method with converged internal network and external network
CN113364733B (en) * 2021-04-29 2022-04-15 国网浙江省电力有限公司嘉兴供电公司 Transformer substation field data encryption transmission method
CN113593073B (en) * 2021-07-30 2023-08-15 杭州新视窗信息技术有限公司 NFC intelligent inspection method based on background management system and inspection system
CN113891313B (en) * 2021-10-21 2024-03-19 四川华能嘉陵江水电有限责任公司 Communication access method for bulb tubular turbine and inspection monitoring equipment
CN114310889B (en) * 2021-12-28 2023-11-14 东旭蓝天智慧能源科技有限公司 Intelligent robot inspection system of transformer substation and access operation method thereof
CN114554082A (en) * 2022-01-19 2022-05-27 国网河南省电力公司郑州供电公司 Intelligent acquisition system for substation equipment meter
CN114629803A (en) * 2022-02-21 2022-06-14 厦门网为股份有限公司 Zero-trust data monitoring architecture and method based on security key
CN115242445B (en) * 2022-06-22 2024-03-26 北京航空航天大学 Robot cluster system security access system, method and computer readable medium

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101611504B1 (en) * 2009-09-25 2016-04-11 삼성전자 주식회사 Robot system and image processing method thereof
CN102097860A (en) * 2010-11-29 2011-06-15 广东峰杰科技有限公司 Intelligent robot patrol system for safety detection of substation
CN102280826B (en) * 2011-07-30 2013-11-20 山东鲁能智能技术有限公司 Intelligent robot inspection system and intelligent robot inspection method for transformer station
CN103235562B (en) * 2013-03-07 2016-01-20 河海大学常州校区 Transformer station is based on the comprehensive parameters detection system of crusing robot and method for inspecting
US9939814B1 (en) * 2017-05-01 2018-04-10 Savioke, Inc. Computer system and method for automated mapping by robots
CN107566743B (en) * 2017-10-30 2019-10-11 珠海市一微半导体有限公司 The video monitoring method of mobile robot
CN108092969A (en) * 2017-12-13 2018-05-29 国家电网公司 The system and method for Intelligent Mobile Robot acquisition image access electric power Intranet
CN110290350A (en) * 2019-06-26 2019-09-27 广东康云科技有限公司 A kind of real-time status monitoring method, system and the storage medium of crusing robot
CN110509278B (en) * 2019-09-06 2023-03-31 云南电网有限责任公司电力科学研究院 Centralized management system and method for transformer substation inspection robot
CN110995716B (en) * 2019-12-06 2022-09-02 国网浙江省电力有限公司电力科学研究院 Data transmission encryption and decryption method and system for transformer substation inspection robot
CN110996318B (en) * 2019-12-23 2021-07-23 广西电网有限责任公司电力科学研究院 Safety communication access system of intelligent inspection robot of transformer substation

Also Published As

Publication number Publication date
CN112102516A (en) 2020-12-18

Similar Documents

Publication Publication Date Title
CN112102516B (en) Intelligent robot inspection system for transformer substation and access operation method thereof
CN110996318B (en) Safety communication access system of intelligent inspection robot of transformer substation
CN112073375A (en) Isolation device and isolation method suitable for power Internet of things client side
CN106100836B (en) A kind of method and system of industrial user's authentication and encryption
US20070299781A1 (en) System and apparatus for credit data transmission
CN101420587A (en) Network video collecting device, network video monitoring system and method
JP2001292176A (en) Gateway device and method for integrating control/ information network
CN112995612B (en) Safe access method and system for power video monitoring terminal
CN108712364B (en) Security defense system and method for SDN (software defined network)
CN110336788A (en) A kind of data safety exchange method of internet of things equipment and mobile terminal
CN110493222A (en) A kind of power automation terminal remote management method and system
US20120290105A1 (en) Method for operating, monitoring and/or configuring an automation system of a technical plant
US20220182229A1 (en) Protected protocol for industrial control systems that fits large organizations
CN114363024A (en) Data encryption transmission method and device, terminal equipment and storage medium
CN108184091B (en) Video monitoring equipment deployment method and device
CN114553430A (en) SDP-based novel power service terminal safe access system
CN114143050A (en) Video data encryption system
CN115086085B (en) New energy platform terminal security access authentication method and system
CN113965425A (en) Access method, device and equipment of Internet of things equipment and computer readable storage medium
CN111245604A (en) Server data security interaction system and method
CN115604862A (en) Video streaming transmission method and system
CN114254352A (en) Data security transmission system, method and device
CN115333761B (en) Equipment communication method and device applied to ship and server
CN115835194B (en) NB-IOT terminal safety access system and access method
CN111654113A (en) Power distribution operation and maintenance method and system based on HTTPS communication technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant