Network security vulnerability detection method for non-contact type hydropower monitoring system
Technical Field
The invention belongs to the technical field of electric power industrial control security, and particularly relates to a method for detecting network security vulnerabilities of a non-contact type hydropower monitoring system.
Background
The hydropower monitoring system is a data acquisition and monitoring control system of a hydropower plant, and is an important system in an industrial control system, which is responsible for monitoring and controlling field operation equipment so as to realize various functions of data acquisition, equipment control, measurement, parameter adjustment, various signal alarms and the like. The system consists of an upper computer, network equipment, a lower computer and a local control unit controller.
The system is the core production system of a power plant. Under the requirements of the national level protection scheme its security level is defined as level three, and a third-party evaluation organization must be invited every year to carry out on-site level protection evaluation. According to the standard "Information Security Technology: Network Security Level Protection Evaluation Requirements", on-site evaluation uses vulnerability scanning and penetration testing tools to detect the vulnerabilities of the system. In practice, however, the power monitoring system has often not been upgraded or modified for many years, so old equipment, many system vulnerabilities, and frequent crashes and blue screens are common. In addition, the power grid places high demands on the production stability of the plant, the probability that external interference causes abnormal operation of plant equipment is not low, and the consequences of an evaluation-induced disturbance are serious. The on-site evaluation organization therefore usually checks the security of the monitoring system by observation, manual configuration review and similar means, which makes it difficult to find the real vulnerabilities and problems of the system and equipment, and leads to a detection process that is a mere formality, incomplete coverage of the detection content and poor detection results. Meanwhile, even where part of the equipment and systems can be connected to detection equipment for vulnerability scanning and penetration testing, the traffic impact and load pressure placed on the system can trigger equipment alarms and abnormal operation, and even equipment failure, shutdown and accidents, affecting the safety and stability of power production.
Therefore, if a non-contact detection method can be adopted that requires no physical contact and does not rely on wireless transmission (national regulations forbid connecting equipment and devices with wireless functions to the power monitoring system), the entire environment of the hydropower monitoring system, from the upper computer to the lower computer, can be extracted in isolation and restored on external equipment, so that the system can be detected truly, comprehensively, safely and effectively.
A two-dimensional code is also called a two-dimensional bar code. The most common two-dimensional code is the QR Code, a very popular encoding scheme on mobile devices in recent years. A QR Code can store information without a network connection, so if QR Codes are used in a hydropower monitoring system, the information to be transmitted can be stored in the two-dimensional code and the stored data recovered by scanning it, achieving non-contact data transmission with the monitoring system. However, the amount of information a conventional two-dimensional code can store is small: a common two-color single-layer code (such as black and white) generally stores tens of K of information, and a color (24-color) single-layer code can reach 1-2 MB. PM-Code is a 3D two-dimensional code developed on the basis of QR Code; it has a high storage capacity and can theoretically hold about 1.236 GB of information.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a network security vulnerability detection method for a non-contact type hydropower monitoring system, so that network security vulnerability detection can be carried out without physical contact with the hydropower monitoring system.
The invention is realized by the following technical scheme:
a method for detecting network security vulnerability of a non-contact hydropower monitoring system comprises the following steps:
step 1, extracting the upper computer image of the hydropower monitoring system by a non-contact method, wherein the upper computer of the hydropower monitoring system refers to the engineer station computers, operator station computers and host servers in the hydropower monitoring system;
step 2, extracting the configuration of the network equipment of the hydropower monitoring system by a non-contact method, wherein the network equipment of the hydropower monitoring system refers to the switches, routers and firewall equipment in the hydropower monitoring system;
step 3, acquiring the firmware of the local control unit of the hydropower monitoring system, wherein the local control unit of the hydropower monitoring system is the PLC (programmable logic controller) used to control the field production equipment in the hydropower monitoring system;
step 4, extracting the configuration of the lower computer of the hydropower monitoring system by a non-contact method, wherein the lower computer of the hydropower monitoring system is the local control unit in the hydropower monitoring system;
step 5, loading the upper computer image of the hydropower monitoring system extracted in step 1 into a virtualized container so as to restore the upper computer environment, wherein the upper computer environment comprises the operating system environment and the application software environment;
step 6, generating virtual network nodes in a network simulator from the network equipment configuration of the hydropower monitoring system extracted in step 2, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system;
step 7, building a firmware simulation environment from the local control unit firmware obtained in step 3, loading the firmware into the simulation environment, and simulating the operating environment of the local control unit;
step 8, using a network security vulnerability mining method, carrying out vulnerability mining in the upper computer environment, the network environment and the local control unit firmware simulation environment built in steps 5, 6 and 7, and verifying the vulnerabilities found, wherein if a vulnerability can be successfully exploited, the environment has a higher potential safety hazard; if the vulnerability cannot be successfully exploited, the environment has a lower potential safety hazard;
step 9, performing a configuration check on the lower computer configuration file extracted in step 4 using a configuration check method to find vulnerabilities in the configuration, wherein if sand table deduction verifies that a vulnerability is exploitable, the lower computer environment has a higher potential safety hazard; if sand table deduction shows that the vulnerability is not exploitable, the environment has a lower potential safety hazard;
and step 10, performing vulnerability analysis on the discovered vulnerabilities with a vulnerability analysis method that adopts the international Common Vulnerability Scoring System (CVSS) and the national level protection assessment method, so as to form the final vulnerability analysis report of the hydropower monitoring system.
Further, the non-contact method is a method in which the detected object uses PM-Code three-layer two-dimensional code technology to generate a color PM-Code three-layer two-dimensional code capable of storing large-capacity information, packages the data it needs to transmit into a compressed file, inserts the compressed file into the PM-Code three-layer two-dimensional code and displays the code on a display screen; the detector then identifies the two-dimensional code on the display screen with a scanning device equipped with a camera and extracts the compressed data from the two-dimensional code, wherein the detected object refers to the upper computer, network equipment and lower computer in the hydropower monitoring system, and the detector refers to the person who carries out the detection work.
Further, the specific steps of the process of extracting the mirror image of the upper computer of the hydropower monitoring system by using a non-contact method comprise the following steps:
A. packing the upper computer image: the upper computer packs its operating system and environment configuration files into an image file (ISO file) using the open-source Docker container technology, wherein the image file comprises all data related to the operating system and application programs of the upper computer, such as the operating system version, file system structure, partition information, account system, configuration information, application program list, hardware environment and the like;
B. image slicing: the image file is divided, using 1 GB as the unit of measure, into N subfiles D1, D2, D3 … Dn each no larger than 1 GB, wherein D1 to D(n-1) are each 1 GB in size and Dn is smaller than 1 GB;
C. two-dimensional code generation: N PM-Code three-layer two-dimensional code pictures DP1, DP2, DP3 … DPn are generated by the non-contact method;
D. image slice packaging: the image slice subfiles D1 to Dn are inserted into the data fields of the corresponding two-dimensional codes DP1 to DPn respectively to form two-dimensional code pictures containing image data, which are then displayed on the display screen of the upper computer;
E. image slice extraction: the detector reads the two-dimensional codes on the display screen of the upper computer with a scanning device equipped with a high-definition camera, by the non-contact method, so that the image slice data packaged in the two-dimensional codes is extracted;
F. image slice recombination: the image slice data is sorted by its sequence number, namely D1, D2 … Dn, and recombined into a complete image file (ISO format), so that the extraction of the upper computer environment is realized.
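The slicing of step B and the recombination of step F, as an added Python example that is not part of the patent: each slice carries a small constructed header (sequence number, slice count, payload length, SHA-256 of the slice and of the whole image) so that the detector can sort scanned slices by sequence number, tolerate a repeated scan, and reject a missing or corrupted slice before the image is loaded into a container. The header layout, the HPMS marker and the small slice size used in the demo are assumptions of this example; the PM-Code encoding of each slice is not modelled.

```python
"""Slice an upper-computer image into numbered parts and reassemble them.

Constructed example: each slice D1..Dn is prefixed with a fixed header so the
detector can sort scanned slices by sequence number, detect a missing or
duplicated scan, and verify that the recombined ISO is byte-identical to the
image the upper computer packed.
"""
import hashlib
import struct

MAGIC = b"HPMS"            # constructed marker for this example, not a PM-Code field
GB = 1 << 30               # 1 GB slice size as in step B of the method
# magic, seq, total, payload length, SHA-256 of the slice, SHA-256 of the whole image
HEADER = struct.Struct(">4sIIQ32s32s")


def slice_image(image: bytes, slice_size: int = GB) -> list[bytes]:
    """Split `image` into slices of at most `slice_size` bytes (D1..Dn).

    All slices but the last are exactly `slice_size` bytes; the last is shorter.
    """
    if slice_size <= 0:
        raise ValueError("slice_size must be positive")
    image_sha = hashlib.sha256(image).digest()
    total = max(1, -(-len(image) // slice_size))  # ceiling division; at least one slice
    slices = []
    for seq in range(1, total + 1):
        payload = image[(seq - 1) * slice_size: seq * slice_size]
        header = HEADER.pack(MAGIC, seq, total, len(payload),
                             hashlib.sha256(payload).digest(), image_sha)
        slices.append(header + payload)
    return slices


def parse_slice(blob: bytes) -> tuple[int, int, bytes, bytes]:
    """Validate one scanned slice and return (seq, total, payload, image_sha)."""
    if len(blob) < HEADER.size:
        raise ValueError("slice too short to contain a header")
    magic, seq, total, length, slice_sha, image_sha = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not an image slice (bad magic)")
    if not 1 <= seq <= total:
        raise ValueError(f"slice {seq}: sequence number outside 1..{total}")
    payload = blob[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError(f"slice {seq}: truncated payload")
    if hashlib.sha256(payload).digest() != slice_sha:
        raise ValueError(f"slice {seq}: payload hash mismatch (corrupted scan)")
    return seq, total, payload, image_sha


def reassemble(blobs) -> bytes:
    """Recombine scanned slices supplied in any order into the complete image (step F)."""
    parts: dict[int, bytes] = {}
    expected = None  # (total, image_sha) taken from the first valid slice
    for blob in blobs:
        seq, total, payload, image_sha = parse_slice(blob)
        if expected is None:
            expected = (total, image_sha)
        elif (total, image_sha) != expected:
            raise ValueError(f"slice {seq} belongs to a different image")
        if seq in parts:
            if parts[seq] != payload:
                raise ValueError(f"slice {seq}: conflicting duplicate scan")
            continue  # the same slice scanned twice is harmless
        parts[seq] = payload
    if expected is None:
        raise ValueError("no slices supplied")
    total, image_sha = expected
    missing = [i for i in range(1, total + 1) if i not in parts]
    if missing:
        raise ValueError(f"missing slices: {missing}")
    image = b"".join(parts[i] for i in range(1, total + 1))
    if hashlib.sha256(image).digest() != image_sha:
        raise ValueError("recombined image does not match the original hash")
    return image


if __name__ == "__main__":
    demo = bytes(range(256)) * 40 + b"tail"          # constructed 10244-byte "image"
    scanned = slice_image(demo, slice_size=4096)     # 3 slices: 4096, 4096, 2052 bytes
    assert reassemble(reversed(scanned)) == demo
    print(f"{len(scanned)} slices, recombined {len(reassemble(scanned))} bytes")
```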
Further, the specific steps of the process of extracting the configuration of the network equipment of the hydropower monitoring system by using a non-contact method comprise:
A. centralized aggregation of network device configuration: sending configuration files of N network devices of the hydropower monitoring system to a shared directory of an upper computer operator station by adopting a Simple Network Management Protocol (SNMP) to generate configuration text files R1, R2 and R3 … … Rn, wherein the configuration files comprise information such as device models, system versions and detailed configuration;
B. packing and compressing the configuration text file: compressing the folders in which the configuration text files R1 to Rn are positioned into a compressed packet RF;
C. two-dimensional code generation: one PM-Code three-layer two-dimensional code picture RP1 is generated by the non-contact method;
D. configuration text file packaging: the compressed packet RF of the configuration text files is inserted into the data field of the PM-Code three-layer two-dimensional code picture RP1 to form a two-dimensional code picture containing configuration file data, which is then displayed on the display screen of the upper computer;
E. extracting a configuration file: the detection person adopts a non-contact method, and uses a scanning device with a high-definition camera to read the two-dimensional code on the display screen of the upper computer, so that the network equipment configuration text file compressed packet RF packaged in the two-dimensional code is extracted, and then the RF is decompressed to obtain a folder containing the network configuration text files R1 and R2 … … Rn, thereby realizing the extraction of the network equipment configuration environment of the hydropower monitoring system.
Further, the specific steps of the process of acquiring the firmware of the local control unit of the hydropower monitoring system comprise:
A. determining the firmware vendor: the firmware provider is determined from information such as the supply contract and firmware version of the local control unit;
B. firmware acquisition: the firmware is downloaded from the firmware vendor's official website or obtained directly from the vendor.
Further, the concrete steps of extracting the configuration of the lower computer of the hydropower monitoring system by using a non-contact method comprise:
A. lower computer configuration download: the configuration of the lower computer is downloaded to the local HMI through the human-machine interface (HMI) provided by the lower computer, generating the lower computer configuration file R;
B. packing and compressing the configuration file: the configuration file R is compressed into a compressed packet RF;
C. two-dimensional code generation: one PM-Code three-layer two-dimensional code picture XP1 is generated by the non-contact method;
D. configuration file packaging: the compressed packet RF is inserted into the data field of the PM-Code three-layer two-dimensional code picture XP1 to form a two-dimensional code picture containing configuration file data, which is then displayed on the HMI display screen of the lower computer;
E. extracting a configuration file: a detector reads the two-dimensional code on the HMI display screen of the lower computer by using a scanning device with a high-definition camera by adopting a non-contact method, so that the lower computer configuration file compression packet RF packaged in the two-dimensional code is extracted, and then the lower computer configuration file R is obtained after the RF is decompressed, thereby realizing the extraction of the lower computer configuration environment of the hydropower monitoring system;
F. extracting the lower computers one by one: steps A to E are repeated for each lower computer to obtain the configuration files XR1, XR2, XR3 … XRn of all the lower computers.
Further, the specific steps of loading the upper computer image of the hydropower monitoring system extracted in step 1 into a virtualized container so as to restore the upper computer environment comprise:
A. building a container: a virtualized container is built using the open-source Docker virtualized container technology;
B. image loading: the upper computer image file is loaded in the container so as to restore the upper computer environment;
C. environment inspection: the upper computer environment restored in the container is checked to confirm whether the various kinds of configuration information are consistent with the actual upper computer environment.
Further, the concrete steps of utilizing the network equipment configuration of the hydropower monitoring system extracted in the step 2 to generate virtual network nodes in the network simulator, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system comprise:
A. building a network simulator: adopting an open-source network simulator Shadow to build a blank network environment without any network node;
B. virtual node generation: according to the extracted equipment model and system version information in the network equipment configuration file R1, a virtual network node with a corresponding model is manually established in an open-source network simulator Shadow, and meanwhile, the network equipment configuration file R1 is loaded into the virtual network node, so that the restoration of the network equipment environment is realized;
C. establishing virtual nodes one by one: steps A and B are repeated, and the other virtual network nodes are established one by one from the network equipment configuration files R2, R3 … Rn, so that the network environment of the hydropower monitoring system is restored.
Further, the vulnerability mining method, the configuration checking method and the vulnerability analysis method are respectively the network security vulnerability mining method, configuration checking method and vulnerability analysis method adopted in the international Common Vulnerability Scoring System (CVSS) and the national level protection assessment method.
The invention has the beneficial effects that:
After the invention is applied, all data related to network security vulnerability detection, such as the operating systems and configuration environments of all the devices belonging to the upper computer, network equipment, lower computer and local control unit of a hydropower monitoring system, can be extracted from the real production environment into a virtual, simulated equipment environment. This provides the third-party evaluation organization carrying out vulnerability detection with a completely independent, sufficiently realistic, safe and reliable evaluation environment in which it can operate freely. It thereby solves the problems of the existing evaluation modes, in which either detection equipment must be connected to the actual production environment, so that accidents such as abnormal operation, failure or even shutdown of the production system and devices can affect the safety of power production, or detection is performed manually in the production environment by observation, configuration verification and the like, so that the detection process is a mere formality, detection coverage is incomplete and detection results are poor.
Drawings
Fig. 1 is a schematic flow chart of a method for detecting network security vulnerability of a non-contact hydropower monitoring system according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Examples
The embodiment of the invention discloses a method for detecting network security vulnerabilities of a non-contact type hydropower monitoring system, which comprises the following steps; the flow diagram is shown in Fig. 1.
A method for detecting network security vulnerability of a non-contact hydropower monitoring system comprises the following steps:
S1, extracting the upper computer image of the hydropower monitoring system by a non-contact method, wherein the upper computer of the hydropower monitoring system refers to the engineer station computers, operator station computers and host servers in the hydropower monitoring system;
S2, extracting the network equipment configuration of the hydropower monitoring system by a non-contact method, wherein the network equipment of the hydropower monitoring system refers to the switches, routers and firewall equipment in the hydropower monitoring system;
S3, acquiring the firmware of the local control unit of the hydropower monitoring system, wherein the local control unit of the hydropower monitoring system is the PLC (programmable logic controller) used to control the field production equipment (such as water turbines, generators, water pumps and the like) in the hydropower monitoring system;
S4, extracting the configuration of the lower computer of the hydropower monitoring system by a non-contact method, wherein the lower computer of the hydropower monitoring system is the local control unit in the hydropower monitoring system;
S5, loading the upper computer image of the hydropower monitoring system extracted in S1 into a virtualized container so as to restore the upper computer environment, wherein the upper computer environment comprises the operating system environment and the application software environment;
S6, generating virtual network nodes in the network simulator from the network equipment configuration of the hydropower monitoring system extracted in S2, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system;
S7, building a firmware simulation environment from the local control unit firmware acquired in S3, loading the firmware into the simulation environment, and simulating the operating environment of the local control unit;
S8, using a network security vulnerability mining method, carrying out vulnerability mining in the upper computer environment, the network environment and the local control unit firmware simulation environment set up in S5, S6 and S7, and verifying the vulnerabilities found, wherein if a vulnerability can be successfully exploited, the environment has a higher potential safety hazard; if the vulnerability cannot be successfully exploited, the environment has a lower potential safety hazard;
S9, performing a configuration check on the lower computer configuration file extracted in S4 using a configuration check method to find vulnerabilities in the configuration, wherein if sand table deduction verifies that a vulnerability is exploitable, the lower computer environment has a higher potential safety hazard; if sand table deduction shows that the vulnerability is not exploitable, the environment has a lower potential safety hazard;
and S10, performing vulnerability analysis on the discovered vulnerabilities using the international Common Vulnerability Scoring System (CVSS) and the national level protection assessment method, so as to form the final vulnerability analysis report of the hydropower monitoring system.
Furthermore, the non-contact method is a method in which the detected object uses PM-Code three-layer two-dimensional code technology to generate a color PM-Code three-layer two-dimensional code capable of storing large-capacity information, packages the data it needs to transmit into a compressed file, inserts the compressed file into the three-layer two-dimensional code and displays the code on a display screen; the detector then identifies the two-dimensional code on the display screen with a scanning device equipped with a camera and extracts the compressed data from the two-dimensional code, wherein the detected object refers to the upper computer, network equipment and lower computer in the hydropower monitoring system, and the detector refers to the person who performs the detection work.
Further, the specific steps of the process of extracting the mirror image of the upper computer of the hydropower monitoring system by using a non-contact method comprise:
A. packing the upper computer image: the upper computer packs its operating system and environment configuration files into an image file (ISO file) using the open-source Docker container technology, wherein the image file comprises all data related to the operating system and application programs of the upper computer, such as the operating system version, file system structure, partition information, account system, configuration information, application program list, hardware environment and the like;
B. image slicing: the image file is divided, using 1 GB as the unit of measure, into N subfiles D1, D2, D3 … Dn each no larger than 1 GB, wherein D1 to D(n-1) are each 1 GB in size and Dn is smaller than 1 GB;
C. two-dimensional code generation: N PM-Code three-layer two-dimensional code pictures DP1, DP2, DP3 … DPn are generated by the non-contact method;
D. image slice packaging: the image slice subfiles D1 to Dn are inserted into the data fields of the corresponding two-dimensional code pictures DP1 to DPn respectively to form two-dimensional code pictures containing image data, which are then displayed on the display screen of the upper computer;
E. image slice extraction: the detector reads the two-dimensional codes on the display screen of the upper computer with a scanning device equipped with a high-definition camera, by the non-contact method, so that the image slice data D1, D2 … Dn packaged in the two-dimensional codes is extracted;
F. image slice recombination: the image slice data is sorted by its sequence number, namely D1, D2 … Dn, and recombined into a complete image file (ISO format), thereby realizing the extraction of the upper computer environment.
Further, the specific steps of the process of extracting the configuration of the network equipment of the hydropower monitoring system by using a non-contact method comprise:
A. centralized summarization of network device configuration: sending configuration files of N network devices of the hydropower monitoring system to a shared directory of an upper computer operator station by adopting a Simple Network Management Protocol (SNMP) to generate configuration text files R1, R2 and R3 … … Rn, wherein the configuration files comprise information such as device models, system versions and detailed configuration;
B. packing and compressing the configuration text file: compressing the folders in which the configuration text files R1 to Rn are positioned into a compressed packet RF;
C. generating a two-dimensional code: generating 1 PM-Code three-layer two-dimensional Code picture RP1 by adopting a non-contact method;
D. configuration text file packaging: the compressed packet RF of the configuration text files is inserted into the data field of the PM-Code three-layer two-dimensional code picture RP1 to form a two-dimensional code picture containing configuration file data, which is then displayed on the display screen of the upper computer;
E. extracting a configuration text file: the detection person adopts a non-contact method, and uses a scanning device with a high-definition camera to read the two-dimensional code on the display screen of the upper computer, so that the network equipment configuration file compressed packet RF packaged in the two-dimensional code is extracted, and then the RF is decompressed to obtain a folder containing the network configuration text files R1 and R2 … … Rn, thereby realizing the extraction of the network equipment configuration environment of the hydropower monitoring system.
Further, the specific steps of the process of acquiring the firmware of the local control unit of the hydropower monitoring system comprise:
A. determining a firmware vendor: determining a firmware provider according to information such as a supply contract, a firmware version and the like of the local control unit;
B. firmware acquisition: the firmware is downloaded from a firmware vendor official network or provided by directly contacting the vendor.
Further, the concrete steps of extracting the configuration of the lower computer of the hydropower monitoring system by a non-contact method comprise:
A. lower computer configuration download: the configuration of the lower computer is downloaded to the local HMI through the human-machine interface (HMI) provided by the lower computer, generating the lower computer configuration file R;
B. packing and compressing the configuration file: the configuration file R is compressed into a compressed packet RF;
C. two-dimensional code generation: one PM-Code three-layer two-dimensional code picture XP1 is generated by the non-contact method;
D. configuration file packaging: the compressed packet RF is inserted into the data field of the PM-Code three-layer two-dimensional code picture XP1 to form a two-dimensional code picture containing configuration file data, which is then displayed on the HMI display screen of the lower computer;
E. extracting a configuration file: a detector reads the two-dimensional code on the HMI display screen of the lower computer by using a scanning device with a high-definition camera by adopting a non-contact method, so that the lower computer configuration file compression packet RF packaged in the two-dimensional code is extracted, and then the lower computer configuration file R is obtained after the RF is decompressed, thereby realizing the extraction of the lower computer configuration environment of the hydropower monitoring system;
F. extracting the lower computers one by one: steps A to E are repeated for each lower computer to obtain the configuration files XR1, XR2, XR3 … XRn of all the lower computers.
Further, the specific steps of loading the upper computer image of the hydropower monitoring system extracted in S1 into a virtualized container so as to restore the upper computer environment comprise:
A. building a container: a virtualized container is built using the open-source Docker virtualized container technology;
B. image loading: the upper computer image file is loaded in the container so as to restore the upper computer environment;
C. environment inspection: the upper computer environment restored in the container is checked to confirm whether the various kinds of configuration information are consistent with the actual upper computer environment.
Further, the concrete steps of utilizing the network equipment configuration of the hydropower monitoring system extracted in S2 to generate virtual network nodes in the network simulator, and loading the corresponding network equipment configuration on each virtual network node, thereby restoring the network environment of the hydropower monitoring system include:
A. building a network simulator: adopting an open source network simulator Shadow to build a blank network environment without any network node;
B. virtual node generation: according to the extracted equipment model and system version information in the network equipment configuration file R1, a virtual network node with a corresponding model is manually created in Shadow, and meanwhile, the network equipment configuration file R1 is loaded into the virtual network node, so that the restoration of the network equipment environment is realized;
C. establishing virtual nodes one by one: steps A and B are repeated, and the other virtual network nodes are established one by one from the network equipment configuration files R2, R3 … Rn, so that the network environment of the hydropower monitoring system is restored.
Further, the vulnerability mining method, the configuration checking method and the vulnerability analysis method are respectively the network security vulnerability mining method, configuration checking method and vulnerability analysis method adopted in the international Common Vulnerability Scoring System (CVSS) and the national level protection assessment method.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.