CN112822212B - Network security vulnerability detection method for non-contact hydropower monitoring system - Google Patents

Info

Publication number: CN112822212B
Authority: CN (China)
Prior art keywords: configuration, monitoring system, environment, network, dimensional code
Legal status: Active
Application number: CN202110165453.XA
Other languages: Chinese (zh)
Other versions: CN112822212A (en)
Inventors: 毕玉冰, 王文庆, 介银娟, 董夏昕, 朱博迪, 刘超飞, 崔逸群, 邓楠轶, 高原英
Current assignee: Xian Thermal Power Research Institute Co Ltd
Original assignee: Xian Thermal Power Research Institute Co Ltd
Events: application filed by Xian Thermal Power Research Institute Co Ltd; priority to CN202110165453.XA; publication of CN112822212A; application granted; publication of CN112822212B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/06009 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
    • G06K19/06037 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking multi-dimensional coding
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/06009 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code with optically detectable marking
    • G06K19/06046 Constructional details
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances

Abstract

The invention discloses a method for detecting network security vulnerabilities of a hydropower monitoring system in a non-contact manner, comprising the following steps: extracting an upper computer image, the network equipment configuration and the lower computer configuration by a non-contact method; acquiring the firmware of the local control unit; restoring the upper computer environment from the upper computer image; restoring the network environment from the network equipment configuration; building a local control unit firmware simulation environment and running the firmware in simulation; carrying out vulnerability mining on the three restored environments to obtain vulnerabilities; checking the lower computer configuration to discover vulnerabilities; and analyzing the vulnerabilities of the hydropower monitoring system according to all the discovered vulnerabilities. The invention achieves detection of the network security vulnerabilities of the hydropower monitoring system by a non-contact technique, solves the problems of existing detection methods (detection that is a mere formality, poor authenticity, poor timeliness, impact on production safety and the like), and thereby improves the quality and efficiency of network security detection work.

Description

Network security vulnerability detection method for non-contact type hydropower monitoring system
Technical Field
The invention belongs to the technical field of electric power industrial control security, and particularly relates to a method for detecting network security vulnerabilities of a hydropower monitoring system in a non-contact manner.
Background
The hydropower monitoring system is a data acquisition and monitoring control system of a hydropower plant, and is an important system in an industrial control system, which is responsible for monitoring and controlling field operation equipment so as to realize various functions of data acquisition, equipment control, measurement, parameter adjustment, various signal alarms and the like. The system consists of an upper computer, network equipment, a lower computer and a local control unit controller.
The system is the most critical production system of a power plant. Its security level is defined as the third level under the requirements of the national classified protection (level protection) scheme, and a third-party evaluation organization must be invited every year to carry out on-site classified protection evaluation. According to the standard on evaluation requirements for classified protection of cybersecurity (information security technology), on-site evaluation should use various vulnerability scanning and penetration testing tools to detect the vulnerabilities of the system. In practice, however, the power monitoring system has not been upgraded or modified for many years, so old equipment, many system vulnerabilities and a tendency to crash or blue-screen are common; in addition, the power grid places high demands on the production stability of the power plant, the probability that external interference causes abnormal action of plant equipment is not low, and the consequences of an evaluation-induced incident are serious. The on-site evaluation organization therefore often checks the security of the monitoring system by observation, manual configuration review and similar means, which makes the real vulnerabilities and problems of the system and equipment hard to find and leads to detection work that is a mere formality, incomplete coverage of the detection content, poor detection effect and the like. At the same time, even where some equipment and systems can be connected to detection equipment for vulnerability scanning and penetration testing, the traffic impact and load pressure on the system can cause equipment alarms and abnormal action, and even equipment or system shutdown and accidents, affecting the safety and stability of power production.
Therefore, if a non-contact detection method that requires no physical contact and does not rely on wireless transmission (according to national regulations, equipment and devices with wireless functions are forbidden from accessing the power monitoring system) can be adopted, the whole environment of the hydropower monitoring system, from the upper computer to the lower computer, can be extracted in isolation and restored on external equipment, so that the system can be detected truthfully, comprehensively, safely and effectively.
A two-dimensional code is also called a two-dimensional bar code. The most common two-dimensional code is the QR Code, which has become an extremely popular encoding format on mobile devices in recent years. A QR Code stores information without any network connection, so if it is used in a hydropower monitoring system, the information to be transmitted can be stored in the two-dimensional code and then read out by scanning it, achieving non-contact data transfer with the monitoring system. However, the amount of information a conventional two-dimensional code holds is small: a common two-colour single layer (such as black and white) generally stores tens of KB, and a 24-colour single layer reaches 1-2 MB. PM-Code is a 3D two-dimensional code developed on the basis of QR Code; it is characterised by high storage capacity and can theoretically hold about 1.236 GB of information.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a method for detecting network security vulnerabilities of a hydropower monitoring system in a non-contact manner, so that network security vulnerability detection can be carried out without physical contact with the hydropower monitoring system.
The invention is realized by the following technical scheme:
a method for detecting network security vulnerabilities of a hydropower monitoring system in a non-contact manner comprises the following steps:
step 1, extracting an upper computer image of the hydropower monitoring system by a non-contact method, wherein the upper computer of the hydropower monitoring system refers to the engineer station computers, operator station computers and host servers in the hydropower monitoring system;
step 2, extracting the configuration of the network equipment of the hydropower monitoring system by a non-contact method, wherein the network equipment of the hydropower monitoring system refers to the switches, routers and firewall equipment in the hydropower monitoring system;
step 3, acquiring the firmware of the local control unit of the hydropower monitoring system, wherein the local control unit of the hydropower monitoring system is the PLC (programmable logic controller) used for controlling field production equipment in the hydropower monitoring system;
step 4, extracting the configuration of the lower computer of the hydropower monitoring system by a non-contact method, wherein the lower computer of the hydropower monitoring system is the local control unit in the hydropower monitoring system;
step 5, loading the upper computer image extracted in step 1 into a virtualized container so as to restore the upper computer environment, wherein the upper computer environment comprises the operating system environment and the application software environment;
step 6, generating virtual network nodes in a network simulator from the network equipment configuration extracted in step 2, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system;
step 7, building a firmware simulation environment with the local control unit firmware obtained in step 3, loading the firmware into the simulation environment, and simulating the operating environment of the local control unit;
step 8, adopting a network security vulnerability mining method, carrying out vulnerability mining in the upper computer environment, the network environment and the local control unit firmware simulation environment built in steps 5, 6 and 7, and verifying the vulnerabilities found, wherein if a vulnerability can be successfully exploited, the environment has a higher potential security hazard; if the vulnerability cannot be successfully exploited, the environment has a lower potential security hazard;
step 9, performing a configuration check on the lower computer configuration file extracted in step 4 using a configuration check method to find vulnerabilities existing in the configuration, wherein if a vulnerability can be verified as exploitable by sandbox (sand-table) deduction, the lower computer environment has a higher potential security hazard; if the vulnerability is shown to be unexploitable by sandbox deduction, the environment has a lower potential security hazard;
and step 10, performing vulnerability analysis on the discovered vulnerabilities using a vulnerability analysis method based on the international Common Vulnerability Scoring System (CVSS) and the national classified protection evaluation method, so as to form the final vulnerability analysis report of the hydropower monitoring system.
Further, the non-contact method is a method in which the detected object uses PM-Code three-layer two-dimensional code technology to generate a colour PM-Code three-layer two-dimensional code capable of storing a large amount of information, packages the data it needs to transmit into a compressed file, inserts that file into the PM-Code three-layer two-dimensional code and displays the code on a display screen; the detector then reads the two-dimensional code on the display screen with a scanning device equipped with a camera and extracts the compressed data from it. The detected object refers to the upper computer, the network equipment and the lower computer of the hydropower monitoring system; the detector refers to the person who carries out the detection work.
Further, the specific steps of extracting the upper computer image of the hydropower monitoring system by a non-contact method are as follows:
A. packing the upper computer image: the upper computer packs its operating system and environment configuration files into an image file (ISO file) using open-source Docker container technology, wherein the image file contains all data related to the operating system and applications of the upper computer, such as the operating system version, file system structure, partition information, account system, configuration information, application list, hardware environment and the like;
B. image slicing: the image file is divided, using 1 GB as the unit of measure, into N sub-files D1, D2, D3 … Dn each no larger than 1 GB, wherein D1 to Dn-1 are all exactly 1 GB in size and Dn is less than 1 GB;
C. generating the two-dimensional codes: N PM-Code three-layer two-dimensional code pictures DP1, DP2, DP3 … DPn are generated by the non-contact method;
D. packaging the image slices: the sub-files D1 to Dn of the image slices are inserted into the data fields of the corresponding two-dimensional codes DP1 to DPn respectively, forming two-dimensional code pictures that contain the image data, which are then displayed on the display screen of the upper computer;
E. extracting the image slices: the detector, using the non-contact method, reads the two-dimensional codes on the display screen of the upper computer with a scanning device equipped with a high-definition camera, thereby extracting the image slice data packaged in the two-dimensional codes;
F. recombining the image slices: the image slice data are sorted by their sequence numbers, namely D1, D2 … Dn, and recombined into the complete image file (ISO format), thereby completing the extraction of the upper computer environment.
Further, the specific steps of the process of extracting the configuration of the network equipment of the hydropower monitoring system by using a non-contact method comprise:
A. centralized aggregation of network device configuration: sending configuration files of N network devices of the hydropower monitoring system to a shared directory of an upper computer operator station by adopting a Simple Network Management Protocol (SNMP) to generate configuration text files R1, R2 and R3 … … Rn, wherein the configuration files comprise information such as device models, system versions and detailed configuration;
B. packing and compressing the configuration text file: compressing the folders in which the configuration text files R1 to Rn are positioned into a compressed packet RF;
C. and (3) generating a two-dimensional code: generating 1 PM-Code three-layer two-dimensional Code picture RP1 by adopting a non-contact method;
D. and (3) packaging a configuration text file: inserting the configuration text file into a data field of a PM-Code three-layer two-dimensional Code picture RP1 to form a two-dimensional Code picture containing configuration file data, and then displaying the two-dimensional Code picture on a display screen of an upper computer;
E. extracting a configuration file: the detection person adopts a non-contact method, and uses a scanning device with a high-definition camera to read the two-dimensional code on the display screen of the upper computer, so that the network equipment configuration text file compressed packet RF packaged in the two-dimensional code is extracted, and then the RF is decompressed to obtain a folder containing the network configuration text files R1 and R2 … … Rn, thereby realizing the extraction of the network equipment configuration environment of the hydropower monitoring system.
Further, the concrete steps of the process of acquiring the firmware of the site control unit of the hydropower monitoring system comprise:
A. determining a firmware vendor: determining a firmware provider according to information such as a supply contract, a firmware version and the like of the local control unit;
B. firmware acquisition: the firmware is downloaded from the firmware vendor's official website or obtained directly by contacting the vendor.
Further, the concrete steps of extracting the configuration of the lower computer of the hydropower monitoring system by using a non-contact method comprise:
A. downloading the lower computer configuration: the configuration of the lower computer is downloaded locally to the HMI through the human-machine interface (HMI) provided by the lower computer, generating the lower computer configuration file R;
B. packing and compressing the configuration file: compressing the configuration file R into a compressed packet RF;
C. and (3) generating a two-dimensional code: generating 1 PM-Code three-layer two-dimensional Code picture XP1 by adopting a non-contact method;
D. packaging the configuration file: inserting the configuration file into a data field of a PM-Code three-layer two-dimensional Code picture XP1 to form a two-dimensional Code picture containing configuration file data, and then displaying the two-dimensional Code picture on a lower computer HMI display screen;
E. extracting a configuration file: a detector reads the two-dimensional code on the HMI display screen of the lower computer by using a scanning device with a high-definition camera by adopting a non-contact method, so that the lower computer configuration file compression packet RF packaged in the two-dimensional code is extracted, and then the lower computer configuration file R is obtained after the RF is decompressed, thereby realizing the extraction of the lower computer configuration environment of the hydropower monitoring system;
F. extracting one by one according to the lower computer: and repeating the A, B, C, D, E steps for each lower computer to obtain configuration files XR1, XR2 and XR3 … … XRn of all the lower computers.
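The configuration files XR1 … XRn extracted here are the input to the configuration check of step 9. The following Python script is an added example, not code from the patent: it runs a small set of generic hardening rules over a constructed, hypothetical configuration export (the `hostname` / `snmp community` / `telnet enable` line syntax, the rule set and the sample text are all invented for the example; a real check uses the vendor's export format and a rule set agreed with the evaluation standard) and reports each finding with its line number and severity, so that the check is repeatable rather than a manual read-through.

```python
"""Rule-based configuration check for an extracted lower-computer (PLC) or
network-device configuration text, as used in step 9 of the method.

Added illustration, not code from the patent.  The configuration syntax, the
rule set and the sample text below are all constructed for this example; real
device exports use vendor-specific syntax and need a vendor-specific rule set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str      # "high" | "medium" | "low"
    line_no: int
    line: str
    message: str


# Each rule: (id, severity, compiled regex, message).  Generic hardening checks
# only; the patterns target the constructed line format used in SAMPLE_CONFIG.
RULES = [
    ("CFG-001", "high", re.compile(r"^snmp\s+community\s+(public|private)\b", re.I),
     "default SNMP community string"),
    ("CFG-002", "high", re.compile(r"^telnet\s+enable\b", re.I),
     "cleartext management protocol enabled"),
    ("CFG-003", "high", re.compile(r"^user\s+\S+\s+password(\s+(admin|password|123456))?$", re.I),
     "default or empty password"),
    ("CFG-004", "medium", re.compile(r"^plc\s+write-protect\s+off\b", re.I),
     "controller accepts unauthenticated program writes"),
    ("CFG-005", "medium", re.compile(r"^acl\s+none\b", re.I),
     "no access control list on the management interface"),
    ("CFG-006", "low", re.compile(r"^ntp\s+server\s+none\b", re.I),
     "no time source configured; log timestamps will not correlate"),
]


def check_config(text: str) -> list[Finding]:
    """Run every rule over every non-comment line; return findings in file order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for rule_id, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, severity, n, line, message))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, or "none" when the file is clean."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed sample export (hypothetical syntax) standing in for one file XRk.
SAMPLE_CONFIG = """\
# lower computer LCU-03 (constructed sample)
hostname lcu-03
snmp community public ro
snmp community Xk9#pLm2 rw
telnet enable
ssh enable
user engineer password admin
user operator password Qv7!rT2m
plc write-protect off
acl none
ntp server none
"""

if __name__ == "__main__":
    results = check_config(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.rule_id} [{f.severity}] line {f.line_no}: {f.message} -> {f.line}")
    print("worst severity:", worst_severity(results))
```

Running the script against the sample reports six findings (three high, two medium, one low); a clean export returns an empty list and `worst_severity` reports `none`. The finding's line text is kept so the report can cite the exact configuration statement, which is what the sandbox verification of step 9 then has to confirm or rule out.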
Further, the specific steps of loading the upper computer image of the hydropower monitoring system extracted in step 1 into a virtualized container so as to restore the upper computer environment comprise:
A. building the container: a virtualized container is built using open-source Docker virtualized container technology;
B. loading the image: the upper computer image file is loaded in the container, thereby restoring the upper computer environment;
C. environment inspection: the upper computer environment restored in the container is checked to confirm whether the various items of configuration information are consistent with the actual upper computer environment.
Further, the concrete steps of utilizing the network equipment configuration of the hydropower monitoring system extracted in the step 2 to generate virtual network nodes in the network simulator, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system comprise:
A. building a network simulator: adopting an open-source network simulator Shadow to build a blank network environment without any network node;
B. virtual node generation: according to the extracted equipment model and system version information in the network equipment configuration file R1, a virtual network node with a corresponding model is manually established in an open-source network simulator Shadow, and meanwhile, the network equipment configuration file R1 is loaded into the virtual network node, so that the restoration of the network equipment environment is realized;
C. establishing virtual nodes one by one: steps A and B are repeated, establishing the other virtual network nodes one by one from the network equipment configuration files R2, R3 … Rn, thereby restoring the network environment of the hydropower monitoring system.
Further, the vulnerability mining method, the configuration check method and the vulnerability analysis method are respectively the network security vulnerability mining method, configuration check method and vulnerability analysis method adopted in the international Common Vulnerability Scoring System (CVSS) and the national classified protection evaluation method.
The invention has the beneficial effects that:
after the invention is applied, all data related to network security vulnerability detection, such as the operating systems and configuration environments of all devices in the upper computer, network equipment, lower computer and local control unit of the hydropower monitoring system, can be extracted from the real production environment into a virtual, simulated equipment environment. This provides the third-party evaluation organization carrying out vulnerability detection with a completely independent, sufficiently realistic, safe and reliable evaluation environment in which tests can actually be run, and resolves the problems of the existing evaluation modes: the accidents such as abnormal operation, failure or even shutdown of production systems and equipment that can result from connecting detection equipment into the actual production environment and that affect the safety of power production, and the mere formality, incomplete detection coverage and poor detection effect that result from manual detection such as observation and configuration review in the production environment.
Drawings
Fig. 1 is a schematic flow chart of a method for detecting network security vulnerability of a non-contact hydropower monitoring system according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Examples
The embodiment of the invention discloses a method for detecting network security vulnerabilities of a hydropower monitoring system in a non-contact manner, comprising the following steps; the flow chart is shown in Fig. 1.
A method for detecting network security vulnerabilities of a hydropower monitoring system in a non-contact manner comprises the following steps:
S1, extracting an upper computer image of the hydropower monitoring system by a non-contact method, wherein the upper computer of the hydropower monitoring system refers to the engineer station computers, operator station computers and host servers in the hydropower monitoring system;
S2, extracting the network equipment configuration of the hydropower monitoring system by a non-contact method, wherein the network equipment of the hydropower monitoring system refers to the switches, routers and firewall equipment in the hydropower monitoring system;
S3, acquiring the firmware of the local control unit of the hydropower monitoring system, wherein the local control unit of the hydropower monitoring system is the PLC (programmable logic controller) used for controlling field production equipment (such as water turbines, generators, water pumps and the like) in the hydropower monitoring system;
S4, extracting the configuration of the lower computer of the hydropower monitoring system by a non-contact method, wherein the lower computer of the hydropower monitoring system is the local control unit in the hydropower monitoring system;
S5, loading the upper computer image of the hydropower monitoring system extracted in S1 into a virtualized container so as to restore the upper computer environment, wherein the upper computer environment comprises the operating system environment and the application software environment;
S6, generating virtual network nodes in the network simulator from the network equipment configuration of the hydropower monitoring system extracted in S2, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system;
S7, building a firmware simulation environment with the local control unit firmware acquired in S3, loading the firmware into the simulation environment, and simulating the operating environment of the local control unit;
S8, adopting a network security vulnerability mining method, carrying out vulnerability mining in the upper computer environment, the network environment and the local control unit firmware simulation environment set up in S5, S6 and S7, and verifying the vulnerabilities found, wherein if a vulnerability can be successfully exploited, the environment has a higher potential security hazard; if the vulnerability cannot be successfully exploited, the environment has a lower potential security hazard;
S9, performing a configuration check on the lower computer configuration file extracted in S4 using a configuration check method to find vulnerabilities existing in the configuration, wherein if a vulnerability can be verified as exploitable by sandbox (sand-table) deduction, the lower computer environment has a higher potential security hazard; if the vulnerability is shown to be unexploitable by sandbox deduction, the environment has a lower potential security hazard;
and S10, performing vulnerability analysis on the discovered vulnerabilities based on the international Common Vulnerability Scoring System (CVSS) and the national classified protection evaluation method, so as to form the final vulnerability analysis report of the hydropower monitoring system.
Furthermore, the non-contact method is a method in which the detected object uses PM-Code three-layer two-dimensional code technology to generate a colour PM-Code three-layer two-dimensional code capable of storing a large amount of information, packages the data it needs to transmit into a compressed file, inserts that file into the three-layer two-dimensional code and displays the code on a display screen; the detector then reads the two-dimensional code on the display screen with a scanning device equipped with a camera and extracts the compressed data from it. The detected object refers to the upper computer, the network equipment and the lower computer of the hydropower monitoring system; the detector refers to the person who performs the detection work.
Further, the specific steps of extracting the upper computer image of the hydropower monitoring system by a non-contact method comprise:
A. packing the upper computer image: the upper computer packs its operating system and environment configuration files into an image file (ISO file) using open-source Docker container technology, wherein the image file contains all data related to the operating system and applications of the upper computer, such as the operating system version, file system structure, partition information, account system, configuration information, application list, hardware environment and the like;
B. image slicing: the image file is divided, using 1 GB as the unit of measure, into N sub-files D1, D2, D3 … Dn each no larger than 1 GB, wherein D1 to Dn-1 are all exactly 1 GB in size and Dn is less than 1 GB;
C. generating the two-dimensional codes: N PM-Code three-layer two-dimensional code pictures DP1, DP2, DP3 … DPn are generated by the non-contact method;
D. packaging the image slices: the sub-files D1 to Dn of the image slices are inserted into the data fields of the corresponding two-dimensional code pictures DP1 to DPn respectively, forming two-dimensional code pictures that contain the image data, which are then displayed on the display screen of the upper computer;
E. extracting the image slices: the detector, using the non-contact method, reads the two-dimensional codes on the display screen of the upper computer with a scanning device equipped with a high-definition camera, thereby extracting the image slice data D1, D2 … Dn packaged in the two-dimensional codes;
F. recombining the image slices: the image slice data are sorted by their sequence numbers, namely D1, D2 … Dn, and recombined into the complete image file (ISO format), thereby completing the extraction of the upper computer environment.
Further, the specific steps of extracting the network equipment configuration of the hydropower monitoring system by the non-contact method are as follows:
A. Centralized collection of network device configuration: the configuration files of the N network devices of the hydropower monitoring system are sent, using the Simple Network Management Protocol (SNMP), to a shared directory on the upper computer operator station, generating configuration text files R1, R2, R3 … Rn; the configuration files contain information such as the device model, system version and detailed configuration;
B. Packing and compression of the configuration text files: the folder containing the configuration text files R1 to Rn is compressed into a compressed package RF;
C. Two-dimensional code generation: one PM-Code three-layer two-dimensional code picture RP1 is generated by the non-contact method;
D. Configuration text file packaging: the compressed configuration text file package RF is inserted into the data field of the PM-Code three-layer two-dimensional code picture RP1, forming a two-dimensional code picture that contains the configuration file data, which is then displayed on the display screen of the upper computer;
E. Configuration text file extraction: the detector reads the two-dimensional code on the display screen of the upper computer with a scanning device equipped with a high-definition camera, using the non-contact method, and thus extracts the network equipment configuration file package RF packaged in the two-dimensional code; RF is then decompressed to obtain the folder containing the network configuration text files R1, R2 … Rn, thereby extracting the network equipment configuration environment of the hydropower monitoring system.
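The slicing, per-picture packaging, ordered recombination of the upper computer image and the single-package case used for the network device configuration, as an added example that is not part of the patent. The payload header (HDR) is a hypothetical stand-in for the data field of one PM-Code picture, since the page does not specify that container format; the example also adds the slice and whole-file digest checks a practitioner would want when slices are read by camera and may arrive misread, duplicated or out of order.

```python
"""Added example (not from the patent): slice an upper computer image into
sub-files D1..Dn, wrap each in a sequence-numbered payload standing in for
the data field of one PM-Code picture DP1..DPn, then parse, order and
recombine the scanned payloads with an integrity check. HDR is hypothetical."""
import hashlib
import io
import struct
import zipfile

MAGIC = b"HPSL"                       # hypothetical payload marker
# magic | seq (1-based) | total slices | sha256(slice) | sha256(whole file)
HDR = struct.Struct(">4sII32s32s")
UNIT = 1 << 30                        # 1 GB, the measurement unit in the text


def slice_file(data: bytes, unit: int = UNIT) -> list[bytes]:
    """D1..D(n-1) are exactly `unit` bytes and Dn carries the remainder.
    If len(data) is an exact multiple of unit, Dn is a full unit rather than
    the '< unit' tail the text describes; recombine() does not depend on it."""
    if unit <= 0:
        raise ValueError("unit must be positive")
    return [data[i:i + unit] for i in range(0, len(data), unit)] or [b""]


def pack_payloads(data: bytes, unit: int = UNIT) -> list[bytes]:
    """Build DP1..DPn: one payload per slice, each carrying its own digest and
    the digest of the complete file so the reader can verify both."""
    slices = slice_file(data, unit)
    file_digest = hashlib.sha256(data).digest()
    return [HDR.pack(MAGIC, seq, len(slices),
                     hashlib.sha256(chunk).digest(), file_digest) + chunk
            for seq, chunk in enumerate(slices, start=1)]


def parse_payload(payload: bytes) -> tuple[int, int, bytes, bytes]:
    """Return (seq, total, file_digest, chunk); reject a payload whose header
    or slice digest is wrong, e.g. a misread from the camera."""
    if len(payload) < HDR.size:
        raise ValueError("payload shorter than header")
    magic, seq, total, slice_digest, file_digest = HDR.unpack_from(payload)
    chunk = payload[HDR.size:]
    if magic != MAGIC:
        raise ValueError("not a slice payload")
    if not 1 <= seq <= total:
        raise ValueError(f"slice {seq} outside 1..{total}")
    if hashlib.sha256(chunk).digest() != slice_digest:
        raise ValueError(f"slice {seq} failed its digest check")
    return seq, total, file_digest, chunk


def recombine(payloads: list[bytes]) -> bytes:
    """Order scanned payloads by sequence number and rebuild the file. Scans
    may arrive out of order or twice; a missing, conflicting or foreign slice
    is an error rather than something silently skipped."""
    parsed = [parse_payload(p) for p in payloads]
    if not parsed:
        raise ValueError("no payloads")
    totals = {t for _, t, _, _ in parsed}
    digests = {d for _, _, d, _ in parsed}
    if len(totals) != 1 or len(digests) != 1:
        raise ValueError("payloads belong to different files")
    total, file_digest = totals.pop(), digests.pop()
    by_seq: dict[int, bytes] = {}
    for seq, _, _, chunk in parsed:
        if by_seq.setdefault(seq, chunk) != chunk:
            raise ValueError(f"conflicting copies of slice {seq}")
    missing = sorted(set(range(1, total + 1)) - set(by_seq))
    if missing:
        raise ValueError(f"missing slices {missing}")
    data = b"".join(by_seq[s] for s in range(1, total + 1))
    if hashlib.sha256(data).digest() != file_digest:
        raise ValueError("recombined file does not match its digest")
    return data


def pack_config_archive(files: dict[str, bytes]) -> bytes:
    """RF for the network-device case: zip the configuration text files
    R1..Rn. The single picture RP1 is then pack_payloads(rf, len(rf))."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            zf.writestr(name, files[name])
    return buf.getvalue()


def unpack_config_archive(rf: bytes) -> dict[str, bytes]:
    """Decompress RF back into the folder of R1..Rn."""
    with zipfile.ZipFile(io.BytesIO(rf)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


if __name__ == "__main__":
    # constructed sample: a 2560-byte "image" with a 1024-byte unit, so
    # D1 and D2 are full units and D3 is the 512-byte tail
    image = bytes(range(256)) * 10
    dps = pack_payloads(image, unit=1024)
    assert len(dps) == 3 and recombine(list(reversed(dps))) == image
    rf = pack_config_archive({"R1.txt": b"hostname sw1\n",
                              "R2.txt": b"hostname rt1\n"})
    (rp1,) = pack_payloads(rf, unit=len(rf))
    assert unpack_config_archive(recombine([rp1]))["R2.txt"] == b"hostname rt1\n"
```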
Further, the specific steps of acquiring the firmware of the local control unit of the hydropower monitoring system are as follows:
A. Determining the firmware vendor: the firmware provider is determined from information such as the supply contract and firmware version of the local control unit;
B. Firmware acquisition: the firmware is downloaded from the vendor's official website or obtained by contacting the vendor directly.
Further, the specific steps of extracting the lower computer configuration of the hydropower monitoring system by the non-contact method are as follows:
A. Lower computer configuration download: the configuration of the lower computer is downloaded to the local HMI through the human-machine interface (HMI) provided by the lower computer, generating the lower computer configuration file R;
B. Packing and compression of the configuration file: the configuration file R is compressed into a compressed package RF;
C. Two-dimensional code generation: one PM-Code three-layer two-dimensional code picture XP1 is generated by the non-contact method;
D. Configuration file packaging: the compressed configuration file package RF is inserted into the data field of the PM-Code three-layer two-dimensional code picture XP1, forming a two-dimensional code picture that contains the configuration file data, which is then displayed on the HMI display screen of the lower computer;
E. Configuration file extraction: the detector reads the two-dimensional code on the HMI display screen of the lower computer with a scanning device equipped with a high-definition camera, using the non-contact method, and thus extracts the lower computer configuration file package RF packaged in the two-dimensional code; RF is then decompressed to obtain the lower computer configuration file R, thereby extracting the lower computer configuration environment of the hydropower monitoring system;
F. Extraction lower computer by lower computer: steps A, B, C, D and E are repeated for each lower computer to obtain the configuration files XR1, XR2, XR3 … XRn of all lower computers.
Further, the specific steps of loading the upper computer image of the hydropower monitoring system extracted in S1 into a virtualized container so as to restore the upper computer environment are as follows:
A. Container construction: a virtualized container is built using the open-source Docker virtualized container technology;
B. Image loading: the upper computer image file is loaded in the container, thereby restoring the upper computer environment;
C. Environment inspection: the upper computer environment restored in the container is checked to confirm whether the various configuration items are consistent with the actual upper computer environment.
Further, the specific steps of using the network equipment configuration of the hydropower monitoring system extracted in S2 to generate virtual network nodes in a network simulator, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system, are as follows:
A. Network simulator construction: the open-source network simulator Shadow is used to build a blank network environment without any network nodes;
B. Virtual node generation: according to the device model and system version information in the extracted network equipment configuration file R1, a virtual network node of the corresponding model is created manually in Shadow, and the network equipment configuration file R1 is loaded into that virtual network node, thereby restoring the network equipment environment;
C. Establishing virtual nodes one by one: steps A and B are repeated to establish the other virtual network nodes one by one according to the network equipment configuration files R2, R3 … Rn, thereby restoring the network environment of the hydropower monitoring system.
Further, the vulnerability mining method, the configuration checking method and the vulnerability analysis method are, respectively, the network security vulnerability mining method, the configuration checking method and the vulnerability analysis method adopted in the international Common Vulnerability Scoring System (CVSS) and the national classified protection assessment method.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A network security vulnerability detection method for a non-contact hydropower monitoring system, characterized by comprising the following steps:
step 1, extracting an upper computer image of the hydropower monitoring system by a non-contact method, wherein the upper computer of the hydropower monitoring system refers to the engineer station computer, the operator station computer and the host server in the hydropower monitoring system;
step 2, extracting the network equipment configuration of the hydropower monitoring system by a non-contact method, wherein the network equipment of the hydropower monitoring system refers to the switches, routers and firewall equipment in the hydropower monitoring system;
step 3, acquiring the firmware of the local control unit of the hydropower monitoring system, wherein the local control unit of the hydropower monitoring system is a PLC (programmable logic controller) used to control field production equipment in the hydropower monitoring system;
step 4, extracting the configuration of the lower computer of the hydropower monitoring system by a non-contact method, wherein the lower computer of the hydropower monitoring system refers to the local control unit in the hydropower monitoring system;
step 5, loading the upper computer image of the hydropower monitoring system extracted in step 1 into a virtualized container so as to restore the upper computer environment, wherein the upper computer environment comprises the operating system environment and the application software environment;
step 6, generating virtual network nodes in a network simulator using the network equipment configuration of the hydropower monitoring system extracted in step 2, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system;
step 7, building a firmware simulation environment with the local control unit firmware obtained in step 3, loading the firmware into the simulation environment and simulating the operating environment of the local control unit;
step 8, applying a network security vulnerability mining method to the upper computer environment, the network environment and the local control unit firmware simulation environment built in steps 5, 6 and 7, and verifying the vulnerabilities found, wherein if a vulnerability can be successfully exploited the environment has a higher potential safety hazard, and if the vulnerability cannot be successfully exploited the environment has a lower potential safety hazard;
step 9, performing a configuration check on the lower computer configuration file extracted in step 4 with a configuration checking method to find vulnerabilities present in the configuration, wherein if sand-table deduction shows that a vulnerability is exploitable the lower computer environment has a higher potential safety hazard, and if sand-table deduction shows that the vulnerability is not exploitable the environment has a lower potential safety hazard;
step 10, performing vulnerability analysis on the discovered vulnerabilities with a vulnerability analysis method according to the international Common Vulnerability Scoring System (CVSS) and the national classified protection assessment method, to form the final vulnerability analysis report of the hydropower monitoring system.
2. The method as claimed in claim 1, wherein the non-contact method is one in which the detected object uses PM-Code three-layer two-dimensional code technology to generate a colour PM-Code three-layer two-dimensional code capable of storing large-capacity information; the data to be transmitted is packed into a compressed file, the compressed file is inserted into the PM-Code three-layer two-dimensional code and shown on a display screen; the detector then recognises the two-dimensional code on the display screen with a scanning device equipped with a camera and extracts the compressed data from it; the detected object refers to the upper computer, the network equipment and the lower computer in the hydropower monitoring system, and the detector refers to the person who performs the detection work.
3. The method as claimed in claim 1, wherein the specific steps of extracting the upper computer image of the hydropower monitoring system by the non-contact method comprise:
A. Upper computer image packing: the upper computer packs its operating system and environment configuration files into an image file, namely an ISO file, using the open-source Docker container technology, wherein the image file comprises all data related to the operating system and application programs of the upper computer, including the operating system version, file system structure, partition information, account system, configuration information, application program list and hardware environment;
B. Image slicing: the image file is divided, with 1 GB as the measurement unit, into N sub-files D1, D2, D3 … Dn each no larger than 1 GB, wherein D1 to Dn-1 are each 1 GB in size and Dn is smaller than 1 GB;
C. Two-dimensional code generation: N PM-Code three-layer two-dimensional code pictures DP1, DP2, DP3 … DPn are generated by the non-contact method;
D. Image slice packaging: the image slice sub-files D1 to Dn are inserted into the data fields of the corresponding two-dimensional code pictures DP1 to DPn, forming two-dimensional code pictures that contain the image data, which are then displayed on the display screen of the upper computer;
E. Image slice extraction: the detector reads the two-dimensional codes on the display screen of the upper computer with a scanning device equipped with a high-definition camera, using the non-contact method, and thus extracts the image slice data packaged in the two-dimensional codes;
F. Image slice recombination: the image slice data are sorted by their sequence numbers, namely D1, D2 … Dn, and recombined into the complete image file, thereby extracting the upper computer environment.
4. The method of claim 1, wherein the specific steps of extracting the network equipment configuration of the hydropower monitoring system by the non-contact method comprise:
A. Centralized collection of network device configuration: the configuration files of the N network devices of the hydropower monitoring system are sent, using the Simple Network Management Protocol (SNMP), to a shared directory on the upper computer operator station, generating configuration text files R1, R2, R3 … Rn, wherein the configuration files comprise the device model, system version and detailed configuration information;
B. Packing and compression of the configuration text files: the folder containing the configuration text files R1 to Rn is compressed into a compressed package RF;
C. Two-dimensional code generation: one PM-Code three-layer two-dimensional code picture RP1 is generated by the non-contact method;
D. Configuration text file packaging: the compressed configuration text file package RF is inserted into the data field of the PM-Code three-layer two-dimensional code picture RP1, forming a two-dimensional code picture that contains the configuration file data, which is then displayed on the display screen of the upper computer;
E. Configuration text file extraction: the detector reads the two-dimensional code on the display screen of the upper computer with a scanning device equipped with a high-definition camera, using the non-contact method, and thus extracts the network equipment configuration text file package RF packaged in the two-dimensional code; RF is then decompressed to obtain the folder containing the network configuration text files R1, R2 … Rn, thereby extracting the network equipment configuration environment of the hydropower monitoring system.
5. The method of claim 1, wherein the specific steps of obtaining the firmware of the local control unit of the hydropower monitoring system comprise:
A. Determining the firmware vendor: the firmware provider is determined from the supply contract and firmware version information of the local control unit;
B. Firmware acquisition: the firmware is downloaded from the vendor's official website or obtained by contacting the vendor directly.
6. The method of claim 1, wherein the specific steps of extracting the lower computer configuration of the hydropower monitoring system by the non-contact method comprise:
A. Lower computer configuration download: the configuration of the lower computer is downloaded to the local HMI through the human-machine interface HMI provided by the lower computer, generating the lower computer configuration file R;
B. Packing and compression of the configuration file: the configuration file R is compressed into a compressed package RF;
C. Two-dimensional code generation: one PM-Code three-layer two-dimensional code picture XP1 is generated by the non-contact method;
D. Configuration file packaging: the compressed configuration file package RF is inserted into the data field of the PM-Code three-layer two-dimensional code picture XP1, forming a two-dimensional code picture that contains the configuration file data, which is then displayed on the HMI display screen of the lower computer;
E. Configuration file extraction: the detector reads the two-dimensional code on the HMI display screen of the lower computer with a scanning device equipped with a high-definition camera, using the non-contact method, and thus extracts the lower computer configuration file package RF packaged in the two-dimensional code; RF is then decompressed to obtain the lower computer configuration file R, thereby extracting the lower computer configuration environment of the hydropower monitoring system;
F. Extraction lower computer by lower computer: steps A, B, C, D and E are repeated for each lower computer to obtain the configuration files XR1, XR2, XR3 … XRn of all lower computers.
7. The method according to claim 1, wherein the specific steps of loading the upper computer image of the hydropower monitoring system extracted in step 1 into the virtualized container so as to restore the upper computer environment comprise:
A. Container construction: a virtualized container is built using the open-source Docker virtualized container technology;
B. Image loading: the upper computer image file is loaded in the container, thereby restoring the upper computer environment;
C. Environment inspection: the upper computer environment restored in the container is checked to confirm whether the various configuration items are consistent with the actual upper computer environment.
8. The method of claim 1, wherein the specific steps of generating virtual network nodes in the network simulator using the network equipment configuration of the hydropower monitoring system extracted in step 2, and loading the corresponding network equipment configuration on each virtual network node so as to restore the network environment of the hydropower monitoring system, comprise:
A. Network simulator construction: the open-source network simulator Shadow is used to build a blank network environment without any network nodes;
B. Virtual node generation: according to the device model and system version information in the extracted network equipment configuration file R1, a virtual network node of the corresponding model is created manually in the open-source network simulator Shadow, and the network equipment configuration file R1 is loaded into that virtual network node, thereby restoring the network equipment environment;
C. Establishing virtual nodes one by one: steps A and B are repeated to establish the other virtual network nodes one by one according to the network equipment configuration files R2, R3 … Rn, thereby restoring the network environment of the hydropower monitoring system.
9. The method according to claim 1, wherein the network security vulnerability mining method, the configuration checking method and the vulnerability analysis method are, respectively, the network security vulnerability mining method, the configuration checking method and the vulnerability analysis method adopted in the international Common Vulnerability Scoring System (CVSS) and the national classified protection assessment method.
CN202110165453.XA 2021-02-06 2021-02-06 Network security vulnerability detection method for non-contact hydropower monitoring system Active CN112822212B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110165453.XA CN112822212B (en) 2021-02-06 2021-02-06 Network security vulnerability detection method for non-contact hydropower monitoring system
Publications (2)

Publication Number Publication Date
CN112822212A CN112822212A (en) 2021-05-18
CN112822212B true CN112822212B (en) 2022-12-02
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20210518

Assignee: XIAOWAN HYDRAULIC POWER PLANT OF HUANENG LANCANG RIVER HYDROPOWER CO.,LTD.

Assignor: Xi'an Thermal Power Research Institute Co.,Ltd.

Contract record no.: X2024980001505

Denomination of invention: A non-contact network security vulnerability detection method for hydropower monitoring systems

Granted publication date: 20221202

License type: Common License

Record date: 20240126