CN113098980A - Portable safety operation and maintenance system for power monitoring system - Google Patents


Publication number
CN113098980A
Authority
CN
China
Prior art keywords
maintenance
module
risk
sshenc
flow
Prior art date
Legal status
Granted
Application number
CN202110518337.1A
Other languages
Chinese (zh)
Other versions
CN113098980B (en)
Inventor
朱宏宇
田建伟
田峥
杨志邦
孙毅臻
肖紫东
刘力
陈乾
李琪瑶
Current Assignee
State Grid Corp of China SGCC
State Grid Hunan Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Hunan Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Hunan Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Hunan Electric Power Co Ltd
Priority to CN202110518337.1A
Publication of CN113098980A
Application granted
Publication of CN113098980B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Abstract

The invention discloses a portable safe operation and maintenance system for a power monitoring system, which comprises a safe operation and maintenance monitoring agent module and a safe operation and maintenance gateway module. The monitoring agent module is installed on the operation and maintenance terminal and monitors in cooperation with the gateway module; the gateway module is placed between the operation and maintenance terminal and the operated and maintained object and identifies and blocks risky operations in operation and maintenance work in real time. The invention can analyze the high-risk instructions of various electric power industrial control protocols, reducing risks such as abnormal tripping caused by operation and maintenance misoperation; it designs a USB safety zone mechanism that avoids risks such as virus propagation caused by external USB flash disks at the electric power operation and maintenance site; and it designs a more flexible operation and maintenance personnel identity management and control method and an operation and maintenance record retention mode, which interfere less with operation and maintenance work and make the records more practical. The system has high safety, good operability, high flexibility, stability and reliability.

Description

Portable safety operation and maintenance system for power monitoring system
Technical Field
The invention belongs to the field of electrical automation, and particularly relates to a portable safe operation and maintenance system for an electric power monitoring system.
Background
With the development of economic technology and the improvement of living standard of people, electric energy becomes essential secondary energy in production and life of people, and brings endless convenience to production and life of people. Therefore, stable and reliable operation of the power system becomes one of the most important tasks of the power system.
When the power monitoring system is operated and maintained in a transformer substation, a power plant or a similar site, an operation and maintenance terminal such as a portable computer generally has to be connected. However, because external operation and maintenance terminals come from varied sources, their security is hard to control, and high-risk behaviours such as virus propagation and external network connections easily occur. If such a terminal gains access to the core control area, the network security incident it causes may further lead to serious consequences such as tripping and loss of power. Effective safety protection of the field operation and maintenance of the power monitoring system is therefore very important.
Because transformer substations and power plants are numerous and widely distributed, a traditional fixed operation and maintenance bastion host is unsuitable, and a portable safe operation and maintenance system is required. Such a system is deployed between the operated and maintained object and the operation and maintenance terminal and performs network connection control and operation and maintenance process recording. However, existing portable safe operation and maintenance systems have three limitations: first, operation and maintenance connections are restricted only coarsely by source address, destination address and port, with no deep identification and blocking of high-risk power industrial control instructions; second, when the operation and maintenance terminal transfers files to the operated and maintained object on a USB flash disk, industrial control viruses in those files cannot be effectively identified and blocked; third, the business process design does not follow the actual operation and maintenance conditions of substations and power plants, so the systems are cumbersome to use and inflexible in operation and maintenance.
Disclosure of Invention
The invention aims to provide a portable safe operation and maintenance system for a power monitoring system, which has high safety, good operability, high flexibility, stability and reliability.
The invention provides a portable safe operation and maintenance system for a power monitoring system, which comprises a safe operation and maintenance monitoring agent module and a safe operation and maintenance gateway module; the safety operation and maintenance monitoring agent module is arranged on the operation and maintenance terminal and is used for monitoring in cooperation with the safety operation and maintenance gateway module; the safety operation and maintenance gateway module is arranged between the operation and maintenance terminal and the operated and maintained object and used for identifying and blocking risk operation in operation and maintenance work in real time.
The safety operation and maintenance gateway module comprises an operation and maintenance flow risk management and control module, a USB management module, an operation and maintenance personnel identity authentication module, an audit record module and a basic management function module; the operation and maintenance flow risk management and control module, the USB management module, the operation and maintenance personnel identity authentication module and the audit record module are all connected with the basic management function module; the operation and maintenance flow risk management and control module is used for realizing operation and maintenance object management and control and risk instruction identification; the USB management module is used for managing a USB data transmission process; the operation and maintenance personnel identity authentication module is used for authenticating the identity of personnel in the operation and maintenance process; the audit record module is used for generating an audit report of the operation and maintenance task and recording the operation and maintenance process; and the basic management function module is used for providing data and service support for a portable safety operation and maintenance system of the power monitoring system.
The operation and maintenance flow risk control module comprises an operation and maintenance object control module, an electric power operation and maintenance risk instruction monitoring module and an industrial control virus monitoring module; the operation and maintenance object control module is used for realizing operation and maintenance control of the network port and the serial port; the electric power operation and maintenance risk instruction monitoring module is used for analyzing risk instructions in real time and managing and controlling the identified risk instructions; the industrial control virus monitoring module is used for controlling the virus appearing in the operation and maintenance process.
The operation and maintenance object control module is used for realizing operation and maintenance control of the network port and the serial port, and specifically adopts the following steps to control:
For the network port connection mode: the operation and maintenance worker configures, in the portable safe operation and maintenance system, the IP address of the operation and maintenance object, the IP address used by the operation and maintenance terminal, the operation and maintenance protocol type and the destination port number; an alarm is then raised if the configured port number belongs to the configured high-risk port list.
For the serial port connection mode: the operation and maintenance worker configures the serial port number to be used in the portable safe operation and maintenance system; by controlling the underlying network card and serial ports, only the configured network connection and serial port are allowed to be opened.
The electric power operation and maintenance risk instruction monitoring module is used for analyzing risk instructions in real time and managing and controlling the identified risk instructions, and specifically adopts the following steps to manage and control:
After the network port or serial port connection is established, the traffic is analyzed against the electric power industrial control protocols to identify its specific type. Unencrypted traffic is then parsed down to the protocol field level by the protocol analysis engine so that protocol instructions can be identified, and each identified instruction is compared with a configured high-risk instruction list: if it matches, the match is recorded and the instruction is blocked or an alarm is raised. If the traffic is encrypted, the safety operation and maintenance monitoring agent module performs the risk instruction matching and handling instead.
The risk instruction matching and handling performed by the safety operation and maintenance monitoring agent module comprises two stages, session key recovery and real-time traffic decryption:
Stage one, session key recovery: the safety operation and maintenance monitoring agent module hooks the SSH process on the terminal and then searches the whole memory space of that process, locating the sshenc structure on the heap by means of the verifiable attributes of the sshenc structure.
The attribute names and lengths are:
char *name (4 bytes); const struct sshcipher *cipher (4 bytes);
int enabled (4 bytes); u_int key_len (4 bytes);
u_int iv_len (4 bytes); u_int block_size (4 bytes);
u_char *key (4 bytes); u_char *iv (4 bytes);
The steps for obtaining the sshenc structure are as follows:
Step 1: acquire a contiguous readable address segment of the heap memory, with starting address region_start and ending address region_end; set the initial value of a sliding pointer ptr to region_start;
Step 2: let ssh_enc_size be the fixed length of the sshenc structure; if ptr + ssh_enc_size < region_end, go to step 3, otherwise return to step 1 to acquire the next region;
Step 3: according to the length and order of each attribute in the sshenc structure, interpret the bytes from address ptr to address ptr + ssh_enc_size as an sshenc structure;
Step 4: match the character string pointed to by the name attribute against a preset name dictionary: if the sshenc.name string is not in the dictionary, the search fails and step 9 is entered; otherwise, each sshenc.name determines fixed key_len and block_size values, called fix_key_len and fix_block_size for distinction;
Step 5: the cipher attribute points to an sshcipher structure whose first attribute is a cipher_name string pointer; if the string pointed to by cipher_name differs from sshenc.name, the search fails and step 9 is entered;
Step 6: if sshenc.key_len is not equal to the fix_key_len obtained in step 4, the search fails and step 9 is entered;
Step 7: if sshenc.block_size is not equal to the fix_block_size obtained in step 4, the search fails and step 9 is entered;
Step 8: read the key value through sshenc.key and sshenc.key_len, and the iv value through sshenc.iv and sshenc.iv_len; the search for the sshenc structure has succeeded and the search process ends;
Step 9: set ptr = ptr + 4 and return to step 2.
After the encryption key has been acquired, the second stage, analysis of the encrypted traffic, begins: the safety operation and maintenance monitoring agent module reads traffic data from the network card in real time and, for traffic carried over the ssh protocol, tries each key recovered in the previous stage in turn to decrypt it; after successful decryption, the industrial control high-risk instruction matching process is the same as for a plaintext protocol.
The industrial control virus monitoring module controls viruses appearing in the operation and maintenance process in the following way:
For a plaintext file transfer protocol, the files in the traffic are scanned directly for industrial control viruses: if a virus is found, the transfer is blocked or an alarm is raised;
for an encrypted file transfer protocol, the safety operation and maintenance monitoring agent module performs the industrial control virus monitoring.
The safety operation and maintenance monitoring agent module monitors industrial control viruses by using the same key extraction and traffic decryption steps as the risk instruction matching module to extract the files carried in the traffic and scan them for industrial control viruses.
The USB management module divides the USB interface into an external USB port and an internal USB port; the external USB port is used for connecting a USB flash disk of an operation and maintenance person, and the internal USB port is used for connecting a USB interface of an operated and maintained object; by limiting the folder right, only files are allowed to be copied in or out from the external USB disk, and programs are prohibited from being executed from the external USB disk; virus detection is carried out on all files copied into the operation and maintenance object from the external USB disk: if the virus is found, the copying of the corresponding file is directly prohibited, and an alarm is given.
The operation and maintenance personnel identity authentication module registers a user name, a password and a fingerprint in advance, realizing two-factor identity authentication of personnel from the operation and maintenance main unit; at the same time, for the operation and maintenance personnel of third-party manufacturers, only identity card information is recorded and verified and the actual operators are logged, so that they are controlled as well.
The audit record module adopts screen recording, network port and serial port flow audit, external equipment access audit and work ticket and work record image retention modes to perform audit record.
The portable safe operation and maintenance system for the power monitoring system has the capability of analyzing high-risk instructions of various power industrial control protocols, and can greatly reduce risks such as abnormal tripping caused by misoperation of operation and maintenance; meanwhile, a USB safety zone mechanism is designed, so that the risks of virus propagation and the like caused by external USB flash disks in the electric power operation and maintenance site can be avoided; finally, the invention designs a more flexible operation and maintenance personnel identity control method, operation and maintenance record retention mode and the like, has less influence on the field operation and maintenance work of the power monitoring system, and the operation and maintenance record is more suitable for auditors to carry out safety event investigation and normal audit; therefore, the invention has high safety, good operability, high flexibility, stability and reliability.
Drawings
FIG. 1 is a functional block diagram of the system of the present invention.
Detailed Description
FIG. 1 shows a functional block diagram of the system of the present invention: the invention provides a portable safe operation and maintenance system for a power monitoring system, which comprises a safe operation and maintenance monitoring agent module and a safe operation and maintenance gateway module; the safety operation and maintenance monitoring agent module is arranged on the operation and maintenance terminal and is used for monitoring in cooperation with the safety operation and maintenance gateway module; the safety operation and maintenance gateway module is arranged between the operation and maintenance terminal and the operated and maintained object and used for identifying and blocking risk operation in operation and maintenance work in real time.
In specific implementation, the safe operation and maintenance gateway module comprises an operation and maintenance flow risk management and control module, a USB management module, an operation and maintenance personnel identity authentication module, an audit record module and a basic management function module; the operation and maintenance flow risk management and control module, the USB management module, the operation and maintenance personnel identity authentication module and the audit record module are all connected with the basic management function module; the operation and maintenance flow risk management and control module is used for realizing operation and maintenance object management and control and risk instruction identification; the USB management module is used for managing a USB data transmission process; the operation and maintenance personnel identity authentication module is used for authenticating the identity of personnel in the operation and maintenance process; the audit record module is used for generating an audit report of the operation and maintenance task and recording the operation and maintenance process; and the basic management function module is used for providing data and service support for a portable safety operation and maintenance system of the power monitoring system.
The operation and maintenance flow risk control module comprises an operation and maintenance object control module, an electric operation and maintenance risk instruction monitoring module and an industrial control virus monitoring module; the operation and maintenance object control module is used for realizing operation and maintenance control of the network port and the serial port; the electric power operation and maintenance risk instruction monitoring module is used for analyzing risk instructions in real time and managing and controlling the identified risk instructions; the industrial control virus monitoring module is used for controlling the virus appearing in the operation and maintenance process.
The operation and maintenance object control module performs control by adopting the following steps:
For the network port connection mode: the operation and maintenance worker configures, in the portable safe operation and maintenance system, the IP address of the operation and maintenance object, the IP address used by the operation and maintenance terminal, the operation and maintenance protocol type (IEC103, IEC104, ssh, Telnet and the like) and the destination port number; an alarm is then raised if the configured port number belongs to the configured high-risk port list (such as 445).
For the serial port connection mode: the operation and maintenance worker configures the serial port number to be used in the portable safe operation and maintenance system; by controlling the underlying network card and serial ports, only the configured network connection and serial port are allowed to be opened.
The electric power operation and maintenance risk instruction monitoring module adopts the following steps to manage and control:
After the network port or serial port connection is established, the traffic is analyzed against the electric power industrial control protocols to identify its specific type (including IEC103, IEC104, IEC61850, Modbus, ssh, Telnet, rlogin and the like). Unencrypted traffic is then parsed down to the protocol field level by the protocol analysis engine so that protocol instructions can be identified, and each identified instruction is compared with a configured high-risk instruction list: if it matches, the match is recorded and the instruction is blocked or an alarm is raised. If the traffic is encrypted, the safety operation and maintenance monitoring agent module performs the risk instruction matching and handling instead.
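As an added example, not part of the patent, the following Python sketch shows the kind of field-level matching the risk instruction monitoring module describes, for one of the protocols it lists, IEC 60870-5-104: it parses an APDU, extracts the ASDU type identification, cause of transmission and information object address, and checks control-direction commands against a high-risk list. The sample frames, the high-risk type set and the block-or-alarm policy are constructed for this illustration.

```python
"""IEC 60870-5-104 high-risk instruction matching (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Optional

START = 0x68
COT_ACTIVATION = 6  # cause of transmission "activation" (control direction)

# Standard ASDU type identifications referenced below.
TYPE_NAMES = {
    1: "M_SP_NA_1",    # single-point information, monitoring direction
    45: "C_SC_NA_1",   # single command
    46: "C_DC_NA_1",   # double command
    100: "C_IC_NA_1",  # general interrogation (read-only)
    105: "C_RP_NA_1",  # reset process
}
# Constructed policy: process-changing commands (45-51, their time-tagged
# variants 58-64, and reset process) are high risk when sent as an activation.
HIGH_RISK_TYPES = {45, 46, 47, 48, 49, 50, 51, 105} | set(range(58, 65))


@dataclass
class Verdict:
    action: str  # "allow", "alarm", "block" or "malformed"
    reason: str
    type_id: Optional[int] = None
    ioa: Optional[int] = None
    cot: Optional[int] = None


def parse_asdu(asdu: bytes) -> dict:
    """ASDU header with IEC 104 fixed sizes: COT 2 bytes, CA 2 bytes, IOA 3 bytes."""
    if len(asdu) < 9:
        raise ValueError("ASDU shorter than header plus one information object address")
    type_id, vsq, cot0, originator, ca = struct.unpack("<BBBBH", asdu[:6])
    return {
        "type_id": type_id,
        "type_name": TYPE_NAMES.get(type_id, f"type_{type_id}"),
        "num_objects": vsq & 0x7F,
        "cot": cot0 & 0x3F,
        "common_address": ca,
        "ioa": int.from_bytes(asdu[6:9], "little"),
        "element": asdu[9:],
    }


def parse_apdu(frame: bytes) -> dict:
    """Split the APCI (start byte, length, 4 control bytes) and decode the frame format."""
    if len(frame) < 6 or frame[0] != START:
        raise ValueError("missing 0x68 start byte or frame too short")
    apdu_len = frame[1]
    if apdu_len < 4 or len(frame) != apdu_len + 2:
        raise ValueError(f"length field {apdu_len} disagrees with frame size {len(frame)}")
    c0, c1, c2, c3 = frame[2:6]
    if (c0 & 0x01) == 0:
        fmt = "I"  # information transfer: carries an ASDU
    elif (c0 & 0x03) == 0x01:
        fmt = "S"  # numbered supervisory
    else:
        fmt = "U"  # unnumbered control (STARTDT, STOPDT, TESTFR)
    result = {"format": fmt}
    if fmt == "I":
        result["ns"] = (c0 >> 1) | (c1 << 7)  # send sequence number
        result["nr"] = (c2 >> 1) | (c3 << 7)  # receive sequence number
        result["asdu"] = parse_asdu(frame[6:])
    return result


def assess(frame: bytes, block: bool = True) -> Verdict:
    """Gateway decision for one frame: block or alarm on high-risk activations."""
    try:
        apdu = parse_apdu(frame)
    except ValueError as exc:
        return Verdict("malformed", str(exc))
    if apdu["format"] != "I":
        return Verdict("allow", f"{apdu['format']}-format frame carries no ASDU")
    a = apdu["asdu"]
    if a["type_id"] in HIGH_RISK_TYPES and a["cot"] == COT_ACTIVATION:
        return Verdict("block" if block else "alarm",
                       f"{a['type_name']} activation on IOA {a['ioa']} (CA {a['common_address']})",
                       a["type_id"], a["ioa"], a["cot"])
    return Verdict("allow", f"{a['type_name']} with COT {a['cot']} is not high risk",
                   a["type_id"], a["ioa"], a["cot"])


# Constructed frames (hex), not captured traffic.
SAMPLE_FRAMES = {
    "single_command_on": bytes.fromhex("680e00000000" "2d0106000100" "010000" "01"),
    "spontaneous_status": bytes.fromhex("680e02000000" "010103000100" "640000" "01"),
    "startdt_act": bytes.fromhex("680407000000"),
    "general_interrogation": bytes.fromhex("680e04000000" "640106000100" "000000" "14"),
    "truncated": bytes.fromhex("680e00000000" "2d"),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        v = assess(frame)
        print(f"{label:24s} {v.action:9s} {v.reason}")
```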
In a specific implementation, the safety operation and maintenance monitoring agent module monitors in two stages, session key recovery and real-time traffic decryption:
Stage one, session key recovery: the safety operation and maintenance monitoring agent module hooks the SSH process on the terminal and then searches the whole memory space of that process, locating the sshenc structure on the heap by means of the verifiable attributes of the sshenc structure.
The attribute names and lengths are:
char *name (4 bytes); const struct sshcipher *cipher (4 bytes);
int enabled (4 bytes); u_int key_len (4 bytes);
u_int iv_len (4 bytes); u_int block_size (4 bytes);
u_char *key (4 bytes); u_char *iv (4 bytes);
The steps for obtaining the sshenc structure are as follows:
Step 1: acquire a contiguous readable address segment of the heap memory, with starting address region_start and ending address region_end; set the initial value of a sliding pointer ptr to region_start;
Step 2: let ssh_enc_size be the fixed length of the sshenc structure; if ptr + ssh_enc_size < region_end, go to step 3, otherwise return to step 1 to acquire the next region;
Step 3: according to the length and order of each attribute in the sshenc structure, interpret the bytes from address ptr to address ptr + ssh_enc_size as an sshenc structure;
Step 4: match the character string pointed to by the name attribute against a preset name dictionary: if the sshenc.name string is not in the dictionary, the search fails and step 9 is entered; otherwise, each sshenc.name determines fixed key_len and block_size values, called fix_key_len and fix_block_size for distinction;
Step 5: the cipher attribute points to an sshcipher structure whose first attribute is a cipher_name string pointer; if the string pointed to by cipher_name differs from sshenc.name, the search fails and step 9 is entered;
Step 6: if sshenc.key_len is not equal to the fix_key_len obtained in step 4, the search fails and step 9 is entered;
Step 7: if sshenc.block_size is not equal to the fix_block_size obtained in step 4, the search fails and step 9 is entered;
Step 8: read the key value through sshenc.key and sshenc.key_len, and the iv value through sshenc.iv and sshenc.iv_len; the search for the sshenc structure has succeeded and the search process ends;
Step 9: set ptr = ptr + 4 and return to step 2.
After the encryption key has been acquired, the second stage, analysis of the encrypted traffic, begins: the safety operation and maintenance monitoring agent module reads traffic data from the network card in real time and, for traffic carried over the ssh protocol, tries each key recovered in the previous stage in turn to decrypt it; after successful decryption, the industrial control high-risk instruction matching process is the same as for a plaintext protocol.
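The candidate validation of steps 3 to 9 above, as an added example that is not the patent's code: it runs the check over a constructed heap image using the eight 4-byte field layout given in the description (a 32-bit build), including a decoy structure that passes the name check but fails the key_len check. The name dictionary values follow the OpenSSH cipher table and the memory acquisition of step 1 is replaced by an in-memory buffer; both are assumptions of this example.

```python
"""sshenc candidate validation (steps 3-9) over a constructed 32-bit heap image."""
import struct
from dataclasses import dataclass
from typing import Optional

# Layout from the description: eight 4-byte fields, so ssh_enc_size is 32 bytes.
# Field order: name*, cipher*, enabled, key_len, iv_len, block_size, key*, iv*.
SSHENC_FMT = "<IIiIIIII"
SSH_ENC_SIZE = struct.calcsize(SSHENC_FMT)

# Preset name dictionary for step 4: cipher name -> (fix_key_len, fix_block_size).
# Values follow the OpenSSH cipher table (assumption; verify against the build in use).
NAME_DICT = {
    "aes128-ctr": (16, 16),
    "aes256-ctr": (32, 16),
    "aes128-gcm@openssh.com": (16, 16),
    "aes256-gcm@openssh.com": (32, 16),
    "chacha20-poly1305@openssh.com": (64, 8),
}


class HeapImage:
    """One contiguous readable heap region [start, end) captured into a buffer."""
    def __init__(self, start: int, data: bytes):
        self.start, self.data = start, data
        self.end = start + len(data)

    def read(self, addr: int, n: int) -> Optional[bytes]:
        off = addr - self.start
        if off < 0 or off + n > len(self.data):
            return None  # pointer leaves the region: the candidate is invalid
        return self.data[off:off + n]

    def read_u32(self, addr: int) -> Optional[int]:
        raw = self.read(addr, 4)
        return None if raw is None else struct.unpack("<I", raw)[0]

    def read_cstring(self, addr: int, limit: int = 64) -> Optional[str]:
        off = addr - self.start
        if off < 0 or off >= len(self.data):
            return None
        chunk = self.data[off:off + limit]
        nul = chunk.find(b"\0")
        if nul < 0:
            return None
        try:
            return chunk[:nul].decode("ascii")
        except UnicodeDecodeError:
            return None


@dataclass
class SessionKey:
    address: int
    name: str
    key: bytes
    iv: bytes


def find_sshenc(mem: HeapImage) -> Optional[SessionKey]:
    ptr = mem.start                                      # step 1: ptr = region_start
    while ptr + SSH_ENC_SIZE < mem.end:                  # step 2
        fields = struct.unpack(SSHENC_FMT, mem.read(ptr, SSH_ENC_SIZE))  # step 3
        name_p, cipher_p, _enabled, key_len, iv_len, block_size, key_p, iv_p = fields
        name = mem.read_cstring(name_p)                  # step 4
        if name in NAME_DICT:
            fix_key_len, fix_block_size = NAME_DICT[name]
            cipher_name_p = mem.read_u32(cipher_p)       # step 5: sshcipher.name is its first field
            cipher_name = None if cipher_name_p is None else mem.read_cstring(cipher_name_p)
            if (cipher_name == name
                    and key_len == fix_key_len           # step 6
                    and block_size == fix_block_size):   # step 7
                key = mem.read(key_p, key_len)           # step 8
                iv = mem.read(iv_p, iv_len)
                if key is not None and iv is not None:
                    return SessionKey(ptr, name, key, iv)
        ptr += 4                                         # step 9
    return None


HEAP_BASE = 0x08100000  # constructed 32-bit heap address


def build_sample_heap() -> HeapImage:
    """Constructed image: a decoy with the wrong key_len at 0x40, the real structure at 0x80."""
    buf = bytearray(0x200)
    name_a, cipher_a, key_a, iv_a = (HEAP_BASE + o for o in (0x100, 0x120, 0x140, 0x160))
    buf[0x100:0x10B] = b"aes128-ctr\0"
    buf[0x120:0x124] = struct.pack("<I", name_a)          # sshcipher.name pointer
    buf[0x140:0x150] = bytes(range(0x10, 0x20))           # constructed 16-byte key
    buf[0x160:0x170] = bytes(range(0xA0, 0xB0))           # constructed 16-byte IV
    buf[0x040:0x060] = struct.pack(SSHENC_FMT, name_a, cipher_a, 1, 32, 16, 16, key_a, iv_a)
    buf[0x080:0x0A0] = struct.pack(SSHENC_FMT, name_a, cipher_a, 1, 16, 16, 16, key_a, iv_a)
    return HeapImage(HEAP_BASE, bytes(buf))


if __name__ == "__main__":
    hit = find_sshenc(build_sample_heap())
    print(hit and f"{hit.name} at {hit.address:#x} key={hit.key.hex()} iv={hit.iv.hex()}")
```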
The industrial control virus monitoring module controls viruses in the following way:
For a plaintext file transfer protocol, the files in the traffic are scanned directly for industrial control viruses: if a virus is found, the transfer is blocked or an alarm is raised;
for an encrypted file transfer protocol, the safety operation and maintenance monitoring agent module performs the industrial control virus monitoring.
In a specific implementation, the safety operation and maintenance monitoring agent module monitors industrial control viruses by using the same key extraction and traffic decryption steps as the risk instruction matching module to extract the files carried in the traffic and scan them for industrial control viruses.
The USB management module divides the USB interface into an external USB port and an internal USB port; the external USB port is used for connecting a USB flash disk of an operation and maintenance person, and the internal USB port is used for connecting a USB interface of an operated and maintained object; by limiting the folder right, only files are allowed to be copied in or out from the external USB disk, and programs are prohibited from being executed from the external USB disk; virus detection is carried out on all files copied into the operation and maintenance object from the external USB disk: if the virus is found, the copying of the corresponding file is directly prohibited, and an alarm is given.
The operation and maintenance personnel identity authentication module registers a user name, a password and a fingerprint in advance, realizing two-factor identity authentication of personnel from the operation and maintenance main unit; at the same time, for the operation and maintenance personnel of third-party manufacturers, only identity card information is recorded and verified and the actual operators are logged, so that they are controlled as well.
The audit record module keeps audit records by screen recording, network port and serial port traffic auditing, external device access auditing, and image retention of work tickets and work records.
In a specific implementation, audit records are kept by screen recording, network and serial port traffic auditing, external device access auditing, image retention of work tickets and work records, and the like. Since roughly 80% of power site operation and maintenance is performed through a graphical interface, screen recording is an important part of the operation and maintenance record: the operation and maintenance terminal is connected to the safety operation and maintenance gateway module through a video interface (VGA or HDMI), and the gateway module displays and records the real-time images transmitted from the terminal. The module also collects the traffic auditing results (high-risk instruction alarms, industrial control virus alarms, key traffic packets and the like), the audit records produced by the USB management module (USB plug-in records, file transfer records, dangerous file alarms and the like) and the personnel composition records produced by the operation and maintenance personnel identity authentication module. In addition, the safety operation and maintenance gateway module can retain images of the paper work records and work tickets generated on site and associate them with the corresponding operation and maintenance task. After an operation and maintenance task is finished, the audit record module can generate an audit report for that task, including the operation and maintenance time, place, risk alarms and the like.
The basic management function module mainly provides basic services, including data support, service support, underlying architecture, data processing and other general services.

Claims (10)

1. A portable safe operation and maintenance system for a power monitoring system is characterized by comprising a safe operation and maintenance monitoring agent module and a safe operation and maintenance gateway module; the safety operation and maintenance monitoring agent module is arranged on the operation and maintenance terminal and is used for monitoring in cooperation with the safety operation and maintenance gateway module; the safety operation and maintenance gateway module is arranged between the operation and maintenance terminal and the operated and maintained object and used for identifying and blocking risk operation in operation and maintenance work in real time.
2. The portable security operation and maintenance system for the power monitoring system according to claim 1, wherein the security operation and maintenance gateway module comprises an operation and maintenance flow risk management and control module, a USB management module, an operation and maintenance personnel identity authentication module, an audit record module and a basic management function module; the operation and maintenance flow risk management and control module, the USB management module, the operation and maintenance personnel identity authentication module and the audit record module are all connected with the basic management function module; the operation and maintenance flow risk management and control module is used for realizing operation and maintenance object management and control and risk instruction identification; the USB management module is used for managing a USB data transmission process; the operation and maintenance personnel identity authentication module is used for authenticating the identity of personnel in the operation and maintenance process; the audit record module is used for generating an audit report of the operation and maintenance task and recording the operation and maintenance process; and the basic management function module is used for providing data and service support for a portable safety operation and maintenance system of the power monitoring system.
3. The portable safety operation and maintenance system for the power monitoring system according to claim 2, wherein the operation and maintenance flow risk management and control module comprises an operation and maintenance object management and control module, a power operation and maintenance risk instruction monitoring module and an industrial control virus monitoring module; the operation and maintenance object control module is used for realizing operation and maintenance control of the network port and the serial port; the electric power operation and maintenance risk instruction monitoring module is used for analyzing risk instructions in real time and managing and controlling the identified risk instructions; the industrial control virus monitoring module is used for controlling the virus appearing in the operation and maintenance process.
4. The portable safety operation and maintenance system for the power monitoring system according to claim 3, wherein the operation and maintenance object management and control module is configured to implement operation and maintenance management and control of the network port and the serial port, specifically using the following steps:
for the network port connection mode: an operation and maintenance worker configures, in the portable safe operation and maintenance system for the power monitoring system, the IP address of the operation and maintenance object, the IP address used by the operation and maintenance terminal, the operation and maintenance protocol type and the destination port number; then, when the configured port number belongs to the configured set of high-risk port numbers, an alarm is raised;
for the serial port connection mode: the operation and maintenance worker configures the serial port number to be used in the portable safety operation and maintenance system for the power monitoring system; and by controlling the underlying network card and serial port, only the configured network connection and serial port are allowed to be enabled.
5. The portable safety operation and maintenance system for the power monitoring system according to claim 4, wherein the power operation and maintenance risk instruction monitoring module is configured to analyze risk instructions in real time and manage and control the identified risk instructions, specifically using the following steps:
after the network port connection or the serial port connection is established, the specific type of the flow is identified by electric power industrial control protocol analysis, and unencrypted flow is then parsed down to the protocol field level by the protocol analysis engine so that the protocol instruction is identified; the obtained protocol instruction is then compared with a configured high-risk instruction list: if the comparison matches, the match is recorded and the instruction is blocked or an alarm is raised; and if the flow is encrypted, the safety operation and maintenance monitoring agent module performs the risk instruction matching and handling.
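A worked example of the checks in claims 4 and 5 for a plaintext protocol, added here as an illustration and not code from the patent: the session check alarms on a high-risk destination port, and the flow check parses a Modbus/TCP frame down to its function-code field, compares it with a high-risk instruction list, records the match and blocks or alarms. The high-risk port set, the Modbus function-code list used as the instruction list, the protocol names and the sample frames are constructed assumptions (the page names the lists but gives no entries); encrypted protocols are handed off to the monitoring agent as claim 5 states.

```python
import struct
from dataclasses import dataclass, field

# Constructed policy data. Claim 4 names a high-risk port list and claim 5 a
# high-risk instruction list, but the page gives neither, so these entries
# are illustrative, not the patent's.
HIGH_RISK_PORTS = {23, 445, 3389}
ENCRYPTED_PROTOCOLS = {"ssh", "sftp", "scp"}
# Modbus/TCP function codes that write to the device, used here as the
# "high-risk instruction list" for one plaintext power-industry protocol.
HIGH_RISK_MODBUS_FC = {
    0x05: "write single coil",
    0x06: "write single register",
    0x0F: "write multiple coils",
    0x10: "write multiple registers",
}


@dataclass
class OpsSession:
    """The four values the operator configures for a network-port session (claim 4)."""
    target_ip: str      # IP of the operated-and-maintained object
    terminal_ip: str    # IP used by the operation and maintenance terminal
    protocol: str       # operation and maintenance protocol type, e.g. "modbus-tcp", "ssh"
    dst_port: int       # destination port number


@dataclass
class Verdict:
    action: str         # "pass" | "alarm" | "block" | "defer_to_agent"
    reason: str
    record: dict = field(default_factory=dict)


def check_session(sess: OpsSession) -> Verdict:
    """Claim 4: alarm when the configured destination port is on the high-risk list."""
    if sess.dst_port in HIGH_RISK_PORTS:
        return Verdict("alarm", f"destination port {sess.dst_port} is a high-risk port",
                       {"terminal": sess.terminal_ip, "target": sess.target_ip})
    return Verdict("pass", "destination port allowed")


def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP frame (MBAP header + PDU) down to the function-code field.

    Returns None when the frame is malformed: too short, wrong protocol id, or a
    length field inconsistent with the bytes actually present."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": payload[7], "data": payload[8:]}


def inspect_flow(sess: OpsSession, payload: bytes, block_on_match: bool = True) -> Verdict:
    """Claim 5: identify the protocol, parse plaintext flow to field level, compare the
    instruction with the high-risk list, and on a match record it and block or alarm.
    Encrypted flow is handed to the monitoring agent module instead."""
    if sess.protocol in ENCRYPTED_PROTOCOLS:
        return Verdict("defer_to_agent", "encrypted flow is matched by the monitoring agent module")
    if sess.protocol != "modbus-tcp":
        return Verdict("pass", f"no protocol parser for {sess.protocol}")
    msg = parse_modbus_tcp(payload)
    if msg is None:
        return Verdict("alarm", "malformed Modbus/TCP frame")
    fc = msg["function_code"]
    if fc in HIGH_RISK_MODBUS_FC:
        record = {  # the audit record kept for every match
            "terminal": sess.terminal_ip, "target": sess.target_ip,
            "function_code": fc, "instruction": HIGH_RISK_MODBUS_FC[fc],
            "data": msg["data"].hex(),
        }
        return Verdict("block" if block_on_match else "alarm",
                       f"high-risk instruction matched: {HIGH_RISK_MODBUS_FC[fc]}", record)
    return Verdict("pass", f"function code 0x{fc:02x} not on the high-risk list")


# Constructed sample frames (unit id 1): a read of 10 holding registers from
# address 0, and a write of 0x1234 to holding register 1.
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0001 1234")

if __name__ == "__main__":
    sess = OpsSession("10.0.0.5", "10.0.0.100", "modbus-tcp", 502)
    print(check_session(sess))
    print(inspect_flow(sess, READ_FRAME))
    print(inspect_flow(sess, WRITE_FRAME))
```

The block-or-alarm choice is a per-deployment setting in the claim, so it is a parameter here; the record returned with a match is what the audit record module would later fold into the task's audit report.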
6. The portable security operation and maintenance system for the power monitoring system according to claim 5, wherein the security operation and maintenance monitoring agent module performs risk instruction matching and handling in two phases, session key recovery and real-time traffic decryption:
stage one, the session key recovery stage, is implemented as follows: the safety operation and maintenance monitoring agent module automatically hooks the SSH process on the terminal and then searches the whole memory space of the SSH process, locating the sshenc structure on the heap memory through the verifiable attributes in the sshenc structure;
the attribute names and lengths are:
char *name - 4 bytes; const struct sshcipher *cipher - 4 bytes;
int enabled - 4 bytes; u_int key_len - 4 bytes;
u_int iv_len - 4 bytes; u_int block_size - 4 bytes;
u_char *key - 4 bytes; u_char *iv - 4 bytes;
the steps for locating the sshenc structure are as follows:
step 1: acquire a contiguous readable address segment on the heap memory, with start address region_start and end address region_end; set the initial value of a sliding pointer ptr equal to region_start;
step 2: ssh_enc_size is the fixed length of the sshenc structure; if ptr + ssh_enc_size < region_end, enter step 3, otherwise return to step 1;
step 3: according to the length and order of each attribute in the sshenc structure, interpret the bytes from address ptr to address ptr + ssh_enc_size as a sshenc structure;
step 4: match the string pointed to by the name attribute against a preset name dictionary: if the sshenc.name string read is not in the dictionary, the search fails and step 9 is entered; otherwise, different sshenc.name values specify different key_len and block_size values, which are called fix_key_len and fix_block_size for distinction;
step 5: the cipher structure pointer points to a sshcipher structure whose first attribute is a cipher_name string pointer; if the string pointed to by cipher_name differs from sshenc.name, the search fails and step 9 is entered;
step 6: if sshenc.key_len is not equal to the fix_key_len obtained in step 4, the search fails and step 9 is entered;
step 7: if sshenc.block_size is not equal to the fix_block_size obtained in step 4, the search fails and step 9 is entered;
step 8: read the key value through sshenc.key and sshenc.key_len; read the iv value through sshenc.iv and sshenc.iv_len; the search for the sshenc structure succeeds and the search process ends;
step 9: set ptr = ptr + 4 and go to step 2;
after the encryption key is successfully acquired, the second stage, analysis of the encrypted flow, is entered: the safety operation and maintenance monitoring agent module reads flow data from the network card in real time and, for flow transmitted using the SSH protocol, traverses all keys found in the previous stage and attempts decryption with each; after decryption succeeds, the industrial control high-risk instruction matching process is the same as that for a plaintext protocol.
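The session key recovery of claim 6 (stage one), written out as an added example over a constructed in-memory heap image rather than a live SSH process; this is illustrative code and not the patent's. The HeapRegion class, the name dictionary entries (OpenSSH's parameters for aes128-ctr and aes256-ctr, since the page gives no dictionary contents), the 32-bit field layout with four-byte pointers exactly as listed in the claim, and the sample layout containing a decoy structure are assumptions made for the example. The point it shows is why steps 4 to 7 are all needed: a candidate whose name and cipher pointer are consistent is still rejected when key_len contradicts the dictionary value.

```python
import struct

# Eight 4-byte attributes in the order listed in claim 6 (32-bit layout):
# name, cipher, enabled, key_len, iv_len, block_size, key, iv
SSHENC_FMT = "<8I"
SSH_ENC_SIZE = struct.calcsize(SSHENC_FMT)   # 32

# Constructed "preset name dictionary": cipher name -> (fix_key_len, fix_block_size).
# These two entries use OpenSSH's parameters for the named ciphers; the dictionary
# the patent actually uses is not given on the page.
NAME_DICT = {
    b"aes128-ctr": (16, 16),
    b"aes256-ctr": (32, 16),
}


class HeapRegion:
    """One contiguous readable address segment [region_start, region_end) (step 1),
    here backed by a bytes object instead of a live process (assumption for the example)."""

    def __init__(self, region_start: int, data: bytes):
        self.start = region_start
        self.end = region_start + len(data)
        self.data = data

    def read(self, addr: int, n: int) -> bytes:
        if addr < self.start or addr + n > self.end:
            raise ValueError("pointer leaves the readable segment")
        off = addr - self.start
        return self.data[off:off + n]

    def read_cstring(self, addr: int, maxlen: int = 64) -> bytes:
        if addr < self.start or addr >= self.end:
            raise ValueError("pointer leaves the readable segment")
        chunk = self.data[addr - self.start:addr - self.start + maxlen]
        nul = chunk.find(b"\0")
        return chunk if nul < 0 else chunk[:nul]


def find_sshenc(region: HeapRegion):
    """Steps 2-9 of claim 6: slide a 4-byte-aligned window over the segment and
    accept a candidate only when every verifiable attribute is consistent."""
    ptr = region.start
    while ptr + SSH_ENC_SIZE < region.end:                                   # step 2
        fields = struct.unpack(SSHENC_FMT, region.read(ptr, SSH_ENC_SIZE))   # step 3
        name_p, cipher_p, _enabled, key_len, iv_len, block_size, key_p, iv_p = fields
        try:
            name = region.read_cstring(name_p)                               # step 4
            if name in NAME_DICT:
                fix_key_len, fix_block_size = NAME_DICT[name]
                (cipher_name_p,) = struct.unpack("<I", region.read(cipher_p, 4))  # step 5
                if (region.read_cstring(cipher_name_p) == name
                        and key_len == fix_key_len                           # step 6
                        and block_size == fix_block_size):                   # step 7
                    return {                                                 # step 8
                        "address": ptr,
                        "name": name,
                        "key": region.read(key_p, key_len),
                        "iv": region.read(iv_p, iv_len),
                    }
        except ValueError:
            pass   # a pointer attribute pointed outside the segment: not a real sshenc
        ptr += 4                                                             # step 9
    return None


def build_sample_region(base: int = 0x08040000) -> HeapRegion:
    """Constructed heap image: the cipher name string, a sshcipher whose first field
    points back at that name, key and iv buffers, a decoy sshenc with an
    inconsistent key_len, and finally the genuine sshenc."""
    name_addr = base
    cipher_addr = base + 16
    key_addr = cipher_addr + 8
    iv_addr = key_addr + 16
    key = bytes(range(0x10, 0x20))
    iv = bytes(range(0xA0, 0xB0))
    buf = bytearray()
    buf += b"aes128-ctr\0".ljust(16, b"\0")                        # name string
    buf += struct.pack("<II", name_addr, 0)                        # sshcipher: name pointer first
    buf += key + iv
    # decoy: name and cipher match, but key_len 32 contradicts aes128-ctr (rejected at step 6)
    buf += struct.pack(SSHENC_FMT, name_addr, cipher_addr, 1, 32, 16, 16, key_addr, iv_addr)
    buf += struct.pack(SSHENC_FMT, name_addr, cipher_addr, 1, 16, 16, 16, key_addr, iv_addr)
    buf += bytes(8)   # trailing slack so the strict bound in step 2 still covers the last struct
    return HeapRegion(base, bytes(buf))


if __name__ == "__main__":
    print(find_sshenc(build_sample_region()))
```

A real sshenc holds the material for one direction of one session, so the decryption stage of the claim has to try every recovered key against each SSH flow; the structure returned here (name, key, iv, address) is exactly what that stage needs.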
7. The portable safety operation and maintenance system for the power monitoring system according to claim 6, wherein the industrial control virus monitoring module is configured to manage and control viruses occurring in the operation and maintenance process, specifically using the following steps:
for a plaintext file transmission protocol, industrial control virus scanning is carried out directly on the files in the flow: if a virus is found, the transfer is directly blocked or an alarm is raised;
for an encrypted file transmission protocol, the safety operation and maintenance monitoring agent module performs the industrial control virus monitoring.
8. The portable security operation and maintenance system for power monitoring system according to claim 7, wherein the security operation and maintenance monitoring agent module performs industrial control virus monitoring, specifically, the same key extraction and traffic decryption steps as those in the risk instruction matching module are used to extract files in the traffic for industrial control virus scanning and matching.
9. The portable safety operation and maintenance system for the power monitoring system according to claim 8, wherein said USB management module divides the USB interface into an external USB port and an internal USB port; the external USB port is used for connecting the USB flash disk of an operation and maintenance person, and the internal USB port is used for connecting the USB interface of the operated and maintained object; by restricting folder permissions, files are only allowed to be copied in from or out to the external USB disk, and programs are prohibited from being executed from the external USB disk; virus detection is carried out on all files copied into the operation and maintenance object from the external USB disk: if a virus is found, copying of the corresponding file is directly prohibited and an alarm is raised.
10. The portable safety operation and maintenance system for the power monitoring system according to claim 9, wherein the operation and maintenance personnel identity authentication module is used for entering a user name, a password and a fingerprint in advance, so that the double-factor identity authentication of personnel in an operation and maintenance main unit is realized; meanwhile, only identity card information is recorded and identified, and actual operation and maintenance operators are recorded, so that the operation and maintenance personnel of a third-party manufacturer are controlled; the audit record module adopts screen recording, network port and serial port flow audit, external equipment access audit and work ticket and work record image retention modes to perform audit record.
CN202110518337.1A 2021-05-12 2021-05-12 Portable safety operation and maintenance system for power monitoring system Active CN113098980B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110518337.1A CN113098980B (en) 2021-05-12 2021-05-12 Portable safety operation and maintenance system for power monitoring system

Publications (2)

Publication Number Publication Date
CN113098980A true CN113098980A (en) 2021-07-09
CN113098980B CN113098980B (en) 2022-08-02

Family

ID=76665443

Country Status (1)

Country Link
CN (1) CN113098980B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765780A (en) * 2021-09-27 2021-12-07 北京珞安科技有限责任公司 Portable operation and maintenance gateway based on Internet of things
CN115118509A (en) * 2022-06-29 2022-09-27 国网河南省电力公司电力科学研究院 Substation secondary equipment debugging file permission detection method and security control device

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050086197A1 (en) * 2003-09-30 2005-04-21 Toufic Boubez System and method securing web services
EP1641215A2 (en) * 2004-09-28 2006-03-29 Layer 7 Technologies, Inc. System and method for bridging identities in a service oriented architecture
CN101494624A (en) * 2008-10-22 2009-07-29 珠海市鸿瑞信息技术有限公司 Electric force special public network communication secure gateway
CN109617918A (en) * 2019-01-21 2019-04-12 深圳锚丁科技工程有限公司 A kind of safe O&M gateway and its O&M method
CN209803662U (en) * 2019-05-10 2019-12-17 国家电网有限公司 Handheld terminal for safely isolating data of transformer substation
CN110611665A (en) * 2019-08-30 2019-12-24 杭州希益丰新业科技有限公司 Safe operation and maintenance gateway method for telecontrol operation and maintenance of power secondary system
CN111062504A (en) * 2019-12-31 2020-04-24 国电南瑞科技股份有限公司 AR technology-based intelligent power distribution station operation and maintenance system and method
CN111435390A (en) * 2019-01-11 2020-07-21 中国电力科学研究院有限公司 Safety protection method for operation and maintenance tool of power distribution terminal
CN111710122A (en) * 2020-04-30 2020-09-25 国网天津市电力公司 Safe power utilization management system based on ubiquitous power Internet of things
CN112422527A (en) * 2020-11-03 2021-02-26 中国南方电网有限责任公司 Safety protection system, method and device of transformer substation electric power monitoring system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LEI CHEN: "Based on ZigBee wireless sensor network the monitoring system design for chemical production process toxic and harmful gas", 《2010 INTERNATIONAL CONFERENCE ON COMPUTER, MECHATRONICS, CONTROL AND ELECTRONIC ENGINEERING》 *
郭丽 (Guo Li): "Design of a security authentication gateway based on USB Key", Information Technology (《信息科技》) *

Also Published As

Publication number Publication date
CN113098980B (en) 2022-08-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant