CN113882908A - Passive monitoring algorithm-based steam turbine network security offline monitoring system and method - Google Patents
- Publication number
- CN113882908A, CN202010636106.6A
- Authority
- CN
- China
- Prior art keywords
- dpu
- network
- control
- control unit
- steam turbine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F01—MACHINES OR ENGINES IN GENERAL; ENGINE PLANTS IN GENERAL; STEAM ENGINES
- F01D—NON-POSITIVE DISPLACEMENT MACHINES OR ENGINES, e.g. STEAM TURBINES
- F01D21/00—Shutting-down of machines or engines, e.g. in emergency; Regulating, controlling, or safety means not otherwise provided for
- F01D21/003—Arrangements for testing or measuring
-
- F—MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
- F01—MACHINES OR ENGINES IN GENERAL; ENGINE PLANTS IN GENERAL; STEAM ENGINES
- F01D—NON-POSITIVE DISPLACEMENT MACHINES OR ENGINES, e.g. STEAM TURBINES
- F01D25/00—Component parts, details, or accessories, not provided for in, or of interest apart from, other groups
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/06—Energy or water supply
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Mechanical Engineering (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Economics (AREA)
- General Health & Medical Sciences (AREA)
- Water Supply & Treatment (AREA)
- Public Health (AREA)
- Human Resources & Organizations (AREA)
- Marketing (AREA)
- Primary Health Care (AREA)
- Strategic Management (AREA)
- Tourism & Hospitality (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The invention belongs to the technical field of steam turbine network safety protection, and particularly relates to a steam turbine network safety off-line monitoring system and method based on a passive monitoring algorithm.
Description
Technical Field
The invention belongs to the technical field of steam turbine network security protection, and particularly relates to a system and a method for monitoring the steam turbine network security offline based on a passive monitoring algorithm.
Background
In the thermal power generation process, a steam turbine is one of the main control targets. The steam turbine control and protection system realizes the control and protection functions of the steam turbine and mainly comprises a steam turbine control system and a steam turbine protection system. The steam turbine control system specifically refers to a steam turbine control unit of a Distributed Control System (DCS) of a power plant and a digital electro-hydraulic control system (DEH) of the steam turbine, and the steam turbine protection system specifically refers to a steam turbine Emergency Trip System (ETS) and a steam turbine safety monitoring system (TSI).
The main function of the steam turbine control system is to collect the operation parameters (pressure, temperature, rotating speed, power, etc.) of the steam turbine and control the opening of the steam inlet valve (main steam valve and regulating valve) of the steam turbine, so as to ensure that the steam turbine operates under the given parameters; the main function of the turbine protection system is to detect whether the operating parameters (rotation speed, vibration, oil pressure, temperature, etc.) of the turbine exceed the limit values, and close the steam inlet valve of the turbine in time when the operating parameters exceed the limit values, so as to ensure the safe shutdown of the turbine in an uncontrolled state.
In the prior art, an integrated DCS is widely adopted to cover all functions of a DCS turbine control unit, DEH and ETS, and an integrated DCS system mainly comprises a DPU control unit and an I/O card, wherein a main control logic of a turbine is operated in the DPU control unit, and the I/O card realizes input and output of physical signals corresponding to the control logic in the DPU.
At present, steam turbine control protection systems mainly adopt digital control technology based on computer technology and network communication technology. Dedicated software and hardware design ensures the reliability and real-time performance of system operation and reduces the probability of system faults, but the security design of the system is insufficient; in particular, there are vulnerability risks at the software design level.
With the continuous development of industrial internet technology, an industrial control system is no longer a physically isolated system, and increasingly severe network security risks have become a problem that steam turbine control protection systems must face. Once the system is under network attack, the control and protection system of the steam turbine may fail or run out of control, which may further change the operation state of the steam turbine and cause serious production safety accidents. In particular, in an integrated DCS that uses the same model of equipment and is interconnected over the network, the control system and the protection system may be paralyzed and fail at the same time.
The main current methods for judging whether a turbine control protection system is under network attack are based on analysis of network flow and on monitoring software implanted into the control system; the two methods mainly have the following problems:
1. the method based on network flow analysis lacks analysis of the state of the control system itself and cannot effectively prove whether the control protection system has really lost control under a network attack; it also produces false alarms that mislead field workers into implementing improper emergency response plans, so it is difficult to apply in actual engineering;
2. although the method of implanting monitoring software can make up for the defects of the network flow analysis method, new software needs to be added into the control system and the original configuration needs to be modified, and if the control system manufacturer does not cooperate, the method can hardly be realized in engineering implementation. In addition, the method of using the implanted monitoring software independently cannot be distinguished effectively.
Therefore, it is necessary to adopt a new monitoring method of the control system and combine with the network flow monitoring to realize a comprehensive monitoring and analyzing method which has practical engineering value and is easy to implement on the basis of the unchanged software and hardware structure of the existing turbine control and protection system, and focus on the network security incident which may cause the turbine security accident.
Disclosure of Invention
The invention aims to solve the problems in the prior art by providing a method for comprehensively monitoring the network security of a steam turbine control and protection system, which is combined with a mature network flow acquisition method and does not implant other software programs into the original steam turbine control and protection system, so that serious network security events that adversely affect the normal operation of the steam turbine can be found and can be effectively distinguished from system faults not caused by network security events and from non-serious network security events.
In order to achieve the above object, the turbine network security offline monitoring system based on the passive monitoring algorithm in the technical scheme of the present invention is characterized in that: the system comprises a comprehensive analysis module, a control unit monitoring module and a network flow monitoring module, wherein the network flow monitoring module is accessed to a system network, performs mirror image acquisition on an Ethernet flow data packet of a steam turbine control protection system in the system network and analyzes a network abnormal event;
the steam turbine control protection system in the system network comprises a plurality of field control stations, each field control station comprises a DPU (distributed processing unit) control unit, and the control unit monitoring module is connected with each field control station and used for acquiring the operation result of the DPU control unit; the DPU simulation unit has the same control logic or control algorithm as the DPU control unit and is used for simulating the operation of the DPU control unit in a normal working state in a standard simulation environment;
the control unit monitoring module is used for simultaneously acquiring a real-time operation result of the DPU control unit and a reference operation result of the DPU simulation unit in simulated operation under an ideal environment, and comparing and analyzing the real-time operation result and the reference operation result to obtain an abnormal event of the DPU control unit;
and the comprehensive analysis module collects the network abnormal events and the DPU control unit abnormal events to perform correlation analysis.
The field control station comprises a DPU control unit, a control network and a physical I/O interface of a monitored steam turbine control protection system, wherein a control unit monitoring module is connected to the control network through the physical I/O interface and is connected to the system network through the DPU control unit; the physical I/O interface comprises an input type I/O card and an output type I/O card; and the control unit monitoring module acquires the operation result of the DPU control unit through a physical I/O interface and a control network.
And the engineer station and the operator station acquire or generate instructions to a DPU control unit in the field control station through the system network.
Correspondingly, the invention also provides a technical scheme of a monitoring method corresponding to the system, in particular to a turbine network safety off-line monitoring method based on a passive monitoring algorithm, which is characterized by comprising the following steps:
acquiring network data, namely acquiring an Ethernet flow data packet of a steam turbine control protection system by a network flow acquisition method based on a switch mirroring technology;
analyzing the network data abnormity, namely analyzing the known network attack characteristics and the network protocol characteristics in the Ethernet traffic data packet based on a rule matching method combining a black list and a white list of a rule set; when any one or more messages in the Ethernet flow data packet conform to any rule in the rule matching method, reporting and recording a network abnormal event;
a system operation result monitoring step, wherein the monitored steam turbine control protection system is accessed through a physical I/O interface, and a state input value and a real-time operation result of a specific control logic in the DPU control unit of the monitored steam turbine control protection system are acquired; meanwhile, the same state input value is input into a DPU simulation unit that simulates the operation of the DPU control unit under an ideal state, and a reference operation result of the DPU simulation unit simulating the operation of the DPU control unit of the monitored steam turbine control protection system is acquired; the real-time operation result is compared with the simulation operation result and the error is calculated; if the comparison error exceeds a manually set error threshold value, the DPU control unit is judged to be abnormal, and a DPU abnormal event is recorded and reported;
a correlation analysis step of performing correlation analysis on the network abnormal event in the network data abnormal analysis step and the DPU abnormal event in the system operation result monitoring step based on a time axis through an independent comprehensive analysis module/device/system, specifically, on the basis of a time point of occurrence of the network abnormal event, correspondingly checking the DPU abnormal event in a plurality of minutes thereafter for correlation, and on the basis of the time point of occurrence of the DPU abnormal event, correspondingly checking the network abnormal event in a plurality of minutes before for correlation; the two analysis strategies run simultaneously, and the network security event or the abnormal information of the control unit is guaranteed not to be reported in a missing mode.
A comprehensive analysis step, namely judging whether the network abnormal events and the network safety events corresponding to the DPU abnormal events can affect the safety of the steam turbine body or not according to the analysis result of the correlation analysis step; the comprehensive analysis results have various conditions, and under different conditions, the influence of the network attack on the steam turbine is different, so different emergency response plans should be formulated.
In the system operation result monitoring step, based on the existing control logic or control method in the DPU control unit of the monitored steam turbine control protection system, the existing control logic or control method is copied to the DPU simulation unit for simulating the operation of the DPU control unit under an ideal state to operate, a reference operation result which corresponds to the real-time operation result of the DPU control unit and is used as a comparison reference standard is obtained, and if the error value between the real-time operation result and the reference operation result exceeds a set error threshold value xi, the DPU control unit is judged to be abnormal.
Specifically, the error value between the real-time operation result and the reference operation resultWherein, f (x) is a real-time operation result obtained by the DPU control unit of the monitored steam turbine control protection system operating normally according to the existing control logic or control method, that is, an operation function operation result corresponding to the existing control logic or control method, such as a PID controller function,the DPU simulation unit simulates the reference operation result of operation under an ideal state according to the same control logic or control method in the DPU control unit of the monitored steam turbine control protection system, namely F (x) represents the system operation condition under a real working condition, andthe system is represented by the due operation condition of the system in an ideal state, if the difference between the two exceeds a system difference threshold value xi, the system is judged to be abnormal in operation under the real working condition, the physical meaning of xi refers to the deviation of the same algorithm in the implementation of two different physical systems, specifically,due to the difference of hardware and software and the noise of a physical I/O signal, the calculation result of the control logic in the monitoring system may deviate from the calculation result of the control logic in the DPU control unit of the target system, so that the error value error between the set real-time calculation result and the reference calculation result is greater than the error threshold value xi, and the target system control unit is judged to be abnormal.
The Ethernet flow data packet comprises data messages and control instruction messages among all engineer stations, operator stations and DPU control units in the steam turbine control protection system.
The data messages comprise collected data sent by the DPU control units to the engineer station and/or the operator station and data exchange among the DPU control units.
The control instruction message refers to a specific message which is issued by the engineer station and the operator station to the DPU control unit and has a control function, wherein the specific message comprises restart, configuration modification and control logic downloading instructions.
The known network attack characteristics refer to specific network messages that have been publicly disclosed and are definitely harmful; rules for these messages are set in blacklist mode.
The network protocol features refer to the specific network protocol used by the steam turbine control protection system manufacturer, which has definite keywords and identification features and may have an equipment authentication function; rules for these messages are set in whitelist mode.
Compared with the prior art, the technical scheme of the invention utilizes the original control logic or the newly added control logic of the steam turbine control protection system to realize the state monitoring of the steam turbine control protection system under the conditions of not changing the hardware of the original system and not implanting other software programs into the original system.
The severity of the network security event cannot be finely distinguished only by analyzing the network traffic, so that the emergency response plan cannot be refined, and the effect of the scheme in actual field application is poor. According to the technical scheme, the control unit monitoring based on the physical signal is added on the basis of the original network flow analysis, so that general network safety events and serious network safety events which possibly affect the safety of the steam turbine body can be effectively distinguished, and an emergency response scheme designed based on the method has a guiding significance for power plant operators.
Compared with technologies that implant other software or require the original manufacturer to provide a data interface, the technical scheme of the invention requires less modification of the field control protection system, can be applied to products of multiple control system manufacturers, and is more feasible to implement in engineering projects. Meanwhile, compared with monitoring software running in the control unit, the method uses the control logic configuration method that the control system itself requires, which provides a degree of obfuscation: it is difficult for a hacker to distinguish the control logic that controls the steam turbine from the control logic used for checking, so the possibility of it being attacked over the network is low. In addition, with the passive monitoring algorithm, the original control logic or method of the system under test is copied into the simulation system, the influence of environmental factors is eliminated, and the correct operation result that the DPU should theoretically obtain is directly simulated and used as the reference data for detecting DPU abnormality; the method is very direct and does not influence the normal operation of the system.
Drawings
The foregoing and following detailed description of the invention will be apparent when read in conjunction with the following drawings, in which:
FIG. 1 is a schematic structural diagram of a preferred embodiment of the on-line monitoring system of the present invention;
FIG. 2 is a logic diagram of a preferred embodiment of the on-line monitoring method of the present invention.
Detailed Description
The technical solutions for achieving the objects of the present invention are further illustrated by the following specific examples, and it should be noted that the technical solutions claimed in the present invention include, but are not limited to, the following examples.
Example 1
As a specific embodiment of the steam turbine network security real-time online monitoring system, as shown in fig. 1, the steam turbine network security offline monitoring system based on the passive monitoring algorithm includes a comprehensive analysis module, a control unit monitoring module, and a network traffic monitoring module which is connected to a system network, performs mirror image acquisition on an ethernet traffic data packet of a steam turbine control protection system in the system network, and analyzes a network abnormal event; the network flow monitoring module collects the full network communication flow in the network by accessing a system network switch mirror image port of a target system. When the target system is a dual-network redundant structure, two exchanger mirror ports of the dual-network are accessed at the same time, and all the flow in the two networks is collected; in order to ensure that the network traffic monitoring module does not interfere with the target system, it is considered to add an isolation device between the network traffic monitoring module and the target system to ensure that the traffic at the mirror port is transmitted to the network traffic monitoring module in a one-way manner.
The steam turbine control protection system in the system network comprises a plurality of field control stations, each field control station comprises a DPU (distributed processing unit) control unit, and the control unit monitoring module is connected with each field control station and used for acquiring the operation result of the DPU control unit; the DPU simulation unit has the same control logic or control algorithm as the DPU control unit and is arranged in a standard simulation environment to simulate the operation of the DPU control unit in a normal working state; that is, the DPU control unit operates normally in the actual environment to obtain a real-time data result, while the DPU simulation unit runs the same logic in the standard environment to obtain the theoretically correct operation result of the DPU control unit as a reference; the control unit monitoring module simultaneously acquires the real-time operation result of the DPU control unit and the reference operation result of the DPU simulation unit in simulated operation under an ideal environment, and compares and analyzes the two to obtain abnormal events of the DPU control unit;
the comprehensive analysis module collects the network abnormal events and the DPU control unit abnormal events for correlation analysis. It may be an independent high-performance device/system, or may be integrated with the network flow monitoring module and the control unit monitoring module in the same high-performance device/system. Preferably, it provides a human-machine interface (HMI) for field operators of the power plant, used for displaying comprehensive network security analysis results and viewing abnormal event records reported by the network flow monitoring module or the control unit monitoring module. It also has the function of managing the network flow monitoring module or the control unit monitoring module.
That is, the system consists of three modules: the network flow monitoring module, the control unit monitoring module and the comprehensive analysis module.
Further, the field control station comprises a DPU control unit, a control network and a physical I/O interface of the monitored steam turbine control protection system, wherein the control unit monitoring module is connected to the control network through the physical I/O interface and is connected to the system network through the DPU control unit; the physical I/O interface comprises an input type I/O card and an output type I/O card; the control unit monitoring module acquires the operation result of the DPU control unit through a physical I/O interface and a control network; that is, the control unit monitoring module utilizes the idle channels of the input type I/O card and the output type I/O card of the target system, and generally requires that the corresponding I/O card is an analog input or output card, preferably, the signal range of the I/O card includes but is not limited to ± 10V DC voltage signal, ± 5V DC voltage signal, 0-10V DC voltage signal, 1-5V DC voltage signal, 4-20mA current signal, 0-20mA current signal, etc., no other switching module/device/system should be connected in series between the control unit monitoring module and the IO card of the target system, and meanwhile, a cable conforming to the national standard related to the turbine control protection system is adopted to ensure that the measured noise and the signal delay are small enough.
Preferably, the system network is further connected with a plurality of engineer stations and operator stations, and the engineer stations and the operator stations acquire or generate instructions from the DPU control units in the field control stations through the system network.
Example 2
Correspondingly, as a specific implementation scheme of the real-time offline monitoring method for the network security of the steam turbine, the embodiment specifically discloses a method comprising a network data acquisition step, a network data anomaly analysis step, a system operation result monitoring step, an association analysis step and a comprehensive analysis step, specifically:
the network data acquisition step is to acquire Ethernet flow data packets of the steam turbine control protection system by a network flow acquisition method based on a switch mirroring technology. Acquiring the Ethernet flow in this way does not influence or tamper with the data of the system, and the acquired flow completely covers data messages and control instruction messages among all engineer stations, operator stations and DPU control units in the steam turbine control protection system. The data messages mainly refer to collected data sent by the DPU control units to the engineer stations and the operator stations, and data exchange among the multiple DPU control units. The control instruction messages mainly refer to specific messages with control functions issued by an engineer station and an operator station to a DPU control unit, including but not limited to restart, configuration modification, control logic downloading and the like.
The network data anomaly analysis step is to analyze the known network attack characteristics and the network protocol characteristics in the Ethernet flow data packets based on a rule matching method whose rule set combines a blacklist and a whitelist; when any one or more messages in the Ethernet flow data packets conform to any rule in the rule set, a network abnormal event is reported and recorded. Known network attack characteristics mainly refer to specific network messages that have been publicly disclosed and are definitely harmful; rules for these messages are set in blacklist mode. Network protocol characteristics mainly refer to the specific network protocols used by manufacturers of steam turbine control protection systems; these protocols have definite keywords and identification characteristics and may have an equipment authentication function. Rules for these messages are set in whitelist mode.
The system operation result monitoring step is to access the monitored steam turbine control protection system through a physical I/O interface and acquire a state input value and a real-time operation result of a specific control logic in the DPU control unit of the monitored steam turbine control protection system; meanwhile, the same state input value is input into a DPU simulation unit that simulates the operation of the DPU control unit in an ideal state, and a reference operation result of the DPU simulation unit simulating the operation of the DPU control unit of the monitored steam turbine control protection system is acquired; the real-time operation result is compared with the simulation operation result and the error is calculated; if the comparison error exceeds a manually set error threshold value, the DPU control unit is judged to be abnormal, and a DPU abnormal event is recorded and reported;
the correlation analysis step is to perform correlation analysis on the network abnormal event in the network data abnormal analysis step and the DPU abnormal event in the system operation result monitoring step based on a time axis through an independent comprehensive analysis module/device/system, and the like, specifically:
1. correspondingly checking DPU abnormal events in a plurality of minutes after the network abnormal event occurs and associating the DPU abnormal events on the basis of the time point of the network abnormal event;
2. and associating the network abnormal events in a plurality of minutes before the detection on the basis of the time point of the DPU abnormal event.
The two analysis strategies run simultaneously, and the network security event or the abnormal information of the control unit is guaranteed not to be reported in a missing mode.
The comprehensive analysis step judges, from the result of the correlation analysis step, whether the network security events corresponding to the network abnormal events and the DPU abnormal events can affect the safety of the steam turbine itself. The comprehensive analysis can produce several different outcomes, and the influence of a network attack on the steam turbine differs between them, so a different emergency response plan should be formulated for each.
Preferably, in the system operation result monitoring step, the existing control logic or control method in the DPU control unit of the monitored steam turbine control protection system is copied to the DPU simulation unit, which simulates the operation of the DPU control unit in an ideal state. Running it there yields a reference operation result that corresponds to the real-time operation result of the DPU control unit and serves as the comparison standard. If the error value between the real-time operation result and the reference operation result exceeds a set error threshold ξ, the DPU control unit is judged to be abnormal.
Specifically, an error value is calculated between the real-time operation result and the reference operation result. Here F(x) is the real-time operation result obtained by the DPU control unit of the monitored steam turbine control protection system operating normally according to the existing control logic or control method, that is, the result of the operation function corresponding to that control logic or control method, such as a PID controller function. The reference operation result is obtained by the DPU simulation unit simulating operation in an ideal state according to the same control logic or control method as in the DPU control unit of the monitored system. In other words, F(x) represents the system operating condition under real working conditions, and the reference operation result represents the system operating condition in an ideal state; if the difference between the two exceeds the system difference threshold ξ, the system operation under real working conditions is judged to be abnormal. Physically, ξ is the deviation that arises when the same algorithm is implemented on two different physical systems: because of differences in hardware and software and noise in the physical I/O signals, the result calculated by the control logic in the monitoring system may deviate from the result calculated by the control logic in the DPU control unit of the target system. Therefore, the control unit of the target system is judged to be abnormal when the error value between the real-time operation result and the reference operation result is greater than the error threshold ξ.
As described above, an example of the results of a practical application is given here in the form of a table (Table 1).
TABLE 1
In actual operation, the network data anomaly analysis results and the system operation monitoring results combine as follows (see Table 1):
When the network anomaly analysis shows an abnormality and the system operation result monitoring shows normal, the system itself can be judged to have no abnormality, only network data errors caused by erroneous network data or instructions. This can be classed as a general network security accident; the emergency plan can be that the unit keeps operating normally while the system network, engineer station and operator station are checked, without shutting down for inspection.
When the network anomaly analysis shows normal and the system operation result monitoring shows an abnormality, the system can be judged to be faulty or attacked, and the event must be handled as a "control system fault".
When the network anomaly analysis and the system operation result monitoring both show an abnormality, a serious network security accident can be determined; the unit must be shut down for maintenance and the steam turbine control protection system thoroughly checked.
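The monitoring, correlation and comprehensive analysis steps described above can be sketched in Python as follows. This is an added example, not code from the patent. It assumes the error is the absolute difference between the real-time and reference results, a 5-minute correlation window, ξ = 0.5, and constructed sample events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

XI = 0.5                       # error threshold ξ, set manually (constructed value)
WINDOW = timedelta(minutes=5)  # "several minutes" on the page; 5 is an assumption

RESPONSE = {  # emergency response for each case described on the page
    "SERIOUS": "serious network security accident: shut down and inspect",
    "GENERAL": "general network security accident: keep running, check network and stations",
    "CONTROL_FAULT": "DPU faulty or attacked: handle as control system fault",
}

@dataclass(frozen=True)
class Event:
    kind: str       # "network" or "dpu"
    time: datetime
    detail: str

def dpu_events(samples, xi=XI):
    """Flag a DPU abnormal event when |real-time - reference| exceeds xi."""
    return [Event("dpu", t, f"error={abs(real - ref):.2f}")
            for t, real, ref in samples if abs(real - ref) > xi]

def correlate(network, dpu, window=WINDOW):
    """Return (network_event, dpu_event) pairs linked on the time axis."""
    pairs = set()
    for n in network:  # strategy 1: look forward from each network event
        pairs |= {(n, d) for d in dpu if n.time <= d.time <= n.time + window}
    for d in dpu:      # strategy 2: look backward from each DPU event
        pairs |= {(n, d) for n in network if d.time - window <= n.time <= d.time}
    return pairs

def triage(network, dpu, window=WINDOW):
    """Classify every event into one of the three cases, ordered by time."""
    pairs = correlate(network, dpu, window)
    linked = {e for pair in pairs for e in pair}
    verdicts = {("SERIOUS", d.time) for _, d in pairs}
    verdicts |= {("GENERAL", n.time) for n in network if n not in linked}
    verdicts |= {("CONTROL_FAULT", d.time) for d in dpu if d not in linked}
    return sorted(verdicts, key=lambda v: v[1])

# Constructed sample data: two network abnormal events and three DPU samples
# given as (time, real-time result F(x), reference result from the simulation unit).
T0 = datetime(2020, 7, 3, 10, 0)
NETWORK = [
    Event("network", T0, "control logic download instruction"),
    Event("network", T0 + timedelta(minutes=60), "blacklist rule match"),
]
SAMPLES = [
    (T0 + timedelta(minutes=2), 52.0, 50.1),    # deviates right after a network event
    (T0 + timedelta(minutes=30), 50.3, 50.1),   # within ξ: hardware and I/O noise only
    (T0 + timedelta(minutes=120), 47.0, 50.0),  # deviates with no network event nearby
]

if __name__ == "__main__":
    for case, when in triage(NETWORK, dpu_events(SAMPLES)):
        print(when.isoformat(), case, "->", RESPONSE[case])
```

On a complete recorded data set the two strategies find the same pairs; running both matters when events arrive as a stream, where either side of a pair may be seen first.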
Claims (10)
1. A steam turbine network security offline monitoring system based on a passive monitoring algorithm, characterized in that: the system comprises a comprehensive analysis module, a control unit monitoring module and a network traffic monitoring module, wherein the network traffic monitoring module is connected to a system network, collects by mirroring the Ethernet traffic data packets of a steam turbine control protection system in the system network, and analyzes network abnormal events;
the steam turbine control protection system in the system network comprises a plurality of field control stations, each field control station comprises a DPU (distributed processing unit) control unit, and the control unit monitoring module is connected with each field control station and used for acquiring the operation result of the DPU control unit; a DPU simulation unit has the same control logic or control algorithm as the DPU control unit and is used for simulating, in a standard simulation environment, the operation of the DPU control unit in a normal working state;
the control unit monitoring module is used for simultaneously acquiring the real-time operation result of the DPU control unit and the reference operation result of the DPU simulation unit operating in simulation in an ideal environment, and for comparing and analyzing the real-time operation result and the reference operation result to obtain abnormal events of the DPU control unit;
and the comprehensive analysis module collects the network abnormal events and the DPU control unit abnormal events and performs correlation analysis on them.
2. The steam turbine network security offline monitoring system based on a passive monitoring algorithm according to claim 1, characterized in that: the field control station comprises the DPU control unit, a control network and a physical I/O interface of the monitored steam turbine control protection system, wherein the control unit monitoring module is connected to the control network through the physical I/O interface and is connected to the system network through the DPU control unit; the physical I/O interface comprises an input-type I/O card and an output-type I/O card; and the control unit monitoring module acquires the operation result of the DPU control unit through the physical I/O interface and the control network.
3. The steam turbine network security offline monitoring system based on a passive monitoring algorithm according to claims 1 and 2, characterized in that: the engineer station and the operator station acquire or generate instructions to the DPU control unit in the field control station through the system network.
4. A steam turbine network security offline monitoring method based on a passive monitoring algorithm, characterized by comprising the following steps:
a network data acquisition step of acquiring the Ethernet traffic data packets of a steam turbine control protection system by a network traffic acquisition method based on switch mirroring technology;
a network data anomaly analysis step of analyzing the known network attack characteristics and the network protocol characteristics in the Ethernet traffic data packets based on a rule matching method whose rule set combines a blacklist and a whitelist; when any one or more messages in the Ethernet traffic data packets conform to any rule in the rule matching method, a network abnormal event is reported and recorded;
a system operation result monitoring step of accessing the monitored steam turbine control protection system through a physical I/O interface and acquiring the state input value and the real-time operation result of a specific control logic in a DPU (distributed processing unit) control unit of the monitored steam turbine control protection system, while feeding the state input value of that control logic into a DPU simulation unit that simulates the operation of the DPU control unit in an ideal state and acquiring the reference operation result of the DPU simulation unit; comparing the real-time operation result with the reference operation result and calculating the error; if the error exceeds a manually set error threshold, judging that the DPU control unit is abnormal, and recording and reporting a DPU abnormal event;
a correlation analysis step of correlating, on a time axis and through an independent comprehensive analysis module/device/system, the network abnormal events from the network data anomaly analysis step with the DPU abnormal events from the system operation result monitoring step; specifically, taking the time point at which a network abnormal event occurred as the base, checking for and associating DPU abnormal events in the several minutes that follow, and taking the time point at which a DPU abnormal event occurred as the base, checking for and associating network abnormal events in the several minutes that precede it;
and a comprehensive analysis step of judging, from the result of the correlation analysis step, whether the network security events corresponding to the network abnormal events and the DPU abnormal events can affect the safety of the steam turbine itself.
5. The steam turbine network security offline monitoring method based on a passive monitoring algorithm according to claim 4, characterized in that: in the system operation result monitoring step, the existing control logic or control method in the DPU control unit of the monitored steam turbine control protection system is copied to the DPU simulation unit, which simulates the operation of the DPU control unit in an ideal state, to obtain a reference operation result that corresponds to the real-time operation result of the DPU control unit and serves as the comparison standard; if the error value between the real-time operation result and the reference operation result exceeds a set error threshold ξ, the DPU control unit is judged to be abnormal.
6. The steam turbine network security offline monitoring method based on a passive monitoring algorithm according to claim 5, characterized in that: an error value is calculated between the real-time operation result and the reference operation result, wherein F(x) is the real-time operation result obtained by the DPU control unit of the monitored steam turbine control protection system operating normally according to the existing control logic or control method, that is, the result of the operation function corresponding to the existing control logic or control method; the reference operation result is the result of the DPU simulation unit simulating operation in an ideal state according to the same control logic or control method as in the DPU control unit of the monitored steam turbine control protection system; and if the error value between the real-time operation result and the reference operation result is greater than the error threshold ξ, the target system control unit is judged to be abnormal.
7. The steam turbine network security offline monitoring method based on a passive monitoring algorithm according to claim 4, characterized in that: the Ethernet traffic data packets comprise the data messages and control instruction messages exchanged among all engineer stations, operator stations and DPU control units in the steam turbine control protection system.
8. The steam turbine network security offline monitoring method based on a passive monitoring algorithm according to claim 7, characterized in that: the data messages comprise collected data sent by the DPU control units to the engineer station and/or the operator station, and data exchanged among the DPU control units.
9. The steam turbine network security offline monitoring method based on a passive monitoring algorithm according to claim 4, characterized in that: the control instruction message refers to a specific message with a control function that is issued by the engineer station or the operator station to the DPU control unit, including restart, configuration modification and control logic download instructions.
10. The steam turbine network security offline monitoring method based on a passive monitoring algorithm according to claim 4, characterized in that: the known network attack characteristics refer to specific network messages that have been publicly disclosed and are definitely harmful, and rules for these messages are set in blacklist mode; the network protocol characteristics refer to a specific network protocol that is used by a steam turbine control protection system manufacturer and has definite keywords and identification characteristics, the specific network protocol has a device authentication function, and rules for these messages are set in whitelist mode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010636106.6A CN113882908B (en) | 2020-07-03 | 2020-07-03 | Steam turbine network safety off-line monitoring system and method based on passive monitoring algorithm |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113882908A (en) | 2022-01-04 |
CN113882908B (en) | 2023-07-25 |
Family
ID=79013321
Family Applications (1)
Application Number | Status | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|---|
CN202010636106.6A | Active | CN113882908B (en) | 2020-07-03 | 2020-07-03 | Steam turbine network safety off-line monitoring system and method based on passive monitoring algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113882908B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN113882908B (en) | 2023-07-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | Effective date of registration: 20220622. Address after: 610000 18 West core road, hi-tech West District, Chengdu, Sichuan. Applicant after: DONGFANG ELECTRIC Co.,Ltd. Address before: 610036 Shu Han Road, Jinniu District, Chengdu, Sichuan Province, No. 333. Applicant before: DONGFANG ELECTRIC Corp. |
GR01 | Patent grant | ||