CN114095223A - IEC 60870-5-104-based power device safety access system and control method thereof - Google Patents

Publication number
CN114095223A
Authority
CN
China
Prior art keywords
station module
slave station
master station
access system
power device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111341888.1A
Other languages
Chinese (zh)
Inventor
侍文博
方正
李永亮
应站煌
高建琨
周晓娟
刘博�
陈强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xuchang XJ Software Technology Co Ltd
Original Assignee
Xuchang XJ Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xuchang XJ Software Technology Co Ltd
Priority to CN202111341888.1A
Publication of CN114095223A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L67/143 Termination or inactivation of sessions, e.g. event-controlled end of session

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

The invention discloses a power device secure access system based on IEC 60870-5-104 and a control method thereof. The system comprises a 104 master station module and a 104 slave station module; the 104 master station module is located in the master station device, and the 104 slave station module is located in the slave station device; the 104 master station module prestores the security information of all slave station devices to be connected, and the 104 slave station module prestores the security information; the 104 master station module and the 104 slave station module transmit encrypted security authentication data using a preset encryption mode. ASDU security authentication verifies the 104 master station module of the master station device and the 104 slave station module of the slave station device, so that the security authentication data exchanged between the two modules is encrypted in transit, access by unauthenticated or illegitimate devices is effectively prevented, the possibility of an illegitimate device replacing a legitimate one is avoided, leakage of or tampering with service data is avoided, and the connection security of power equipment is improved.

Description

IEC 60870-5-104-based power device safety access system and control method thereof
Technical Field
The invention relates to the technical field of information transmission for power equipment, and in particular to a power device secure access system based on IEC 60870-5-104 and a control method thereof.
Background
The IEC 60870-5-104 telecontrol protocol (hereinafter the IEC104 protocol) is an international standard widely used in industries such as electric power and urban rail transit. It is suited to data transmission over Ethernet between a dispatching master station and a substation, or between a dispatching master station and a remote terminal unit (RTU), and is a companion standard of the IEC 60870-5 series. The IEC104 protocol carries the Application Service Data Unit (ASDU) of IEC101 over TCP/IP; combined with the ASDU format of the IEC101 protocol, this ensures both the standardization of the protocol and the reliability of communication. To ensure reliable communication of the application-layer ASDU, the IEC104 protocol encapsulates it with an APCI transmission interface and specifies mechanisms that prevent message loss and duplicate transmission. Its advantages include good real-time performance, high reliability, large data throughput, easy expansion of the information volume and support for network transmission.
The IEC104 specification defines three message formats: I format, S format and U format. An I-format message transfers information and contains an Application Service Data Unit (ASDU). An S-format message acknowledges received messages when there is no I-format message to carry the acknowledgement, and contains no ASDU. A U-format message controls the data transmission process, mainly start of data transfer (STARTDT), stop of data transfer (STOPDT) and the TCP link test (TESTFR), and contains no ASDU.
The IEC104 protocol communicates over TCP, the reliable protocol of the network transport layer, and generally distinguishes a master station from a slave station. The master station (controlling end) is the TCP client and the slave station (controlled end) is the TCP server: the master station actively opens the TCP connection, the slave station passively accepts it, and the two begin normal 104 message exchange once the TCP connection is established. Both parties typically use the default TCP port number 2404.
In actual substation engineering projects, the IEC104 protocol is mainly used for communication between dispatching and the telecontrol device in a substation, and between the telecontrol device and the local devices in the station. When dispatching communicates with the telecontrol device, dispatching acts as the IEC104 master station and the telecontrol device in the substation acts as the IEC104 slave station; dispatching actively initiates a TCP connection to the telecontrol device, and normal substation service data exchange takes place once the connection is established through the three-way handshake. When the telecontrol device communicates with a local device in the station, the telecontrol device acts as the IEC104 master station and the local device acts as the IEC104 slave station; the telecontrol device actively initiates a TCP connection to the local device, and service exchange takes place once the connection is established.
In general, two power devices that need to communicate over the IEC104 protocol must be assigned the roles of master station device and slave station device. Both devices must support the IEC104 communication protocol. The master station device acts as the TCP client and actively initiates a TCP connection request to the slave station device; the slave station device acts as the TCP server and listens for the TCP connection from the master station device. After the TCP three-way handshake the two devices have a communication connection and begin to exchange service messages. However, the IEC104 protocol itself has no secure access authentication mechanism: any master station device can initiate a connection to a slave station device and exchange service data with it, and the slave station device has no effective way to authenticate the master station device that connects. Access by unauthenticated or illegitimate devices therefore cannot be effectively prevented, an illegitimate device may take the place of a legitimate one, and service data is easily leaked or tampered with, which is a security risk.
Disclosure of Invention
The invention aims to provide a power device secure access system based on IEC 60870-5-104 and a control method thereof, in which ASDU security authentication verifies the 104 master station module of the master station device and the 104 slave station module of the slave station device, so that the security authentication data exchanged between the two modules is encrypted in transit, access by unauthenticated or illegitimate devices is effectively prevented, the possibility of an illegitimate device replacing a legitimate one is avoided, leakage of or tampering with service data is avoided, and the connection security of power equipment is improved.
To solve the above technical problem, a first aspect of an embodiment of the present invention provides a power device secure access system based on IEC 60870-5-104, including: a 104 master station module and a 104 slave station module;
the 104 master station module is located in the master station device, and the 104 slave station module is located in the slave station device;
the 104 master station module prestores the security information of all the slave station devices to be connected, and the 104 slave station module prestores the security information;
and the 104 master station module and the 104 slave station module transmit encrypted security authentication data using a preset encryption mode.
Further, the preset encryption mode is ASDU security authentication.
Further, the format of the ASDU security authentication type message includes: type identification, variable structure qualifier, cause of transmission, ASDU common address, information object address and information object content.
Further, the 104 slave station module further stores: the IP addresses of all the master station devices to be connected.
Further, the security information includes: IP address, username, and password.
Further, the 104 master station module and the 104 slave station module establish a TCP connection through a preset number of handshakes.
Correspondingly, a second aspect of the embodiment of the invention provides a control method for the power device secure access system based on IEC 60870-5-104, used for controlling that system and comprising the following steps:
sending encrypted security information by the 104 master station module;
decrypting the security information by the 104 slave station module and judging whether security authentication is passed;
if so, carrying out information transmission; otherwise, closing the TCP connection.
Further, before the 104 master station module sends the encrypted security information, the method further includes:
initiating a TCP connection to the 104 slave station module by the 104 master station module;
judging, by the 104 slave station module, whether the IP address of the 104 master station module is in a pre-stored security list;
if so, establishing the TCP connection; otherwise, closing the TCP connection.
Further, the security information includes: IP address, username, and password.
The technical scheme of the embodiment of the invention has the following beneficial technical effects:
ASDU security authentication verifies the 104 master station module of the master station device and the 104 slave station module of the slave station device, so that the security authentication data exchanged between the two modules is encrypted in transit, access by unauthenticated or illegitimate devices is effectively prevented, the possibility of an illegitimate device replacing a legitimate one is avoided, leakage of or tampering with service data is avoided, and the connection security of power equipment is improved.
Drawings
FIG. 1 is a schematic diagram of a power device secure access system based on IEC 60870-5-104 according to an embodiment of the present invention;
FIG. 2 is a flowchart of a control method for a power device secure access system based on IEC 60870-5-104 according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings in conjunction with the following detailed description. It should be understood that the description is intended to be exemplary only, and is not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
Referring to FIG. 1, a first aspect of the embodiment of the present invention provides a power device secure access system based on IEC 60870-5-104, including: a 104 master station module and a 104 slave station module; the 104 master station module is located in the master station device, and the 104 slave station module is located in the slave station device; the 104 master station module prestores the security information of all slave station devices to be connected, and the 104 slave station module prestores the security information; the 104 master station module and the 104 slave station module transmit encrypted security authentication data using a preset encryption mode.
In this technical scheme, ASDU security authentication verifies the 104 master station module of the master station device and the 104 slave station module of the slave station device, so that the security authentication data exchanged between the two modules is encrypted in transit, access by unauthenticated or illegitimate devices is effectively prevented, the possibility of an illegitimate device replacing a legitimate one is eliminated, leakage of or tampering with service data is avoided, and the connection security of power equipment is improved.
Further, the preset encryption mode is ASDU security authentication.
Further, the format of the ASDU security authentication type message includes: type identification, variable structure qualifier, cause of transmission, ASDU common address, information object address and information object content.
The ASDU security authentication type is defined by extending the IEC104 protocol: the ASDU type identification is extended, and user name and password information for security authentication is added to the information object content. The extended data unit structure uses frame format FT1.2, and its format, type, address, structure qualifier, cause of transmission and so on remain compatible with the basic 104 services. The specific ASDU structure is defined in Table 1; for example, the extended ASDU type identifier is 248, and the information object carries the user name and password information, with the length limited to a maximum of 32 bytes.
Table 1: IEC104 extended security ASDU message structure definition (table image not reproduced)
Further, the 104 slave station module further stores: the IP addresses of all master station devices to be connected.
Further, the security information includes: IP address, username, and password.
Further, the 104 master station module and the 104 slave station module establish a TCP connection through a preset number of handshakes.
Accordingly, referring to FIG. 2, a second aspect of the embodiment of the present invention provides a control method for the power device secure access system based on IEC 60870-5-104, used for controlling that system and including the following steps:
Step S200: the 104 master station module sends the encrypted security information.
Step S300: the 104 slave station module decrypts the security information and judges whether security authentication is passed.
Step S400: if so, information transmission is carried out; otherwise, the TCP connection is closed.
Further, before the 104 master station module sends the encrypted security information, the method further includes:
Step S110: the 104 master station module initiates a TCP connection to the 104 slave station module.
Step S120: the 104 slave station module judges whether the IP address of the 104 master station module is in a pre-stored security list.
Step S130: if so, the TCP connection is established; otherwise, the TCP connection is closed.
Further, the security information includes: IP address, username, and password.
The above control method is described below with a specific embodiment.
S1. Deploy the 104 master station module (the SC104 module) on the master station device, and configure the IP address, user name and password of the slave station device.
S2. Deploy the 104 slave station module (the SS104 module) on the slave station device, configure the local user name and password, and add the IP address of the master station device from S1 to the whitelist of IP addresses allowed to access.
S3. The SS104 module listens on port 2404 and waits for a TCP connection.
S4. The SC104 module initiates a TCP connection to port 2404 of the configured slave station device IP address.
S5. The SS104 module and the SC104 module complete the three-way handshake to establish the TCP connection and establish the IEC104 link.
S6. The SC104 module encrypts the configured slave station device user name and password separately using the AES algorithm, constructs a security authentication message (ASDU type 248) from the encrypted data, and sends the message to the SS104 module.
S7. The SS104 module receives the security authentication message, parses it and decrypts the user name and password in it separately, and compares the decrypted user name and password with the local user name and password. If they match, the flow proceeds to S8; if not, the current TCP connection is closed and the flow goes to S3.
S8. The master station device and the slave station device complete security authentication and start normal service data exchange.
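The following added example (not code from the patent or from any product) sketches the slave-side decision that steps S110 to S130 and S3 to S8 describe, together with the I/S/U frame classification from the Background. Table 1, the AES mode and the key handling are not given on this page, so the information-body layout (two length-prefixed fields), the VSQ, cause-of-transmission and address values, closing the connection on service data received before authentication, and the `demo_cipher` stand-in for the AES step are assumptions; all function and class names are hypothetical.

```python
import hmac
import ipaddress
import struct

START = 0x68            # APCI start octet
AUTH_TYPE_ID = 248      # extended ASDU type identifier named in the description
MAX_FIELD = 32          # user name / password length limit from the description
U_FUNCS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_apdu(frame: bytes):
    """Classify one APDU as I, S or U format; return (fmt, detail, asdu)."""
    if len(frame) < 6 or frame[0] != START or frame[1] != len(frame) - 2:
        raise ValueError("malformed APCI")
    c1 = frame[2]
    if c1 & 0x01 == 0:                       # I format: carries an ASDU
        return "I", struct.unpack_from("<H", frame, 2)[0] >> 1, frame[6:]
    if len(frame) != 6:
        raise ValueError("S/U frames carry no ASDU")
    if c1 & 0x03 == 0x01:                    # S format: acknowledgement only
        return "S", struct.unpack_from("<H", frame, 4)[0] >> 1, b""
    return "U", U_FUNCS.get(c1, "unknown"), b""   # U format: link control


def build_auth_apdu(enc_user: bytes, enc_pw: bytes, send_seq=0, recv_seq=0, ca=1):
    """Master side (S6): wrap the two encrypted fields in a type-248 I frame.
    Assumed body layout: [len][enc user][len][enc password]; IOA 0, COT 6."""
    asdu = struct.pack("<BBHH", AUTH_TYPE_ID, 1, 6, ca) + b"\x00\x00\x00"
    asdu += bytes([len(enc_user)]) + enc_user + bytes([len(enc_pw)]) + enc_pw
    apci = struct.pack("<BBHH", START, 4 + len(asdu), send_seq << 1, recv_seq << 1)
    return apci + asdu


def parse_auth_asdu(asdu: bytes):
    """Slave side (S7): return (enc_user, enc_pw) from a type-248 ASDU."""
    if len(asdu) < 9 or asdu[0] != AUTH_TYPE_ID:
        raise ValueError("not a security-authentication ASDU")
    body, fields, pos = asdu[9:], [], 0      # skip type, VSQ, COT, CA, IOA
    for _ in range(2):
        if pos >= len(body):
            raise ValueError("truncated information body")
        n = body[pos]
        field = body[pos + 1:pos + 1 + n]
        if len(field) != n:
            raise ValueError("field length exceeds frame")
        fields.append(field)
        pos += 1 + n
    if pos != len(body):
        raise ValueError("trailing bytes after password field")
    return fields[0], fields[1]


class SlaveGate:
    """Per-connection access decision on the slave station."""

    def __init__(self, allowed_masters, username: bytes, password: bytes, decrypt):
        self.allowed = {ipaddress.ip_address(a) for a in allowed_masters}
        self.username, self.password, self.decrypt = username, password, decrypt
        self.authenticated = False

    def accept(self, peer_ip: str) -> bool:
        """Whitelist check made when the TCP connection arrives (S120)."""
        return ipaddress.ip_address(peer_ip) in self.allowed

    def on_frame(self, frame: bytes) -> str:
        """Return 'pass', 'authenticated' or 'close' for one received APDU."""
        try:
            fmt, _, asdu = parse_apdu(frame)
            if fmt != "I" or self.authenticated:
                return "pass"                # link control, or already verified
            enc_user, enc_pw = parse_auth_asdu(asdu)
            user, pw = self.decrypt(enc_user), self.decrypt(enc_pw)
        except ValueError:
            return "close"                   # malformed, or service data before auth
        ok = len(user) <= MAX_FIELD and len(pw) <= MAX_FIELD
        ok &= hmac.compare_digest(user, self.username)   # constant-time compare
        ok &= hmac.compare_digest(pw, self.password)
        self.authenticated = bool(ok)
        return "authenticated" if ok else "close"


def demo_cipher(data: bytes) -> bytes:
    """Constructed stand-in for the AES step so the example runs offline."""
    return bytes(b ^ 0x5A for b in data)
```

A deployment would pass its own AES decryption routine as `decrypt` and raise `ValueError` from it on failure, which the gate treats as a reason to close the connection.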
In the control method of the IEC 60870-5-104-based power device secure access system, ASDU security authentication verifies the 104 master station module of the master station device and the 104 slave station module of the slave station device, so that the security authentication data exchanged between the two modules is encrypted in transit, access by unauthenticated or illegitimate devices is effectively prevented, the possibility of an illegitimate device replacing a legitimate one is avoided, leakage of or tampering with service data is avoided, and the connection security of power equipment is improved.
The embodiment of the invention aims to protect a power device secure access system based on IEC 60870-5-104 and a control method thereof, wherein the system comprises: a 104 master station module and a 104 slave station module; the 104 master station module is located in the master station device, and the 104 slave station module is located in the slave station device; the 104 master station module prestores the security information of all slave station devices to be connected, and the 104 slave station module prestores the security information; the 104 master station module and the 104 slave station module transmit encrypted security authentication data using a preset encryption mode. The technical scheme has the following effects:
ASDU security authentication verifies the 104 master station module of the master station device and the 104 slave station module of the slave station device, so that the security authentication data exchanged between the two modules is encrypted in transit, access by unauthenticated or illegitimate devices is effectively prevented, the possibility of an illegitimate device replacing a legitimate one is avoided, leakage of or tampering with service data is avoided, and the connection security of power equipment is improved.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (9)

1. An IEC 60870-5-104-based power device secure access system, comprising: a 104 master station module and a 104 slave station module;
the 104 master station module is located in the master station device, and the 104 slave station module is located in the slave station device;
the 104 master station module prestores the security information of all the slave station devices to be connected, and the 104 slave station module prestores the security information;
and the 104 master station module and the 104 slave station module transmit encrypted security authentication data using a preset encryption mode.
2. The IEC 60870-5-104-based power device secure access system of claim 1, wherein
the preset encryption mode is ASDU security authentication.
3. The IEC 60870-5-104-based power device secure access system of claim 2, wherein
the ASDU security authentication type message format comprises: type identification, variable structure qualifier, cause of transmission, ASDU common address, information object address and information object content.
4. The IEC 60870-5-104-based power device secure access system of claim 1, wherein
the 104 slave station module further stores: the IP addresses of all the master station devices to be connected.
5. The IEC 60870-5-104-based power device secure access system of claim 1, wherein
the security information includes: IP address, username, and password.
6. The IEC 60870-5-104-based power device secure access system of claim 1, wherein
the 104 master station module and the 104 slave station module establish a TCP connection through a preset number of handshakes.
7. A control method for an IEC 60870-5-104-based power device secure access system, used for controlling the IEC 60870-5-104-based power device secure access system as claimed in any one of claims 1-6, comprising the following steps:
sending encrypted security information by the 104 master station module;
decrypting the security information by the 104 slave station module and judging whether security authentication is passed;
if so, carrying out information transmission; otherwise, closing the TCP connection.
8. The control method of claim 7, wherein before the 104 master station module sends the encrypted security information, the method further comprises:
initiating a TCP connection to the 104 slave station module by the 104 master station module;
judging, by the 104 slave station module, whether the IP address of the 104 master station module is in a pre-stored security list;
if so, establishing the TCP connection; otherwise, closing the TCP connection.
9. The control method of claim 7, wherein
the security information includes: IP address, username, and password.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111341888.1A | 2021-11-12 | 2021-11-12 | IEC 60870-5-104-based power device safety access system and control method thereof

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202111341888.1A | 2021-11-12 | 2021-11-12 | IEC 60870-5-104-based power device safety access system and control method thereof

Publications (1)

Publication Number | Publication Date
CN114095223A (en) | 2022-02-25

Family

ID=80300382

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202111341888.1A (Pending, CN114095223A (en)) | IEC 60870-5-104-based power device safety access system and control method thereof | 2021-11-12 | 2021-11-12

Country Status (1)

Country | Link
CN (1) | CN114095223A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113542212A (en) * | 2021-05-21 | 2021-10-22 | 国网辽宁省电力有限公司鞍山供电公司 | Virtual power plant peak regulation instruction safety certification method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination