CN114243909A - Digital power grid safety isolation system - Google Patents


Info

Publication number
CN114243909A
Authority
CN
China
Prior art keywords
data
processor
power grid
extranet
intranet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111432076.8A
Other languages
Chinese (zh)
Inventor
邓清唐
蔡田田
陈波
杨英杰
关志华
陶伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111432076.8A
Publication of CN114243909A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
        • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
          • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
            • H02J13/00001 characterised by the display of information or by user interaction, e.g. supervisory control and data acquisition systems [SCADA] or graphical user interfaces [GUI]
            • H02J13/00002 characterised by monitoring
            • H02J13/00006 characterised by information or instructions transport means between the monitoring, controlling or managing units and the monitored, controlled or operated power network element or electrical equipment
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 for separating internal from external traffic, e.g. firewalls
            • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
                • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                • H04L63/045 wherein the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
            • H04L63/14 for detecting or protecting against malicious traffic
              • H04L63/1408 by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 to assure secure computing or processing of information
                • G06F21/72 in cryptographic circuits
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
          • Y02E60/00 Enabling technologies; technologies with a potential or indirect contribution to GHG emissions mitigation
      • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
        • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
          • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
            • Y04S40/12 characterised by data transport means between the monitoring, controlling or managing units and the monitored, controlled or operated electrical equipment
              • Y04S40/128 involving the use of Internet protocol
            • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Human Computer Interaction (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Mathematical Physics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a digital power grid safety isolation system. The system can detect in real time whether the power grid data contain intrusion information, prevent the digital power grid from being attacked by hackers from the Internet, isolate the digital power grid from the external Internet, and thereby improve the safety of the digital power grid. The system comprises a plurality of intrusion detection nodes, an intrusion detector, an intranet processor and an extranet processor. The intrusion detection nodes are deployed at different positions of the digital power grid and are used for acquiring power grid data of the digital power grid and sending the power grid data to the intrusion detector; the intrusion detector is used for judging, according to a preset rule, whether intrusion information exists in the power grid data and, if so, generating an alarm signal and sending it to the intranet processor; and the intranet processor is used for stopping data transmission with the extranet processor according to the alarm signal.

Description

Digital power grid safety isolation system
Technical Field
The application relates to the technical field of network security, in particular to a digital power grid security isolation system.
Background
A digital power grid is a traditional power grid that has been digitally transformed by applying new-generation digital technologies such as cloud computing, big data, the Internet of Things, mobile internet, artificial intelligence and blockchain. It treats data as a production factor, uses data flow to guide and optimise energy flow and service flow, and gains flexibility, openness, interactivity, economy and shareability, making the power grid more intelligent, safe, reliable, green and efficient.
To prevent the power grid from being invaded and attacked by hackers during operation, a digital power grid is generally divided into an internal network (intranet) and an external network (extranet) by physical isolation technology when it is built and deployed. The intranet and the extranet still need to exchange data in a controlled way under specific conditions, so normal data exchange between them must be preserved while hacker intrusions and attacks are detected and blocked. Current physical isolation of the intranet and extranet generally protects the intranet in three ways: (1) switching an isolating switch component on and off; (2) stripping and re-assembling protocols; (3) fine-grained access control and log management.
However, while existing intranet/extranet isolation methods can isolate known attack types against a local system, they lack real-time detection of attacks on the physical isolation itself.
Disclosure of Invention
In view of the above, it is necessary to provide a digital power grid security isolation system for solving the above technical problems.
The application provides a digital power grid safety isolation system. The system comprises a plurality of intrusion detection nodes, an intrusion detector, an intranet processor and an extranet processor, wherein,
the plurality of intrusion detection nodes are deployed at a plurality of different positions of a digital power grid and used for acquiring power grid data of the digital power grid and sending the power grid data to the intrusion detector;
the intrusion detector is used for judging whether intrusion information exists in the power grid data according to a preset rule, if so, generating an alarm signal and sending the alarm signal to the intranet processor;
and the internal network processor is used for stopping data transmission with the external network processor according to the alarm signal.
In one embodiment, the system further comprises a switch controller, a first controllable switch, a second controllable switch and an intermediate memory, wherein
the switch controller is connected to the first controllable switch, the second controllable switch and the intermediate memory respectively, and is used for controlling the opening and closing of the first controllable switch and the second controllable switch such that at least one of the two switches is in an open (non-conducting) state at all times.
In one embodiment, for inbound traffic the extranet processor performs a protocol stripping operation on a data packet from the extranet to obtain the raw data, the raw data are cached in the intermediate memory, and the intranet processor reads the corresponding raw data from the intermediate memory; for outbound traffic the intranet processor writes data into the intermediate memory, and the extranet processor reads the data from the intermediate memory, encapsulates them according to the protocol and transmits the encapsulated data to the extranet.
In one embodiment, the first controllable switch controls whether data can pass between the extranet processor and the intermediate memory by switching the power supply between the extranet processor and the intermediate memory on and off, and the second controllable switch controls whether data can pass between the intermediate memory and the intranet processor by switching the power supply between the intermediate memory and the intranet processor on and off; together the two switches thus control the on-off of data transmission between the intranet and the extranet.
In one embodiment, the extranet processor runs a first network attack detection program, and the first network attack detection program is used for detecting and intercepting software attacks from the extranet.
In one embodiment, the intranet processor runs a second network attack detection program, and the second network attack detection program is used for detecting and intercepting computer viruses from the intermediate storage.
In one embodiment, the extranet processor further comprises an extranet security chip, and the extranet security chip is used for identity authentication and data encryption and decryption.
In one embodiment, the intranet processor further comprises an intranet security chip, and the intranet security chip is used for identity authentication and data encryption and decryption.
In one embodiment, the algorithms used for data encryption and decryption comprise at least one of a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and a hash algorithm (a hash algorithm provides integrity rather than confidentiality, so in practice it is used alongside a cipher rather than instead of one).
In one embodiment, the intermediate memory is an SRAM buffer, and the switch controller is an FPGA logic controller.
According to the digital power grid safety isolation system above, power grid data are acquired in real time by the plurality of intrusion detection nodes installed at different positions of the digital power grid and sent to the intrusion detector; the intrusion detector judges whether intrusion information exists in the power grid data and, if so, generates an alarm signal and sends it to the intranet processor; and the intranet processor terminates data transmission with the extranet processor according to the alarm signal. The embodiment can detect in real time whether the power grid data contain intrusion information, prevent the digital power grid from being attacked by hackers from the Internet, and improve the safety of the digital power grid.
Drawings
FIG. 1 is a diagram of an embodiment of an application environment of a digital power grid security isolation system;
FIG. 2 is a schematic structural diagram of a digital power grid security isolation system in one embodiment;
fig. 3 is a schematic structural diagram of a digital power grid security isolation system in another embodiment;
FIG. 4 is a diagram showing an internal structure of a computer device according to an embodiment;
Fig. 5 is an internal structural view of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The digital power grid security isolation system provided by the embodiments of the application can be applied in the environment shown in fig. 1. Fig. 1 includes an intranet, an extranet and a digital power grid security isolation system located between them; the intranet is the digital power grid and the extranet generally refers to the Internet. Because the number and scale of network devices in a conventional power grid keep growing, the various devices in the power grid are made intelligent and digital in order to improve service efficiency and ease management, for example by fitting them with intelligent chips so that power data such as voltage and current can be monitored in real time. It is therefore desirable to provide a digital grid security isolation system that protects the data security of the digital grid. The system isolates the intranet from the extranet, prevents the intranet from being invaded by hackers from the Internet, prevents information leakage from the intranet, and still allows limited information exchange between the intranet and the extranet through the system; it can be implemented as a combination of hardware and software.
In one embodiment, as shown in fig. 2, which is a schematic structural diagram of a digital power grid security isolation system, the system includes a plurality of intrusion detection nodes 201, an intrusion detector 202, an intranet processor 203 and an extranet processor 204. The intrusion detection nodes are deployed at a plurality of different locations of the digital power grid and are configured to acquire wireless spectrum data of the digital power grid and send the wireless spectrum data to the intrusion detector; the intrusion detector is used for judging, according to a preset rule, whether intrusion information exists in the wireless spectrum data and, if so, generating an alarm signal and sending it to the intranet processor; and the intranet processor is used for stopping data transmission with the extranet processor according to the alarm signal.
The extranet processor 204 and the intranet processor 203 may be computers, so that dedicated staff can visually supervise and manage the data exchange between the extranet and the intranet and notice alarm signals in time. Alternatively, the extranet and intranet processors may be servers or server clusters.
The intrusion detection nodes 201 are distributed at different positions of the intranet. Specifically, the names, IDs, functions, importance levels, average data throughput per unit time and positions of all intranet devices are inventoried, where a device is any device with a data processing function, such as a computer, server, switch or router. The nodes are placed according to the following rule: an intranet device statistical map and a data transmission path map are constructed using GIS (Geographic Information System) technology; the device statistical map is divided into a plurality of areas according to the data transmission path map; an initial intrusion detection node is preset at the central position of each area; and if the overlap of the signal ranges of two adjacent initial nodes exceeds a preset range threshold, a final intrusion detection node is placed midway between them and the two original adjacent initial nodes are deleted. An intrusion detection node monitors the spectrum changes caused by the devices within its signal receiving range during data exchange.
Optionally, the number of intrusion detection nodes around a device may be increased according to the importance level of the device, so as to improve detection accuracy. The intrusion detector may also transmit an interference (jamming) signal: once the centre frequency f_s and bandwidth Δf_s of the intruder have been detected, the centre frequency of the interfering signal may be chosen approximately equal to f_s and its bandwidth 2 to 5 times, or more than 3 to 5 times, Δf_s.
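The placement rule above (one initial node per GIS area, adjacent nodes merged into a midpoint node when their signal ranges overlap too much) as an added, runnable illustration that is not part of the patent. It assumes circular signal ranges of equal radius, an adjacency list derived from the data transmission path map, and region centres constructed for the example; the overlap threshold is expressed as a fraction of one node's coverage area.

```python
import math


def overlap_area(p, q, r1, r2):
    """Area of the intersection of two circles with centres p, q and radii r1, r2."""
    d = math.dist(p, q)
    if d >= r1 + r2:                       # disjoint
        return 0.0
    if d <= abs(r1 - r2):                  # one circle contains the other
        return math.pi * min(r1, r2) ** 2
    a = (d * d + r1 * r1 - r2 * r2) / (2 * d * r1)
    b = (d * d + r2 * r2 - r1 * r1) / (2 * d * r2)
    lens = 0.5 * math.sqrt((-d + r1 + r2) * (d + r1 - r2) * (d - r1 + r2) * (d + r1 + r2))
    return r1 * r1 * math.acos(a) + r2 * r2 * math.acos(b) - lens


def place_nodes(region_centres, adjacency, radius, overlap_threshold):
    """Initial node at every region centre; merge adjacent pairs whose signal-range
    overlap (as a fraction of one node's coverage) exceeds the threshold."""
    nodes = dict(region_centres)
    coverage = math.pi * radius ** 2
    merged = set()
    for a, b in adjacency:
        if a in merged or b in merged:
            continue                       # each initial node takes part in at most one merge
        frac = overlap_area(nodes[a], nodes[b], radius, radius) / coverage
        if frac > overlap_threshold:
            (ax, ay), (bx, by) = nodes[a], nodes[b]
            nodes[f"{a}+{b}"] = ((ax + bx) / 2, (ay + by) / 2)   # final node midway
            del nodes[a], nodes[b]                                # drop the two initial nodes
            merged.update((a, b))
    return nodes


# Constructed example (assumption): three areas from the GIS partition, with the
# adjacency taken from the transmission-path map, and a node signal radius of 2 units.
REGIONS = {"A": (0.0, 0.0), "B": (2.0, 0.0), "C": (10.0, 0.0)}
ADJACENT = [("A", "B"), ("B", "C")]

if __name__ == "__main__":
    print(place_nodes(REGIONS, ADJACENT, radius=2.0, overlap_threshold=0.3))
```

With the constructed input, A and B overlap by about 39% of a node's coverage and are replaced by a single node at (1, 0), while C is far enough away to keep its initial node.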
Specifically, intrusion detection nodes 201 are installed at different network locations of the digital power grid (i.e. the intranet); these nodes may acquire wired network data in real time or acquire wirelessly transmitted spectrum data. When power grid data pass through an intrusion detection node, the node intercepts the data and first sends them to the intrusion detector 202. An intrusion detection program is installed on the intrusion detector 202 and judges, through a preset program (also called a preset rule), whether the power grid data satisfy the rule and hence whether they contain intrusion information; if so, an alarm signal is generated and sent to the intranet processor 203. The alarm signal includes the source address of the power grid data, and if the source address belongs to the extranet, the intranet processor 203 stops data exchange with the extranet processor.
In this embodiment, power grid data are acquired in real time by the plurality of intrusion detection nodes installed at different positions of the digital power grid and sent to the intrusion detector; the intrusion detector judges whether intrusion information exists in the power grid data and, if so, generates an alarm signal and sends it to the intranet processor; and the intranet processor terminates data transmission with the extranet processor according to the alarm signal. The embodiment can detect in real time whether the power grid data contain intrusion information, prevent the digital power grid from being attacked by hackers from the Internet, and improve the safety of the digital power grid.
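The node / detector / intranet-processor chain described in the disclosure and in the paragraph above, as an added example that is not the patent's own code: records forwarded by the detection nodes are checked against preset rules, a matching record yields an alarm that carries the source address, and the intranet processor trips the link to the extranet processor only when that source is external. The address range, device inventory, rule set and sample records are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the digital grid (intranet) is addressed from 10.0.0.0/8;
# any other source address is treated as coming from the extranet.
INTRANET = ipaddress.ip_network("10.0.0.0/8")

# Assumption: a device inventory of the kind the description says is
# collected before placing nodes (name and average throughput, bytes/s).
DEVICES = {
    "10.0.1.10": {"name": "RTU-substation-A", "avg_bps": 2000},
    "10.0.1.20": {"name": "SCADA-server", "avg_bps": 50000},
}


def is_extranet(addr: str) -> bool:
    """True when the address lies outside the intranet range."""
    return ipaddress.ip_address(addr) not in INTRANET


# Preset rules: each takes one grid-data record and returns True on a match.
# This rule set is an illustration, not the patent's rule set.
RULES = {
    # A control write whose source is outside the grid is never legitimate.
    "control_write_from_extranet":
        lambda r: r["op"] == "write" and is_extranet(r["src"]),
    # Traffic addressed to a device that is not in the inventory.
    "unknown_destination":
        lambda r: r["dst"] not in DEVICES,
    # Throughput far above the destination device's recorded average.
    "throughput_anomaly":
        lambda r: r["dst"] in DEVICES and r["bps"] > 10 * DEVICES[r["dst"]]["avg_bps"],
}


@dataclass(frozen=True)
class Alarm:
    rule: str
    source: str   # the alarm carries the source address, as the description requires


class IntrusionDetector:
    """Applies the preset rules to each record forwarded by a detection node."""

    def __init__(self, rules=RULES):
        self.rules = rules

    def inspect(self, record):
        for name, rule in self.rules.items():
            if rule(record):
                return Alarm(name, record["src"])
        return None


class IntranetProcessor:
    """Receives alarms; stops the extranet exchange when the offender is external."""

    def __init__(self):
        self.extranet_link_up = True
        self.alarms = []

    def on_alarm(self, alarm: Alarm) -> bool:
        self.alarms.append(alarm)
        if is_extranet(alarm.source):
            self.extranet_link_up = False   # stop data exchange with the extranet processor
        return self.extranet_link_up


def run(records):
    """Feed records from the detection nodes through detector and intranet processor."""
    detector = IntrusionDetector()
    intranet = IntranetProcessor()
    for rec in records:
        alarm = detector.inspect(rec)
        if alarm is not None:
            intranet.on_alarm(alarm)
    return intranet


# Constructed sample records (not captured traffic): src, dst, operation, bytes/s.
SAMPLE = [
    {"src": "10.0.1.20", "dst": "10.0.1.10", "op": "write", "bps": 1500},
    {"src": "10.0.1.10", "dst": "10.0.1.20", "op": "read", "bps": 1800},
    {"src": "10.0.1.10", "dst": "10.0.1.20", "op": "read", "bps": 600000},
    {"src": "203.0.113.7", "dst": "10.0.1.10", "op": "write", "bps": 900},
]

if __name__ == "__main__":
    result = run(SAMPLE)
    for a in result.alarms:
        print(f"alarm: {a.rule} from {a.source}")
    print("extranet link up:", result.extranet_link_up)
```

The third sample record raises a throughput alarm but comes from an intranet address, so it is recorded without tripping the link; the fourth, a control write from an external address, is what actually stops the exchange with the extranet processor.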
In an embodiment, as shown in fig. 3, which is another structural schematic diagram of the digital power grid security isolation system, the system further includes a first controllable switch 301, an intermediate memory 302, a second controllable switch 303 and a switch controller 304. The extranet processor 204, the first controllable switch 301, the intermediate memory 302, the second controllable switch 303 and the intranet processor 203 are connected in series in that order; the switch controller 304 is connected to the first controllable switch 301, the second controllable switch 303 and the intermediate memory 302, and is configured to control the opening and closing of the first and second controllable switches while ensuring that at least one of them is in the open state at any time.
Specifically, the first controllable switch controls whether data can be transmitted between the extranet processor and the intermediate memory by switching the power supply between the extranet processor and the intermediate memory on or off, and the second controllable switch likewise controls whether data can be transmitted between the intermediate memory and the intranet processor by switching the power supply between the intermediate memory and the intranet processor on or off.
For example, when there is no data transmission requirement, both controllable switches are open. When data are to be sent from the extranet to the intranet, the first controllable switch is closed while the second controllable switch is kept open, and the extranet processor writes the data into the intermediate memory. Once all data have been written, a notification signal is returned to the switch controller, which opens the first controllable switch and only then closes the second controllable switch; the intranet processor reads the cached data from the intermediate memory, and once all data have been read the second controllable switch is opened again, so that both switches are back in the open state and the original network state is restored.
If data need to be sent from the intranet to the extranet, the second controllable switch is closed while the first controllable switch is kept open, the intranet processor writes the data into the intermediate memory for caching, then the second controllable switch is opened and the first controllable switch is closed, the cached data are sent to the extranet through the extranet processor, and finally both switches are restored to the initial state described above (both open). At no point in either sequence are the two switches closed at the same time.
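The two transfer sequences above and the invariant that at least one switch is always open, as an added example that is not part of the patent: a software model of the switch controller, the two controllable switches and the intermediate memory. A switch value of True means closed (power on, data can flow). That both switches rest open when idle, and the optional inspection callback that lets the intranet side examine the cached data before accepting it, are assumptions made for illustration.

```python
"""Added example, not the patent's own code: a model of the switch controller,
the two controllable switches and the intermediate memory of fig. 3. A switch
value of True means closed (power on, data can flow). The controller refuses
any state with both switches closed, which is the isolation property; that
both switches rest open when idle, and the optional `inspect` callback that
lets the intranet side examine the cached data before accepting it, are
assumptions made for illustration."""
from __future__ import annotations

from typing import Callable, List, Optional, Tuple


class IsolationViolation(RuntimeError):
    """Raised when an operation would bridge the extranet and intranet sides."""


class SwitchController:
    def __init__(self) -> None:
        self.sw1_closed = False   # extranet processor <-> intermediate memory
        self.sw2_closed = False   # intermediate memory <-> intranet processor
        self.memory: Optional[bytes] = None
        self.history: List[Tuple[bool, bool]] = [(False, False)]

    def set_switches(self, sw1: Optional[bool] = None, sw2: Optional[bool] = None) -> None:
        """Change one or both switches; never allows both to be closed at once."""
        new1 = self.sw1_closed if sw1 is None else sw1
        new2 = self.sw2_closed if sw2 is None else sw2
        if new1 and new2:
            raise IsolationViolation("both switches closed: extranet and intranet would share the memory")
        self.sw1_closed, self.sw2_closed = new1, new2
        self.history.append((new1, new2))

    # Memory accesses are only possible over a closed (powered) switch.
    def extranet_write(self, data: bytes) -> None:
        if not self.sw1_closed:
            raise IsolationViolation("first switch open: extranet processor cannot reach the memory")
        self.memory = data

    def extranet_read(self) -> bytes:
        if not self.sw1_closed or self.memory is None:
            raise IsolationViolation("first switch open or memory empty")
        return self.memory

    def intranet_write(self, data: bytes) -> None:
        if not self.sw2_closed:
            raise IsolationViolation("second switch open: intranet processor cannot reach the memory")
        self.memory = data

    def intranet_read(self) -> bytes:
        if not self.sw2_closed or self.memory is None:
            raise IsolationViolation("second switch open or memory empty")
        return self.memory

    def extranet_to_intranet(self, data: bytes,
                             inspect: Optional[Callable[[bytes], bool]] = None) -> Optional[bytes]:
        """The extranet-to-intranet sequence; returns None if the inspection rejects the data."""
        self.set_switches(sw1=True)     # close the first switch, second stays open
        self.extranet_write(data)       # extranet processor caches the data
        self.set_switches(sw1=False)    # all data written: open the first switch first
        self.set_switches(sw2=True)     # only then close the second switch
        cached = self.intranet_read()   # intranet processor reads the cache
        accepted = inspect is None or inspect(cached)
        self.memory = None              # clear the cache before releasing the path
        self.set_switches(sw2=False)    # back to the rest state, both open
        return cached if accepted else None

    def intranet_to_extranet(self, data: bytes) -> bytes:
        """The mirror sequence for data leaving the intranet."""
        self.set_switches(sw2=True)
        self.intranet_write(data)
        self.set_switches(sw2=False)
        self.set_switches(sw1=True)
        out = self.extranet_read()
        self.memory = None
        self.set_switches(sw1=False)
        return out

    def never_bridged(self) -> bool:
        """True if no recorded switch state had both switches closed."""
        return not any(a and b for a, b in self.history)


if __name__ == "__main__":
    ctl = SwitchController()
    print(ctl.extranet_to_intranet(b"measurement"))
    print(ctl.extranet_to_intranet(b"evil payload", inspect=lambda d: b"evil" not in d))
    print(ctl.intranet_to_extranet(b"report"))
    print("never bridged:", ctl.never_bridged())
```

The ordering inside each sequence is the whole point: the switch that was closed is opened before the other one is closed, so the model raises instead of ever reaching a bridged state, and the cache is cleared before the path is released so that a rejected payload is not left behind for the next transfer.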
Optionally, the intermediate memory is an SRAM buffer, and the switch controller is an FPGA logic controller.
In this embodiment, the switch controller keeps at least one of the first and second controllable switches open at all times, and the intermediate memory is provided for caching data, so that data from the extranet can be queued and processed without loss while the intranet side is given enough time to check whether the data in the intermediate memory contain Internet-borne attack content.
In an embodiment, the extranet processor 204 performs a protocol stripping operation on a data packet from the extranet to obtain the original data, and caches the original data in the intermediate memory, from which the intranet processor 203 reads the corresponding original data. Conversely, when the intranet needs to send data to the extranet, the intranet processor 203 writes the data into the intermediate memory, and the extranet processor 204 reads the data from the intermediate memory, encapsulates them according to the protocol, and transmits the encapsulated data to the extranet.
According to the embodiment, the effective transmission between the internal network and the external network according to respective protocols can be realized through protocol processing.
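Protocol stripping and re-encapsulation as described in this embodiment, as an added example that is not part of the patent: the extranet processor validates the carrier headers of an incoming datagram and keeps only the raw payload for the intermediate memory, and the reverse direction rebuilds a datagram around cached payload. IPv4 over UDP as the carrier, and the sample addresses, ports and payload, are assumptions made for illustration; the patent does not name the protocol.

```python
"""Added example, not the patent's own code: protocol stripping on the extranet
processor side (validate IPv4 and UDP headers, return only the payload) and the
matching encapsulation on the way out. IPv4/UDP as the carrier and the sample
values are assumptions made for illustration."""
import struct
from ipaddress import ip_address

UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a correct header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def strip_ipv4_udp(datagram: bytes) -> bytes:
    """Protocol stripping: check every header field that is checked cheaply, then
    return only the UDP payload. IP options, fragments and non-UDP traffic are rejected
    or dropped, so none of them can reach the intermediate memory."""
    if len(datagram) < 28:
        raise ValueError("datagram shorter than minimal IPv4+UDP headers")
    version, ihl = datagram[0] >> 4, (datagram[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(datagram):
        raise ValueError("not a well-formed IPv4 header")
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if total_len != len(datagram):
        raise ValueError("IPv4 total length does not match datagram size")
    if ipv4_checksum(datagram[:ihl]) != 0:
        raise ValueError("IPv4 header checksum failure")
    flags_frag = struct.unpack("!H", datagram[6:8])[0]
    if flags_frag & 0x3FFF:   # MF flag set or non-zero fragment offset
        raise ValueError("fragmented datagrams are not accepted")
    if datagram[9] != UDP:
        raise ValueError("only UDP is carried across the isolation device")
    if len(datagram) < ihl + 8:
        raise ValueError("truncated UDP header")
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
    if udp_len != len(datagram) - ihl:
        raise ValueError("UDP length does not match IPv4 payload size")
    return datagram[ihl + 8:]   # options (if any), ports and lengths are all discarded


def encapsulate_ipv4_udp(payload: bytes, src: str, dst: str, sport: int, dport: int,
                         options: bytes = b"", ttl: int = 64) -> bytes:
    """Wrap cached payload in a fresh IPv4/UDP datagram (DF set, UDP checksum absent)."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(options) // 4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = ihl_words * 4 + udp_len
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0x4000,
                         ttl, UDP, 0, ip_address(src).packed, ip_address(dst).packed)
    header += options
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + udp


# Constructed sample payload (not captured traffic): ten arbitrary application bytes.
SAMPLE_PAYLOAD = b"\x68\x01\x00\x0c\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    d = encapsulate_ipv4_udp(SAMPLE_PAYLOAD, "203.0.113.7", "10.20.1.9", 40000, 2404)
    print(strip_ipv4_udp(d).hex())
    with_opts = encapsulate_ipv4_udp(SAMPLE_PAYLOAD, "203.0.113.7", "10.20.1.9",
                                     40000, 2404, options=b"\x94\x04\x00\x00")
    print(strip_ipv4_udp(with_opts) == SAMPLE_PAYLOAD)   # options never reach the cache
```

The value of the stripping step is that the intranet side only ever sees the payload; a datagram carrying IP options, a fragment, or a wrong length is either rejected outright or reduced to the same bare payload, so nothing that depends on header tricks survives the crossing.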
In one embodiment, the extranet processor runs a first network attack detection program for detecting and intercepting software attacks from the extranet, such as trojan horses, viruses, spoofing attacks, e-mail attacks, eavesdropping attacks, vulnerability exploits, and the like.
The intranet processor runs a second network attack detection program for detecting and intercepting viruses and attacks contained in the data held in the intermediate memory. The extranet processor thus performs a first attack detection on the external data, and the intranet processor performs a second detection on the same data, so that the intranet is further protected from attack.
In one embodiment, the extranet processor and the intranet processor are each provided with a security chip for identity authentication and data encryption and decryption. The security chip comprises a symmetric SM algorithm module, an asymmetric SM algorithm module, a hash SM algorithm module, a bus module, a low-power processor, an auxiliary security circuit, an interface module, a RAM and a ROM, wherein the low-power processor is connected through the bus module to the symmetric SM algorithm module, the asymmetric SM algorithm module, the hash SM algorithm module, the auxiliary security circuit, the interface module, the RAM and the ROM. The SM algorithms (the Chinese commercial cryptography standards, 商密) include SM1, SM2, SM3, SM4, SM7, SM9 and the like, of which SM1, SM4 and SM7 are symmetric cryptographic algorithms, SM2 and SM9 are asymmetric cryptographic algorithms, and SM3 is a hash algorithm. The interface module comprises an I2C interface, an SPI interface, a GPIO interface, a UART interface, a timer, a 7816 (smart card) interface, an SWP interface, an ADC interface, a DAC interface and an MCC interface. The auxiliary security circuit comprises a true random number generator, a PUF circuit and a division accelerator. The PUF (physical unclonable function) circuit extracts characteristic information unique to the chip from the physical randomness introduced during manufacturing by process variation, temperature and similar factors; this information is fixed for a given chip and differs from one security chip to another. The division accelerator is specifically a 16/8 division accelerator and speeds up the large-prime testing performed during key generation.
The bus module adopts the AMBA bus architecture and comprises an AHB high-performance bus and an APB peripheral bus. The low-power processor exchanges data with the symmetric cryptographic algorithm module, the asymmetric cryptographic algorithm module, the hash cryptographic algorithm module, the RAM, the ROM, the PUF circuit and the division accelerator through the AHB high-performance bus, and with the true random number generator and the interface module through the APB peripheral bus.
In one embodiment, a computer device is provided, which may be a server and may be used to implement the functions of the extranet processor or the intranet processor; its internal structure may be as shown in fig. 4. The computer device includes a processor, a memory and a network interface connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment in which the operating system and the computer program on the non-volatile storage medium run. The database of the computer device stores the alarm signals and the intermediate data generated when the intranet and extranet sides process the transmitted data. The network interface of the computer device communicates with external terminals through a network connection.
In one embodiment, a computer device is provided, which may be a terminal and may be used to implement the functions of the above-mentioned extranet processor or intranet processor; its internal structure may be as shown in fig. 5. The computer device includes a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides the environment in which the operating system and the computer program on the non-volatile storage medium run. The communication interface of the computer device carries out wired or wireless communication with external terminals; wireless communication can be realized through WiFi, a mobile cellular network, NFC (near field communication) or other technologies. The display screen of the computer device can be a liquid crystal display or an electronic ink display, and the input device can be a touch layer covering the display screen, keys, a trackball or a touchpad arranged on the housing of the computer device, or an external keyboard, touchpad or mouse.
It will be appreciated by those skilled in the art that the configurations shown in fig. 4-5 are only block diagrams of some of the configurations relevant to the present application, and do not constitute a limitation on the computing devices to which the present application may be applied, and that a particular computing device may include more or less components than shown, or combine certain components, or have a different arrangement of components.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. Non-relational databases may include, but are not limited to, blockchain-based distributed databases and the like. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum-computing-based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A digital power grid security isolation system, which comprises a plurality of intrusion detection nodes, an intrusion detector, an intranet processor and an extranet processor, wherein,
the plurality of intrusion detection nodes are deployed at a plurality of different positions of a digital power grid and used for acquiring power grid data of the digital power grid and sending the power grid data to the intrusion detector;
the intrusion detector is used for judging whether intrusion information exists in the power grid data according to a preset rule, if so, generating an alarm signal and sending the alarm signal to the intranet processor;
and the internal network processor is used for stopping data transmission with the external network processor according to the alarm signal.
2. The system of claim 1, further comprising a switch controller, a first controllable switch, a second controllable switch and an intermediate memory; wherein
the switch controller is respectively connected with the first controllable switch, the second controllable switch and the intermediate storage, and is used for controlling the opening and closing of the first controllable switch and the second controllable switch, and at least one of the first controllable switch and the second controllable switch is in an open state.
3. The system of claim 2, wherein the extranet processor performs a protocol stripping operation on a data packet from the extranet to obtain original data, the original data are buffered in the intermediate memory, and the intranet processor reads the corresponding original data from the intermediate memory; and wherein the intranet processor writes data into the intermediate memory, and the extranet processor reads the data from the intermediate memory, encapsulates the data according to a protocol, and transmits the encapsulated data to the extranet.
4. The system according to claim 2, wherein the first controllable switch is used for controlling the on-off of data transmission between the extranet processor and the intermediate memory by controlling the on-off of the power supply between the extranet processor and the intermediate memory; and the second controllable switch is used for controlling the on-off of data transmission between the intermediate memory and the intranet processor by controlling the on-off of the power supply between the intermediate memory and the intranet processor.
5. The system according to claim 4, wherein the extranet processor runs a first cyber attack detecting program for detecting and intercepting software attacks from the extranet.
6. The system of claim 4, wherein the intranet processor has a second cyber attack detection program running thereon, the second cyber attack detection program being configured to detect and intercept the computer virus from the intermediate storage.
7. The system of claim 4, further comprising an extranet security chip in the extranet processor, wherein the extranet security chip is used for identity authentication and data encryption and decryption.
8. The system according to claim 4, wherein the intranet processor further comprises an intranet security chip, and the intranet security chip is used for identity authentication and data encryption and decryption.
9. The system according to claim 8, wherein the algorithm used for encrypting and decrypting the data comprises at least one of a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and a hash cryptographic algorithm.
10. The system of any one of claims 1 to 9, wherein the intermediate memory is an SRAM buffer and the switch controller is an FPGA logic controller.
CN202111432076.8A 2021-11-29 2021-11-29 Digital power grid safety isolation system Pending CN114243909A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111432076.8A CN114243909A (en) 2021-11-29 2021-11-29 Digital power grid safety isolation system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111432076.8A CN114243909A (en) 2021-11-29 2021-11-29 Digital power grid safety isolation system

Publications (1)

Publication Number Publication Date
CN114243909A true CN114243909A (en) 2022-03-25

Family

ID=80751704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111432076.8A Pending CN114243909A (en) 2021-11-29 2021-11-29 Digital power grid safety isolation system

Country Status (1)

Country Link
CN (1) CN114243909A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1791008A (en) * 2004-12-17 2006-06-21 北邮英科(北京)信息技术研究所有限公司 Isolation method and isolation switch apparatus between multiple different safety class networks
CN202535368U (en) * 2012-04-24 2012-11-14 珠海市鸿瑞软件技术有限公司 Gigabit physical isolation device hot standby
CN109525572A (en) * 2018-11-08 2019-03-26 郑州云海信息技术有限公司 A kind of internet site safety monitoring guard system and method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114629730A (en) * 2022-05-16 2022-06-14 华能国际电力江苏能源开发有限公司 Regional company computer network security interconnection method and system
CN114629730B (en) * 2022-05-16 2022-08-12 华能国际电力江苏能源开发有限公司 Regional company computer network security interconnection method and system
CN116455074A (en) * 2023-04-19 2023-07-18 贵州电网有限责任公司 Data processing method and device applied to power grid dispatching and electronic equipment
CN116455074B (en) * 2023-04-19 2024-02-20 贵州电网有限责任公司 Data processing method and device applied to power grid dispatching and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220325