CN114513342B - Intelligent substation communication data safety monitoring method and system - Google Patents


Info

Publication number: CN114513342B (granted); earlier publication CN114513342A
Application number: CN202210077767.9A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Prior art keywords: security, configuration file, security monitoring, configuration, information
Inventors: 王德辉, 沈健, 张敏, 侯明国, 罗凌璐, 左欢欢, 李超, 相蓉, 王萍萍
Assignees (current and original): State Grid Corp of China SGCC, State Grid Hunan Electric Power Co Ltd, State Grid Liaoning Electric Power Co Ltd, Nari Technology Co Ltd, State Grid Electric Power Research Institute
Priority: CN202210077767.9A

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a smart substation communication data security monitoring method and system. The method includes: generating a data security monitoring rule configuration file, a security monitoring policy configuration file and a switch forwarding configuration file based on the substation-wide SCD configuration file and the security requirements; sending the data security monitoring rule configuration file and the security monitoring policy configuration file to the security monitoring device, and sending the security monitoring policy configuration file and the switch forwarding configuration file to the substation network switch; and, in response to receiving the security event information sent up by the security monitoring device and the substation network switch, performing alarm display, information recording and control. By deriving the security monitoring basis from the substation-wide SCD configuration information, the invention monitors and checks communication data for security in real time, controls and raises alarms on security events, improves the security of the smart substation communication network, and ensures the reliable and stable operation of the smart substation's protection, control and automation monitoring systems.

Description

A method and system for monitoring communication data security of a smart substation

Technical Field

The present invention relates to the technical field of power system automation control and network communication, and in particular to a method and system for security monitoring of communication data in a smart substation.

Background Art

With the gradual adoption of smart substation technology, monitoring systems based on networked transmission of data are progressively replacing the traditional mode based on hard-wired secondary cables. At present, the smart substation network is logically composed of the station control layer network, the bay layer network and the process layer network, and is physically configured as two layers, the station control layer and the process layer. The automation equipment in the station is uniformly modelled according to the IEC 61850 standard, and the unified data interface model defined by IEC 61850 is used to realise information sharing and interaction through the station control layer MMS (Manufacturing Message Specification) network switching equipment and the process layer GOOSE (Generic Object Oriented Substation Event) and SV (Sampled Value) network switching equipment. However, service messages in current smart substations are transmitted in plain text, and no network attack detection or attack protection has been deployed for communication within the station.

With the emergence of a severe network security situation and the important position substations occupy in power grid security, security monitoring and protection of data communication within the substation is required.

Summary of the Invention

Purpose of the invention: in view of the deficiencies of the prior art, the present invention provides a smart substation communication data security monitoring system and method that realise security monitoring and protection of data communication within the substation.

Technical solution: in order to achieve the above purpose, the present invention adopts the following technical solution:

A smart substation communication data security monitoring method comprises the following steps:

generating a data security monitoring rule configuration file, a security monitoring policy configuration file and a switch forwarding configuration file based on the substation-wide SCD configuration file and the security requirements;

sending the data security monitoring rule configuration file and the security monitoring policy configuration file to the security monitoring device, and sending the security monitoring policy configuration file and the switch forwarding configuration file to the substation network switch;

in response to receiving security event information sent up from the security monitoring device and the substation network switch, performing alarm display and information recording processing on the security event information, wherein the security event information sent by the security monitoring device consists of the security events that the security monitoring device reports after monitoring the service data messages on the network in real time according to the data security monitoring rule configuration information and processing them according to the configured security monitoring policy; and the security event information sent by the substation network switch consists of the security events that the substation network switch reports after monitoring the network access device status, physical link status and data traffic information in real time according to the security monitoring policy configuration information and the switch forwarding configuration information, and processing them according to the security monitoring policy configuration information.

Preferably, the method for generating the data security monitoring rule configuration file includes:

reading the content of the SCD configuration file and the security check parameters entered in the configuration interface, the security check parameters including the service message check fields, the check depth, the service message type range and the terminal device network parameters;

extracting the terminal device network parameters by parsing the SCD configuration file, and obtaining the network parameters of all substation terminal devices from the terminal device network parameters extracted from the SCD configuration file together with those entered in the configuration interface; extracting the IED GOOSE/SV service subscription relationships, the definition information of the service data items and the service data sending periods by parsing the SCD configuration file; and parsing the security rule information from the security check parameters entered in the configuration interface, the security rule information including one or more of the following: service traffic bandwidth range, message check rules, terminal device access rules, network parameter range rules, layer 2 service application check rules and layer 3 service application check rules;

generating the data security monitoring rule configuration file from the security rule information, the network parameters of all substation terminal devices, the IED GOOSE/SV service subscription relationships, the definition information of the service data items and the service data sending periods, the content of the data security monitoring rule configuration file including at least one of the following: substation service message descriptions and message check policy configuration.
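The rule-file generation step above, as an added example that is not the patent's own code: it parses a constructed, minimal SCD (IEC 61850-6 SCL) fragment with the Python standard library, extracts the terminal network parameters (IED name, IP, MAC), the multicast MAC, APPID and send period of each GOOSE/SV control block and the ExtRef subscription relationships, and combines them with interface-entered check parameters into a rule configuration. The output keys are a layout assumed here, since the patent only names what the file must contain.

```python
"""Generate a data security monitoring rule configuration from an SCD file.
Added example, not the patent's code: the SCD below is a constructed, minimal
SCL fragment (IEC 61850-6 Communication/ConnectedAP/GSE/SMV and LN0/Inputs/ExtRef
structure) and the output keys are a layout assumed here."""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}   # SCL namespace (IEC 61850-6)

# Constructed SCD: merging unit MU1 publishes one SV and one GOOSE control block;
# protection IED PROT1 subscribes to MU1 through an ExtRef in its LN0 Inputs.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
<Communication><SubNetwork name="ProcessBus" type="8-MMS">
 <ConnectedAP iedName="MU1" apName="G1">
  <Address><P type="IP">192.168.10.11</P><P type="MAC-Address">00-11-22-33-44-01</P></Address>
  <SMV ldInst="LD0" cbName="MSVCB01">
   <Address><P type="MAC-Address">01-0C-CD-04-00-01</P><P type="APPID">4001</P></Address>
  </SMV>
  <GSE ldInst="LD0" cbName="gocb0">
   <Address><P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">1001</P></Address>
   <MinTime unit="s" multiplier="m">2</MinTime><MaxTime unit="s" multiplier="m">1000</MaxTime>
  </GSE>
 </ConnectedAP>
 <ConnectedAP iedName="PROT1" apName="G1">
  <Address><P type="IP">192.168.10.21</P><P type="MAC-Address">00-11-22-33-44-02</P></Address>
 </ConnectedAP>
</SubNetwork></Communication>
<IED name="PROT1"><AccessPoint name="G1"><Server><LDevice inst="LD0"><LN0 lnClass="LLN0" inst="" lnType="T0">
 <Inputs><ExtRef iedName="MU1" ldInst="LD0" lnClass="TCTR" lnInst="1" doName="Amp" daName="instMag.i"/></Inputs>
</LN0></LDevice></Server></AccessPoint></IED>
</SCL>"""

def _address(elem):
    """Map P@type -> text for the <Address> child of an SCL element (empty if none)."""
    addr = elem.find("scl:Address", NS)
    return {} if addr is None else {p.get("type"): (p.text or "").strip()
                                    for p in addr.findall("scl:P", NS)}

def parse_scd(scd_xml):
    """Extract terminal network parameters, GOOSE/SV publishers and subscriptions."""
    root = ET.fromstring(scd_xml)
    terminals, publishers, subscriptions = {}, [], {}
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        ied, a = ap.get("iedName"), _address(ap)
        terminals[ied] = {"ip": a.get("IP"), "mac": a.get("MAC-Address", "").upper()}
        for tag, kind in (("GSE", "GOOSE"), ("SMV", "SV")):
            for cb in ap.findall(f"scl:{tag}", NS):
                ca = _address(cb)
                entry = {"publisher": ied, "type": kind, "cb": cb.get("cbName"),
                         "mcast_mac": ca.get("MAC-Address", "").upper(),
                         "appid": int(ca.get("APPID", "0"), 16)}   # APPID is hex in SCL
                if kind == "GOOSE":   # upper bound of the retransmission period (ms)
                    entry["max_time_ms"] = int(cb.findtext("scl:MaxTime", "0", NS))
                publishers.append(entry)
    for ied in root.findall("scl:IED", NS):   # ExtRef.iedName = publisher subscribed to
        pubs = {ref.get("iedName") for ref in ied.iterfind(".//scl:ExtRef", NS)}
        if pubs:
            subscriptions[ied.get("name")] = sorted(pubs)
    return terminals, publishers, subscriptions

def build_rule_config(terminals, publishers, subscriptions, check_params):
    """Combine SCD-derived data with interface-entered check parameters into the rule file."""
    descriptions = []
    for p in publishers:
        d = dict(p, subscribers=[s for s, pubs in subscriptions.items() if p["publisher"] in pubs])
        descriptions.append(d)
    return {
        "message_descriptions": descriptions,
        "check_policy": {
            "check_depth": check_params["check_depth"],
            "l2": {"legal_src_macs": sorted(t["mac"] for t in terminals.values()),
                   "mcast_to_appid": {p["mcast_mac"]: p["appid"] for p in publishers},
                   "legal_types": check_params["l2_types"],
                   "data_item_ranges": check_params["data_item_ranges"]},
            "l3": {"legal_addresses": sorted(t["ip"] for t in terminals.values()),
                   "legal_ports": check_params["l3_ports"]},
        },
    }

if __name__ == "__main__":
    import json
    terms, pubs, subs = parse_scd(SAMPLE_SCD)
    params = {"check_depth": "payload", "l2_types": ["GOOSE", "SV"],
              "data_item_ranges": {"SV": {"smpCnt": [0, 3999]}}, "l3_ports": [102]}
    print(json.dumps(build_rule_config(terms, pubs, subs, params), indent=1))
```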

Preferably, the method for generating the security monitoring policy configuration file includes:

reading the content of the SCD configuration file and the security policy parameters entered in the configuration interface, the security policy parameters including security events, merging parameters, security event reporting policies and the processing actions corresponding to abnormal and illegal events;

extracting the IED GOOSE/SV service subscription relationships, the definition information of the service data items, the network connection relationships and the terminal network parameters by parsing the SCD configuration file, and parsing the security policy information from the security policy parameters entered in the configuration interface, the security policy information including one or more of the following: over-limit traffic processing, abnormal message processing, illegal access device processing, illegal message processing, and tracing of illegal and abnormal messages;

generating the security monitoring policy configuration file from the security policy information, the IED GOOSE/SV service subscription relationships, the definition information of the service data items, the network connection relationships and the terminal network parameters, the content of the security monitoring policy configuration file including at least one of the following: alarm definitions, event definitions, alarm and event merging configuration, abnormal message processing policy configuration, traffic alarm thresholds, over-limit traffic processing policy configuration, illegal access device processing policy configuration, illegal message processing policy configuration, and illegal and abnormal message tracing policy configuration.

The abnormal message processing policy and the over-limit traffic processing policy include: alarm, discard, rate limit, forward and record; the illegal access device processing policy includes: alarm, device information recording and access port blocking; the illegal message processing policy includes: alarm, discard, rate limit, redirect and record.

Preferably, the method for generating the switch forwarding configuration file includes:

reading the content of the SCD configuration file and the forwarding security parameters entered in the configuration interface, the forwarding security parameters including the forwarding security events and actions and the forwarding security event reporting conditions;

extracting the IED GOOSE/SV service subscription relationships, the network connection relationships and the terminal network parameters by parsing the SCD configuration file, and parsing the forwarding security policy information from the forwarding security parameters entered in the configuration interface, the forwarding security policy information including: traffic alarm policy, over-limit traffic processing policy, message anomaly processing policy, illegal access device processing policy, illegal message processing policy and network topology change policy; wherein the over-limit traffic processing policy and the message anomaly processing policy include: alarm, discard, rate limit, forward and record; the illegal access device processing policy includes: alarm, device information recording and access port blocking; and the illegal message processing policy includes: alarm, discard, rate limit, redirect and record;

generating the switch forwarding configuration file from the forwarding security policy information, the IED GOOSE/SV service subscription relationships, the network connection relationships and the terminal network parameters, the content of the switch forwarding configuration file including at least one of the following: forwarding table configuration, forwarding table lookup anomaly policy configuration, service flow policy configuration, terminal information of connected interfaces, unknown traffic policy configuration, abnormal message policy configuration and network topology change policy.

Preferably, the method by which the security monitoring device reports security events includes: the security monitoring device checks substation service messages against the rules of the data security monitoring rule configuration file; a layer 2 substation service message is an illegal message when its MAC address, service application number or service message data items do not satisfy the layer 2 service check configuration rules; a layer 3 substation service message is an illegal message when its MAC address, IP address, port number or service message data items do not satisfy the layer 3 service check configuration rules; alarm display and information recording are then performed according to the security monitoring policy configuration file. The layer 2 service check configuration rules include the legal MAC addresses, the multicast MAC addresses configured in the SCD, the legal service application numbers, the correspondence between multicast MAC addresses and service application numbers, the legal ranges of the data items and the legal message types; the layer 3 service check configuration rules include message address anomalies, legal message addresses, legal port numbers, service message data item ranges and legal message types.

Preferably, the method by which the substation network switch reports security events includes: the substation network switch collects the messages entering its interfaces in real time and forwards and filters them according to the switch forwarding configuration file; it keeps hardware statistics of the message traffic and determines that a security event has occurred when the message traffic exceeds the configured traffic threshold; when a terminal device connects, a security event is determined if the terminal information is not in the legal device list; when the network topology changes, a security event is determined if the changed topology is not in the legal topology list; the appearance of an illegal message is determined to be a security event; and the security events that occur are displayed as alarms and recorded according to the security monitoring policy configuration file.
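The monitoring device check rules and the switch-side event conditions in the two paragraphs above, as an added example that is not the patent's code: the rule and policy values and the message fields are constructed, the "service application number" is assumed to be the GOOSE/SV APPID, and "message address anomaly" is interpreted as an IP address arriving from a MAC other than the one bound to it in the terminal list.

```python
"""Monitoring device checks (layer 2 / layer 3) and switch-side events. Added example,
not the patent's implementation; rules, policy and messages are constructed. 'Service
application number' is read as the GOOSE/SV APPID, 'address anomaly' as an IP sent
from a MAC other than the one bound to it."""
# Constructed data security monitoring rules (in practice generated from the SCD).
RULES = {
    "l2": {
        "legal_macs": {"00-11-22-33-44-01", "00-11-22-33-44-02"},
        "mcast_to_appid": {"01-0C-CD-01-00-01": 0x1001, "01-0C-CD-04-00-01": 0x4001},
        "legal_types": {"GOOSE", "SV"},
        "data_item_ranges": {"GOOSE": {"stNum": (0, 2**32 - 1), "sqNum": (0, 2**32 - 1)},
                             "SV": {"smpCnt": (0, 3999)}},
    },
    "l3": {
        "ip_to_mac": {"192.168.10.11": "00-11-22-33-44-01", "192.168.10.21": "00-11-22-33-44-02",
                      "192.168.10.100": "00-11-22-33-44-10"},
        "legal_ports": {102}, "legal_types": {"MMS"},   # MMS over ISO transport
        "data_item_ranges": {"MMS": {"invokeID": (0, 2**32 - 1)}},
    },
}
# Constructed security monitoring policy: threshold, allowlists, action per event kind.
POLICY = {
    "traffic_threshold_pps": 5000,
    "legal_devices": {"00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-10"},
    "legal_topologies": [frozenset({("SW1", "MU1"), ("SW1", "PROT1"), ("SW1", "HMI")})],
    "actions": {"illegal_message": "discard+record", "over_limit_traffic": "rate_limit",
                "illegal_access": "block_port", "topology_change": "alarm"},
}

def _range_violations(msg, ranges):
    """Data items of this message type that fall outside their legal range."""
    return [f"{k}={msg['data'][k]} outside {lo}..{hi}"
            for k, (lo, hi) in ranges.get(msg["type"], {}).items()
            if k in msg["data"] and not lo <= msg["data"][k] <= hi]

def check_l2(frame, rules):
    """Layer 2 (GOOSE/SV) check: returns the list of violated rules, empty if legal."""
    r, v = rules["l2"], []
    if frame["src_mac"] not in r["legal_macs"]:
        v.append("source MAC not in legal MAC list")
    expected = r["mcast_to_appid"].get(frame["dst_mac"])
    if expected is None:
        v.append("destination multicast MAC not configured in SCD")
    elif frame["appid"] != expected:
        v.append(f"APPID {frame['appid']:#06x} does not match multicast MAC")
    if frame["type"] not in r["legal_types"]:
        v.append("message type not permitted on layer 2")
    return v + _range_violations(frame, r["data_item_ranges"])

def check_l3(pkt, rules):
    """Layer 3 (MMS over TCP/IP) check: returns the list of violated rules."""
    r, v = rules["l3"], []
    for ip, mac in ((pkt["src_ip"], pkt["src_mac"]), (pkt["dst_ip"], None)):
        bound = r["ip_to_mac"].get(ip)
        if bound is None:
            v.append(f"{ip} is not a legal message address")
        elif mac is not None and mac != bound:
            v.append(f"address anomaly: {ip} sent from {mac}, bound to {bound}")
    if pkt["dst_port"] not in r["legal_ports"]:
        v.append(f"port {pkt['dst_port']} is not a legal port")
    if pkt["type"] not in r["legal_types"]:
        v.append("message type not permitted on layer 3")
    return v + _range_violations(pkt, r["data_item_ranges"])

def monitor_messages(msgs, rules=RULES, policy=POLICY):
    """Security monitoring device: one event per illegal message, with the policy action."""
    events = []
    for m in msgs:
        v = check_l2(m, rules) if m["layer"] == 2 else check_l3(m, rules)
        if v:
            events.append({"kind": "illegal_message", "src": m["src_mac"], "reasons": v,
                           "action": policy["actions"]["illegal_message"]})
    return events

def switch_events(port_stats, access_events, topology, policy=POLICY):
    """Substation switch: traffic threshold, device allowlist and topology allowlist."""
    events, act = [], policy["actions"]
    for port, pps in port_stats.items():
        if pps > policy["traffic_threshold_pps"]:
            events.append({"kind": "over_limit_traffic", "port": port, "pps": pps,
                           "action": act["over_limit_traffic"]})
    for port, mac in access_events:
        if mac not in policy["legal_devices"]:
            events.append({"kind": "illegal_access", "port": port, "mac": mac,
                           "action": act["illegal_access"]})
    if frozenset(topology) not in policy["legal_topologies"]:
        events.append({"kind": "topology_change", "links": sorted(topology),
                       "action": act["topology_change"]})
    return events
# Constructed messages: a legal GOOSE frame, a GOOSE frame from an unlisted MAC with a
# mismatched APPID, and an MMS packet whose source IP arrives from the wrong MAC.
SAMPLE_MSGS = [
    {"layer": 2, "src_mac": "00-11-22-33-44-01", "dst_mac": "01-0C-CD-01-00-01",
     "appid": 0x1001, "type": "GOOSE", "data": {"stNum": 7, "sqNum": 0}},
    {"layer": 2, "src_mac": "00-11-22-33-44-99", "dst_mac": "01-0C-CD-01-00-01",
     "appid": 0x1002, "type": "GOOSE", "data": {"stNum": 7, "sqNum": 0}},
    {"layer": 3, "src_mac": "00-11-22-33-44-99", "src_ip": "192.168.10.100",
     "dst_ip": "192.168.10.21", "dst_port": 102, "type": "MMS", "data": {"invokeID": 3}},
]
if __name__ == "__main__":
    print(monitor_messages(SAMPLE_MSGS))
    print(switch_events({"ge2": 9000}, [("ge4", "AA-BB-CC-DD-EE-FF")], {("SW1", "MU1")}))
```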

作为优选,所述方法还包括:响应于接收到从安全监测设备和变电站网络交换机上送的安全事件信息,向变电站网络交换机下发安全策略指令,变电站网络交换机基于下发的安全策略指令对指定报文数据流执行安全策略动作,所述安全策略动作包括流量抑制、丢弃、记录存储、重定向中的一种或多种。Preferably, the method further includes: in response to receiving security event information sent from the security monitoring device and the substation network switch, issuing security policy instructions to the substation network switch, and the substation network switch executes security policy actions on the specified message data flow based on the issued security policy instructions, and the security policy actions include one or more of traffic suppression, discarding, record storage, and redirection.

本发明还提供一种智能变电站通信数据安全监测系统,包括:The present invention also provides a smart substation communication data security monitoring system, comprising:

安全监测主控系统模块,用于基于变电站全站SCD配置文件及安全要求生成数据安全监测规则配置文件、安全监测策略配置文件和交换机转发配置文件,并将数据安全监测规则配置文件、安全监测策略配置文件下发至安全监测设备,将安全监测策略配置文件和交换机转发配置文件下发至变电站网络交换机,以及用于响应于接收到从安全监测设备和变电站网络交换机上送的安全事件信息,对安全事件信息进行告警展示、信息记录处理;The safety monitoring main control system module is used to generate a data safety monitoring rule configuration file, a safety monitoring policy configuration file and a switch forwarding configuration file based on the substation-wide SCD configuration file and safety requirements, and to send the data safety monitoring rule configuration file and the safety monitoring policy configuration file to the safety monitoring device, and to send the safety monitoring policy configuration file and the switch forwarding configuration file to the substation network switch, and to respond to the safety event information sent from the safety monitoring device and the substation network switch, and to perform alarm display and information recording processing on the safety event information;

安全监测设备,用于按数据安全监测规则配置信息实时监测网络上的业务数据报文,并按配置的安全监测策略进行数据报文监测处理及上报安全事件;Security monitoring equipment, used to monitor business data packets on the network in real time according to the data security monitoring rule configuration information, and to monitor and process data packets and report security events according to the configured security monitoring strategy;

变电站网络交换机,用于根据安全监测策略配置信息和交换机转发配置信息,实时监测网络接入设备情况、物理链路状态、数据流量信息,按安全监测策略配置信息处理安全事件并上报。The substation network switch is used to monitor the network access device status, physical link status, and data flow information in real time according to the security monitoring policy configuration information and the switch forwarding configuration information, and to process and report security incidents according to the security monitoring policy configuration information.

本发明还提供一种计算机设备,包括:The present invention also provides a computer device, comprising:

一个或多个处理器;one or more processors;

存储器;以及Memory; and

一个或多个程序,其中所述一个或多个程序被存储在所述存储器中,并且被配置为由所述一个或多个处理器执行,所述程序被处理器执行时实现如上所述的智能变电站通信数据安全监测方法的步骤。One or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by the one or more processors, and when the programs are executed by the processors, the steps of the smart substation communication data security monitoring method as described above are implemented.

本发明还提供一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现如上所述的智能变电站通信数据安全监测方法的步骤。The present invention also provides a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed by a processor, the steps of the smart substation communication data security monitoring method as described above are implemented.

有益效果:本发明基于全站SCD配置文件和安全要求和提取信息,生成安全监测依据,根据安全策略实时监测智能变电站通信网络的数据合法性,实时对通信网络上的非法报文进行捕获记录、溯源及告警。通过网络安全监测设备和变电站网络交换机,能够实时监测变电站通信业务数据报文、网络终端设备接入情况、网络链路运行情况,识别异常攻击报文和异常网络工况并按安全策略进行异常处理。本发明对于提高智能变电站通信网络安全,保障智能变电站保护控制和自动化监控系统的可靠稳定运行具有促进作用。Beneficial effects: The present invention generates a security monitoring basis based on the whole station SCD configuration file and security requirements and extracted information, monitors the data legitimacy of the smart substation communication network in real time according to the security policy, and captures, records, traces and alarms illegal messages on the communication network in real time. Through network security monitoring equipment and substation network switches, it is possible to monitor substation communication service data messages, network terminal equipment access conditions, and network link operation conditions in real time, identify abnormal attack messages and abnormal network conditions, and handle exceptions according to security policies. The present invention has a promoting effect on improving the security of smart substation communication networks and ensuring the reliable and stable operation of smart substation protection control and automation monitoring systems.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为根据本发明实施例的智能变电站通信数据安全监测系统结构框图;FIG1 is a block diagram of a smart substation communication data security monitoring system according to an embodiment of the present invention;

图2为根据本发明实施例的智能变电站通信数据安全监测方法中配置文件生成流程图。FIG2 is a flow chart of configuration file generation in a method for secure monitoring of communication data in a smart substation according to an embodiment of the present invention.

具体实施方式DETAILED DESCRIPTION

下面结合附图对本发明的技术方案作进一步说明。The technical solution of the present invention is further described below in conjunction with the accompanying drawings.

如图1所示,一种智能变电站通信数据安全监测系统,包括;安全监测主控系统模块、安全监测设备、变电站网络交换机。安全监测主控系统模块部署在服务器主机上,通过MMS接口或snmp管理接口连接安全监测设备及变电站网络交换机。安全监测设备是专用网络报文分析设备,接收并识别数据安全监测规则配置文件、安全监测策略配置文件信息,实时监测所有变电站业务报文,安全监测设备的全部功能也可以作为功能模块部署在交换机上。安全监测设备也称为安全监测装置、网络安全监测装置或网络安全监测设备,在本发明描述中可以互换地使用。安全监测设备可按不同组网原则分布式布置。例如,安全监测设备可部署在中心交换机接口上,过程层业务报文的所有数据流通过组播地址引流给安全监测设备,站控层业务报文通过交换机复制重定向给安全监测设备。安全监测设备也可作为变电站交换机的网络安全监测功能模块,集成在变电站交换机设备上,由交换机实现智能变电站通信数据安全监测系统的网络安全监测装置功能。As shown in FIG1 , a smart substation communication data security monitoring system includes: a security monitoring main control system module, a security monitoring device, and a substation network switch. The security monitoring main control system module is deployed on the server host, and the security monitoring device and the substation network switch are connected through the MMS interface or the snmp management interface. The security monitoring device is a dedicated network message analysis device that receives and identifies data security monitoring rule configuration files and security monitoring policy configuration file information, and monitors all substation service messages in real time. All functions of the security monitoring device can also be deployed on the switch as a functional module. The security monitoring device is also called a security monitoring device, a network security monitoring device, or a network security monitoring device, which can be used interchangeably in the description of the present invention. The security monitoring device can be distributed according to different networking principles. For example, the security monitoring device can be deployed on the interface of the central switch, and all data streams of the process layer service message are directed to the security monitoring device through the multicast address, and the station control layer service message is copied and redirected to the security monitoring device through the switch. 
The security monitoring device can also be used as a network security monitoring function module of the substation switch, integrated on the substation switch device, and the switch realizes the network security monitoring device function of the smart substation communication data security monitoring system.

变电站网络交换机上运行独立的安全监控模块,接收主控模块下发的安全策略指令、安全策略配置及转发配置信息;变电站网络交换机实时采集安全策略定义的网络监控信息,包括终端接入事件、终端设备信息、链路状态、链路统计信息等信息,对识别出的安全事件进行记录及告警上报;响应安全策略指令,对指定的异常报文数据流进行抑制。An independent security monitoring module runs on the substation network switch, which receives security policy instructions, security policy configuration and forwarding configuration information issued by the main control module; the substation network switch collects network monitoring information defined by the security policy in real time, including terminal access events, terminal equipment information, link status, link statistics and other information, and records and reports alarms for identified security events; it responds to security policy instructions and suppresses specified abnormal message data flows.

变电站业务报文包括IEC61850定义的MMS报文、GOOSE报文、SV报文,但不限于IEC61850报文。Substation service messages include MMS messages, GOOSE messages, and SV messages defined in IEC61850, but are not limited to IEC61850 messages.

基于该智能变电站通信数据安全监测系统的通信数据安全监测方法,包括以下步骤:The communication data security monitoring method based on the intelligent substation communication data security monitoring system comprises the following steps:

1)在安全监测主控系统模块上,通过加载变电站全站SCD配置文件、设置安全规则要求,生成数据安全监测规则配置文件、安全监测策略配置文件和交换机转发配置文件。1) On the security monitoring main control system module, by loading the substation-wide SCD configuration file and setting security rule requirements, a data security monitoring rule configuration file, a security monitoring policy configuration file, and a switch forwarding configuration file are generated.

2)安全监测主控系统模块向交换机下发安数据全监测规则配置文件、安全监测策略配置文件、交换机转发配置文件给变电站交换机。在本实施例中,安全监测设备功能作为功能模块部署在交换机上,由交换机实现安全监测设备功能;2) The security monitoring main control system module sends the security data monitoring rule configuration file, security monitoring policy configuration file, and switch forwarding configuration file to the substation switch. In this embodiment, the security monitoring device function is deployed on the switch as a functional module, and the switch implements the security monitoring device function;

3)变电站交换机按数据安全监测规则配置信息实时监测网络上的业务数据报文,并按配置的安全监测策略进行数据报文监测处理及上报安全事件;变电站网络交换机根据安全监测策略配置信息和交换机转发配置信息,实时监测网络接入设备情况、物理链路状态、数据流量信息等信息,按安全监测策略配置信息处理安全事件并上报。3) The substation switch monitors the business data packets on the network in real time according to the data security monitoring rule configuration information, and monitors and processes the data packets and reports security events according to the configured security monitoring strategy; the substation network switch monitors the network access equipment status, physical link status, data flow information and other information in real time according to the security monitoring policy configuration information and switch forwarding configuration information, and processes and reports security events according to the security monitoring policy configuration information.

4)变电站安全监测主控系统模块接收网络安全监测设备和变电站网络交换机上送的安全事件信息,对安全事件信息进行告警展示、信息记录等处理。变电站安全监测主控系统模块下发防护策略给变电站网络交换机,变电站网络交换机按下发的安全策略指令对指定非法报文数据流进行安全策略动作执行,策略动作包括流量抑制、丢弃、记录存储、重定向等。4) The substation security monitoring main control system module receives security event information sent by network security monitoring equipment and substation network switches, and performs alarm display, information recording and other processing on the security event information. The substation security monitoring main control system module sends protection strategies to the substation network switches, and the substation network switches execute security strategy actions on the designated illegal message data flows according to the security strategy instructions sent. The strategy actions include flow suppression, discarding, record storage, redirection, etc.

在本发明实施例中,在安全监测主控系统模块上,通过配置管理工具基于全站的SCD配置文件、用户应用的安全法规及企业安全规范,生成数据安全监测规则配置文件、安全监测策略配置文件和交换机转发配置文件。In an embodiment of the present invention, on the security monitoring main control system module, a data security monitoring rule configuration file, a security monitoring policy configuration file and a switch forwarding configuration file are generated through a configuration management tool based on the SCD configuration file of the entire site, the security regulations of user applications and the enterprise security specifications.

The data security monitoring rule configuration file contains the description of the data fields of every service message in the substation, the fields to be checked, the depth to which packets are analyzed, the range of service messages covered, and similar rule settings. As shown in Figure 2, the station-wide SCD configuration file is loaded on the security monitoring master control module, and the security check parameters (the service message fields to check, the check depth, the range of service message types, the terminal network parameters and so on) are entered on the module's configuration generation screen. The module's configuration file generation function then works from the SCD content and these parameters: it extracts the terminal device network parameters (device name, IP address, MAC address) from the SCD file and from the terminal network parameters entered in the configuration; it extracts from the SCD file the GOOSE/SV subscription relationships of the IEDs, the definitions of the service data items and the service data transmission period; and it derives the security rule information from the entered security check parameters. From this intermediate data it computes and generates the data security monitoring rule configuration file, whose content comprises the substation service message descriptions and the message check policy configuration. An example of the content and format of the file follows; text beginning with `<!--` is a comment explaining the meaning of that section of the file:

The security monitoring policy configuration file contains policy information such as the security event merging configuration, the security event reporting configuration, the abnormal message rules and their actions, and the security event recording configuration. As shown in Figure 2, it is generated on the security monitoring master control module by the same procedure as the data security monitoring rule configuration file: the station-wide SCD configuration file is loaded first, and the security policy parameters (security events, merging parameters, security event reporting policy, the action to take for each abnormal or illegal event, and so on) are entered on the module's configuration generation screen. The module's configuration file generation function then works from the SCD content and these parameters: it extracts from the SCD file the GOOSE/SV subscription relationships of the IEDs, the definitions of the service data items, the network connection relationships and the terminal network parameters, and derives the security policy information from the entered security policy parameters. From this intermediate data it computes and generates the security monitoring policy configuration file, whose main content is the alarm definitions, the event definitions, the alarm and event merging configuration and the abnormal handling policy configuration. An example of the content and format of the file follows; text beginning with `<!--` is a comment explaining the meaning of that section of the file:

The switch forwarding configuration file contains the MAC addresses of the devices, the switch ports they are connected to, the multicast forwarding information, the alarm settings and similar configuration; here "device" means an IED connected to the switch. As shown in Figure 2, it is generated on the security monitoring master control module by the same procedure as the data security monitoring rule configuration file: the station-wide SCD configuration file is loaded first, and the security policy parameters (forwarding security event actions, forwarding security event reporting, and so on) are entered on the module's configuration generation screen. The module's configuration file generation function then works from the SCD content and these parameters: it extracts from the SCD file the GOOSE/SV subscription relationships of the IEDs, the network connection relationships and the terminal network parameters, and derives the security policy information from the entered security policy parameters. From this intermediate data it computes and generates the switch forwarding configuration file, whose content includes the forwarding table and the corresponding flow policy configuration, the terminal information for each interface, the unknown traffic policy configuration and so on. An example of the content and format of the file follows; text beginning with `<!--` is a comment explaining the meaning of that section of the file:
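All three configuration files described above are derived from one parse of the station SCD. The following Python is an added example written for this page; it is not the patent's configuration tool and not the file format whose sample is referenced above. It parses a constructed SCD fragment (IEC 61850 SCL), extracts the terminal network parameters, the GOOSE/SV control blocks with their APPID and multicast MAC, and the publisher/subscriber relation from `ExtRef`, and derives a whitelist-style rule set plus multicast forwarding entries. The `PORT_MAP` (which switch port each IED sits on), the `APPID` range check and the output dictionary layout are assumptions of this example; standard SCL carries no switch port assignments, so that mapping must come from the commissioning data.

```python
"""Added example, not the patent's configuration tool or its file format:
parse an IEC 61850 SCD file and derive (a) a whitelist-style data security
monitoring rule set and (b) multicast forwarding entries for the switch.

Assumptions: the SCD fragment is constructed; PORT_MAP is supplied separately
because standard SCL carries no switch port assignments; GSE MinTime/MaxTime
use multiplier="m" (milliseconds); the output dict layout is this example's own.
"""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD: merging unit MU1 publishes one GOOSE and one SV control
# block; protection IED PROT1 subscribes to MU1 through <ExtRef>.
SAMPLE_SCD = """
<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
 <Communication><SubNetwork name="ProcessBus">
  <ConnectedAP iedName="MU1" apName="P1">
   <Address><P type="IP">192.168.1.11</P><P type="MAC-Address">00-11-22-33-44-01</P></Address>
   <GSE ldInst="LD0" cbName="gocb0">
    <Address><P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P></Address>
    <MinTime unit="s" multiplier="m">2</MinTime><MaxTime unit="s" multiplier="m">1000</MaxTime>
   </GSE>
   <SMV ldInst="LD0" cbName="MSVCB01">
    <Address><P type="MAC-Address">01-0c-cd-04-00-01</P><P type="APPID">4001</P><P type="VLAN-ID">001</P></Address>
   </SMV>
  </ConnectedAP>
  <ConnectedAP iedName="PROT1" apName="S1">
   <Address><P type="IP">192.168.1.21</P><P type="MAC-Address">00-11-22-33-44-02</P></Address>
  </ConnectedAP>
 </SubNetwork></Communication>
 <IED name="PROT1"><AccessPoint name="S1"><Server><LDevice inst="LD0"><LN0 lnClass="LLN0" inst="" lnType="LLN0T">
  <Inputs><ExtRef iedName="MU1" ldInst="LD0" lnClass="TCTR" lnInst="1" doName="Amp" daName="instMag.i"/></Inputs>
 </LN0></LDevice></Server></AccessPoint></IED>
</SCL>
"""

PORT_MAP = {"MU1": "port1", "PROT1": "port2"}   # constructed switch port assignments

# APPID ranges reserved for GOOSE (IEC 61850-8-1) and SV (IEC 61850-9-2)
APPID_RANGE = {"goose": (0x0000, 0x3FFF), "sv": (0x4000, 0x7FFF)}


def _params(addr):
    """Map the <P type="..."> children of an <Address> to their upper-cased text."""
    if addr is None:
        return {}
    return {p.get("type"): (p.text or "").strip().upper() for p in addr.findall("scl:P", NS)}


def _ms(elem):
    return int(elem.text) if elem is not None else None


def build_rules(scd_xml):
    """Extract terminals, GOOSE/SV control blocks and subscriptions; reject inconsistent SCDs."""
    root = ET.fromstring(scd_xml)
    rules = {"terminals": {}, "goose": {}, "sv": {}, "subscriptions": {}}
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        ied = ap.get("iedName")
        p = _params(ap.find("scl:Address", NS))
        rules["terminals"][ied] = {"ip": p.get("IP"), "mac": p.get("MAC-Address")}
        for tag, kind in (("GSE", "goose"), ("SMV", "sv")):
            for cb in ap.findall(f"scl:{tag}", NS):
                a = _params(cb.find("scl:Address", NS))
                appid = int(a["APPID"], 16)
                lo, hi = APPID_RANGE[kind]
                if not lo <= appid <= hi:
                    raise ValueError(f"{ied}/{cb.get('cbName')}: APPID {appid:#06x} outside {kind} range")
                if appid in rules[kind]:
                    raise ValueError(f"duplicate {kind} APPID {appid:#06x}")
                rules[kind][appid] = {
                    "publisher": ied, "cb": cb.get("cbName"), "dst_mac": a["MAC-Address"],
                    "vlan": a.get("VLAN-ID"),
                    "min_time_ms": _ms(cb.find("scl:MinTime", NS)),
                    "max_time_ms": _ms(cb.find("scl:MaxTime", NS)),
                }
    for ied in root.iterfind("scl:IED", NS):
        pubs = sorted({e.get("iedName") for e in ied.iterfind(".//scl:ExtRef", NS) if e.get("iedName")})
        if pubs:
            rules["subscriptions"][ied.get("name")] = pubs
    return rules


def build_forwarding(rules, port_map):
    """Multicast forwarding entries: a control block's MAC is sent only to its subscribers' ports."""
    fwd = {}
    for kind in ("goose", "sv"):
        for appid, cb in rules[kind].items():
            out = sorted({port_map[s] for s, pubs in rules["subscriptions"].items()
                          if cb["publisher"] in pubs and s in port_map})
            fwd[cb["dst_mac"]] = {"appid": appid, "in_port": port_map.get(cb["publisher"]), "out_ports": out}
    return fwd


if __name__ == "__main__":
    import json
    rules = build_rules(SAMPLE_SCD)
    print(json.dumps(rules, indent=1))
    print(json.dumps(build_forwarding(rules, PORT_MAP), indent=1))
```

The APPID range and duplicate checks are the kind of consistency check worth doing at generation time rather than on the wire: an SCD that assigns two control blocks the same APPID would otherwise produce a rule set in which the "destination MAC must match the APPID" check can never be satisfied for one of them.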

The security monitoring master control module issues the generated configuration files to the network security monitoring device and the substation network switch. The network security monitoring device monitors substation service messages in real time according to the data security monitoring rule configuration and the security monitoring policy configuration, and reports alarms for security events. As described above, the network security monitoring device is either a dedicated packet analysis appliance or a functional module integrated into the substation switch; it receives and parses the data security monitoring rule configuration file and the security monitoring policy configuration file, monitors all substation service messages in real time and, once a message is identified as illegal, records it, discards it, raises an alarm and so on according to the policy.

For example, the network security monitoring device (or a switch with that function integrated) treats a message as illegal when its source MAC address is not in the security configuration file, or when its source or destination MAC falls within an address range the security configuration file designates as illegal; a GOOSE/SV message whose APPID is not in the configuration file is illegal, as is one whose destination MAC and APPID do not correspond; and so on. Once a message is identified as illegal it is handled according to the policy: recording it, raising an alarm, discarding it, redirecting it, or blocking the physical link of the device that sent it are the corresponding policy actions. Illegal messages are identified according to the security monitoring rule configuration file, and the policy action for the corresponding illegal message event is executed according to the security monitoring policy configuration file. Any message that triggers a rule in the security monitoring rule configuration file is an illegal message.
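The per-frame checks listed above, as an added example written for this page (not the patent's monitoring device): a parser for the GOOSE/SV Ethernet header, a constructed rule table in the shape a generated rule file might take, and a checker that reports every rule a frame violates. Frame layout follows IEC 61850-8-1/9-2 (Ethernet header, optional 802.1Q tag, Ethertype 0x88B8 for GOOSE or 0x88BA for SV, then APPID, Length, Reserved1, Reserved2 and the APDU). The forbidden MAC prefix, the "GOOSE/SV only" rule and the sample frames are assumptions of this example.

```python
"""Added example, not the patent's monitoring device: stateless whitelist checks
on raw GOOSE/SV Ethernet frames. The rule table and all frames are constructed;
the forbidden-prefix and GOOSE/SV-only policies are assumptions of this example.
"""
import struct

ETH_GOOSE, ETH_SV, ETH_VLAN = 0x88B8, 0x88BA, 0x8100
APPID_RANGE = {ETH_GOOSE: (0x0000, 0x3FFF), ETH_SV: (0x4000, 0x7FFF)}   # IEC 61850-8-1 / 9-2

# Constructed rule set (the shape a generated rule file might take is assumed)
RULES = {
    "legal_src_macs": {"00-11-22-33-44-01", "00-11-22-33-44-02"},
    "illegal_mac_prefixes": ("01-00-5E",),           # IPv4 multicast: never expected on the process bus
    "goose": {0x0001: "01-0C-CD-01-00-01"},          # APPID -> expected destination multicast MAC
    "sv": {0x4001: "01-0C-CD-04-00-01"},
}


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))


def make_frame(dst, src, ethertype, appid=None, apdu=b"", vlan=None):
    """Build a raw frame for the samples below (constructed data, not a capture)."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, (4 << 13) | vlan)     # PCP 4, no DEI
    hdr += struct.pack("!H", ethertype)
    if ethertype in APPID_RANGE:
        hdr += struct.pack("!HHHH", appid, 8 + len(apdu), 0, 0)  # APPID, Length, Reserved1, Reserved2
    return hdr + apdu


def parse_frame(frame):
    """Return the header fields; raise ValueError for frames too short or inconsistent to judge."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off = mac_str(frame[0:6]), mac_str(frame[6:12]), 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == ETH_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        off, vlan = off + 4, tci & 0x0FFF
    appid = None
    if ethertype in APPID_RANGE:
        if len(frame) < off + 8:
            raise ValueError("truncated GOOSE/SV header")
        appid, length = struct.unpack_from("!HH", frame, off)
        if length > len(frame) - off:                  # Length counts from APPID to end of APDU
            raise ValueError("Length field exceeds frame")
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "appid": appid}


def check_frame(frame, rules=RULES):
    """Return the names of violated rules; an empty list means the frame passed every check."""
    try:
        f = parse_frame(frame)
    except ValueError as e:
        return [f"malformed:{e}"]
    v = []
    if f["src"] not in rules["legal_src_macs"]:
        v.append("src_mac_unknown")
    if any(m.startswith(p) for m in (f["src"], f["dst"]) for p in rules["illegal_mac_prefixes"]):
        v.append("mac_in_illegal_range")
    if f["ethertype"] not in APPID_RANGE:             # process bus: GOOSE/SV only
        v.append("ethertype_not_allowed")
        return v
    lo, hi = APPID_RANGE[f["ethertype"]]
    table = rules["goose"] if f["ethertype"] == ETH_GOOSE else rules["sv"]
    if not lo <= f["appid"] <= hi:
        v.append("appid_out_of_range")
    elif f["appid"] not in table:
        v.append("appid_unknown")
    elif table[f["appid"]] != f["dst"]:
        v.append("dst_mac_appid_mismatch")
    return v


if __name__ == "__main__":
    samples = {
        "legal goose": make_frame("01-0C-CD-01-00-01", "00-11-22-33-44-01", ETH_GOOSE, 0x0001, b"\x61\x00", vlan=1),
        "rogue source": make_frame("01-0C-CD-01-00-01", "00-11-22-33-44-99", ETH_GOOSE, 0x0001),
        "appid/mac mismatch": make_frame("01-0C-CD-01-00-02", "00-11-22-33-44-01", ETH_GOOSE, 0x0001),
        "arp on process bus": make_frame("FF-FF-FF-FF-FF-FF", "00-11-22-33-44-01", 0x0806),
    }
    for name, frame in samples.items():
        print(f"{name:20s} -> {check_frame(frame) or 'OK'}")
```

Returning every violated rule rather than stopping at the first one matters for the policy stage: a frame from an unknown source that also carries a mismatched APPID is a different event (and usually a higher level one) than a known publisher with a misconfigured control block. Malformed frames are reported as their own class because a checker that silently drops them cannot distinguish a truncated capture from a deliberately malformed packet aimed at the parser.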

In an embodiment of the present invention, the security monitoring module of the substation network switch executes the security policy instructions, the security policy configuration and the forwarding configuration. This independent security monitoring module runs on the switch and collects in real time the network monitoring information defined by the security policy, including terminal access events, terminal device information, link state and link statistics; it records identified security events and reports them as alarms; and in response to security policy instructions it applies policy actions to the designated abnormal packet flows, the actions including bandwidth limiting, packet discarding, and packet capture and recording.

The switch captures the packets entering each interface in real time, and the switch's multi-core CPU parses and checks the captured packets against the rules of the security monitoring rule configuration file; any packet in which a field covered by a rule does not meet the configured requirement is an illegal or abnormal packet. The switch's hardware forwarding chip keeps statistics of packet traffic, and any flow exceeding the configured traffic threshold is one kind of security event. Security events include abnormal traffic, a service flow timing out or being interrupted, a terminal device joining the network, a physical link fault, and so on. Because the security events are known in advance, they can be classified and merged, and the handling policy for each is set according to its level. For example, a terminal device joining the network is a high-level security event that requires an immediate alarm and blocking of the port the device attached to; a physical link interruption is a high-level security event that requires an immediate alarm; and for a service traffic burst, depending on the user-defined level, traffic exceeding the threshold is either discarded with an alarm or simply discarded without one. Which policy action applies is determined by the network security requirements of the user, the enterprise and the industry.
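The switch-side side of the design above, as an added example written for this page (not the patent's switch firmware): events are classified by a policy table that fixes the level and the ordered actions for each event type, identical events are merged within a window instead of being re-reported, a per-flow frames-per-second sample stands in for the hardware traffic counters, and a zero-rate sample on an expected flow is treated as the "service flow timed out" event. The policy table, legal terminal list, threshold, merge window and the event stream in `run_demo()` are all constructed for this example.

```python
"""Added example, not the patent's switch firmware: switch-side event
classification by level, policy actions from a policy table, merging of
repeated identical events, and a per-flow rate threshold in place of the
hardware counters. All tables, thresholds and events here are constructed.
"""
from collections import defaultdict

# event type -> level and ordered actions (levels/actions follow the text above)
POLICY = {
    "terminal_access": {"level": "high", "actions": ["alarm", "block_port"]},
    "link_down":       {"level": "high", "actions": ["alarm"]},
    "traffic_burst":   {"level": "medium", "actions": ["drop_excess", "alarm"]},
    "flow_timeout":    {"level": "medium", "actions": ["alarm"]},
}
LEGAL_TERMINALS = {"00-11-22-33-44-01": "port1", "00-11-22-33-44-02": "port2"}  # MAC -> expected port
PPS_THRESHOLD = 5000       # frames/s per (src MAC, APPID) flow above which a burst is declared
MERGE_WINDOW_S = 60        # identical events inside this window are merged, not re-reported


class SwitchMonitor:
    def __init__(self, policy=POLICY, legal=LEGAL_TERMINALS,
                 pps_threshold=PPS_THRESHOLD, merge_window=MERGE_WINDOW_S):
        self.policy, self.legal = policy, legal
        self.pps_threshold, self.merge_window = pps_threshold, merge_window
        self.last_reported = {}            # (event type, key) -> timestamp of last report
        self.merged = defaultdict(int)     # (event type, key) -> suppressed repeats
        self.events = []

    def _raise(self, ts, etype, key, **detail):
        last = self.last_reported.get((etype, key))
        if last is not None and ts - last < self.merge_window:
            self.merged[(etype, key)] += 1
            return None
        self.last_reported[(etype, key)] = ts
        ev = {"ts": ts, "type": etype, "key": key, "level": self.policy[etype]["level"],
              "actions": list(self.policy[etype]["actions"]), **detail}
        self.events.append(ev)
        return ev

    def on_link(self, ts, port, up):
        """Physical link state change: only a loss of link is an event here."""
        if not up:
            return self._raise(ts, "link_down", port, port=port)
        return None

    def on_terminal_seen(self, ts, port, mac):
        """Source MAC seen on a port: unknown MAC, or a known MAC on the wrong port, is an access event."""
        if self.legal.get(mac) != port:
            return self._raise(ts, "terminal_access", (port, mac), port=port, mac=mac)
        return None

    def on_flow_sample(self, ts, port, src_mac, appid, pps):
        """One counter sample (frames/s) for a flow; pps == 0 on an expected flow is a timeout."""
        key = (src_mac, appid)
        if pps > self.pps_threshold:
            return self._raise(ts, "traffic_burst", key, port=port, pps=pps,
                               excess_pps=pps - self.pps_threshold)
        if pps == 0:
            return self._raise(ts, "flow_timeout", key, port=port)
        return None

    def pending_actions(self, level=None):
        """(type, key, action) triples to issue, optionally restricted to one level."""
        return [(e["type"], e["key"], a) for e in self.events
                if level in (None, e["level"]) for a in e["actions"]]


def run_demo():
    m = SwitchMonitor()
    m.on_terminal_seen(0, "port1", "00-11-22-33-44-01")      # legal terminal on its own port
    m.on_terminal_seen(1, "port3", "DE-AD-BE-EF-00-01")      # unknown device -> high, block port
    m.on_terminal_seen(2, "port3", "DE-AD-BE-EF-00-01")      # same event 1 s later -> merged
    m.on_flow_sample(3, "port1", "00-11-22-33-44-01", 0x0001, 4000)   # within threshold
    m.on_flow_sample(4, "port1", "00-11-22-33-44-01", 0x0001, 9000)   # burst
    m.on_link(5, "port2", up=False)                          # link loss -> high
    m.on_flow_sample(6, "port1", "00-11-22-33-44-01", 0x4001, 0)      # SV stream stopped
    m.on_terminal_seen(70, "port3", "DE-AD-BE-EF-00-01")     # outside merge window -> reported again
    return m


if __name__ == "__main__":
    mon = run_demo()
    for e in mon.events:
        print(e)
    print("merged repeats:", dict(mon.merged))
```

The merge key deliberately includes the port and MAC (or the flow) rather than only the event type, so that two different rogue devices appearing within the same minute are two reports, while a single device that keeps re-announcing itself is one report plus a repeat count. Keeping the suppressed count lets the master control module show "seen 40 times" instead of either flooding the operator or hiding persistence.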

In an embodiment of the present invention, the security monitoring master control module is integrated into the station's background monitoring system or its network security monitoring system. During commissioning, and whenever the SCD configuration changes, it generates the data security monitoring rules, the security monitoring policy and the switch forwarding configuration from the SCD in accordance with the security regulations and security technical specifications, issues them to the network security monitoring device and the switch, brings the security configuration into effect immediately and monitors operation. While the system is running, the module receives security event information from the network security monitoring device and the substation network switch in real time, analyzes and processes it, displays alarms in real time and, depending on the result, issues abnormal-packet suppression policy instructions to the switch.

Grid company specifications require that the process-level network carry only GOOSE/SV messages, but some users additionally require that the communication network forward only whitelisted data (messages that have a forwarding table entry) and discard everything else; DoS attacks must also be defended against and illegal messages filtered. At present there is no security specification dedicated to network transmission; the requirements are scattered across various specifications such as power industry standards, enterprise standards and the requirements of provincial or municipal companies. The present invention uses a configuration management tool to parse the station-wide SCD configuration file, the security regulations applicable to the user and the enterprise security specifications automatically and generate from them the basis for security monitoring, monitors and checks communication data for security in real time, and performs security event control and alarming towards the system master control according to the security policy, thereby improving the security of the intelligent substation communication network and safeguarding the reliable and stable operation of the substation's protection, control and automation monitoring systems.

The names of the messages or information exchanged between the devices in the embodiments of the present invention are illustrative only and do not limit the scope of those messages or information.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Finally, it should be noted that the above embodiments are given only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified or replaced by equivalents, and that any such modification or equivalent replacement that does not depart from the spirit and scope of the present invention falls within the scope of protection of the claims of the present invention.

Claims (10)

1. The intelligent substation communication data safety monitoring method is characterized by comprising the following steps of:
generating a data security monitoring rule configuration file, a security monitoring strategy configuration file and a switch forwarding configuration file based on the substation total station SCD configuration file and the security requirement;
the data security monitoring rule configuration file and the security monitoring strategy configuration file are issued to the security monitoring equipment, and the security monitoring strategy configuration file and the switch forwarding configuration file are issued to the transformer substation network switch;
in response to receiving security event information sent from the security monitoring equipment and the substation network switch, carrying out alarm display and information recording processing on the security event information, wherein the security event information sent by the security monitoring equipment consists of the security events the security monitoring equipment obtains by monitoring the service data messages on the network in real time according to the data security monitoring rule configuration information and by monitoring, processing and reporting the data messages according to the configured security monitoring strategy; and the security event information sent by the substation network switch consists of the security events the substation network switch processes and reports according to the security monitoring policy configuration information and the switch forwarding configuration information, the switch monitoring the network access equipment condition, the physical link state and the data flow information in real time;
the method for generating the security monitoring policy configuration file comprises the following steps:
reading SCD configuration file content, and reading security policy parameters input by a configuration interface, wherein the security policy parameters comprise security events, merging parameters, security event reporting policies and processing actions corresponding to abnormal illegal events;
analyzing and extracting a goose/sv service subscription relation of IED equipment, definition information of service data items, a network connection relation and terminal network parameters based on the SCD configuration file, and analyzing and extracting security policy information based on the security policy parameters input by the configuration interface, wherein the security policy information comprises one or more of the following: overrun flow processing, abnormal message processing, illegal access equipment processing, illegal message processing, and illegal and abnormal message tracing;
generating a security monitoring policy configuration file according to the security policy information and the IED equipment goose/sv service subscription relationship, the definition information of service data items, the network connection relationship and the terminal network parameters, wherein the content of the security monitoring policy configuration file comprises at least one of the following: alarm definition, event definition, alarm and event merging configuration, abnormal message processing strategy configuration, flow alarm threshold value, overrun flow processing strategy configuration, illegal access equipment processing strategy configuration, illegal message tracing strategy configuration.
2. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for generating the data security monitoring rule configuration file comprises the following steps:
reading SCD configuration file content, and reading security inspection parameters input by a configuration interface, wherein the security inspection parameters comprise a service message inspection field, inspection depth, a service message type range and terminal equipment network parameters;
extracting the network parameters of the terminal equipment from the SCD configuration file, and combining the terminal equipment network parameters extracted from the SCD configuration file with those input by the configuration interface to obtain the network parameters of all substation terminal equipment; analyzing and extracting a goose/sv service subscription relation of IED equipment, definition information of service data items and a service data sending period based on the SCD configuration file; resolving security rule information based on the security check parameters input by the configuration interface, wherein the security rule information comprises one or more of the following: service flow bandwidth range, message inspection rule, terminal equipment access rule, network parameter range rule, layer-two service application inspection rule and layer-three service application inspection rule;
generating a data security monitoring rule configuration file according to the security rule information, the network parameters of all substation terminal equipment, the goose/sv service subscription relation of the IED equipment, the definition information of service data items and the service data sending period, wherein the content of the data security monitoring rule configuration file comprises at least one of the following: a substation service message description and a message checking strategy configuration.
3. The intelligent substation communication data security monitoring method according to claim 1, wherein the abnormal message processing strategy and the overrun flow processing strategy comprise: alarming, discarding, limiting speed, forwarding and recording; the illegal access device processing strategy comprises the following steps: alarming, recording equipment information and blocking an access port; the illegal message processing strategy comprises the following steps: alert, discard, speed limit, redirect, record.
4. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for generating the switch forwarding configuration file comprises the following steps:
reading SCD configuration file content, and reading forwarding security parameters input by a configuration interface, wherein the forwarding security parameters comprise forwarding security events, actions and forwarding security event reporting conditions;
analyzing and extracting a goose/sv service subscription relation, a network connection relation and terminal network parameters of IED equipment based on an SCD configuration file, analyzing and extracting forwarding security policy information based on forwarding security parameters input by a configuration interface, wherein the forwarding security policy information comprises: a flow alarm strategy, an overrun flow processing strategy, a message exception processing strategy, an illegal access equipment processing strategy, an illegal message processing strategy and a network topology change strategy; the over-limit flow processing strategy and the message exception processing strategy comprise the following steps: alarming, discarding, limiting speed, forwarding and recording; the illegal access device processing strategy comprises the following steps: alarming, recording equipment information and blocking an access port; the illegal message processing strategy comprises the following steps: alarming, discarding, limiting speed, redirecting and recording;
generating a switch forwarding configuration file according to the forwarding security policy information, the IED equipment goose/sv service subscription relationship, the network connection relationship and the terminal network parameter, wherein the switch forwarding configuration file comprises at least one of the following contents: forwarding table configuration, forwarding table searching abnormal strategy configuration, service flow strategy configuration, terminal information of interface connection, unknown flow strategy configuration, abnormal message strategy configuration and network topology changing strategy.
5. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for reporting security events by the security monitoring device comprises the following steps: the security monitoring device checks the service messages of the transformer substation against the rules of the data security monitoring rule configuration file; a layer-two service message of the transformer substation is an illegal message when its MAC address, service application serial number or service message data item does not satisfy the layer-two service checking configuration rule; a layer-three service message of the transformer substation is an illegal message when its MAC address, IP address, port number or service message data item does not satisfy the layer-three service checking configuration rule; and alarm display and information recording processing are carried out according to the security monitoring policy configuration file, wherein the layer-two service checking configuration rule comprises the legal MAC addresses, the multicast MAC addresses configured in the SCD, the legal service application serial numbers, the correspondence between multicast MAC and service application serial number, the legal range of the data items and the legal message types; and the layer-three service checking configuration rule comprises abnormal message addresses, legal port numbers, the service message data item range and the legal message types.
6. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for reporting security events by the substation network switch comprises the following steps: the substation network switch collects the messages entering its interfaces in real time, and forwards and filters the messages according to the switch forwarding configuration file; it keeps hardware statistics on the message flow and recognizes a security event when the message flow exceeds the configured flow threshold; when terminal equipment is connected and the terminal information is not in the legal equipment list, this is identified as a security event; when the network topology changes and the changed topology is not in the legal topology list, this is identified as a security event; when an illegal message appears, it is identified as a security event; and the security events are displayed and recorded according to the security monitoring policy configuration file.
7. The intelligent substation communication data security monitoring method according to claim 1, further comprising: in response to receiving security event information uploaded from the security monitoring device and the substation network switch, issuing a security policy instruction to the substation network switch, the substation network switch performing security policy actions on the specified message data stream based on the issued security policy instruction, the security policy actions including one or more of traffic suppression, discarding, record storage, redirection.
8. An intelligent substation communication data security monitoring system, characterized by comprising:
the security monitoring master control system module is used for generating a data security monitoring rule configuration file, a security monitoring strategy configuration file and a switch forwarding configuration file based on the substation total station SCD configuration file and security requirements, issuing the data security monitoring rule configuration file and the security monitoring strategy configuration file to the security monitoring equipment, issuing the security monitoring strategy configuration file and the switch forwarding configuration file to the substation network switch, and, in response to receiving security event information sent from the security monitoring equipment and the substation network switch, carrying out alarm display and information recording processing on the security event information;
the security monitoring equipment is used for monitoring the service data messages on the network in real time according to the data security monitoring rule configuration information, and for carrying out data message monitoring processing and reporting security events according to the configured security monitoring strategy;
the substation network switch is used for monitoring the condition of the network access equipment, the physical link state and the data flow information in real time according to the security monitoring policy configuration information and the switch forwarding configuration information, and for processing security events according to the security monitoring policy configuration information and reporting them;
the method for generating the security monitoring policy configuration file comprises the following steps:
reading SCD configuration file content, and reading security policy parameters input by a configuration interface, wherein the security policy parameters comprise security events, merging parameters, security event reporting policies and processing actions corresponding to abnormal illegal events;
analyzing and extracting a goose/sv service subscription relation of IED equipment, definition information of service data items, a network connection relation and terminal network parameters based on an SCD configuration file, analyzing and extracting security policy information based on security policy parameters input by a configuration interface, wherein the security policy information comprises one or more of the following items: the method comprises the steps of ultra-limit flow processing, abnormal message processing, illegal access equipment processing, illegal message processing, illegal and abnormal message tracing;
generating a security monitoring policy configuration file according to the security policy information and the IED equipment goose/sv service subscription relationship, the definition information of service data items, the network connection relationship and the terminal network parameters, wherein the content of the security monitoring policy configuration file comprises at least one of the following: alarm definition, event definition, alarm and event merging configuration, abnormal message processing strategy configuration, flow alarm threshold value, overrun flow processing strategy configuration, illegal access equipment processing strategy configuration, illegal message tracing strategy configuration.
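As an added example (not code from the patent), the following Python sketch illustrates the SCD-to-policy step of claim 8 and the switch-side action of claim 7 on a constructed minimal SCD: it extracts GOOSE publisher addresses and ExtRef subscription relationships from the SCL XML, builds a whitelist-style policy with a traffic threshold, and classifies an observed GOOSE stream as forward, suppress, or discard-and-record. Element names follow the IEC 61850 SCL schema; the SCD content, action names and threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed minimal SCD (not a real substation file): PROT1 publishes GOOSE
# control block gcb1 on the process bus and BRK1 subscribes to it via an ExtRef.
SCD_XML = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Communication><SubNetwork name="PB">
<ConnectedAP iedName="PROT1" apName="P1"><GSE ldInst="LD0" cbName="gcb1"><Address>
<P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P><P type="VLAN-ID">005</P>
</Address></GSE></ConnectedAP></SubNetwork></Communication>
<IED name="PROT1"><AccessPoint name="P1"><Server><LDevice inst="LD0"><LN0 lnClass="LLN0" inst="">
<GSEControl name="gcb1" datSet="ds1" appID="PROT1_gcb1"/></LN0></LDevice></Server></AccessPoint></IED>
<IED name="BRK1"><AccessPoint name="P1"><Server><LDevice inst="LD0"><LN0 lnClass="LLN0" inst="">
<Inputs><ExtRef iedName="PROT1" ldInst="LD0" lnClass="LLN0" doName="Op"/></Inputs>
</LN0></LDevice></Server></AccessPoint></IED></SCL>"""

def goose_publishers(root):
    """Map (IED, LDevice, control block) -> GSE address parameters from <Communication>."""
    pubs = {}
    for ap in root.iterfind(".//scl:ConnectedAP", NS):
        for gse in ap.iterfind("scl:GSE", NS):
            addr = {p.get("type"): p.text for p in gse.iterfind("scl:Address/scl:P", NS)}
            pubs[(ap.get("iedName"), gse.get("ldInst"), gse.get("cbName"))] = addr
    return pubs

def subscriptions(root):
    """Set of (subscriber IED, publisher IED) pairs taken from ExtRef inputs."""
    return {(ied.get("name"), ref.get("iedName"))
            for ied in root.iterfind("scl:IED", NS)
            for ref in ied.iterfind(".//scl:ExtRef", NS)}

def build_policy(scd_xml, max_pps=100):
    """Policy configuration: GOOSE whitelist, subscription relation, threshold and actions (assumed names)."""
    root = ET.fromstring(scd_xml)
    allowed = [{"ied": ied, "cb": f"{ld}/{cb}", "mac": a["MAC-Address"].lower(),
                "appid": int(a["APPID"], 16), "vlan": int(a["VLAN-ID"])}
               for (ied, ld, cb), a in goose_publishers(root).items()]
    return {"allowed_goose": allowed, "subscriptions": sorted(subscriptions(root)),
            "flow_threshold_pps": max_pps, "overrun_action": "suppress",
            "unknown_publisher_action": "discard_and_record"}

def classify_frame(policy, mac, appid, vlan, pps):
    """Switch-side decision for an observed GOOSE stream (mac/appid/vlan/rate)."""
    known = any(e["mac"] == mac.lower() and e["appid"] == appid and e["vlan"] == vlan
                for e in policy["allowed_goose"])
    if not known:
        return policy["unknown_publisher_action"]
    return policy["overrun_action"] if pps > policy["flow_threshold_pps"] else "forward"
```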
9. A computer device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, which when executed by the processor implement the steps of the intelligent substation communication data security monitoring method of any of claims 1-7.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the intelligent substation communication data security monitoring method according to any of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210077767.9A CN114513342B (en) 2022-01-24 2022-01-24 Intelligent substation communication data safety monitoring method and system

Publications (2)

Publication Number Publication Date
CN114513342A CN114513342A (en) 2022-05-17
CN114513342B true CN114513342B (en) 2023-08-04

Family

ID=81550070

Country Status (1)

Country Link
CN (1) CN114513342B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant