CN114513342B - Intelligent substation communication data safety monitoring method and system - Google Patents
Intelligent substation communication data safety monitoring method and system
- Publication number: CN114513342B (application CN202210077767.9A)
- Authority: CN (China)
- Prior art keywords: security, configuration file, configuration, message, information
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Abstract
The invention discloses a method and a system for monitoring the security of communication data in an intelligent substation. The method comprises the following steps: generating a data security monitoring rule configuration file, a security monitoring policy configuration file and a switch forwarding configuration file from the substation total station SCD configuration file and the security requirements; issuing the data security monitoring rule configuration file and the security monitoring policy configuration file to the security monitoring device, and issuing the security monitoring policy configuration file and the switch forwarding configuration file to the substation network switch; and, in response to receiving security event information sent by the security monitoring device and the substation network switch, performing alarm display, information recording and control. According to the invention, the basis for security monitoring is generated from the total station SCD configuration information, the communication data are monitored and inspected in real time, security events are controlled and alarmed, the security of the intelligent substation communication network is improved, and the reliable and stable operation of the intelligent substation protection control and automatic monitoring systems is ensured.
Description
Technical Field
The invention relates to the technical field of automatic control and network communication of power systems, in particular to a method and a system for monitoring communication data safety of an intelligent substation.
Background
With the gradual popularization of intelligent substation technology, monitoring systems based on networked transmission of data information are gradually replacing the traditional mode based on hard-wired secondary cables. The current intelligent substation network logically consists of a station control layer network, a bay layer network and a process layer network, and is physically configured as two layers, namely the station control layer and the process layer. In-station automation equipment is modelled uniformly according to the IEC 61850 standard and applies the unified data interface model defined by IEC 61850; information sharing and interaction are realized through station control layer MMS (Manufacturing Message Specification) network switching equipment and process layer GOOSE (Generic Object Oriented Substation Event) and SV (Sampled Value) network switching equipment. Service messages in current intelligent substations are transmitted in clear text, and no protection against network attacks is deployed for communication inside the substation.
Against the backdrop of a severe network security situation, and given the important position of the substation in power grid security, data communication inside the substation needs to be monitored and protected.
Disclosure of Invention
The invention aims to: aiming at the defects of the prior art, the invention provides an intelligent substation communication data safety monitoring system and method, which realize safety monitoring and safety protection of data communication in a substation.
The technical scheme is as follows: in order to achieve the above purpose, the present invention adopts the following technical scheme:
a communication data safety monitoring method of an intelligent substation comprises the following steps:
generating a data security monitoring rule configuration file, a security monitoring strategy configuration file and a switch forwarding configuration file based on the substation total station SCD configuration file and the security requirement;
the data security monitoring rule configuration file and the security monitoring strategy configuration file are issued to the security monitoring equipment, and the security monitoring strategy configuration file and the switch forwarding configuration file are issued to the transformer substation network switch;
in response to receiving security event information sent by the security monitoring device and the substation network switch, performing alarm display and information recording on the security event information. The security event information sent by the security monitoring device consists of security events that the device obtains by monitoring the service data messages on the network in real time according to the data security monitoring rule configuration information, and by processing and reporting the data messages according to the configured security monitoring policy. The security event information sent by the substation network switch consists of security events that the switch processes and reports according to the security monitoring policy configuration information and the switch forwarding configuration information while monitoring the network access devices, the physical link state and the data flow information in real time.
Preferably, the method for generating the data security monitoring rule configuration file comprises the following steps:
reading SCD configuration file content, and reading security inspection parameters input by a configuration interface, wherein the security inspection parameters comprise a service message inspection field, inspection depth, a service message type range and terminal equipment network parameters;
extracting network parameters of terminal equipment based on the SCD configuration file analysis, and extracting network parameters of all substation terminal equipment based on the terminal equipment network parameters extracted by the SCD configuration file analysis and the terminal equipment network parameters input by the configuration interface; analyzing and extracting a goose/sv service subscription relation of IED equipment, definition information of service data items and a service data sending period based on the SCD configuration file; resolving security rule information based on security check parameters input by a configuration interface, wherein the security rule information comprises one or more of the following: service flow bandwidth range, message inspection rule, terminal equipment access rule, network parameter range rule, two-layer service application inspection rule and three-layer service application inspection rule;
generating a data security monitoring rule configuration file according to the security rule information, network parameters of all substation terminal equipment, a goose/sv service subscription relation of the IED equipment, definition information of service data items and a service data sending period, wherein the content of the data security monitoring rule configuration file comprises at least one of the following: and describing a substation service message and configuring a message checking strategy.
Preferably, the method for generating the security monitoring policy configuration file comprises the following steps:
reading SCD configuration file content, and reading security policy parameters input by a configuration interface, wherein the security policy parameters comprise security events, merging parameters, security event reporting policies and processing actions corresponding to abnormal illegal events;
parsing and extracting, from the SCD configuration file, the goose/sv service subscription relation of the IED equipment, the definition information of the service data items, the network connection relation and the terminal network parameters; and parsing and extracting security policy information from the security policy parameters entered in the configuration interface, wherein the security policy information comprises one or more of the following items: over-limit traffic processing, abnormal message processing, illegal access device processing, illegal message processing, and tracing of illegal and abnormal messages;
generating a security monitoring policy configuration file according to the security policy information and the IED equipment goose/sv service subscription relationship, the definition information of service data items, the network connection relationship and the terminal network parameters, wherein the content of the security monitoring policy configuration file comprises at least one of the following: alarm definition, event definition, alarm and event merging configuration, abnormal message processing strategy configuration, flow alarm threshold value, overrun flow processing strategy configuration, illegal access equipment processing strategy configuration, illegal message tracing strategy configuration.
The abnormal message processing strategy and the overrun flow processing strategy comprise the following steps: alarming, discarding, limiting speed, forwarding and recording; the illegal access device processing strategy comprises the following steps: alarming, recording equipment information and blocking an access port; the illegal message processing strategy comprises the following steps: alert, discard, speed limit, redirect, record.
Preferably, the method for generating the forwarding configuration file of the switch comprises the following steps:
reading SCD configuration file content, and reading forwarding security parameters input by a configuration interface, wherein the forwarding security parameters comprise forwarding security events, actions and forwarding security event reporting conditions;
analyzing and extracting a goose/sv service subscription relation, a network connection relation and terminal network parameters of IED equipment based on an SCD configuration file, analyzing and extracting forwarding security policy information based on forwarding security parameters input by a configuration interface, wherein the forwarding security policy information comprises: a flow alarm strategy, an overrun flow processing strategy, a message exception processing strategy, an illegal access equipment processing strategy, an illegal message processing strategy and a network topology change strategy; the over-limit flow processing strategy and the message exception processing strategy comprise the following steps: alarming, discarding, limiting speed, forwarding and recording; the illegal access device processing strategy comprises the following steps: alarming, recording equipment information and blocking an access port; the illegal message processing strategy comprises the following steps: alarming, discarding, limiting speed, redirecting and recording;
generating a switch forwarding configuration file according to the forwarding security policy information, the IED equipment goose/sv service subscription relationship, the network connection relationship and the terminal network parameter, wherein the switch forwarding configuration file comprises at least one of the following contents: forwarding table configuration, forwarding table searching abnormal strategy configuration, service flow strategy configuration, terminal information of interface connection, unknown flow strategy configuration, abnormal message strategy configuration and network topology changing strategy.
Preferably, the method by which the security monitoring device reports security events comprises the following steps: the security monitoring device inspects substation service messages according to the rules of the data security monitoring rule configuration file. A layer-2 substation service message is judged illegal when its MAC address, service application serial number or service message data items do not satisfy the layer-2 service inspection configuration rule; a layer-3 substation service message is judged illegal when its MAC address, IP address, port number or service message data items do not satisfy the layer-3 service inspection configuration rule. Alarm display and information recording are then performed according to the security monitoring policy configuration file. The layer-2 service inspection configuration rule comprises the legal MAC addresses, the multicast MAC addresses configured by the SCD, the legal service application serial numbers, the correspondence between multicast MAC and service application serial number, the legal range of the data items and the legal message types; the layer-3 service inspection configuration rule comprises abnormal message addresses, legal port numbers, the service message data item range and the legal message types.
Preferably, the method by which the substation network switch reports security events comprises the following steps: the substation network switch collects the messages entering each interface in real time and forwards and filters them according to the switch forwarding configuration file; message traffic is counted in hardware, and a security event is recognized when the traffic exceeds the configured traffic threshold; when a terminal device is connected and its terminal information is not in the legal device list, a security event is recognized; when the network topology changes and the changed topology is not in the legal topology list, a security event is recognized; when an illegal message appears, a security event is recognized; and the security event is displayed and recorded according to the security monitoring policy configuration file.
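As an added illustration (example code, not from the patent), the following Python derives the layer-2 rule set described in the rule-generation steps above (SCD-configured multicast MACs, legal APPIDs and their correspondence, plus the IED IP addresses) from a constructed SCD fragment and then applies the layer-2 and layer-3 checks just described to constructed frame headers. The SCL fragment, MACs, APPIDs and IP addresses are invented, and the check of data item ranges is left out because it needs payload decoding.

```python
"""Added example, not the patent's code: build layer-2/layer-3 inspection rules
from a constructed SCD (IEC 61850 SCL) fragment and check frame headers against
them, as the security monitoring device in the method is described to do."""
import xml.etree.ElementTree as ET

# Constructed SCL fragment (all values invented): one GOOSE control block on a
# protection IED and one SV control block on a merging unit.
SCD_XML = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
 <Communication><SubNetwork name="ProcessBus">
  <ConnectedAP iedName="PROT1" apName="P1">
   <Address><P type="IP">192.168.10.11</P></Address>
   <GSE ldInst="PROT" cbName="gocb0"><Address>
    <P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P>
   </Address></GSE>
  </ConnectedAP>
  <ConnectedAP iedName="MU1" apName="M1">
   <Address><P type="IP">192.168.10.21</P></Address>
   <SMV ldInst="MU" cbName="smvcb0"><Address>
    <P type="MAC-Address">01-0C-CD-04-00-01</P><P type="APPID">4001</P>
   </Address></SMV>
  </ConnectedAP>
 </SubNetwork></Communication>
</SCL>"""
NS = {"s": "http://www.iec.ch/61850/2003/SCL"}
ETHERTYPE = {0x88B8: "GSE", 0x88BA: "SMV"}   # GOOSE and Sampled Values
MMS_PORT = 102                                # ISO transport over TCP (MMS)

def build_rules(scd_xml):
    """Parse the SCD and return {"l2": {(multicast_mac, appid): (ied, kind)},
    "ips": set_of_ied_ips}. The l2 map is the SCD-configured multicast MAC,
    legal APPID and MAC<->APPID correspondence the layer-2 rule relies on."""
    root = ET.fromstring(scd_xml)
    l2, ips = {}, set()
    for ap in root.iterfind(".//s:ConnectedAP", NS):
        for p in ap.iterfind("s:Address/s:P[@type='IP']", NS):
            ips.add(p.text.strip())
        for kind in ("GSE", "SMV"):
            for cb in ap.iterfind("s:" + kind, NS):
                prm = {p.get("type"): p.text.strip()
                       for p in cb.iterfind("s:Address/s:P", NS)}
                mac = prm["MAC-Address"].upper().replace("-", ":")
                l2[(mac, int(prm["APPID"], 16))] = (ap.get("iedName"), kind)
    return {"l2": l2, "ips": ips}

def check_l2(rules, dst_mac, ethertype, appid):
    """Layer-2 check on a GOOSE/SV header: returns (verdict, reason)."""
    dst_mac = dst_mac.upper()
    kind = ETHERTYPE.get(ethertype)
    if kind is None:
        return "illegal", "unknown layer-2 message type 0x%04X" % ethertype
    if dst_mac not in {m for m, _ in rules["l2"]}:
        return "illegal", "multicast MAC %s not configured in SCD" % dst_mac
    if appid not in {a for _, a in rules["l2"]}:
        return "illegal", "APPID 0x%04X is not a legal application number" % appid
    ied, cfg_kind = rules["l2"].get((dst_mac, appid), (None, None))
    if ied is None:
        return "illegal", "MAC %s and APPID 0x%04X do not correspond" % (dst_mac, appid)
    if cfg_kind != kind:
        return "illegal", "%s frame sent on a %s control block" % (kind, cfg_kind)
    return "legal", "%s from %s" % (kind, ied)

def check_l3(rules, src_ip, dst_port):
    """Layer-3 check: source must be a known IED address and the port legal."""
    if src_ip not in rules["ips"]:
        return "illegal", "abnormal message address %s" % src_ip
    if dst_port != MMS_PORT:
        return "illegal", "port %d is not legal for station-layer service" % dst_port
    return "legal", "MMS from %s" % src_ip

# Constructed capture headers: (destination MAC, EtherType, APPID)
FRAMES = [
    ("01:0C:CD:01:00:01", 0x88B8, 0x0001),  # configured GOOSE block
    ("01:0C:CD:04:00:01", 0x88BA, 0x4001),  # configured SV block
    ("01:0C:CD:01:00:99", 0x88B8, 0x0001),  # MAC not in SCD
    ("01:0C:CD:01:00:01", 0x88B8, 0x4001),  # MAC/APPID mismatch
]

def scan(rules, frames=FRAMES):
    """One (verdict, reason) per frame; illegal ones become security events."""
    return [check_l2(rules, *f) for f in frames]

if __name__ == "__main__":
    r = build_rules(SCD_XML)
    for f, v in zip(FRAMES, scan(r)):
        print(f, "->", v)
```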
Preferably, the method further comprises: in response to receiving security event information uploaded from the security monitoring device and the substation network switch, issuing a security policy instruction to the substation network switch, the substation network switch performing security policy actions on the specified message data stream based on the issued security policy instruction, the security policy actions including one or more of traffic suppression, discarding, record storage, redirection.
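To show how the switch-side events of the preceding paragraphs turn into the policy actions listed above, here is an added example (not the patent's own code) that models the switch checks (traffic over threshold, terminal not in the legal device list, topology not in the legal topology list, illegal message) against a constructed security monitoring policy, including the alarm/event merging that the policy file configures. The policy keys, thresholds, device list, topology and samples are all assumptions.

```python
"""Added example, not the patent's code: switch-side security event evaluation
with policy actions and alarm/event merging. Every value below is constructed."""
from collections import OrderedDict

# Constructed security monitoring policy configuration (key names are assumptions).
POLICY = {
    "flow_threshold_bps": {"GOOSE": 2_000_000, "SV": 40_000_000},
    "overrun_flow": ("alarm", "rate_limit", "record"),
    "illegal_access_device": ("alarm", "record_device_info", "block_port"),
    "topology_change": ("alarm", "record"),
    "illegal_message": ("alarm", "discard", "record"),
}
LEGAL_DEVICES = {"00:11:22:33:44:01": "PROT1", "00:11:22:33:44:02": "MU1"}  # MAC -> IED
LEGAL_TOPOLOGY = {("SW1/1", "PROT1"), ("SW1/2", "MU1")}                     # (port, IED)

def check_flow(service, bps, port):
    """Hardware traffic statistics against the configured threshold."""
    limit = POLICY["flow_threshold_bps"].get(service)
    if limit is not None and bps > limit:
        return {"event": "overrun_flow", "port": port,
                "detail": "%s %d bps > %d bps" % (service, bps, limit)}
    return None

def check_access(port, mac):
    """Terminal access: the device must be in the legal device list."""
    if mac.upper() not in LEGAL_DEVICES:
        return {"event": "illegal_access_device", "port": port,
                "detail": "unknown terminal %s" % mac}
    return None

def check_topology(links):
    """links: observed (port, IED) pairs; anything outside the legal list is an event."""
    bad = set(links) - LEGAL_TOPOLOGY
    if bad:
        return {"event": "topology_change", "port": sorted(p for p, _ in bad)[0],
                "detail": "links not in legal topology: %s" % sorted(bad)}
    return None

def evaluate(samples):
    """Run the switch checks over monitoring samples and attach the policy actions.
    Illegal-message samples arrive already classified by the message inspection."""
    out = []
    for s in samples:
        ev = None
        if s["kind"] == "flow":
            ev = check_flow(s["service"], s["bps"], s["port"])
        elif s["kind"] == "access":
            ev = check_access(s["port"], s["mac"])
        elif s["kind"] == "topology":
            ev = check_topology(s["links"])
        elif s["kind"] == "illegal_message":
            ev = {"event": "illegal_message", "port": s["port"], "detail": s["reason"]}
        if ev:
            ev["actions"] = POLICY[ev["event"]]
            out.append(ev)
    return out

def merge_events(events):
    """Alarm/event merging: repeats of the same event on the same port collapse
    into one entry with a count, so a burst does not flood the master station."""
    merged = OrderedDict()
    for ev in events:
        key = (ev["event"], ev["port"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(ev, count=1)
    return list(merged.values())

SAMPLES = [  # constructed monitoring samples
    {"kind": "flow", "port": "SW1/2", "service": "SV", "bps": 30_000_000},
    {"kind": "flow", "port": "SW1/1", "service": "GOOSE", "bps": 9_500_000},
    {"kind": "flow", "port": "SW1/1", "service": "GOOSE", "bps": 9_800_000},
    {"kind": "access", "port": "SW1/3", "mac": "00:11:22:33:44:02"},
    {"kind": "access", "port": "SW1/5", "mac": "DE:AD:BE:EF:00:01"},
    {"kind": "topology", "links": {("SW1/1", "PROT1"), ("SW1/2", "MU1"), ("SW1/5", "LAPTOP")}},
    {"kind": "illegal_message", "port": "SW1/5", "reason": "APPID 0x0001 on unconfigured MAC"},
]

if __name__ == "__main__":
    for ev in merge_events(evaluate(SAMPLES)):
        print(ev)
```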
The invention also provides an intelligent substation communication data security monitoring system, which comprises:
the security monitoring master control system module is used for generating a data security monitoring rule configuration file, a security monitoring strategy configuration file and an exchanger forwarding configuration file based on the substation total station SCD configuration file and security requirements, issuing the data security monitoring rule configuration file and the security monitoring strategy configuration file to the security monitoring equipment, issuing the security monitoring strategy configuration file and the exchanger forwarding configuration file to the substation network exchanger, and carrying out alarm display and information recording processing on the security event information in response to receiving the security event information sent from the security monitoring equipment and the substation network exchanger;
the safety monitoring equipment is used for configuring information according to data safety monitoring rules to monitor service data messages on a network in real time, and carrying out data message monitoring processing and reporting safety events according to configured safety monitoring strategies;
the transformer substation network switch is used for monitoring the condition of network access equipment, the physical link state and the data flow information in real time according to the security monitoring policy configuration information and the switch forwarding configuration information, processing security events according to the security monitoring policy configuration information and reporting.
The present invention also provides a computer device comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, which when executed by the processors implement the steps of the intelligent substation communication data security monitoring method as described above.
The invention also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements the steps of the intelligent substation communication data security monitoring method as described above.
The beneficial effects are as follows: the invention generates a security monitoring basis from the total station SCD configuration file, the security requirements and the extracted information, monitors the validity of data on the intelligent substation communication network in real time according to the security policy, and captures, records, traces and alarms illegal messages on the communication network in real time. Through the network security monitoring device and the substation network switch, the substation's communication service data messages, the access of network terminal equipment and the operating state of network links can be monitored in real time, abnormal attack messages and abnormal network working conditions can be identified, and exceptions can be handled according to the security policy. This helps to improve the security of the intelligent substation communication network and to guarantee the reliable and stable operation of the intelligent substation protection control and automatic monitoring systems.
Drawings
FIG. 1 is a block diagram of an intelligent substation communication data security monitoring system according to an embodiment of the present invention;
fig. 2 is a flowchart of configuration file generation in an intelligent substation communication data security monitoring method according to an embodiment of the present invention.
Detailed Description
The technical scheme of the invention is further described below with reference to the accompanying drawings.
As shown in fig. 1, an intelligent substation communication data security monitoring system comprises a security monitoring main control system module, a security monitoring device and a substation network switch. The security monitoring main control system module is deployed on a server host and is connected to the security monitoring device and the substation network switch through an MMS interface or an SNMP management interface. The security monitoring device is a dedicated network message analysis device that receives and recognizes the data security monitoring rule configuration file and the security monitoring policy configuration file and monitors all substation service messages in real time; it can also be deployed on the switch as a functional module. The security monitoring device is also referred to as the security monitoring apparatus, network security monitoring apparatus or network security monitoring device; these terms are used interchangeably in the description of the invention. The security monitoring devices may be distributed according to different networking principles. For example, the security monitoring device may be deployed on a central switch interface, with all data streams of process layer service messages directed to it via multicast addresses and station control layer service messages redirected to it via switch mirroring. The security monitoring device can also serve as the network security monitoring functional module of a substation switch, integrated on the switch, so that the switch realizes the function of the network security monitoring device of the intelligent substation communication data security monitoring system.
An independent security monitoring module is operated on a transformer substation network switch, and security policy instructions, security policy configuration and forwarding configuration information issued by a main control module are received; the network switch of the transformer substation collects network monitoring information defined by security policies in real time, wherein the network monitoring information comprises information such as terminal access events, terminal equipment information, link states, link statistics information and the like, and records and reports alarms of the identified security events; and responding to the security policy instruction, and suppressing the designated abnormal message data flow.
The substation service message comprises an MMS message defined by IEC61850, a GOOSE message and an SV message, but is not limited to the IEC61850 message.
The communication data safety monitoring method based on the intelligent substation communication data safety monitoring system comprises the following steps:
1) And on the safety monitoring main control system module, a data safety monitoring rule configuration file, a safety monitoring strategy configuration file and a switch forwarding configuration file are generated by loading a substation total station SCD configuration file and setting safety rule requirements.
2) The security monitoring main control system module transmits the data security monitoring rule configuration file, the security monitoring policy configuration file and the switch forwarding configuration file to the substation switch. In this embodiment the security monitoring device function is deployed as a functional module on the switch, and the switch implements the security monitoring device function;
3) The substation switch monitors the service data messages on the network according to the data security monitoring rule configuration information, monitors and processes the data messages according to the configured security monitoring policy and reports security events; the substation network switch monitors the network access devices, physical link states and data flow information in real time according to the security monitoring policy configuration information and the switch forwarding configuration information, processes security events according to the security monitoring policy configuration information and reports them.
4) The substation safety monitoring main control system module receives safety event information sent by the network safety monitoring equipment and the substation network switch, and performs alarm display, information recording and other processing on the safety event information. The substation security monitoring main control system module issues a protection strategy to the substation network switch, and the substation network switch executes security strategy actions on the appointed illegal message data stream according to the issued security strategy instruction, wherein the strategy actions comprise flow suppression, discarding, record storage, redirection and the like.
In the embodiment of the invention, on a security monitoring main control system module, a data security monitoring rule configuration file, a security monitoring strategy configuration file and a switch forwarding configuration file are generated by a configuration management tool based on a total station SCD configuration file, user applied security regulations and enterprise security specifications.
The data security monitoring rule configuration file contains rule configuration such as the description information of all substation service message data fields, the message data field inspection range, the data message analysis inspection depth and the service message range. As shown in fig. 2, the whole-station SCD configuration file is loaded on the security monitoring main control system module, and security inspection parameters such as the service message inspection fields, the inspection depth, the service message type range and the terminal network parameters are configured at the configuration generation interface of that module. The configuration file generation function of the security monitoring main control system module then, from the content of the SCD configuration file and the configured parameters, analyzes and extracts the terminal equipment network parameters (equipment name, IP address and MAC address) from the SCD configuration file and from the terminal network parameters entered at configuration; analyzes and extracts from the SCD file the goose/sv service subscription relation of the IED equipment, the definition information of the service data items and the service data sending period; analyzes the security policy information from the security inspection parameters entered at configuration; and, by analysis and calculation over the extracted intermediate data, generates the data security monitoring rule configuration file, whose content comprises the substation service message description and the message inspection policy configuration. Examples of the content and format of the data security monitoring rule configuration file are as follows, where text beginning with "!" is an annotation explaining the meaning of that line of the configuration:
The security monitoring policy configuration file contains policy information such as the security event merging configuration, the security event uploading configuration, the abnormal message rules and action configuration, and the security event recording configuration. As shown in fig. 2, it is generated on the security monitoring main control system module in the same way as the data security monitoring rule configuration file: first the whole-station SCD configuration file is loaded, then security policy parameters such as the security events, the merging parameters, the security event reporting policies and the processing actions corresponding to abnormal and illegal events are set at the configuration generation interface of the module, and the configuration file generation function of the security monitoring main control system module generates the security monitoring policy configuration file from the content of the SCD configuration file and the configured parameters. It analyzes and extracts from the SCD configuration file the goose/sv service subscription relation of the IED equipment, the definition information of the service data items, the network connection relation and the terminal network parameters; analyzes the security policy information from the security policy parameters entered at configuration; and, by analysis and calculation over the extracted intermediate data, generates the security monitoring policy configuration file, whose main content is the alarm definitions, the event definitions, the alarm and event merging configuration and the exception handling policy configuration. Examples of the content and format of the security monitoring policy configuration file are as follows, where text beginning with "!" is an annotation explaining the meaning of that line of the configuration:
The switch forwarding configuration file contains configuration information such as device MAC address information, the port each device is connected to, multicast forwarding information and alarm setting information; the devices here are the IED devices connected to the switch. As shown in fig. 2, it is generated on the security monitoring main control system module in the same way as the data security monitoring rule configuration file: first the whole-station SCD configuration file is loaded, then security policy parameters such as the forwarding security events and their actions and the forwarding security event reporting conditions are set at the configuration generation interface of the module, and the configuration file generation function of the security monitoring main control system module generates the file from the content of the SCD configuration file and the configured parameters. It analyzes and extracts from the SCD configuration file the goose/sv service subscription relation, the network connection relation and the terminal network parameters of the IED equipment; analyzes the security policy information from the security policy parameters entered at configuration; and, by analysis and calculation over the extracted intermediate data, generates the switch forwarding configuration file, which comprises the forwarding table and the corresponding flow policy configuration, the terminal information of each interface, the unknown flow policy configuration and the like. Examples of the content and format of the switch forwarding configuration file are as follows, where text beginning with "!" is an annotation explaining the meaning of that line of the configuration:
The security monitoring main control system module delivers the generated configuration files to the network security monitoring device and the substation network switch. The network security monitoring device is configured according to the data security monitoring rules and the security monitoring policy, monitors the substation network service messages in real time, and reports security events as alarms. As described above, the network security monitoring device is either a dedicated network message analysis device or a functional module integrated in a substation switch; it receives and parses the data security monitoring rule configuration file and the security monitoring policy configuration file, monitors all substation service messages in real time, and, once an illegal message is identified, performs the configured actions such as recording, discarding and alarming on it according to the policy.
For example, the network security monitoring device, or a switch integrating its function, recognizes a message as illegal when its source MAC address is not in the security configuration file, or when its source or destination MAC address lies in an illegal address range specified in the security configuration file; a goose/sv message is illegal when its APPID is not in the configuration file, or when its destination MAC address does not correspond to its APPID; and so on. Once an illegal message is identified, it is handled according to the policy; the corresponding policy actions include recording, alarming, discarding, redirecting and forwarding the illegal message, and blocking the physical link of the device that sent it. In short, illegal messages are identified according to the security monitoring rule configuration file, and the policy actions are executed according to the illegal message events defined in the security monitoring policy configuration file: any message that triggers a rule in the security monitoring rule configuration file is an illegal message.
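As an added illustration (not code from the patent), the following Python sketch derives the rule set described above from a constructed minimal SCD file and checks raw GOOSE/SV frames against it; the SCD content, MAC addresses, APPIDs and the POLICY action table are assumed sample values rather than anything on the page, and a full implementation would also cover the data item, bandwidth and IP-layer rules.

```python
import struct
import xml.etree.ElementTree as ET

NS = "{http://www.iec.ch/61850/2003/SCL}"
ETH_GOOSE, ETH_SV, ETH_VLAN = 0x88B8, 0x88BA, 0x8100

# Constructed minimal SCD (sample data, not a real station): a protection IED
# publishing one GOOSE control block and a merging unit publishing one SV block.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Communication>
 <SubNetwork name="ProcessBus">
  <ConnectedAP iedName="PROT1" apName="P1">
   <Address><P type="IP">192.168.1.11</P><P type="MAC-Address">00-11-22-33-44-01</P></Address>
   <GSE ldInst="LD0" cbName="gcb01"><Address>
    <P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P></Address></GSE>
  </ConnectedAP>
  <ConnectedAP iedName="MU1" apName="S1">
   <Address><P type="IP">192.168.1.21</P><P type="MAC-Address">00-11-22-33-44-02</P></Address>
   <SMV ldInst="LD0" cbName="smv01"><Address>
    <P type="MAC-Address">01-0C-CD-04-00-01</P><P type="APPID">4001</P></Address></SMV>
  </ConnectedAP>
 </SubNetwork>
</Communication></SCL>"""

# Assumed stand-in for the security monitoring policy file: actions per illegal-message event.
POLICY = {"unknown_source_mac": ["record", "alarm", "discard", "block_port"],
          "illegal_message_type": ["record", "discard"],
          "unknown_destination_mac": ["record", "alarm", "discard"],
          "unknown_appid": ["record", "alarm", "discard"],
          "appid_dst_mac_mismatch": ["record", "alarm", "discard"]}


def _mac(text):
    """Normalise '01-0C-CD-..' or '01:0c:cd:..' to lower-case colon form."""
    return text.strip().replace("-", ":").lower()


def _params(addr):
    """Map the <P type=...> entries of an SCL Address element to their values."""
    return {p.get("type"): p.text for p in addr.findall(NS + "P")}


def build_rules(scd_xml, extra_terminals=()):
    """Generate the monitoring rule set: legal terminal MACs (from the SCD plus
    terminal parameters entered at configuration), the configured multicast
    MACs, and the (ethertype, APPID) -> multicast MAC correspondence."""
    root = ET.fromstring(scd_xml)
    rules = {"legal_src": {}, "multicast": set(), "pub": {}}
    for ap in root.iter(NS + "ConnectedAP"):
        ied = ap.get("iedName")
        ap_addr = ap.find(NS + "Address")
        p = _params(ap_addr) if ap_addr is not None else {}
        if "MAC-Address" in p:
            rules["legal_src"][_mac(p["MAC-Address"])] = ied
        for tag, eth in ((NS + "GSE", ETH_GOOSE), (NS + "SMV", ETH_SV)):
            for cb in ap.findall(tag):
                p = _params(cb.find(NS + "Address"))
                dst = _mac(p["MAC-Address"])
                rules["multicast"].add(dst)
                rules["pub"][(eth, int(p["APPID"], 16))] = (dst, ied, cb.get("cbName"))
    for name, mac in extra_terminals:
        rules["legal_src"][_mac(mac)] = name
    return rules


def parse_frame(frame):
    """Return (dst, src, ethertype, appid) from a raw Ethernet frame, skipping
    one optional 802.1Q tag; appid is None unless the frame is GOOSE or SV."""
    dst, src, off = frame[0:6].hex(":"), frame[6:12].hex(":"), 12
    (eth,) = struct.unpack("!H", frame[off:off + 2])
    if eth == ETH_VLAN:                 # tagged: skip TPID + TCI, read the real type
        off += 4
        (eth,) = struct.unpack("!H", frame[off:off + 2])
    off += 2
    appid = None
    if eth in (ETH_GOOSE, ETH_SV) and len(frame) >= off + 2:
        (appid,) = struct.unpack("!H", frame[off:off + 2])   # first GOOSE/SV header field
    return dst, src, eth, appid


def check_frame(frame, rules):
    """Apply the rule checks described above; an empty list means the frame is legal."""
    dst, src, eth, appid = parse_frame(frame)
    violations = []
    if src not in rules["legal_src"]:
        violations.append("unknown_source_mac")
    if eth not in (ETH_GOOSE, ETH_SV):   # the process layer allows GOOSE/SV only
        violations.append("illegal_message_type")
        return violations
    if dst not in rules["multicast"]:
        violations.append("unknown_destination_mac")
    pub = rules["pub"].get((eth, appid))
    if pub is None:
        violations.append("unknown_appid")
    elif pub[0] != dst:                 # APPID and destination MAC do not correspond
        violations.append("appid_dst_mac_mismatch")
    return violations


def policy_actions(violations, policy=POLICY):
    """Union of the configured actions for the violations, in first-seen order."""
    actions = []
    for v in violations:
        for a in policy.get(v, ["record"]):
            if a not in actions:
                actions.append(a)
    return actions
```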
In the embodiment of the invention, the security policy instructions, the security policy configuration and the forwarding configuration information are executed by a security monitoring module of the substation network switch. This independent security monitoring module running on the switch acquires in real time the network monitoring information defined by the security policy, including terminal access events, terminal equipment information, link states and link statistics; records and reports the identified security events and alarms; and, in response to security policy instructions, performs policy actions on the specified abnormal message data streams, the policy actions including bandwidth limitation, message discarding, and message collection and recording.
The switch collects the messages entering each interface in real time, and the multi-core CPU on the switch analyzes and checks the collected messages against the rules of the security monitoring rule configuration file; a message in which the corresponding field of any rule does not meet the configured requirement is an illegal, abnormal message. The hardware chip of the switch keeps hardware statistics of the message traffic, and any message traffic exceeding the configured threshold is one kind of security event. The security events include abnormal traffic, service flow interruption timeout, access of terminal equipment to the network, abnormal physical links and the like. The security events are known in advance and can therefore be classified and merged, with the corresponding processing policies set according to the event level. For example, terminal equipment accessing the network is a high-level security event that requires an immediate alarm and report and blocking of the port the equipment accessed; a physical link interruption is a high-level security event that requires an immediate alarm and report; and burst traffic exceeding the threshold is discarded and an alarm reported, or discarded without an alarm, according to a user-defined level. Which policy actions apply is determined by the network security requirements of the user, the enterprise and the industry.
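The switch-side detection described in this paragraph, as an added Python example that is not the patent's own code: it evaluates hardware traffic counters and port events against configured thresholds, classifies the resulting security events by level and merges repeats; the flow thresholds and timeouts, the EVENT_POLICY level and action table and the replayed counter samples are all constructed assumptions.

```python
# Assumed stand-in for the security monitoring policy configuration file: the
# level of each event kind and the actions to take (levels and actions as the
# description names them; the assignment here is a constructed sample).
EVENT_POLICY = {
    "terminal_access": ("high", ["alarm", "report", "block_port"]),
    "link_down": ("high", ["alarm", "report"]),
    "flow_timeout": ("high", ["alarm", "report"]),
    "traffic_overrun": ("user", ["discard", "alarm"]),
}


class SwitchMonitor:
    """Switch-side monitor: checks hardware traffic counters and port events
    against the configured thresholds, then classifies and merges the events."""

    def __init__(self, flow_rules, legal_terminals, merge_window_ms, policy=EVENT_POLICY):
        self.flow_rules = flow_rules          # flow -> {"max_pps": int, "timeout_ms": int}
        self.legal_terminals = {m.lower() for m in legal_terminals}
        self.merge_window_ms = merge_window_ms
        self.policy = policy
        self.last_seen = {}                   # flow -> last time traffic was seen (ms)
        self.events = []                      # merged events, in order of first occurrence
        self._open = {}                       # (type, key) -> event still inside its merge window

    def observe_counters(self, t_ms, pps_by_flow):
        """One hardware statistics sample: packets per second seen for each flow."""
        for flow, pps in pps_by_flow.items():
            rule = self.flow_rules.get(flow)
            if rule is None:
                continue
            if pps > rule["max_pps"]:
                self._emit(t_ms, "traffic_overrun", flow, f"{pps} pps > {rule['max_pps']} pps")
            if pps > 0:
                self.last_seen[flow] = t_ms
        # service flow interruption: a periodic flow silent for longer than its timeout
        for flow, rule in self.flow_rules.items():
            seen = self.last_seen.get(flow)
            if seen is not None and t_ms - seen > rule["timeout_ms"]:
                self._emit(t_ms, "flow_timeout", flow, f"silent for {t_ms - seen} ms")

    def observe_port(self, t_ms, port, link_up, mac=None):
        """Port state change: link loss, or a terminal attaching with the given MAC."""
        if not link_up:
            self._emit(t_ms, "link_down", port, "physical link interrupted")
        elif mac is not None and mac.lower() not in self.legal_terminals:
            self._emit(t_ms, "terminal_access", port, f"unknown terminal {mac}")

    def _emit(self, t_ms, etype, key, detail):
        """Record an event, merging repeats of the same type and key inside the window."""
        ev = self._open.get((etype, key))
        if ev is not None and t_ms - ev["first_ms"] <= self.merge_window_ms:
            ev["count"] += 1
            ev["last_ms"] = t_ms
            return ev
        level, actions = self.policy[etype]
        ev = {"type": etype, "key": key, "level": level, "actions": list(actions),
              "first_ms": t_ms, "last_ms": t_ms, "count": 1, "detail": detail}
        self.events.append(ev)
        self._open[(etype, key)] = ev
        return ev


def run_sample():
    """Replay a constructed sequence of counter samples and port events."""
    mon = SwitchMonitor(
        flow_rules={"gcb01": {"max_pps": 100, "timeout_ms": 10000},   # GOOSE heartbeat flow
                    "smv01": {"max_pps": 5000, "timeout_ms": 2000}},  # SV stream, 4000 pps nominal
        legal_terminals=["00:11:22:33:44:01", "00:11:22:33:44:02"],
        merge_window_ms=5000)
    mon.observe_counters(0, {"gcb01": 2, "smv01": 4000})
    mon.observe_counters(1000, {"gcb01": 500, "smv01": 4000})     # GOOSE burst above threshold
    mon.observe_port(1500, 3, True, mac="00:11:22:33:44:77")      # unknown terminal on port 3
    mon.observe_counters(2000, {"gcb01": 600, "smv01": 0})        # burst continues, SV stops
    mon.observe_counters(3000, {"gcb01": 2, "smv01": 0})
    mon.observe_port(4000, 5, False)                              # link on port 5 goes down
    mon.observe_counters(5000, {"gcb01": 2, "smv01": 0})          # SV silent for > 2000 ms
    mon.observe_counters(6000, {"gcb01": 2, "smv01": 0})
    return mon.events
```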
In the embodiment of the invention, the security monitoring main control system module is integrated in the background monitoring system or the network security monitoring system. During system commissioning and whenever the SCD configuration changes, the data security monitoring rules, the security monitoring policy and the switch forwarding configuration are generated from the SCD according to the security regulations and security technical specifications and issued to the network security monitoring equipment and the switches, where the security configuration takes effect immediately and monitoring runs. During system operation, the security monitoring main control system module receives the security event information from the network security monitoring equipment and the substation network switches in real time, analyzes and processes it, displays alarms in real time, and issues abnormal message suppression policy instructions to the switches according to the processing result.
The power grid company specification requires that the process layer network allow only goose/sv message transmission, and users have further requirements such as forwarding only white-listed data (messages with a forwarding table entry) in the communication network and discarding all other messages, as well as DoS attack defense and filtering of illegal messages. At present, no security specification requirement specific to network transmission has been written into the various specifications, such as power industry standards, enterprise standards, and provincial or municipal company requirements. In the invention, the basis for security monitoring is generated automatically by the configuration management tool from the analysis of the SCD configuration file, the security regulations applied by the user and the enterprise security specifications; the communication data is security-checked in real time; and security event control and alarming are carried out on the system main control according to the security policy, which improves the security of the intelligent substation communication network and ensures the reliable and stable operation of the intelligent substation protection control and automatic monitoring system.
The names of the messages or information exchanged between the devices in the embodiments of the present invention are for illustrative purposes only and are not intended to limit the scope of such messages or information.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.
Claims (10)
1. The intelligent substation communication data safety monitoring method is characterized by comprising the following steps of:
generating a data security monitoring rule configuration file, a security monitoring strategy configuration file and a switch forwarding configuration file based on the substation total station SCD configuration file and the security requirement;
the data security monitoring rule configuration file and the security monitoring strategy configuration file are issued to the security monitoring equipment, and the security monitoring strategy configuration file and the switch forwarding configuration file are issued to the transformer substation network switch;
in response to receiving security event information sent from the security monitoring equipment and the substation network switch, carrying out alarm display and information recording processing on the security event information, wherein the security event information sent by the security monitoring equipment consists of security events obtained by the security monitoring equipment by monitoring the service data messages on the network in real time according to the data security monitoring rule configuration information, and by monitoring, processing and reporting the data messages according to the configured security monitoring policy; and the security event information sent by the substation network switch consists of security events which the substation network switch processes and reports according to the security monitoring policy configuration information and the switch forwarding configuration information while monitoring the network access equipment condition, the physical link state and the data flow information in real time;
the method for generating the security monitoring policy configuration file comprises the following steps:
reading SCD configuration file content, and reading security policy parameters input by a configuration interface, wherein the security policy parameters comprise security events, merging parameters, security event reporting policies and processing actions corresponding to abnormal illegal events;
analyzing and extracting the goose/sv service subscription relation of the IED equipment, the definition information of service data items, the network connection relation and the terminal network parameters based on the SCD configuration file, and analyzing and extracting security policy information based on the security policy parameters input by the configuration interface, wherein the security policy information comprises one or more of the following items: over-limit flow processing, abnormal message processing, illegal access equipment processing, illegal message processing, and illegal and abnormal message tracing;
generating a security monitoring policy configuration file according to the security policy information and the IED equipment goose/sv service subscription relationship, the definition information of service data items, the network connection relationship and the terminal network parameters, wherein the content of the security monitoring policy configuration file comprises at least one of the following: alarm definition, event definition, alarm and event merging configuration, abnormal message processing strategy configuration, flow alarm threshold value, overrun flow processing strategy configuration, illegal access equipment processing strategy configuration, illegal message tracing strategy configuration.
2. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for generating the data security monitoring rule configuration file comprises the following steps:
reading SCD configuration file content, and reading security inspection parameters input by a configuration interface, wherein the security inspection parameters comprise a service message inspection field, inspection depth, a service message type range and terminal equipment network parameters;
extracting terminal equipment network parameters based on analysis of the SCD configuration file, and obtaining the network parameters of all substation terminal equipment from the terminal equipment network parameters extracted from the SCD configuration file and the terminal equipment network parameters input by the configuration interface; analyzing and extracting the goose/sv service subscription relation of the IED equipment, the definition information of service data items and the service data sending period based on the SCD configuration file; and resolving security rule information based on the security check parameters input by the configuration interface, wherein the security rule information comprises one or more of the following: service flow bandwidth range, message inspection rule, terminal equipment access rule, network parameter range rule, two-layer service application inspection rule and three-layer service application inspection rule;
generating a data security monitoring rule configuration file according to the security rule information, the network parameters of all substation terminal equipment, the goose/sv service subscription relation of the IED equipment, the definition information of service data items and the service data sending period, wherein the content of the data security monitoring rule configuration file comprises at least one of the following: substation service message description and message inspection policy configuration.
3. The intelligent substation communication data security monitoring method according to claim 1, wherein the abnormal message processing strategy and the overrun flow processing strategy comprise: alarming, discarding, limiting speed, forwarding and recording; the illegal access device processing strategy comprises the following steps: alarming, recording equipment information and blocking an access port; the illegal message processing strategy comprises the following steps: alert, discard, speed limit, redirect, record.
4. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for generating the switch forwarding configuration file comprises the following steps:
reading SCD configuration file content, and reading forwarding security parameters input by a configuration interface, wherein the forwarding security parameters comprise forwarding security events, actions and forwarding security event reporting conditions;
analyzing and extracting a goose/sv service subscription relation, a network connection relation and terminal network parameters of IED equipment based on an SCD configuration file, analyzing and extracting forwarding security policy information based on forwarding security parameters input by a configuration interface, wherein the forwarding security policy information comprises: a flow alarm strategy, an overrun flow processing strategy, a message exception processing strategy, an illegal access equipment processing strategy, an illegal message processing strategy and a network topology change strategy; the over-limit flow processing strategy and the message exception processing strategy comprise the following steps: alarming, discarding, limiting speed, forwarding and recording; the illegal access device processing strategy comprises the following steps: alarming, recording equipment information and blocking an access port; the illegal message processing strategy comprises the following steps: alarming, discarding, limiting speed, redirecting and recording;
generating a switch forwarding configuration file according to the forwarding security policy information, the IED equipment goose/sv service subscription relationship, the network connection relationship and the terminal network parameter, wherein the switch forwarding configuration file comprises at least one of the following contents: forwarding table configuration, forwarding table searching abnormal strategy configuration, service flow strategy configuration, terminal information of interface connection, unknown flow strategy configuration, abnormal message strategy configuration and network topology changing strategy.
5. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for reporting security events by the security monitoring equipment comprises the following steps: the security monitoring equipment checks the substation service messages against the rules of the data security monitoring rule configuration file; a two-layer substation service message is an illegal message when its MAC address, service application serial number and service message data item do not meet the two-layer service inspection configuration rule, and a three-layer substation service message is an illegal message when its MAC address, IP address, port number and service message data item do not meet the three-layer service inspection configuration rule; alarm display and information recording processing are carried out according to the security monitoring policy configuration file, wherein the two-layer service inspection configuration rule comprises the legal MAC addresses, the multicast MAC addresses configured by the SCD, the legal service application serial numbers, the correspondence between multicast MAC addresses and service application serial numbers, the legal range of the data items and the legal message types; and the three-layer service inspection configuration rule comprises the abnormal message addresses, the legal port numbers, the service message data item range and the legal message types.
6. The intelligent substation communication data security monitoring method according to claim 1, wherein the method for reporting security events by the substation network switch comprises the following steps: the substation network switch collects the messages entering its interfaces in real time, and forwards and filters them according to the switch forwarding configuration file; it keeps hardware statistics of the message traffic, and identifies a security event when the message traffic exceeds the configured traffic threshold; when terminal equipment is accessed and the terminal information is not in the legal equipment list, a security event is identified; when the network topology changes and the changed topology is not in the legal topology list, a security event is identified; when illegal messages appear, they are identified as security events; and the security events are displayed and recorded according to the security monitoring policy configuration file.
7. The intelligent substation communication data security monitoring method according to claim 1, further comprising: in response to receiving security event information uploaded from the security monitoring device and the substation network switch, issuing a security policy instruction to the substation network switch, the substation network switch performing security policy actions on the specified message data stream based on the issued security policy instruction, the security policy actions including one or more of traffic suppression, discarding, record storage, redirection.
8. An intelligent substation communication data security monitoring system, characterized by comprising:
the security monitoring main control system module is used for generating a data security monitoring rule configuration file, a security monitoring strategy configuration file and a switch forwarding configuration file based on the substation total station SCD configuration file and security requirements, issuing the data security monitoring rule configuration file and the security monitoring strategy configuration file to the security monitoring equipment, issuing the security monitoring strategy configuration file and the switch forwarding configuration file to the substation network switch, and carrying out alarm display and information recording processing on the security event information in response to receiving the security event information sent from the security monitoring equipment and the substation network switch;
the safety monitoring equipment is used for configuring information according to data safety monitoring rules to monitor service data messages on a network in real time, and carrying out data message monitoring processing and reporting safety events according to configured safety monitoring strategies;
the substation network switch is used for monitoring the condition of network access equipment, the physical link state and the data flow information in real time according to the security monitoring policy configuration information and the switch forwarding configuration information, processing security events according to the security monitoring policy configuration information and reporting the security events;
the method for generating the security monitoring policy configuration file comprises the following steps:
reading SCD configuration file content, and reading security policy parameters input by a configuration interface, wherein the security policy parameters comprise security events, merging parameters, security event reporting policies and processing actions corresponding to abnormal illegal events;
analyzing and extracting the goose/sv service subscription relation of the IED equipment, the definition information of service data items, the network connection relation and the terminal network parameters based on the SCD configuration file, and analyzing and extracting security policy information based on the security policy parameters input by the configuration interface, wherein the security policy information comprises one or more of the following items: over-limit flow processing, abnormal message processing, illegal access equipment processing, illegal message processing, and illegal and abnormal message tracing;
generating a security monitoring policy configuration file according to the security policy information and the IED equipment goose/sv service subscription relationship, the definition information of service data items, the network connection relationship and the terminal network parameters, wherein the content of the security monitoring policy configuration file comprises at least one of the following: alarm definition, event definition, alarm and event merging configuration, abnormal message processing strategy configuration, flow alarm threshold value, overrun flow processing strategy configuration, illegal access equipment processing strategy configuration, illegal message tracing strategy configuration.
9. A computer device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, which when executed by the processor implement the steps of the intelligent substation communication data security monitoring method of any of claims 1-7.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the intelligent substation communication data security monitoring method according to any of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210077767.9A CN114513342B (en) | 2022-01-24 | 2022-01-24 | Intelligent substation communication data safety monitoring method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210077767.9A CN114513342B (en) | 2022-01-24 | 2022-01-24 | Intelligent substation communication data safety monitoring method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114513342A CN114513342A (en) | 2022-05-17 |
CN114513342B true CN114513342B (en) | 2023-08-04 |
Family
ID=81550070
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210077767.9A Active CN114513342B (en) | 2022-01-24 | 2022-01-24 | Intelligent substation communication data safety monitoring method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114513342B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114826790B (en) * | 2022-06-30 | 2022-11-15 | 浪潮电子信息产业股份有限公司 | Block chain monitoring method, device, equipment and storage medium |
CN118041693B (en) * | 2024-04-11 | 2024-07-23 | 国网浙江省电力有限公司杭州市富阳区供电公司 | Security defense method, system, equipment and medium of switch |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013118889A1 (en) * | 2012-02-10 | 2013-08-15 | 株式会社 東芝 | Transformer substation automation system and automatic recognition method for terminal |
CN103326469A (en) * | 2013-06-14 | 2013-09-25 | 广东电网公司电力科学研究院 | Method and device for monitoring GOOSE communication status of intelligent substation |
CN107947367A (en) * | 2017-12-07 | 2018-04-20 | 国网四川省电力公司技能培训中心 | One kind protection equipment on-line monitoring and intelligent diagnosis system |
CN110224894A (en) * | 2019-06-18 | 2019-09-10 | 国网四川省电力公司内江供电公司 | A kind of transformer station process layer network management system for monitoring |
CN110768846A (en) * | 2019-10-31 | 2020-02-07 | 国网四川省电力公司阿坝供电公司 | Intelligent substation network safety protection system |
CN111882194A (en) * | 2020-07-21 | 2020-11-03 | 国家电网有限公司 | Intelligent substation relay protection state monitoring and diagnostic system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9998443B2 (en) * | 2016-02-22 | 2018-06-12 | International Business Machines Corporation | Retrospective discovery of shared credentials |
2022
- 2022-01-24 CN CN202210077767.9A patent/CN114513342B/en active Active
Non-Patent Citations (1)
Title |
---|
Research on security monitoring of power terminals and information attack detection strategy based on neural networks; 张睿智; 信息科技 (2021, No. 07); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114513342A (en) | 2022-05-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114513342B (en) | Intelligent substation communication data safety monitoring method and system | |
US10015188B2 (en) | Method for mitigation of cyber attacks on industrial control systems | |
CN109271793B (en) | Internet of things cloud platform equipment category identification method and system | |
CN109150869B (en) | Switch information acquisition and analysis system and method | |
CN104063473A (en) | Database auditing monitoring system and database auditing monitoring method | |
CN114363044B (en) | Hierarchical alarm method, hierarchical alarm system, storage medium and terminal | |
CN114567463B (en) | Industrial network information safety monitoring and protecting system | |
CN110224865A (en) | A kind of log warning system based on Stream Processing | |
CN116614277A (en) | Network security supervision system and method based on machine learning and abnormal behavior analysis | |
CN110958231A (en) | Industrial control safety event monitoring platform and method based on Internet | |
CN114785613B (en) | Method and system for processing safety alarm event based on automatic arrangement | |
CN112702333B (en) | Data security detection method and device | |
CN104660552A (en) | Wireless local area network (WLAN) intrusion detection system | |
CN114125083B (en) | Industrial network distributed data acquisition method and device, electronic equipment and medium | |
CN113671909A (en) | Safety monitoring system and method for steel industrial control equipment | |
CN113271303A (en) | Botnet detection method and system based on behavior similarity analysis | |
CN111935063A (en) | System and method for monitoring abnormal network access behavior of terminal equipment | |
CN103365963B (en) | Database audit system compliance method for quickly detecting | |
WO2014096761A1 (en) | Network security management | |
CN101388794A (en) | Method and system for positioning network management system exception affair | |
CN116257021A (en) | Intelligent network security situation monitoring and early warning platform for industrial control system | |
CN113132370A (en) | Universal integrated safety pipe center system | |
CN111698168B (en) | Message processing method, device, storage medium and processor | |
CN202652270U (en) | Database audit system | |
CN112291225A (en) | Big data abnormal flow detection method and system applied to integral system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |