CN115001906A - Security gateway - Google Patents


Publication number
CN115001906A
Authority
CN
China
Prior art keywords
data
module
access control
security gateway
station
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210621866.9A
Other languages
Chinese (zh)
Other versions
CN115001906B (en)
Inventor
张子瑛
朱凌
葛阳
刘从聪
谢松瑜
周刚
高晓静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Power Grid Co Ltd
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original Assignee
Guangdong Power Grid Co Ltd
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd, Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority to CN202210621866.9A
Publication of CN115001906A
Application granted
Publication of CN115001906B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a security gateway comprising: an extranet access control module, used for managing and controlling extranet access data according to an extranet access control policy issued by the field station control center; an intranet access control module, used for performing port isolation according to an isolation instruction sent by the data storage module; a network communication module, used for performing online authentication and offline authentication of data and, when the data pass authentication, exchanging data with the field station control center or the switch; and a data storage module, used for storing the operation data of the field station after it has been packed and encapsulated. The gateway can take charge of access control both at the network boundary and inside the network, and can isolate problem equipment and manage itself, so it is applicable to a wider range of scenarios. The gateway is also cheap to manufacture and places extremely low demands on hardware performance; compared with existing firewall products, which require the operator to understand the subnet environment, master network protocol knowledge and satisfy the product's policy configuration requirements, its operation and maintenance cost is greatly reduced.

Description

Security gateway
Technical Field
The application relates to the technical field of secure data transmission for field stations, and in particular to a security gateway.
Background
In the whole-domain Internet of Things, and especially in field station/cabinet scenarios such as offshore oil drilling platforms, nearshore wind farms and desert solar farms, a station may work in offline mode because network construction is not in place or bandwidth is insufficient: the workstation temporarily stores the data to be exchanged and completes the data upload and download when inspection equipment or inspection personnel approach. To secure the transmission of subnet data for such a field station/cabinet, the current approach is to deploy an access control device, such as a commercial firewall or an industrial firewall, at the subnet boundary to intercept, analyze and compare the traffic entering and leaving the subnet, and then decide whether to release each network communication packet.
However, this approach has several drawbacks. First, this division of labor splits network monitoring, network interception and interaction with the superior network, so each security product needs its own independent management and control system; operation is complex and the application range is limited. Second, the firewall is usually deployed only at the network boundary and can control only the traffic entering and leaving the subnet, not the intranet, so its protection capability cannot meet the security requirements of field station data transmission. Third, the approach depends on manual inspection, which places high demands on the inspectors' skills; because field stations are numerous, inspection consumes a large amount of manpower and material resources and is difficult to carry out. In addition, firewalls are relatively expensive, so the approach is costly and uneconomical.
Disclosure of Invention
An object of the application is to provide a security gateway that solves the problems of the existing approach to field station data transmission, which relies on firewalls and manual inspection: high cost, complex operation, difficulty of deployment and limited application range.
To achieve the above object, the present application provides a security gateway comprising:
an extranet access control module, used for managing and controlling extranet access data according to an extranet access control policy issued by the field station control center;
an intranet access control module, used for performing port isolation according to an isolation instruction sent by the data storage module;
a network communication module, used for performing online authentication and offline authentication of data and, when the data pass authentication, exchanging data with the field station control center or the switch;
and a data storage module, used for storing the operation data of the field station after it has been packed and encapsulated.
Further, preferably, the security gateway further includes:
a wireless watch machine, used for turning on the wireless network card to search for surrounding hotspots when the field station is in an offline state.
Further, preferably, the data storage module is further configured to receive alarm information issued by the field station control center, and to change the control policy of the extranet access control module or the isolation instruction of the intranet access control module according to the alarm information.
Further, preferably, the data storage module is further configured to send the stored data to the field station control center when the field station is in online mode.
Further, preferably, the data storage module is further configured to send the stored data to the switch when the field station is in offline mode.
Further, preferably, the extranet access control module is deployed at the network boundary, and the intranet access control module is connected to the switch.
Further, preferably, the extranet access control module is an iptables or firewall module in Linux.
Further, preferably, the extranet access control module is further configured with an open source VPN module, used to establish an encrypted channel with the field station control center.
Further, preferably, the network communication module includes:
a data receiving module, a data sending module and a data verification module;
the data verification module is used for verifying data; when the data pass verification, the data received by the data receiving module from the field station control center or the switch are stored in the data storage module,
or the verified data are sent to the field station control center or the switch through the data sending module.
Further, preferably, the data verification module is further configured to:
when the field station is in offline mode, verify data sent by the switch;
and when the field station is in online mode, perform source authentication and data integrity checking on data issued by the field station control center.
Compared with the prior art, the beneficial effects of this application are:
1) The gateway can take charge of access control both at the network boundary and inside the network, and can isolate problem equipment and manage itself, so it has a wider range of use scenarios.
2) The gateway is cheap to manufacture and places extremely low demands on hardware performance; it can be deployed on cheap hardware such as a Raspberry Pi, and the replacement cost of the finished product can be an order of magnitude lower than that of existing products.
3) The gateway has a lower operation and maintenance cost: it only needs to be fixed in place, wired and powered on. Compared with existing firewall products, which require the operator to understand the subnet environment, master network protocol knowledge and satisfy the product's policy configuration requirements, this cost is greatly reduced.
Drawings
To illustrate the technical solution of the present application more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a security gateway provided in an embodiment of the present application;
Fig. 2 is a schematic diagram of a security gateway according to another embodiment of the present application;
Fig. 3 is a schematic diagram of a hardware configuration of a security gateway according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a security gateway applied to the monitoring process of a field station according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
It should be understood that the step numbers used herein are for convenience of description only and are not intended as limitations on the order in which the steps are performed.
It is to be understood that the terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The terms "comprises" and "comprising" indicate the presence of the described features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The term "and/or" refers to and includes any and all possible combinations of one or more of the associated listed items.
It should be noted that, to secure data communication in the field station/cabinet network scenario, the main current approach is to deploy access control equipment, such as a commercial firewall or an industrial firewall, at the subnet boundary, intercept and analyze the traffic entering and leaving the subnet, compare it against policy, and then decide whether to release each network communication packet. This approach has many disadvantages. First, its protection capability does not fit: a traditional network access control product can only be deployed at the network boundary and can only control the traffic entering and leaving the subnet, not the intranet ports, so it is not suited to the subnet environment of a field station. Attackers can also break through physical protection, connect an attacking device directly to the subnet or replace an existing networked device, and spoof the IP address of an existing device to attack. In this case neither existing commercial firewalls nor industrial firewalls can do their job. Second, the application range is very limited, because access control is deployed only at the network boundary. In practice a field station may not be networked in time for various reasons, or may not need to be networked with the computing center in normal operation and instead works independently; in such situations the firewall's way of working does not apply, and the working process of the field station cannot be monitored.
Third, this approach demands too much of the inspection personnel. In the field station scenario, an inspector capable of network security operations must not only be able to carry out safe production operations at the field station but must also master network knowledge and network security knowledge, which necessarily raises the operation and maintenance cost of the whole-domain Internet of Things. Fourth, this approach is expensive: the cheapest commercial firewall currently costs more than 10,000 and an industrial firewall costs 30,000 to 50,000, while a field station costs only about several thousand to several tens of thousands of yuan and the number of stations is huge. Configuring a firewall product for every field station is clearly unreasonable economically and hard for field station operators to accept. The application therefore aims to provide a security gateway that replaces the traditional firewall approach, ensures the secure transmission of field station data, reduces cost and widens the application range.
Referring to fig. 1, an embodiment of the present application provides a security gateway. As shown in fig. 1, the security gateway includes modules 01-04. The specific functions of each module are as follows:
the extranet access control module 01 is used for managing and controlling extranet access data according to an extranet access control policy issued by the field station control center;
preferably, the extranet access control module 01 may use the mature iptables or firewall module from the Linux community; it is applied at the network boundary, and its policy is issued by the superior sub-center.
The intranet access control module 02 is used for performing port isolation according to the isolation instruction sent by the data storage module 04;
specifically, the intranet access control module 02 is connected to the switch through a serial port and performs port isolation according to the isolation instruction sent by the data storage module 04;
the network communication module 03 is used for performing online authentication and offline authentication of data and, when the data pass verification, exchanging data with the field station control center or the switch;
and the data storage module 04 is used for storing the operation data of the field station after it has been packed and encapsulated.
In one embodiment, the data storage module 04 is further configured to receive alarm information issued by the field station control center and to change the control policy of the extranet access control module 01 or the isolation instruction of the intranet access control module 02 according to the alarm information; it is also used for sending the stored data to the field station control center when the field station is in online mode, and for sending the stored data to the switch when the field station is in offline mode.
It can be understood that the data storage module 04 is the security center of the field station. It can receive alarm information sent by the superior sub-center and by the in-network monitoring device; it can change the extranet access control policy and the intranet access control module 02 according to the alarm information and record the execution result; and it can pack and encapsulate the log information, equipment information and operation and maintenance records of the field station under its control, sending them directly to the superior center in online mode and delivering them to the data switch in offline mode.
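As an added illustration (not code from the patent), the sketch below shows one way the extranet access control module 01 could turn a policy issued by the control center into a default-deny ruleset in `iptables-restore` format, validating every field so that a malformed policy cannot smuggle extra rule text. The policy layout, interface names and sample flow are assumptions constructed for this example.

```python
import ipaddress
import re

ALLOWED_PROTOCOLS = {"tcp", "udp"}
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")

# Constructed sample policy; the field names are hypothetical, not the patent's.
SAMPLE_POLICY = {
    "version": 3,
    "allow": [
        {"src": "10.20.0.5", "dst": "192.168.10.0/24", "proto": "tcp", "dport": 502},
    ],
}


class PolicyError(ValueError):
    """Raised when any field of the issued policy fails validation."""


def _network(value, field):
    # Accept strings only: IPv4Network() would also take integers.
    if not isinstance(value, str):
        raise PolicyError(f"{field}: expected an address string")
    try:
        # Re-serialising the parsed network means raw input never reaches a rule.
        return str(ipaddress.IPv4Network(value, strict=True))
    except ValueError as exc:
        raise PolicyError(f"{field}: {exc}") from None


def _port(value):
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
        raise PolicyError(f"dport: {value!r} is not a port number")
    return value


def render_ruleset(policy, wan_if, lan_if):
    """Return iptables-restore text, or raise PolicyError without partial output."""
    for name in (wan_if, lan_if):
        if not isinstance(name, str) or not IFACE_RE.fullmatch(name):
            raise PolicyError(f"interface name {name!r} rejected")
    flows = policy.get("allow") if isinstance(policy, dict) else None
    if not isinstance(flows, list):
        raise PolicyError("allow: expected a list of flows")

    rules = []
    for flow in flows:
        if not isinstance(flow, dict):
            raise PolicyError("allow: each flow must be a mapping")
        proto = flow.get("proto")
        if not isinstance(proto, str) or proto not in ALLOWED_PROTOCOLS:
            raise PolicyError(f"proto: {proto!r} not allowed")
        rules.append(
            f"-A FORWARD -i {wan_if} -o {lan_if} "
            f"-s {_network(flow.get('src'), 'src')} "
            f"-d {_network(flow.get('dst'), 'dst')} "
            f"-p {proto} --dport {_port(flow.get('dport'))} -j ACCEPT"
        )

    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # nothing reaches the gateway itself by default
        ":FORWARD DROP [0:0]",    # nothing crosses the boundary by default
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        *rules,
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(SAMPLE_POLICY, wan_if="eth0", lan_if="eth1"), end="")
```

The rendered text is meant to be loaded atomically with `iptables-restore`, so a rejected policy leaves the previous ruleset in force.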
Referring to fig. 2, in an embodiment, the security gateway further includes:
a wireless watch machine 05, used for turning on a wireless network card to search for surrounding hotspots when the field station is in an offline state. In practice, the wireless network card can be turned on periodically to search for nearby hotspots. The wireless watch machine 05 is used in offline scenarios, where it waits for a data switch to approach. It also provides a planning function and can keep watch in various modes, such as according to the operation and maintenance policy of the superior computing center, on a timer, or at a preset next contact. This prevents the wireless network card from being turned on outside planned times and further reduces the wireless attack surface.
In a preferred embodiment, the extranet access control module 01 is further configured with an open source VPN module, used to establish an encrypted channel with the field station control center. The encrypted channel further secures data communication and protects the data transmission process from being cracked or intruded upon.
Referring to fig. 2, in an embodiment, the network communication module 03 specifically includes a data receiving module 031, a data sending module 032 and a data verification module 033, whose respective functions are as follows:
the data verification module 033 is used for verifying data; when the data pass verification, the data received by the data receiving module 031 from the field station control center or the switch are stored in the data storage module 04,
or the verified data are sent to the field station control center or the switch through the data sending module 032.
As a preferred embodiment, the data verification module 033 is further configured to:
when the field station is in offline mode, verify data sent by the switch;
and when the field station is in online mode, perform source authentication and data integrity checking on data issued by the field station control center.
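The verify-then-store behaviour of the data verification module 033 can be sketched as follows; this is an added example, not code from the patent. The patent names no verification mechanism, so HMAC-SHA256 with one pre-shared key per peer is an assumption, as are the peer names, keys and package layout.

```python
import hashlib
import hmac
import json

# Assumption: the gateway shares one secret with each trusted peer. HMAC-SHA256
# stands in for "source authentication and data integrity checking".
# Peer names and keys are constructed demo values.
MODE_PEER = {"online": "control-center", "offline": "data-switch"}
PEER_KEYS = {
    "control-center": b"constructed-demo-key-A",
    "data-switch": b"constructed-demo-key-B",
}


def seal(peer, payload):
    """Build a package as a trusted peer would (used here to make sample input)."""
    body = json.dumps({"peer": peer, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(PEER_KEYS[peer], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class VerificationGate:
    """Verify first, parse second, store last; everything else is dropped."""

    def __init__(self):
        self.stored = []     # stands in for the data storage module 04
        self.dropped = []    # drop reasons, kept for the station's log

    def _drop(self, reason):
        self.dropped.append(reason)
        return "dropped: " + reason

    def receive(self, mode, package):
        # The working mode alone decides which peer, and so which key, is trusted.
        peer = MODE_PEER.get(mode)
        if peer is None:
            return self._drop("unknown mode")
        body = package.get("body") if isinstance(package, dict) else None
        if not isinstance(body, bytes):
            return self._drop("malformed package")
        try:
            tag = bytes.fromhex(package.get("tag"))
        except (TypeError, ValueError):
            return self._drop("malformed tag")

        # Constant-time comparison over the raw bytes, before any parsing.
        expected = hmac.new(PEER_KEYS[peer], body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return self._drop("authentication or integrity check failed")

        try:
            message = json.loads(body)
        except ValueError:
            return self._drop("malformed body")
        if (not isinstance(message, dict) or message.get("peer") != peer
                or "payload" not in message):
            return self._drop("source field does not match mode")

        self.stored.append(message["payload"])
        return "stored"


if __name__ == "__main__":
    gate = VerificationGate()
    good = seal("control-center", {"policy_version": 7})
    print(gate.receive("online", good))
    forged = dict(good, body=good["body"].replace(b"7", b"9"))
    print(gate.receive("online", forged))
```

Because the key is chosen from the gateway's own mode rather than from a field in the package, a package sealed by the offline peer is rejected while the gateway is in online mode, and vice versa.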
In one embodiment, a preferred hardware configuration of the security gateway is also provided, as shown in fig. 3. The security gateway includes at least three interfaces: an IN port, an OUT port and a CONSOLE port. In offline mode, the IN port or the OUT port is connected to a network port of the switch. In online mode, the OUT port is connected to the superior network and the IN port is connected to a network port of the switch (the switch port to which the superior network was originally connected). The CONSOLE port typically runs the 485 protocol and is connected to the CONSOLE port of the switch.
Referring to fig. 4, in one embodiment, a schematic diagram of the monitoring process when the security gateway is used for a field station is shown. As can be seen from fig. 4, the network security monitoring machine of the field station exchanges data with the security operation and maintenance control center through a general field station gateway (i.e., the security gateway provided in the present application). The field station network security monitoring machine includes an industrial personal computer, a conventional detector, a conventional actuator, an intelligent instrument, an intelligent controller and the like. When the security operation and maintenance control center manages the field station network security monitoring machine online, access control of the intranet and the extranet can be realized through the gateway, ensuring the security of access and data transmission in advance; when the network environment is poor, offline management can be performed directly through the data switch.
In summary, the security gateway provided by the present application performs only network isolation, logging and data exchange; it can implement simple network access control using existing open source code, and is applied to the online management situation. Specifically, the present application can achieve at least the following effects:
1) The application departs from the traditional boundary protection concept. Through a reworked system architecture it can take charge of access control both at the network boundary and inside the network, and can isolate problem equipment and manage itself, so it suits a variety of scenarios and is easy to popularize.
2) The security gateway places extremely low demands on hardware performance and can be deployed on cheap hardware such as a Raspberry Pi; the replacement cost of the finished product can be an order of magnitude lower than that of existing products, so the security gateway is cheap to manufacture.
3) The operation and maintenance cost is extremely low: the gateway only needs to be fixed in place, wired and powered on. Compared with existing firewall products, which require the operator to understand the subnet environment, master network protocol knowledge and satisfy the product's policy configuration requirements, the operation and maintenance cost of the security gateway is greatly reduced.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and the division of the units is merely one logical functional division, and there may be other divisions in the actual implementation, for example, multiple units or page components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit. The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A security gateway, comprising:
the external network access control module is used for managing and controlling the external network access data according to an external network access control strategy issued by the control center of the external field station;
the intranet access control module is used for carrying out port isolation according to the isolation instruction sent by the data storage module;
the network communication module is used for performing online authentication and offline authentication of data and performing data interaction with a control center or a switch of the field station when the data are verified;
and the data storage module is used for storing the operation data of the field station after packaging and packaging.
2. The security gateway of claim 1, further comprising:
and the wireless on-duty machine is used for starting the wireless network card to search surrounding hotspots when the field station is in an off-line state.
3. The security gateway of claim 1, wherein the data storage module is further configured to receive alarm information issued by a control center of the extraterrestrial station, and change a control policy of the extranet access control module or an isolation instruction of the intranet access control module according to the alarm information.
4. The security gateway of claim 1, wherein the data storage module is further configured to send the stored data to a control center of the off-site station when the off-site station is in an online mode.
5. The security gateway of claim 1, wherein the data storage module is further configured to send the stored data to the switch when the off-premise station is in the offline mode.
6. The security gateway of claim 1, wherein the extranet access control module is deployed at a network boundary, and the intranet access control module is connected to the switch.
7. The security gateway of claim 1, wherein the extranet access control module is an iptables or firewall module in linux.
8. The security gateway of claim 1, wherein the extranet access control module is further configured with an open source VPN module for establishing an encrypted channel with an extranet site management and control center.
9. The security gateway of claim 1, wherein the network communication module comprises:
a data receiving module, a data sending module and a data verification module;
the data verification module is used for verifying data; when the data passes verification, the data received by the data receiving module from the control center or the switch of the field station is stored in the data storage module,
or the verified data is sent to the control center or the switch of the field station through the data sending module.
10. The security gateway of claim 9, wherein the data verification module is further configured to:
when the field station is in an offline mode, verifying data sent by the switch;
and when the off-site station is in an online mode, performing information source authentication and data integrity inspection on data issued by the off-site station control center.
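An added illustration of the verification flow in claims 9 and 10 (not part of the patent text): data is stored only after it verifies against the source expected for the current mode. The patent names no algorithm, so the HMAC-SHA256 tag, the demo keys, the JSON wire format, the sequence-number replay check and all identifiers below are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo keys, one per expected data source.
KEYS = {
    "control_center": b"demo-online-key",  # checked in online mode
    "switch": b"demo-offline-key",         # checked in offline mode
}


def sign(source, payload, seq):
    """Build a message as the sender would (constructed wire format)."""
    body = json.dumps({"src": source, "seq": seq, "data": payload},
                      sort_keys=True).encode()
    tag = hmac.new(KEYS[source], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class VerificationModule:
    """Hypothetical stand-in for the data verification module."""

    def __init__(self):
        self.store = []     # stands in for the data storage module
        self.last_seq = {}  # highest accepted sequence number per source

    def receive(self, msg, online):
        """Return (accepted, reason); store the payload only on success."""
        expected_src = "control_center" if online else "switch"
        body, tag = msg.get("body", b""), msg.get("tag", "")
        # Source authentication and integrity: verify the tag before parsing.
        good = hmac.new(KEYS[expected_src], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag):
            return False, "bad-tag"
        fields = json.loads(body)
        if fields["src"] != expected_src:
            return False, "wrong-source"
        # Assumed extra check: reject replays of an old, validly signed message.
        if fields["seq"] <= self.last_seq.get(expected_src, -1):
            return False, "replay"
        self.last_seq[expected_src] = fields["seq"]
        self.store.append(fields["data"])
        return True, "stored"
```

A valid tag alone does not stop a captured alarm or policy message from being resent later, which is why the sketch tracks sequence numbers per source.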
CN202210621866.9A 2022-06-02 2022-06-02 Security gateway Active CN115001906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210621866.9A CN115001906B (en) 2022-06-02 2022-06-02 Security gateway

Publications (2)

Publication Number Publication Date
CN115001906A (en) 2022-09-02
CN115001906B (en) 2024-03-29

Family

ID=83031034

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210621866.9A Active CN115001906B (en) 2022-06-02 2022-06-02 Security gateway

Country Status (1)

Country Link
CN (1) CN115001906B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101277308A (en) * 2008-05-23 2008-10-01 杭州华三通信技术有限公司 Method for insulating inside and outside networks, authentication server and access switch
CN106941494A (en) * 2017-03-30 2017-07-11 中国电力科学研究院 A kind of security isolation gateway and its application method suitable for power information acquisition system
CN111935068A (en) * 2020-06-12 2020-11-13 工业互联网创新中心(上海)有限公司 Big data platform, server side thereof, security authentication system and method
CN112003750A (en) * 2020-08-24 2020-11-27 浪潮云信息技术股份公司 Data center host Overlay network access control method
US20210091976A1 (en) * 2019-09-24 2021-03-25 Pribit Technology, Inc. System For Controlling Network Access Of Terminal Based On Tunnel And Method Thereof

Also Published As

Publication number Publication date
CN115001906B (en) 2024-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant