CN115292704A - Attack and defense testing method and device for power dispatching network, terminal equipment and storage medium - Google Patents

Publication number
CN115292704A
Authority
CN
China
Prior art keywords
attack
defense
power
power dispatching
network
Legal status
Pending
Application number
CN202211219847.XA
Other languages
Chinese (zh)
Inventor
赵学全
Current Assignee
Beijing 6Cloud Technology Co Ltd
Beijing 6Cloud Information Technology Co Ltd
Original Assignee
Beijing 6Cloud Technology Co Ltd
Beijing 6Cloud Information Technology Co Ltd
Application filed by Beijing 6Cloud Technology Co Ltd, Beijing 6Cloud Information Technology Co Ltd
Priority to CN202211219847.XA
Publication of CN115292704A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Energy or water supply

Abstract

The application discloses a power dispatching network attack and defense testing method, device, terminal equipment and storage medium. The method comprises the following steps: determining an attack scheme and a protection scheme of the power dispatching network; carrying out attack penetration on the dispatching automation unit according to the attack scheme; detecting the attack process of the attack penetration, and executing safety protection against the attack process according to the protection scheme; and carrying out an attack and defense test on the power dispatching network based on the attack process and the protection process of the safety protection. This solves the problem of low security of information transmitted by the power dispatching network and meets the need for security assessment of the power dispatching network.

Description

Attack and defense testing method and device for power dispatching network, terminal equipment and storage medium
Technical Field
The application relates to the technical field of power dispatching network security, in particular to a power dispatching network attack and defense testing method and device, terminal equipment and a storage medium.
Background
Electric power is an important basic energy industry that bears on people's livelihood; it provides the most basic guarantee for social and economic development and is of central importance to the national economy and people's livelihood. With the construction of large power grids in the northwest and northeast and the formation of extra-high voltage synchronous power grids, the national power grid is taking on a more complex form, and at the same time dominance is shifting from regional modes to global modes, so that operation control becomes more complex. Real-time or quasi-real-time control and management of tasks in the power grid is the function and task of the power grid dispatching automation system.
With the rapid development of substations in China's power system from conventional stations with single microcomputer protection to integrated automation stations, and then to digital substations and intelligent substations, the security threats facing the power dispatching automation system keep changing. Taking today's common integrated automation stations and intelligent substations as examples, although the power dispatching automation system uses an independent network over dedicated channels, common information security problems such as information leakage, integrity damage, illegal use and eavesdropping still occur. In addition, important networks also face major security threats such as bypass control, denial of service, authorization violation, arbitrary behavior of staff, interception/tampering, fraud and masquerading.
Disclosure of Invention
The application mainly aims to provide a power dispatching network attack and defense testing method, a device, a terminal device and a storage medium, and aims to solve the problem that the safety of information transmitted by a power dispatching network is low and meet the requirement of safety assessment of the power dispatching network.
In order to achieve the above object, the present application provides a power dispatching network attack and defense testing method. The method is applied to an attack and defense testing system that comprises a dispatching automation unit, and the method comprises the following steps:
determining an attack scheme and a protection scheme of the power dispatching network;
according to the attack scheme, attack penetration is carried out on the dispatching automation unit;
detecting the attack process of the attack penetration, and executing safety protection on the attack process according to the protection scheme;
and carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
Optionally, the scheduling automation unit includes a scheduling master station simulation subsystem, a substation simulation subsystem, and a terminal simulation subsystem, and the step of performing attack penetration on the scheduling automation unit according to the attack scheme includes:
when at least one of the scheduling master station simulation subsystem, the substation simulation subsystem and the terminal simulation subsystem suffers from attack penetration, acquiring data of the attack penetration based on the scheduling master station simulation subsystem and a preset three-remote rule;
and receiving the attack penetration data forwarded by the substation simulation subsystem through the terminal simulation subsystem to obtain the attack process.
Optionally, the attack and defense test system further includes a comprehensive management unit, the comprehensive management unit includes a data acquisition module and a task evaluation module, and the step of performing the attack and defense test on the power scheduling network based on the attack process and the protection process of the safety protection includes:
acquiring attack and defense data of the attack process and the protection process through the data acquisition module to generate corresponding experiment results;
and performing test situation analysis on the attack and defense data and evaluating the experiment results through the task evaluation module.
Optionally, the attack and defense testing system further includes an electric power simulation unit and a digital sand table unit, and after the step of developing attack penetration on the dispatching automation unit according to the attack scheme, the method further includes:
performing physical simulation on a preset power dispatching physical environment and a topological structure to obtain a power simulation unit;
constructing a digital factory based on the power simulation unit and the digital sand table unit;
and displaying at least one of the attack process, the protection process and the power dispatching network attack and defense test process based on the digital factory.
Optionally, the step of constructing a digital factory based on the power simulation unit and the digital sand table unit includes:
acquiring power dispatching data;
according to the power dispatching data, constructing a low-dimensional factory digital space for the power simulation unit;
and aiming at the plant digital space, constructing the digital plant by using a preset high-dimensional rendering technology.
Optionally, the attack scheme at least includes a preset power scheduling network virus infection, a preset power protocol attack, a preset database illegal intrusion, and a preset vulnerability attack.
Optionally, the attack penetration unit is provided with an interface, and the determining of the attack scheme and the protection scheme of the power scheduling network includes the following steps:
and determining the protection scheme and determining the attack scheme through the interface.
The embodiment of the application further provides a power dispatching network attack and defense testing device, the power dispatching network attack and defense testing device includes:
the determining module is used for determining an attack scheme and a protection scheme of the power dispatching network;
the attack module is used for developing attack penetration on the scheduling automation unit according to the attack scheme;
the protection module is used for detecting the attack process of the attack penetration and executing safety protection on the attack process according to the protection scheme;
and the test module is used for carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
The embodiment of the application further provides terminal equipment, the terminal equipment comprises a memory, a processor and a power dispatching network attack and defense test program, the power dispatching network attack and defense test program is stored in the memory and can run on the processor, and the power dispatching network attack and defense test program is executed by the processor to realize the steps of the power dispatching network attack and defense test method.
The embodiment of the present application further provides a computer-readable storage medium, where a power scheduling network attack and defense test program is stored on the computer-readable storage medium, and when the power scheduling network attack and defense test program is executed by a processor, the steps of the power scheduling network attack and defense test method described above are implemented.
According to the power dispatching network attack and defense testing method, device, terminal equipment and storage medium provided by the application, an attack scheme and a protection scheme of the power dispatching network are determined; attack penetration is carried out on the dispatching automation unit according to the attack scheme; the attack process of the attack penetration is detected, and safety protection is executed against the attack process according to the protection scheme; and an attack and defense test is carried out on the power dispatching network based on the attack process and the protection process of the safety protection. By determining the attack scheme and the protection scheme and carrying out attack and defense tests on the data of the attack process and the protection process, the problem of low security of information transmitted by the power dispatching network can be solved, and the need for security assessment of the power dispatching network is met. Based on the scheme of the application, a typical power dispatching network attack and defense test system is constructed following the rules by which the power dispatching network transmits information in the real-world basic energy industry, the effectiveness of the attack and defense testing method provided by the application is verified on that system, and the security of power dispatching tested by the method is ultimately significantly improved.
Drawings
Fig. 1 is a schematic view of functional modules of a terminal device to which the power dispatching network attack and defense testing device belongs;
Fig. 2 is a schematic flowchart of a first exemplary embodiment of the power dispatching network attack and defense testing method according to the present application;
Fig. 3 is a schematic view of an attack and defense testing system according to a second exemplary embodiment of the power dispatching network attack and defense testing method of the present application;
Fig. 4 is a schematic flowchart of a third exemplary embodiment of the power dispatching network attack and defense testing method according to the present application;
Fig. 5 is a schematic flowchart of a fourth exemplary embodiment of the power dispatching network attack and defense testing method according to the present application;
Fig. 6 is a schematic flowchart of a fifth exemplary embodiment of the power dispatching network attack and defense testing method according to the present application;
Fig. 7 is a schematic flowchart of a sixth exemplary embodiment of the power dispatching network attack and defense testing method according to the present application;
Fig. 8 is a schematic flowchart of a seventh exemplary embodiment of the power dispatching network attack and defense testing method according to the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The main solution of the embodiment of the application is as follows: an attack scheme and a protection scheme of the power dispatching network are determined; attack penetration is carried out on the dispatching automation unit according to the attack scheme; the attack process of the attack penetration is detected, and safety protection is executed against the attack process according to the protection scheme; and an attack and defense test is carried out on the power dispatching network based on the attack process and the protection process of the safety protection. By determining the attack scheme and the protection scheme and carrying out attack and defense tests on the data of the attack process and the protection process, the problem of low security of information transmitted by the power dispatching network can be solved, and the need for security assessment of the power dispatching network is met. Based on the scheme of the application, a typical power dispatching network attack and defense test system is constructed following the rules by which the power dispatching network transmits information in the real-world basic energy industry, the effectiveness of the attack and defense testing method provided by the application is verified on that system, and the security of power dispatching tested by the method is ultimately significantly improved.
The embodiment of the application takes into account that, with the rapid development of substations in China's power system from conventional stations with single microcomputer protection to integrated automation stations, and then to digital substations and intelligent substations, the security threats facing the power dispatching automation system keep changing. Taking today's common integrated automation stations and intelligent substations as examples, although the power dispatching automation system uses an independent network over dedicated channels, common information security problems such as information leakage, integrity damage, illegal use and eavesdropping still occur. In addition, important networks also face major security threats such as bypass control, denial of service, authorization violation, arbitrary behavior of staff, interception, tampering, fraud and masquerading.
Therefore, according to the scheme of the embodiment of the application, a typical power dispatching network attack and defense test system is constructed following the rules by which the power dispatching network transmits information in the real-world basic energy industry, the effectiveness of the power dispatching network attack and defense testing method is verified on that system, and the security of power dispatching tested by the method is ultimately significantly improved.
Specifically, referring to fig. 1, fig. 1 is a functional module schematic diagram of a terminal device to which the power dispatching network attack and defense testing apparatus belongs. The power dispatching network attack and defense testing device can be a device which is independent of the terminal equipment and can carry out power dispatching network attack and defense testing, and the device can be borne on the terminal equipment in a hardware or software mode. The terminal device can be an intelligent mobile terminal with a data processing function, such as a mobile phone and a tablet personal computer, and can also be a fixed terminal device or a server with a data processing function.
In this embodiment, the terminal device to which the power dispatching network attack and defense testing apparatus belongs at least includes an output module 110, a processor 120, a memory 130, and a communication module 140.
The memory 130 stores an operating system and the power dispatching network attack and defense test program. The memory 130 also stores information produced when the power dispatching network attack and defense testing device determines an attack scheme and a protection scheme of the power dispatching network, carries out attack penetration on the dispatching automation unit according to the attack scheme, detects the attack process of the attack penetration, executes safety protection against the attack process according to the protection scheme, and carries out the power dispatching network attack and defense test based on the attack process and the protection process of the safety protection. The output module 110 may be a display screen or the like. The communication module 140 may include a WIFI module, a mobile communication module, a Bluetooth module, and the like, and the device communicates with an external device or a server through the communication module 140.
The power dispatching network attack and defense test program in the memory 130 realizes the following steps when being executed by the processor:
determining an attack scheme and a protection scheme of the power dispatching network;
according to the attack scheme, attack penetration is carried out on the dispatching automation unit;
detecting the attack process of the attack penetration, and executing safety protection on the attack process according to the protection scheme;
and carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
Further, the power dispatching network attack and defense test program in the memory 130, when executed by the processor, further implements the following steps:
when at least one of the scheduling master station simulation subsystem, the substation simulation subsystem and the terminal simulation subsystem suffers from attack penetration, acquiring data of the attack penetration based on the scheduling master station simulation subsystem and a preset three-remote rule;
and receiving the attack penetration data forwarded by the substation simulation subsystem through the terminal simulation subsystem to obtain the attack process.
Further, the power dispatching network attack and defense test program in the memory 130, when executed by the processor, further implements the following steps:
acquiring attack and defense data of the attack process and the protection process through the data acquisition module to generate corresponding experiment results;
and performing test situation analysis on the attack and defense data and evaluating the experiment results through the task evaluation module.
Further, the power dispatching network attack and defense test program in the memory 130, when executed by the processor, further implements the following steps:
performing physical simulation on a preset power dispatching physical environment and a topological structure to obtain the power simulation unit;
constructing a digital factory based on the power simulation unit and the digital sand table unit;
and displaying at least one of the attack process, the protection process and the power dispatching network attack and defense test process based on the digital factory.
Further, the power dispatching network attack and defense test program in the memory 130, when executed by the processor, further implements the following steps:
acquiring power dispatching data;
according to the power dispatching data, constructing a low-dimensional factory digital space for the power simulation unit;
and aiming at the digital space of the factory, constructing the digital factory by a preset high-dimensional rendering technology.
Further, the power dispatching network attack and defense test program in the memory 130, when executed by the processor, further implements the following steps:
and determining the protection scheme and determining the attack scheme through the interface.
According to the above scheme, an attack scheme and a protection scheme of the power dispatching network are determined; attack penetration is carried out on the dispatching automation unit according to the attack scheme; the attack process of the attack penetration is detected, and safety protection is executed against the attack process according to the protection scheme; and an attack and defense test is carried out on the power dispatching network based on the attack process and the protection process of the safety protection. By determining the attack scheme and the protection scheme and carrying out attack and defense tests on the data of the attack process and the protection process, the problem of low security of information transmitted by the power dispatching network can be solved, and the need for security assessment of the power dispatching network is met. Based on the scheme of the application, a typical power dispatching network attack and defense test system is constructed following the rules by which the power dispatching network transmits information in the real-world basic energy industry, the effectiveness of the attack and defense testing method provided by the application is verified on that system, and the security of power dispatching tested by the method is ultimately significantly improved.
Based on the above terminal device architecture, but not limited to the above architecture, the embodiments of the method of the present application are proposed.
Referring to fig. 2, fig. 2 is a schematic flowchart of a first exemplary embodiment of the power dispatching network attack and defense testing method according to the present application. The power dispatching network attack and defense testing method is applied to an attack and defense testing system, the attack and defense testing system comprises a dispatching automation unit, and the power dispatching network attack and defense testing method comprises the following steps:
Step S210, determining an attack scheme and a protection scheme of the power dispatching network;
Specifically, electric power is an important basic energy industry that bears on people's livelihood; it provides the most basic guarantee for social and economic development and is of central importance to the national economy and people's livelihood. With the construction of large power grids in the northwest and northeast and the formation of extra-high voltage synchronous power grids, the national power grid is taking on a more complex form, and at the same time dominance is shifting from regional modes to global modes, so that operation control becomes more complex. However, with the rapid development of substations in China's power system from conventional stations with single microcomputer protection to integrated automation stations, and then to digital substations and intelligent substations, the security threats facing the power dispatching automation system keep changing. Taking today's common integrated automation stations and intelligent substations as examples, although the power dispatching automation system uses an independent network over dedicated channels, common information security problems such as information leakage, integrity damage, illegal use and eavesdropping still occur. In addition, important networks also face major security threats such as bypass control, denial of service, authorization violation, arbitrary behavior of staff, interception/tampering, fraud and masquerading.
In this embodiment, the attack scheme and the protection scheme can be set through the comprehensive management unit of the attack and defense test system, so that attack schemes and protection schemes can be combined in a user-defined manner, which improves the flexibility of the power dispatching network attack and defense test. Using techniques such as reverse engineering of equipment, vulnerability mining and protocol analysis, an attack architecture for the intelligent manufacturing network is constructed; a new attack mode can be quickly integrated into the system without modifying the original code, so the system is highly extensible. It should be noted that, in other embodiments, the attack scheme and the protection scheme of the power dispatching network may also be determined through other units, devices, interfaces and the like, which is not limited in this embodiment of the present application.
Step S220, carrying out attack penetration on the dispatching automation unit according to the attack scheme;
Specifically, attack penetration is carried out on the dispatching automation unit according to the attack scheme, so that the power dispatching network attack and defense test can be carried out using the attack process data of the attack penetration. In this embodiment, the equipment of the dispatching automation unit is taken as the attack target and, together with a typical customizable attack penetration scheme, typical penetration attacks on power dispatching industrial equipment are carried out, restoring the attack penetration process of a real power dispatching industrial site. The attack arsenal covers Nimda virus infection of the power dispatching network, industrial fingerprint sniffing and scanning intrusion, ARP and IP spoofing intrusion, DDoS attacks, illegal injection into databases such as the dispatching master station SCADA and EMS, process-instruction attacks on the power protocols IEC104, DNP3.0 and IEC61850, intrusion into power dispatching network routers, destruction of power dispatching network nodes, and the like.
Step S230, detecting the attack process of the attack penetration, and executing safety protection on the attack process according to the protection scheme;
specifically, by detecting an attack process of attack penetration, security protection is performed on the attack process according to a protection scheme. Therefore, the attack and defense test of the power dispatching network can be carried out through the data of the safety protection.
In this embodiment, can be through the safety protection unit among the attack and defense test system to attack the process execution safety protection, build omnidirectional industry internet elasticity safety protection system through top-down, wherein include: the system comprises industrial audit, an industrial firewall, a supervisory system, an industrial host guard, industrial situation perception and the like, and can comprehensively monitor and defend software and hardware behaviors of an abnormal network attack scheduling automation unit, verify the effectiveness of protective measures, improve the network security decision-making capability and help enterprises improve the comprehensive protection capability. Specifically, the following may be mentioned:
1. electric power industry security situation perception analysis: the method has the advantages that customized description and integral presentation of important data are carried out on industry scenes according to dimensions such as industry process flows, electric power assets, asset vulnerability, asset security events, attack event traceability and asset operation and maintenance conditions, the current operation condition and integral security situation data of the important assets are clearly presented for users through industry safety data on a large screen, and the users can efficiently master the overall industry security situation.
2. Protection of industrial intrusion characteristics: the industrial intrusion characteristics of the invention comprise attack behaviors aiming at industrial vulnerabilities and general intrusion attacks. The method can not only protect general intrusion characteristic attacks, but also accurately protect the attack behaviors aiming at industrial vulnerabilities, protect the industrial control system in an all-round way and avoid known network attacks.
3. Host white list protection: programs outside the white list are identified and prevented from running; viruses, Trojans, malicious programs and the like that are introduced into the system through the network, a USB flash drive and the like are identified and prevented from running and operating, thereby guaranteeing the safe and stable operation of important equipment such as engineer stations, operator stations and servers to the maximum extent.
4. Asset management: statistics are compiled along different dimensions for the safety protection equipment currently under management, such as the total number of managed equipment assets and the count for each type of equipment asset, so that detailed statistics for each type of asset equipment are presented to the user visually.
That is, the industrial firewall, industrial audit and host guard serve as network probes and upload network data to a security analysis brain in real time; the industrial controllers and industrial hosts are monitored in real time and linked with the security equipment to realize cooperative protection through security policies; the complex industrial network assets are sorted out intelligently; and security events of all dimensions are efficiently aggregated and classified by a big data engine and presented on a large screen as security information the user can understand, so that threats to the security of the power dispatching control network and the power control system become visible, controllable and manageable.
Step S240, carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
Specifically, the test situation and the test effect are evaluated according to data acquired in real time in the test process, the protocol type, the three-remote service, the success rate, the attack coverage area and the like supported by the attack penetration unit are analyzed and evaluated, and the safety of information transmission of the power dispatching network is improved.
It should be noted that the embodiment of the present application comprehensively applies advanced technologies based on general-purpose and special-purpose processing devices, such as large-scale network access device simulation, network feature data simulation, and simulation of hierarchical network structures (core network, access network and the like), to simulate the general features of the target network of a power scheduling system in various aspects. The simulation research environment is established mainly for vulnerability analysis, vulnerability mining, attack and defense technology research, development of related tools, and guaranteeing the safe and stable operation of the power grid of the power scheduling system.
According to the scheme, the attack scheme and the protection scheme of the power dispatching network are determined; according to the attack scheme, attack penetration is carried out on the dispatching automation unit; detecting an attack process of the attack penetration, and executing safety protection on the attack process according to the protection scheme; and carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection. By determining the attack scheme and the protection scheme and performing attack and defense tests on data in the attack process and the protection process, the problem of low safety of information transmitted by the power dispatching network can be solved, and the requirement of safety evaluation of the power dispatching network is met.
Referring to fig. 3, fig. 3 is a schematic view of an attack and defense testing system of a second exemplary embodiment of the power dispatching network attack and defense testing method of the present application. Specifically, the figure shows a power simulation unit 1, a digital sand table unit 2, a scheduling automation unit 3, an attack penetration unit 4, a safety protection unit 5 and an integrated management unit 8, wherein the attack penetration unit 4 is used for carrying out attack penetration 6, and the safety protection unit 5 is used for executing safety protection 7.
Specifically, the steps of constructing the attack and defense test system framework may specifically be as follows:
A three-level network architecture consisting of the terminal power transformation and distribution system, the scheduling substation system and the scheduling master station system of a real power scheduling network is set up as the main body of the scheduling automation unit 3; the power simulation unit 1 shows normal service flows such as multi-path redundant power supply, power transmission, transformation and distribution of the power grid, and the effect on them of being attacked. Meanwhile, digital sand table technology is applied to display, from all directions and multiple angles, the fault process of the systems and equipment in the power dispatching automation unit 3 after being attacked. The attack penetration unit integrates an attack weapon library aimed at the power grid, covering Nimda virus infection of the power dispatching network, sniffing and scanning intrusion, ARP (Address Resolution Protocol) and IP spoofing intrusion on the power dispatching network, DDoS (distributed denial of service) attacks, illegal injection into databases such as the dispatching master station SCADA (supervisory control and data acquisition) and EMS (energy management system), intrusion into power dispatching network routers and damage to power dispatching network nodes, and has customizable attack schemes and rich attack means. The safety protection unit builds an all-round, elastic industrial internet safety protection system from the enterprise-layer information network down to the bottom-layer power dispatching network, and comprehensively monitors, records and defends against software and hardware attack penetration behaviors aimed at the dispatching automation unit. The comprehensive management unit carries out task configuration and state management and integrates various interfaces, so that the upstream system side can conveniently call and configure it.
The comprehensive attack and defense display system can be used for integrating functions of scientific research, safety evaluation, attack and defense drilling, effect display and the like.
First, the comprehensive management unit 8 configures the attack scheme of the attack penetration unit 4 and the defense scheme of the safety protection unit 5 according to task requirements; then the attack penetration unit 4 is started, the corresponding attack scheme is selected and attack penetration 6 is carried out. After the dispatching automation unit 3 is attacked, the consequences and influence of a network attack on the power dispatching industrial system can be completely reproduced in the power simulation unit 1 and the digital sand table unit 2. By starting the safety protection unit 5, safety protection 7 is carried out: power industry security situation analysis, industrial intrusion characteristic protection and host white list protection are performed, and abnormal network attacks on the software and hardware of the dispatching automation unit are comprehensively monitored and defended against. The comprehensive management unit 8 comprehensively monitors and collects the traffic data of the whole process for recording and state management.
In addition, the units forming the power dispatching network defense and attack testing system are independent of one another; if the hardware or software of one unit is damaged, the other units are not interfered with, and the system can be quickly reconstructed, restored or cleaned according to task requirements, giving it high reliability and expansibility. That is, the resource hardware of the attack and defense test system is highly independent and reliable.
The attack penetration unit 4 is independent, and the attack weapon library is upgraded to a network arsenal, so that 0-day vulnerabilities can be rapidly reproduced.
In the embodiment, a power simulation unit 1, a digital sand table unit 2, a dispatching automation unit 3, an attack penetration unit 4, a safety protection unit 5 and a comprehensive management unit 8 form a modular integration mode of basic constituent units of the power dispatching attack and defense test system; the effectiveness of the protection measures can be verified, the network security decision-making capability is improved, and the user is helped to improve the comprehensive protection capability of the power system network.
Referring to fig. 4, fig. 4 is a schematic flowchart of a third exemplary embodiment of the power dispatching network attack and defense testing method according to the present application. Based on the embodiment shown in fig. 2, the scheduling automation unit includes a scheduling master station simulation subsystem, a substation simulation subsystem, and a terminal simulation subsystem, and step S220 is performed to perform attack penetration on the scheduling automation unit according to the attack scheme, where the method includes:
step S410, when at least one of the scheduling master station simulation subsystem, the substation simulation subsystem and the terminal simulation subsystem suffers from the attack penetration, acquiring data of the attack penetration based on the scheduling master station simulation subsystem and a preset three-remote rule;
Specifically, in the power grid dispatching automation system, when a dispatching master station system needs to transmit time synchronization with a station terminal, data are called and controlled according to a five-remote rule, where the five-remote data comprise: remote control, remote viewing, remote measuring, remote signaling and remote regulating data. These data require high reliability and real-time performance, are large in volume, and directly affect the safety of the power grid. If the system is attacked by a hacker or virus while information is transmitted between the dispatching master station system and the plant station, oscillation and paralysis of the power system and large-area power outages can result, as in the BlackEnergy attack that caused a large-area power outage in Ukraine, causing serious losses to social production and economic benefit.
In this embodiment, the scheduling master station simulation subsystem realizes power scheduling and power distribution through "three remotes" such as remote signaling, remote measurement, remote control, and the like, and realizes monitoring, protection, control, and transformation and distribution management under normal and accident conditions of a power grid.
It should be noted that the method is based on in-depth interpretation of IEC60870-5-104 and DNP3.0, the mainstream international communication protocols for power scheduling and information transmission. The system integrates IEC104 and DNP3.0 protocol application data acquisition and analysis software, so that power characteristic data such as the corresponding switch states, voltage/current and phase are extracted, and the current operation logic, the power grid operation state and the like are analyzed.
Step S420, receiving, by the terminal simulation subsystem, the attack penetration data forwarded by the substation simulation subsystem, and obtaining the attack process.
Specifically, the substation simulation subsystem mainly comprises a communication acquisition type substation simulation subsystem and a monitoring function type substation simulation subsystem. The communication acquisition type substation simulation subsystem is mainly responsible for handling the information uploaded by power distribution terminals and transmitting it to the SCADA monitoring master station and the scheduling master station, receiving control commands from the scheduling master station and issuing them to terminal devices, reporting information such as local and remote maintenance (including parameter configuration, system diagnosis and the like) and abnormal alarms, and sending alarms to the SCADA monitoring master station. The monitoring function type substation simulation subsystem has the basic functions of a communication acquisition type substation and, on the basis of topology analysis of the regional power distribution and scheduling network, realizes line fault location, isolation, and restoration of power supply in non-fault areas, reports the result to the SCADA monitoring master station, and can realize human-computer interaction, information storage and system safety management functions.
The terminal simulation subsystem is the execution unit of the power dispatching network simulation subsystem. It implements power switching on and off, receives control instructions from the master station, collects and reports the state information of the terminal unit, and can simulate the use and management of electric energy on the user side.
That is, all data are gathered through the scheduling master station simulation subsystem, and the data are forwarded to the terminal simulation subsystem through the substation simulation subsystem, so that data in an attack process can be obtained, and therefore the power scheduling network attack and defense test is carried out.
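The IEC104 application data acquisition and analysis described above can be illustrated with a passive decoder, given here as an added example that is not part of the patent. It assumes the standard IEC 60870-5-104 field sizes (2-byte cause of transmission, 2-byte common address, 3-byte information object address), supports only a subset of type IDs, and runs on a constructed byte stream; all function names are hypothetical.

```python
import struct
from dataclasses import dataclass, field

# type ID -> (name, service as named in the text, element size after the IOA)
TYPES = {
    1: ("M_SP_NA_1", "remote signaling", 1), 3: ("M_DP_NA_1", "remote signaling", 1),
    9: ("M_ME_NA_1", "remote measuring", 3), 13: ("M_ME_NC_1", "remote measuring", 5),
    45: ("C_SC_NA_1", "remote control", 1), 46: ("C_DC_NA_1", "remote control", 1),
    48: ("C_SE_NA_1", "remote regulating", 3), 50: ("C_SE_NC_1", "remote regulating", 5),
}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

@dataclass
class Frame:
    fmt: str                  # "I", "S" or "U"
    name: str = ""            # ASDU type name or U-frame function
    service: str = ""         # which "remote" service the ASDU belongs to
    cause: int = 0            # cause of transmission (low 6 bits)
    common_addr: int = 0      # station (common ASDU) address
    objects: list = field(default_factory=list)   # [(IOA, decoded value)]

def decode_element(type_id, raw):
    """Decode one information element; raw excludes the 3-byte IOA."""
    if type_id in (1, 3, 45, 46):     # SIQ/DIQ/SCO/DCO: state bits, flag in bit 7
        flag = "invalid" if type_id < 45 else "select"
        mask = 0x01 if type_id in (1, 45) else 0x03
        return {"state": raw[0] & mask, flag: bool(raw[0] & 0x80)}
    if type_id in (9, 48):            # normalized value: signed 16-bit / 2**15
        return {"value": struct.unpack("<h", raw[:2])[0] / 32768}
    return {"value": struct.unpack("<f", raw[:4])[0]}   # 13, 50: short float

def parse_asdu(asdu):
    if len(asdu) < 6:
        raise ValueError("ASDU shorter than its 6-byte header")
    type_id, vsq, cot, _originator, common_addr = struct.unpack_from("<BBBBH", asdu)
    name, service, size = TYPES.get(type_id, (f"type {type_id}", "other", None))
    frame = Frame("I", name, service, cot & 0x3F, common_addr)
    if size is None:
        return frame                          # unsupported type: header only
    count, sequence, pos, ioa = vsq & 0x7F, bool(vsq & 0x80), 6, 0
    for i in range(count):
        ioa_len = 3 if (i == 0 or not sequence) else 0   # SQ=1: one IOA, then consecutive
        if pos + ioa_len + size > len(asdu):
            raise ValueError(f"{name}: {count} objects declared, data ends early")
        ioa = int.from_bytes(asdu[pos:pos + 3], "little") if ioa_len else ioa + 1
        pos += ioa_len
        frame.objects.append((ioa, decode_element(type_id, asdu[pos:pos + size])))
        pos += size
    if pos != len(asdu):
        raise ValueError(f"{name}: {len(asdu) - pos} unexpected trailing byte(s)")
    return frame

def parse_stream(data):               # returns (frames, errors)
    frames, errors, pos = [], [], 0
    while pos < len(data):
        if data[pos] != 0x68:                 # resynchronise on the start byte
            nxt = data.find(b"\x68", pos)
            nxt = len(data) if nxt < 0 else nxt
            errors.append(f"offset {pos}: skipped {nxt - pos} non-APDU byte(s)")
            pos = nxt
            continue
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if not 4 <= length <= 253:
            errors.append(f"offset {pos}: illegal APDU length {length}")
            pos += 1
            continue
        apdu = data[pos + 2:pos + 2 + length]
        if len(apdu) < length:
            errors.append(f"offset {pos}: APDU truncated, {len(apdu)} of {length} bytes")
            break
        if (apdu[0] & 0x01) == 0:             # I-format carries an ASDU
            try:
                frames.append(parse_asdu(apdu[4:]))
            except ValueError as exc:
                errors.append(f"offset {pos}: {exc}")
        elif (apdu[0] & 0x03) == 0x01:        # S-format: acknowledgement only
            frames.append(Frame("S", "ack"))
        else:                                 # U-format: link control
            frames.append(Frame("U", U_FUNCTIONS.get(apdu[0], f"unknown 0x{apdu[0]:02x}")))
        pos += 2 + length
    return frames, errors

def control_commands(frames):
    """Objects that change process state: what a monitor alerts on."""
    return [(f.service, f.name, f.common_addr, ioa, value) for f in frames
            if f.service in ("remote control", "remote regulating")
            for ioa, value in f.objects]

# Constructed sample stream, not a real capture.
SAMPLE = (
    bytes.fromhex("68 04 07 00 00 00")                                   # STARTDT act
    + bytes.fromhex("68 0e 00 00 00 00 01 01 03 00 01 00 64 00 00 01")   # switch 100 on
    + bytes.fromhex("68 17 02 00 00 00 0d 82 01 00 01 00 c8 00 00")      # 2 floats at 200
    + struct.pack("<fBfB", 110.5, 0, 10.25, 0)
    + bytes.fromhex("68 04 01 00 04 00")                                 # S-frame
    + bytes.fromhex("68 0e 04 00 02 00 2d 01 06 00 01 00 2c 01 00 01")   # command to 300
    + bytes.fromhex("ff ff 68 0e 00 00")                                 # junk + truncated
)
```

Calling `parse_stream(SAMPLE)` returns the decoded frames together with a list of framing errors, and `control_commands` picks out the command objects that a monitoring probe would log and alert on.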
Further, the attack penetration scheme at least comprises preset power dispatching network virus infection, preset power protocol attack, preset database illegal invasion and preset vulnerability attack.
Specifically, schemes for attack penetration include, but are not limited to, the following:
1. Fingerprint sniffing in the power industry:
Attack mode: the characteristics of the equipment are accurately identified using a large body of mastered power-industry fingerprinting techniques, and an attack script is run to attack the equipment precisely.
Attack path: the intelligent manufacturing system network is accessed using a wired or wireless network.
Attack effect: abnormal communication protocol data stops the operation of the specified equipment.
2. Nimda virus infection of the power dispatching network:
Attack mode: HTM and HTML files on the local hard disk and the EXCHANGE mailbox are searched, EMAIL addresses are found in them, and EMAIL is sent; network shared resources are searched, and virus mail is placed into other users' shared directories; using the method of the CodeBlue virus, random IP addresses are attacked, and an IIS server that has not been patched can be infected. The worm uses its own SMTP server to send mail, and uses the configured DNS to obtain the address of a mail server.
Attack path: spread through Email, shared network resources, IIS servers and web page browsing.
Attack effect: abnormal communication protocol data stops the operation of the specified equipment.
3. Process instruction attack on the power protocols IEC104, DNP3.0 and IEC61850:
Attack mode: a network attack method that indirectly completes the attack by stealing or tampering with the physical and logical communication links, based on deep analysis of the power protocols. A host located between two communicating computers is controlled through various attack means or directly through physical access, and either of the two communicating computers is attacked through that host.
Attack path: the power dispatching automation system network is entered using a wired or wireless network.
Attack effect: the traffic of the operator station, application station, controller and system of the specified dispatching master station SCADA server is monitored and data is tampered with.
4. Illegal injection into databases such as the SCADA (supervisory control and data acquisition) and EMS (energy management system) of the dispatching master station:
Attack mode: where only normal data should be entered, malicious code data is entered instead, and the system loading the data has no well-designed filtering process for it, so the malicious code is executed, finally causing information leakage or functional damage.
Attack path: data input.
Attack effect: illegal control of power dispatching industrial field control equipment and leakage of formula data.
5. Vulnerability attack:
Attack mode: attack actions that exploit known vulnerabilities in the software and firmware of the device.
Attack path: various technical means, the network and USB flash drives.
Attack effect: the attacked operation station is paralyzed and cannot communicate normally.
In this embodiment, with the above scheme, when at least one of the scheduling master station simulation subsystem, the substation simulation subsystem, and the terminal simulation subsystem suffers from the attack penetration, data of the attack penetration is obtained based on the scheduling master station simulation subsystem and a preset three-remote rule; and receiving the attack penetration data forwarded by the substation simulation subsystem through the terminal simulation subsystem to obtain the attack process. Through the networking design, configuration and controller programming of the attack and defense test system, the power dispatching network dispatching automation unit is realized, the problem of low safety of information transmission of the power dispatching network is solved, and the requirement of safety evaluation of the power dispatching network is met.
Referring to fig. 5, fig. 5 is a schematic flowchart of a fourth exemplary embodiment of the power dispatching network attack and defense testing method according to the present application. Based on the embodiment shown in fig. 2, the attack and defense testing system further includes a comprehensive management unit, the comprehensive management unit includes a data acquisition module and a task evaluation module, and step S240, the attack and defense testing of the power dispatching network is performed based on the attack process and the protection process of the safety protection, including:
step S510, acquiring attack and defense data of the attack process and the protection process through the data acquisition module, and generating corresponding experiment results;
Specifically, the integrated management unit includes, but is not limited to: a database, a task configuration and management module, a data acquisition module, a data processing module and a task evaluation module. The specific functions are as follows:
1. Database. The database mainly comprises a resource model database and a test database; its hardware mainly comprises a database server that stores the model data and test data of the power dispatching network simulation system.
2. Data acquisition module. The data acquisition module mainly comprises service layer data acquisition probes, monitoring layer data acquisition probes and terminal layer data acquisition probes. According to the data acquisition configuration instructions derived from the test requirements, it controls the various data acquisition probes embedded in the power dispatching network SCADA system to acquire data as the test requires. Using the probes arranged at each node in the system, the data acquisition module acquires key data such as control instructions, equipment parameters and system running states.
3. Data processing module. The data processing module of the terminal layer mainly processes the data acquired during the simulation: it reads the acquired data according to a specific format, extracts fields, arranges and classifies the data, and stores the data in the database server.
4. Task evaluation module. This module mainly evaluates the test situation and the test result. The test situation and the test effect are evaluated according to the data acquired in real time during the test, and the protocol type, the three-remote service, the success rate, the attack coverage area and the like supported by the attack system are analyzed and evaluated.
Step S520, testing the attack and defense data through the task evaluation module, and evaluating the test result.
Specifically, evaluation is performed on the test situation and the test result through the task evaluation module. And evaluating the test situation and the test effect according to the data acquired in real time in the test process, and analyzing and evaluating the protocol type, the three-remote service, the success rate, the attack coverage area and the like supported by the attack system. In addition, the situation display can be carried out on the simulation test.
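One way a task evaluation module could score a test run, as an added example that is not the patent's own code. The record layouts, the 30-second correlation window and the metric definitions (success rate as the share of attack steps whose effect was observed, attack coverage as the share of inventoried assets exercised) are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackStep:
    step_id: str
    protocol: str           # e.g. "IEC104", "DNP3.0"
    service: str            # remote signaling / remote measuring / remote control
    asset: str              # target inside the dispatching automation unit
    start: float            # seconds since the test began
    effect_observed: bool   # the simulated device actually misbehaved

@dataclass(frozen=True)
class ProtectionEvent:
    asset: str
    time: float
    action: str             # "alert" or "block"

def evaluate(steps, events, inventory, window=30.0):
    """Correlate protection events with attack steps and compute run metrics."""
    first_seen, blocked, unmatched = {}, set(), 0
    for ev in sorted(events, key=lambda e: e.time):
        # An event belongs to the most recent step on the same asset whose
        # correlation window contains it; overlapping steps do not share it.
        candidates = [s for s in steps
                      if s.asset == ev.asset and s.start <= ev.time <= s.start + window]
        if not candidates:
            unmatched += 1              # noise, or a detection that came too late
            continue
        step = max(candidates, key=lambda s: s.start)
        first_seen.setdefault(step.step_id, ev.time)
        if ev.action == "block":
            blocked.add(step.step_id)

    def tally(key):
        groups = defaultdict(lambda: {"attempts": 0, "succeeded": 0,
                                      "detected": 0, "blocked": 0})
        for s in steps:
            g = groups[key(s)]
            g["attempts"] += 1
            g["succeeded"] += int(s.effect_observed)
            g["detected"] += int(s.step_id in first_seen)
            g["blocked"] += int(s.step_id in blocked)
        return dict(groups)

    delays = [first_seen[s.step_id] - s.start for s in steps if s.step_id in first_seen]
    n = len(steps)
    targeted = {s.asset for s in steps} & set(inventory)
    return {
        "success_rate": sum(s.effect_observed for s in steps) / n if n else 0.0,
        "detection_rate": len(first_seen) / n if n else 0.0,
        "mean_detection_delay": sum(delays) / len(delays) if delays else None,
        "attack_coverage": len(targeted) / len(inventory) if inventory else 0.0,
        # Attacks that worked and were never seen: the gaps in the protection scheme.
        "undetected_successes": [s.step_id for s in steps
                                 if s.effect_observed and s.step_id not in first_seen],
        # A block was logged but the effect still appeared: an ineffective measure.
        "block_failures": [s.step_id for s in steps
                           if s.effect_observed and s.step_id in blocked],
        "unmatched_events": unmatched,
        "by_protocol": tally(lambda s: s.protocol),
        "by_service": tally(lambda s: s.service),
    }

# Constructed sample run (asset names are hypothetical).
INVENTORY = ["master-scada", "substation-1", "rtu-1", "rtu-2", "router-1"]
STEPS = [
    AttackStep("A1", "IEC104", "remote control", "rtu-1", 10.0, True),
    AttackStep("A2", "IEC104", "remote measuring", "rtu-1", 25.0, False),
    AttackStep("A3", "DNP3.0", "remote control", "rtu-2", 40.0, True),
    AttackStep("A4", "IEC104", "remote signaling", "substation-1", 60.0, True),
]
EVENTS = [
    ProtectionEvent("rtu-1", 12.0, "alert"),
    ProtectionEvent("rtu-1", 27.0, "block"),
    ProtectionEvent("substation-1", 65.0, "block"),
    ProtectionEvent("rtu-2", 200.0, "alert"),   # outside A3's window
]
```

`evaluate(STEPS, EVENTS, INVENTORY)` returns the overall rates plus the per-protocol and per-service breakdowns in one dictionary.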
Therefore, a power dispatching network defense means can be explored, a power dispatching network system safety protection system is established, a flexible safety strategy is applied, threats are quickly responded, loss is reduced to the maximum extent when network attacks occur, and normal operation of services is kept.
According to the scheme, the attack and defense data of the attack process and the protection process are obtained through the data acquisition module, and corresponding experiment results are generated; and the task evaluation module is used for carrying out test situation on the attack and defense data and evaluating the test result. By adopting an open reconfigurable technical system and a componentized packaging technology, each module can realize layered multiplexing. According to the test requirements, the comprehensive management unit is used for realizing rapid reconstruction, recovery or cleaning of the power dispatching network and supporting rapid and repeated test task operation.
Referring to fig. 6, fig. 6 is a schematic flowchart of a fifth exemplary embodiment of the power dispatching network attack and defense testing method according to the present application. Based on the embodiment shown in fig. 2, the attack and defense testing system further includes an electric power simulation unit and a digital sand table unit, and after the attack penetration is performed on the dispatching automation unit according to the attack scheme, the step S220 further includes:
step S610, performing physical simulation on a preset power dispatching physical environment and a topological structure to obtain a power simulation unit;
Specifically, physical simulation is performed on the power dispatching physical environment and topological structure of the power industry to obtain the power simulation unit, which comprises a sand table model and a power simulation screen, so that the physical environment of a typical industry is simulated in an all-round way.
The sand table model comprises a power generation system, a booster station, a transformer substation, a hub station, a step-down station, power transmission lines and power utilization equipment, and can demonstrate a simulation of the whole process of power generation, power transmission and transformation, and power supply and utilization. It simulates the normal production and operation states of a real power dispatching industrial site and the production and operation states after the site is attacked. When the attack system completes an attack, the corresponding equipment on the sand table malfunctions, the indicator lights flicker, and the sand table alarm sounds. After the attack is lifted, normal production can be resumed with a one-key restore.
The power simulation screen integrates the physical network topology of the dispatching automation unit, and light strips between the hardware assets show the running and attack conditions of the current network. When an attack starts, the corresponding light strip turns red and the display board alarm sounds.
Namely, based on the sand table model and the electric power simulation screen, the service environment and the network topology of the electric power industry can be restored and displayed in an all-around manner, and key process flow physical environments such as power plant transmission and transformation are covered completely.
Step S620, constructing a digital factory based on the power simulation unit and the digital sand table unit;
Specifically, the digital sand table unit integrates and fuses all elements and all service data of the power simulation unit, creates a digital twin of the power simulation unit, calculates power dispatching industrial data in real time using a mechanism model, and constructs a two-dimensional factory digital space; finally, WebGL and 3D rendering technologies are used to construct a digital sand table that is highly similar to an intelligent manufacturing factory over its full life cycle. All hardware equipment systems of the power simulation unit are modeled, the operation interfaces are reproduced and visualized in three dimensions, and the digital factory construction and network system control are completed in combination with the data of the power simulation unit.
Step S630, displaying at least one of the attack process, the protection process and the power dispatching network attack and defense test process based on the digital factory.
Specifically, unlike the traditional display of network attack and defense effects, the power dispatching network system of the invention adds whole-process display by the digital sand table system on top of the display by the power simulation unit. Through digital twins that visually simulate a plurality of service scenarios in the power industry, a 1:1 virtual operation and monitoring module of the system is constructed, which realizes a high degree of information fusion of the virtual data in the digital twin and provides a complete data environment and object system for network security attack and defense design, network risk assessment and the like.
According to the scheme, physical simulation is performed on the preset power dispatching physical environment and topological structure, so that the power simulation unit is obtained; a digital factory is constructed based on the power simulation unit and the digital sand table unit; and at least one of the attack process, the protection process and the power dispatching network attack and defense test process is displayed based on the digital factory. After an attack occurs, the power simulation unit shows the result of the equipment being attacked in real time, and the digital sand table unit, working with the power simulation unit, can show the whole attack process in detail as an all-round three-dimensional display of the attack effect.
Referring to fig. 7, fig. 7 is a schematic flowchart of a sixth exemplary embodiment of the power dispatching network attack and defense testing method according to the present application. Based on the embodiment shown in fig. 6, in step S620, a digital plant is constructed based on the power simulation unit and the digital sand table unit, and includes:
step S710, acquiring power dispatching data;
Specifically, the digital sand table system integrates and fuses all elements and all service data of the power simulation unit, creates a digital twin of the power simulation unit, and calculates power dispatching industrial data in real time using a mechanism model.
Step S720, constructing a low-dimensional factory digital space for the power simulation unit according to the power scheduling data;
Specifically, a digital twin of the power simulation unit is created, power dispatching industrial data are calculated in real time using a mechanism model, and a two-dimensional factory digital space is constructed.
Step S730, constructing the digital factory by using a preset high-dimensional rendering technology with respect to the factory digital space.
Specifically, high-dimensional rendering techniques are used to build the digital factory, where the high-dimensional rendering techniques include, but are not limited to, WebGL and 3D rendering techniques. For example, a digital sand table that is highly similar to the full life cycle of an intelligent manufacturing plant is built using WebGL and 3D rendering technology. All hardware equipment systems of the power simulation unit are modeled, the operation interfaces are reproduced and visualized in three dimensions, and the digital factory construction and network system control are completed in combination with the data of the power simulation unit.
According to the scheme, the power dispatching data are obtained; according to the power dispatching data, a low-dimensional factory digital space is constructed for the power simulation unit; and for the factory digital space, the digital factory is constructed by a preset high-dimensional rendering technology. After an attack occurs, the power simulation unit shows the result of the equipment being attacked in real time, and the digital sand table unit, working with the power simulation unit, shows the whole attack process in detail as an all-round three-dimensional display of the attack effect, so that the attack and defense test of the power dispatching network can be performed more intuitively.
Referring to fig. 8, fig. 8 is a schematic flowchart of a seventh exemplary embodiment of the power dispatching network attack and defense testing method according to the present application. Based on the embodiment shown in fig. 2, the attack penetration unit is provided with an interface, and step S210 is performed to determine an attack scheme and a protection scheme of the power scheduling network, where the attack scheme and the protection scheme include:
step S810, determining the protection scheme and determining the attack scheme through the interface.
Specifically, the interface is used for setting a protection scheme, where the type of the interface includes, but is not limited to, a webservice interface and an HTTP API interface. The HTTP API is preferably used in the embodiment of the application.
In addition, in this embodiment, an interface is also provided in the safety protection unit, and the type of the interface includes, but is not limited to, a webservice interface and an HTTP API interface. Therefore, an attack scheme can be set through the interface of the attack penetration unit and a protection scheme can be set through the safety protection unit, which improves the comprehensiveness of the attack and defense test system across different attack schemes and protection schemes.
In this embodiment, by the above scheme, specifically, the protection scheme is determined, and the attack scheme is determined through the interface; according to the attack scheme, attack penetration is carried out on the dispatching automation unit; detecting an attack process of the attack penetration, and executing safety protection on the attack process according to the protection scheme; and carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection. An attack scheme can be set through an interface of the attack penetration unit, and the comprehensiveness of the attack and defense test system is improved.
In addition, this application embodiment still provides a power dispatching network attack and defense testing arrangement, power dispatching network attack and defense testing arrangement includes:
the determining module is used for determining an attack scheme and a protection scheme of the power dispatching network;
the attack module is used for carrying out attack penetration on the dispatching automation unit according to the attack scheme;
the protection module is used for detecting the attack process of the attack penetration and executing safety protection on the attack process according to the protection scheme;
and the test module is used for carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
For the principle and implementation process of the power dispatching network attack and defense test, please refer to the above embodiments; details are not repeated here.
In addition, an embodiment of the present application further provides a terminal device, where the terminal device includes a memory, a processor, and a power dispatching network attack and defense test program that is stored on the memory and can be run on the processor, and when the power dispatching network attack and defense test program is executed by the processor, the steps of the power dispatching network attack and defense test method described above are implemented.
Since the power dispatching network attack and defense test program, when executed by the processor, adopts all technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, and details are not repeated herein.
In addition, an embodiment of the present application further provides a computer-readable storage medium, where a power dispatching network attack and defense test program is stored on the computer-readable storage medium, and when the power dispatching network attack and defense test program is executed by a processor, the steps of the power dispatching network attack and defense test method described above are implemented.
Since the power dispatching network attack and defense test program, when executed by the processor, adopts all technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, and details are not repeated herein.
Compared with the prior art, the attack and defense testing method, device, terminal equipment and storage medium for the power dispatching network provided by the embodiments of the application determine the attack scheme and the protection scheme of the power dispatching network; carry out attack penetration on the dispatching automation unit according to the attack scheme; detect the attack process of the attack penetration and execute safety protection on the attack process according to the protection scheme; and carry out the attack and defense test on the power dispatching network based on the attack process and the protection process of the safety protection. By determining the attack scheme and the protection scheme and carrying out attack and defense tests on the data of the attack process and the protection process, the problem of low safety of the information transmitted by the power dispatching network can be solved, and the requirement of safety evaluation of the power dispatching network is met. Based on the scheme of the application, a typical attack and defense test system of the power dispatching network is constructed according to the principle by which the power dispatching network transmits information in the real-world important basic energy industry, the effectiveness of the attack and defense test method provided by the application is verified on this test system, and the safety of power dispatching tested by the method is ultimately significantly improved.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a controlled terminal, or a network device) to execute the method of each embodiment of the present application.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings of the present application, or which are directly or indirectly applied to other related technical fields, are included in the scope of the present application.

Claims (10)

1. A power dispatching network attack and defense testing method, characterized in that the method is applied to an attack and defense testing system, the attack and defense testing system comprises a dispatching automation unit, and the power dispatching network attack and defense testing method comprises the following steps:
determining an attack scheme and a protection scheme of the power dispatching network;
according to the attack scheme, attack penetration is carried out on the dispatching automation unit;
detecting the attack process of the attack penetration, and executing safety protection on the attack process according to the protection scheme;
and carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
2. The power dispatching network attack and defense testing method according to claim 1, wherein the dispatching automation unit comprises a dispatching master station simulation subsystem, a substation simulation subsystem and a terminal simulation subsystem, and the step of carrying out attack penetration on the dispatching automation unit according to the attack scheme comprises:
when at least one of the dispatching master station simulation subsystem, the substation simulation subsystem and the terminal simulation subsystem suffers from attack penetration, acquiring data of the attack penetration based on the dispatching master station simulation subsystem and a preset three-remote rule;
and receiving the attack penetration data forwarded by the substation simulation subsystem through the terminal simulation subsystem to obtain the attack process.
3. The attack and defense test method for the power dispatching network according to claim 1, wherein the attack and defense test system further comprises a comprehensive management unit, the comprehensive management unit comprises a data acquisition module and a task evaluation module, and the step of performing the attack and defense test for the power dispatching network based on the attack process and the protection process of the safety protection comprises:
acquiring attack and defense data of the attack process and the protection process through the data acquisition module to generate corresponding experiment results;
and the attack and defense data are subjected to test situation through the task evaluation module, and the experimental result is evaluated.
4. The power dispatching network attack and defense test method according to claim 1, wherein the attack and defense test system further comprises a power simulation unit and a digital sand table unit, and after the step of carrying out attack penetration on the dispatching automation unit according to the attack scheme, the method further comprises:
performing physical simulation on a preset power dispatching physical environment and a topological structure to obtain a power simulation unit;
constructing a digital factory based on the power simulation unit and the digital sand table unit;
and displaying at least one of the attack process, the protection process and the power dispatching network attack and defense test process based on the digital factory.
5. The power dispatching network attack and defense test method according to claim 4, wherein the step of constructing a digital factory based on the power simulation unit and the digital sand table unit comprises:
acquiring power dispatching data;
according to the power dispatching data, constructing a low-dimensional factory digital space for the power simulation unit;
and constructing the digital factory from the factory digital space by a preset high-dimensional rendering technology.
6. The power dispatching network attack and defense testing method according to claim 1, wherein the attack scheme at least includes preset power dispatching network virus infection, preset power protocol attack, preset database illegal intrusion and preset vulnerability attack.
7. The attack and defense testing method for the power dispatching network according to claim 1, wherein the attack penetration unit is provided with an interface, and the determining of the attack scheme and the protection scheme of the power dispatching network comprises the following steps:
and determining the protection scheme and determining the attack scheme through the interface.
8. A power dispatching network attack and defense testing device, characterized in that the power dispatching network attack and defense testing device comprises:
the determining module is used for determining an attack scheme and a protection scheme of the power dispatching network;
the attack module is used for carrying out attack penetration on the dispatching automation unit according to the attack scheme;
the protection module is used for detecting the attack process of the attack penetration and executing safety protection on the attack process according to the protection scheme;
and the test module is used for carrying out attack and defense tests on the power dispatching network based on the attack process and the protection process of the safety protection.
9. A terminal device, comprising a memory, a processor and a power dispatching network attack and defense test program stored on the memory and executable on the processor, wherein the power dispatching network attack and defense test program, when executed by the processor, implements the steps of the power dispatching network attack and defense test method according to any one of claims 1 to 7.
10. A computer-readable storage medium, wherein a power dispatching network attack and defense test program is stored on the computer-readable storage medium, and when executed by a processor, the power dispatching network attack and defense test program implements the steps of the power dispatching network attack and defense test method according to any one of claims 1 to 7.
CN202211219847.XA 2022-10-08 2022-10-08 Attack and defense testing method and device for power dispatching network, terminal equipment and storage medium Pending CN115292704A (en)


Publications (1)

Publication Number Publication Date
CN115292704A true CN115292704A (en) 2022-11-04

Family

ID=83833421


Country Status (1)

Country Link
CN (1) CN115292704A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975863A (en) * 2016-04-27 2016-09-28 国网天津市电力公司 Method for evaluating and calculating information security risk of power distribution automation terminal equipment
CN112052607A (en) * 2020-09-29 2020-12-08 国网青海省电力公司电力科学研究院 Intelligent penetration testing method and device for power grid equipment and system
US20210314341A1 (en) * 2020-04-06 2021-10-07 Xm Cyber Ltd. Determining Multiple Ways for Compromising a Network Node in a Penetration Testing Campaign
CN114296406A (en) * 2021-11-24 2022-04-08 北京六方云信息技术有限公司 Network attack and defense display system, method and device and computer readable storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221104