CN116405329B - Network security risk blocking device and system for power monitoring system - Google Patents

Info

Publication number
CN116405329B
CN116405329B (application CN202310674626.XA)
Authority
CN
China
Prior art keywords
message
module
network security
risk
blocking
Legal status
Active
Application number
CN202310674626.XA
Other languages
Chinese (zh)
Other versions
CN116405329A
Inventor
陈文刚
蒋涛
田瑞敏
李海燕
王新瑞
姬玉泽
李�远
徐丽美
马伟天
许泳涛
张玉娟
郝鑫杰
姚泽龙
郜涛
孙逊
Current Assignee
Shanxi Shengshi Huizhi Technology Co ltd
Jincheng Power Supply Co of State Grid Shanxi Electric Power Co Ltd
Original Assignee
Shanxi Shengshi Huizhi Technology Co ltd
Jincheng Power Supply Co of State Grid Shanxi Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanxi Shengshi Huizhi Technology Co ltd and Jincheng Power Supply Co of State Grid Shanxi Electric Power Co Ltd
Priority to CN202310674626.XA
Publication of CN116405329A
Application granted
Publication of CN116405329B
Legal status: Active

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Separating internal from external traffic, e.g. firewalls / H04L63/0227 Filtering policies / H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/04 Providing a confidential data exchange among entities communicating through data packet networks / H04L63/0428 Data content protected, e.g. by encrypting or encapsulating the payload / H04L63/0442 Sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/06 Supporting key management in a packet data network
    • H04L63/08 Authentication of entities / H04L63/0823 Using certificates
    • H04L63/08 Authentication of entities / H04L63/0853 Using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/12 Applying verification of the received information / H04L63/123 Received data contents, e.g. message integrity
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols / H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS / Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS / Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS / Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them / Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network security risk blocking device and system for a power monitoring system. The device includes: a first message channel module, which executes the internal-circuit on/off instructions sent by the core control module; a core control module, which receives and issues the verification, communication, execution and setting operations required for the device to run; a security management module, which encrypts and decrypts transmitted messages and verifies the identity of the message sender; and a remote management module, which exchanges information and state feedback with the network security management platform on the master station side. When the network security management platform on the master station side detects a security risk alarm on the station side, the core control module opens the internal circuit of the first message channel module and the station side is physically isolated. Blocking measures can thus be taken immediately, improving security.

Description

Network security risk blocking device and system for power monitoring system
Technical Field
The application relates to the technical field of network security monitoring for power systems, and in particular to a network security risk blocking device and system for a power monitoring system.
Background
A power monitoring system uses computer and information technology to monitor and control the whole power production process, and a variety of network risks can arise while the power system is running. To keep the power system operating safely and reliably, the State Grid Corporation has built a security situation awareness monitoring system covering all power plants and substations. It collects and processes security risk events from the equipment of the local power monitoring system and sends the processing results to a network security management platform deployed on the master station side.
However, the currently deployed network security management platform and the station-side security situation awareness devices only reach the stage of distributed monitoring and centralized alarming: after the station-side network security monitoring device collects a network security risk event, it sends alarm information to the master station, an alarm prompt is generated on the master station management platform, and the master station operator on duty then notifies operation and maintenance staff, who assess the alarm and travel to the site to handle it. Completing this handling takes a long time, long enough for a network intrusion or sabotage to cause serious harm, and a security risk event that began in a small area often spreads to a large one.
Disclosure of Invention
To remedy at least one of these defects, the application provides a network security risk blocking device and system for a power monitoring system, which can prevent and detect intrusion risks through several blocking modes and raise the level of network security.
According to a first aspect of the present application, a network security risk blocking device for a power monitoring system is provided, including: a first message channel module, electrically connected to the core control module, which executes the internal-circuit on/off instructions sent by the core control module; a core control module, which receives and issues the verification, communication, execution and setting operations required for the device to run; a security management module, communicatively connected to the core control module, which encrypts and decrypts transmitted messages and verifies the identity of the message sender; and a remote management module, communicatively connected to the security management module, which exchanges information and state feedback with the network security management platform on the master station side.
Preferably, the device further includes: a login management module, communicatively connected to the core control module, for local login and management operations by operators; a key management module, communicatively connected to the core control module, for generating, adding, updating and deleting keys, where the keys include the local private key, the local public key and the peer public key; and a certificate management module, communicatively connected to the core control module, for adding, updating and deleting CA-issued certificates, where the certificates include the local device certificate, the peer device certificate, the superior root certificate and the operator certificate.
Preferably, the security management module includes: an encryption and decryption module, communicatively connected to the remote management module, which encrypts and decrypts the messages exchanged with the network security management platform; and an identity verification module, communicatively connected to the encryption and decryption module, which authenticates the sender of each message from the network security management platform.
Preferably, the login management module includes: a two-factor authentication interface module, which performs two-factor authentication when an operator logs in locally and performs management operations, using at least one of Ukey authentication, IC card authentication, fingerprint authentication, retina authentication and facial image authentication; and a local management interface module, which provides the service function for local login and management by operators through at least one of an application program API, a service port and a command line interface.
Preferably, the device further includes: a risk policy management module, communicatively connected to the core control module and the network security management platform, for adding, updating and deleting the risk policy rules issued by the network security management platform, where each risk policy rule includes a matching sequence number, message matching items, a matching action and a blocking type; a risk detection and handling module, which parses communication messages and performs matching, detection and handling according to the risk policy rules; a second message channel module, electrically connected to the core control module and to the third message channel module, which executes the internal-circuit on/off instructions sent by the core control module; and a third message channel module, electrically connected to the core control module, the second message channel module and the risk detection and handling module, which executes the internal-circuit on/off instructions sent by the core control module.
Preferably, the risk detection and handling module includes: a first judgment unit, which judges whether the message information matches the first rule in the risk policy rules; a first execution unit, which, when the message matches the rule and the matching action is pass, passes the message and proceeds to match the next message; a second execution unit, which, when the message matches the rule and the matching action is alarm, has the alarm information encrypted by the core control module and sent to the network security management platform, then passes the message and proceeds to the next message; a third execution unit, which, when the message matches the rule and the matching action is blocking, either discards the message and sends the network blocking information, encrypted by the core control module, to the network security management platform before proceeding to the next message (blocking type: network blocking), or sends the physical blocking information to the core control module, which opens the internal circuit of the second message channel module and sends the encrypted physical blocking information to the network security management platform (blocking type: physical blocking); and a second judgment unit, which judges whether the rule just compared is the last rule in the risk policy rules; if so, the message is passed and matching of the next message begins, otherwise the message information is matched against the next rule.
Preferably, the device further includes a honeypot capture interface, electrically connected to the second message channel module, which diverts attack traffic into a honeypot network so that an attacker is induced to attack a simulated system or device.
According to a second aspect of the present application, a network security risk blocking system for a power monitoring system is provided, including a station side and a master station side. Both sides include a switch, a longitudinal encryption authentication device and a router; the master station side further includes a CA certificate management system and a network security management platform. Service equipment connects to the network security management platform through, in order, the station-side switch, the station-side longitudinal encryption authentication device, the routers, the master-station longitudinal encryption authentication device and the master-station switch. The system further includes the network security risk blocking device for a power monitoring system described above, connected in series between the station-side switch and the station-side longitudinal encryption authentication device.
With the network security risk blocking device and system for a power monitoring system, when the network security management platform on the master station side detects a security risk alarm on the station side, the core control module receives an instruction and opens the internal circuit of the first message channel module, physically isolating the station side. After the security risk alarm is cleared, the core control module closes the internal circuit of the first message channel module again and message transmission resumes. Blocking measures can therefore be taken immediately, improving security.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and constitute a part of it, illustrate embodiments of the application and, together with the description, serve to explain the application without unduly limiting it. In the drawings:
fig. 1 is a schematic structural diagram of a network security risk blocking device of a power monitoring system according to an embodiment of the present application;
FIG. 2 is a schematic diagram illustrating the flow of communication messages in different states according to the first embodiment of the present application;
fig. 3 is a schematic structural diagram of a network security risk blocking device of a power monitoring system according to a second embodiment of the present application;
FIG. 4 is a flow chart of communication messages in different states according to a second embodiment of the present application;
fig. 5 is a flow chart of message risk detection and handling in a second embodiment of the present application;
fig. 6 is a schematic structural diagram of a network security risk blocking device of a power monitoring system according to a third embodiment of the present application;
fig. 7 is a schematic topology diagram of a network security risk blocking device of a power monitoring system according to a third embodiment of the present application;
FIG. 8 is a flow chart of communication messages in different states according to a third embodiment of the present application;
FIG. 9 is a topology diagram of a network security risk blocking system for a power monitoring system provided by the present application;
FIG. 10 is a flow chart of a physical blocking in a network security risk blocking system of a power monitoring system provided by the present application;
FIG. 11 is a flowchart of network recovery in a network security risk blocking system of a power monitoring system provided by the present application;
in the figure: 1 is a first message channel module, 2 is a core control module, 3 is a remote management module, 4 is a key management module, 5 is a certificate management module, 6 is an encryption and decryption module, 7 is an identity verification module, 8 is a double-factor authentication interface module, 9 is a local management interface module, 10 is a risk policy management module, 11 is a risk detection treatment module, 12 is a second message channel module, 13 is a third message channel module, and 14 is a honeypot capture interface.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following detailed description of exemplary embodiments of the present application is given with reference to the accompanying drawings, and it is apparent that the described embodiments are only some of the embodiments of the present application and not exhaustive of all the embodiments. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
While developing the application, the inventors found that after the station-side network security monitoring device collects a network security risk event, it sends alarm information to the master station, an alarm prompt is generated on the master station management platform, and the master station operator on duty then notifies operation and maintenance staff, who assess the alarm and travel to the site to handle it. Completing this handling takes a long time.
In view of the above problems, a first embodiment of the present application provides a network security risk blocking device for a power monitoring system which, as shown in fig. 1, includes:
the first message channel module 1, electrically connected to the core control module 2, which executes the internal-circuit on/off instructions sent by the core control module;
the core control module 2, which receives and issues the verification, communication, execution and setting operations required for the device to run;
a security management module, communicatively connected to the core control module, which encrypts and decrypts transmitted messages and verifies the identity of the message sender;
the remote management module 3, communicatively connected to the security management module, which exchanges information and state feedback with the network security management platform on the master station side.
Fig. 2 shows the flow of communication messages in the different states of this embodiment. The first message channel module 1 is an electronic execution unit that passes or blocks network communication messages; its internal circuit can be switched by the core control module 2 between the conducting and the open state, and it returns to the conducting state when the device is powered off or hangs, so a failed device does not isolate the station by itself. The core control module 2 controls the verification, communication, execution, setting and related functions needed for normal operation of the device. The security management module encrypts and decrypts transmitted messages and verifies the identity of the message sender. The remote management module 3 provides the communication services between the blocking device and the master station management platform (alarm information, control instructions, state feedback and so on), through an application program API, a service port or a similar mechanism. In this embodiment, when the network security management platform on the master station side detects a security risk alarm on the station side, the core control module 2 receives an instruction and opens the internal circuit of the first message channel module 1, physically isolating the station side; after the security risk alarm is cleared, the core control module 2 closes the circuit again and message transmission resumes. Blocking measures can therefore be taken immediately, improving security.
Further, the security management module includes an encryption and decryption module 6, communicatively connected to the remote management module 3, which encrypts and decrypts the messages exchanged with the network security management platform, and an identity verification module 7, communicatively connected to the encryption and decryption module 6, which authenticates the sender of messages from the network security management platform. The encryption and decryption module 6 protects the integrity and confidentiality of the communication messages between the blocking device and the master station management platform; the identity verification module 7 verifies the received messages of the master station management platform so that the sender information cannot be tampered with or repudiated.
Further, the device includes: a login management module, communicatively connected to the core control module 2, for local login and management operations by operators; a key management module 4, for generating, adding, updating and deleting keys, where the keys include the local private key, the local public key and the peer public key; and a certificate management module 5, bidirectionally connected to the core control module 2, for adding, updating and deleting CA-issued certificates, where the certificates include the local device certificate, the peer device certificate, the superior root certificate and the operator certificate.
Specifically, the login management module includes a two-factor authentication interface module 8, which performs two-factor authentication when an operator logs in locally and performs management operations, using at least one of Ukey, IC card, fingerprint, retina and facial image authentication, and a local management interface module 9, which provides the service function for local login and management by operators through at least one of an application program API, a service port and a command line interface. The two-factor authentication interface module 8 performs two-factor authentication when an operator logs in to the blocking device locally; any common two-factor device that can establish the operator's identity, such as a Ukey, IC card, fingerprint, retina or facial image reader, can be used. It is connected to a two-factor peripheral interface, the physical interface to the two-factor authentication device, which may be a USB port, an IC card slot or a similar type. The local management interface module 9 provides the service through which an operator logs in to and manages the network risk blocking device locally (application program API, service port, command line interface and so on); it is connected to a local management interface, through which the operator's PC is attached, and which may be an Ethernet electrical port, a Console port or similar.
The key management module 4 generates, adds, updates and deletes keys, including the local private key, the local public key and the peer public key; the certificate management module 5 adds, updates and deletes CA-issued certificates, including the local device certificate, the peer device certificate, the superior root certificate and the operator certificate.
Specifically, when the network security risk blocking device runs for the first time, the station-side operator inserts a two-factor authentication peripheral such as a Ukey and logs in through the local management interface module 9. After a successful login the operator sets the basic information, generates the keys and so on, then exports the device public key, the device certificate request, the operator certificate request and related files. These files are handed to the administrator on the master station side by an offline channel such as a USB flash drive or mail. The master station administrator reviews the requests and issues the certificates in the CA certificate management system, then returns the issued device certificate and operator certificate together with the master-station device certificate, the superior root certificate and related files to the station-side operator, again offline. The station-side operator imports these certificates into the network security risk blocking device, after which the device can communicate with the network security management platform on the master station side over encrypted channels. When the network security management platform on the master station side detects a security risk alarm on the station side, the master station security administrator can apply physical blocking to the station side through the platform. So that the network security risk blocking device cannot affect the operation of the existing system, the internal circuit of the first message channel module 1 is physically conducting whenever the device is shut down, loses power or hangs, and data messages then flow straight through the device.
The device comprises a remote control interface, wherein the remote control interface is connected with a remote management module, and the device is communicated with a master station side through the remote control interface; the remote control interface may be of the type Ethernet electrical or optical, wireless (4G/5G), etc.
The device comprises a double-factor peripheral interface and a local management interface, wherein the double-factor peripheral interface is connected with a double-factor authentication interface module, and the local management interface is connected with a local management interface module.
The device comprises: the device is connected with the output end of the station side switch through the message input interface, and is connected with the input end of the longitudinal encryption authentication device through the message output interface; the message input interface is a physical interface for a network communication message to enter the device, and can be an Ethernet electric port or an optical port and the like; the message output interface is a physical interface of a network communication message leaving the device, and can be an Ethernet electric port or an optical port and the like.
Embodiment II of the present application provides a network security risk blocking device for a power monitoring system which, as shown in FIG. 3, further includes:
Risk policy management module 10: in communication connection with the core control module and the network security management platform, used for adding, updating and deleting the risk policy rules issued by the network security management platform, where each risk policy rule comprises a matching sequence number, message matching items, a matching action and a blocking type;
Risk detection and treatment module 11: used for parsing communication messages and performing matching detection and treatment according to the risk policy rules;
Second message channel module 12: electrically connected to the core control module and to the third message channel module, used for executing the internal circuit on or off instruction issued by the core control module;
Third message channel module 13: electrically connected to the core control module, the second message channel module and the risk detection and treatment module, used for executing the internal circuit on or off instruction issued by the core control module.
In this embodiment, the risk policy management module 10 performs the management operations of adding, updating and deleting the risk policy rules issued by the master station security management platform; the device accepts a rule according to the issuing scope (all plant stations or designated plant stations) defined on the master station security management platform. Each risk policy rule comprises a matching sequence number, message matching items, a matching action (release, alarm or blocking) and a blocking type (physical blocking or network blocking). A message matching item is matching logic formulated over the related information of the message (source address, source port number, destination address, destination port number, protocol number, service type, interface index, message byte count, session traffic, traffic ratio and so on); the matching logic may be a single item or a combination of several. The risk detection and treatment module 11 parses, detects and treats the communication messages between the plant station side and the master station side: it parses each message flowing through the device to obtain the message's related information and performs matching detection and treatment according to the risk policy rules. Network blocking in the security risk blocking device is therefore achieved by the risk policy management module 10 together with the risk detection and treatment module 11. FIG. 4 is a schematic diagram of the message flow in the different states of this embodiment: when the network security risk blocking device has no risk alarm, messages pass through; in the network blocking state, messages are discarded; in the physical blocking state, the message path is interrupted; and when the device is powered off or hung, messages pass through. The last state is a fail-open design chosen to protect availability, and it has a security consequence worth keeping in mind: a loss of power at the device also removes any blocking the device was enforcing at that moment.
Specifically, when the network security risk blocking device is run for the first time, a plant station side operator inserts a two-factor authentication peripheral such as a UKey and logs in through the local management interface module 9. After a successful login the operator performs basic information setting, key generation and similar operations, then exports the device public key, the device certificate request, the operator certificate request and related files. These files are delivered to the master station side manager offline (for example by USB flash drive copy or by mail); the master station side manager audits them and issues certificates in the CA certificate management system, then returns the issued device certificate and operator certificate, together with the master station side device certificate, the superior root certificate and related files, to the plant station side operator, again offline. The plant station side operator performs the certificate import operation to load the related certificates into the security risk blocking device; from that point the device can communicate with the master station side security management platform over an encrypted channel and receive the risk policy rules issued by the master station side network security management platform.
When the network security risk blocking device detects a risk according to the risk policy rules, it performs the corresponding action: alarm upload, network blocking or physical blocking. When the master station side network security management platform receives a security risk alarm sent by the plant station side, the master station security manager, after analysis and judgment, can apply network blocking control to the plant station side through the network security management platform. When the master station side network security management platform detects a new security risk that was not detected at the plant station side, master station security management personnel can add, update and issue risk policy rules through the security management platform. So that the network security risk blocking device does not affect the operation of the existing system, when the device is shut down, loses power or hangs, the internal circuits of the second message channel module 12 and the third message channel module 13 are physically conducting and data messages flow straight through the device.
Further, the risk detection and treatment module 11 includes: a first judgment unit, used for judging whether the message information matches the first rule of the risk policy rules; a first execution unit: when the message information matches the rule being tried and the matching action is release, the message is released and matching of the next message begins; a second execution unit: when the message information matches the rule being tried and the matching action is alarm, the alarm information is encrypted by the core control module and sent to the network security management platform, after which the message is released and matching of the next message begins; a third execution unit: when the message information matches the rule being tried and the matching action is network blocking, the message is discarded, the network blocking information is encrypted by the core control module and sent to the network security management platform, and matching of the next message begins; when the matching action is physical blocking, the physical blocking information is sent to the core control module, the core control module controls the first message channel module to perform the disconnecting operation, and the physical blocking information is encrypted and sent to the network security management platform; a second judgment unit, used for judging whether the rule just tried is the last rule of the risk policy rules: if so, the message is released and matching of the next message begins; otherwise the message information is matched against the next rule of the risk policy rules.
FIG. 5 is a flow chart of the message risk detection and treatment performed by the risk detection and treatment module 11. As shown in FIG. 5, after the network security risk blocking device obtains a message, the message is matched against the first rule of the risk policy rules. When the message information matches the rule and the matching action is release, the message is released and matching of the next message begins. When the message information matches the rule and the matching action is alarm, the alarm information is encrypted by the core control module 2 and sent to the network security management platform, and the message is released before matching of the next message begins. When the message information matches the rule and the matching action is network blocking, the message is discarded, the network blocking information is encrypted by the core control module 2 and sent to the network security management platform, and matching of the next message begins. When the matching action is physical blocking, the physical blocking information is sent to the core control module 2, the core control module 2 controls the first message channel module 1 to perform the disconnecting operation, and the physical blocking information is encrypted by the core control module 2 and sent to the network security management platform. When the rule just tried does not match and it is the last rule of the risk policy rules, the message is released and matching of the next message begins; when it is not the last rule, the message information is matched against the next rule of the risk policy rules.
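The rule walk of FIG. 5 and the rule fields listed for the risk policy management module, as an added example that is not code from the patent or from the applicant: an ordered list of rules, each with a sequence number, ANDed matching items, a matching action and a blocking type, is applied to constructed sample messages, with the first match deciding the disposition and a physical block opening the first message channel until a restore. Field names, the CIDR form of address items, the sample rules and traffic, and the in-memory report list that stands in for the encrypted upload to the platform are all assumptions.

```python
"""Added example (not the patent's own code): an ordered risk-policy walk
modelled on FIG. 5 with the release/alarm/network-block/physical-block actions.
Rule and message field names, CIDR address items and the in-memory report list
standing in for the encrypted upload are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

PASS, ALARM, BLOCK = "pass", "alarm", "block"          # matching actions
NETWORK_BLOCK, PHYSICAL_BLOCK = "network", "physical"  # blocking types


@dataclass
class Rule:
    seq: int                          # matching sequence number (walk order)
    match: Dict[str, Any]             # message matching items, ANDed together
    action: str                       # PASS / ALARM / BLOCK
    block_type: Optional[str] = None  # only meaningful when action == BLOCK


def item_matches(key: str, want: Any, msg: Dict[str, Any]) -> bool:
    """One matching item: a predicate, a host/CIDR for address fields, or a literal."""
    have = msg.get(key)
    if have is None:
        return False
    if callable(want):
        return bool(want(have))
    if key in ("src", "dst"):
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    return have == want


def rule_matches(rule: Rule, msg: Dict[str, Any]) -> bool:
    return all(item_matches(k, v, msg) for k, v in rule.match.items())


class BlockingDevice:
    """Models the risk detection/treatment module plus the first message channel."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.seq)
        self.channel_conducting = True            # first message channel circuit closed
        self.reports: List[Tuple[str, int]] = []  # (kind, rule seq) sent to the platform

    def report(self, kind: str, rule: Rule) -> None:
        # Stand-in for "encrypted by the core control module and sent to the platform".
        self.reports.append((kind, rule.seq))

    def process(self, msg: Dict[str, Any]) -> str:
        """Returns 'forwarded', 'dropped' or 'interrupted' for one message."""
        if not self.channel_conducting:
            return "interrupted"            # circuit open: nothing traverses the device
        for rule in self.rules:             # first match wins; later rules are not consulted
            if not rule_matches(rule, msg):
                continue
            if rule.action == PASS:
                return "forwarded"
            if rule.action == ALARM:
                self.report("alarm", rule)
                return "forwarded"
            if rule.action == BLOCK and rule.block_type == NETWORK_BLOCK:
                self.report("network_block", rule)
                return "dropped"
            if rule.action == BLOCK and rule.block_type == PHYSICAL_BLOCK:
                self.channel_conducting = False   # core control opens the circuit
                self.report("physical_block", rule)
                return "interrupted"
            raise ValueError(f"rule {rule.seq}: unknown action/blocking type")
        return "forwarded"                  # last rule tried without a match: release

    def restore(self) -> None:
        """Master station recovery instruction: close the circuit again."""
        self.channel_conducting = True


# Constructed sample policy and traffic (not taken from the patent).
RULES = [
    Rule(1, {"dst": "10.0.0.10", "dport": 2404, "proto": 6}, PASS),
    Rule(2, {"dport": 23}, ALARM),
    Rule(3, {"dport": 445}, BLOCK, NETWORK_BLOCK),
    Rule(4, {"src": "192.168.100.0/24"}, BLOCK, PHYSICAL_BLOCK),
    Rule(5, {"bytes": lambda n: n > 1400}, ALARM),
]
SAMPLE = [
    {"src": "10.1.1.5", "dst": "10.0.0.10", "dport": 2404, "proto": 6, "bytes": 120},
    {"src": "10.1.1.77", "dst": "10.0.0.10", "dport": 23, "proto": 6, "bytes": 60},
    {"src": "10.1.1.77", "dst": "10.0.0.10", "dport": 445, "proto": 6, "bytes": 90},
    {"src": "10.1.1.5", "dst": "10.0.0.10", "dport": 2404, "proto": 6, "bytes": 1500},
    {"src": "192.168.100.9", "dst": "10.0.0.10", "dport": 502, "proto": 6, "bytes": 64},
    {"src": "10.1.1.5", "dst": "10.0.0.10", "dport": 2404, "proto": 6, "bytes": 120},
]


def run_sample() -> Tuple[List[str], List[Tuple[str, int]], str]:
    dev = BlockingDevice(RULES)
    dispositions = [dev.process(m) for m in SAMPLE]
    dev.restore()                               # alarm cleared: circuit closed again
    return dispositions, dev.reports, dev.process(SAMPLE[0])


if __name__ == "__main__":
    print(run_sample())
```

Two things the walk makes visible that the prose does not: the default for a message matching no rule is release, so anything you want stopped needs an explicit rule; and an early release rule shadows every later rule, which is why the fourth sample message (1500 bytes to the allowed port) never reaches the byte-count alarm at sequence number 5.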
Embodiment III of the present application provides a network security risk blocking device for a power monitoring system; FIG. 6 is a schematic structural diagram of this embodiment and FIG. 7 is a schematic topology diagram. As shown in FIG. 6 and FIG. 7, the apparatus further includes:
Honeypot capture interface 14: electrically connected to the second message channel module and the first message channel module, used for diverting attack traffic into a honeypot network so as to induce the attacker to attack a simulated system or piece of equipment. In this embodiment a honeypot capture interface 14 is added to the plant station side network security risk blocking device; attack traffic is diverted into a honeypot network and the attacker is drawn to attack a simulated system or equipment, so that the attacker's tools, techniques, motives and objectives can be collected and the attack behaviour captured and analysed, raising the level of active network security defence. FIG. 8 is a schematic diagram of the message flow in the different states of this embodiment: when the network security risk blocking device has no risk alarm, or is powered off or hung, messages go to the third message channel module 13; in the capture state, messages are directed through the honeypot capture interface 14 to the master station side honeypot network system.
When the network security risk blocking device detects a risk according to the risk policy rules, it performs the corresponding action: alarm upload, network blocking, honeypot capture or similar. When the master station side network security management platform receives a security risk alarm sent by the plant station side, master station security management personnel, after analysis and judgment, can control the honeypot capture state of the plant station side through the network security management platform. When the master station side network security management platform detects a new security risk that was not detected at the plant station side, master station security management personnel can add, update and issue risk policy rules through the security management platform. So that the security risk blocking device does not affect the operation of the existing system, when the device is shut down, loses power or hangs, the internal circuits of the second message channel module 12 and the third message channel module 13 are physically conducting and data messages flow straight through the device.
An embodiment of the present application provides a network security risk blocking system for a power monitoring system; FIG. 9 is a topology diagram of this embodiment. As shown in FIG. 9, the system comprises a plant station side and a master station side. Each of the plant station side and the master station side comprises a switch, a longitudinal encryption authentication device and a router; the master station side further comprises a CA certificate management system and a network security management platform. Service equipment is connected to the network security management platform through, in order, the switch, the longitudinal encryption authentication device and the router of the plant station side and then the longitudinal encryption authentication device and the switch of the master station side. The system further comprises the network security risk blocking device of the power monitoring system described above, connected in series between the plant station side switch and the plant station side longitudinal encryption authentication device.
When the master station side network security management platform detects a security risk alarm at the plant station side, the master station security manager can apply physical blocking control to the plant station through the network security management platform. The blocking procedure is shown in FIG. 10: when the master station side network security management platform detects a security risk alarm at the plant station side, the master station side network security manager issues a blocking instruction; on receiving the instruction, the plant station side network security risk blocking device verifies the identity of the sender and, on success, sends a blocking confirmation message; on receiving the blocking confirmation message, the master station side security manager verifies the identity of the plant station side operator and, on success, sends a blocking execution instruction; on receiving the blocking execution instruction, the network security risk blocking device again verifies the identity of the sender and, on success, performs the blocking operation and sends a blocking operation result message; finally the network security management platform marks the blocking state of the plant station.
When the master station side network security management platform detects that the security risk alarm at the plant station side has disappeared, master station side network security management personnel can apply network recovery control to the plant station side through the network security management platform. The recovery procedure is shown in FIG. 11: when the master station side network security management platform detects that the security risk at the plant station side has disappeared, the master station side network security manager issues a recovery instruction; on receiving the recovery instruction, the plant station side network security risk blocking device verifies the identity of the sender and, on success, sends a recovery confirmation message; on receiving the recovery confirmation message, the master station side network security manager verifies the identity of the plant station side operator and, on success, sends a recovery execution instruction; on receiving the recovery execution instruction, the network security risk blocking device verifies the identity of the sender and, on success, performs the recovery operation and sends a recovery operation result message; finally the network security management platform marks the recovery state of the plant station.
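The two-step exchanges of FIG. 10 and FIG. 11 played out as both sides' messages, as an added example that is not code from the patent or from the applicant. The certificate-based sender verification of the described device is replaced here by HMAC-SHA256 tags over two pre-shared keys (one standing in for the master station manager's credential, one for the plant station operator's), and every message field name is an assumption; what the exchange shows is the ordering and binding that the page's procedure implies: an execution instruction only takes effect if it carries a valid sender tag and the id of an instruction the device has already confirmed, so a forged, replayed or out-of-order execution leaves the circuit untouched.

```python
"""Added example (not the patent's own code): the block/restore exchange of
FIG. 10 and FIG. 11 as both sides' messages. Certificate verification is
replaced by HMAC-SHA256 tags over pre-shared keys; field names are assumptions."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

Message = Dict[str, object]


def canonical(msg: Message) -> bytes:
    """Bytes the tag is computed over: every field except the tag, in fixed order."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, msg: Message) -> Message:
    return {**msg, "tag": hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()}


def verified(key: bytes, msg: Optional[Message]) -> bool:
    if not msg:
        return False
    expect = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, str(msg.get("tag", "")))


class Platform:
    """Master station side network security management platform."""

    def __init__(self, manager_key: bytes, operator_key: bytes):
        self.manager_key, self.operator_key = manager_key, operator_key
        self.pending: Dict[str, Tuple[str, str]] = {}   # instruction id -> (op, station)
        self.station_state: Dict[str, str] = {}

    def issue(self, op: str, station: str) -> Message:
        """Step 1: the manager issues a block/restore instruction with a fresh id."""
        iid = secrets.token_hex(8)
        self.pending[iid] = (op, station)
        return sign(self.manager_key, {"type": f"{op}_instruction", "id": iid, "station": station})

    def on_confirmation(self, conf: Optional[Message]) -> Optional[Message]:
        """Step 3: verify the plant station operator, then send the execution instruction."""
        if not verified(self.operator_key, conf) or conf.get("id") not in self.pending:
            return None
        op, station = self.pending[conf["id"]]
        return sign(self.manager_key, {"type": f"{op}_execute", "id": conf["id"], "station": station})

    def on_result(self, result: Optional[Message]) -> Optional[str]:
        """Step 5: verify the result message and mark the station's state."""
        if not verified(self.operator_key, result) or result.get("id") not in self.pending:
            return None
        op, station = self.pending.pop(result["id"])
        self.station_state[station] = "blocked" if op == "block" else "restored"
        return self.station_state[station]


class Device:
    """Plant station side network security risk blocking device."""

    def __init__(self, station: str, manager_key: bytes, operator_key: bytes):
        self.station, self.manager_key, self.operator_key = station, manager_key, operator_key
        self.channel_conducting = True      # first message channel circuit closed
        self.pending: Optional[str] = None  # id of the instruction we confirmed

    def on_instruction(self, instr: Optional[Message]) -> Optional[Message]:
        """Step 2: verify the sender, remember the id, answer with a confirmation."""
        if not verified(self.manager_key, instr) or instr.get("station") != self.station:
            return None
        self.pending = str(instr["id"])
        return sign(self.operator_key, {"type": "confirm", "id": self.pending, "station": self.station})

    def on_execute(self, ex: Optional[Message]) -> Optional[Message]:
        """Step 4: only a verified execution bound to the confirmed id touches the circuit."""
        if not verified(self.manager_key, ex) or self.pending is None or ex.get("id") != self.pending:
            return None   # forged, replayed or out-of-order: circuit state unchanged
        op = str(ex["type"]).split("_")[0]
        self.channel_conducting = op != "block"
        self.pending = None
        return sign(self.operator_key, {"type": "result", "id": ex["id"], "station": self.station,
                                        "conducting": self.channel_conducting})


def run_exchange(platform: Platform, device: Device, op: str) -> Optional[str]:
    """Drives one complete exchange; any rejected step aborts with None."""
    ex = platform.on_confirmation(device.on_instruction(platform.issue(op, device.station)))
    return platform.on_result(device.on_execute(ex))


def demo() -> tuple:
    mk, ok = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed keys
    plat, dev = Platform(mk, ok), Device("plant-station-A", mk, ok)
    s1 = run_exchange(plat, dev, "block")
    c1 = dev.channel_conducting
    # An attacker without the manager key tries to jump straight to the execute step.
    forged = sign(b"wrong-key", {"type": "restore_execute", "id": "0" * 16, "station": "plant-station-A"})
    r_forged, c2 = dev.on_execute(forged), dev.channel_conducting
    s2 = run_exchange(plat, dev, "restore")
    return s1, c1, r_forged, c2, s2, dev.channel_conducting


if __name__ == "__main__":
    print(demo())   # ('blocked', False, None, False, 'restored', True)
```

The instruction id is what turns the two-step procedure into a binding: the device only acts on an execution whose id it confirmed itself, and the platform only marks a station after a result carrying a pending id, so neither side can be driven by a captured message from an earlier exchange. In the real device these tags would be signatures verified against the operator and master station certificates imported at first run.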
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The schemes in the embodiments of the present application may be implemented in various computer languages, for example C, the hardware description languages VHDL and Verilog, the object-oriented programming language Java and the scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (6)

1. A network security risk blocking system of a power monitoring system, applied to the monitoring and control of the whole power production process, comprising a plant station side and a master station side, wherein each of the plant station side and the master station side comprises a switch, a longitudinal encryption authentication device and a router, the master station side comprises a CA certificate management system and a network security management platform, and service equipment is connected to the network security management platform through, in order, the switch, the longitudinal encryption authentication device and the router of the plant station side and then the longitudinal encryption authentication device and the switch of the master station side, characterised in that:
the network security risk blocking system further comprises a network security risk blocking device of the power monitoring system, the risk blocking device being connected in series between the plant station side switch and the longitudinal encryption authentication device;
the network security risk blocking device of the power monitoring system comprises:
a first message channel module: electrically connected to the core control module and used for executing the internal circuit on or off instruction issued by the core control module;
a core control module: used for receiving and issuing the verification, communication, execution and setting operations required for the device to run;
a security management module: in communication connection with the core control module and used for encrypting and decrypting transmitted messages and verifying the identity of the message sender;
a remote management module: in communication connection with the security management module and used for information exchange and state feedback with the master station side network security management platform;
when the master station side network security management platform detects a security risk alarm at the plant station side, the core control module receives an instruction and controls the internal circuit of the first message channel module to open, physically blocking the plant station side; after the security risk alarm disappears, the core control module controls the internal circuit of the first message channel module to close and message transmission resumes;
the network security risk blocking device of the power monitoring system further comprises:
a risk policy management module: in communication connection with the core control module and the network security management platform, used for adding, updating and deleting the risk policy rules issued by the network security management platform, wherein the risk policy rules comprise a matching sequence number, message matching items, a matching action and a blocking type; a message matching item is matching logic formulated over the related information of the message, the matching logic being one item of that related information or a combination of several, and the related information of the message comprises: source address, source port number, destination address, destination port number, protocol number, service type, interface index, byte count, session traffic and traffic ratio;
a risk detection and treatment module: used for parsing communication messages and performing matching detection and treatment according to the risk policy rules;
a second message channel module: electrically connected to the core control module and to the third message channel module, used for executing the internal circuit on or off instruction issued by the core control module;
a third message channel module: electrically connected to the core control module, the second message channel module and the risk detection and treatment module, used for executing the internal circuit on or off instruction issued by the core control module;
when the network security risk blocking device detects a risk according to the risk policy rules, it performs the corresponding action of alarm upload, network blocking or physical blocking; when the master station side network security management platform receives a security risk alarm sent by the plant station side, the master station security manager, after analysis and judgment, applies network blocking control to the plant station side through the network security management platform; when the master station side network security management platform detects a new security risk that was not detected at the plant station side, master station security management personnel add, update and issue risk policy rules through the security management platform; so that the network security risk blocking device does not affect the operation of the existing system, when the device is shut down, loses power or hangs, the internal circuits of the second message channel module 12 and the third message channel module 13 are physically conducting and data messages flow straight through the device.
2. The network security risk blocking system of the power monitoring system according to claim 1, comprising:
a login management module: in communication connection with the core control module and used for local login and management operations by operators;
a key management module: in communication connection with the core control module and used for the generation, adding, updating and deleting management operations of keys, the keys comprising a local private key, a local public key and a peer public key;
a certificate management module: in communication connection with the core control module and used for the adding, updating and deleting management operations of CA certificates, the certificates comprising a local device certificate, a peer device certificate, a superior root certificate and an operator certificate.
3. The network security risk blocking system of the power monitoring system according to claim 1, wherein the security management module comprises:
an encryption and decryption module: in communication connection with the remote management module and used for encrypting and decrypting the messages exchanged with the network security management platform;
an identity verification module: in communication connection with the encryption and decryption module and used for authenticating the identity of the sender of messages from the network security management platform.
4. The system according to claim 2, wherein the login management module comprises:
a two-factor authentication interface module: used for performing two-factor authentication when an operator performs local login and management operations, the two-factor authentication being at least one of UKey authentication, IC card authentication, fingerprint authentication, retina authentication and facial image authentication;
a local management interface module: the service function through which operators perform local login and management operations, being at least one of an application program API, a service port and a command line interface.
5. The network security risk blocking system of the power monitoring system according to claim 1, wherein the risk detection and treatment module comprises:
a first judgment unit: used for judging whether the message information matches the first rule of the risk policy rules;
a first execution unit: when the message information matches the rule being tried and the matching action is release, the message is released and matching of the next message begins;
a second execution unit: when the message information matches the rule being tried and the matching action is alarm, the alarm information is encrypted by the core control module and sent to the network security management platform, after which the message is released and matching of the next message begins;
a third execution unit: when the message information matches the rule being tried and the matching action is network blocking, the message is discarded, the network blocking information is encrypted by the core control module and sent to the network security management platform, and matching of the next message begins; when the matching action is physical blocking, the physical blocking information is sent to the core control module, the core control module controls the first message channel module to perform the disconnecting operation, and the physical blocking information is encrypted and sent to the network security management platform;
a second judgment unit: used for judging whether the rule just tried is the last rule of the risk policy rules; if so, the message is released and matching of the next message begins; otherwise the message information is matched against the next rule of the risk policy rules.
6. The network security risk blocking system of the power monitoring system according to claim 1, comprising:
a honeypot capture interface: electrically connected to the second message channel module and the first message channel module, used for diverting attack traffic into a honeypot network so as to induce the attacker to attack a simulated system or piece of equipment.
CN202310674626.XA 2023-06-08 2023-06-08 Network security risk blocking device and system for power monitoring system Active CN116405329B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310674626.XA CN116405329B (en) 2023-06-08 2023-06-08 Network security risk blocking device and system for power monitoring system

Publications (2)

Publication Number Publication Date
CN116405329A CN116405329A (en) 2023-07-07
CN116405329B true CN116405329B (en) 2024-02-27

Family

ID=87020253

Country Status (1)

Country Link
CN (1) CN116405329B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722576A (en) * 2012-06-05 2012-10-10 西安未来国际信息股份有限公司 Encipherment protection system and encipherment protection method for database in cloud computing environment
EP3432185A1 (en) * 2017-07-19 2019-01-23 Siemens Aktiengesellschaft Method and network device for protecting a device using at least one key pair generated using asymmetric encryption for encrypted communication and/or authentication against manipulation
CN109495499A (en) * 2018-12-13 2019-03-19 南京国电南自电网自动化有限公司 Communication protocol bi-directional verification automated test tool and method based on Encryption Algorithm
CN113923045A (en) * 2021-10-29 2022-01-11 北京天融信网络安全技术有限公司 Safety monitoring type intranet access control method and system
CN115174157A (en) * 2022-06-14 2022-10-11 中国南方电网有限责任公司 Relay protection remote operation and maintenance network security multistage blocking method and system
CN115643030A (en) * 2022-10-25 2023-01-24 国网重庆市电力公司电力科学研究院 Power distribution network safety multistage blocking emergency response system and method
CN115694931A (en) * 2022-12-27 2023-02-03 中国南方电网有限责任公司 Relay protection remote operation and maintenance intrusion prevention and detection method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11496475B2 (en) * 2019-01-04 2022-11-08 Ping Identity Corporation Methods and systems for data traffic based adaptive security

CN115694931A (en) Relay protection remote operation and maintenance intrusion prevention and detection method and system
Zhang et al. Design and implementation of IEC61850 communication security protection scheme for smart substation based on bilinear function
CN115361273A (en) Block chain-based electric power operation and maintenance safety supervision and emergency management and control system and method
CN108879963A (en) Power load management equipment and method
CN110233735B (en) Comprehensive safety protection method and system for grid-connected power station industrial control system
CN114143028A (en) Data cross-region safe transmission method and system based on electric power spot transaction service scene
CN112187729A (en) Operation permission safety management and control system and method
CN111953685A (en) Dynamic electric power monitoring network security analysis system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Chen Wengang, Xu Yongtao, Zhang Yujuan, Hao Xinjie, Yao Zelong, Gao Tao, Sun Xun, Jiang Tao, Tian Ruimin, Li Haiyan, Wang Xinrui, Ji Yuze, Li Yuan, Xu Limei, Ma Weitian

Inventor before: Chen Wengang, Xu Yongtao, Zhang Yujuan, Hao Xinjie, Yao Zelong, Gao Tao, Sun Xun, Jiang Tao, Tian Ruimin, Li Haiyan, Wang Xinrui, Ji Yuze, Li Yuan, Xu Limei, Ma Weitian