Disclosure of Invention
In order to address one of the above technical defects, the application provides a network security risk blocking device and system for a power monitoring system, which can prevent and detect intrusion risks through several blocking modes and raise the network security level.
According to a first aspect of the present application, there is provided a network security risk blocking device for a power monitoring system, including: a first message channel module, electrically connected with the core control module and used for executing the internal circuit on/off instructions sent by the core control module; a core control module, used for receiving and issuing the verification, communication, execution and setting operations required for the device to run; a security management module, in communication connection with the core control module and used for encrypting and decrypting transmitted messages and verifying the identity of the message sender; and a remote management module, in communication connection with the security management module and used for information interaction and state feedback with the network security management platform at the master station side.
Preferably, the device comprises: a login management module, in communication connection with the core control module and used for local login and management operations by operators; a key management module, in communication connection with the core control module and used for generating, adding, updating and deleting keys, where the keys comprise a local private key, a local public key and a peer public key; and a certificate management module, in communication connection with the core control module and used for adding, updating and deleting CA certificates, where the certificates comprise a local device certificate, a peer device certificate, a superior root certificate and an operator certificate.
Preferably, the security management module includes: an encryption and decryption module, in communication connection with the remote management module and used for encrypting and decrypting the messages exchanged with the network security management platform; and an identity verification module, in communication connection with the encryption and decryption module and used for authenticating the sender of messages from the network security management platform.
Preferably, the login management module includes: a two-factor authentication interface module, used for two-factor authentication when an operator performs local login and management operations, where the two-factor authentication is at least one of Ukey authentication, IC card authentication, fingerprint authentication, retina authentication and facial image authentication; and a local management interface module, which provides the service function through which operators perform local login and management operations and is at least one of an application program API, a service port and a command line interface.
Preferably, the device comprises: a risk policy management module, in communication connection with the core control module and the network security management platform and used for adding, updating and deleting the risk policy rules issued by the network security management platform, where each risk policy rule comprises a matching sequence number, message matching items, a matching action and a blocking type; a risk detection and treatment module, which parses communication messages and performs matching detection and treatment according to the risk policy rules; a second message channel module, electrically connected with the core control module and the third message channel module respectively and used for executing the internal circuit on/off instructions sent by the core control module; and a third message channel module, electrically connected with the core control module, the second message channel module and the risk detection and treatment module respectively and used for executing the internal circuit on/off instructions sent by the core control module.
Preferably, the risk detection and treatment module comprises: a first judgment unit, used for judging whether the message information matches the first rule in the risk policy rules; a first execution unit: when the message information matches the first rule in the risk policy rules and the matching action is release, the message is released and the next message is matched; a second execution unit: when the message information matches the first rule in the risk policy rules and the matching action is alarm, the alarm information is encrypted by the core control module and sent to the network security management platform, after which the message is released and the next message is matched; a third execution unit: when the message information matches the first rule in the risk policy rules and the matching action is network blocking, the message is discarded, the network blocking information is encrypted by the core control module and sent to the network security management platform, and the next message is matched; when the matching action is physical blocking, the physical blocking information is sent to the core control module, the core control module controls the second message channel module to execute the disconnecting operation, and the physical blocking information is encrypted and sent to the network security management platform; and a second judgment unit, used for judging whether the rule just tried is the last rule in the risk policy rules; if so, the message is released and the next message is matched; otherwise, the message information is matched against the next rule in the risk policy rules.
Preferably, the device comprises a honeypot capture interface, electrically connected with the second message channel module and used for diverting attack traffic into a honeypot network so that the attacker is drawn into attacking a simulated system or device.
According to a second aspect of the present application, there is provided a network security risk blocking system of a power monitoring system, comprising a station side and a master station side. Both the station side and the master station side comprise a switch, a longitudinal encryption authentication device and a router, and the master station side further comprises a CA certificate management system and a network security management platform. Service equipment is connected to the network security management platform sequentially through the switch of the station side, the longitudinal encryption authentication device, the router, the longitudinal encryption authentication device and the switch. The system further comprises the network security risk blocking device of the power monitoring system described above, connected in series between the switch of the station side and the longitudinal encryption authentication device.
With the network security risk blocking device and system for the power monitoring system, when the network security management platform at the master station side detects that a security risk alarm exists at the station side, the core control module receives the instruction and disconnects the internal circuit of the first message channel module, physically blocking the station side; after the security risk alarm disappears, the core control module sets the internal circuit of the first message channel module back to the conducting state and message transmission is restored. Blocking measures can thus be taken immediately, and security is improved.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following detailed description of exemplary embodiments of the present application is given with reference to the accompanying drawings, and it is apparent that the described embodiments are only some of the embodiments of the present application and not exhaustive of all the embodiments. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
In the course of this work, the inventor found that after the network security monitoring device at the station side collects network security risk events, alarm information is sent to the master station, corresponding alarm prompts are generated on the master station management platform, and the master station attendant then informs the relevant operation and maintenance personnel, who further assess the alarm event and travel to the site for disposal. The problem is that completing this treatment takes a long time.
In view of the above problems, a first embodiment of the present application provides a network security risk blocking device for a power monitoring system, as shown in fig. 1, the network security risk blocking device for a power monitoring system includes:
first message channel module 1: electrically connected with the core control module 2 and used for executing the internal circuit on/off instructions sent by the core control module;
core control module 2: used for receiving and issuing the verification, communication, execution and setting operations required for the device to run;
security management module: in communication connection with the core control module and used for encrypting and decrypting transmitted messages and verifying the identity of the message sender;
remote management module 3: in communication connection with the security management module and used for information interaction and state feedback with the network security management platform at the master station side.
Fig. 2 is a schematic flow diagram of a communication message in different states in the present embodiment. As shown in fig. 2, the first message channel module 1 is an electronic execution unit that passes or blocks network communication messages; its internal circuit can be placed in the conducting or disconnected state by the core control module 2, and it restores the conducting state when the device is powered off or hangs. The core control module 2 controls the functions required for normal operation of the device, such as verification, communication, execution and setting. The security management module encrypts and decrypts transmitted messages and verifies the identity of the message sender. The remote management module 3 provides the communication services between the blocking device and the master station management platform, such as alarm information, control instructions and state feedback, and can take the form of an application program API, a service port or the like. In this embodiment, when the network security management platform at the master station side detects that a security risk alarm exists at the station side, the core control module 2 receives an instruction and disconnects the internal circuit of the first message channel module 1, physically blocking the station side; after the security risk alarm disappears, the core control module 2 sets the internal circuit of the first message channel module 1 back to the conducting state and message transmission is restored. Blocking measures can thus be taken immediately, and security is improved.
Further, the security management module includes: an encryption and decryption module 6, in communication connection with the remote management module 3 and used for encrypting and decrypting the messages exchanged with the network security management platform; and an identity verification module 7, in communication connection with the encryption and decryption module 6 and used for authenticating the sender of messages from the network security management platform. The encryption and decryption module 6 encrypts and decrypts the communication messages between the blocking device and the master station management platform, ensuring their integrity and confidentiality; the identity verification module 7 verifies the identity of the sender of each communication message received from the master station management platform, ensuring that the sender's information has not been tampered with and cannot be repudiated.
Further, the apparatus comprises: a login management module, in communication connection with the core control module 2 and used for local login and management operations by operators; a key management module 4, used for generating, adding, updating and deleting keys, where the keys comprise a local private key, a local public key and a peer public key; and a certificate management module 5, bidirectionally connected with the core control module 2 and used for adding, updating and deleting CA certificates, where the certificates comprise a local device certificate, a peer device certificate, a superior root certificate and an operator certificate.
Specifically, the login management module includes: a two-factor authentication interface module 8, used for two-factor authentication when an operator performs local login and management operations, where the two-factor authentication is at least one of Ukey authentication, IC card authentication, fingerprint authentication, retina authentication and facial image authentication; and a local management interface module 9, which provides the service function through which an operator performs local login and management operations and is at least one of an application program API, a service port and a command line interface. The two-factor authentication interface module 8 performs two-factor authentication when an operator logs in to and manages the blocking device locally; common two-factor authentication devices that establish the operator's identity include a Ukey, an IC card, a fingerprint, a retina scan or a facial image. The two-factor authentication interface module 8 is connected to a two-factor peripheral interface, the physical interface to which the two-factor authentication device attaches, which can be a USB port, an IC card slot or another type. The local management interface module 9 provides the service through which an operator logs in to and manages the network risk blocking device locally, which can be an application program API, a service port, a command line interface or the like; it is connected to a local management interface, through which the operator's PC (personal computer) attaches, and which can be an Ethernet electrical port, a Console port or the like.
The key management module 4 generates, adds, updates and deletes keys, where the keys comprise local private keys, local public keys, peer public keys and the like; the certificate management module 5 adds, updates and deletes CA certificates, where the certificates comprise local device certificates, peer device certificates, superior root certificates, operator certificates and the like.
Specifically, when the network security risk blocking device runs for the first time, the station side operator inserts a two-factor authentication peripheral such as a Ukey and logs in through the local management interface module 9. After login succeeds, basic information is set, keys are generated and similar operations are performed, and files such as the device public key, a device certificate request and an operator certificate request are exported. These files are submitted to the manager at the master station side offline, for example by USB flash disk copy or mail; the master station manager audits them and issues certificates in the CA certificate management system, and the issued device certificate and operator certificate, together with files such as the master station side device certificate and the superior root certificate, are returned to the station side operator offline. The station side operator then imports the related certificates into the network security risk blocking device, after which the device can communicate with the network security management platform at the master station side over an encrypted channel. When the network security management platform at the master station side detects a security risk alarm at the station side, the master station security manager can physically block the station side through the network security management platform. To ensure that the network security risk blocking device cannot affect the operation of the existing system, the first message channel module 1 is physically conducting inside when the device is shut down, loses power or hangs, so that data messages flow straight through the device.
The device comprises a remote control interface, connected with the remote management module, through which the device communicates with the master station side; the remote control interface may be of the Ethernet electrical or optical type, wireless (4G/5G) or the like.
The device comprises a two-factor peripheral interface and a local management interface; the two-factor peripheral interface is connected with the two-factor authentication interface module, and the local management interface is connected with the local management interface module.
The device comprises a message input interface and a message output interface: the device is connected to the output end of the station side switch through the message input interface and to the input end of the longitudinal encryption authentication device through the message output interface. The message input interface is the physical interface through which network communication messages enter the device, and the message output interface is the physical interface through which they leave the device; either can be an Ethernet electrical port, an optical port or the like.
A second embodiment of the present application provides a network security risk blocking device of a power monitoring system, as shown in FIG. 3, including:
risk policy management module 10: in communication connection with the core control module and the network security management platform and used for adding, updating and deleting the risk policy rules issued by the network security management platform, where each risk policy rule comprises a matching sequence number, message matching items, a matching action and a blocking type;
risk detection and treatment module 11: parses communication messages and performs matching detection and treatment according to the risk policy rules;
second message channel module 12: electrically connected with the core control module and the third message channel module respectively and used for executing the internal circuit on/off instructions sent by the core control module;
third message channel module 13: electrically connected with the core control module, the second message channel module and the risk detection and treatment module respectively and used for executing the internal circuit on/off instructions sent by the core control module.
In this embodiment, the risk policy management module 10 adds, updates and deletes the risk policy rules issued by the master station security management platform, and the device receives rules according to the issuing type (all stations / designated stations) defined by the master station security management platform. Each risk policy rule includes a matching sequence number, message matching items, a matching action (release/alarm/blocking), a blocking type (physical blocking/network blocking) and the like. The message matching items are matching logic formulated over the relevant information of the message (such as source address, source port number, destination address, destination port number, protocol number, service type, interface index, message byte count, session flow, flow rate ratio and the like), and the matching logic can be a single item or a combination of several. The risk detection and treatment module 11 parses, detects and treats the communication messages between the station side and the master station side: it parses the messages flowing through the device to obtain the relevant message information and performs matching detection and treatment according to the risk policy rules. Network blocking by the security risk blocking device is achieved through the risk policy management module 10 and the risk detection and treatment module 11. FIG. 4 is a schematic diagram of the flow of communication messages in the different states of the present embodiment: when the network security risk blocking device has no risk alarm, messages pass; in the network blocking state, messages are discarded; in the physical blocking state, messages are interrupted; and when the device is powered off or hangs, messages pass.
Specifically, when the network security risk blocking device runs for the first time, the station side operator inserts a two-factor authentication peripheral such as a Ukey and logs in through the local management interface module 9. After login succeeds, basic information is set, keys are generated and similar operations are performed, and files such as the device public key, a device certificate request and an operator certificate request are exported. These files are submitted to the manager at the master station side offline, for example by USB flash disk copy or mail; the master station manager audits them and issues certificates in the CA certificate management system, and the issued device certificate and operator certificate, together with files such as the master station side device certificate and the superior root certificate, are returned to the station side operator offline. The station side operator then imports the related certificates into the security risk blocking device, after which the device can communicate with the master station side security management platform over an encrypted channel and receive the risk policy rules issued by the master station side network security management platform.
When the network security risk blocking device detects a risk according to the risk policy rules, the corresponding action is taken, such as alarm uploading, network blocking or physical blocking. When the network security management platform at the master station side receives a security risk alarm from the station side, the master station security manager can, after assessment, perform network blocking control on the station side through the network security management platform. When the network security management platform at the master station side detects a new security risk that has not been detected at the station side, the master station security management personnel can add, update and issue risk policy rules through the security management platform. To ensure that the network security risk blocking device does not affect the operation of the existing system, the second message channel module 12 and the third message channel module 13 are physically conducting when the device is shut down, loses power or hangs, and data messages flow straight through the device.
Further, the risk detection and treatment module 11 includes: a first judgment unit, used for judging whether the message information matches the first rule in the risk policy rules; a first execution unit: when the message information matches the first rule in the risk policy rules and the matching action is release, the message is released and the next message is matched; a second execution unit: when the message information matches the first rule in the risk policy rules and the matching action is alarm, the alarm information is encrypted by the core control module and sent to the network security management platform, after which the message is released and the next message is matched; a third execution unit: when the message information matches the first rule in the risk policy rules and the matching action is network blocking, the message is discarded, the network blocking information is encrypted by the core control module and sent to the network security management platform, and the next message is matched; when the matching action is physical blocking, the physical blocking information is sent to the core control module, the core control module controls the first message channel module to execute the disconnecting operation, and the physical blocking information is encrypted and sent to the network security management platform; and a second judgment unit, used for judging whether the rule just tried is the last rule in the risk policy rules; if so, the message is released and the next message is matched; otherwise, the message information is matched against the next rule in the risk policy rules.
Fig. 5 is a flow chart of the message risk detection and treatment performed by the risk detection and treatment module 11. As shown in fig. 5, after the network security risk blocking device obtains a message, the message is matched against the first rule in the risk policy rules. When the message information matches the first rule and the matching action is release, the message is released and the next message is matched; when the message information matches the first rule and the matching action is alarm, the alarm information is encrypted by the core control module 2 and sent to the network security management platform, after which the message is released and the next message is matched; when the message information matches the first rule and the matching action is network blocking, the message is discarded, the network blocking information is encrypted by the core control module 2 and sent to the network security management platform, and the next message is matched; when the matching action is physical blocking, the physical blocking information is sent to the core control module 2, the core control module 2 controls the first message channel module 1 to execute the disconnecting operation, and the physical blocking information is encrypted by the core control module 2 and sent to the network security management platform. When the rule just tried is the last rule in the risk policy rules, the message is released and the next message is matched; when it is not the last rule, the message information is matched against the next rule in the risk policy rules.
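The rule loop of fig. 5, together with the rule fields of the risk policy management module and the channel states of fig. 4, can be written out as a small matching engine. The following is an added example and not code from the patent: the dictionary keys used for message fields, the "pass"/"drop"/"interrupt" result names, and the sample rules and traffic are constructed for this illustration, and handing an event to the core control module for encrypted upload is represented by appending it to a list. The example goes slightly beyond the text by also modelling the power-off case, in which the channel relay restores its conducting state and traffic bypasses detection.

```python
"""Rule matching loop of the risk detection and treatment module (fig. 5).

Added example, not the patent's own code. Rule fields follow the items the
description lists (sequence number, matching items, action, blocking type);
the message field keys and the result names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RELEASE, ALARM, BLOCK = "release", "alarm", "block"
NETWORK, PHYSICAL = "network", "physical"


@dataclass
class RiskRule:
    seq: int                          # matching sequence number (rules are tried in this order)
    match: Dict[str, object]          # message matching items; every listed item must match
    action: str                       # release / alarm / block
    block_type: Optional[str] = None  # network / physical, only meaningful for block


@dataclass
class BlockingDevice:
    rules: List[RiskRule]
    powered: bool = True              # False models shutdown, outage or hang
    channel_connected: bool = True    # physical state of the message channel module
    uploads: List[dict] = field(default_factory=list)  # events handed to the core control module

    def __post_init__(self) -> None:
        self.rules = sorted(self.rules, key=lambda r: r.seq)

    @staticmethod
    def matches(rule: RiskRule, msg: Dict[str, object]) -> bool:
        # A rule with several matching items is the conjunction of those items.
        return all(msg.get(key) == value for key, value in rule.match.items())

    def handle(self, msg: Dict[str, object]) -> str:
        """Treat one message; returns "pass", "drop" or "interrupt"."""
        if not self.powered:
            # The channel relay restores its conducting state on power loss, so
            # traffic bypasses the device entirely (fail-open by design).
            return "pass"
        if not self.channel_connected:
            return "interrupt"        # physical blocking state: the circuit is open
        for rule in self.rules:
            if not self.matches(rule, msg):
                continue              # not matched: try the next rule
            if rule.action == RELEASE:
                return "pass"
            if rule.action == ALARM:
                self.uploads.append({"event": "alarm", "seq": rule.seq, "msg": msg})
                return "pass"         # alarm is reported, message is still released
            if rule.action == BLOCK and rule.block_type == NETWORK:
                self.uploads.append({"event": "network_block", "seq": rule.seq, "msg": msg})
                return "drop"
            if rule.action == BLOCK and rule.block_type == PHYSICAL:
                self.channel_connected = False   # core control module opens the circuit
                self.uploads.append({"event": "physical_block", "seq": rule.seq, "msg": msg})
                return "interrupt"
            raise ValueError(f"rule {rule.seq}: unknown action {rule.action!r}/{rule.block_type!r}")
        return "pass"                 # last rule tried with no match: release

    def restore(self) -> None:
        """Close the channel again once the master station signals the alarm has cleared."""
        self.channel_connected = True


# Constructed sample policy and traffic (not from the page).
SAMPLE_RULES = [
    RiskRule(1, {"dst_port": 102, "proto": 6}, RELEASE),        # expected MMS traffic: release
    RiskRule(2, {"proto": 1}, ALARM),                            # ICMP: report but let through
    RiskRule(3, {"dst_port": 23, "proto": 6}, BLOCK, NETWORK),   # telnet attempts: drop
    RiskRule(4, {"src": "10.1.1.99"}, BLOCK, PHYSICAL),          # flagged host: open the circuit
]


def demo() -> List[str]:
    dev = BlockingDevice(SAMPLE_RULES)
    traffic = [
        {"src": "10.1.1.5", "dst_port": 102, "proto": 6},
        {"src": "10.1.1.5", "dst_port": 80, "proto": 6},    # matches nothing: released
        {"src": "10.1.1.7", "proto": 1},
        {"src": "10.1.1.7", "dst_port": 23, "proto": 6},
        {"src": "10.1.1.99", "dst_port": 22, "proto": 6},
        {"src": "10.1.1.5", "dst_port": 102, "proto": 6},   # channel now open: interrupted
    ]
    return [dev.handle(m) for m in traffic]


if __name__ == "__main__":
    print(demo())
```

Rule order matters in this loop exactly as in the figure: the first matching rule decides the message, so a broad release rule placed early will shadow a later blocking rule, and the physical blocking state persists for every following message until the master station triggers the restore.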
The third embodiment of the present application provides a network security risk blocking device of a power monitoring system; fig. 6 is a schematic structural diagram of the present embodiment and fig. 7 is a schematic topology diagram of the present embodiment. As shown in fig. 6 and fig. 7, the apparatus includes:
honeypot capture interface 14: electrically connected with the second message channel module and used for diverting attack traffic into a honeypot network so that the attacker is drawn into attacking a simulated system or device. In this embodiment, the honeypot capture interface 14 is added to the station side network security risk blocking device; attack traffic is diverted into a honeypot network and the attacker is drawn into attacking a simulated system or device, so that the attack tools, means, motivations and purposes of the network attacker can be collected and the attack behaviour captured and analysed, raising the level of active network security defence. Fig. 8 is a schematic diagram of the flow of communication messages in the different states of the present embodiment: when the network security risk blocking device has no risk alarm, is powered off or hangs, messages go to the third message channel module 13; in the capture state, messages are directed to the master station side honeypot network system through the honeypot capture interface 14.
When the network security risk blocking device detects a risk according to the risk policy rules, the corresponding action is taken, such as alarm uploading, network blocking or honeypot capture. When the network security management platform at the master station side receives a security risk alarm from the station side, the master station security management personnel can, after assessment, control the honeypot capture state of the station side through the network security management platform. When the network security management platform at the master station side detects a new security risk that has not been detected at the station side, the master station security management personnel can add, update and issue risk policy rules through the security management platform. To ensure that the security risk blocking device does not affect the operation of the existing system, the second message channel module 12 and the third message channel module 13 are physically conducting when the device is shut down, loses power or hangs, and data messages flow straight through the device.
An embodiment of the present application provides a network security risk blocking system of a power monitoring system; fig. 9 is a topology diagram of the embodiment. As shown in fig. 9, the network security risk blocking system of the power monitoring system comprises a station side and a master station side. Both the station side and the master station side comprise a switch, a longitudinal encryption authentication device and a router, and the master station side further comprises a CA certificate management system and a network security management platform. Service equipment is connected to the network security management platform sequentially through the switch of the station side, the longitudinal encryption authentication device, the router, the longitudinal encryption authentication device and the switch. The system further comprises the network security risk blocking device of the power monitoring system described above, connected in series between the switch of the station side and the longitudinal encryption authentication device.
When the network security management platform at the master station side monitors that a security risk alarm exists at the station side, the master station security manager can perform physical blocking control on the station side through the network security management platform. The specific blocking execution process is shown in fig. 10: when the network security management platform at the master station side monitors that a security risk alarm exists at the station side, the network security manager at the station side issues a blocking instruction; the network security risk blocking device at the station side verifies the identity of the sender after receiving the instruction and, after successful verification, sends a blocking confirmation message; the security manager at the master station side verifies the identity of the operator at the station side after receiving the blocking confirmation message and, after successful verification, sends a blocking execution instruction; the network security risk blocking device verifies the identity of the sender after receiving the blocking execution instruction and, after successful verification, executes the blocking operation and sends a blocking operation result message; and the network security management platform marks the blocking state of the station.
When the network security management platform at the master station side monitors that the security risk alarm at the plant station side has disappeared, the network security management personnel at the master station side can carry out network recovery control on the plant station side through the network security management platform. The specific recovery execution process is shown in fig. 11: the network security management platform at the master station side monitors that the security risk at the plant station side has disappeared; the network security management personnel at the master station side issue a recovery instruction; the network security risk blocking device at the plant station side verifies the identity of the sender after receiving the recovery instruction and, after successful verification, sends a recovery confirmation message; the network security management personnel at the master station side verify the identity of the operator at the plant station side after receiving the recovery confirmation message and, after successful verification, send a recovery execution instruction; the network security risk blocking device verifies the identity of the sender after receiving the recovery execution instruction and, after successful verification, executes the recovery operation and sends a recovery operation result message; and the network security management platform marks the recovery state of the plant station.
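The two-phase exchange of figs. 10 and 11 (instruction, sender verification, confirmation, operator verification, execution instruction, second sender verification, result message), modelled as an added example that is not part of the application's embodiment. The identities, message names and the use of per-identity HMAC keys in place of the certificate-bound public keys are assumptions made for the example; a message that fails verification at any step leaves the channel state unchanged.

```python
import hashlib
import hmac
import json

# Constructed demo keys for the three identities (hypothetical values, stand-in for public keys)
KEYS = {
    "master": b"master-station-demo-key",
    "station_operator": b"station-operator-demo-key",
    "device": b"blocking-device-demo-key",
}

def sign(sender, msg_type, station, seq):
    # Tag binds sender, message type, station id and sequence number to the sender's key
    body = json.dumps({"sender": sender, "type": msg_type, "station": station, "seq": seq}, sort_keys=True)
    tag = hmac.new(KEYS[sender], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify(msg, expected_sender, expected_type):
    # Reject a message unless its tag was produced with the claimed sender's key
    body = json.loads(msg["body"])
    expected = hmac.new(KEYS[expected_sender], msg["body"].encode(), hashlib.sha256).hexdigest()
    if (body["sender"] != expected_sender or body["type"] != expected_type
            or not hmac.compare_digest(expected, msg["tag"])):
        raise ValueError(f"identity verification failed for {expected_type}")
    return body

class BlockingDevice:
    def __init__(self, station):
        self.station = station
        self.state = "conducting"  # channel conducts until a verified block instruction executes

    def on_instruction(self, msg, action):
        # Phase 1: verify the instruction sender, then answer with a confirmation message
        body = verify(msg, "master", f"{action}_instruction")
        return sign("device", f"{action}_confirm", self.station, body["seq"])

    def on_execute(self, msg, action):
        # Phase 2: verify the sender again before the channel state is changed
        body = verify(msg, "master", f"{action}_execute")
        self.state = "blocked" if action == "block" else "conducting"
        return sign("device", f"{action}_result", self.station, body["seq"])

def master_two_phase(device, action, operator_confirm, seq=1):
    # Master-station side of the block/recover exchange; returns the state to be marked
    confirm = device.on_instruction(sign("master", f"{action}_instruction", device.station, seq), action)
    verify(confirm, "device", f"{action}_confirm")
    verify(operator_confirm, "station_operator", f"{action}_operator_confirm")  # station operator identity
    result = device.on_execute(sign("master", f"{action}_execute", device.station, seq), action)
    verify(result, "device", f"{action}_result")
    return device.state
```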
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The schemes in the embodiments of the present application may be implemented in various computer languages, for example, the C language, the VHDL language, the Verilog language, the object-oriented programming language Java, and the scripting language JavaScript, etc.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.