CN117240550B - Isolation control method and firewall for production control zone I and zone II of transformer substation - Google Patents

Isolation control method and firewall for production control zone I and zone II of transformer substation Download PDF

Info

Publication number
CN117240550B
CN117240550B CN202311200450.0A CN202311200450A CN117240550B CN 117240550 B CN117240550 B CN 117240550B CN 202311200450 A CN202311200450 A CN 202311200450A CN 117240550 B CN117240550 B CN 117240550B
Authority
CN
China
Prior art keywords
production control
area
network message
zone
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311200450.0A
Other languages
Chinese (zh)
Other versions
CN117240550A (en
Inventor
徐波
张晓晨
黄晓扬
叶健强
梁俊
苏纪臣
李燕
韩晓熠
杨鑫
杨亚峰
王柄楠
周斌
姚武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Ningxia Electric Power Co Ltd
Original Assignee
State Grid Ningxia Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Ningxia Electric Power Co Ltd filed Critical State Grid Ningxia Electric Power Co Ltd
Priority to CN202311200450.0A priority Critical patent/CN117240550B/en
Publication of CN117240550A publication Critical patent/CN117240550A/en
Application granted granted Critical
Publication of CN117240550B publication Critical patent/CN117240550B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A firewall is arranged between a production control zone I and a production control zone II in an intelligent substation monitoring system, and the firewall is respectively connected to switches of the production control zone I and the production control zone II through network cables; the isolation control method is applied to the firewall and comprises the following steps: respectively configuring a white list of an MAC address, an IP address and a port number in advance; capturing a network message flowing from a production control area II to a production control area I; sequentially judging whether the MAC address, the IP address and the port number of the network message are respectively positioned in the corresponding white lists; if the MAC address, the IP address and the port number of the network message do not all exist in the white list corresponding to the MAC address, the IP address and the port number, the network message is refused to be forwarded to the production control I area, and alarm operation representing abnormal request is executed. The scheme can improve the safety of the intelligent substation monitoring system.

Description

Isolation control method and firewall for production control zone I and zone II of transformer substation
Technical Field
The invention relates to the technical field of network safety protection of substations, in particular to an isolation control method and a firewall for a production control zone I and a production control zone II of a substation.
Background
The substation monitoring system realizes unified access, unified storage and unified management of substation information such as power grid and equipment operation information, state monitoring information, metering information and the like through system integration optimization and information sharing, and further realizes operation monitoring, operation control, comprehensive information analysis, intelligent alarm and the like of the substation. Usually, 2 sets of power dispatching data network access equipment which are independently configured are deployed in an ultra-high voltage transformer substation, and a dispatching data access network and a provincial dispatching data access network are respectively accessed by adopting special channels based on different channels such as synchronous digital hierarchy SDH or quasi-synchronous digital hierarchy PDH, so that network special on a physical layer is realized. Each set of power dispatching data network is divided into a real-time subnet and a non-real-time subnet which are logically isolated, and the power dispatching data networks are respectively connected with the services of a substation monitoring system, a motion system, an alarm graph gateway, a stability control system, a time synchronization system, a relay protection system, a five-prevention system, a synchronous phasor measurement system, a signal protection substation, fault wave recording, network safety monitoring, electric quantity acquisition, one-time online monitoring, auxiliary control system and the like in the station.
The production control I area of the transformer substation is generally connected with a motion system, an alarm graphic gateway, a stability control system, a time synchronization system, a relay protection system, a five-prevention system, a synchronous phasor measurement system and the like. The production control II area of the transformer substation is usually connected with a signal protection substation, a network safety monitoring device, an electric quantity collector, a fault wave recording system, a primary online monitoring system, an auxiliary control system and the like. The production control I area and the production control II area of the transformer substation are connected through a network firewall, so that the function of network protection is achieved. However, in the existing transformer substation protection system, the firewall configuration strategy of the transformer substation monitoring system is imperfect, so that the production control area II can penetrate through the firewall to control the power grid equipment of the production control area I, the requirement that the production control area II cannot control the production control area I obviously cannot be met, and the safety of the transformer substation protection system is greatly reduced.
Disclosure of Invention
In view of the foregoing, it is necessary to provide an isolation control method and firewall for controlling the production control zone i and zone ii of a substation, so as to improve the security of the intelligent substation monitoring system.
In a first aspect, the invention provides an isolation control method for a production control area I and a production control area II of a transformer substation, wherein the production control area I and the production control area II are two production control areas in an intelligent transformer substation monitoring system; wherein the production control zone I can control the production control zone II, and the production control zone II cannot control the production control zone I; a firewall is arranged between the production control area I and the production control area II in the intelligent substation monitoring system, and the firewall is respectively connected to the switches of the production control area I and the production control area II through network cables;
the isolation control method is applied to the firewall and comprises the following steps:
respectively configuring a white list of an MAC address, an IP address and a port number in advance;
Capturing a network message flowing from the production control area II to the production control area I;
sequentially judging whether the MAC address, the IP address and the port number of the network message are respectively positioned in the corresponding white lists;
If the MAC address, the IP address and the port number of the network message do not all exist in the white list corresponding to the MAC address, the IP address and the port number, the network message is refused to be forwarded to the production control I area, and alarm operation representing abnormal request is executed.
Preferably, after determining that the MAC address, the IP address, and the port number of the network packet all exist in the corresponding white list, the method further includes:
analyzing the network message;
judging whether a remote control prefabricated instruction or a remote control execution instruction exists in the analyzed network message; the remote control prefabricated commander is used for performing functional test on equipment in the intelligent substation monitoring system, and the remote control execution commander is used for performing control execution on the equipment in the intelligent substation monitoring system;
If any one of the remote control prefabrication instruction character or the remote control execution instruction character exists in the analyzed network message, the network message is refused to be forwarded to the production control I area, and alarm information is sent to a remote signaling loop of a public measurement and control device in the intelligent substation monitoring system, so that the public measurement and control device sends an alarm of illegal network intrusion to a background monitoring system through an in-station network.
Preferably, the isolation control method further includes:
based on a hash algorithm, carrying out hash operation on a target user name and a target password which can successfully log in an account in advance, and storing after obtaining a first hash value;
Acquiring a current user name and a current password input by a current user;
performing hash operation on the current user name and the current password to obtain a second hash value; wherein the hash algorithm based on the second hash value is the same as the hash algorithm based on the first hash value;
Comparing the first hash value with the second hash value; if the first hash value is not identical to the second hash value, determining that the current login is illegal, and rejecting the current login request.
Preferably, the target password satisfies the following requirements:
A length of not less than 8 characters;
Is formed by mixing at least two of capital letters, lowercase letters, numbers and special characters;
The target password is not identical to the target user name;
And/or the hash algorithm includes any one of MD5, SHA1, SHA256, and SHA 512.
Preferably, after successfully logging in the current account, the method further comprises:
and monitoring the operation executed in the current account, and controlling the current account to exit when no operation is executed within a preset time length.
Preferably, the types of privileged users capable of logging into the intelligent substation monitoring system include: a system management privilege user, a network security privilege user and a security audit privilege user; each type of privileged user has the relevant authority of the type of privileged user to realize the corresponding function, but the system management privileged user does not have the right to operate the audit record.
Preferably, the isolation control method further includes:
after the login failure of the equipment is monitored, the following operations are executed:
rejecting all communications based on the unsecure transmission protocol; wherein the unsecure transmission protocol includes: text transfer protocol FTP and Telnet protocols;
Limiting the login address of the system management privilege user to a preset safe login address;
And rejecting all requests for remote management of the equipment in the production control area I.
Preferably, after capturing the network packet flowing from the production control ii area to the production control i area, the method further includes:
judging whether the current network message is a non-service request for the longitudinal authentication equipment;
if the current network message is the non-service request, judging whether the transmission protocol of the current network message is ICMP protocol or not;
And if the current network message is not the ICMP protocol, refusing to forward the current network message to the corresponding equipment in the production control I area.
The isolation control method further comprises the following steps:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port. .
In a second aspect, the present invention provides a firewall deployed between a production control zone i and a production control zone ii in an intelligent substation monitoring system; the firewall includes: the system comprises a configuration module, a message grabbing module, a comparison judging module and an executing module;
The configuration module is configured to configure a white list of the MAC address, the IP address and the port number in advance respectively;
the message grabbing module is configured to grab network messages flowing from the production control area II to the production control area I;
The comparison judging module is configured to sequentially judge whether the MAC address, the IP address and the port number of the network message grabbed by the report Wen Zhuaqu module are respectively located in the respective corresponding whitelists configured by the configuration module;
The execution module is configured to refuse to forward the network message to the production control area I and execute alarm operation representing abnormal request occurrence when the comparison judging module judges that the MAC address, the IP address and the port number of the network message do not all exist in the corresponding white list.
According to the technical scheme, in the isolation control method for the production control I area and the production control II area of the transformer substation provided by the embodiment of the invention, a firewall is deployed between the production control I area and the production control II area, the firewall grabs the network message flowing to the production control I area in real time, judges whether the MAC address, the IP address, the port number and the like of the network message exist in a pre-stored white list, if not, the current network message is not in accordance with the safety regulation of a transformer substation monitoring system, and the potential safety hazard of the production control II area for controlling equipment in the production control I area possibly exists, so that forwarding of the network message is refused, and alarm operation is executed. Therefore, the potential safety hazard that the production control II zone passes through the firewall to control the equipment in the production control I zone can be avoided based on the scheme, so that the safety of the intelligent substation monitoring system is greatly improved.
Drawings
Fig. 1 is a flowchart of an isolation control method for controlling a zone i and a zone ii in substation production according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a firewall according to an embodiment of the invention.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
In the communication of the intelligent substation, an IEC61850 series standard substation communication network and system are adopted, 2 sets of independently configured power dispatching data network access equipment are deployed in the ultra-high voltage substation, and different special channels are adopted to access the network, so that network special on a physical level is realized. The production control I area and the production control II area are two production control areas in the intelligent substation monitoring system, and the two production control areas have different control grades, for example, the production control I area can control the production control II area, and the production control II area can not control the production control I; the potential safety hazard of the intelligent substation monitoring system is mainly that the production control area II at a lower level can control power grid equipment in the production control area I. Therefore, the firewall is arranged between the production control area I and the production control area II in the intelligent substation monitoring system, and is respectively connected to the switches of the production control area I and the production control area II through the network cable, and further protection of the intelligent substation monitoring system is achieved through arrangement of a firewall strategy.
As shown in fig. 1, the embodiment of the invention provides an isolation control method for controlling a zone i and a zone ii of a substation production, which is applied to a firewall and can include the following steps:
step 101: respectively configuring a white list of an MAC address, an IP address and a port number in advance;
step 102: capturing a network message flowing from a production control area II to a production control area I;
step 103: sequentially judging whether the MAC address, the IP address and the port number of the network message are respectively positioned in the corresponding white lists;
Step 104: if the MAC address, the IP address and the port number of the network message do not all exist in the white list corresponding to the MAC address, the IP address and the port number, the network message is refused to be forwarded to the production control I area, and alarm operation representing abnormal request is executed.
In this embodiment, a white list of MAC addresses, a white list of IP addresses, and a white list of port numbers are configured in advance, that is, a trusted or secure MAC address is stored in the white list of MAC addresses, a trusted or secure IP address is stored in the white list of IP addresses, and a trusted or secure port number is stored in the white list of port numbers. Therefore, when the grabbed network message flowing to the production control I area from the production control II area is not in the white list configured in the above way, the network message is indicated to be an abnormal network message, and the network message is refused to be forwarded to the production control I area, so that the production control II area is prevented from controlling power grid equipment in the production control I area through the network message, and the safety of the intelligent substation monitoring system is greatly improved.
It is easy to understand that, in addition to the above-mentioned white list of MAC address, IP address and port number, the white list of addresses and ports of service requests may be configured, so that the non-service request addresses and ports may be uniformly prohibited from passing through. The unwanted restricted ports may also be closed and the unwanted cable removed.
Further, if it is determined that the MAC address, the IP address, and the port number of the network packet are all in the white list corresponding to the MAC address, the IP address, and the port number of the network packet, the network packet may be further parsed;
then judging whether a remote control prefabricated instruction or a remote control execution instruction exists in the analyzed network message; the remote control prefabricated commander is used for performing functional test on equipment in the intelligent substation monitoring system, and the remote control execution commander is used for performing control execution on the equipment in the intelligent substation monitoring system;
If any one of the remote control prefabrication instruction character or the remote control execution instruction character exists in the analyzed network message, the network message is refused to be forwarded to the production control I area, and alarm information is sent to a remote signaling loop of a public measurement and control device in the intelligent substation monitoring system, so that the public measurement and control device sends an alarm of illegal network intrusion to a background monitoring system through an in-station network.
Therefore, whether the remote control message is a remote control prefabricated message or a remote control execution message is judged, and the remote control message is forbidden, so that remote invasion of external equipment and a network can be avoided, and further, the intelligent substation monitoring system is prevented from being invaded by illegal persons such as hackers, and the safety of the intelligent substation monitoring system is ensured.
For example, the remote control pre-made command is SBOW and the remote control execution command is oper. After the network message is analyzed, the network message is PTRC1$ VEBT1$ SBOW, namely, the network message is a remote control prefabricated message, and there may be an external device that remotely performs a function test on the device in the production area, and the network message needs to be refused to be forwarded to the production control I area and an alarm operation is executed. For another example, after the network message is analyzed, the network message is PTRC1$CO VEBT1$ oper, that is, at this time, the network message is a remote control execution message, and there may be an external device that remotely controls the device in the production area, and it is necessary to reject forwarding the network message to the production control area I and execute a corresponding alarm operation.
For the equipment in the production control area I and the production control area II, the firewall should regularly backup each configuration file in an offline state, so as to avoid data loss caused by illegal access, power failure, network disconnection and other emergency conditions. Meanwhile, each device in the production control I area and the production control II area should be configured with an NTP network so as to realize one time of time synchronization of each device within a preset time length, thereby ensuring the time consistency of each device and avoiding misoperation of each device due to time errors when responding to an operation instruction.
Further, the isolation control method can verify the user name and the password of the login account so as to ensure the legality of the login user. Specifically, the login verification may include:
based on a hash algorithm, carrying out hash operation on a target user name and a target password which can successfully log in an account in advance, and storing after obtaining a first hash value;
Acquiring a current user name and a current password input by a current user;
carrying out hash operation on the current user name and the current password to obtain a second hash value; wherein the hash algorithm based on the second hash value is the same as the hash algorithm based on the first hash value;
comparing the first hash value with the second hash value; if the first hash value is not identical to the second hash value, determining that the current login is illegal, and rejecting the current login request.
Specifically, when the target password is set, the length of the password should be not less than 8 characters, and the password is formed by mixing at least two of capital letters, lowercase letters, numbers, special characters and the like, and the target password and the target user name cannot be completely the same. Of course, the target password should be replaced regularly and the plaintext cannot be stored, so that the security level of the account can be greatly improved according to the password configuration method.
Further, the hash algorithm described above may include any one of MD5, SHA1, SHA256, SHA512, and the like.
In one embodiment, in configuring a firewall, the type of privileged user that is able to log into the intelligent substation monitoring system may be configured to: the system management privilege user, the network security privilege user and the security design privilege user, and each type of privilege user has the relevant authority of the corresponding function to be realized by the characteristic privilege user, for example, the system management privilege user usually has most of the authorities, but the system management privilege user is configured to have no authority to operate the audit record, so that the system management privilege user is prevented from modifying the audit record, and further the system management privilege user is prevented from escaping corresponding responsibility due to the changed audit result.
Therefore, the scheme realizes account allocation according to the user property and the authority separation of privileged users of equipment such as system management, network management, security audit and the like. And the account number sharing among different users is avoided, and the same account number is avoided for personnel and equipment communication, so that the safety of the intelligent substation monitoring system can be greatly improved.
In one embodiment, when the firewall is configured, the firewall may be further configured to monitor an operation performed in the current account, and when no operation is performed in a preset time period, control the current account to exit, so as to avoid hidden danger that the user forgets to exit after using, and further cause malicious use of other people. For example, the user may automatically log out after no action is detected for more than 3 minutes in account login.
In order to avoid malicious logging by a person, when the firewall realizes isolation control of the production control I and the production control II, the isolation control method can further comprise the following steps: after the login failure of the equipment is monitored, the following operations are executed:
rejecting all communications based on the unsecure transmission protocol; wherein the unsafe transmission protocol comprises: text transfer protocol FTP and Telnet protocols;
Limiting the login address of the system management privilege user to a preset safe login address;
All requests for remote management of the equipment in zone I of the production control are denied.
In order to further improve the safety of the intelligent substation monitoring system, only the ICMP protocol can be opened for the non-business request of the longitudinal authentication equipment. Specifically, after capturing the network packet flowing from the production control area ii to the production control area i, the method further includes:
judging whether the current network message is a non-service request for the longitudinal authentication equipment;
if the current network message is a non-service request, judging whether the transmission protocol of the current network message is an ICMP protocol or not;
if the message is not ICMP, the current network message is refused to be forwarded to the corresponding equipment in the production control I area.
In addition, to ensure the security of the intelligent substation monitoring system, the TCP SMALL SERVERS, UDP SMALL SERVERS, finger, HTTP SERVER, BOOTP SERVER, DNS query and other unnecessary public network services or functions can be disabled. The device policy can be further accurate to the port according to the configuration principle of 'minimization', the debugging policy is closed, and a dedicated log host is configured for each device.
When the firewall is configured for information acquisition, the firewall is mainly configured for acquiring user login success information, user exit information, user login failure information, modification strategy information, CPU utilization information, memory utilization information, power failure information, fan failure information, temperature anomaly information, network port state recovery information, access information which does not accord with a security strategy and attack warning information. The CPU utilization rate information and the memory utilization rate information adopt periodically acquired waterproof, and other information adopts a mode of triggering acquisition.
In one embodiment, in order to reduce workload of the firewall and improve processing efficiency of the firewall, abnormal devices can be prevented from being sent frequently, and the method can be implemented in the following manner:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.
In this embodiment, when each network message is processed, statistics may be further performed on the devices in the production control area ii that send the network message, and statistics is performed on which devices send the network message that is refused to be forwarded to the production control area i, when a device frequently sends the network message in a short time, and each time the network message sent is refused to be forwarded to the production control area i, for example, the first threshold is 3 times, and in 30 minutes, the number of times that the network message sent by the device a in the production control area ii is refused to be forwarded to the production control area i is 5 times, which indicates that there is a risk of malicious login or intrusion of the device in the production control area ii, and then the port corresponding to the device is closed by acquiring the authority of the switch in the production control area ii, so as to avoid that the device sends the network message again. Therefore, the security of the intelligent substation monitoring system is improved, the data processing capacity of the firewall is reduced, the firewall can have more memory to process other data, and the processing efficiency of the firewall is greatly improved.
As shown in fig. 2, the embodiment of the present invention further provides a firewall disposed between a production control area i and a production control area ii in the intelligent substation monitoring system; the firewall includes: the device comprises a configuration module 201, a report Wen Zhuaqu module 202, a comparison and judgment module 203 and an execution module 204;
a configuration module 201 configured to configure a white list of MAC addresses, IP addresses, and port numbers, respectively, in advance;
A message Wen Zhuaqu module 202 configured to grasp a network message flowing from the production control ii area to the production control i area;
The comparison and judgment module 203 is configured to sequentially judge whether the MAC address, the IP address and the port number of the network packet grabbed by the packet Wen Zhuaqu module 202 are respectively located in the respective corresponding whitelists configured by the configuration module 201;
And the execution module 204 is configured to refuse to forward the network message to the production control i area and execute an alarm operation representing that an abnormal request occurs when the comparison and judgment module 203 judges that the MAC address, the IP address and the port number of the network message do not all exist in the white list corresponding to the comparison and judgment module.
In one embodiment, the firewall further includes a remote message verification module configured to:
after determining that the MAC address, the IP address and the port number of the network message are all in the corresponding white list, further judging whether the network message is a remote control message or not;
If the network message is a remote control message, the network message is refused to be forwarded to the production control area I, and alarm operation is executed.
In one embodiment, the firewall further comprises a login authentication module configured to: based on a hash algorithm, carrying out hash operation on a target user name and a target password which can successfully log in an account in advance, and storing after obtaining a first hash value;
Acquiring a current user name and a current password input by a current user;
carrying out hash operation on the current user name and the current password to obtain a second hash value; wherein the hash algorithm based on the second hash value is the same as the hash algorithm based on the first hash value;
comparing the first hash value with the second hash value; if the first hash value is not identical to the second hash value, determining that the current login is illegal, and rejecting the current login request.
In one embodiment, the firewall further includes an auto-exit module configured to monitor operations performed in the current account and to control the current account to exit when no operations have been performed for a preset length of time.
In one embodiment, the firewall further includes a login failure processing module configured to perform the following operations after detecting a device login failure:
rejecting all communications based on the unsecure transmission protocol; wherein the unsafe transmission protocol comprises: text transfer protocol FTP and Telnet protocols;
Limiting the login address of the system management privilege user to a preset safe login address;
All requests for remote management of the equipment in zone I of the production control are denied.
In one embodiment, the firewall further comprises a non-service request processing module configured to:
judging whether the current network message is a non-service request for the longitudinal authentication equipment;
if the current network message is a non-service request, judging whether the transmission protocol of the current network message is an ICMP protocol or not;
if the message is not ICMP, the current network message is refused to be forwarded to the corresponding equipment in the production control I area.
In one embodiment, the firewall is further configured to:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.
It should be noted that, since the apparatus embodiments and the method embodiments are based on the same inventive concept, the description of the apparatus embodiments can be referred to the description of the method embodiments, and the description thereof will not be repeated here.
The modules or units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. The foregoing disclosure is illustrative of the preferred embodiments of the present invention, and is not to be construed as limiting the scope of the invention, as it is understood by those skilled in the art that all or part of the above-described embodiments may be practiced with equivalents thereof, which fall within the scope of the invention as defined by the appended claims.

Claims (9)

1. The isolation control method for the production control area I and the production control area II of the transformer substation is characterized in that the production control area I and the production control area II are two production control areas in an intelligent transformer substation monitoring system; wherein the production control zone I can control the production control zone II, and the production control zone II cannot control the production control zone I; a firewall is arranged between the production control area I and the production control area II in the intelligent substation monitoring system, and the firewall is respectively connected to the switches of the production control area I and the production control area II through network cables;
the isolation control method is applied to the firewall and comprises the following steps:
respectively configuring a white list of an MAC address, an IP address and a port number in advance;
Capturing a network message flowing from the production control area II to the production control area I;
sequentially judging whether the MAC address, the IP address and the port number of the network message are respectively positioned in the corresponding white lists;
If the MAC address, the IP address and the port number of the network message do not all exist in the corresponding white list, rejecting to forward the network message to the production control I area, and executing alarm operation representing abnormal request;
after determining that the MAC address, the IP address, and the port number of the network packet all exist in the corresponding whitelist, the method further includes:
analyzing the network message;
judging whether a remote control prefabricated instruction or a remote control execution instruction exists in the analyzed network message; the remote control prefabricated commander is used for performing functional test on equipment in the intelligent substation monitoring system, and the remote control execution commander is used for performing control execution on the equipment in the intelligent substation monitoring system;
If any one of the remote control prefabrication instruction character or the remote control execution instruction character exists in the analyzed network message, the network message is refused to be forwarded to the production control I area, and alarm information is sent to a remote signaling loop of a public measurement and control device in the intelligent substation monitoring system, so that the public measurement and control device sends an alarm of illegal network intrusion to a background monitoring system through an in-station network.
2. The insulation control method for controlling the production of the i-zone and the ii-zone of the transformer substation according to claim 1, further comprising:
based on a hash algorithm, carrying out hash operation on a target user name and a target password which can successfully log in an account in advance, and storing after obtaining a first hash value;
Acquiring a current user name and a current password input by a current user;
performing hash operation on the current user name and the current password to obtain a second hash value; wherein the hash algorithm based on the second hash value is the same as the hash algorithm based on the first hash value;
Comparing the first hash value with the second hash value; if the first hash value is not identical to the second hash value, determining that the current login is illegal, and rejecting the current login request.
3. The method for isolating and controlling the production control zone i and zone ii of a transformer substation according to claim 2, wherein the target password satisfies the following requirements:
A length of not less than 8 characters;
Is formed by mixing at least two of capital letters, lowercase letters, numbers and special characters;
The target password is not identical to the target user name;
And/or the number of the groups of groups,
The hashing algorithm includes any one of MD5, SHA1, SHA256, and SHA 512.
4. The method for controlling the isolation between the production control zone i and the production control zone ii of the transformer substation according to claim 2, further comprising, after successful login to the current account:
and monitoring the operation executed in the current account, and controlling the current account to exit when no operation is executed within a preset time length.
5. The method for controlling the isolation between the production control zone i and the production control zone ii of the substation according to claim 1, wherein the types of privileged users capable of logging into the intelligent substation monitoring system include: a system management privilege user, a network security privilege user and a security audit privilege user; each type of privileged user has the relevant authority of the type of privileged user to realize the corresponding function, but the system management privileged user does not have the right to operate the audit record.
6. The method for controlling the isolation between the production control zone i and the production control zone ii of the transformer substation according to claim 5, further comprising:
after the login failure of the equipment is monitored, the following operations are executed:
rejecting all communications based on the unsecure transmission protocol; wherein the unsecure transmission protocol includes: text transfer protocol FTP and Telnet protocols;
Limiting the login address of the system management privilege user to a preset safe login address;
And rejecting all requests for remote management of the equipment in the production control area I.
7. The method for isolating and controlling the production control i zone and the production control ii zone of the substation according to claim 1, further comprising, after capturing the network message flowing from the production control ii zone to the production control i zone:
judging whether the current network message is a non-service request for the longitudinal authentication equipment;
if the current network message is the non-service request, judging whether the transmission protocol of the current network message is ICMP protocol or not;
And if the current network message is not the ICMP protocol, refusing to forward the current network message to the corresponding equipment in the production control I area.
8. The insulation control method for controlling the production of the transformer substation according to any one of claims 1 to 7, wherein the insulation control method further comprises:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.
9. A firewall, characterized in that the firewall is deployed between a production control area I and a production control area II in an intelligent substation monitoring system; the firewall includes: the system comprises a configuration module, a message grabbing module, a comparison judging module and an executing module;
The configuration module is configured to configure a white list of the MAC address, the IP address and the port number in advance respectively;
the message grabbing module is configured to grab network messages flowing from the production control area II to the production control area I;
The comparison judging module is configured to sequentially judge whether the MAC address, the IP address and the port number of the network message grabbed by the report Wen Zhuaqu module are respectively located in the respective corresponding whitelists configured by the configuration module;
The execution module is configured to refuse to forward the network message to the production control area I and execute alarm operation representing abnormal request occurrence when the comparison judging module judges that the MAC address, the IP address and the port number of the network message do not all exist in the corresponding white list;
The firewall is further configured to perform the following:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.
CN202311200450.0A 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation Active CN117240550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311200450.0A CN117240550B (en) 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311200450.0A CN117240550B (en) 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation

Publications (2)

Publication Number Publication Date
CN117240550A CN117240550A (en) 2023-12-15
CN117240550B true CN117240550B (en) 2024-06-04

Family

ID=89082144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311200450.0A Active CN117240550B (en) 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation

Country Status (1)

Country Link
CN (1) CN117240550B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111083154A (en) * 2019-12-24 2020-04-28 北京网太科技发展有限公司 Safety protection method, device and storage medium
CN111309978A (en) * 2020-02-24 2020-06-19 广西电网有限责任公司防城港供电局 Transformer substation system safety protection method and device, computer equipment and storage medium
CN112839031A (en) * 2020-12-24 2021-05-25 江苏天创科技有限公司 Industrial control network security protection system and method
CN116346655A (en) * 2022-12-20 2023-06-27 中国电力科学研究院有限公司 Network abnormal movable mould test system and method for new generation transformer substation and centralized control station

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8756411B2 (en) * 2010-12-06 2014-06-17 Siemens Aktiengesellschaft Application layer security proxy for automation and control system networks

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111083154A (en) * 2019-12-24 2020-04-28 北京网太科技发展有限公司 Safety protection method, device and storage medium
CN111309978A (en) * 2020-02-24 2020-06-19 广西电网有限责任公司防城港供电局 Transformer substation system safety protection method and device, computer equipment and storage medium
CN112839031A (en) * 2020-12-24 2021-05-25 江苏天创科技有限公司 Industrial control network security protection system and method
CN116346655A (en) * 2022-12-20 2023-06-27 中国电力科学研究院有限公司 Network abnormal movable mould test system and method for new generation transformer substation and centralized control station

Also Published As

Publication number Publication date
CN117240550A (en) 2023-12-15

Similar Documents

Publication Publication Date Title
EP2721801B1 (en) Security measures for the smart grid
CN106982235B (en) IEC 61850-based electric power industry control network intrusion detection method and system
Hadeli et al. Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration
KR20160002058A (en) Modbus Communication Pattern Learning Based Abnormal Traffic Detection Apparatus and Method
Mashima et al. Artificial command delaying for secure substation remote control: Design and implementation
US20170149734A1 (en) Distributed Setting of Network Security Devices from Power System IED Settings Files
Ibtissam et al. Assessment of protection schemes and their security under denial of service attacks
Jung et al. Anomaly Detection in Smart Grids based on Software Defined Networks.
Dazahra et al. A defense-in-depth cybersecurity for smart substations
Czechowski et al. Cyber security in communication of SCADA systems using IEC 61850
US11570179B2 (en) Secure transfer using media access control security (MACsec) key agreement (MKA)
CN117240550B (en) Isolation control method and firewall for production control zone I and zone II of transformer substation
Naedele et al. Network security for substation automation systems
CN110971467A (en) Network centralized management system
KR102160537B1 (en) Digital substation with smart gateway
CN113285937B (en) Safety audit method and system based on traditional substation configuration file and IEC103 protocol flow
Girdhar et al. Cybersecurity of process bus network in digital substations
KR102145421B1 (en) Digital substation with smart gateway
Roy et al. A Survey on the Security Vulnerabilities in the Cyber-Physical Power Systems
Karanfil et al. Security monitoring of the microgrid using IEC 62351-7 network and system management
Hong et al. Cyber-physical security in a substation
Yang et al. Cybersecurity testing technology in smart substations
Kim et al. Robust Cyber Infrastructure for Cyber Attack Enabling Resilient Distribution System
Guo et al. Defending 5g iot terminals in electrical power communication and information system against cyber threats
KR102160539B1 (en) Digital substation with smart gateway

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant