JP2013197759A - Protection control measurement system and apparatus and data transmission method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a protection control measurement system with high safety and reliability that does not include a large capacity key storage and uses an information quantitative security technology that enables sharing of a disposable key that a security attacker cannot know.SOLUTION: When main body data 21 for transmission is transmitted, authentication tag generation means 13 generates an authentication tag 23 using the main body data 21 and key data 22 generated by key data generation means, and transmission/reception means 14 generates transmission data 24 by adding the authentication tag 23 to the main body data 21 and transmits the transmission data 24. When reception data 24a is received, the transmission/reception means 14 separates the reception data 24a into main body data 21a and an authentication tag 23a, and the authentication tag generation means 13 generates an authentication tag 23b for comparison. Reception data authentication means 15 determines whether the received authentication tag 23a and the authentication tag 23b for comparison agree with each other. Each time an authentication tag is generated, different key data 22 is used and after determination, the key data 22 used in authentication is deleted.

Description

  Embodiments described herein relate generally to a system including a plurality of devices connected via a communication network, and more particularly, to a power system protection control measurement system and device, and a data transmission method.

  In recent years, examples of applying general-purpose network technologies such as Ethernet (registered trademark) and TCP / IP to protection control measurement systems are increasing. In this case, cyber security measures are always a problem. Regarding the security technology for power communication, Non-Patent Document 1 defines an authentication method using a SHA (Secure Hash Algorithm) algorithm.

  However, as described in Non-Patent Document 2, various security algorithms that are currently mainstream, such as SHA defined in Non-Patent Document 1, guarantee security based on the amount of calculation. It is. Therefore, if the performance of a computer improves in the future, or if a faster method for solving the security algorithm is discovered, those security algorithms based on computational complexity will be unsafe in terms of security. And must be changed to another safe algorithm.

  In general, security measures need to consider three things: concealment, authentication, and integrity. However, the protection control measurement system is more important than data concealment because of its mission-critical nature. Therefore, Patent Document 1 proposes to apply a message authentication method that guarantees safety based on the amount of information to the protection control system without depending on the amount of calculation.

JP 2010-166486 A IEC62351 “Power systems management and associated informationexchange-Data and communications security” D.R. Stinson, “Basics of Cryptography” (ISBN4-320-02820-1), (Original: “CRYPTOGRAPHY: Theory and Practice”)

  However, in the invention of Patent Document 1, it is necessary for each relay that transmits and receives data to continue to share a disposable key that cannot be known by a security attacker. Therefore, in order to provide the protection relay device with key data required during the operation of the system in advance, each protection relay device must have a large capacity key storage. Even if such a storage can be provided, it will be costly to keep key data in the storage safely during system operation (15 to 20 years for protection relay systems). .

  Another method is to use a key sharing protocol such as the Diffie-Hellman key sharing method in order to share key data between the protection relay devices without having a large capacity key storage in the protection relay device. However, since such a protocol relies on the amount of calculation for its security, the message authentication scheme as a whole guarantees the security based on the amount of calculation.

  Embodiments of the present invention have been proposed in order to solve the above-described problems. The purpose of the present invention is to provide each protection relay device that performs data transmission / reception with a large capacity while maintaining an information security framework. Establishing information security technology that can share disposable keys that security attackers cannot know without having key storage, and a safe and reliable protection control measurement system using such information security technology And an apparatus, and a data transmission method.

  In order to achieve the above object, an embodiment of the present invention connects a plurality of devices including a protection control measurement device that performs protection control measurement of a power system through a transmission line, and exchanges data between the plurality of devices. In the protection control measurement system to be performed, each device samples the amount of electricity in the power system, generates protection data creation means for generating main body data, and harmonic current data by sampling at higher speed than sampling by the protection data creation means. And generating an authentication tag using key data generating means for generating key data from the harmonic current data, the main body data, and key data generated by the key data generating means Means and the generated authentication tag are added to the main data used for the generation as transmission data, and the transmission data is transmitted to the transmission path. And transmission / reception means for receiving data from the transmission path and separating the received data into main body data and an authentication tag; main data and authentication tag in the received data received by the transmission / reception means; and the key data Receiving data authenticating means for authenticating the validity of the received data using the key data generated by the generating means, and used when generating an authentication tag by the authentication tag generating means as a security method based on the information amount A method of changing the key data to be performed each time, and deleting the key data after authenticating the main data and the authentication tag in the received data and the key data generated by the key data generating means It is characterized by.

The block diagram which shows the structure of the protection control measurement system which concerns on 1st Embodiment. The figure which shows the characteristic data processing and data flow in the protection control measurement system shown in FIG. The figure which shows the format of the transmission data transmitted between the protection control measuring devices shown in FIG. The figure which shows the specific key data table used with the protection control measurement system shown in FIG. The figure which shows the characteristic data processing and data flow in the receiving side apparatus of the protection control measurement system which concerns on 2nd Embodiment. The figure which shows the characteristic authentication tag production | generation algorithm and authentication algorithm in the protection control measurement system which concerns on 3rd Embodiment. The figure which shows the specific example of the vector calculation by the authentication tag production | generation algorithm shown in FIG. The figure which shows the characteristic data processing and data flow of the protection control measurement system which concerns on 4th Embodiment. The flowchart which shows the characteristic data processing by the transmission / reception means and reception data authentication means in the receiving side apparatus shown in FIG. The figure which shows the characteristic data processing and data flow of the current differential protection system which concern on 6th Embodiment. The figure which shows the more concrete image of the current differential protection system of FIG. The flowchart which shows the characteristic data processing in the modification of 6th Embodiment shown in FIG. FIG. 12 is a logic circuit diagram showing characteristic data processing in a modification of the sixth embodiment shown in FIG. 11. The figure which shows the characteristic data processing and data flow of the substation control system which concerns on 7th Embodiment.

  Hereinafter, a plurality of embodiments to which the protection control measurement system of the present invention is applied will be specifically described with reference to the drawings.

1. First Embodiment [1-1. Constitution]
[System configuration]
FIG. 1 is a block diagram showing a configuration of a protection control measurement system according to a first embodiment to which the present invention is applied. As shown in FIG. 1, the protection control measurement system includes a plurality of protection control measurement devices 11 and 12 having the same configuration, and a transmission line 2 connecting them. The transmission path 2 is composed of various media such as an optical fiber, a microwave, and a power line. Specific transmission purpose data exchanged between the protection control measuring devices 11 and 12 includes, for example, transmission line current data measured at both terminals of the transmission line 3, or a circuit breaker cutoff command, a substation equipment state, and the like. Various types of protection control data. In this specification, such protection control data for transmission purposes is referred to as “transmission purpose data” or “(transmission purpose) body data”.

  Protection control measuring devices 11 and 12 are installed in substations A and B, respectively. The protection control measurement devices 11 and 12 include sample hold circuits 41 and 42, A / D converters 51 and 52, protection data generation units 61 and 62, key data generation units 71 and 72, authentication tag generation units 81 and 82, and transmission / reception units. 91, 92, received data authentication means 101, 102, and protection operation units 111, 112 are provided.

  In this embodiment, an authentication tag generation algorithm that employs the following key data usage method is used as a security method based on an information theoretical viewpoint. That is, for example, a method is employed in which the key generation means 71 and 72 generate the key data 22 used when the authentication tag generation means 81 and 82 generates the authentication tag. The individual key data 22 is sampled at a higher speed than the sampling data transmitted through the transmission path 2 to calculate harmonics flowing through the transmission path, and this harmonic data is used as the key data 22. In order to realize an authentication tag generation algorithm that employs a security method based on such an information theoretical viewpoint, the protection control measuring devices 11 and 12 have the following functions.

[Protection control measuring devices 11, 12]
The protection control measuring devices 11 and 12 include sample and hold circuits 41 and 42 and A / D converters 51 and 52 as sampling means. The sample hold circuits 41 and 42 measure the instantaneous value of the current value of the transmission line at a predetermined interval. The sample hold circuits 41 and 42 hold the measured values during the AD conversion in the A / D converters 51 and 52 and output the measured currents as output currents. The A / D converters 51 and 52 AD convert the output current output from the sample hold circuits 41 and 42 into a digital value. The A / D converters 51 and 52 sample the instantaneous value of the current value at a constant rate and output it as the instantaneous value data 20. In this embodiment, it is sampled as 16-bit digital data at 12.8 kHz.

  The sampled instantaneous value data 20 is input to the protection data generating means 61 and 62. In the protection data generation means 61 and 62, sampling data corresponding to an electrical angle of 30 degrees is extracted from the instantaneous value data 20 and the main body data 21 is generated. The main body data 21 is 600 Hz when the frequency of the current flowing through the power transmission line 3 is 50 Hz. The main body data 21 is output to the authentication tag generation units 71 and 72 and the transmission means 91 and 92.

  The instantaneous value data 20 is input to the key data generating means 71 and 72. The key data generation means 71 and 72 extract harmonic components from the instantaneous value data 20. As harmonic components to be extracted, sampling is performed at a higher speed than sampling by the protection data generating means 61 and 62, and harmonic data is extracted. The harmonic data is higher than the order that the attacker E101 cannot calculate from the data transmitted through the protection relay 2. Data flowing through this harmonic component is used as key data 22. The key data 22 is stored in a key data table (not shown) in the key generation means 41 and 42 and is output to the authentication tag generation means 81 and 82.

  In the present embodiment, since sampling data corresponding to an electrical angle of 30 degrees is extracted, only sampling data with an electrical angle of 30 ° flows through the transmission path 2 of the protection control measuring devices 11 and 12. Therefore, from the data flowing through the transmission line 2, it is possible to calculate only up to the fifth harmonic, as is clear from Shannon's sampling theorem, and it is impossible to calculate the sixth and higher harmonics.

  Of the harmonics observed in the power system, the harmonics having a sufficient magnitude are odd multiples. For this reason, the harmonics extracted by the key data generating means 71 and 72 are set to the seventh or higher harmonics. .., 7th order, 9th order, 13th order, 15th order, 17th order,... Harmonics are extracted on the basis of one cycle of the fundamental wave. In the higher harmonics of the 7th order or higher and odd multiples, the harmonic components are in the range of 7th order: 2.358%, 11th order: 1.739%, 13th order: 1.347%, 17th order: 0.801%. fluctuate.

  Changes in numerical values of harmonic components are replaced by what percentage of each full order can occur at maximum. The harmonic values calculated in the protection control measuring devices 11 and 12 are also set to be managed with a 16-bit width. Since the full scale value of 16-bit data is 65536, for example, in the case of the 7th harmonic, 2.358% corresponds to about 1500 in the full scale value. 1500 is a value existing between 2 ^ 10 and 2 ^ 11.

  Therefore, assuming that the same current flows through both terminals of the protection control measuring devices 11 and 12, when the 7th harmonic is adopted, about 10 bits of information is not intercepted from the enemy E101, and both terminals are protected. The measuring devices 11 and 12 can be shared. The key data generation means 71 and 72 use the 10-bit information as the key data 22 and output it to the authentication tag generation means 81 and 82. The harmonic component to be employed is not limited to the 7th order, but can be employed as long as it is higher than the 7th order and an odd multiple.

  The authentication tag generation means 81 and 82 generate the authentication tag 23 using the main data 21 and the key data 22 for transmission purposes. Further, when the main body data 21a in the received data 24a received by the transmission / reception means 91 and 92 transmitted from another protection control measuring device is received, an authentication tag 23b for comparison with the authentication tag 23a in the received data 24a is provided. It has a function to generate. The comparison authentication tag 23b is generated using the main data 21a in the received data 24a and the key data 22 stored in the key data generating means 71 and 72 in the own apparatus.

  The transmission / reception means 91, 92 has a function of adding the authentication tag 23 generated by the authentication tag generation means 81, 82 to the main body data 21 used for generating the transmission data 24 and transmitting the transmission data 24 to the transmission path 2. And receiving the data 24a from the transmission line 2 and separating the received data 24a into the main data 21a and the authentication tag 23a.

  The reception data authentication means 101, 102 receives the main data 21a and the authentication tag 23a in the reception data 24a received by the transmission / reception means 91, 92, and the key data 22 generated by the key data generation means 71, 72 in its own device. The authenticity determination of the validity of the received data 24a is performed, and the determination result 25 is output to the protection arithmetic units 111 and 112. Specifically, the reception data authentication means 101 and 102 compare the authentication tag 23a in the reception data 24a with the comparison authentication tag 23b. The authentication tag 23b for comparison is generated from the main data 21a in the received data 24a and the key data 22 generated in the own apparatus by the authentication tag generating means 81 and 82. It is determined whether or not these authentication tags 23a and 23b match, and a determination result 25 is output.

  In the present specification and the accompanying drawings, reference character “21a”, “23a”, “24a” indicating the main data, authentication tag, and received data on the receiving side indicates the position on the receiving side. Is used to distinguish the received data and data included in it (main data and authentication tag) from the transmitting side. In addition, the reference “b” in the reference sign “23a” indicating the comparison authentication tag generated from the main data in the received data and the key data 22 in the own apparatus is the authentication tag in the received data “21a”. Used to distinguish from “23a”.

[Action]
[1-2. System operation]
FIG. 2 shows the protection control measurement system shown in FIG. 1 from one protection control measurement device 1 (hereinafter referred to as a transmission side device 1T) to the other protection control measurement device 1 (hereinafter referred to as a reception side). It is a figure which shows the characteristic data processing and flow of data when transmitting the main data 21 for transmission to the device 1R). In the attached drawings showing the characteristics of data processing and the flow of data in FIG. 2 and subsequent figures, the characteristic data processing in each embodiment is performed for the configuration in each device 1 from the viewpoint of simplification. Only means are shown.

  As shown in FIG. 2, in the transmitting apparatus 1T, when the main data 21 to be transmitted is input to the authentication tag generation unit 81, the authentication tag generation unit 81 stores the key data 22 generated by the key data generation unit 71. Read. An authentication tag 23 is generated from the body data 21 and the key data 22. The generated authentication tag 23 and the main body data 21 that is the basis thereof are input to the transmission / reception means 91. The transmission / reception unit 91 generates the transmission data 24 by combining the input main body data 21 and the authentication tag 23, and transmits the transmission data 24 to the reception-side apparatus 1 </ b> R via the transmission path 2.

  In the receiving apparatus 1R, the transmitting / receiving unit 92 receives the data 24 transmitted from the transmitting apparatus 1T as received data 24a. Here, the transmission / reception means 92 separates the reception data 24a into the main body data 21a and the authentication tag 23a, and inputs the main body data 21a into the authentication tag generation means 82 and the authentication tag 23a into the reception data authentication means 15, respectively. When the main body data 21a in the received data 24a is input to the authentication tag generation means 82, the authentication tag generation means 82 reads the key data 22 generated by the key data generation means 82 in its own device 1R and receives these data. An authentication tag 23b for comparison is generated from the main body data 21a and the key data 22 in the own apparatus, and is input to the received data authentication means 102.

  The received data authentication means 102 compares the authentication tag 23a in the input received data 24a with the authentication tag 23b for comparison and determines whether or not these authentication tags 23a and 23b match, The determination result 25 is output.

  FIG. 3 is a diagram showing a format of transmission data 24 transmitted between apparatuses. As shown in FIG. 3, transmission data 24 is sandwiched between a header and a footer added as a physical layer and a data link layer, and body data 21 such as protection control data and an authentication tag are added as an application layer. It is constituted by.

[Authentication tag generation algorithm]
In this embodiment, an authentication tag generation algorithm that employs a security method based on an information amount viewpoint is an important feature of the present invention. In particular, generating individual key data 22 from the sampled instantaneous value data 20 is important in order to adopt a security method using the authentication tag 23 without continually storing and managing a large amount of key data 22.

  In the following, authentication tag generation processing using a specific key data table as shown in FIG. 4 will be sequentially described from the viewpoint of clearly showing the effect of the authentication tag generation algorithm employing such a security method.

  The key data table shown in FIG. 4 includes k pieces of key data “No.” for the maximum number “s” of transmission object data “No. 1” to “No. 1 ”to“ No.k ”are prepared. That is, the key generation means generates key data 22 as key data “No. 1”, “No. 2”, “No. 3”,.

  Here, the maximum number of transmission target data “s” shown in FIG. 4 is the total number of transmission target data. For example, when the transmission target data is 32 bits long, s is 232. If the total number that the authentication tag 23 can take is m, the authentication tag 23 is expressed by 2 log m bits. For example, when the transmission target data No. y is transmitted and the key data 22 to be used is No. x, the transmission target data No. y includes an element Axy of the authentication matrix of the key data table as the authentication tag 23. Is added.

  In the above case, the authentication tag generation means 81 and 82 may generate a maximum of m types of authentication tags 23, and for this purpose, different key data “No. 1” to “No” for each sampling. .k "in order.

  On the other hand, when the transmission data 24a to which the authentication tag 23a created from the “No. 1” key data 22 is added is received from the partner apparatus, the authentication created from the “No. 1” key data 22 in the own apparatus. The tag 23b is selected, and the authentication tags 23a and 23b created from the respective “No. 1” key data 22 are compared to make a determination. After the determination, the information of the key data “No. 1” is deleted from the key data table.

[effect]
According to the first embodiment as described above, the following effects can be obtained. First, data comprising a combination of the main data 21 to be transmitted and the authentication tag 23 generated from the main data 21 is transmitted, and the receiving side generates an authentication tag 23 based on the main data 21 in the received data. And the authentication tag 23 included in the received data, the presence / absence of data falsification on the transmission path can be detected. By changing the key data 22 used when generating the authentication tag 23 every time data is transmitted, security can be guaranteed from the viewpoint of information amount, not from the viewpoint of calculation amount.

  Further, the key data 22 used in this embodiment cannot be predicted by a security attacker who observes the transmission path. Therefore, the method using the disposable key as the message authentication method in the power transmission line protection relay system can ensure the safety by the amount of information in the entire message authentication scheme. In addition, since the harmonic continues to change to an unpredictable value each time, a new disposable key is always generated while the protection relay system is in operation. For this reason, it is not necessary to continue storing and managing a large amount of key data 22 in each protection relay device, and a reduction in cost required for storing and managing a large amount of key data 22 can be expected.

  Therefore, according to the first embodiment, it is not necessary to keep and manage a large amount of key data 22, and a practical information security technology that is easy to implement for protection control measurement is constructed. It is possible to provide a safe and reliable protection control measurement system and apparatus and data transmission method using such information quantitative security technology.

[Second to seventh embodiments]
The protection control measurement systems according to the second to seventh embodiments described below are all protection control measurement systems (FIG. 1) having the same system configuration as the first embodiment. The fifth embodiment is a modification in which the processing / data configuration is partially changed or a means is added, and the sixth and seventh embodiments are applied to a current differential protection system and a substation control system. It is an example. Therefore, in the description of the second to seventh embodiments, only the features different from the first embodiment are described, and the description of the same parts as the first embodiment is basically omitted.

[Second Embodiment]
In the second embodiment, in order to make the key data 22 used between the transmission side device 1T and the reception side device 1R coincide with each other, the key data 22 generated by the key data generation means 71 and 72 is used as individual key data. Key identification information for uniquely identifying 22 is added. As the key identification information, time information at which the key data 22 is generated can be used.

  FIG. 5 is a diagram showing the characteristic data processing and data flow of the second embodiment, and the transmission side device 1T and the reception side device 1R hold the same key data information table 201. . The key data information table 201 includes a plurality of key data 22 and key identification information for uniquely specifying individual key data. In the example of FIG. 5, time information “t1, t2,..., Tn” at which the key data 22 is generated is added to the n pieces of key data K1 to Kn as examples of key identification information. When such a key data information table 201 is used, the transmission side apparatus 1T and the reception side apparatus 1R generate data including time information t for generating the key data 22 for specifying the key.

  That is, in the transmission side device 1T, the authentication tag generation unit 81 uses the authentication tag 23 generated from the main body data 21 when the authentication tag 23 is generated from the main body data 21 and the key data 22 of the time information t. A data set 202 composed of time information t specifying the key data 22 is passed to the transmission / reception means 91. As a result, the transmission data 24 generated by the transmission / reception means 91 includes the main body data 21, the authentication tag 23, and the time information t.

  In the receiving apparatus 1R, the transmission / reception unit 92 separates the reception data 24a into the data set 203 including the main body data 21a and the time information t and the authentication tag 23a, and passes the data set 203 to the authentication tag generation unit 82. . Based on the given time information t, the authentication tag generation means 82 specifies the key data 22 of the same time information t from the key data information table 201 in the own device, and the key data 22 of the time information t and the received data The comparison authentication tag 23b is generated using the main body data 21a.

  Thereby, the authentication process using the same key data 22 is realizable between the transmission side apparatus 1T and the reception side apparatus 1R.

  As described above, in the authentication method of the first embodiment, if observation is performed in a short time, the authentication tag 23 is always generated using different key data 22. Therefore, a mechanism for always matching the key data 22 used on the transmission / reception side is necessary.

  On the other hand, according to the second embodiment as described above, by using the time information t specifying the key data 22, the key data 22 used on the transmission side and the reception side can be reliably matched. Can do. For example, even if one of the protection control measurement devices breaks down and the transmission path is temporarily interrupted and then recovered and restarted, according to the present embodiment, the time information t is locked on the receiving side. By searching from the data information table 101, the same key data 22 as that on the transmission side can be used easily and reliably on the reception side. Further, when the operation of the protection control measurement device is started at both terminals, according to the present embodiment, the key data 22 used at both terminals is automatically synchronized, so that the reliability and operability are high. A protection control measurement system can be provided.

[Third Embodiment]
The third embodiment has a feature of separating the key data 22 into a fixed key matrix U that is used in common and a disposable key vector v that is changed every transmission, thereby reducing the sizes of the authentication tag 23 and the key data 22. The size is reduced to reduce the amount of authentication tag generation calculation.

Then, as a result of separating the key data 22 into the fixed key matrix U and the disposable key vector v, the authentication tag generation algorithm by the authentication tag generation means 81 and 82 (FIG. 1) says that the authentication tag vector y is obtained by the following vector operation. Has characteristics.
y = xU + v
Where x: body data vector U: fixed key matrix v: disposable key vector

  FIG. 6 is a diagram showing characteristic authentication tag generation algorithms and authentication algorithms in the transmission-side apparatus 1T and the reception-side apparatus 1R in the present embodiment using such an authentication tag generation algorithm.

  As shown in FIG. 6, in the transmitting apparatus 1T, the authentication tag vector y is generated from the main body data vector x using the fixed key matrix U and the disposable key vector v by the authentication tag generation algorithm 61 as described above, It is transmitted as transmission data (x, y).

  Further, when receiving data (x ′, y ′) is received, the receiving side apparatus 1R uses the authentication algorithm 62 to receive the received data (x ′, using the fixed key matrix U and the disposable key vector v in the own apparatus. , Y ′), an authentication tag vector y ″ is generated from the body data vector x ′, and authentication determination is performed by comparison with the authentication tag vector y ′ in the received data (x ′, y ′).

  In such an embodiment, the key data 22 is separated into the fixed key matrix U and the disposable key vector v, so that the authentication tag space realized by the first embodiment can be realized only by operating the disposable key vector v. Therefore, it is possible to secure the same level of security and reliability as the first embodiment for the attacker. Further, the key data 22 that must be changed for each data transmission is only the disposable key vector v. In other words, the key data 22 is generated by one fixed key matrix U and a required number of disposable key vectors v corresponding to the number of transmissions. Data 22 can be configured.

  FIG. 7 shows a specific example of vector calculation by the authentication tag generation algorithm according to the present embodiment. In the example of FIG. 7, the fixed key matrix U is given in advance, and the disposable key vector v is (0) at the timing of transmitting certain body data x (1, 0, 0, 1, 0). , 1, 0), an authentication tag vector y (1, 1, 0) is generated as shown in the figure. The receiving side also performs the same operation on the received data to calculate an authentication tag vector, and compares it with the authentication tag vector added to the received data.

  According to the present embodiment as described above, in addition to obtaining the same effect as the first embodiment, the size of the authentication tag 23 and the key data 22 is further reduced, and the amount of authentication tag generation calculation is also increased. Can be small. In particular, since the authentication tag generation algorithm according to the present embodiment can obtain an authentication tag vector only by taking the logical sum and logical product of bit strings, it can be operated at high speed. Suitable for system implementation.

[Fourth Embodiment]
In the first embodiment described above, a case has been described in which the reception-side apparatus 1R outputs the authentication determination result 25 by the reception data authentication unit 15. However, in the actual reception-side apparatus 1R, generally, the reception data 24a includes An application that performs protection control calculation using the main body data 21a is provided.

  The fourth embodiment is characterized by data processing in the receiving side device in order to prevent the use of unauthorized data in such an application, and FIG. 8 shows a characteristic in such receiving side device 1R. It is a figure which shows a data processing and the flow of data.

  As shown in FIG. 8, in the present embodiment, not only the main body data 21a in the reception data 24a but also the determination result 25 of the reception data authentication means 101, 102 is given to the application 31, so that the reception data 24a When the data is invalid, the received data 24a is discarded by the application 31. The determination result 25 is stored in the security information log means 32.

  FIG. 9 shows the characteristic features of the transmission / reception means 91 and 92 and the reception data authentication means 101 and 102 in the reception side apparatus 1R in the present embodiment characterized in the handling of the determination result 25 of the reception data authentication means 101 and 102 as described above. 10 is a flowchart showing various data processing.

  That is, when data is received by the transmission / reception means 92 in the receiving side apparatus 1R (S901), the reception data authentication means 102 executes authentication processing of the reception data 24a (S902), and uses the determination result 25 as a security information log. It is stored in the security information log means 32 (S903). The main body data 21a is passed from the transmission / reception means 92 to the application 31, and the determination result 25 is passed from the reception data authentication means 101 (S904).

  In FIG. 8, the flow of data for passing the main data 21a from the transmission / reception means 92 to the application 31 is described, but both the determination result 25 and the main data 21a may be passed by the received data authentication means 102. In any case, by passing both the main body data 21a and the determination result 25 to the application 31, the application 31 can discard the main body data in the illegal received data.

  According to the present embodiment as described above, in addition to obtaining the same effect as that of the first embodiment, it is possible to prevent unauthorized data from being used for the protection control calculation. Can improve the reliability. Also, by saving the judgment result at the time of receiving illegal data as a security information log, it becomes possible to analyze the attacking aspect of the attacker using the saved log. For example, the authentication tag generation algorithm is further strengthened Therefore, it is possible to implement various countermeasures such as increasing the size of the authentication tag 23 or monitoring the transmission path.

[Fifth Embodiment]
As described above, according to the authentication method of the third or fourth embodiment, invalid received data is erroneously determined to be valid according to the contents of the key data 22 to be used or the authentication tag generation algorithm to be used. The probability of doing so can be determined explicitly.

Therefore, as a fifth embodiment, for example, the authentication tag generation means 81 and 82 in FIG. 1 are provided with a function that allows the user to set the contents of the key data 22 to be used and the authentication tag generation algorithm. By adopting such a configuration, it is possible to easily set the probability that wrongly received data is erroneously determined to be valid, for example, to be equal to or lower than the transmission channel error probability.

  Many security systems for protection control measurement systems that have been proposed in the past have been proposed in the IT industry, and protection control engineers have not been able to control their algorithms and detection probabilities. However, according to the fifth embodiment in which the authentication tag generation means 81 and 82 are provided with a setting function, the protection control engineer can easily control the algorithm and the detection probability of falsification that is uniquely determined from the algorithm. .

  As a specific set value in this case, it is sufficient to sequentially set parameters such as U, V, probability P,. For example, if the transmission path error is 10-5, it is possible to prevent an attack by an attacker to be practically negligible if various parameters are set and input so that the error is 10-6 or more.

  Even if the communication infrastructure for protection control measurement will change in the future due to technological development, according to this embodiment, the protection control measurement system that is safe in terms of information theory is not affected by changes in the communication infrastructure. It can be operated and is not threatened by an increase in computer processing capacity, and it is not necessary to change security software after delivery. Therefore, it is possible to provide a protection control measurement system with high economic efficiency, reliability, and operation rate.

[Sixth Embodiment]
FIG. 10 shows a protection control measurement system according to a sixth embodiment to which the present invention is applied. In particular, the protection control measurement system of the first embodiment is characteristic when applied to a current differential protection system. It is a figure which shows an easy data processing and the flow of data.

  As shown in FIG. 10, in the current differential protection system, protection relay devices 211 and 212 are installed at both ends of the transmission line 210, and current / voltage data 213 at the end of the current is protected between these protection relay devices 211 and 212. It is a system that protects transmission lines based on Kirchhoff's law by transmitting each other as transmission target data.

  In order to protect the power transmission line, the protection relay devices 211 and 212 are provided with a current differential calculation unit 214, and the current differential calculation unit 214 allows the current / voltage data 213 of the own end to be connected to the other end. Current differential calculation using the current / voltage data 213a is performed, and when an accident is detected, a trip command 215 is output from the current differential calculation means 214 to trip the circuit breaker 216 at its own end. Hereinafter, in such a current differential protection system, processing when current / voltage data 213 of one protection relay device 211 is received by the other protection relay device 212 and current differential calculation is performed will be described.

  The protection relay device 211 captures the current / voltage data 213 at the end of the power transmission line 210 by the protection data generation means 61 (FIG. 1). Then, the current / voltage data 213 and the key data 22 are input to the authentication tag generation means 81, and the authentication tag 23 is generated. The authentication tag 23 and the current / voltage data 213 are given to the transmission / reception means 91, and the transmission / reception means 91 transmits the transmission data 24 formed by combining the current / voltage data 213 and the authentication tag 23 to the protection relay device 212 at the other end.

  When the data from the protection relay device 211 at the other end is received by the transmission / reception means 92 as the reception data 24a, the protection relay device 212 receives the current / voltage data 213a of the protection relay device 211 at the other end included in the reception data 24a. Is passed to the current differential calculation means 214. At the same time, the same current / voltage data 213a and key data 22 are input to the authentication tag generation means 82 to generate an authentication tag 23b for comparison.

  The generated comparison authentication tag 23b and the authentication tag 23a in the reception data 24a are input to the reception data authentication means 102, and whether or not these two authentication tags 23a and 23b are matched by the reception data authentication means 102. The determination result 25 is passed to the current differential calculation means 214. The current differential calculation means 214 is also supplied with the current / voltage data 213 at its own end taken in by the protection data generation means 61 (FIG. 1).

  When the current differential calculation means 214 performs a current differential calculation using the current / voltage data 213 at its own end and the current / voltage data 213a at the other end and detects a system fault in the transmission line 210, A trip command 215 is output to the breaker 216 at its own end.

  In the case of a current differential relay system, processing in the reverse direction at the same time (the protection relay device 212 sends its own current / voltage data 213 to the protection relay device 211, and the protection relay device 211 performs a current differential operation, When a system fault is detected, a process of tripping the circuit breaker 216 at the end of the protective relay device 211 is also executed.

  FIG. 11 shows a more specific image when applied to an actual current differential relay system. The relay realizes a protection system by sending its own electricity data to both sides. In the case of a general-purpose communication network such as Ethernet (registered trademark), a format 220 indicated by a balloon in the figure is one transmission data unit (frame) including a header, electric quantity data, an authentication tag 23, and a CRC (Cyclic Redundancy Check). ). In the case of Ethernet, since the maximum length per frame is 1514 bytes, the size of the authentication tag 23 in the figure, 32 bits (attack success probability is 10-9), the proportion of the entire frame is very small. It can be seen that adding the authentication tag 23 has almost no effect on the traffic.

  According to the sixth embodiment as described above, effective security measures can be taken for a protection relay that transmits and receives protection control data to and from each other via a transmission line, such as a transmission line current differential protection relay. .

[Modification of Sixth Embodiment]
FIG. 12 shows that the current / voltage data at the other end is set to zero when the determination result 25 is “authentication tag mismatch” (incorrect data) in the current differential protection system of the sixth embodiment shown in FIG. It is a flowchart which shows the process which implements a current differential calculation. Only when the determination result 25 is “authentication tag match” (legitimate data), the current differential operation is performed using the received current / voltage data of the other end. By performing such processing, it is possible to prevent unauthorized data from being used for current differential computation, and thus a more reliable current differential protection system can be provided.

  FIG. 13 is a circuit diagram of the current differential protection system according to the sixth embodiment shown in FIG. 10, when the determination result 25 is “authentication tag mismatch”, regardless of the calculation result of the current differential calculation. It is a logic circuit diagram showing the process which locks a trip command.

  In a normal relay, the result of the current differential calculation is directly output to the circuit breaker 216 as a trip command. In the example shown in FIG. 13, the result of the current differential calculation and the authentication determination result 25 are ANDed. By outputting the result to the circuit breaker 216, it is possible to prevent a trip command from being issued to the circuit breaker 116 only when the determination result 25 is “authentication tag mismatch”. By performing such processing, tripping of the circuit breaker based on illegal data can be prevented, so that a more reliable current differential protection system can be provided.

[Seventh Embodiment]
FIG. 14 shows a protection control measurement system according to a seventh embodiment to which the present invention is applied. In particular, a characteristic when the protection control measurement system of the first embodiment is applied to a substation control system is shown. It is a figure which shows a data processing and the flow of data.

  As shown in FIG. 14, in the substation control system, the control device 1502 has jurisdiction by transmitting a control command 1503 from the control computer 1501 outside the substation to the control device 1502 installed in the substation. This is a system for controlling power equipment.

  In FIG. 14, as an example, a system is shown in which a control signal 1505 is output from the control command output means 1504 of the control device 1502 in response to a control command 1503 from the control computer 1501 to control opening and closing of the circuit breaker 216 in the substation. ing. An operation terminal 1506 is connected to the control computer 1501. Hereinafter, the operation of the system when the investigator issues an operation command 1503 for the circuit breaker 216 from the operation terminal 1506 will be described.

  When an operator issues a control command 1503 for the circuit breaker 116 from an operation terminal 1506 connected to the control computer 1501, the control command 1503 is input to the transmission / reception unit 91 and the authentication tag generation unit 81 of the control computer 1501. Is done. The authentication tag generation unit 81 generates the authentication tag 23 using the control command 1503 and the key data 22. The transmission / reception means 91 transmits the transmission data 24 formed by combining the control command 1503 and the authentication tag 23 to the control device 1502.

  When the control device 1502 receives the data transmitted from the control computer 1501 as the reception data 24a by the transmission / reception means 92, the control apparatus 1502 receives the control command 1503a from the control computer 1501 included in the reception data 24a as the control command output means 1504. Input to the authentication tag generation means 13. The authentication tag generation means 82 generates a comparison authentication tag 23b using the received control command 1503a and key data 22. The generated comparison authentication tag 23b and the authentication tag 23a in the reception data 24a are input to the reception data authentication means 102, and whether or not these two authentication tags 23a and 23b are matched by the reception data authentication means 102. And the determination result 25 is passed to the control command output means 1504.

  The control command output means 1504 outputs the control signal 1505 along the received control command 1503a to the circuit breaker 216 only when the determination result 25 is “authentication tag match” (a legitimate control command).

  According to the seventh embodiment as described above, even when the control command is rewritten in the middle of the transmission path, it is possible to prevent the device from being erroneously controlled by the unauthorized control command. Therefore, a highly reliable substation control system can be provided.

[Other Embodiments]
In the present specification, a plurality of embodiments according to the present invention have been described. However, these embodiments are presented as examples and are not intended to limit the scope of the invention. That is, the apparatus configuration shown in the drawings is merely an example showing the minimum functional configuration necessary for realizing the present invention, and the specific hardware configuration and software configuration of each means can be selected as appropriate. For example, the following modifications are also included.

  Key data storage means for storing the key data 22 is provided in the protection control measurement device. In the key data generation means 71 and 72, the calculated harmonic current data and the fixed key information previously given to the key data storage means. It is also possible to generate the key data 22 from the two pieces of information. By generating the key data 22 from the harmonic current data and the fixed key information provided in advance, the capacity of the key data 22 stored in the key data storage unit can be suppressed.

  In the present invention, as a transmission / reception unit of the protection control measuring devices 11 and 12, a configuration in which a physically separated transmission unit and reception unit are provided, and transmission and authentication authentication tag generation units 81 and 82 are individually provided. It is good also as a structure.

  The above embodiments can be implemented in other various forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the invention described in the claims and equivalents thereof as well as included in the scope and gist of the invention.

DESCRIPTION OF SYMBOLS 11, 12 ... Protection control measuring device 2 ... Transmission line 3 ... Transmission line 41, 42 ... Sample hold circuit 51, 52 ... A / D converter 61, 62 ... Protection data generation means 71, 72 ... Key data generation means 81, 82 ... Authentication tag generation means 91, 92 ... Transmission / reception means 101, 102 ... Received data authentication means 111, 112 ... Protection calculation unit E ... Attacker 20 ... Instantaneous value data 21 ... Body data 22 ... Key data 23 ... Authentication tag 23a ... Reception Authentication tag 23b… Comparison control authentication tag 24… Transmission data 24a… Reception data 25… Determination result

Claims (11)

In a protection control measurement system that connects a plurality of devices including a protection control measurement device that performs protection control measurement of an electric power system via a transmission line, and exchanges data between the plurality of devices,
Each device is
Protection data creation means for sampling the amount of electricity in the power system and generating body data;
Calculating harmonic current data by sampling at a higher speed than sampling by the protection data creating means, and key data generating means for creating key data from the harmonic current data;
An authentication tag generating means for generating an authentication tag using the main body data and the key data generated by the key data generating means;
The generated authentication tag is added to the main body data used for the generation as transmission data, the transmission data is transmitted to the transmission path, the data is received from the transmission path, and the received data is transmitted to the main body. A transmission / reception means for separating data and an authentication tag;
The main body data and the authentication tag in the reception data received by the transmission / reception means, and the reception data authentication means for authenticating the validity of the reception data using the key data generated by the key data generation means,
As a security method based on an information amount viewpoint, a method of changing key data used every time an authentication tag is generated by the authentication tag generation unit is adopted, and body data and an authentication tag in the received data, A protection control measurement system, wherein the key data is deleted after authenticity is verified by the key data generated by the key data generation means. In the key data generation means, together with the key data, the same number of key identification information that uniquely identifies individual key data is stored,
The transmission / reception means is configured to add, together with the generated authentication tag, key identification information for specifying the key data used to generate the authentication tag to the main body data as transmission data,
The received data authentication unit is configured to authenticate the validity of received data using key data specified by key identification information in received received data. Protection control measurement system. The key data generated in the key data generation unit is separated into a fixed fixed common key matrix and the set number of disposable key vectors,
2. The authentication tag generating means obtains an authentication tag vector y by the following vector operation, where x is a body data vector, U is a fixed key matrix, and v is a disposable key vector. Or the protection control measurement system of Claim 2.
y = xU + v When the received data authentication means determines that the received data is illegal data, the received data authentication means includes means for discarding the received data and means for recording the fraud determination result as security information. 4. The protection control measurement system according to any one of items 3. Each device is
A key data storage means for storing a preset number of key data,
5. The key data generation unit according to claim 1, wherein the key data generation unit generates key data from two pieces of information: the calculated harmonic current data and the fixed key information previously provided in the key data storage unit. The protection control measurement system according to any one of claims. A plurality of electrical relay protection relay devices having a configuration of the device including the key data generation unit, the authentication tag generation unit, the transmission / reception unit, and the reception data authentication unit are connected via a transmission line, and each protection relay device When configuring a current differential protection system that performs current differential operation by sending and receiving current and voltage sampling data to and from a protection relay device at another electrical station,
Each protection relay device
When transmitting the sampling data, the authentication tag generating means generates an authentication tag using the sampling data for transmission and one key data generated by the key data generating means, and the transmitting / receiving means By adding the generated authentication tag to the sampling data used for the generation, it becomes transmission data,
When data is received by the transmission / reception means, the data authentication means receives data using the sampling data and the authentication tag included in the received data received and the key data stored in the key data storage means. The data authentication is performed, and the current differential calculation is performed using the sampling data only when the data is valid reception data. The protection control measurement system described.   Each protection relay device is configured to perform a current differential operation by setting the value of the received data to zero when the received data authentication means determines that the received data is illegal data. The protection control measurement system according to claim 6. Each protection relay device is configured to lock a trip command to a circuit breaker when the received data authentication means determines that the received data is invalid data. The protection control measurement system described. A plurality of control devices having the configuration of the device including the key data generation unit, the authentication tag generation unit, the transmission / reception unit, and the reception data authentication unit are connected by a transmission path, and a control computer or other control device is connected by each control device. When configuring a substation control system that receives control commands from and controls controlled devices,
Each control device
The key data generation means, the authentication tag generation means, the transmission / reception means, and the reception data authentication means according to claim 1,
When transmitting the control command, the authentication tag generation unit generates an authentication tag using the control command for transmission and one key data generated by the key data generation unit, and transmits and receives Means to add the generated authentication tag to the control command used to generate the transmission data,
When the data is received by the transmission / reception means, the data authentication means uses the control command and the authentication tag in the received data received, and the received data using the key data generated by the key data generation means. The protection control measurement system according to claim 1, wherein the control device is controlled using the control command only when the received data is legitimate received data. In the protection control measurement device that performs protection control measurement of the power system and exchanges data with other devices connected by the transmission path,
Protection data creation means for sampling the amount of electricity in the power system and generating body data;
Calculating harmonic current data by sampling at a higher speed than sampling by the protection data creating means, and key data generating means for creating key data from the harmonic current data;
An authentication tag generating means for generating an authentication tag using the main body data and one key data generated by the key data generating means;
The generated authentication tag is added to the main body data used for the generation as transmission data, the transmission data is transmitted to the transmission path, the data is received from the transmission path, and the received data is referred to as main body data. A transmission / reception means separated into authentication tags;
The main body data and the authentication tag in the reception data received by the transmission / reception means, and the reception data authentication means for authenticating the validity of the reception data using the key data generated by the key data generation means,
As a security method based on an information amount viewpoint, a method of changing key data used every time an authentication tag is generated by the authentication tag generation unit is adopted, and body data and an authentication tag in the received data, A protection control measuring apparatus, wherein after the authenticity is verified by the key data generated by the key data generating means, the key data is deleted. In the data transmission method of the protection control measurement device that performs protection control measurement of the power system and exchanges data with other devices connected by the transmission path,
The protection control measurement device samples the amount of electricity in the power system and generates protection data creating means for generating main body data;
Harmonic current data is calculated by sampling at higher speed than sampling by the protection data creating means, and key data generating means for creating key data from the harmonic current data is provided,
By the protection control measuring device,
An authentication tag generating process for generating an authentication tag using the main body data and one key data generated by the key data generating means;
A transmission process for adding the generated authentication tag to the main body data used for generating the transmission data and transmitting the transmission data to the transmission path;
A receiving process for receiving data from the transmission path and separating the received data into main body data and an authentication tag;
Performing the received data authentication process for authenticating the validity of the received data using the main data and the authentication tag in the received received data, and the key data created in the key data generating means,
As a security method based on an information amount viewpoint, a method of changing key data used every time an authentication tag is generated by the authentication tag generation unit is adopted, and body data and an authentication tag in the received data, A data transmission method for a protection control measurement device, wherein the key data is deleted after authenticity is verified by the key data generated by the key data generation means.

Images