JP2016100641A - Power transmission and distribution network operation system and power transmission and distribution network operation method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To distribute a message in consideration of the reliability and public nature of each facility.SOLUTION: In a power transmission and distribution network operation system, a supply side facility comprises: a message encryption processing unit that encrypts a message to be transmitted by a message encryption key provided per reliability of the supply side facility; and a group encryption processing unit that encrypts messages encrypted by the message encryption processing unit by a group encryption key provided per communication group including the supply side facility or a demand side facility grouped according to a communication objective. The demand side facility comprises: a group decryption processing unit for decrypting the messages encrypted by the supply side by a group decryption key corresponding to the group encryption key distributed to the demand side facility in advance; and a message decryption processing unit that decrypts a message that can be decrypted of the messages decrypted by the group decryption processing unit by a message decryption key corresponding to the message encryption key distributed to the demand side facility in advance.SELECTED DRAWING: Figure 21

Description

  The present invention relates to a supply and demand adjustment and a power transmission / distribution control method between a plurality of power generation facilities and customer facilities using a power network.

  Between a plurality of power generation facilities and customer facilities using a power network, it is a wide-area distributed cooperation system that links facilities installed in a wide range. In such a system, the participation and removal of equipment is performed asynchronously at multiple locations on the system, and the power network that constitutes the system and the communication network itself that exchanges control information are always partially maintained and repaired. With special characteristics. Furthermore, since this system has a wide range of operating bodies for each facility, the publicity and reliability of each facility are different. Under these circumstances, in order to realize stable operation of the entire system, the communication network, the power network, and each facility are linked to operate as a multiplex system, and even if some facilities or systems fail, other facilities and systems It is necessary to realize a stable supply and demand for electricity by substituting.

  As a technique for realizing this, for example, as described in Patent Document 1, a communication system of a distributed processing system is multiplexed, and a device management table for managing information on communication devices associated with each node constituting the distributed processing system is used. As a result, it is possible to dynamically grasp the status of communication devices in a distributed processing system and build a communication device replacement processing method that can perform replacement processing without affecting the system even if a failure occurs. A method has been proposed.

JP-A-7-160601

  Since Patent Document 1 does not consider the reliability and public nature of each node, for example, when the reliability of the equipment selected as an alternative when the equipment goes down is low, the equipment goes down again, and the power Supply may not be restored.

  In addition, if power supply to facilities with high publicity is performed from facilities operated by a management entity with low reliability, the operating state of the supply and demand side facilities becomes unstable, and the reliability of the supply and demand side facilities is also impaired.

  Furthermore, since each equipment cannot judge the reliability of a cooperation destination equipment, it is difficult to solve the said subject.

  The present invention has been made in view of the above, and in a communication group having a plurality of facilities with different reliability levels, it is possible to distribute a message in consideration of the reliability and publicity of each facility. An object is to provide a power transmission / distribution network operation system and a power transmission / distribution network operation method.

  In order to solve the above-described problems and achieve the object, a power transmission / distribution network operation system according to the present invention includes a power transmission / distribution network in which a power supply side facility and the power demand side facility are connected by a communication network. In the operation system, the supply side equipment is grouped according to a communication purpose with a message encryption processing unit that encrypts a message to be transmitted with a message encryption key provided for each reliability of the supply side equipment. A group encryption processing unit that encrypts the message encrypted by the message encryption processing unit using a group encryption key provided for each communication group including the supplied supply side facility or the demand side facility. The demand side equipment uses the group decryption key corresponding to the group encryption key distributed in advance to its own equipment to encrypt the message encrypted on the supply side. A message decryption unit that decrypts a message that can be decrypted in the message decrypted by the group decryption unit using a group decryption processing unit that decrypts the message and a message decryption key that corresponds to the message encryption key distributed in advance to the facility. A power transmission / distribution network operating system comprising a processing unit.

  Moreover, this invention is grasped | ascertained also as an electric power transmission / distribution network operating method performed with the said electric power transmission / distribution network operating system.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to deliver a message in consideration of the reliability and public property of each facility in a communication group having a plurality of facilities with different reliability levels.

It is an example of a wide area cooperation system configuration for power transmission and distribution. It is an example of information possessed by facilities participating in power transactions. It is an example of information possessed by the power exchange. It is an example of information possessed by the grid operating organization. It is an example of composition of equipment information. It is a structural example of an electronic certificate. It is an example of a communication destination management table. It is an example of a group key management table. It is an example of a message key management table. It is an example of a reliability determination policy. It is an example of a group participation policy. It is an example of transaction participation equipment information. It is a transaction content list example. It is a transmission message structural example. It is an example of system connection information of equipment. It is an example of the authentication procedure of the facilities participating in the power transmission and distribution network. It is an example of the re-authentication procedure of the equipment which participates in an electric power transmission and distribution network. It is an example of the connection procedure of an installation to a power transmission and distribution network. It is an example of a group key distribution procedure when an authenticated facility participates in a new transaction. It is an example of the determination procedure of the key distributed based on the description content of an electronic certificate. It is an example of the communication basic procedure in a communication group. It is an example of the performance information distribution procedure from a system operation organization. It is an example of the reliability update procedure of an installation. It is an example of a communication group key update procedure. It is an example of a message key update procedure. It is an example of a procedure for building a group with equipment that can respond to an emergency when an emergency occurs. It is an example of a procedure for adjusting supply and demand by linking facilities that can handle an emergency. It is an example of the response | compatibility procedure when a communication failure generate | occur | produces between a specific installation and an electric power exchange. This is a procedure for determining the necessity of emergency response for a specific facility.

  FIG. 1 is a configuration example of a power trading system to which the present invention is applied. The facility certification body 101 is an organization that evaluates the reliability and legitimacy of facilities participating in power transactions, and is operated by, for example, the government or industry organizations. This institution checks the status of applications from facilities participating in power transactions, and issues an electronic certificate to be used in the transaction if the application details match the actual conditions of the facilities.

  The power exchange 102 is an organization that manages power transaction information, and performs supply and demand control between a power generation facility group and a customer group, calculation of an electricity usage fee corresponding thereto, and mediation of payment between facilities.

  The system operation organization 103 is an organization that performs system operation for controlling power transmission and distribution using the power network 110 from the power generation facility group to the customer group. The grid operating organization 103 also has a function of monitoring and recording the actual power transmission / distribution status between the facilities.

  The power generation facility 1 104 and the power generation facility 2 105 are facilities on the supply side for supplying electric power, for example, a thermal power plant, a hydroelectric power plant, a solar power plant, and the like. Regardless of the scale of the power generation equipment, it is assumed from large-scale power plants to solar power generation in ordinary households.

  The customer 1 106 and the customer 2 107 are facilities on the demand side that use electric power, and are assumed from large-scale facilities such as factories and medical institutions to general households.

  The communication network 108 is a communication network used for power transactions, and is assumed to be connected via the Internet or a dedicated line. For particularly important facilities, it is possible to duplicate the physical communication network from the viewpoint of disaster reduction.

  The communication group 109 is a virtual communication network that is constructed so that a plurality of facilities that perform transactions share information, and a plurality of communication groups 109 are constructed for each purpose.

  The power network 110 is a network composed of power transmission power lines that transmit and distribute power.

  Although not specifically described below, in practice, the facility certification body 101, the power exchange 102, the grid operation organization 103, the power generation facility 1 104, the power generation facility 2 105, the customer 1 106, and the customer 2 107 are servers. Each of the processes described below is executed by a processing unit such as a CPU (Central Processing Unit) executing a program installed in the computer or control apparatus. Running.

  FIG. 2 is an example of information possessed by facilities participating in power transactions. The power transaction participation facility 201, which is the power generation facility 1 104 and the power generation facility 2 105, has a facility certificate 202 for verifying the legitimacy of this facility and a communication destination management for managing a communication destination of a list of facilities to which this facility communicates Table 202, a group key management table 204 for managing a group key list used to encrypt a transmission message when a message is transmitted to a specific communication group, and a message used for encryption according to the reliability of the message Key management table 205, system connection information 206 of the own equipment that records the state of the system to which this equipment is connected, equipment operation policy 207 that defines the equipment operation policy in normal and emergency, and the system of this equipment It consists of system status information 208 indicating the status. A plurality of group keys and message keys are held.

  FIG. 3 is an example of information possessed by the power exchange 102. The power exchange 102 includes a facility certificate 302 for verifying the legitimacy of the facility, a reliability determination policy 303 describing a list of criteria for determining the reliability of the facility participating in the power transaction, Group participation policy 304 that defines the participation policy for the group to which each facility participating in the transaction belongs, transaction participation facility information list 305 that manages information on facilities participating in the transaction, and participation in the transaction The system connection information list 306 for managing the system connection information of the installed equipment, the transaction content list 307 for managing the transaction content list of the equipment, the group key 204, the message key 205, and the communication destination management table 203 are included.

  FIG. 4 is an example of information possessed by the grid operating organization 103. The grid operation organization 401, which is the grid operation organization 103, has an equipment certificate 402 for certifying the validity of the equipment, a system connection information list 403 for managing the system connection information of the equipment, and a transaction content list for the equipment. Transaction contents list 404, group key 204, message key 205, equipment operation policy 405 that defines the equipment operation policy in normal and emergency, system state information 406 indicating the system state of this equipment, and this equipment Is composed of a communication destination management table 203 that records the connection destinations of the facilities that communicate with each other.

  FIG. 5 is a configuration example of facility information held by each facility. The facility information is setting information for each facility such as a power generation facility, and includes facility basic information 502 and a facility operation policy 503. The basic equipment information 502 is the basic information of this equipment, the equipment name, the operating entity that operates the equipment, the equipment installation location that is the installation location of the equipment, the maximum power generation, and the equipment has been operated until now. Consists of operational institutions that are institutions. FIG. 5 shows that the power generation facility A is operated by a local government and is installed in Yokohama Minato Ward as a power generation facility having a maximum power generation amount of 1 MW. The operation period is 10 years.

  The facility operation policy 503 describes the state of the facility and the response policy during normal times and emergencies.

  Here, normal time indicates a state in which no disaster or the like has occurred, and an emergency is defined as a state in which an event that has some negative effect such as damage to equipment occurs.

  The normal time response policy 504 indicates the capability of the facility during normal times. The shortest response to supply and demand adjustment defines the time that can be responded in the shortest time when a demand for supply and demand adjustment is received from the power exchange 102 or the like. This example shows that a high-speed DR (Demand Response) response corresponding to 10 minutes is possible. The average power generation amount is an average power generation amount during normal times. The voltage fluctuation range is a fluctuation range of the transmission voltage during normal times. The frequency fluctuation range indicates the width of the frequency fluctuation during normal times. The operating rate indicates the period during which the facility is operating. In this example, the operating rate is 80%, so that 20% per year may be stopped due to maintenance.

  The emergency response policy 505 defines a response policy for each emergency type.

  Contingency type 1 506 indicates whether or not a response 507 is possible when an earthquake with a seismic intensity of 5 or less occurs, and in this example indicates that the facility can be operated. However, the value of each attribute is different compared to normal time, for example, the utilization rate has dropped to 50%. This is because it is essential to check the operation of the facility when an earthquake occurs.

  Contingency type 2 508 describes the policy for handling earthquakes with seismic intensity 6 or higher. In this case, the equipment cannot be operated, but the communication function may be alive, so the communication group is notified that the equipment cannot be operated and that an earthquake has been detected.

  Contingency type 3 509 indicates a response to a DoS (Denied of Service) attack that is essential for cyber terrorism. The DoS attack is called a denial of service attack, and is an attack that makes communication difficult by accessing a large amount of communication functions from the outside. In this case, since the communication function cannot be used, the shortest response to supply and demand adjustment cannot be adjusted and only the current state is maintained, but the function of the power generation facility itself is alive, so that the current supply is continued.

  FIG. 6 is a configuration example of the electronic certificate 601 that is the facility certificates 202, 302, and 402. The electronic certificate basic information 602 describes the basic information of the electronic certificate itself and the basic information of the equipment certified by the certificate. In FIG. 6, for example, the local government that is the operating entity serves as the certification authority, and the certification authority 101 that is the certification authority provides the digital certificate with the serial number 1234567 and version 1.1 to the power generation equipment 1. It shows that it is issued using the algorithm and signature algorithm. In the equipment basic information 603 and the equipment operation policy 604, information received from the equipment is posted. The rating information 605 is information indicating the rating of each facility, is determined by the facility authentication procedure shown in FIGS. 16 and 17, and includes public property 606, supply and demand adjustment responsiveness 607, and facility reliability 608. Public property 606 indicates the public property of the facility, and is defined as, for example, A: public institution, B: large-scale private organization, C: organization other than the above. The supply and demand adjustment responsiveness 607 is a response time to the supply and demand adjustment request of the equipment, and is defined as, for example, A: within 10 minutes, B: within 1 hour, and C: 1 hour or more. The facility reliability 608 indicates the reliability of the facility, and is defined as, for example, A: operation rate of 90% or more, B: 80% or more to 90% or less, and C: 80% or less. The digital signature 609 of the certificate authority is a digital signature that is given to detect falsification of information in the electronic certificate.

  FIG. 7 is an example of the communication destination management table 203. The communication group 702 indicates the type of the communication group. For example, a power generation facility group including only power generation facilities can be considered. A connection destination 703 is a list of facilities participating in each communication group. The connection destination IP address 704 is a connection destination IP address of each connection destination. It is also possible to have multiple IP addresses. The transmission / reception network I / F 705 indicates a network I / F that is connected to a facility that owns the communication management table 203 and a communication network when communicating with each connection destination. This is because there are cases where a plurality of network I / Fs are provided depending on equipment in consideration of fault tolerance. In FIG. 7, for example, the communication group of the power generation facility is connected to the power exchange whose IP address is aaa.aaa.aaa.aaa via NIC1 as the connection destination, and the IP address is bbb via NIC2 as the connection destination. It shows that it is connected to the power generation facility 2 which is .bbb.bbb.bbb.

  FIG. 8 is an example of the group key management table 204. Since different group keys are used for each communication group, this table is used to manage them collectively. The communication group 802 is a communication group that manages keys. Key information 803 is key information used in communication of each group. The current key ID 803 is a key identifier currently used in each group. The current key 805 is key information for performing encryption and decryption of a message when a message is currently transmitted / received in each group. The old key ID 806 is an ID of a key used before the current key, and the old key 807 is old key information. The current key validity period 808 indicates the validity period during which the current key can be used, and is updated to a new key before this validity period comes. In FIG. 8, for example, the communication group of the power generation facility indicates that the message is encrypted and decrypted by the current key KeyA corresponding to the current key ID identified by KID1, and the validity period is September 30, 2014. Show. Further, the group of power generation facilities indicates that in the past, the message was encrypted and decrypted with the old key KeyAold corresponding to the old key ID identified by KID1old.

  FIG. 9 is an example of the message key management table 205. Since different message keys are used for each degree of trust, this table is used to manage them collectively. The reliability 902 is a unit for managing a key for each reliability. In this example, three types of high, medium, and low are defined, but there may be a case where the granularity is finer than that. The key information 903 is key information for encrypting and decrypting information of each reliability. The current key ID 904 is a key identifier currently used in each group. The current key 905 is key information for performing message encryption and decryption when a message is currently transmitted and received in each group. The old key ID 906 is an ID of a key used before the current key, and the old key 907 is old key information. The current key validity period 908 indicates the validity period during which the current key can be used, and is updated to a new key before this validity period comes. FIG. 9 shows that, for example, when the reliability is high, the message is encrypted and decrypted by KeyH identified by KID_H, and the validity period is September 30, 2014. Further, the high reliability key indicates that the message was encrypted and decrypted with the old key KeyHold corresponding to the old key ID identified by KID_Hold in the past.

  FIG. 10 is an example of the reliability determination policy 303. The reliability determination policy 303 is information indicating a condition serving as a reference for determining the reliability of each facility. The reliability 1001 indicates the reliability of the facility participating in the power transaction. In this example, three types of high, medium, and low are defined, but there may be a case where the granularity is finer than that. As the reliability of the facility participating in the power transaction is higher, as a result, it is determined that the reliability of the information included in the message transmitted by the facility is higher. A message key 1002 indicates a message key currently used for each reliability. The key ID is a key ID that identifies a currently used key. The key information is currently used key information.

  The reliability judgment condition 1005 consists of multiple judgment conditions. When the equipment participates in power trading, compare it with the description in the equipment certificate 202 sent to the power exchange, and if there is a matching condition, respond to it. It is determined that the equipment has a certain degree of reliability, and a message key corresponding to the condition is provided. As the reliability determination condition 1005, for example, an equipment operation result 1006, an equipment scale 1007, an emergency 1008 that can be distinguished, and the like can be considered. As a determination method, a method for determining the reliability of the equipment on the basis of a condition that is determined for each item and that matches the condition with the lowest reliability among them can be considered. FIG. 10 shows that, for example, in order to provide a highly reliable message key KeyH, it is a condition that the equipment operation performance is 10 years or more and the equipment scale is 500 kW or more. Furthermore, it is shown that it is necessary to be able to cope with an emergency of seismic intensity 5 or higher. And, for example, if the equipment operation performance of a certain equipment is 8 years, the equipment scale is 800 kW, and the emergency that can be handled is seismic intensity 5, the conditions that the reliability is “medium”, “high”, “high” respectively. Therefore, it is determined that the facility as a whole satisfies at least the condition of “medium” reliability.

  FIG. 11 is an example of the group participation policy 304. The communication group 1101 is a list of names of communication groups currently in operation. The group key 1102 is a group key that is currently valid for each group, and includes a key ID 1103 and key information 1104. The distribution condition 1106 is a condition of equipment for participating in each communication group, and a plurality of conditions can be considered. In this example, when a new facility joins the group, the facility information of the facility is compared with the facility type 1107 indicating the type of distribution destination, and the key of the corresponding communication group is paid out if they match. In the event of an emergency, which will be described later, the key of the emergency response communication group is paid out only when the emergency response policy of each facility matches the emergency response conditions. In FIG. 11, for example, the facility type is a power generation facility, and KeyA identified by KID1 is distributed to the communication group of the power generation facility that satisfies the distribution condition. In addition, it shows that KeyD identified by KID4 is distributed to the emergency correspondence communication group that satisfies the condition that the seismic intensity of 5 or higher can be handled as the emergency response condition.

  FIG. 12 is an example of the transaction participation facility information 305. The facility 1201 is a list of facilities participating in the power exchange 102. The reliability 1201 indicates the current reliability and the previous reliability of each facility. The reliability policy determination result 1205 is a result of determining the reliability of each facility based on the reliability determination policy 303. Penalty presence / absence 1206 indicates whether a penalty has been imposed when it is determined that the reliability of the transaction application content is low when there is a difference between the application content of the power transaction of each facility and the transaction status. As a specific content of the penalty, for example, the reliability of the equipment may be lowered for a certain period. The penalty period 1207 is a period during which a penalty is imposed on each facility. A method of extending this period according to the size of the transaction application content and the actual value, the number of occurrences of the difference, and the like can be considered. The number of occurrences 1208 of difference between transaction information and results is the number of occurrences of difference between transaction application information of facilities and transaction results. In FIG. 12, for example, the power generation facility 1 has a high reliability in both the present and the past, and there is no difference between the penalty and transaction information and the actual results, while the power generation facility 2 has a high reliability in the past. Although the reliability policy determination result was “high”, the difference between the transaction information and the actual results occurred twice, indicating that the reliability is currently “medium”.

  FIG. 13 is an example of the transaction content list 404. The transaction ID 1301 is an identifier that is uniquely assigned for each power transaction. The supply source 1302 is a power supply source. The supplier 1303 is a consumer who supplies power. A transaction contract 1304 shows the details of a power transaction contract between the supply source 1302 and the supply destination 1303. The contract period 1305 is a period of a transaction contract. The supply amount 1306 is the amount of power supplied during the contract period. The actual value indicates the actual power supply period and supply amount. The actual difference occurrence reason 1310 is a place where the reason is described when there is a difference between the transaction contract 1304 and the actual value 1307. In FIG. 13, for example, the transaction identified by transaction ID “1” is from the power generation facility 1 to the customer 1 from 3:00 on 2014/7/5 to 3:00 on 2014/8/5. During this period, the transaction is supplied with electric power. In addition, the actual value shows that it was 5kW / h according to the supply amount specified in the contract.

  FIG. 14 shows the basic configuration of messages transmitted and received within a group. This message is encrypted and decrypted with the corresponding group key at the time of transmission / reception. The message ID 1401 is a message identifier. The message type 1402 is a message type, and is “notification” for the notification message in this example. The entire group notification information 1403 is information notified to the entire group and is not encrypted with the message key. The reliability-specific information 1404 is information that is encrypted with a message key for each reliability. The messages 1407 are grouped for each reliability level 1405 and encrypted with the corresponding message key 1408 for each reliability. However, the message key ID 1406 used for encrypting the message of each reliability is not encrypted, and can be referred to for determination of the key ID for decryption on the receiving side. In FIG. 14, for example, the operation information that is the value of the power generation facility operation information is encrypted with the message key KeyH corresponding to the reliability “high”, and the adjustment request information that is the value of the adjustment request information has the reliability “medium”. It shows that the power information that is encrypted with the corresponding message key KeyM and that is the value of the interchangeable power amount is encrypted with the message key KeyL corresponding to the reliability “low”. With such a configuration, when a message is distributed in a communication group having a plurality of facilities with different reliability levels, it is possible to control the position at which each facility reads the distributed message according to the reliability level. Become.

  FIG. 15 is an example of the facility system connection information 403. The management number 1501 is an identifier for uniquely identifying the state of the equipment connected to the grid of the power network. The facility name 1502 is the name of the facility connected to the system. The connection system characteristic 1503 indicates the characteristics of the system to which the equipment is connected. For example, a loop type in which the power lines are connected in a loop shape, a star type in which the equipment is connected radially to the end, etc. The power line connection form can be considered. These connection systems also affect the availability of power supply in the event of a disaster such as a power outage. For example, in the case of a loop type, it is difficult to supply power only at a specific location because power wraps around, but in the case of a star type, power is supplied to a specific location by using a part of a radial wire. This is easier than the loop type.

  The maximum power transmission capacity 1504 is the maximum amount of power that can be transmitted through the power transmission line to which the equipment is connected, and there are cases where the capacity changes or power transmission becomes impossible because the state of the electric wire differs between normal time 1505 and emergency 1506. In the drawing, a partial disconnection 1507 is shown as an example of an emergency.

  The current information 1508 indicates the state of which power generation facility currently supplies to which consumer how much power.

  In FIG. 15, for example, the power generation facility 1 identified by the management number “1” has a loop-type connection system characteristic, the maximum transmission capacity in normal times is 1 MW, and the maximum transmission capacity in the event of a partial disconnection is It shows that it is 500kW. In addition, the power generation facility 1 is currently in operation, for example, supplying 50 kW and 100 kW of power to the customer 1 and the customer 2, respectively.

  FIG. 16 shows a procedure in which the power generation facility 1104 receives authentication from the facility authentication organization 101 and issues an electronic certificate.

  The power generation facility 1104 generates a private key and a public key necessary for creating an electronic certificate (step 1601).

  The power generation facility 1104 transmits the facility information and the public key to the facility certification authority 101, and issues an electronic certificate issuance request (step 1602).

  The facility certification body 101 examines the validity of the application information (step 1603). For example, this validity check may be performed by requesting credit information of the application facility from a credit examination specialist or investigating operational results.

  The facility certification body 101 confirms that there is no defect in the application content (step 1604). If the examination is passed, rating information is generated (step 1605).

  Subsequently, an electronic certificate is created from the public key, facility information, and rating information (step 1606). The electronic certificate is sent to the power generation facility 1101 (step 1607).

  If there is a flaw in the authentic content, the reason for the failure and a failure notice are sent to the power generation facility 1104 as a failure of the examination (steps 1604 and 1608). FIG. 17 is an example of a re-authentication procedure for facilities participating in the power transmission and distribution network. In this embodiment, equipment re-authentication is performed at regular intervals. At the time of re-authentication, the actual operation results will be reflected in the rating. In this example, the facility certificate update of the power generation facility 1104 will be described as an example.

  When the expiration date of the electronic certificate approaches, the power generation facility 1104 generates a secret key and a public key (step 1701), sends facility information and a public key to the facility certification authority 101, and requests certificate issuance (step 1702).

  The facility certification body 101 examines the validity of the application information (step 1703) and generates rating information (FIG. 6) (step 1704).

  The facility certification body 101 requests the transaction content of the power generation facility 1104 from the power exchange 102 (step 1705), and the power exchange 102 returns a transaction content list (FIG. 13) of the power generation facility 1104 (step 1706). .

  The facility certification authority 101 checks the transaction contents to see if there is a difference in performance after the previous certificate issuance (step 1707), and if it occurs, the facility reliability is further lowered (step 1708). Specific procedures include changing the penalty presence / absence 1206 in the corresponding equipment column of the transaction participation equipment information 305 (FIG. 12) to a penalty period, and lowering the current reliability from high to medium. A method is conceivable. In this example, an example in which a difference that is lower than the actual result is shown, but when a difference that exceeds the actual result occurs, the facility reliability is increased.

  The facility certification authority 101 creates an electronic certificate from the public key, facility information, and rating information (step 1709), and sends the electronic certificate to the power generation facility 1101 (step 1710). The power generation facility 1101 that has received the new electronic certificate discards the old facility certificate, for example, by deleting it (step 1711).

  FIG. 18 is an example of a system connection procedure for connecting equipment to the power network 110.

  The power generation facility 1104 and the grid operating organization 103 perform mutual device authentication using the electronic certificate (step 1801).

  When the authentication is completed, the power generation facility 1104 requests the grid operating organization 103 to connect to the grid (step 1802).

  The grid operation organization 103 permits the power generation facility 1104 to connect to the power grid and sends the grid connection information (FIG. 15) to which this facility is connected. As this information, for example, a power transmission voltage, a power transmission capacity, and the like can be considered (step 1803).

  The power generation facility 1104 connects to the power network (step 1804).

  The power generation facility 1104 notifies the grid operation organization 103 of the grid connection completion notification (step 1805).

  The grid operating organization 103 adds the power generation facility 1104 to the grid connection information of the facility (FIG. 15) (step 1806).

FIG. 19 is an example of a group key distribution procedure when an authenticated facility participates in a new transaction.
The power generation facility 1 104 and the power exchange 102 perform mutual device authentication using the electronic certificate (step 1901). When the authentication is completed, an encrypted communication path is established between the two (step 1902).
The power exchange 102 determines the participating communication group and the reliability from the contents (FIG. 6) described in the electronic certificate of the power generation facility 1 (step 1903). Details of the determination of reliability and the selection procedure of keys to be distributed based on the determination will be described with reference to FIG.

  The power exchange 102 distributes the group key corresponding to the participating group to the power generation facility 1104 (step 1904). In addition, when belonging to a plurality of groups, keys for the belonging group are distributed. Next, the power exchange 102 distributes a message key group corresponding to the reliability of the power generation facility 1104 (step 1905). The power generation facility 1104 and the power exchange 102 end the encrypted communication (step 1906). The power exchange 102 registers the power generation facility 1104 in the communication destination management table 203 (FIG. 7) (step 1907). The communication group participation member update is notified from the power exchange 102 to the equipment group belonging to the group in which the power generation equipment 1104 participates (step 1908). The equipment group that has received the member update message updates the communication destination management table 203 (FIG. 7) and adds the power generation equipment 1104 (step 1909). As shown in FIG. 19, the process (steps 1930 to 1905) during the distribution of the group key group and the message key group (steps 1930 to 1905) is executed in an encrypted state (step 1910). ).

  FIG. 20 is an example of a procedure for determining a key that the power exchange 102 distributes to facilities based on the description of the electronic certificate (FIG. 6).

  The power exchange 102 compares the electronic certificate received from the equipment with the reliability determination policy 303 (FIG. 10) (step 2001). If the equipment satisfies all the conditions for high reliability (step 2002), the power exchange 102 Decide to issue a high message key (step 2003).

  Similarly, when the facility satisfies all the conditions for reliability (step 2004), the power exchange 102 decides to issue a message key for reliability (step 2005), and the condition for the facility having low reliability is determined. If all of the above are satisfied (step 2006), it is decided to issue a message key with high reliability (step 2007).

  The power exchange 102 compares the facility information (FIG. 5 or FIG. 12) with the group participation policy (FIG. 11) (step 2008), and determines the distribution of the group key that matches the group participation policy (step 2009).

  FIG. 21 is an example of a basic communication group communication procedure. In this example, the case where the power generation facility 1104 delivers a message to the communication group and the customer 2107 responds to the message will be described as an example. When sending a message into a communication group, the message is sent to all group members. The group member that has received the message determines whether or not to respond to it and if it is determined to be used for reply, a reply message is generated and distributed to all group members.

The power generation facility 1104 generates a message original (step 2101). Based on the reliability specification of each part of the original message, it is encrypted with a message key for each reliability (FIG. 14), and a transmission message is generated (step 2102).
The power generation facility 1104 encrypts with the group key of the communication group to be transmitted (step 2103). With reference to the communication destination management table 203 (FIG. 7) held by the power generation facility 1104, a message is transmitted to the facility group belonging to the communication group (step 2104).
The processing procedure of the received message will be described taking the customer 2107 as an example. The customer 2107 decrypts the received message with the group key (step 2106). Only the information of the part where the message key and message key ID of this equipment match is decrypted and the information is read (step 2107).

  When the customer 2107 determines that an individual reply is necessary (step 2108), the customer 2107 generates a message (step 2109) and returns the message to the power generation facility 1104 (step 2110). The message reply may be distributed to the entire group.

  FIG. 22 is an example of a procedure for distributing record information from the grid operating organization 103.

  For example, the power exchange 102 requests the small transaction group to distribute the actual value (FIG. 13) of the transaction ID 2 of the transaction content list 404 (step 2201).

  The grid operating organization 103 that has received this message refers to the transaction content list 404 and distributes the actual value related to the transaction ID to the same group (step 2202).

  The power exchange 102 updates the reliability and penalty of the equipment corresponding to the transaction ID2 in the transaction participation facility information 305 (FIG. 12) from the actual value and transaction contents regarding the transaction ID2 (step 2203).

  FIG. 23 is an example of a procedure for updating the reliability of equipment.

  The power exchange 102 receives the operation result of the transaction ID 2 from the grid operating organization 103 (step 2301).

  The contents of the transaction contract 1304 with the transaction ID 2 in the transaction content list 404 are compared with the actual value (step 2302).

  If there is no difference between the transaction and the operation results, the power exchange 102 completes the process (step 2303), and if there is a difference, the reason for the result difference is added to the transaction content list 404 ( Step 2304).

  The power exchange 102 adds +1 to the number of occurrences of the difference between the transaction information of the power generation facility 2 and the actual result in the transaction participation facility information list 305 (FIG. 12) (step 2305), and the difference occurrence number sets a predetermined reliability lowering threshold. When it exceeds (Step 2306), the current reliability of the power generation facility 2 is lowered by one level (Step 2307).

  FIG. 24 is an example of a communication group key update procedure.

  The power exchange 102 grasps the group key that has reached the power generation facility group key renewal deadline (step 2401). In this example, it is assumed that the key A update deadline has come, and this will be described below as an example.

  The power exchange 102 registers the current key KeyA in KeyAold in the group key management table 204 (Step 2042), and generates KeyAnew (Step 2403).

Subsequently, the power exchange 102 encrypts KeyAnew with KeyA (Step 2404), and distributes KeyAnew to the group for distribution (Step 2405).
Each facility that has received KeyAnew decrypts KeyAnew with KeyA (step 2406), and registers KeyA as KeyAold in group key management table 204 (step 2407).
Furthermore, each facility registers KeyAnew as the current key KeyA in the group key management table 204 (step 2408), and notifies the power exchange 102 of the completion of the key update (step 2409).

  When receiving the key update completion from all the facilities in the group (step 2410), the power exchange 102 registers KeyAnew as the current key KeyA in the group key management table 204 (step 2411).

  The power exchange 102 distributes the group key update notification to the group, and thereafter, the group member uses KeyAnew as the group key (step 2412).

  FIG. 25 is an example of a message key update procedure. In this example, an update method when the update time limit of the message key KeyH in the message key management table 205 (FIG. 9) has been described will be described as an example.

  The power exchange 102 detects that the update time limit of the message key KeyH has come (step 2501), registers the current key KeyH of the message key management table 205 in KeyHold (step 2502), and generates KeyHnew (step 2503). ).

The power exchange 102 encrypts KeyHnew with KeyH (step 2504), and extracts a list of facilities 130 with the current reliability of the transaction participation facility information from the transaction participation facility information list 305 (FIG. 12) (step 2505). Then, KeyHnew is distributed to the equipment with high reliability (step 2506).
The high-reliability equipment 130 that has received KeyHnew decrypts and extracts keyHnew using KeyH (step 2507), and registers KeyH in message key management table 205 in KeyHold (step 2508).

  The high-reliability equipment 130 switches KeyHnew as the current key KeyH (step 2509), and notifies the power exchange 102 of the completion of the key update (2510).

  When the power exchange 102 confirms the completion of the update of all the transaction target equipment (step 2511), the power exchange 102 distributes the update of the reliability key to the high-reliability equipment 130 (2512). The equipment list whose reliability is high and the current reliability is lowered is extracted (step 2513), and the extracted equipment group is notified that the reliability is lowered (step 2514). The equipment that has received this notification discards the KeyH by deleting it (step 2515).

  FIG. 26 shows an example of a procedure for constructing a group with equipment that can respond to an emergency when an emergency occurs. In this example, the case where the power generation facility 1104 and the customer 1106 are damaged will be described. In the event of an emergency, it is possible that a number of unauthorized messages will flow from the system that does not respond to the emergency on the normal communication group, and the processing may be confused. It is possible to reduce the communication amount related to the processing and reduce the processing load.

  When a disaster occurs and the power generation facility 1104 detects a disaster by a detection unit such as a sensor (step 2601), the power generation facility 1104 notifies the group according to the emergency response policy 505 (FIG. 5) (step 2601). 2602).

  Similarly, when the customer 1106 is damaged (step 2603), the disaster is notified to the group according to the emergency response policy 505 (step 2604).

  The power exchange 102 distributes a response request to the compatible facility to the communication group in order to determine the facility that can respond to the notified emergency content (step 2605). In this case, the power generation facility 1104, the customer 1106, and the grid operating organization 103 respond as compatible facilities (step 2606).

  Upon receiving the response, the power exchange 102 generates an emergency response group key (step 2607), encrypts the emergency response group key with the key of the group to which the equipment responding that it can respond (step 2608), Distribute the emergency response group key (step 2609). The equipment that has received the emergency response group key forms an emergency response communication group (step 2610).

  FIG. 27 is an example of a procedure for adjusting supply and demand by linking facilities capable of handling an emergency.

  The power exchange 102 distributes to the emergency response group an instruction for requesting confirmation of power generation capacity and transmission capacity (step 2701), and each facility returns the power generation capacity and power transmission capacity (step 2702).

  The power exchange 102 formulates a supply and demand plan so that power is supplied to consumers with high publicity in order from power generation facilities with high reliability and publicity (FIGS. 6 and 12) (step 2703). As information used for the determination at this time, for example, power generation surplus, power transmission capacity, power transmission possibility, power quality, and the like can be considered.

  The power exchange 102 instructs each facility to transmit and distribute power based on the supply and demand plan (step 2704), and each facility starts transmission and distribution (step 2705).

  FIG. 28 is an example of an execution procedure of alternative communication means when a communication failure occurs between a specific facility and the power exchange 102. In this example, a case where the power generation facility 1104 cannot access the power exchange 102 will be described.

  When the power generation facility 1104 becomes inaccessible to the power exchange 102 (step 2801), the power generation facility 1104 confirms whether the communication group to which the power generation facility 1104 belongs can access the power exchange (step 2802).

  When replying that a part of the communication group can be accessed (step 2803), the power generation facility 1104 determines that the peripheral communication environment of the own system is abnormal based on this response (step 2804).

  Information to be traded with the power exchange is encrypted with the public key of the power exchange (step 2805).

  The power generation facility 1104 delivers a request to the power exchange 102 to transfer a message including transaction details to the communication group and the message (steps 2806 and 2807). The facility that can be connected to the power exchange 102 that has received the message forwards the distributed message to the power exchange 102.

  The power exchange 102 decrypts the received transaction content with the private key (step 2808), processes the transaction content (step 2809), generates a response message (step 2810), and is included in the electronic certificate of the power generation facility 1104 The response message is encrypted with the public key to be transmitted (step 2811) and distributed to the communication group.

  At this time, the power exchange 102, for example, increases the reliability of these power generation facilities and consumers from “medium” to “high” as an incentive for the power generation facilities and customers that transferred the message, The period during which the price is reduced (the period until the penalty deadline) is shortened.

  The equipment in the communication group that has received the information and the equipment that can be connected to the power generation equipment 1104 transfers the information to the power generation equipment 1104 (steps 2811 and 2812).

  The power generation facility 1104 decrypts the response message with the secret key (step 2813) and confirms the response (step 2814).

  FIG. 29 shows a procedure for determining the necessity of emergency response by a specific facility. In this example, although the power generation facility 1104 has notified the occurrence of an emergency, a procedure for determining whether an equipment that has not detected an emergency should receive the information and respond appropriately.

  When the power generation facility 1104 detects an earthquake (step 2901), the power generation facility 1104 distributes the occurrence detection to the communication group to which it belongs (steps 2902 and 2903).

  However, the customer 2107 does not determine that there is an emergency because no earthquake has been detected (step 2904).

  Thereafter, a notice of occurrence of an emergency is distributed from other systems belonging to the same communication group (step 2905).

  When the customer 2 receives the occurrence notification from a certain number of systems in the communication group, the customer 2 switches to the determination that the occurrence has occurred (step 2906) and switches to the emergency response mode (step 2907). In this case, for example, the customer 2 switches to the emergency response mode when receiving a certain number or more of emergency occurrence notifications from the power generation facility with high reliability (FIG. 6) of other systems in the same communication group as the user 2. The emergency response mode may be switched according to the reliability of other systems and the number of occurrence occurrence notifications.

101: Facility certification body, 102: Electricity exchange, 103 ... System operation organization, 104 ... Power generation facility 1, 105 ... Power generation facility 2, 106 ... Customer 1, 107 ... Customer 2, 108 ... Communication network, 109 ... Communication Group, 110 ... Power network, 201 ... Power transaction participation equipment, 202 ... Equipment certificate, 203 ... Communication destination management table, 204 ... Group key management table, 205 ... Message key management table, 206 ... System connection information of own equipment, 207 ... Equipment operation policy, 208 ... System status information, 302 ... Equipment certificate, 303 ... Reliability judgment policy, 304 ... Group participation policy, 305 ... Transaction participation equipment information list, 306 ... Equipment system connection information list, 307 ... Transaction List of contents, 401: System operation organization, 402: Equipment certificate, 403: System connection information of equipment, 404: Transaction content list, 405: Equipment operation policy, 406: System status information.

Claims (12)

A power transmission and distribution network operation system in which a power supply side facility and the power demand side facility are connected by a communication network,
The supply side equipment is:
A message encryption processing unit that encrypts a message to be transmitted by a message encryption key provided for each reliability of the supply side equipment;
Group encryption that encrypts the message encrypted by the message encryption processing unit with a group encryption key provided for each communication group including the supply side equipment or the demand side equipment grouped according to the communication purpose A processing unit,
The demand side equipment is:
A group decryption processing unit for decrypting the message encrypted on the supply side with a group decryption key corresponding to the group encryption key distributed in advance to the own equipment;
A message decryption processing unit that decrypts a message that can be decrypted among the messages decrypted by the group decryption processing unit, with a message decryption key corresponding to the message encryption key distributed in advance to the facility;
A power transmission / distribution network operation system comprising: The supply side equipment and the demand side equipment are:
The supply-side equipment or the demand-side equipment is authenticated with equipment information including normal-time operation policy information, which is an operation policy during normal times of the own equipment, and emergency operation policy information, which is an emergency operation policy information other than during normal times. Having an equipment processing unit for transmitting the equipment information to the equipment certification body,
The facility certification organization generates rating information that ranks the supply side facility or the demand side facility based on the facility information received from the supply side facility or the demand side facility, and includes the generated rating information. A certificate authority processing unit that transmits a certificate to the supply-side facility or the demand-side facility of the transmission source,
The power transmission / distribution network operation system according to claim 1. A transaction processing unit is provided that lowers the reliability of the supply-side facility or the demand-side facility based on the number of times the power transaction contract between the supply-side facility and the demand-side facility differs from the actual value. With an exchange
The message encryption processing unit encrypts a message to be transmitted with a message encryption key provided for each lowered reliability.
The power transmission / distribution network operation system according to claim 1. The facility processing unit of the supply-side facility or the demand-side facility determines whether or not the damage is detected by the detection unit, and when it is determined that the damage is detected, notifies the exchange that the damage has occurred,
Whether the transaction processing unit of the exchange is capable of responding to the disaster in the other supply side equipment or other demand side equipment belonging to the same communication group as the supply side equipment or the demand side equipment. Confirming and receiving a response indicating that the response is possible from the supply-side facility or the demand-side facility, the emergency response group with the supply-side facility or the demand-side facility transmitting the response as one group Generating the group encryption key and distributing it to the emergency response group;
The power transmission and distribution network operation system according to claim 3. The equipment processing unit of the supply side equipment or the demand side equipment determines whether or not the own equipment can be connected to the exchange, and determines that the supply side equipment or the demand is not connectable to the exchange. Request the other supply side equipment or other demand side equipment belonging to the communication group to which the side equipment belongs to transfer information indicating transaction details to the exchange,
The requested facility equipment of the other supply side equipment or the other demand side equipment transfers information indicating the transaction content to the exchange according to the request,
The power transmission and distribution network operation system according to claim 3. The exchange increases the reliability of the other supply-side equipment or other demand-side equipment that has transferred the information indicating the transaction content, or when there is a difference between the power transaction contract and the actual value. Reduce the period of reduced confidence,
The power transmission and distribution network operation system according to claim 3. A power transmission / distribution network operation method performed in a power transmission / distribution network operation system in which a power supply side facility and the power demand side facility are connected by a communication network,
A message encryption processing step for encrypting a message to be transmitted with a message encryption key provided for each reliability of the supply side equipment;
Group encryption that encrypts the message encrypted by the message encryption processing unit with a group encryption key provided for each communication group including the supply side equipment or the demand side equipment grouped according to the communication purpose Processing step,
A group decryption processing step of decrypting the message encrypted on the supply side with a group decryption key corresponding to the group encryption key distributed in advance to the facility;
A message decryption processing step of decrypting a message that can be decrypted among the messages decrypted by the group decryption processing unit with a message decryption key corresponding to the message encryption key distributed in advance to the own equipment;
A method for operating a power transmission and distribution network, comprising: The supply-side equipment or the demand-side equipment is authenticated with equipment information including normal-time operation policy information, which is an operation policy during normal times of the own equipment, and emergency operation policy information, which is an emergency operation policy information other than during normal times. A first transmission step of transmitting the facility information to a facility certification body;
Generating the rating information rating the supply side facility or the demand side facility based on the facility information received from the supply side facility or the demand side facility;
A second transmission step of transmitting an electronic certificate including the generated rating information to the supply-side facility or the demand-side facility of a transmission source,
The power transmission and distribution network operation method according to claim 7. A transaction processing step of reducing the reliability of the supply side equipment or the demand side equipment based on the number of times that a difference has occurred between the power transaction contract and the actual value between the supply side equipment and the demand side equipment. ,
In the message encryption processing step, a message to be transmitted is encrypted with a message encryption key provided for each lowered reliability.
The power transmission and distribution network operation method according to claim 7. It is determined whether or not the detection unit has detected a disaster, and if it is determined that the disaster has been detected, a notification step for notifying that the exchange has been damaged,
A confirmation step of confirming whether or not it is possible to cope with the disaster in the other supply side equipment or other demand side equipment belonging to the same communication group as the supply side equipment or the demand side equipment;
When the response indicating that the response is possible is received from the supply-side facility or the demand-side facility, the group encryption of the emergency response group in which the supply-side facility or the demand-side facility that transmitted the response is a group A distribution step of generating an encryption key and distributing it to the emergency response group;
The power transmission / distribution network operating method according to claim 9, comprising: If it is determined whether or not its own equipment can be connected to the exchange, and if it is determined that it is not connectable to the exchange, the other supply-side equipment belonging to the communication group to which the supply-side equipment or the demand-side equipment belongs or A requesting step for requesting other demand side equipment to transfer information indicating transaction details to the exchange;
A transfer step of transferring the information indicating the transaction content to the exchange according to the request, the facility processing unit of the requested other supply side facility or the other demand side facility,
The power transmission / distribution network operating method according to claim 9, comprising: In the distribution step, when the reliability of the other supply-side equipment or other demand-side equipment that has transferred the information indicating the transaction content is increased, or when there is a difference between the power transaction contract and the actual value Reduce the period of reduced confidence,
The power transmission / distribution network operating method according to claim 9.

Images