JP2018055391A - Security diagnostic device and security diagnostic method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology that detects an abnormal operation in a case where an abrupt operation signal value is transmitted as a result of infection with malware or the like, even when an operation signal transmitted by a remote plant control server has a value in a normal range.SOLUTION: A security diagnostic device according to the present invention to solve the problem, comprises: operation signal categorizing means that divides operation signals transmitted by a remote plant control server into categories; a database storing past diagnostic results; measurement signal categorizing means that divides measurement signals measured in a plant into categories; and a security diagnostic section that diagnoses a malfunction of an operation signal of the remote plant control server on the basis of a categorization result of the operation signal categorizing means, the categorization result of the measurement signal categorizing means, and the past diagnostic results.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a security diagnostic apparatus in a power generation / storage plant.

  JP-A-2015-162140 (Patent Document 1) describes a technique for detecting the occurrence of an abnormality or accident based on measurement data from a plant when an abnormal transient or accident occurs in the plant. There is technology.

  This publication describes that “a distinction is made as to whether a signal change is caused by a change in plant characteristics or a change in control logic”.

JP2015-162140

The remote plant control server sends a plant operation signal and controls the plant. In Patent Document 1, if an abnormal operation signal is transmitted because the remote plant control server is infected with malware, the output becomes abnormal, and an abnormality of the remote plant control server can be detected.
However, even if the value of the operation signal transmitted to the plant is a value in the normal operating range, an abnormality may be caused if the value of the operation signal changes abruptly. For example, the turbine malfunctions by repeatedly changing the rotation speed of the turbine of the plant between the minimum value and the maximum value from the remote plant control server. When the remote plant control server is infected with malware or the like and transmits an abrupt operation signal value, there is a problem that it is difficult to notice the abnormal operation of the remote plant control server until the plant becomes abnormal.

  In order to solve the above problems, a security diagnosis apparatus according to the present invention is measured by a plant, an operation signal classification means for classifying operation signals transmitted by a remote plant control server into categories, a database for storing past diagnosis results, and a plant. The measurement signal classification means for classifying the measured signals into categories, the operation signal of the remote plant control server is abnormal based on the classification result of the operation signal classification means, the classification result of the measurement signal classification means, and the past diagnosis result And a security diagnostic unit for diagnosing the situation.

  Even if the operation signal of the remote plant control server is a signal in the normal range, it can be detected that the plant is operating to operate abnormally.

Block diagram for explaining the security diagnostic device 100 Operation flowchart of security diagnostic device 100 The figure explaining the structure of the data decomposition function of a classification part Block diagram showing the configuration of the F0 layer 621 Block diagram showing the configuration of the F1 layer 622 Operation flow chart of security diagnostic means 170 The figure explaining the mode of the data preserved in the operation signal classification result database Diagram explaining the mode of data stored in the diagnosis result database The figure which shows the screen which displays the determination result in the flowchart of FIG. The figure explaining the structure in case the plant 200 of operation object is a gas turbine plant The figure explaining the structure in case the plant 200 of operation object is a storage battery plant

  A security diagnostic apparatus according to an embodiment of the present invention will be described below with reference to the drawings.

  FIG. 1 is a block diagram illustrating a security diagnostic apparatus 100 according to the first embodiment of the present invention. The remote diagnosis control server 310 and the plant 200 are monitored using the security diagnostic device 100.

  The plant 200 includes an on-site plant control device 210 and a plant main machine 220. Various measuring devices are installed in the plant main machine, and measurement signals measured by these measuring devices are transmitted to the on-site plant control device 210. There is a remote plant control server 310 to control the plant 200 from a remote location. The remote plant control server 310 transmits the operation signal 1 to the on-site plant control device 210 in the plant 200. The on-site plant control device 210 calculates an operation signal and transmits it to the plant main unit 220 in order to control the plant main unit 220 to a desired operation state based on the operation signal 1 transmitted from the remote plant control server 310.

  The signal 3 including the plant measurement signal 19 received by the on-site plant control device 210 and the operation signal 17 calculated by the on-site plant control device 210 is stored in the plant data recording device 320. The signal 3 may include an arbitrary signal calculated by the on-site plant control device 210.

  The security diagnosis apparatus 100 includes an operation signal classification unit 151, a measurement signal classification unit 152, and a security diagnosis unit 170 as arithmetic units. The security diagnostic apparatus 100 also includes a measurement signal database 130, an operation signal database 140, an operation signal classification result database 161, a measurement signal classification result database 162, and a diagnosis result database 180 as databases. In FIG. 1, the database is abbreviated as DB.

  In addition, the security diagnostic apparatus 100 includes an external input interface 110 and an external output interface 120 as interfaces with the outside.

  And the measurement signal 4 which measured various up state quantities which are the operation states of a plant via the external input interface 110, the operation signal 1 from a remote plant control server, the keyboard 420 with which the operation management room 400 was equipped, The external input signal 5 operated by operating the external input device 410 configured by the mouse 430 is taken into the security diagnosis device 100.

Further, the image display information 17 is output to the image display device 440 provided in the operation management room 200 via the external output interface 120.
The measurement signal 6 taken into the security diagnostic apparatus 100 is stored in the measurement signal database 130. The operation signal 7 taken into the security diagnostic apparatus 100 is stored in the operation signal database 140. Although most of the measurement signal 4 and the operation signal 1 are analog quantities, the measurement signal 6 and the operation signal 7 captured by the security diagnostic apparatus 100 are time-series digital quantities, so that the symbols are distinguished.

  The security diagnostic apparatus 100 has two processing modes: a model construction processing mode and a diagnostic processing mode.

  In the model construction mode, measurement signals and operation signals in a normal state are classified into several groups using a clustering technique, and a diagnostic model is constructed.

  In the diagnosis process, the time measurement signal and the operation signal to be diagnosed are classified into groups using clustering technology, and security diagnosis is performed.

  First, the operation of the model construction processing mode will be described.

  In the model construction processing mode, a monitoring model used for detecting a state change is constructed. First, the measurement signal classification unit 152 extracts the measurement signal 8 for a predetermined period from the measurement signal database 130, and classifies the measurement signal 8 by the clustering technique. The measurement signal classification result information 11 as the classification result is transmitted to the measurement signal classification result database 162 and stored.

  Next, the operation signal classification unit 151 extracts the operation signals 9 for a predetermined period from the operation signal database 140 and classifies them by the clustering technique. The operation signal classification result information 10 as the classification result is transmitted to the operation signal classification result database 161 and stored.

  In addition, not only the measurement signal but also an arbitrary signal calculated by the on-site plant control device 210 is extracted, and the measurement signal classification unit 152 classifies the measurement signal and the arbitrary signal calculated by the on-site plant control device 210 by the clustering technique. May be. Further, the measurement signal and the operation signal may be divided into arbitrary groups, and a diagnostic model may be constructed for each group.

  Thus, in the security diagnostic apparatus 100 of the present embodiment, the measurement signal and the operation signal are individually classified.

  Next, the operation in the diagnostic processing mode will be described.

First, the measurement signal classification processing unit 152 classifies the measurement signal 8 by using the clustering technique while referring to the measurement signal 8 and the diagnostic model constructed in the model construction processing mode, and transmits it to the operation signal classification result information 12 security diagnostic unit 170.
Further, the operation signal classification processing unit 151 classifies the operation signal 9 by the clustering technique while referring to the operation signal 9 and the diagnosis model constructed in the model construction processing mode, and transmits the measurement signal classification result information 13 to the security diagnosis unit 170. .

  Then, the security diagnosis unit 170 diagnoses the security of the remote plant control server 310 based on the past diagnosis result information 20 from the operation signal classification result information 12 and the measurement signal classification result information 13. The diagnosis result information 16 is output to the external output interface 120.

  In the security diagnostic apparatus 100 of this embodiment, the operation signal classification unit 151, the measurement signal classification unit 152, the security diagnosis unit 170, the operation signal database 140, the measurement signal database 130, the operation signal classification result database 161, the measurement signal classification Although the result database 162 and the diagnosis result database 180 are provided inside the security diagnostic apparatus 100, some of these apparatuses are arranged outside the security diagnostic apparatus 100 so that only data is communicated between the apparatuses. Also good.

  The operation signal database 140, the measurement signal database 130, the operation signal classification result database 161, the measurement signal classification result database 162, and the database information 1801 and 1802 stored in the diagnosis result database 180 installed in the security diagnosis apparatus 100 are as follows. Data communication can be performed with the operation management room 900, and database information can be displayed on the image display device 940. These pieces of information can be corrected by an external input signal 5 generated by operating an external input device 410 including a keyboard 420 and a mouse 430.

  FIG. 2 is an operation flowchart of the security diagnostic apparatus 100.

  Step R10: The signal stored in the plant data recording device is taken into the diagnostic device 100 via the external input interface 120, and the measurement signal 6 is stored in the measurement signal database 130. Further, the transmission signal of the remote plant control server is taken into the diagnostic device 100 via the external input interface 120 and the operation signal 7 is stored in the measurement signal database 140.

Step R20: The measurement signal classification unit 152 is operated to extract the predetermined measurement signal 8 from the measurement signal database 130 and classify it by the clustering technique. The measurement signal classification result information 11 as the classification result is transmitted to the measurement signal classification result database 162 and stored.
Further, the measurement signal classification result information 15 that is a classification result is also transmitted to the security diagnosis unit 170. The detailed operation content of the measurement signal classification unit 152 will be described later with reference to FIG.

Step R30: The operation signal classification means 151 is operated to extract a predetermined operation signal 7 from the operation signal database 140 and classify it by a clustering technique. The operation signal classification result information 10 as the classification result is transmitted to the operation signal classification result database 161 and stored.
Further, the operation signal classification result information 12 which is a classification result is also transmitted to the security diagnosis unit 170. The detailed operation content of the measurement signal classification unit 151 will be described later with reference to FIG.

  Step R40: The operation mode is determined. If it is in the model construction mode, the process ends. If it is in the diagnosis processing mode, the process proceeds to Step R50.

  Step R50: The security diagnosis unit 170 is operated to diagnose the state of the remote plant control server, and the diagnosis result information 16 is output to the external output interface 120.

  The diagnosis result information 21 is also transmitted to the diagnosis result database 180 and stored. The operation contents of the security diagnosis unit 170 will be described later with reference to FIG.

Step R60: An end determination is performed, and when the end determination is satisfied, the diagnosis processing mode is ended. If the end condition is not satisfied, the process returns to step R10. Here, the termination condition is a condition determined in advance by the user. For example, the process ends when an end signal is transmitted from the keyboard 41 or the mouse 42 to the security diagnosis unit 170.
FIG. 3 is a diagram for explaining the operation signal classification unit 151 and the measurement signal classification unit 152.

  In the present embodiment, a case where adaptive resonance theory (ART) is applied as a technique for classifying signals will be described. It should be noted that other clustering methods such as vector quantization and support vector machine can be used.

  As shown in FIG. 3A, the data classification function includes a data preprocessing device 610 and an ART module 620. The data preprocessing device 610 converts the operation data into input data for the ART module 620.

  Hereinafter, the means by the data preprocessing device 610 and the ART module 620 will be described.

First, the data pre-processing device 610 normalizes data for each operation signal and measurement item. The data including the normalized data Nxi (n) of the operation signal and the measurement signal and the complement of the normalized data CNxi (n) (= 1−Nxi (n)) is defined as input data I _i (n). This input data I _i (n) is input to the ART module 620.

  In the ART module 620, the measurement signal 8 or the operation signal 9 as input data is classified into a plurality of categories.

  The ART module 620 includes an F0 layer 621, an F1 layer 622, an F2 layer 623, a memory 624, and a selection subsystem 625, which are coupled to each other. The F1 layer 622 and the F2 layer 623 are connected via a weighting factor. The weighting coefficient represents a prototype (prototype) of a category into which input data is classified. Here, the prototype represents a representative value of the category.

  Next, the algorithm of the ART module 620 will be described.

  The outline of the algorithm when input data is input to the ART module 620 is as shown in the following processing 1 to processing 5.

  Process 1: The input vector is normalized by the F0 layer 621, and noise is removed.

  Process 2: A suitable category candidate is selected by comparing the input data input to the F1 layer 622 with the weighting factor.

  Process 3: The validity of the category selected by the selection subsystem 625 is evaluated by the ratio with the parameter ρ. If it is determined to be valid, the input data is classified into the category, and the process proceeds to process 4. On the other hand, if it is not determined to be valid, the category is reset, and an appropriate category candidate is selected from the other categories (repeat process 2). Increasing the value of parameter ρ makes the category classification finer, and decreasing the value of ρ makes the classification coarse. This parameter ρ is referred to as a vigilance parameter.

  Process 4: When all the existing categories are reset in Process 2, it is determined that the input data belongs to the new category, and a new weighting factor representing the prototype of the new category is generated.

Process 5: When input data is classified into category J, weight coefficient WJ (new) corresponding to category J uses past weight coefficient WJ (old) and input data p (or data derived from input data). And updated by the following equation (1).
WJ (new) = Kw · p + (1−Kw) · WJ (old) (1)
Here, Kw is a learning rate parameter (0 <Kw <1), and is a value that determines the degree to which the input vector is reflected in the new weighting factor.

  It should be noted that equations (1) and equations (2) to (12) described later are incorporated in the ART module 620.

  The feature of the data classification algorithm of the ART module 620 is the processing 4 described above.

  In process 4, when input data different from the learned pattern is input, a new pattern can be recorded without changing the recorded pattern. Therefore, it is possible to record a new pattern while recording a pattern learned in the past.

  As described above, when the operation data given in advance is given as input data, the ART module 620 learns the given pattern. Therefore, when new input data is input to the learned ART module 620, it is possible to determine which pattern in the past is close by the above algorithm. If the pattern has never been experienced before, it is classified into a new category.

FIG. 3B is a block diagram showing the configuration of the F0 layer 621. In the F0 layer 621, the input data I _i is normalized again at each time, and a normalized input vector u _i to be input to the F1 layer 622 and the selection subsystem 625 is created.

First, w _i ⁰ is calculated from the input data I _{i according} to the equation (2). Here, a is a constant.

Next, x _i ⁰ obtained by normalizing w _i ⁰ is calculated using Equation (3). Here, || · || is a symbol representing a norm.

Then, using equation (4), v _i ⁰ obtained by removing noise from x _i is calculated. However, θ is a constant for removing noise. Since the minute value becomes 0 by the calculation of Expression (4), noise of the input data is removed.

Finally, a normalized input vector u _i ⁰ is obtained using equation (5). u _i ⁰ is input to the F1 layer.

FIG. 3C is a block diagram showing the configuration of the F1 layer 622. As shown in FIG. In the F1 layer 622, u _i ⁰ obtained by Expression (5) is held as a short-term memory, and p _i input to the F2 layer 722 is calculated. Formulas for the F2 layer are collectively shown in Formulas (6) to (12). However, a and b are constants, f (·) is a function shown in Expression (4), and T _j is a fitness calculated by the F2 layer 623.

ただし、

However,

  FIG. 4 is a flowchart of the security diagnosing means 170, and is a diagram for explaining R50 of FIG. 2 in detail.

  Step S10: The security diagnosis unit 170 compares the previous operation signal classification result information 13 stored in the operation signal classification database 161 to check whether the operation signal classification result 12 has changed from the previous category. If there is no change in category, the process proceeds to step S20. If there is a change in category, the process proceeds to step S30.

  Step S20: If there is no category change, the security diagnosis means 170 determines that the operation is normal and ends the process.

  Step S30: The security diagnosis means 170 reads the past diagnosis result information 20 from the diagnosis result database 180 and calculates the category change count F. The calculated category change count F is recorded in the diagnosis result database 180, and the process proceeds to step S40.

  Step S40: The security diagnosis means 170 records the time T when the category is changed in the diagnosis result database 180, and proceeds to step S50.

  Step S50: The security diagnosis means 170 checks whether the product of the category change count calculated in step S30 and the inter-category distance D stored in the operation signal classification result database 161 is equal to or greater than a specified value. The distance D between categories is calculated | required by the type | formula shown to Formula (13), for example. Ai and Bi are signal values before and after the category change.

  If the result of the check is equal to or greater than the specified value α, that is, if Expression (14) is satisfied, the process proceeds to step S60 to perform an abnormal operation determination process, and if it is less than the specified value, the process proceeds to step S70.

  Step S60: The security diagnosis unit 170 determines that the remote plant control device 310 is in an abnormal state and the plant 200 may be damaged, and displays a warning on the image display device 440 via the external interface 120. Then, the process ends.

  Step S70: The security diagnosis means 170 reads the previous category change time from the diagnosis result database 180, calculates the difference time S from the current category change time, and proceeds to step S80.

  Step S80: If the product P of the reciprocal of the difference time S calculated in step S70 and the inter-category distance stored in the operation signal classification result database 161 is greater than or equal to the specified value β, the security diagnosis means 170, that is, equation (15) If it satisfies, the process proceeds to step S90 to perform an abnormal operation determination process, and if it is less than the specified value β, the process proceeds to step S100.

  Step S90: The security diagnosis unit 170 determines that the plant 200 may be operating abnormally, displays a warning on the image display device 440 via the external interface 120, and ends the process.

  Step S100: The security diagnosis means 170 determines that the operation is normal and ends the process.

  In the security diagnosis means of the present invention showing a series of processing flows in FIG. 4, the operation signal is abruptly detected even in the normal operation range from the category change count and the inter-category distance information stored in the operation signal classification result database 161 in step S50. An effect that can detect a change as abnormal is obtained.

  Further, it is possible to obtain an effect that it is possible to detect a short-time signal change repetition of the operation signal as an abnormality within the normal operation range from the difference time and the inter-category distance information stored in the operation signal classification result database 161 in step S80.

  FIG. 5 is a diagram for explaining the state of data stored in the operation signal classification result database 161. The operation signal classification result database 161 stores the relationship between the time and the category number at the time of operation signal classification, and the distance coefficient before and after the category change.

  FIG. 6 is a diagram for explaining the state of data stored in the diagnosis result database 180. The diagnosis result database 180 stores the number of times of category change and the time when the category change occurred.

  Using the operation signal classification result information 13 stored in the operation signal classification result database 161 and the diagnosis result information 20 stored in the diagnosis result database 180, the diagnosis unit 180 diagnoses the state of the remote plant control server 310. .

  FIG. 7 is a diagram illustrating an example of a screen displayed on the image display device 440. The image display device displays the operation signal value, the result of classifying the operation signal and the measurement signal into categories, and the diagnosis result. With this screen, the operation results of the operation signal classification unit 151 and the security diagnosis unit 170 can be confirmed. According to this screen, it is displayed that the computer is infected by a change in the operation signal.

  In addition to the screens described above, the image display device 440 of the present embodiment displays trend graphs of operation signals and measurement signals and information on various databases, so that the operator can grasp the state of the plant 200 and the remote plant control server. .

  FIG. 8 is a diagram illustrating a configuration when the diagnosis target plant 200 is a power plant using a gas turbine. The plant 200 includes a gas turbine generator 220 and an on-site plant control device 210. The gas turbine generator 220 includes a generator 221, a compressor 222, a combustor 223, and a turbine 224.

During power generation, the air sucked by the compressor 222 is compressed into compressed air, and this compressed air is sent to the combustor 223 and mixed with fuel and burned. The turbine 224 is rotated using the high-pressure gas generated by the combustion, and the generator 221 generates power.
The on-site plant control device 210 controls the output of the gas turbine generator 220 according to the power demand. The on-site plant control device 210 uses the operation data 18 measured by a sensor (not shown) installed in the gas turbine generator 220 as input data. The operation data 18 includes state quantities such as intake air temperature, fuel input amount, turbine gas temperature, turbine rotation speed, generator power generation amount, turbine vibration, and the like, and is measured every sampling period. It also measures weather information such as atmospheric temperature.

The on-site plant control device 210 calculates a control signal 18 for controlling the gas turbine generator 220 using these operation data 19. Further, the on-site plant control device 210 performs processing for generating an alarm when the value of the operation data 19 deviates from a preset range. The alarm signal is processed as a digital signal of 1 when the operation data 19 deviates from a preset range and 0 when within the range. When the alarm signal is 1, the operator is notified of the content of the alarm by sound or screen display.
The on-site plant control device 210 transmits the measured operation data 19, the control signal 18 calculated by the on-site plant control device 210, and a measurement signal including an alarm signal to the plant data recording device 320.

In the operation signal DB 140 of this embodiment, at least a fuel input amount for controlling the output of the gas turbine generator 110 and a command value for the turbine speed are stored as operation signals.
In the measurement signal DB 130 of the present embodiment, at least the intake air temperature, the fuel input amount, the turbine exhaust gas temperature, the turbine rotational speed, the generator power generation amount, the turbine shaft vibration, and other state quantities are stored as measurement signals.

  By using the security diagnostic device of the present invention, it is possible to detect an abnormality in which the value of the operation signal changes rapidly even if the value of the operation signal transmitted to the power plant is within a normal operating range. As a result, it is possible to obtain an effect of avoiding the failure of the turbine by repeatedly changing the rotation speed of the turbine between the minimum value and the maximum value at once.

  FIG. 9 is a diagram showing an embodiment when the plant 200 is a power storage plant. FIG. 9 is a diagram illustrating a configuration when the diagnosis target plant 200 is a power storage system. The plant 200 includes a power storage system 220 and an on-site plant control device 210. The power storage system 220 includes a storage battery 225, a PCS (Power Conditioning System) 226 that converts direct current and alternating current, a transformer 227, and a circuit breaker 228.

  When discharging, direct current is passed from the storage battery 225 to the PCS 226, the DC current is converted to alternating current at the PCS 226, boosted to the voltage of the power system with a transformer, connected to the power system with a circuit breaker, and supplied with power. To do. In charging, the power received from the power system is stepped down to the rated voltage of the PCS 226 by the transformer 227, converted from alternating current to direct current by the PCS 226, passed to the storage battery 225, and stored in the storage battery 225.

  In the operation signal DB 140 of this embodiment, at least the power charged / discharged by the storage battery 225, the operation control signal of the PCS 226, and the like are stored as operation signals.

  The measurement signal DB 130 of the present embodiment includes at least state quantities such as SOC (State Of Charge) of the storage battery 225, charging power, discharging power, voltage, temperature, charging power amount, discharging power amount, and operating state of the PCS 226. Saved as

  By using the security diagnostic device of the present invention, even when the value of the operation signal transmitted to the power storage plant is in the normal operating range, an effect that an abnormality in which the value of the operation signal changes rapidly can be detected. As a result, it is possible to avoid the occurrence of frequency fluctuations in the grid-connected power system by repeatedly changing the charging power and discharging power between the minimum value and the maximum value at once. It is done.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.
In addition, the present invention can be applied to various plants such as a thermal power plant, a nuclear power plant, and a power storage plant as a security diagnostic device.

DESCRIPTION OF SYMBOLS 100 ... Security diagnostic apparatus 110 ... External input interface 120 ... External output interface 130 ... Measurement signal database 140 ... Operation signal database 151 ... Operation signal classification means 152 ... Measurement signal classification means 161 ... Operation signal classification result Database: 162 ... Measurement signal classification result database, 170 ... Security diagnosis means, 180 ... Diagnostic result database, 1 ... Operation signal, 3 ... Measurement signal, 4 ... Measurement signal, 5 ... External input signal, 6 ... Measurement signal, 7 ... Operation signal 8 ... Measurement signal 9 ... Operation signal 10 ... Operation signal classification result information 11 ... Measurement signal classification result information 12 ... Operation signal classification result information 13 ... Operation signal classification result information 14 ... Measurement signal classification Result information 15 ... Measured signal classification result information 16 ... Diagnostic result information 17 ... Image display information , 18 ... operation signal, 19 ... measurement signal, 20 ... diagnosis result information, 21 ... diagnosis result information

Claims (10)

  Operation signal classification means for classifying operation signals transmitted by the remote plant control server into categories, a database for storing past diagnosis results, measurement signal classification means for classifying measurement signals measured in the plant into categories, and the operations A security diagnosis unit that diagnoses that the operation signal of the remote plant control server is abnormal based on the classification result of the signal classification means and the classification result of the measurement signal classification means and the past diagnosis result, Security diagnostic equipment. In the security diagnostic device according to claim 1,
The security diagnosis device is characterized in that the security diagnosis means compares the classification result of the first period and the classification result of the second period. In the security diagnostic device according to claim 2,
The security diagnosis means determines that the state of the remote plant control server is normal when the relationship of the category of the measurement signal in the previous period is the same in the first period and the second period,
If the relationship of the category of the measurement signal in the previous period is different between the first period and the second period, and the category change is equal to or greater than the specified value or the category change time is shorter than the specified value, the state of the remote plant control server is abnormal A security diagnostic device characterized by judging. The security diagnostic device according to claim 1 is:
An operation signal classification database for storing the classification result of the operation signal classification means;
The operation signal classification means sends the result of classification into operation signal categories to the operation signal classification database. In the security diagnostic device according to any one of claims 1 to 4,
The remote plant control server stores at least a fuel input amount for controlling the output of the gas turbine generator, and a command value of the turbine speed,
The signal to be displayed on the screen is a result of detecting an abnormality in which the value of the operation signal changes even if the value of the operation signal transmitted to the power plant is within a normal operating range,
A security diagnosis device characterized by displaying on a screen information capable of avoiding a turbine failure by repeatedly changing the turbine speed between a minimum value and a maximum value. In the security diagnostic device according to any one of claims 1 to 4,
The remote plant control server stores at least a charge / discharge command value for controlling charge power and discharge power of the storage battery system,
The signal to be displayed on the screen is a result of detecting an abnormality in which the value of the operation signal changes even when the value of the operation signal transmitted to the power storage plant is within a normal operating range,
A security diagnostic device characterized in that information that can prevent occurrence of frequency fluctuations in the power system due to repeated change of charge / discharge power between a minimum value and a maximum value is displayed on the screen.   The step of classifying the operation signal transmitted by the remote plant control server into the category, the step of classifying the measurement signal measured in the plant into the category, the classification result of classifying the operation signal, the classification result and the past diagnosis result And a security diagnosis step for diagnosing that the operation signal of the remote plant control server is abnormal. In the security diagnosis method according to claim 7,
The security diagnosis method is characterized in that the security diagnosis step is a step of comparing the classification result of the first period and the classification result of the second period. In the security diagnostic method according to claim 8,
The security diagnosis step determines that the state of the remote plant control server is normal when the relationship of the category of the measurement signal in the previous period is the same in the first period and the second period,
If the relationship of the category of the measurement signal in the previous period is different between the first period and the second period, and the category change is equal to or greater than the specified value or the category change time is shorter than the specified value, the state of the remote plant control server is abnormal A security diagnosis method characterized by judging. In the security diagnostic method according to claim 9,
A security diagnosis method characterized by storing the result of classification into operation signal categories in the operation signal classification step.

Images