TW201729567A - Centralized protection method for distributed smart grid and system thereof capable of defending against threats from an external network and defending against attacks from the internal of a smart grid - Google Patents

Info

Publication number
TW201729567A
Authority
TW
Taiwan
Prior art keywords
smart grid
network
security
centralized protection
message
Prior art date
Application number
TW105104013A
Other languages
Chinese (zh)
Other versions
TWI615004B (en)
Inventor
吳坤熹
溫志宏
方湘婷
陳冠筑
左峻德
Original Assignee
東海大學
Priority date
Filing date
Publication date
Application filed by 東海大學
Priority to TW105104013A
Publication of TW201729567A
Application granted
Publication of TWI615004B

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02B: CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO BUILDINGS, e.g. HOUSING, HOUSE APPLIANCES OR RELATED END-USER APPLICATIONS
    • Y02B70/00: Technologies for an efficient end-user side electric power management and consumption
    • Y02B70/30: Systems integrating technologies related to power network operation and communication or information technologies for improving the carbon footprint of the management of residential or tertiary loads, i.e. smart grids as climate change mitigation technology in the buildings sector, including also the last stages of power distribution and the control, monitoring or operating management systems at local level
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S20/00: Management or operation of end-user stationary applications or the last stages of power distribution; Controlling, monitoring or operating thereof
    • Y04S20/20: End-user application control systems

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The centralized protection technology for a distributed smart grid provided by the present invention is a protection mechanism that gives network communication to each terminal element and network relay device in a wired or wireless smart grid, so that communication data transmitted within the smart grid is routed to an information security device for matching, with subsequent processing carried out according to the matching result and the corresponding security policy. The protection technology defends not only against threats from an external network but also against attacks originating inside the smart grid, thereby improving security. In contrast to prior-art protection technology, which requires periodically updating the security rules on each network communication device or terminal element, the present invention only requires updating the centralized security rule database of the information security device to protect the distributed terminal elements in the smart grid, dramatically reducing management complexity and improving the overall protection of the smart grid.

Description

Centralized protection method and system for a distributed smart grid

The present invention relates to security protection technology for the Internet of Things, and in particular to a centralized protection method and system for a distributed smart grid.

A smart grid uses information and communication technology to sense supply and demand information on both the power supply side and the consumption side, and accordingly adjusts generation and transmission/distribution on the supply side or adjusts consumption on the demand side, thereby saving energy, reducing losses and enhancing grid reliability. The networked devices of a smart grid therefore play a dual role: power transmission and information transfer.

To ensure the information security of network devices, many different protection technologies have been disclosed in the prior art. For example, Chinese publication CN103944896A describes a smart grid security protection system in which a front-end security module is embedded in each web server to intercept HTTP requests sent to the web server and to carry out subsequent processing according to the matching result and the corresponding security policy; this approach focuses on protecting servers, web servers in particular.

European case EP26084461A1 routes the encrypted communication between smart grid network devices through two network domains, using different keys in each, so as to improve the security of message transfer; however, it does not provide an appropriate protection mechanism for the network devices within the smart grid.

Furthermore, known security protection techniques for sensors and network components such as smart meters and relay routers include US8510835B1, which places security equipment such as a firewall at the gateway to defend against external attacks. For protection against internal attacks, US20120060152A1 formulates defense rules against the attack behaviour to be guarded against and periodically modifies the firmware of the various internal components. Such protection techniques are clearly difficult and cumbersome to update, and are therefore not satisfactory.

The main object of the present invention is therefore to provide a centralized protection method and system for a distributed smart grid that can monitor the network traffic of the internal network without separately configuring and updating defense rules on each individual networked device, so that the internal network traffic receives appropriate protection and security is ensured.

To achieve the above object, the centralized protection method and system for a distributed smart grid provided by the present invention route the messages exchanged among the many network units of the smart grid, such as smart meters and sensors, to a security unit for inspection before they reach their destination; based on the inspection result, each message is either intercepted or forwarded to its original destination.

Message transmission between the network units passes through a relay unit.

Message transmission in the internal network is controlled by one or more controllers, which control the transmission path via the relay unit.

The controller is an OpenFlow controller, and the relay unit comprises a plurality of routers.

Specifically, when a network unit and the security unit are not in the same subnet, the redirected message undergoes network address translation: its destination address is rewritten to the address of the security unit so that the message can be routed to the security unit for inspection. Once the message has been inspected and found safe, it undergoes network address translation again, and the destination address is rewritten to that of the original destination, completing the intended delivery.

(10) ‧‧‧ Centralized protection system for a distributed smart grid

(20) ‧‧‧ Network unit

(21)(22)(23) ‧‧‧ Smart meter

(24) ‧‧‧ Air-conditioning switch

(30) ‧‧‧ Security unit

(40) ‧‧‧ Relay unit

(41)(42)(43)(44)(45) ‧‧‧ Network relay device

(50) ‧‧‧ Controller

Figure 1 is a schematic diagram of a preferred embodiment of the present invention.

Referring to Figure 1, the centralized protection system (10) for a distributed smart grid according to a preferred embodiment of the present invention comprises a plurality of network units (20), a security unit (30), a relay unit (40) and a controller (50).

The network units (20) are electrically connected to each other over an internal network and exchange messages among themselves over it. They may be any smart grid devices that need to send messages: besides terminal devices such as the smart meters (21)(22)(23) and the air-conditioning switch (24) shown in the figure, they may also be equipment in power lines or in substation and control facilities. For ease of explanation, this embodiment describes only the terminal devices shown in the figure, but is not limited to them.

The security unit (30) is a conventional security device for inspecting network traffic, such as an intrusion protection system. Its preferred placement is between the smart grid's internal network and the external Internet, where it protects the messages passing between the internal network and the external Internet and thereby shields the smart grid from attacks originating on the external Internet. In other words, the security unit (30) defends against external Internet attacks exactly as in the prior art; in addition, in the present invention the security unit (30) also defends against attacks originating from the internal network.

The relay unit (40) sits between the network units (20) and the security unit (30) and comprises a plurality of network relay devices (41)(42)(43)(44)(45), each directly electrically connected to its corresponding network unit (20) or to the security unit (30), to assist the network units (20) in transmitting messages over the internal network. Each network relay device may be a network unit (20) with forwarding capability, such as a smart meter, or a stand-alone relay router with stronger communication capability.

The controller (50) is located in the internal network and controls all or some of the network relay devices belonging to the relay unit (40). For better transmission efficiency, the controller (50) may be an OpenFlow controller, which plans the transmission path of each message based on a protocol such as OpenFlow and directs the network relay devices under its control to carry it out.

With the centralized protection system (10), the centralized protection method for a distributed smart grid provided by the present invention can be carried out. For example, when a message is to be sent from smart meter (22) to the air-conditioning switch (24), the controller (50) has network relay device (41) redirect the packet along the path through network relay devices (42) and (45) to the security unit (30) for inspection. If the inspection finds that the packet does not violate the security rules configured in the security unit (30), the packet is forwarded, following the shortest-path principle, along the shortest path through network relay devices (45)(42)(43)(44) to its original destination, the air-conditioning switch (24). Conversely, if the inspection identifies the packet as an attack message, the packet is dropped and not forwarded, which achieves the protective effect.

Accordingly, the security unit (30) can not only protect against attacks from the external Internet but also block attacks from inside the smart grid's internal network. Compared with conventional distributed protection techniques, such centralized protection makes updating firmware and security rules far more convenient, which helps maintain the best protective effect.

In addition, to accommodate the different situations encountered in actual use, the controller (50) can further control the transmission of message packets as appropriate, for example:

First, when the sender and receiver of a packet have no need for security inspection, a rule can be defined under which the packet is not redirected through the security unit (30). Suppose packets from smart meter (21) to smart meter (23) require no security inspection; for messages between them, the controller (50) directly plans the shortest path through network relay devices (41)(42)(43) and delivers the packet straight to smart meter (23), without redirecting it to the security unit for inspection.

Second, when some of the network relay devices belonging to the relay unit (40) are not controlled by the controller (50), for example when network relay device (42) is a conventional Layer-2 Ethernet switch that does not support OpenFlow, the controller (50) can establish tunnels between the controlled network relay devices (41) and (45), and between the controlled network relay devices (45) and (43), so that packets requiring inspection by the security unit (30) are transmitted through these tunnels.

Specifically, the message is encapsulated by adding another header outside the original header. For example, the controller (50) may modify the lookup table of network relay device (41) by adding the rule "on receiving a message whose source is smart meter (22) and whose destination is the air-conditioning switch (24), encapsulate it by adding an outer header whose source is network relay device (41) and whose destination is network relay device (45)", and modify the lookup table of network relay device (45) by adding the rule "on receiving an encapsulated message from network relay device (41), decapsulate it by removing the outermost header to restore the original message, and forward the message to the security unit (30)". The packet is thereby redirected to the security unit (30) for inspection; when the inspection result is normal, the packet is sent back to network relay device (45) and forwarded, following the shortest-path principle, to its original destination.

Third, when the smart grid's internal network comprises different subnets, for example when network relay device (42) is a Layer-3 router that separates network relay devices (41), (43) and (45) into three subnets, the controller (50) can control network relay device (41) so that, on receiving a packet from smart meter (22) destined for the air-conditioning switch (24), it performs network address translation and rewrites the destination address to that of the security unit (30). The packet is then routed according to the routing table of the Layer-3 router (42) to the security unit (30) for inspection. When the inspection finds the packet not to be an attack message, network relay device (45) rewrites its destination address back to that of the original destination, the air-conditioning switch (24), so that the packet is delivered to its original destination.

Fourth, when the internal network communicates over a wireless network such as ZigBee, or even when the network units (20) themselves also act as network relay devices, it is preferable that every device with relay capability be controlled by the controller (50), so that whenever a received message is judged to require security inspection it can be redirected to the security unit (30). Implementation of the protection method is thus unaffected by changes in the network communication method.
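The controller behaviour described in the four cases above (the detour through relays 41, 42 and 45 to security unit 30, the no-inspection rule for meters 21 and 23, encapsulation across a non-OpenFlow relay 42, and destination rewriting across subnets), as an added simulation that is not part of the patent. The link layout, the inspection rule and the skip-inspection policy are assumptions reconstructed from the paths the description quotes.

```python
"""Simulation of the patent's controller-directed inspection detour.

Added example, not code from the patent. The undirected link layout below is an
assumption reconstructed from the paths the description quotes:
  22 -> 41 -> 42 -> 45 -> 30        detour from smart meter 22 to security unit 30
  30 -> 45 -> 42 -> 43 -> 44 -> 24  shortest path on to air-conditioning switch 24
  21 -> 41 -> 42 -> 43 -> 23        uninspected path between smart meters 21 and 23
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed adjacency; node names are the patent's reference numerals.
LINKS = {
    "21": {"41"}, "22": {"41"}, "23": {"43"}, "24": {"44"}, "30": {"45"},
    "41": {"21", "22", "42"},
    "42": {"41", "43", "45"},
    "43": {"42", "44", "23"},
    "44": {"43", "24"},
    "45": {"42", "30"},
}

SECURITY_UNIT = "30"
INGRESS_RELAY = "41"               # applies the encapsulation / NAT rule
EGRESS_RELAY = "45"                # decapsulates / reverses NAT, adjacent to unit 30
SKIP_INSPECTION = {("21", "23")}   # constructed policy: meter-to-meter traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str
    outer: Optional[Tuple[str, str]] = None  # (outer_src, outer_dst) when tunnelled


def shortest_path(a: str, b: str) -> List[str]:
    """Breadth-first search over LINKS: the controller's shortest-path planning."""
    prev = {a: None}
    queue = deque([a])
    while queue:
        node = queue.popleft()
        if node == b:
            break
        for nxt in sorted(LINKS[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], b
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def inspect(pkt: Packet) -> bool:
    """Stand-in for the security unit (30). Constructed rule: a payload carrying
    the token 'ATTACK' violates the centralized rule set and is dropped."""
    return "ATTACK" not in pkt.payload


def route(pkt: Packet, mode: str) -> Tuple[bool, List[str]]:
    """Forward one packet and return (delivered, list of hops visited).

    mode == "tunnel": relay 42 is a plain L2 switch, so relay 41 encapsulates with
    an outer header 41 -> 45 and relay 45 decapsulates (the patent's second case).
    mode == "nat": relay 42 is an L3 router, so relay 41 rewrites the destination
    to unit 30 and relay 45 rewrites it back (the patent's third case).
    """
    if (pkt.src, pkt.dst) in SKIP_INSPECTION:          # first case: no detour at all
        return True, shortest_path(pkt.src, pkt.dst)

    hops = shortest_path(pkt.src, INGRESS_RELAY)
    if mode == "tunnel":
        wrapped = replace(pkt, outer=(INGRESS_RELAY, EGRESS_RELAY))
        hops += shortest_path(INGRESS_RELAY, EGRESS_RELAY)[1:]   # carried inside the tunnel
        at_unit = replace(wrapped, outer=None)                   # decapsulated at relay 45
        hops += shortest_path(EGRESS_RELAY, SECURITY_UNIT)[1:]
    elif mode == "nat":
        at_unit = replace(pkt, dst=SECURITY_UNIT)                # destination NAT at relay 41
        hops += shortest_path(INGRESS_RELAY, SECURITY_UNIT)[1:]  # follows 42's routing table
    else:
        raise ValueError(f"unknown mode {mode!r}")

    if not inspect(at_unit):
        return False, hops                                       # dropped at unit 30

    restored = replace(at_unit, dst=pkt.dst)                     # reverse NAT (no-op for tunnel)
    hops += shortest_path(SECURITY_UNIT, restored.dst)[1:]       # shortest path to original target
    return True, hops


if __name__ == "__main__":
    print(route(Packet("22", "24", "set_temperature=25"), "tunnel"))
    print(route(Packet("22", "24", "ATTACK: reboot all"), "nat"))
    print(route(Packet("21", "23", "meter reading 4213 kWh"), "nat"))
```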


Claims (12)

1. A centralized protection method for a distributed smart grid, wherein messages transmitted among a plurality of network units inside the smart grid are redirected via a relay unit to a security unit for inspection; when an inspected message does not violate the security rules of the security unit, it is forwarded via the relay unit to its original destination, and when an inspected message violates the security rules of the security unit, its transmission is terminated, thereby providing defense for the internal network communication of the smart grid.

2. The centralized protection method for a distributed smart grid of claim 1, wherein the transmission path of messages in the smart grid's internal network is controlled by a controller.

3. The centralized protection method for a distributed smart grid of claim 2, wherein the controller is an OpenFlow controller.

4. The centralized protection method for a distributed smart grid of claim 1, 2 or 3, wherein the relay unit comprises a plurality of routers or switches.

5. The centralized protection method for a distributed smart grid of claim 1, 2 or 3, wherein message packets are encapsulated before being transmitted.

6. The centralized protection method for a distributed smart grid of claim 1, 2 or 3, wherein message packets undergo network address translation, whereby the destination address of the original destination is rewritten to the address of the security unit so as to redirect the packet to the security unit.

7. The centralized protection method for a distributed smart grid of claim 6, wherein a message packet inspected and found safe undergoes network address translation, whereby its destination address is rewritten to the address of the original destination before it is forwarded to the original destination.

8. A centralized protection system for a distributed smart grid, comprising: a plurality of network units electrically connected to each other over an internal network; and a relay unit between the network units, which redirects the messages exchanged among the network units for inspection and, once they are confirmed safe, forwards them to their original destination.

9. The centralized protection system for a distributed smart grid of claim 8, further comprising a security unit for inspecting messages and intercepting attack network traffic.

10. The centralized protection system for a distributed smart grid of claim 8 or 9, further comprising a controller for planning the transmission path and controlling the relay unit to execute it.

11. The centralized protection system for a distributed smart grid of claim 10, wherein the controller is an OpenFlow controller.

12. The centralized protection system for a distributed smart grid of claim 8 or 9, wherein the relay unit has a plurality of routers or switches.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW105104013A TWI615004B (en) 2016-02-05 2016-02-05 Centralized protection method and system for decentralized smart grid

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW105104013A TWI615004B (en) 2016-02-05 2016-02-05 Centralized protection method and system for decentralized smart grid

Publications (2)

Publication Number Publication Date
TW201729567A true TW201729567A (en) 2017-08-16
TWI615004B TWI615004B (en) 2018-02-11

Family

ID=60186746

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105104013A TWI615004B (en) 2016-02-05 2016-02-05 Centralized protection method and system for decentralized smart grid

Country Status (1)

Country Link
TW (1) TWI615004B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW200612695A (en) * 2004-10-08 2006-04-16 Broad Web Corp Content checking method applied to network packet of a network security switch
CN104569576B (en) * 2014-12-19 2018-03-20 上海交通大学 The illegal electricity consumption behavior distributed detection system of intelligent grid

Also Published As

Publication number Publication date
TWI615004B (en) 2018-02-11


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees