CN112073375B - An isolation device and isolation method suitable for the client side of the power Internet of Things - Google Patents
Publication number: CN112073375B (application CN202010789502.2A)
Authority: CN (China)
Prior art keywords: external network, data, processing module, data message, isolation
Legal status: Active
Classifications
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- G16Y10/35—Utilities, e.g. electricity, gas or water
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L69/08—Protocols for interworking; Protocol conversion
- H04L69/22—Parsing or analysis of headers
Description
Technical field
The present invention relates to the technical field of the Internet of Things and, more specifically, to an isolation device and an isolation method suitable for the client side of the power Internet of Things.
Background
With the development of new technologies such as mobile Internet and artificial intelligence, two-way interaction between power users and the smart grid is becoming more frequent, and users' requirements for the form and quality of grid services keep rising. To meet the application needs of power users and to strengthen their perception of and participation in the smart grid, the power Internet of Things has emerged. The power Internet of Things is characterised by comprehensive perception of operating status, efficient information processing, and convenient and flexible applications. It connects power users and their equipment, enterprises of all kinds and their equipment, and people and things, generating shared data that serves users, the grid, power enterprises, suppliers and society; with the grid as its hub, it acts as a platform for sharing and provides more valuable services to the whole industry and to more market participants.
To improve interaction between the power Internet of Things and its users, a large number of non-grid assets whose security is not under the grid's control, such as charging piles and external integrated-energy equipment, must be connected on the client side of the power Internet of Things. These devices can connect to all kinds of electrical equipment over convenient communication channels such as WIFI to collect electricity-consumption data and exchange information. This inevitably turns the power network from a closed service model into an open one and connects the power Internet of Things directly to public networks, which greatly increases its exposure to network attacks such as counterfeit terminal access, Trojans, viruses and malicious code, and makes it easier for malicious actors to intrude into the entire power network through the perception layer and carry out attacks and sabotage. Isolation devices are therefore needed to achieve network isolation and secure data exchange between networks. However, traditional isolation equipment and systems have a narrow range of functions, are large in size and power consumption, and require relatively many computing resources; most are only suited to boundary isolation of traditional networks and cannot meet the requirement for secure information exchange with uncontrolled client-side devices at the perception or edge layer of the power Internet of Things, where low power consumption, low cost and wide distribution are needed.
There is therefore an urgent need to research micro-isolation technology for the Internet of Things and to develop network isolation devices that can be deployed at the perception or edge layer of the power Internet of Things, securely isolating the access network that is open to power users from the core network of the power Internet of Things.
Summary of the invention
The present invention proposes an isolation device and an isolation method suitable for the client side of the power Internet of Things, to solve the problem of how to securely isolate the open client-side access network of the Internet of Things from the core network of the power Internet of Things.
To solve the above problem, according to one aspect of the present invention, an isolation device suitable for the client side of the power Internet of Things is provided. The device comprises:
an external network processing module, configured to parse a first data message received from an external network device to obtain key information, and to perform protocol format conversion on the key information according to a data ferry protocol to obtain a second data message, which is sent to the isolation switching module;
an isolation switching module, configured to keep the external network processing module and the internal network processing module in a physically isolated state, to perform format verification on the second data message, and, once the second data message has passed format verification, to send it to the internal network processing module;
an internal network processing module, configured to decrypt the second data message and to perform protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things, to obtain a third data message which is sent to an internal network device.
Preferably, the device further comprises:
the internal network processing module, configured to encrypt a fourth data message received from an internal network device, and to perform protocol format conversion on the encrypted fourth data according to the data ferry protocol to obtain a fifth data message, which is sent to the isolation switching module;
the isolation switching module, configured to keep the external network processing module and the internal network processing module in a physically isolated state, to perform format verification on the fifth data message and, once the fifth data message has passed format verification, to send it to the external network processing module;
the external network processing module, configured to perform protocol format conversion on the fifth data message according to the communication protocol of the external network device, to obtain a sixth data message which is sent to the external network device.
Preferably, the external network processing module further comprises:
a format verification unit, configured to verify whether the message format of the first data message meets the access requirements of the power Internet of Things; if verification passes, the first data message is parsed; if verification fails, the data transmission request of the external network device is rejected;
a traffic monitoring unit, configured to monitor whether the data traffic of the external network device meets the access requirements of the power Internet of Things and whether an abnormal data flow is present; if an abnormal data flow is present, the data transmission request of the external network device is rejected; if no abnormal data flow is present, the data transmission request of the external network device is allowed.
Preferably, the isolation switching module keeping the external network processing module and the internal network processing module in a physically isolated state comprises:
keeping the external network processing module and the internal network processing module physically disconnected from each other at every instant; when one of the external network processing module and the internal network processing module is exchanging data with the logical isolation unit, the logical isolation unit is disconnected from the other module, and only after the module exchanging data has completed the exchange and released the isolation control signal can the other module exchange data with the logical isolation unit.
Preferably, the isolation switching module performs format verification as follows:
verifying whether the format of the data message to be transmitted conforms to the data ferry protocol; if format verification passes, the data message to be transmitted is transmitted; if format verification fails, the data message to be transmitted is rejected.
Preferably, the internal network processing module further comprises:
an identity recognition unit, configured to obtain the identity information of the external network device requesting access from the decrypted second data message and to perform identity authentication based on that identity information; if identity authentication succeeds, the external device requesting access is allowed to access the power Internet of Things for information exchange; if identity authentication fails, it is denied access to the power Internet of Things for information exchange; where the key information comprises the identity information of the external network device.
Preferably, the identity recognition unit performing identity authentication based on the identity information of the external network device requesting access comprises:
generating, from the identity information of the external device requesting access and according to a preset fingerprint generation strategy, a device fingerprint and an operating environment fingerprint respectively, and comparing the device fingerprint and operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist to perform identity authentication; where the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information comprises the energy consumption changes, signal strength changes and traffic changes of the external network device.
Preferably, the internal network processing module further comprises:
an access control unit, configured to perform access control on the external network device according to a preset access control policy and to determine the access rights of the external device;
a service monitoring unit, configured to monitor the processes in the internal network processing module and, when an abnormal event occurs, to handle the abnormal event promptly so that the internal network processing module continues to provide normal service;
a log recording unit, configured to record operation logs and communication logs of all kinds;
a key and certificate import unit, configured to interface with the unified power cryptographic infrastructure to distribute keys to external network devices and to apply for and issue digital certificates.
According to another aspect of the present invention, an isolation method suitable for the client side of the power Internet of Things is provided. The method comprises:
parsing a first data message received from an external network device to obtain key information, and performing protocol format conversion on the key information according to a data ferry protocol to obtain a second data message;
keeping the external network processing module and the internal network processing module in a physically isolated state, and performing format verification on the second data message;
after the second data message has passed format verification, decrypting the second data message and performing protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things, to obtain a third data message which is sent to an internal network device.
Preferably, the method further comprises:
encrypting a fourth data message received from an internal network device, and performing protocol format conversion on the encrypted fourth data according to the data ferry protocol to obtain a fifth data message;
keeping the external network processing module and the internal network processing module in a physically isolated state, and performing format verification on the fifth data message;
after the fifth data message has passed format verification, performing protocol format conversion on the fifth data message according to the communication protocol of the external network device, to obtain a sixth data message which is sent to the external network device.
Preferably, the method further comprises:
before parsing the first data message received from the external network device, verifying whether the message format of the first data message meets the access requirements of the power Internet of Things; if verification passes, the first data message is parsed; if verification fails, the data transmission request of the external network device is rejected;
monitoring whether the data traffic of the external network device meets the access requirements of the power Internet of Things and whether an abnormal data flow is present; if an abnormal data flow is present, the data transmission request of the external network device is rejected; if no abnormal data flow is present, the data transmission request of the external network device is allowed.
Preferably, keeping the external network processing module and the internal network processing module in a physically isolated state comprises:
keeping the external network processing module and the internal network processing module physically disconnected from each other at every instant; when one of the external network processing module and the internal network processing module is exchanging data with the logical isolation unit, the logical isolation unit is disconnected from the other module, and only after the module exchanging data has completed the exchange and released the isolation control signal can the other module exchange data with the logical isolation unit.
Preferably, the method performs format verification as follows:
verifying whether the format of the data message to be transmitted conforms to the data ferry protocol; if format verification passes, the data message to be transmitted is transmitted; if format verification fails, the data message to be transmitted is rejected.
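The isolation switching described above (one side connected to the logical isolation unit at a time, handover only after the isolation control signal is released) and the ferry-protocol format check can be simulated in a few dozen lines. The block below is an added example written for this page; it is not code from the patent. The patent does not define the data ferry protocol, so the frame layout (a `FERY` marker, a 16-bit length, a JSON payload with a fixed key set, and a truncated SHA-256 tag), the `REQUIRED_KEYS` set and the sample key information are all assumptions constructed here.

```python
# Added example, not from the patent: a constructed data-ferry frame format,
# the format check the isolation switching module applies to it, and a
# one-side-at-a-time isolation switch. Frame layout, key names and sample
# values are assumptions; the patent leaves the ferry protocol unspecified.
import hashlib
import json
import struct
from typing import Optional, Tuple

MAGIC = b"FERY"                    # constructed frame marker
MAX_PAYLOAD = 1024                 # constructed bound on the ferried payload
TAG_LEN = 8                        # truncated SHA-256 integrity tag
HEADER_LEN = len(MAGIC) + 2        # marker + big-endian 16-bit length
REQUIRED_KEYS = {"mac", "ip", "protocol", "data"}   # the only keys ferried


def encode_ferry(key_info: dict) -> bytes:
    """External side: wrap parsed key information in a ferry frame."""
    payload = json.dumps(key_info, sort_keys=True, separators=(",", ":")).encode()
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("key information too large to ferry")
    tag = hashlib.sha256(payload).digest()[:TAG_LEN]
    return MAGIC + struct.pack("!H", len(payload)) + payload + tag


def check_ferry_format(frame: bytes) -> Tuple[bool, str]:
    """Isolation switching module: accept only the fixed frame layout and key set.

    Anything that is not a well-formed ferry frame (a raw protocol message, a
    truncated or tampered frame, a payload with extra keys) is dropped here,
    before it can reach the internal network processing module.
    """
    if len(frame) < HEADER_LEN + TAG_LEN or frame[:len(MAGIC)] != MAGIC:
        return False, "bad magic or truncated frame"
    (length,) = struct.unpack("!H", frame[len(MAGIC):HEADER_LEN])
    if length > MAX_PAYLOAD or len(frame) != HEADER_LEN + length + TAG_LEN:
        return False, "length field does not match frame"
    payload = frame[HEADER_LEN:HEADER_LEN + length]
    if hashlib.sha256(payload).digest()[:TAG_LEN] != frame[HEADER_LEN + length:]:
        return False, "integrity tag mismatch"
    try:
        obj = json.loads(payload)
    except ValueError:
        return False, "payload is not JSON"
    if not isinstance(obj, dict) or set(obj) != REQUIRED_KEYS:
        return False, "unexpected payload keys"
    return True, "ok"


class IsolationSwitch:
    """Logical isolation unit: at most one side is connected at any instant."""

    def __init__(self) -> None:
        self.holder: Optional[str] = None   # side asserting the isolation control signal
        self.staging: Optional[bytes] = None  # single frame buffered between the sides
        self.rejected = []                    # (side, reason) for frames dropped by the check

    def acquire(self, side: str) -> None:
        """Assert the control signal; refused while the other side holds it."""
        if self.holder is not None and self.holder != side:
            raise RuntimeError(f"{side} blocked: {self.holder} holds the isolation control signal")
        self.holder = side

    def release(self, side: str) -> None:
        if self.holder != side:
            raise RuntimeError(f"{side} does not hold the isolation control signal")
        self.holder = None

    def write(self, side: str, frame: bytes) -> bool:
        """Stage a frame only if it passes the ferry format check."""
        self.acquire(side)
        try:
            ok, reason = check_ferry_format(frame)
            if ok:
                self.staging = frame
            else:
                self.rejected.append((side, reason))
            return ok
        finally:
            self.release(side)          # release so the other side may connect

    def read(self, side: str) -> Optional[bytes]:
        """Take the staged frame; the other side is disconnected meanwhile."""
        self.acquire(side)
        try:
            frame, self.staging = self.staging, None
            return frame
        finally:
            self.release(side)


def ferry_inbound(switch: IsolationSwitch, key_info: dict) -> Optional[dict]:
    """External side writes, then internal side reads: never both at once."""
    frame = encode_ferry(key_info)
    if not switch.write("external", frame):
        return None
    received = switch.read("internal")
    return json.loads(received[HEADER_LEN:-TAG_LEN]) if received else None


# Constructed sample key information from a charging pile on the external side.
SAMPLE_KEY_INFO = {"mac": "02:00:00:aa:bb:cc", "ip": "10.0.0.7",
                   "protocol": "mqtt", "data": "0102ab"}
```

The check is deliberately whole-frame and closed-world: the length must match the frame exactly, the tag must match the payload, and the key set must equal `REQUIRED_KEYS` rather than merely contain it, so a frame that carries anything beyond the agreed key information never crosses the switch. Decryption of the ferried content by the internal side is outside this block.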
Preferably, the method further comprises:
obtaining, from the decrypted second data message, the identity information of the external network device requesting access, and performing identity authentication based on that identity information; if identity authentication succeeds, the external device requesting access is allowed to access the power Internet of Things for information exchange; if identity authentication fails, it is denied access to the power Internet of Things for information exchange; where the key information comprises the identity information of the external network device.
Preferably, performing identity authentication based on the identity information of the external network device requesting access comprises:
generating, from the identity information of the external device requesting access and according to a preset fingerprint generation strategy, a device fingerprint and an operating environment fingerprint respectively, and comparing the device fingerprint and operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist to perform identity authentication; where the identity information comprises device parameter information and operating environment parameter information; the device parameter information comprises the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information comprises the energy consumption changes, signal strength changes and traffic changes of the external network device.
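The two-fingerprint authentication described here (in both the device and the method claims) can be made concrete with one possible fingerprint generation strategy. The block below is an added example for this page, not the patent's own code: the patent says only that the strategy is "preset", so the canonical device field list, the band widths used to quantize energy, signal and traffic changes, the whitelist layout and the enrolled sample device are all assumptions constructed here. The environment fingerprint is quantized so that normal drift maps to the same band while a sharp change in consumption, signal or traffic does not, which is what lets it catch a device whose MAC and IP match the whitelist but whose behaviour does not.

```python
# Added example, not from the patent: a constructed fingerprint generation
# strategy and whitelist comparison for the identity recognition unit.
# Field list, band widths, whitelist layout and sample values are assumptions.
import hashlib
import json
from typing import Dict, Set, Tuple

DEVICE_FIELDS = ("mac", "ip", "protocol", "data_format")   # device parameter information
ENV_BANDS = {                      # operating environment parameter information
    "energy_change_pct": 10.0,     # band width for energy consumption change
    "signal_change_db": 5.0,       # band width for signal strength change
    "traffic_change_pct": 25.0,    # band width for traffic change
}


def device_fingerprint(identity: Dict[str, str]) -> str:
    """Hash of the canonical device parameters; an exact match is required."""
    canonical = json.dumps({k: identity[k].lower() for k in DEVICE_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def env_fingerprint(env: Dict[str, float]) -> str:
    """Hash of quantized environment changes.

    Each metric is divided by its band width and rounded, so small drift lands
    in the same band as the enrolled value and a large change lands elsewhere.
    """
    bands = {k: round(env[k] / width) for k, width in ENV_BANDS.items()}
    return hashlib.sha256(json.dumps(bands, sort_keys=True).encode()).hexdigest()


def authenticate(identity: Dict[str, str], env: Dict[str, float],
                 whitelist: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Compare both fingerprints with the preset device access whitelist.

    whitelist maps a device fingerprint to the set of environment fingerprints
    accepted for that device; both must match before access is granted.
    """
    dev_fp = device_fingerprint(identity)
    if dev_fp not in whitelist:
        return False, "device fingerprint not in whitelist"
    if env_fingerprint(env) not in whitelist[dev_fp]:
        return False, "operating environment fingerprint does not match"
    return True, "authenticated"


# Constructed enrolment: one charging pile and its normal operating environment.
ENROLLED_DEVICE = {"mac": "02:00:00:AA:BB:CC", "ip": "10.0.0.7",
                   "protocol": "mqtt", "data_format": "json"}
ENROLLED_ENV = {"energy_change_pct": 3.0, "signal_change_db": -1.0, "traffic_change_pct": 8.0}
WHITELIST = {device_fingerprint(ENROLLED_DEVICE): {env_fingerprint(ENROLLED_ENV)}}
```

A device whose parameters differ in any field gets a different device fingerprint and is rejected outright; a device whose parameters match but whose traffic has jumped by an order of magnitude fails on the environment fingerprint, and the returned reason tells the log recording unit which check failed.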
Preferably, the method further comprises:
performing access control on the external network device according to a preset access control policy, and determining the access rights of the external device;
monitoring the processes in the internal network processing module and, when an abnormal event occurs, handling the abnormal event promptly so that the internal network processing module continues to provide normal service;
recording operation logs and communication logs of all kinds;
interfacing with the unified power cryptographic infrastructure to distribute keys to external network devices and to apply for and issue digital certificates.
The present invention provides an isolation device and an isolation method suitable for the client side of the power Internet of Things. An external network processing module parses the first data message received from an external network device to obtain key information and performs protocol format conversion on the key information according to the data ferry protocol to obtain a second data message; an isolation switching module keeps the external network processing module and the internal network processing module in a physically isolated state and performs format verification on the second data message; and, once the second data message has passed format verification, an internal network processing module decrypts the second data message and performs protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things to obtain a third data message, which is sent to an internal network device. This achieves secure isolation of the open client-side access network from the core network of the power Internet of Things and can effectively prevent illegal intrusion into core business systems.
Description of the drawings
A more complete understanding of the exemplary embodiments of the present invention may be obtained by reference to the following drawings:
Figure 1 is a schematic structural diagram of an isolation device 100 suitable for the client side of the power Internet of Things according to an embodiment of the present invention;
Figure 2 is a logical architecture diagram of a network isolation device according to an embodiment of the present invention;
Figure 3 is a flow chart of identity authentication according to an embodiment of the present invention;
Figure 4 is a read/write logic diagram of an isolation device according to an embodiment of the present invention;
Figure 5 is a schematic diagram of application-layer data exchange based on a transparent proxy mode according to an embodiment of the present invention;
Figure 6 is a flow chart of an isolation method 600 suitable for the client side of the power Internet of Things according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and is not limited to the embodiments described here; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art. The terminology used for the exemplary embodiments shown in the drawings does not limit the invention. In the drawings, identical units/elements are given the same reference numerals.
Unless otherwise stated, the terms used here (including scientific and technical terms) have the meaning commonly understood by those skilled in the art. In addition, terms defined in commonly used dictionaries should be understood to have a meaning consistent with their context in the relevant field and should not be interpreted in an idealised or overly formal sense.
Figure 1 is a schematic structural diagram of an isolation device 100 suitable for the client side of the power Internet of Things according to an embodiment of the present invention. As shown in Figure 1, the isolation device provided by the present invention achieves secure isolation of the open client-side access network from the core network of the power Internet of Things and can effectively prevent illegal intrusion into core business systems. The isolation device 100 according to this embodiment comprises an external network processing module 101, an isolation switching module 102 and an internal network processing module 103.
优选地,所述外网处理模块101,用于对接收的外网设备发送的第一数据报文进行解析,以获取关键信息,并按照数据摆渡协议对所述关键信息进行协议格式转换处理,以获取第二数据报文并发送至隔离交换模块。Preferably, the external network processing module 101 is used to parse the first data message sent by the received external network device to obtain key information, and perform protocol format conversion processing on the key information according to the data ferry protocol, To obtain the second data packet and send it to the isolation switching module.
优选地,其中所述外网处理模块101,还包括:Preferably, the external network processing module 101 also includes:
格式校验单元,用于校验所述第一数据报文的报文格式是否符合电力物联网准入要求;其中,若校验通过,则对所述第一数据报文进行解析;若校验不通过,则拒绝所述外网设备的数据传输请求;Format verification unit, used to verify whether the message format of the first data message meets the power Internet of Things access requirements; wherein, if the verification passes, the first data message is parsed; if the verification If the verification fails, the data transmission request of the external network device will be rejected;
流量监测单元,用于监测外网设备的数据流量是否符合电力物联网准入要求,是否存在异常数据流;其中,若存在异常数据流,则拒绝所述外网设备的数据传输请求;若不存在异常数据流,则允许所述外网设备的数据传输请求。The flow monitoring unit is used to monitor whether the data flow of the external network equipment meets the power Internet of Things access requirements and whether there is an abnormal data flow; if there is an abnormal data flow, the data transmission request of the external network equipment is rejected; if not If there is an abnormal data flow, the data transmission request of the external network device is allowed.
Figure 2 is a logical architecture diagram of the micro network isolation device according to an embodiment of the present invention. As shown in Figure 2, in this embodiment the external network processing module includes an external network communication sub-module and an external network service processing sub-module.
The external network communication sub-module includes an HPLC interface unit, a WIFI interface unit and an external network Ethernet interface unit; external network devices can access the network via WIFI, HPLC, Ethernet and similar means.
The external network service processing sub-module mainly includes an external network data transceiver unit, a format verification unit, a flow monitoring unit, an external network protocol conversion unit and an external network upgrade management unit. The external network data transceiver unit receives the first data message sent by the external network device. The format verification unit verifies whether the message format of the first data message meets the access requirements of the power Internet of Things; if the verification passes, the first data message is parsed; if it fails, the data transmission request of the external network device is rejected. The flow monitoring unit monitors whether the data flow of the external network device meets the access requirements of the power Internet of Things and whether an abnormal data flow exists; if an abnormal data flow exists, the data transmission request is rejected; otherwise it is allowed. The external network protocol conversion unit parses the first data message to obtain the key information, strips the transport-layer protocol from the key information and encapsulates it according to the data ferry protocol, obtaining the second data message, which is sent to the isolation switching module.
The key information includes the device MAC, the IP address, the valid instruction data sent by the device and similar information. Before protocol conversion the data message format conforms to the communication protocol of the external network device; after protocol conversion the data conforms to the data ferry protocol. The external network upgrade management unit is mainly responsible for upgrading and maintaining the software of the external network processing module.
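The external-network path described above (format verification, flow monitoring, key-information extraction and re-encapsulation under the data ferry protocol), as an added worked example in Python that is not part of the patent or of any product it describes. The external device message layout, the ferry frame layout, the one-byte checksum and the rate threshold are all assumptions, since the patent specifies none of them; the sample messages are constructed for the example.

```python
"""External-network side processing: format check, flow monitoring, key-info
extraction and re-encapsulation into a ferry frame.

Added example; not code from the patent. The wire formats below are
assumptions: the patent does not define the external device protocol or the
data ferry protocol, so a simple fixed-layout frame is used for both.
"""
import struct
import time

# Assumed external-device message layout (constructed for this example):
#   magic 'PW' | mac(6) | ipv4(4) | cmd(1) | len(2, big-endian) | payload(len)
EXT_MAGIC = b"PW"
EXT_HDR = struct.Struct(">2s6s4sBH")
MAX_PAYLOAD = 256

# Assumed ferry-frame layout:
#   magic 'FY' | ver(1) | mac(6) | ipv4(4) | cmd(1) | len(2) | payload | checksum(1)
FERRY_MAGIC = b"FY"
FERRY_VER = 1
FERRY_HDR = struct.Struct(">2sB6s4sBH")


def checksum8(data: bytes) -> int:
    """One-byte additive checksum used by the assumed ferry protocol."""
    return sum(data) & 0xFF


def check_format(msg: bytes) -> bool:
    """Format verification unit: accept only well-formed external messages."""
    if len(msg) < EXT_HDR.size:
        return False
    magic, _mac, _ip, _cmd, length = EXT_HDR.unpack_from(msg)
    if magic != EXT_MAGIC or length > MAX_PAYLOAD:
        return False
    return len(msg) == EXT_HDR.size + length   # no trailing or missing bytes


def parse_key_info(msg: bytes) -> dict:
    """Extract the key information (MAC, IP, command payload); the
    transport-layer framing is dropped here and never crosses the gate."""
    _magic, mac, ip, cmd, length = EXT_HDR.unpack_from(msg)
    payload = msg[EXT_HDR.size:EXT_HDR.size + length]
    return {"mac": mac.hex(":"), "ip": ".".join(str(b) for b in ip),
            "cmd": cmd, "payload": payload}


def to_ferry_frame(info: dict) -> bytes:
    """Re-encapsulate the key information under the assumed ferry protocol."""
    mac = bytes.fromhex(info["mac"].replace(":", ""))
    ip = bytes(int(x) for x in info["ip"].split("."))
    body = FERRY_HDR.pack(FERRY_MAGIC, FERRY_VER, mac, ip, info["cmd"],
                          len(info["payload"])) + info["payload"]
    return body + bytes([checksum8(body)])


class FlowMonitor:
    """Flow monitoring unit: per-device sliding-window message-rate limit.
    The threshold is an assumption; the patent leaves the policy unspecified."""
    def __init__(self, max_msgs: int, window_s: float):
        self.max_msgs, self.window_s = max_msgs, window_s
        self.history = {}   # mac -> list of arrival timestamps

    def allow(self, mac: str, now: float) -> bool:
        stamps = [t for t in self.history.get(mac, []) if now - t < self.window_s]
        stamps.append(now)
        self.history[mac] = stamps
        return len(stamps) <= self.max_msgs


def process_external(msg: bytes, monitor: FlowMonitor, now: float):
    """Full external-side path. Returns (ferry_frame, 'ok') or (None, reason)."""
    if not check_format(msg):
        return None, "format rejected"
    info = parse_key_info(msg)
    if not monitor.allow(info["mac"], now):
        return None, "abnormal flow rejected"
    return to_ferry_frame(info), "ok"


# Constructed samples: one valid message, one whose length field lies.
SAMPLE_MAC = bytes.fromhex("0a1b2c3d4e5f")
SAMPLE_IP = bytes([10, 0, 0, 7])
GOOD_MSG = EXT_HDR.pack(EXT_MAGIC, SAMPLE_MAC, SAMPLE_IP, 0x01, 5) + b"READ1"
BAD_MSG = EXT_HDR.pack(EXT_MAGIC, SAMPLE_MAC, SAMPLE_IP, 0x01, 50) + b"READ1"

if __name__ == "__main__":
    mon = FlowMonitor(max_msgs=3, window_s=1.0)
    print(process_external(GOOD_MSG, mon, time.time()))
    print(process_external(BAD_MSG, mon, time.time()))
```

The length check is the one that matters most in practice: a message whose declared length does not match its actual size is rejected before any field is interpreted, so a malformed frame never reaches the conversion step, and the ferry frame carries only the extracted fields rather than the original transport framing.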
Preferably, the isolation switching module 102 is configured to keep the external network processing module and the internal network processing module in a physically isolated state, to perform format verification on the second data message and, after the second data message passes the format verification, to send it to the internal network processing module.
Preferably, the isolation switching module 102 keeping the external network processing module and the internal network processing module physically isolated includes:
keeping the external network processing module and the internal network processing module physically disconnected from each other at any given moment; if one of the two modules is exchanging data with the logical isolation unit, the logical isolation unit is disconnected from the other module, and only after the module that is exchanging data has completed the exchange and released the isolation control signal can the other module exchange data with the logical isolation unit.
Preferably, the isolation switching module performs format verification as follows:
verifying whether the format of the data message to be transmitted conforms to the data ferry protocol; if the format verification passes, the data message is transmitted; if it fails, the data message is rejected.
As shown in Figure 2, in this embodiment the isolation switching module includes an isolation switching main controller MCU and a network isolation sub-module; the network isolation sub-module includes a logical isolation unit and a data switching unit.
The logical isolation unit keeps the external network processing module and the internal network processing module physically isolated, and the data switching unit performs the format verification on the second data message and, after it passes, sends the second data message to the internal network processing module, completing the data transfer. Specifically, the logical isolation unit of the isolation switching module keeps the two processing modules physically disconnected from each other at any given moment: if one of them is exchanging data with the logical isolation unit, the logical isolation unit is disconnected from the other, and only after the module that is exchanging data has completed the exchange and released the isolation control signal can the other module exchange data with the logical isolation unit. When the format of the second data message is checked against the data ferry protocol, the message is transmitted if the check passes and rejected if it fails.
The isolation switching main controller MCU includes at least three CPUs: two of them handle the internal network services and the external network services respectively, and the third manages the system configuration and the security policy settings.
Preferably, the internal network processing module 103 is configured to decrypt the second data message and to perform protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things to obtain a third data message, which it sends to the internal network device.
Preferably, the internal network processing module further includes:
an identity recognition unit, configured to obtain the identity information of the external network device requesting access from the decrypted second data message and to perform identity authentication on the basis of that identity information; if authentication succeeds, the requesting external network device is allowed to access the power Internet of Things for information exchange; if authentication fails, the requesting device is denied access to the power Internet of Things; the key information includes the identity information of the external network device.
Preferably, the identity recognition unit performing identity authentication on the basis of the identity information of the external network device requesting access includes:
generating a device fingerprint and an operating environment fingerprint from the identity information of the requesting device according to a preset fingerprint generation strategy, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device admission whitelist in order to authenticate the device; the identity information includes device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the external network device; the operating environment parameter information includes the energy consumption changes, signal strength changes and traffic changes of the external network device.
Preferably, the internal network processing module further includes:
an access control unit, configured to control access of the external network device according to a preset access control policy and to determine the access rights of the external network device;
a service monitoring unit, configured to monitor the processes in the internal network processing module and, when an abnormal event occurs, to handle it promptly so that the internal network processing module can continue to provide normal service;
a log recording unit, configured to record operation logs and communication logs of all kinds;
a key and certificate import unit, configured to interface with the unified cryptographic infrastructure of the power industry in order to distribute keys to external network devices and to apply for and issue digital certificates.
As shown in Figure 2, in this embodiment the internal network processing module includes an internal network communication sub-module, a cryptographic operation sub-module and an internal network service processing sub-module. The internal network communication sub-module includes a power private network interface unit and an internal network Ethernet interface unit. The cryptographic operation sub-module includes a key management unit and an algorithm operation unit. The internal network service processing sub-module includes an internal network data transceiver unit, an internal network protocol conversion unit, an identity recognition unit, a service monitoring unit, an access control unit, a key and certificate import unit, a log recording unit and an internal network upgrade management unit.
In this embodiment, the key management unit is responsible for the secure management of keys over their entire life cycle. The algorithm operation unit performs the operations of the national cryptographic algorithms SM1, SM2, SM3, SM4, SM7, SM9 and the like, and decrypts the second data message to obtain the decrypted second data message. After the internal network processing module receives the second data message sent by the isolation switching module through the internal network data transceiver unit, it decrypts the second data message with the algorithm operation unit, uses the internal network protocol conversion unit to perform protocol format conversion on the decrypted second data message according to the dedicated communication protocol of the power Internet of Things to obtain the third data message, and uses the internal network data transceiver unit to send the converted and encapsulated third data message to the internal network device. Before protocol conversion the data message format conforms to the data ferry protocol; after protocol conversion the data conforms to the dedicated communication protocol of the power Internet of Things.
In addition, the internal network processing module uses the identity recognition unit to authenticate the external network device requesting access on the basis of its identity information; if authentication succeeds, the requesting external network device is allowed to access, and if it fails, access is denied. Specifically, the identity authentication process, shown in Figure 3, includes:
(1) The sensing device or the user's electrical device sends its device parameter information, including its MAC, IP, communication protocol Pr, valid data Dv and data format Df, to the internal network processing module. The internal network processing module analyses the legality and validity of this information; if it meets the access requirements of the Internet of Things environment, a "device fingerprint" Dfp is formed and the verification result is fed back to the sensing device or the user's electrical device.
(2) The sensing device or the user's electrical device sends environment parameter information such as the energy consumption change Ec, the signal strength change Sc and the traffic change Fc to the internal network processing module. The isolation device generates an "operating environment fingerprint" Efp and feeds the reception result back to the sensing device or the user's electrical device.
(3) The internal network processing module transmits the collected fingerprint information to the back-end centralized management platform, where the sensing device admission whitelist Wl is established.
(4) When a device requesting access connects to the isolation device via WIFI, HPLC or Ethernet, the internal network processing module again generates a device fingerprint and an operating environment fingerprint from the requesting device's identity information according to the preset fingerprint generation strategy, and compares them with the device fingerprints and environment fingerprints in the preset device admission whitelist in order to authenticate the device; the identity information includes device parameter information and operating environment parameter information.
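The four-step enrolment and admission flow above, and the fingerprint comparison described for the identity recognition unit, as an added worked example in Python that is not code from the patent. The patent does not define the fingerprint generation strategy, so this example assumes one: the device fingerprint Dfp is a hash over the canonical device parameters (MAC, IP, Pr, Dv, Df) and the environment fingerprint Efp a hash over banded (quantised) values of Ec, Sc and Fc, so that small fluctuations do not change the fingerprint; the band width and all sample values are constructed. SHA-256 from hashlib stands in for SM3 only because SM3 is not in the Python standard library.

```python
"""Device and operating-environment fingerprints checked against an admission
whitelist W_l, following steps (1)-(4) above.

Added example, not the patent's code. Fingerprint strategy, band width and
sample values are assumptions made for this illustration.
"""
import hashlib
import json

ENV_BAND = 5.0   # assumed quantisation step for Ec / Sc / Fc (e.g. percent)


def device_fingerprint(mac: str, ip: str, pr: str, dv: str, df: str) -> str:
    """D_fp over (MAC, IP, protocol Pr, valid data Dv, data format Df).
    Fields are canonicalised (lower-case MAC, sorted keys) before hashing."""
    canonical = json.dumps({"mac": mac.lower(), "ip": ip, "pr": pr,
                            "dv": dv, "df": df}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def env_fingerprint(ec: float, sc: float, fc: float) -> str:
    """E_fp over banded energy-consumption, signal-strength and traffic changes."""
    bands = [round(v / ENV_BAND) for v in (ec, sc, fc)]
    return hashlib.sha256(json.dumps(bands).encode()).hexdigest()


class AdmissionWhitelist:
    """W_l: device fingerprint -> set of environment fingerprints seen at enrolment."""
    def __init__(self):
        self.entries = {}

    def enroll(self, dfp: str, efp: str) -> None:
        self.entries.setdefault(dfp, set()).add(efp)

    def authenticate(self, dfp: str, efp: str) -> str:
        """Step (4): returns 'allow' or the reason for denial."""
        if dfp not in self.entries:
            return "deny: unknown device fingerprint"
        if efp not in self.entries[dfp]:
            return "deny: operating environment mismatch"
        return "allow"


def enroll_and_check():
    """Walk through steps (1)-(4) with constructed sample values."""
    wl = AdmissionWhitelist()
    # steps (1)-(3): fingerprints formed at enrolment and stored in W_l
    dfp = device_fingerprint("0A:1B:2C:3D:4E:5F", "10.0.0.7", "MQTT", "meter-read", "json")
    efp = env_fingerprint(ec=2.0, sc=-1.0, fc=3.0)
    wl.enroll(dfp, efp)
    # step (4): later access attempts are re-fingerprinted and compared
    same_device_same_env = wl.authenticate(
        device_fingerprint("0a:1b:2c:3d:4e:5f", "10.0.0.7", "MQTT", "meter-read", "json"),
        env_fingerprint(ec=1.0, sc=0.5, fc=4.0))          # same bands as enrolment
    same_device_new_env = wl.authenticate(
        dfp, env_fingerprint(ec=40.0, sc=-30.0, fc=90.0))  # behaviour changed sharply
    cloned_mac_other_ip = wl.authenticate(
        device_fingerprint("0a:1b:2c:3d:4e:5f", "10.0.0.99", "MQTT", "meter-read", "json"),
        efp)                                              # MAC reused from another address
    return same_device_same_env, same_device_new_env, cloned_mac_other_ip


if __name__ == "__main__":
    print(enroll_and_check())
```

The third case shows why the device fingerprint binds several parameters together rather than the MAC alone: a device that presents an enrolled MAC from a different IP produces a different Dfp and is treated as unknown, and the second case shows the environment fingerprint flagging a device whose consumption, signal and traffic profile no longer matches what was enrolled.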
The isolation device of this embodiment mainly implements encryption protection of service data and instructions through two-way identity authentication, encrypted data encapsulation and data integrity verification. The two-way identity authentication process is as follows: using the national cryptographic algorithms SM1, SM2, SM3 and the like, two-way identity authentication with the service application system of the master station is carried out on the basis of mechanisms such as challenge-response and digital certificate signing and signature verification. The encrypted data encapsulation process is as follows: service data and control instructions are encapsulated and encrypted on the basis of the dedicated secure communication protocol of the power Internet of Things. The data integrity verification process is as follows: the integrity of service data and control instructions is guaranteed through message authentication codes, digital signatures and verification of data timeliness.
In this embodiment, the access control unit performs access control on the external network device according to a preset access control policy and determines the device's access rights. The internal network upgrade management unit upgrades and maintains the software of the internal network processing module. The key and certificate import unit interfaces with the unified cryptographic infrastructure of the power industry to distribute keys to external network devices and to apply for and issue digital certificates. The log recording unit records operation logs, communication logs and similar information for later analysis and tracing.
Preferably, the device further includes:
the internal network processing module, configured to encrypt the fourth data message received from an internal network device and to perform protocol format conversion on the encrypted fourth data according to the data ferry protocol to obtain a fifth data message, which it sends to the isolation switching module;
the isolation switching module, configured to keep the external network processing module and the internal network processing module physically isolated, to perform format verification on the fifth data message and, after the fifth data message passes the format verification, to send it to the external network processing module;
the external network processing module, configured to perform protocol format conversion on the fifth data message according to the communication protocol of the external network device to obtain a sixth data message, which it sends to the external network device.
In this embodiment, when data is transferred from the internal network to the external network, the internal network processing module also uses the algorithm operation unit to encrypt the fourth data message received from an internal network device, uses the internal network protocol conversion unit to perform protocol format conversion on the encrypted fourth data according to the data ferry protocol of the isolation switching module to obtain the fifth data message, and sends it to the isolation switching module through the internal network data transceiver unit. Before protocol conversion the data message conforms to the dedicated communication protocol of the power Internet of Things; after conversion it conforms to the data ferry protocol of the isolation switching module. The isolation switching module also keeps the external network processing module and the internal network processing module physically isolated, performs format verification on the fifth data message and, after it passes, sends the fifth data message to the external network processing module.
The external network processing module also uses the external network protocol conversion unit to perform protocol format conversion on the fifth data message according to the communication protocol of the external network device to obtain the sixth data message, and sends it to the external network device through the external network data transceiver unit. Before protocol conversion the data message conforms to the data ferry protocol; after conversion it conforms to the communication protocol of the external network device.
Figure 4 is a read/write logic diagram of the isolation device according to an embodiment of the present invention. As shown in Figure 4, the isolation device mainly uses independent read and write channels for the internal and external networks together with an information ferry mechanism to achieve secure isolation and secure information exchange between the two networks. What is exchanged between the internal and external network processing modules is not IP datagrams but application-layer data messages encapsulated by a dedicated internal protocol; no original IP datagram can pass through this channel. The isolation device can completely disconnect two networks or hosts at the physical layer of the network, and "ferries" vetted network data while the external network interface and the internal network interface are physically cut off from each other at any given moment. If the network on one side is exchanging data through the isolation device, the isolation device is disconnected from the network on the other side; only after that side has finished its data exchange and released the isolation control signal can the other side exchange information with the isolation device. Data from both sides is stored in the buffers of the isolation device. Before writing to a buffer the status is checked: if the status permits, the data is written to the buffer, otherwise the writer waits.
Before reading from a buffer the status is likewise checked: if the status permits, the buffered data is read, otherwise the reader waits. The specific read/write process is as follows: when the internal or external network processing module sends data from one network to the other, the data is written into the sending FIFO module, the FIFO receiving module is closed at that time, and only the write channel is connected; when data is to be read from the other processing unit, the data is written into the FIFO receiving module, the FIFO sending module is closed at that time, and only the read channel is connected.
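The ferry mechanism described here (one side connected to the isolation unit at a time, an isolation control signal that must be released before the other side may connect, status checks before every buffer write and read, and rejection of anything that is not a ferry-protocol frame), together with the format verification the isolation switching module performs on the second data message, as an added software simulation in Python; it is not code from the patent, and the real device implements this in hardware. The ferry frame layout and one-byte checksum are the same assumptions used elsewhere on this page; the FIFO depth, side names and sample frames are constructed for the example.

```python
"""Isolation switching module simulated in software: one side at a time holds
the isolation control signal; frames pass through per-direction FIFOs and are
format-checked against the ferry protocol before they cross.

Added example; not the patent's code. Assumed ferry frame layout:
  'FY' | ver(1) | mac(6) | ipv4(4) | cmd(1) | len(2) | payload | checksum(1)
"""
from collections import deque
import struct

FERRY_MAGIC, FERRY_VER = b"FY", 1
FERRY_HDR = struct.Struct(">2sB6s4sBH")
SIDES = ("EXT", "INT")


def ferry_frame_ok(frame: bytes) -> bool:
    """Format check: only frames that obey the ferry protocol may cross."""
    if len(frame) < FERRY_HDR.size + 1:
        return False
    magic, ver, _m, _i, _c, length = FERRY_HDR.unpack_from(frame)
    if magic != FERRY_MAGIC or ver != FERRY_VER:
        return False
    if len(frame) != FERRY_HDR.size + length + 1:
        return False
    return frame[-1] == (sum(frame[:-1]) & 0xFF)


class IsolationSwitch:
    """Logical isolation unit plus data switching unit.

    `holder` is the side currently connected to the isolation unit (it holds
    the isolation control signal); the other side is cut off. Each direction
    has its own FIFO, so the write and read channels are independent.
    """
    def __init__(self, depth: int = 8):
        self.holder = None
        self.depth = depth
        self.fifo = {"EXT": deque(), "INT": deque()}   # keyed by destination side
        self.rejected = []

    def acquire(self, side: str) -> bool:
        """Connect one side; refused while the other side holds the signal."""
        assert side in SIDES
        if self.holder not in (None, side):
            return False
        self.holder = side
        return True

    def release(self, side: str) -> None:
        """Release the isolation control signal so the other side may connect."""
        if self.holder == side:
            self.holder = None

    def write(self, side: str, frame: bytes) -> bool:
        """Write into the FIFO towards the other side. Status is checked first:
        the caller must hold the signal and the FIFO must have room."""
        dest = "INT" if side == "EXT" else "EXT"
        if self.holder != side or len(self.fifo[dest]) >= self.depth:
            return False                      # status does not permit: caller waits
        if not ferry_frame_ok(frame):
            self.rejected.append((side, frame))
            return False                      # raw IP packets and the like never cross
        self.fifo[dest].append(frame)
        return True

    def read(self, side: str):
        """Read from this side's FIFO; only while holding the signal."""
        if self.holder != side or not self.fifo[side]:
            return None
        return self.fifo[side].popleft()


def make_frame(payload: bytes) -> bytes:
    """Build a valid ferry frame with constructed MAC/IP fields."""
    body = FERRY_HDR.pack(FERRY_MAGIC, FERRY_VER, b"\x0a\x1b\x2c\x3d\x4e\x5f",
                          b"\x0a\x00\x00\x07", 1, len(payload)) + payload
    return body + bytes([sum(body) & 0xFF])


def ferry_once(sw: IsolationSwitch, frame: bytes):
    """One complete ferry cycle EXT -> INT; returns (written, what INT read)."""
    assert sw.acquire("EXT")
    assert not sw.acquire("INT")              # INT is cut off while EXT is connected
    written = sw.write("EXT", frame)
    sw.release("EXT")                         # signal released: INT may connect now
    assert sw.acquire("INT")
    got = sw.read("INT")
    sw.release("INT")
    return written, got


# Constructed inputs: a valid ferry frame and a raw IPv4-looking packet.
GOOD_FRAME = make_frame(b"READ1")
RAW_IP_PACKET = bytes.fromhex("4500001c0001000040117cce0a0000070a000001")

if __name__ == "__main__":
    sw = IsolationSwitch()
    print(ferry_once(sw, GOOD_FRAME))
    print(ferry_once(sw, RAW_IP_PACKET))
```

Two properties of the text are visible in the simulation: the second `acquire` inside `ferry_once` fails while the first side holds the signal, so there is no instant at which both sides are connected, and a packet that is not a ferry frame is dropped at the write step and never appears in the receiving FIFO.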
Figure 5 is a schematic diagram of application-layer data exchange based on the transparent proxy mode according to an embodiment of the present invention. As shown in Figure 5, in this embodiment the isolation device mainly uses a transparent proxy mode to implement application-layer data exchange. The transparent proxy consists of two parts, a proxy engine and a proxy stub, which are located on different network processing units. The proxy stub is mainly used to check network connection requests. The proxy engine is mainly used to call the transmission interface and to pass the information returned by the external network to the network processing unit through the high-speed exchange channel. The proxy engine and the proxy stub converse and exchange data over the high-speed exchange channel using a dedicated protocol.
With regard to data confidentiality and integrity protection, the isolation device of this embodiment mainly implements encryption protection of service data and instructions through two-way identity authentication, encrypted data encapsulation and data integrity verification. The two-way identity authentication process is as follows: using the national cryptographic algorithms SM1, SM2, SM3 and the like, two-way identity authentication with the service application system of the master station is carried out on the basis of mechanisms such as challenge-response and digital certificate signing and signature verification. The encrypted data encapsulation process is as follows: service data and control instructions are encapsulated and encrypted on the basis of the dedicated secure communication protocol of the power Internet of Things. The data integrity verification process is as follows: the integrity of service data and control instructions is guaranteed through message authentication codes, digital signatures and verification of data timeliness.
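The challenge-response two-way authentication and the message-authentication-code plus timeliness verification described in this passage (and in the identical passage earlier on the page), as an added worked example in Python that is not code from the patent. HMAC-SHA256 stands in for an SM3-based message authentication code and a pre-shared secret stands in for a key distributed through the unified cryptographic infrastructure, because the SM algorithms are not in the Python standard library; the digital-certificate signature step is not modelled. Party names, the freshness window, the sequence-number replay check and the sample messages are assumptions made for the example.

```python
"""Two-way challenge-response authentication plus a MAC with timeliness and
replay checks on each service message.

Added example, not the patent's code. HMAC-SHA256 with a pre-shared key is a
stand-in for the SM3-based MAC and the infrastructure-distributed keys.
"""
import hmac
import hashlib
import os
import struct

TAG_LEN = 32            # HMAC-SHA256 output length
HDR = struct.Struct(">QI")   # timestamp (s) and sequence number, assumed layout


def mac_tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Party:
    """One side of the mutual authentication (isolation device or master station)."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.my_nonce = None

    def challenge(self) -> bytes:
        self.my_nonce = os.urandom(16)
        return self.my_nonce

    def respond(self, peer_nonce: bytes) -> bytes:
        """Prove key possession over the peer's nonce, bound to our own name."""
        return mac_tag(self.key, b"resp", self.name.encode(), peer_nonce)

    def verify(self, peer_name: str, response: bytes) -> bool:
        if self.my_nonce is None:
            return False
        expected = mac_tag(self.key, b"resp", peer_name.encode(), self.my_nonce)
        return hmac.compare_digest(expected, response)


def mutual_auth(a: Party, b: Party) -> bool:
    """Both sides issue a challenge, both respond, both verify."""
    na, nb = a.challenge(), b.challenge()
    return a.verify(b.name, b.respond(na)) and b.verify(a.name, a.respond(nb))


class IntegrityChecker:
    """Receiver-side check of MAC, timestamp freshness and replay."""
    def __init__(self, key: bytes, max_skew_s: int = 30):
        self.key, self.max_skew_s = key, max_skew_s
        self.seen = set()   # sequence numbers already accepted

    @staticmethod
    def seal(key: bytes, ts: int, seq: int, payload: bytes) -> bytes:
        """Sender side: header | payload | MAC(header | payload)."""
        header = HDR.pack(ts, seq)
        return header + payload + mac_tag(key, header, payload)

    def open(self, msg: bytes, now: int):
        """Returns (payload, 'ok') or (None, reason). MAC is checked before
        any field is trusted, then timeliness, then replay."""
        if len(msg) < HDR.size + TAG_LEN:
            return None, "truncated"
        header, payload, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(mac_tag(self.key, header, payload), tag):
            return None, "bad mac"
        ts, seq = HDR.unpack(header)
        if abs(now - ts) > self.max_skew_s:
            return None, "stale"
        if seq in self.seen:
            return None, "replay"
        self.seen.add(seq)
        return payload, "ok"


if __name__ == "__main__":
    key = os.urandom(32)   # constructed shared secret for the demo
    print(mutual_auth(Party("device", key), Party("master", key)))
    chk = IntegrityChecker(key)
    msg = IntegrityChecker.seal(key, 1000, 1, b"SET 42")
    print(chk.open(msg, 1005), chk.open(msg, 1006))
```

The order of checks in `open` is deliberate: the MAC is verified first so that a forged timestamp or sequence number is never acted upon, the timestamp bounds how long a captured message stays usable, and the sequence set closes the remaining window in which an identical message could be delivered twice.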
本发明实施方式的隔离装置实现了开放的客户侧接入网络与电力物联网核心网络的安全隔离,能够有效防止核心业务系统被非法入侵。The isolation device in the embodiment of the present invention realizes the safe isolation of the open client-side access network and the core network of the power Internet of Things, and can effectively prevent the core business system from being illegally invaded.
图6为根据本发明实施方式的适用于电力物联网客户侧的隔离方法600的流程图。如图6所示,本发明实施方式提供的适用于电力物联网客户侧的隔离方法600,从步骤601处开始,在步骤601对接收的外网设备发送的第一数据报文进行解析,以获取关键信息,并按照数据摆渡协议对所述关键信息进行协议格式转换处理,以获取第二数据报文。Figure 6 is a flow chart of an isolation method 600 suitable for the client side of the power Internet of Things according to an embodiment of the present invention. As shown in Figure 6, the isolation method 600 provided by the embodiment of the present invention and suitable for the client side of the power Internet of Things starts from step 601. In step 601, the first data message sent by the received external network device is parsed to Obtain key information, and perform protocol format conversion processing on the key information according to the data ferry protocol to obtain the second data message.
优选地,其中所述方法还包括:Preferably, the method further includes:
在对接收的外网设备发送的第一数据报文进行解析之前,校验所述第一数据报文的报文格式是否符合电力物联网准入要求;其中,若校验通过,则对所述第一数据报文进行解析;若校验不通过,则拒绝所述外网设备的数据传输请求;Before parsing the first data message sent by the received external network device, verify whether the message format of the first data message meets the power Internet of Things access requirements; wherein, if the verification passes, all The first data message is parsed; if the verification fails, the data transmission request of the external network device is rejected;
监测外网设备的数据流量是否符合电力物联网准入要求,是否存在异常数据流;其中,若存在异常数据流,则拒绝所述外网设备的数据传输请求;若不存在异常数据流,则允许所述外网设备的数据传输请求。Monitor whether the data flow of the external network equipment meets the power Internet of Things access requirements and whether there is an abnormal data flow; if there is an abnormal data flow, the data transmission request of the external network equipment is rejected; if there is no abnormal data flow, then Allow data transmission requests from the external network device.
在步骤602,控制外网处理模块和内网处理模块处于物理隔离的状态,对所述第二数据报文进行格式校验。In step 602, control the external network processing module and the internal network processing module to be in a physically isolated state, and perform format verification on the second data message.
在步骤603,在所述第二数据报文通过格式校验后,对所述第二数据报文进行解密处理,并按照电力物联网专用通信协议对解密后的第二数据报文进行协议格式转换处理,以获取第三数据报文并发送至内网设备。In step 603, after the second data message passes the format check, the second data message is decrypted, and the decrypted second data message is formatted according to the power Internet of Things dedicated communication protocol. Conversion processing to obtain the third data packet and send it to the intranet device.
Preferably, the method further includes:
obtaining, from the decrypted second data message, the identity information of the external network device to be accessed, and performing identity authentication according to the identity information of the external network device to be accessed; where, if the identity authentication succeeds, the external network device to be accessed is allowed to access the power Internet of Things for information interaction, and if the identity authentication fails, the external network device to be accessed is refused access to the power Internet of Things for information interaction; where the key information includes the identity information of the external network device.
Preferably, performing identity authentication according to the identity information of the external network device to be accessed includes:
generating, from the identity information of the external network device to be accessed and according to a preset fingerprint generation strategy, a device fingerprint and an operating environment fingerprint, and comparing the device fingerprint and the operating environment fingerprint with the device fingerprints and environment fingerprints in a preset device access whitelist in order to authenticate the identity; where the identity information includes device parameter information and operating environment parameter information; the device parameter information includes the MAC address, IP, communication protocol, valid data and data format of the external network device; and the operating environment parameter information includes the energy consumption change, signal strength change and traffic change of the external network device.
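As an added illustration, not code from the patent, the following Python sketch shows one way the fingerprint generation and whitelist comparison described above could work: the "preset fingerprint generation strategy" (SHA-256 over normalised device parameters, and over quantised environment deltas), the bucket widths and the sample device values are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class DeviceParams:
    """Device parameter information taken from the decrypted second data message."""
    mac: str
    ip: str
    protocol: str     # communication protocol, e.g. "MQTT"
    data_format: str  # format of the valid-data field, e.g. "json"


@dataclass(frozen=True)
class EnvParams:
    """Operating environment parameters, each as a change from the enrolment baseline."""
    energy_change: float   # relative change in energy consumption (0.10 = +10 %)
    signal_change: float   # change in signal strength, dBm
    traffic_change: float  # relative change in traffic volume


# Bucket widths are an assumption: drift inside one bucket keeps the environment
# fingerprint stable, while a jump across buckets (a cloned MAC on a different
# radio link, say) changes it and fails the whitelist comparison.
ENV_BUCKETS = (0.10, 10.0, 0.50)


def device_fingerprint(p: DeviceParams) -> str:
    """Assumed strategy: SHA-256 over the normalised static device parameters."""
    canon = "|".join((p.mac.lower(), p.ip.strip(), p.protocol.upper(), p.data_format.lower()))
    return hashlib.sha256(canon.encode()).hexdigest()


def env_fingerprint(e: EnvParams) -> str:
    """Assumed strategy: SHA-256 over the quantised environment deltas."""
    deltas = (e.energy_change, e.signal_change, e.traffic_change)
    canon = "|".join(str(round(v / w)) for v, w in zip(deltas, ENV_BUCKETS))
    return hashlib.sha256(canon.encode()).hexdigest()


def enrol(p: DeviceParams, baseline: EnvParams) -> Dict[str, str]:
    """One whitelist entry: device fingerprint -> environment fingerprint at enrolment."""
    return {device_fingerprint(p): env_fingerprint(baseline)}


def authenticate(p: DeviceParams, e: EnvParams, whitelist: Dict[str, str]) -> bool:
    """Both fingerprints must match the whitelist; compare_digest avoids timing leaks."""
    expected_env = whitelist.get(device_fingerprint(p))
    if expected_env is None:
        return False  # device fingerprint is not in the access whitelist
    return hmac.compare_digest(env_fingerprint(e), expected_env)


# Constructed sample values (not from the patent).
KNOWN_DEVICE = DeviceParams("00:1a:2b:3c:4d:5e", "10.20.30.40", "MQTT", "json")
UNKNOWN_DEVICE = DeviceParams("00:1a:2b:3c:4d:5f", "10.20.30.41", "MQTT", "json")
BASELINE_ENV = EnvParams(0.0, 0.0, 0.0)
NORMAL_ENV = EnvParams(0.02, -3.0, 0.10)    # ordinary drift, same buckets as baseline
ABNORMAL_ENV = EnvParams(0.60, -25.0, 3.0)  # large shifts: likely another device or link
WHITELIST = enrol(KNOWN_DEVICE, BASELINE_ENV)

if __name__ == "__main__":
    print("known device, normal env   :", authenticate(KNOWN_DEVICE, NORMAL_ENV, WHITELIST))
    print("known device, abnormal env :", authenticate(KNOWN_DEVICE, ABNORMAL_ENV, WHITELIST))
    print("unknown device, normal env :", authenticate(UNKNOWN_DEVICE, NORMAL_ENV, WHITELIST))
```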
Preferably, the method further includes:
encrypting the received fourth data message sent by the internal network device, and performing protocol format conversion on the encrypted fourth data message according to the data ferry protocol, so as to obtain a fifth data message;
controlling the external network processing module and the internal network processing module so that they are in a physically isolated state, and performing format verification on the fifth data message;
after the fifth data message passes the format verification, performing protocol format conversion on the fifth data message according to the communication protocol of the external network device, so as to obtain a sixth data message, which is sent to the external network device.
Preferably, controlling the external network processing module and the internal network processing module so that they are in a physically isolated state includes:
controlling the external network processing module and the internal network processing module so that, at any one instant, they are in a physically disconnected state; where, if one of the external network processing module and the internal network processing module is exchanging data with the logical isolation unit, the logical isolation unit is disconnected from the other module, and only after the module performing the data exchange has completed it and released the isolation control signal can the other module exchange data with the logical isolation unit.
Preferably, the method performs format verification as follows:
verifying whether the format of the data message to be transmitted conforms to the data ferry protocol; where, if the format verification passes, the data message to be transmitted is transmitted, and if the format verification fails, the data message to be transmitted is rejected.
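An added example, not code from the patent, that simulates the mutual exclusion of the logical isolation unit described above together with the data-ferry format verification: the frame layout (magic, version, direction, length, CRC-32) is an assumption, since the patent does not publish the ferry protocol's format.

```python
import struct
import zlib
from enum import Enum
from typing import Optional

# Constructed frame layout for the data ferry protocol (assumption; the patent does
# not publish the real format):
#   magic(4) | version(1) | direction(1) | payload length(2, big-endian) | payload | crc32(4)
MAGIC = b"FRRY"
VERSION = 1
HEADER = struct.Struct(">4sBBH")
DIR_INBOUND, DIR_OUTBOUND = 1, 2  # external->internal, internal->external
MAX_PAYLOAD = 1024


def build_ferry_frame(direction: int, payload: bytes) -> bytes:
    body = HEADER.pack(MAGIC, VERSION, direction, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_ferry_format(frame: bytes) -> bool:
    """Format check that every frame must pass before it crosses the isolation unit."""
    if len(frame) < HEADER.size + 4:
        return False
    magic, version, direction, length = HEADER.unpack_from(frame)
    if magic != MAGIC or version != VERSION or direction not in (DIR_INBOUND, DIR_OUTBOUND):
        return False
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + 4:
        return False
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    return crc == (zlib.crc32(body) & 0xFFFFFFFF)


class Side(Enum):
    EXTERNAL = "external network processing module"
    INTERNAL = "internal network processing module"


class LogicalIsolationUnit:
    """At any instant at most one module is connected; the other stays cut off until the
    connected module finishes its exchange and releases the isolation control signal."""

    def __init__(self) -> None:
        self._holder: Optional[Side] = None   # module currently asserting the control signal
        self._buffer: Optional[bytes] = None  # single verified frame waiting to be collected

    def connect(self, side: Side) -> bool:
        if self._holder is None or self._holder is side:
            self._holder = side
            return True
        return False  # the other module is connected: this side is physically cut off

    def release(self, side: Side) -> None:
        if self._holder is side:
            self._holder = None

    def write(self, side: Side, frame: bytes) -> bool:
        if self._holder is not side:
            raise PermissionError(f"{side.value} is not connected to the isolation unit")
        if not verify_ferry_format(frame):
            return False  # rejected: a malformed frame never reaches the buffer
        self._buffer = frame
        return True

    def read(self, side: Side) -> Optional[bytes]:
        if self._holder is not side:
            raise PermissionError(f"{side.value} is not connected to the isolation unit")
        frame, self._buffer = self._buffer, None
        return frame


def ferry_inbound(unit: LogicalIsolationUnit, frame: bytes) -> Optional[bytes]:
    """Steps 602/603 in miniature: the external module deposits the frame and releases,
    then the internal module collects it. Returns the payload, or None if rejected."""
    if not unit.connect(Side.EXTERNAL):
        raise RuntimeError("isolation unit busy")
    accepted = unit.write(Side.EXTERNAL, frame)
    unit.release(Side.EXTERNAL)
    if not accepted:
        return None
    if not unit.connect(Side.INTERNAL):
        raise RuntimeError("isolation unit busy")
    collected = unit.read(Side.INTERNAL)
    unit.release(Side.INTERNAL)
    return collected[HEADER.size:-4]
```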
Preferably, the method further includes:
performing access control on the external network device according to a preset access control policy, and determining the access rights of the external network device;
monitoring the processes in the internal network processing module and, when an abnormal event occurs, handling the abnormal event promptly so that the internal network processing module can continue to provide normal service;
recording all kinds of operation logs and communication logs;
interfacing with the unified cryptographic infrastructure of the power system in order to distribute keys for external network devices and to apply for and issue digital certificates.
The isolation method 600 suitable for the client side of the power Internet of Things according to this embodiment of the present invention corresponds to the isolation device 100 suitable for the client side of the power Internet of Things according to another embodiment of the present invention, and is not described again here.
The invention has been described with reference to a few embodiments. However, as is known to those skilled in the art, embodiments other than those disclosed above fall equally within the scope of the present invention.
Generally, all terms used are to be interpreted according to their ordinary meaning in the technical field unless expressly defined otherwise herein. All references to "a/the [device, component, etc.]" are to be interpreted openly as at least one instance of the said device, component, etc., unless expressly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed unless expressly stated.
Those skilled in the art will understand that the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operating steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified or equivalently substituted, and that any modification or equivalent substitution that does not depart from the spirit and scope of the present invention shall be covered by the protection scope of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010789502.2A CN112073375B (en) | 2020-08-07 | 2020-08-07 | An isolation device and isolation method suitable for the client side of the power Internet of Things |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112073375A CN112073375A (en) | 2020-12-11 |
CN112073375B true CN112073375B (en) | 2023-09-26 |
Family
ID=73662549
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112073375B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN112073375A (en) | 2020-12-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||