CN115118509B - Substation secondary equipment debugging file authority detection method and safety control device - Google Patents

Info

Publication number: CN115118509B
Application number: CN202210753821.7A
Authority: CN (China)
Prior art keywords: debugging, control device, file, authority, secondary equipment
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115118509A
Inventors: 韩伟, 蔡得雨, 杜兴伟, 郭培, 马伟东, 刘磊, 王阳, 段文岩, 陈宇, 孔圣立, 吴春红, 党一奇, 刘超, 乔利红, 张峰, 赵治博, 王书州, 蒋科寻, 石琳, 蒋雨烟
Current assignee: Henan Nerui Technology Co ltd; Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original assignee: Henan Nerui Technology Co ltd; Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Application filed by Henan Nerui Technology Co ltd and Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority to CN202210753821.7A
Publication of CN115118509A
Application granted
Publication of CN115118509B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 for authentication of entities
              • H04L 63/0823 using certificates
              • H04L 63/083 using passwords
          • H04L 12/00 Data switching networks
            • H04L 12/28 characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
              • H04L 12/46 Interconnection of networks
                • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3236 using cryptographic hash functions
                • H04L 9/3239 involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

A method for detecting the permission of debugging files of substation secondary equipment involves a debugging tool, a security control device and secondary equipment, with the security control device connected in series between the debugging tool and the secondary equipment. The method includes the following steps. Step S1: the security control device performs identity permission detection on the debugging tool; if the detection passes, an encrypted data transmission channel is established between the debugging tool and the security control device, and step S2 is executed. Step S2: the security control device extracts message features from the debugging file transmitted by the debugging tool and matches the extracted feature information against the authorization information; if they match, the debugging file is granted transmission permission and step S3 is executed; if they do not match, the message is intercepted and a log entry is recorded. Step S3: the MAC address information of the debugging tool is matched to check its address permission.

Description

Substation secondary equipment debugging file permission detection method and security control device

Technical Field

The present invention belongs to the technical field of substation information security risk prevention and control, and specifically relates to a substation secondary equipment debugging file permission detection method and a security control device.

Background Art

In recent years, with the construction and development of the national power grid, intelligent technology has gradually been applied to grid construction and the grid has gradually become intelligent. Correspondingly, the scale of smart substation construction has expanded and power equipment has been progressively replaced, so the safe and stable operation of smart substation secondary equipment has become increasingly important. Traditional secondary equipment maintenance methods can no longer meet the requirements of smart substation secondary equipment maintenance; implementing condition-based maintenance of secondary equipment is essential for safeguarding the network security of the protection and monitoring system during smart station maintenance.

At present, substation protection, automation and monitoring systems have gradually become networked and digitized. Information exchange between secondary equipment such as protection devices, measurement and control devices, merging units and intelligent terminals, station-level equipment such as monitoring master stations and communication gateways, and even the dispatching system all takes place on the same network. Configuring or upgrading smart substation secondary equipment requires connecting the debugging tool directly to the secondary equipment. This unprotected access path carries the risk of infecting the secondary system with Trojans and viruses and of illegal external data connections, which poses a great security risk to the substation secondary system and affects the safe and stable operation of the grid.

As substation intelligentization accelerates, network security risks are put to the test, and connecting debugging tools directly to the in-station secondary equipment network is a great security risk. Developing a corresponding debugging security control device for substation secondary equipment debugging file permission detection can therefore improve the capability to prevent and control information security risks when smart substation debugging tools access secondary equipment.

Summary of the Invention

To remedy the shortcomings of the prior art, the present invention aims to provide a substation secondary equipment debugging file permission detection method and a security control device.

The present invention adopts the following technical solution.

A method for detecting the permission of debugging files of substation secondary equipment involves a debugging tool, a security control device and secondary equipment, with the security control device connected in series between the debugging tool and the secondary equipment. The method includes the following steps:

Step S1: the security control device performs identity permission detection on the debugging tool. If the detection passes, an encrypted data transmission channel is established between the debugging tool and the security control device, and step S2 is executed;

Step S2: the security control device extracts message features from the debugging file transmitted by the debugging tool and matches the extracted feature information against the authorization information. If they match, the debugging file is granted transmission permission and step S3 is executed; if they do not match, the message is intercepted and a log entry is recorded;

Step S3: the MAC address information of the debugging tool is matched to check its address permission; once the address permission check passes, the debugging file from step S2 is forwarded to the secondary equipment.

Identity permission detection is three-factor authentication of the debugging tool by the security control device, using "certificate + PIN code + username/password". The authentication process includes: inserting the UKey holding the certificate into the debugging tool; entering the PIN code and then the username/password on the debugging tool; the security control device checking whether the PIN code and username/password are correct, and whether the certificate has expired and its encoding is correct; and deriving the authentication result from the certificate + PIN code + username/password information;

The authentication results are as follows:

If the PIN code or username/password is entered incorrectly more than 3 times in a row, identity permission detection fails, input is prohibited for a set duration, and a channel establishment failure warning is issued;

If the certificate stored in the UKey has expired or is incorrectly encoded, identity permission detection fails and the debugging tool is denied access to the secondary equipment;

If the certificate, PIN code and username/password all authenticate successfully, identity permission detection passes.

The encrypted data channel is an SSLVPN encrypted channel using a block cipher algorithm.

The SSLVPN encrypted transmission channel takes over all application traffic of the debugging tool by creating a virtual network adapter. Once the channel is established, the debugging tool disables its wireless network adapter, and the security control device acts as a global proxy forwarding the debugging tool's debugging files.

The authorization information includes the debugging file name, debugging file size, debugging file MD5 value, staff name, staff contact telephone number, secondary equipment manufacturer, debugging time, transmission protocol, secondary equipment name, secondary equipment model, secondary equipment service port, security control device number, debugging tool brand, debugging tool model, debugging tool username and debugging tool MAC.

Message feature extraction includes: obtaining the hexadecimal feature string of the communication protocol message of the manufacturer of the secondary equipment to be debugged; analysing and trimming the feature string to obtain the keywords of the manufacturer's protocol message; and filtering, extracting, splitting, splicing and transcoding the message according to those keywords to obtain the feature information.

The feature information includes the debugging file name, debugging file size, debugging file MD5 value and feature code flow information, where the feature code flow information is obtained by computing a standard hash over the authorization information described in step 1.

Step S3 includes:

S301: collect the MAC address of the debugging tool;

S302: match the MAC address against the stored authorization information; if the match fails, intercept the message, block the session and show a pop-up warning in the interface; if the match passes, execute S303;

S303: proxy-forward the message to the secondary equipment.

The MAC address is the MAC address of the Ethernet adapter.

A substation secondary equipment debugging file permission detection security control device based on the above method:

The security control device includes an identity permission detection module, a transmission permission detection module, a storage module, a file permission detection module and an address permission detection module;

the identity permission detection module performs identity permission detection on the debugging tool;

the transmission permission detection module extracts message features from the debugging file and determines whether the feature information matches the authorization information; if they match, transmission permission is granted;

the storage module stores the authorization information;

the file permission detection module reads and analyses the messages flowing through the security control device, obtains the required file information, and matches the obtained file information against the authorization information held locally on the security control device;

the address permission detection module determines whether the MAC address of the debugging tool matches the authorization information.

The beneficial effect of the present invention is that, compared with the prior art, it adds a debugging file permission detection security control device to the connection between the debugging tool and the substation secondary equipment. This improves security and stability during transmission, keeps the system running continuously, reliably and normally, and adds permission detection of the debugging file, making the security audit between the debugging tool and the substation secondary equipment more robust and effectively reducing the security risk to the power network.

The beneficial effects of the present invention also include:

(1) establishing an encrypted data transmission channel to protect data during network transmission and prevent grid data from being intercepted and stolen;

(2) extracting message features from the debugging file and matching them against the authorization information, so that illegal files cannot obtain transmission permission.

Brief Description of the Drawings

FIG. 1 is a flowchart of permission detection for a substation secondary equipment debugging tool according to the present invention;

FIG. 2 is a connection diagram of a method for detecting file transmission permission of a substation debugging tool according to the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.

A method for detecting the permission of debugging files of substation secondary equipment involves a debugging tool, a security control device and secondary equipment, with the security control device connected in series between the debugging tool and the secondary equipment. The method includes the following steps. Step S1: the security control device performs identity permission detection on the debugging tool; if the detection passes, an SSLVPN encrypted data transmission channel is established between the debugging tool and the security control device, and step S2 is executed. Step S2: the security control device extracts message features from the debugging file transmitted by the debugging tool and matches the extracted feature information against the authorization information; if they match, the debugging file is granted transmission permission and step S3 is executed; if they do not match, the message is intercepted and a log entry is recorded. Step S3: the MAC address information of the debugging tool is matched to check its address permission.

Identity permission detection is three-factor authentication of the debugging tool by the security control device, using "certificate + PIN code + username/password". The authentication process includes: inserting the UKey holding the certificate into the debugging tool; entering the PIN code and then the username/password on the debugging tool; the security control device checking whether the PIN code and username/password are correct, and whether the certificate has expired and its encoding is correct; and deriving the authentication result from the certificate + PIN code + username/password information;

The authentication results are as follows:

If the PIN code or username/password is entered incorrectly more than 3 times in a row, identity permission detection fails, input is prohibited for a set duration, and a channel establishment failure warning is issued;

If the certificate stored in the UKey has expired or is incorrectly encoded, identity permission detection fails and the debugging tool is denied access to the secondary equipment;

If the certificate, PIN code and username/password all authenticate successfully, identity permission detection passes.

The encrypted data channel is an SSLVPN encrypted channel using a block cipher algorithm.

The SSLVPN encrypted transmission channel takes over all application traffic of the debugging tool by creating a virtual network adapter. Once the channel is established, the debugging tool actively disables its wireless network adapter, and the security control device acts as a global proxy forwarding the debugging tool's message data.

The authorization information includes the debugging file name, debugging file size, debugging file MD5 value, staff name, staff contact telephone number, secondary equipment manufacturer, debugging time, transmission protocol, secondary equipment name, secondary equipment model, secondary equipment service port, security control device number, debugging tool brand, debugging tool model, debugging tool username and debugging tool MAC.

Message feature extraction includes: obtaining the hexadecimal feature string of the communication protocol message of the manufacturer of the secondary equipment to be debugged; analysing and trimming the feature string to obtain the keywords of the manufacturer's protocol message; and filtering, extracting, splitting, splicing and transcoding the message according to those keywords to obtain the feature information.

The feature information includes the debugging file name, debugging file size, debugging file MD5 value and feature code flow information, where the feature code flow information is obtained by computing a standard hash over the authorization information described in step 1.

Step S3 includes:

S301: collect the MAC address of the debugging tool;

S302: match the MAC address against the stored authorization information; if the match fails, intercept the message, block the session and show a pop-up warning in the interface; if the match passes, execute S303;

S303: proxy-forward the message to the secondary equipment.

The MAC address is the MAC address of the Ethernet adapter.

A substation secondary equipment debugging file permission detection security control device based on the above method:

The security control device includes an identity permission detection module, a transmission permission detection module, a storage module, a file permission detection module and an address permission detection module. The identity permission detection module performs identity permission detection on the debugging tool. The transmission permission detection module extracts message features from the debugging file and determines whether the feature information matches the authorization information; if they match, transmission permission is granted. The storage module stores the authorization information. The file permission detection module reads and analyses the messages flowing through the security control device, obtains the required file information, and matches the obtained file information against the authorization information held locally on the security control device. The address permission detection module determines whether the MAC address of the debugging tool matches the authorization information.

本发明实施例的描述中,术语“调试工具”为在变电站二次设备检修、配置、升级等工作中,与二次设备通过调试口连接,进行文件查阅、文件传输等数据交互,或开展信息安全防护的工具,通常包括专用调试电脑、调试软件、安全管控工具等。In the description of the embodiments of the present invention, the term "debugging tool" refers to a tool that is connected to the secondary equipment through the debugging port to perform data interaction such as file viewing and file transfer, or to carry out information security protection during the maintenance, configuration, and upgrade of the secondary equipment in the substation. It usually includes a dedicated debugging computer, debugging software, security management tools, etc.

本发明所公开的一种变电站二次设备调试文件权限检测方法,包括调试工具、安全管控装置和二次设备,安全管控装置串接在调试工具和二次设备之间,如图1所示,具体步骤如下所述:A method for detecting the permission of a debugging file of a substation secondary device disclosed in the present invention includes a debugging tool, a safety control device and a secondary device, wherein the safety control device is connected in series between the debugging tool and the secondary device, as shown in FIG1 , and the specific steps are as follows:

步骤S1,安全管控装置对调试工具进行身份权限检测,若身份权限检测通过,则在调试工具和安全管控装置之间建立SSLVPN数据加密传输通道,并执行步骤S2;Step S1, the security control device performs identity and authority detection on the debugging tool. If the identity and authority detection passes, an SSLVPN data encryption transmission channel is established between the debugging tool and the security control device, and step S2 is executed;

调试工具通过可信认证客户端进行SSLVPN身份认证,将存有证书的UKey插入调试工具,并进行对调试工具的“证书+PIN码+用户名/密码”三因子身份认证,根据认证结果进行相应的策略处置:具体地,身份权限检测为安全管控装置对调试工具的“证书+PIN码+用户名/密码”三因子身份认证;其中,认证过程包括:将存有证书的Ukey插入调试工具;在调试工具上依次输入PIN码和用户名/密码;安全管控装置检测PIN码和用户名/密码是否正确,并检测证书是否过期以及证书编码是否正确;根据证书+PIN码+用户名/密码信息得到认证结果。The debugging tool performs SSLVPN identity authentication through a trusted authentication client, inserts the UKey containing the certificate into the debugging tool, and performs a three-factor identity authentication of the debugging tool using "certificate + PIN code + user name/password", and performs corresponding policy disposal according to the authentication result: Specifically, the identity authority detection is a three-factor identity authentication of the debugging tool using "certificate + PIN code + user name/password" by the security management and control device; the authentication process includes: inserting the Ukey containing the certificate into the debugging tool; entering the PIN code and user name/password in sequence on the debugging tool; the security management and control device detects whether the PIN code and user name/password are correct, and detects whether the certificate is expired and whether the certificate encoding is correct; and obtaining the authentication result based on the certificate + PIN code + user name/password information.

若PIN码或用户名/密码连续错误输入超过3次,则身份权限检测失败,将进行持续1小时的禁止输入措施,且进行通道建立失败警示;If the PIN code or user name/password is entered incorrectly more than 3 times in a row, the identity authority detection fails, and the input will be prohibited for 1 hour, and a channel establishment failure warning will be issued;

若UKey中存储的证书过期或者编码错误,视为身份权限检测失败,安全管控装置拒绝调试工具的接入;If the certificate stored in the UKey is expired or incorrectly encoded, it is considered that the identity permission detection has failed, and the security control device refuses access to the debugging tool;

若身份认证通过,则身份权限检测通过,调试工具和安全管控装置之间建立SSLVPN加密通道,以实现调试工具的网络准入。If the identity authentication is passed, the identity permission detection is passed, and an SSLVPN encrypted channel is established between the debugging tool and the security control device to achieve network access for the debugging tool.

由于调试工具和安全管控装置之间采用SSLVPN建立数据加密传输通道,因此数据加密通道中采用国密算法加密,保障调试工具数据安全传输的同时,实现了国产密码算法加密。Since SSLVPN is used to establish a data encryption transmission channel between the debugging tool and the security control device, the national secret algorithm is used in the data encryption channel to ensure the secure transmission of the debugging tool data while realizing domestic cryptographic algorithm encryption.

证书具有唯一性,调试二次设备需使用与其对应厂家证书,并且证书需对应到二次设备具体名称、型号,因证书内含有二次设备唯一标识内容,证书认证时应与所要调试的二次设备厂家保持一致方能通过验证,且仅能调试所对应的厂家设备,避免调试工具越权调试。证书存储于UKey,执行身份认证前将存有证书的Ukey插入调试工具。The certificate is unique. To debug a secondary device, you need to use the corresponding manufacturer's certificate, and the certificate must correspond to the specific name and model of the secondary device. Because the certificate contains the unique identification content of the secondary device, the certificate authentication should be consistent with the manufacturer of the secondary device to be debugged in order to pass the verification, and only the corresponding manufacturer's equipment can be debugged to avoid unauthorized debugging by the debugging tool. The certificate is stored in UKey. Before performing identity authentication, insert the Ukey containing the certificate into the debugging tool.

The SSL VPN data encryption transmission channel takes over all application traffic of the debugging tool by creating a virtual network adapter. As the channel is established, the wireless network adapter is actively disabled and all of the debugging tool's packets are forwarded through a global proxy, so that intranet secondary devices cannot reach external networks through the debugging tool's wireless hotspot; this provides isolation between the internal and external networks.
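The step S1 decision logic as an added example (not code from the patent or its applicants): the three-factor check of certificate, PIN and username/password, with the failure rules stated above, namely more than 3 consecutive wrong PIN or password entries lock input for 1 hour, an expired or malformed certificate fails outright, and the certificate must name the manufacturer of the device being debugged. The certificate layout, the hashing of PIN and password, and all sample values are assumptions made for the example.

```python
"""Added example of the step S1 identity authority check (not the patent's code).
The certificate encoding 'serial|manufacturer|model|not_after', the salted SHA-256
storage of PIN and password, and the sample values are all assumptions."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

LOCKOUT_SECONDS = 3600   # the 1-hour input ban stated in the text
MAX_FAILURES = 3         # more than 3 consecutive errors triggers the ban


@dataclass
class Certificate:
    """Constructed stand-in for the certificate held on the UKey (hypothetical fields)."""
    serial: str
    manufacturer: str    # manufacturer of the secondary device the certificate is bound to
    device_model: str
    not_after: float     # expiry as a Unix timestamp


def parse_certificate(blob: bytes) -> Optional[Certificate]:
    """Decode the constructed 'serial|manufacturer|model|not_after' encoding.
    Returns None when the encoding is wrong (the 'incorrectly encoded' case)."""
    try:
        serial, manufacturer, model, not_after = blob.decode("ascii").split("|")
        return Certificate(serial, manufacturer, model, float(not_after))
    except (UnicodeDecodeError, ValueError):
        return None


@dataclass
class IdentityChecker:
    users: dict                                      # username -> salted password hash
    pins: dict                                       # certificate serial -> salted PIN hash
    failures: dict = field(default_factory=dict)     # serial -> consecutive failures
    locked_until: dict = field(default_factory=dict) # serial -> end of input ban

    @staticmethod
    def _h(secret: str, salt: str) -> str:
        return hashlib.sha256((salt + secret).encode()).hexdigest()

    def check(self, cert_blob, pin, username, password, target_manufacturer, now=None):
        """Return 'pass' or a 'fail: ...' reason, applying the rules in the order the text gives."""
        now = time.time() if now is None else now
        cert = parse_certificate(cert_blob)
        if cert is None or cert.not_after < now:
            return "fail: certificate expired or malformed"
        if cert.manufacturer != target_manufacturer:
            return "fail: certificate not bound to the target device manufacturer"
        key = cert.serial
        if self.locked_until.get(key, 0) > now:
            return "fail: input locked"
        # constant-time comparison of the stored hashes
        pin_ok = hmac.compare_digest(self._h(pin, key), self.pins.get(key, ""))
        pw_ok = hmac.compare_digest(self._h(password, username), self.users.get(username, ""))
        if pin_ok and pw_ok:
            self.failures[key] = 0
            return "pass"
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        if n > MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = 0
            return "fail: locked for 1 hour, channel establishment failure warning"
        return "fail: wrong PIN or username/password"
```

The certificate checks run before the PIN and password so that a wrong UKey never counts toward the lockout, and the lockout is keyed on the certificate serial rather than the username so that retrying under another account name does not reset it.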

Step S2: extract packet features from the debugging file transmitted by the debugging tool and match the extracted feature information against the authorization information. If they match, the debugging file has been granted transmission permission and step S3 is executed; if they do not match, the packet is intercepted and a log entry is recorded;

The authorization information comprises the debugging file name, debugging file size, debugging file MD5 value, staff member's name, staff member's contact telephone number, secondary equipment manufacturer, debugging time, transmission protocol, secondary equipment name, secondary equipment model, secondary equipment service port, control device number, debugging tool brand, debugging tool model, debugging tool username and debugging tool MAC address.

Packet feature extraction comprises: obtaining the hexadecimal feature string of the communication protocol packets of the manufacturer of the secondary device to be debugged; analysing and trimming that string to obtain the keywords of the manufacturer's protocol packets; and filtering, extracting, splitting, splicing and transcoding the packets according to those keywords to obtain the feature information.

The feature information comprises the debugging file name, debugging file size, debugging file MD5 value and feature-code traffic information, where the feature-code traffic information is obtained by computing a standard hash over the authorization information described in step 1.

Specifically, the file authority detection module reads and analyses, in kernel mode, the packets passing through the security control device; it filters, extracts, splits, splices and transcodes the packets according to the keywords to obtain the required key file information, and matches that information against the authorization information stored locally on the security control device. If they match, the debugging file has been granted transmission permission; if the match fails, the debugging file is unauthorized, the packet is intercepted and a log entry is recorded.

The keywords are determined from the hexadecimal feature values of the packet traffic. For the proprietary communication protocols of different manufacturers' secondary devices, the hexadecimal feature string of the manufacturer's protocol packets is obtained first; the string is then analysed and trimmed at several levels to obtain the keyword feature values of the manufacturer's protocol packets; finally the required information is taken from the packet traffic according to those keywords and matched against the locally stored authorization information.

Step S3: match the MAC address information of the debugging tool to check its address authority.

Step S3 specifically comprises:

S301: collect the MAC address of the debugging tool;

S302: match the MAC address against the stored authorization information; if the match fails, intercept the packet, block the session and raise a pop-up warning in the interface; if the match passes, execute S303;

S303: forward the packet through the proxy to the secondary device.

The security control device extracts the MAC address of the debugging tool connected over the SSL VPN and matches it against the stored authorization information. If the match fails, the packet is intercepted, the session is blocked and a pop-up warning is shown in the interface; if the match passes, the debugging tool is authorized and the packet is forwarded through the proxy to the secondary device.

The MAC address must be the MAC address of the Ethernet adapter; the Ethernet MAC address is fixed, offers better security and effectively identifies the device uniquely.
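Steps S2 and S3 together as an added example (not code from the patent or its applicants): feature extraction from a debugging-file transfer frame, the match against the locally stored authorization record, and the Ethernet MAC gate. The vendor framing used here (a magic word, then key/length/value fields whose keys play the role of the keywords found in the hexadecimal feature strings), the use of SHA-256 as the "standard hash" for the feature code, and every sample value are assumptions; real manufacturer protocols differ and their keywords have to be recovered by the analysis the text describes.

```python
"""Added example of steps S2 and S3 (not the patent's code). The framing below is
constructed: magic 'aa55', then fields of 1-byte key, 1-byte length, value. Keys
01..04 stand in for the vendor keywords; the authorization record is a constructed
sample of the fields listed in the text."""
import hashlib

MAGIC = "aa55"
KEYWORDS = {"01": "file_name", "02": "file_size", "03": "file_md5", "04": "feature_code"}

# Constructed local authorization record (the fields of the text, sample values).
AUTHORIZATION = {
    "file_name": "relay_cfg_v3.bin",
    "file_size": 2048,
    "file_md5": hashlib.md5(b"constructed file body").hexdigest(),
    "staff_name": "Zhang San",
    "staff_phone": "000-0000-0000",
    "device_manufacturer": "VendorA",
    "debugging_time": "2022-06-29 10:00",
    "transport_protocol": "tcp",
    "device_name": "Line protection 1",
    "device_model": "RelayX",
    "device_service_port": 2404,
    "control_device_number": "SCD-0001",
    "tool_brand": "ToolCo",
    "tool_model": "T1",
    "tool_username": "alice",
    "debugging_tool_mac": "00:1a:2b:3c:4d:5e",
}


def feature_code(auth: dict) -> str:
    """Feature code: a standard hash over the whole authorization record in fixed key order."""
    canonical = "|".join(f"{k}={auth[k]}" for k in sorted(auth))
    return hashlib.sha256(canonical.encode()).hexdigest()


def extract_features(frame_hex: str) -> dict:
    """Walk the hex string keyword by keyword: filter on the magic word, split off each
    key/length/value field, splice the value bytes and transcode them to their type."""
    h = frame_hex.lower()
    if not h.startswith(MAGIC):
        raise ValueError("not a vendor frame: magic keyword missing")
    pos, out = len(MAGIC), {}
    while pos + 4 <= len(h):
        key, length = h[pos:pos + 2], int(h[pos + 2:pos + 4], 16)
        value = h[pos + 4:pos + 4 + 2 * length]
        if len(value) != 2 * length:
            raise ValueError("truncated field")
        pos += 4 + 2 * length
        name = KEYWORDS.get(key)            # unknown keys are skipped
        if name == "file_name":
            out[name] = bytes.fromhex(value).decode("utf-8")
        elif name == "file_size":
            out[name] = int(value, 16)
        elif name in ("file_md5", "feature_code"):
            out[name] = value
    return out


def check_transmission(frame_hex: str, auth: dict = AUTHORIZATION):
    """Step S2: every extracted feature must equal the authorization record; any
    mismatch (or an unparseable frame) means interception plus a log entry."""
    try:
        feats = extract_features(frame_hex)
    except (ValueError, UnicodeDecodeError):
        return False, "intercepted: unparseable frame"
    expected = {"file_name": auth["file_name"], "file_size": auth["file_size"],
                "file_md5": auth["file_md5"], "feature_code": feature_code(auth)}
    for name, want in expected.items():
        if feats.get(name) != want:
            return False, f"intercepted: {name} mismatch, logged"
    return True, "transmission permitted"


def check_address(tool_mac: str, auth: dict = AUTHORIZATION):
    """Step S3: the tool's Ethernet MAC must equal the authorized one. Compare in a
    normalized form so '00-1A-2B-...' and '00:1a:2b:...' denote the same address."""
    norm = lambda m: m.strip().lower().replace("-", ":")
    if norm(tool_mac) != norm(auth["debugging_tool_mac"]):
        return False, "intercepted, session blocked, pop-up warning"
    return True, "forwarded to secondary device"


def admit(frame_hex: str, tool_mac: str) -> str:
    """S2 then S3, as the text orders them; returns the action taken."""
    ok, why = check_transmission(frame_hex)
    if not ok:
        return why
    return check_address(tool_mac)[1]


def build_frame(file_name: str, file_size: int, file_md5: str, code: str) -> str:
    """Encoder for the constructed framing, used only to produce sample input."""
    def field(key, value_hex):
        return key + f"{len(value_hex) // 2:02x}" + value_hex
    return (MAGIC + field("01", file_name.encode().hex()) + field("02", f"{file_size:08x}")
            + field("03", file_md5) + field("04", code))
```

The feature code is recomputed from the locally stored record rather than trusted from the frame, so a frame that carries the right file name, size and MD5 but was authorized under different staff, time or device fields still fails. The MAC gate is the last check and is layered on top of the certificate-bound SSL VPN session established in step S1; on its own a link-layer address is software-settable on most adapters, so it is the session binding, not the address, that carries the identity.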

This embodiment also provides a security control device for substation secondary equipment debugging file authority detection.

The security control device comprises an identity authority detection module, a transmission authority detection module, a storage module, a file authority detection module and an address authority detection module;

The identity authority detection module performs identity authority detection on the debugging tool;

The transmission authority detection module extracts packet features from the debugging file and determines whether the feature information matches the authorization information; if they match, transmission authority is granted;

The storage module stores the authorization information;

The file authority detection module reads and analyses the packets passing through the security control device, obtains the required file information, and matches that file information against the authorization information stored locally on the security control device;

The address authority detection module determines whether the MAC address of the debugging tool matches the authorization information.

The beneficial effect of the present invention is that, compared with the prior art, it inserts a security control device into the connection between the debugging tool and the substation secondary equipment. This improves the security and stability of the transmission process, keeps the system running continuously and reliably, and adds authority detection of the debugging file, making the security audit between the debugging tool and the substation secondary equipment more robust and effectively reducing the security risk to the power network.

The beneficial effects of the present invention also include:

(1) A data encryption transmission channel is established to protect data in transit over the network and prevent power grid data from being intercepted or stolen;

(2) Packet feature extraction and authorization information matching are performed on the debugging file to prevent illegitimate files from obtaining transmission permission.

The applicant has explained and described the embodiments of the present invention in detail with reference to the accompanying drawings. Those skilled in the art should understand, however, that the above embodiments are only preferred implementations of the present invention, that the detailed description serves only to help the reader understand the spirit of the invention, and that it does not limit the scope of protection; on the contrary, any improvement or modification made on the basis of the inventive spirit of the present invention falls within its scope of protection.

Claims (9)

1. A substation secondary equipment debugging file authority detection method, characterized in that it involves a debugging tool, a security control device and secondary equipment, the security control device being connected in series between the debugging tool and the secondary equipment, and the method comprising the following steps:

Step S1: the security control device performs identity authority detection on the debugging tool, the identity authority detection being a three-factor identity authentication of the debugging tool by the security control device using "certificate + PIN code + username/password"; if the identity authority detection passes, a data encryption transmission channel is established between the debugging tool and the security control device and step S2 is executed;

Step S2: the security control device extracts packet features from the debugging file transmitted by the debugging tool and matches the extracted feature information against the authorization information; if they match, the debugging file has been granted transmission permission and step S3 is executed; if they do not match, the packet is intercepted and a log entry is recorded; the packet feature extraction comprises: obtaining the hexadecimal feature string of the communication protocol packets of the manufacturer of the secondary device to be debugged; analysing and trimming the feature string to obtain the keywords of the manufacturer's protocol packets; and filtering, extracting, splitting, splicing and transcoding the packets according to the keywords to obtain the feature information;

Step S3: matching the MAC address information of the debugging tool to check its address authority, and, once the address authority passes, forwarding the debugging file of step S2 to the secondary equipment.

2. The substation secondary equipment debugging file authority detection method according to claim 1, characterized in that the authentication process comprises: inserting the UKey holding the certificate into the debugging tool; entering the PIN code and then the username/password on the debugging tool; the security control device checking whether the PIN code and username/password are correct and whether the certificate has expired or is incorrectly encoded; and obtaining the authentication result from the certificate + PIN code + username/password information; the authentication result being as follows: if the PIN code or username/password is entered incorrectly more than 3 times in a row, the identity authority detection fails, input is blocked for a set duration, and a channel-establishment failure warning is issued; if the certificate stored in the UKey has expired or is incorrectly encoded, the identity authority detection fails and the debugging tool is denied access to the secondary equipment; if the certificate, PIN code and username/password authentication all pass, the identity authority detection passes.

3. The substation secondary equipment debugging file authority detection method according to claim 1, characterized in that the data encryption channel is an SSL VPN data encryption channel encrypted with a block cipher algorithm.

4. The substation secondary equipment debugging file authority detection method according to claim 3, characterized in that the SSL VPN data encryption transmission channel takes over all application traffic of the debugging tool by creating a virtual network adapter; after the channel is established the debugging tool disables its wireless network adapter, and the security control device forwards the debugging tool's packet data through a global proxy.

5. The substation secondary equipment debugging file authority detection method according to claim 1, characterized in that the authorization information comprises the debugging file name, debugging file size, debugging file MD5 value, staff member's name, staff member's contact telephone number, secondary equipment manufacturer, debugging time, transmission protocol, secondary equipment name, secondary equipment model, secondary equipment service port, security control device number, debugging tool brand, debugging tool model, debugging tool username and debugging tool MAC address.

6. The substation secondary equipment debugging file authority detection method according to claim 5, characterized in that the feature information comprises the debugging file name, debugging file size, debugging file MD5 value and feature-code traffic information, the feature-code traffic information being obtained by computing a standard hash over the authorization information described in step 1.

7. The substation secondary equipment debugging file authority detection method according to claim 1, characterized in that step S3 comprises: S301, collecting the MAC address of the debugging tool; S302, matching the MAC address against the stored authorization information, and if the match fails, intercepting the packet, blocking the session and raising a pop-up warning in the interface, or if the match passes, executing S303; S303, forwarding the debugging file through the proxy to the secondary equipment.

8. The substation secondary equipment debugging file authority detection method according to claim 7, characterized in that the MAC address is the MAC address of the Ethernet adapter.

9. A substation secondary equipment debugging file authority detection security control device based on the method according to any one of claims 1 to 8, characterized in that the security control device comprises an identity authority detection module, a transmission authority detection module, a storage module, a file authority detection module and an address authority detection module; the identity authority detection module performs identity authority detection on the debugging tool; the transmission authority detection module extracts packet features from the debugging file and determines whether the feature information matches the authorization information, granting transmission authority if they match; the storage module stores the authorization information; the file authority detection module reads and analyses the packets passing through the security control device, obtains the required file information, and matches that file information against the authorization information stored locally on the security control device; and the address authority detection module determines whether the MAC address of the debugging tool matches the authorization information.
CN202210753821.7A 2022-06-29 2022-06-29 Substation secondary equipment debugging file authority detection method and safety control device Active CN115118509B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210753821.7A CN115118509B (en) 2022-06-29 2022-06-29 Substation secondary equipment debugging file authority detection method and safety control device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210753821.7A CN115118509B (en) 2022-06-29 2022-06-29 Substation secondary equipment debugging file authority detection method and safety control device

Publications (2)

Publication Number Publication Date
CN115118509A CN115118509A (en) 2022-09-27
CN115118509B true CN115118509B (en) 2024-06-18

Family

ID=83331286

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210753821.7A Active CN115118509B (en) 2022-06-29 2022-06-29 Substation secondary equipment debugging file authority detection method and safety control device

Country Status (1)

Country Link
CN (1) CN115118509B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383524A (en) * 2020-11-03 2021-02-19 中国南方电网有限责任公司 Operation and maintenance auditing method, device and medium

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2136150C (en) * 1994-11-18 2007-01-30 Hung T. Vu Apparatus and method for providing a secure gateway for communication and data exchanges between networks
JP2003177938A (en) * 2001-12-07 2003-06-27 Fujitsu Ltd Electronic device and debug authentication method thereof
US8639922B2 (en) * 2009-06-01 2014-01-28 Dhananjay S. Phatak System, method, and apparata for secure communications using an electrical grid network
CN103903188A (en) * 2014-03-18 2014-07-02 国家电网公司 Controlling method of configuration file of intelligent transformer substation system
CN106209403B (en) * 2015-04-30 2019-09-13 深圳市中兴微电子技术有限公司 A debugging method and a debugging device
CN108663581A (en) * 2017-11-15 2018-10-16 云南电网有限责任公司大理供电局 A kind of secondary equipment of intelligent converting station test method
CN109302404A (en) * 2018-10-30 2019-02-01 国电南瑞南京控制系统有限公司 A kind of remote maintenance authenticating operation method of wide area operational system
CN110996318B (en) * 2019-12-23 2021-07-23 广西电网有限责任公司电力科学研究院 Safety communication access system of intelligent inspection robot of transformer substation
CN111565167B (en) * 2020-03-09 2022-05-17 国网浙江省电力有限公司绍兴供电公司 Generalized remote operation information safety device and safety operation and maintenance method for intelligent substation
US11468199B2 (en) * 2020-07-22 2022-10-11 Apple Inc. Authenticated debug for computing systems
CN113098980B (en) * 2021-05-12 2022-08-02 国网湖南省电力有限公司 Portable safety operation and maintenance system for power monitoring system
CN114444101A (en) * 2022-01-24 2022-05-06 国网河南省电力公司电力科学研究院 A method and system for allocating file permissions for transmission of substation debugging tools

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383524A (en) * 2020-11-03 2021-02-19 中国南方电网有限责任公司 Operation and maintenance auditing method, device and medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
侯永春.保护调试工具接入二次设备网...安全风险分析与防控技术研究.信息通信.2020,(第12期),第167-171页. *
保护调试工具接入二次设备网...安全风险分析与防控技术研究;侯永春;信息通信(第12期);第167-171页 *

Also Published As

Publication number Publication date
CN115118509A (en) 2022-09-27

Similar Documents

Publication Publication Date Title
CN112073375A (en) Isolation device and isolation method suitable for power Internet of things client side
CN105099705B (en) A kind of safety communicating method and its system based on usb protocol
CN118194330B (en) Internet-based office data encryption storage system and method
CN117313122A (en) Data sharing and exchanging management system based on block chain
CN113098980B (en) Portable safety operation and maintenance system for power monitoring system
CN108712369B (en) Multi-attribute constraint access control decision system and method for industrial control network
CN118368080A (en) Enterprise privacy analysis and anomaly detection method, device, equipment and storage medium
CN109033784A (en) Identity identifying method and device in a communication network
CN114996724B (en) Safe operating system based on cryptographic algorithm module
CN119397599A (en) Security protection method, system and storage medium for information management system
CN113794563B (en) Communication network security control method and system
CN115118509B (en) Substation secondary equipment debugging file authority detection method and safety control device
CN112199700B (en) A security management method and system for an MES data system
CN112565279A (en) Sensor signal processing system based on safety network
CN117714101A (en) Trusted network connection architecture system applied to power system
CN117763580A (en) Authorization management method, device, electronic equipment and storage medium
CN113132310A (en) Safe access method and system for power distribution terminal and power distribution master station
CN109547494A (en) Network security detection gateway and system
CN113468607B (en) Method for generating and using encrypted tamper-proof file
CN208400132U (en) A kind of Multi-domain security access terminal
Zhang et al. Design and implementation of iec61850 communication security protection scheme for smart substation based on bilinear function
CN114143028A (en) A method and system for data cross-region secure transmission based on electricity spot trading business scenario
CN113704061A (en) Secret-related computer protection system
CN110704839A (en) Data encryption protection method based on national cryptographic algorithm
CN113395352B (en) A detection method and system suitable for power distribution Internet of Things business security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant