Design and Implementation of Forward Isolation Device Based on Deep Packet Inspection and Security Enhancement
  • English title: Design and Implementation of Forward Isolation Device Based on Deep Packet Inspection and Security Enhancement
  • Authors: 曹翔; 张阳; 宋林川; 胡绍谦; 汤震宇; 张春合
  • Authors (English): CAO Xiang; ZHANG Yang; SONG Linchuan; HU Shaoqian; TANG Zhenyu; ZHANG Chunhe; NR Electric Co., Ltd.
  • Keywords: deep packet inspection (DPI); two-factor; encryption; authentication; network security
  • Journal name (Chinese): DLXT
  • Journal name (English): Automation of Electric Power Systems
  • Affiliation: 南京南瑞继保电气有限公司 (NR Electric Co., Ltd.)
  • Publication date: 2018-08-13 17:08
  • Publisher: 电力系统自动化 (Automation of Electric Power Systems)
  • Year: 2019
  • Issue: v.43; No.648
  • Language: Chinese
  • Page: DLXT201902022
  • Number of pages: 8
  • CN: 02
  • ISSN: 32-1180/TP
  • Classification number: 238-245
Abstract
To improve the security of the internal communication network of power systems in the emerging network security environment and the distribution network access environment, a forward isolation device based on deep packet inspection and security enhancement is proposed. Building on an analysis of the principle and vulnerabilities of the traditional forward isolation device, a field programmable gate array (FPGA) is adopted as the isolation island component, which raises the transmission rate of the isolation island and reduces the bit error rate; deep packet inspection technology solves the reverse penetration threat; two-factor identity authentication technology improves the security of human-machine interface (HMI) user management; and encryption and authentication technology based on Chinese national cryptographic (国密) algorithms improves the security of local management. Compared with the traditional forward isolation device, both the performance and the security of the proposed device are improved. Finally, the feasibility of the theory and the practicability of the technology are verified through engineering application.
