CN115065515A - Network security monitoring device of transformer substation - Google Patents

Publication number
CN115065515A
Authority
CN
China
Prior art keywords
network
white list
module
host
rule base
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210625594.XA
Other languages
Chinese (zh)
Inventor
宋博言
张贤
付炜平
王昭雷
张睿智
刘杉
张炜琦
曹一楠
孟荣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Super High Voltage Branch Of State Grid Hebei Electric Power Co ltd
State Grid Corp of China SGCC
Original Assignee
Super High Voltage Branch Of State Grid Hebei Electric Power Co ltd
State Grid Corp of China SGCC
Application filed by Super High Voltage Branch Of State Grid Hebei Electric Power Co ltd, State Grid Corp of China SGCC
Priority to CN202210625594.XA
Publication of CN115065515A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a transformer substation network security monitoring device which comprises a network message analysis module, a network white list management module, a network host checking module and a network security risk assessment and audit module, wherein the network white list management module is provided with a white list rule base, the network message analysis module collects an original message of a switch and carries out network analysis to decompose network process characteristics and network statistical information, the state of network equipment and network connection in the network process characteristics is input into the network white list management module and is compared and analyzed with the white list rule base, and meanwhile, the network host checking module carries out security checking on a network host in a manual or periodic mode.

Description

Network security monitoring device of transformer substation
Technical Field
The invention relates to a transformer substation network safety monitoring device.
Background
At present, network security protection in transformer substations relies mainly on boundary protection; inside the substation, network protection consists only of a network security monitoring device, an IDS (intrusion detection system), and the firewalls and isolation devices between different security partitions. The network security monitoring device works only if a probe program is installed on the equipment or the equipment's log alarm function is enabled: it raises an alarm when an alarm condition is met, and equipment that does not support alarming cannot trigger a network security alarm at all. IDS equipment is not deployed completely and uniformly across substations; its rule base must be updated regularly and consists of general-purpose rules that do not necessarily match the service communication inside a substation, so a network attack that falls outside the rule base raises no alarm. The firewalls and isolation devices protect only the boundaries between different security partitions.
Existing document CN216490529U, a protective alarm device for wireless monitoring of network security, aims to solve the technical problems that prior-art devices cannot be adjusted in angle on demand and are inconvenient to store and carry. The device comprises a processor main body; a protective pad is fixedly mounted on the bottom of the processor main body, a first rotating shaft is arranged on the outside of the processor main body, a cover plate is arranged on the outside of the first rotating shaft and is rotatably connected to the processor main body through the first rotating shaft, a rectangular tube is fixedly mounted on the upper end of the processor main body, and a display module is arranged on the upper end of the processor main body.
The existing document, CN210745181U, a network security monitoring and warning device for power generation equipment, includes a housing provided with an ethernet interface as a network traffic input signal and a management input signal port, and a DO data output interface as an output signal port, so as to implement analysis of network security of the power generation equipment and transmit warning information to a control and protection unit of the power generation equipment in real time through an I/O signal, thereby meeting the power production requirement that the power generation equipment can still ensure its own security and maintain normal operation under the condition of network attack.
Neither of these two approaches adopts a white list strategy, so both need real-time updating when network security monitoring is carried out.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a transformer substation network security monitoring device that addresses the problems described above.
The invention adopts the following technical scheme:
The device comprises a network message analysis module, a network white list management module, a network host checking module, and a network security risk assessment and audit module. The network white list management module holds a white list rule base. The network message analysis module collects the original messages of a switch and performs network analysis, decomposing them into network process characteristics and network statistical information. The states of network equipment and network connections in the network process characteristics are input into the network white list management module and compared against the white list rule base. Meanwhile, the network host checking module performs security checks on the network hosts, either manually or periodically.
The network security risk assessment and audit module comprehensively collects network statistical information, a white list rule base comparison result and a network host check result, and performs security audit and risk assessment of network behaviors.
The network security risk assessment and audit module is provided with an alarm module, and when a message which does not accord with a white list rule base appears, an alarm is triggered.
The network message real-time monitoring, analyzing and recording module collects all original messages on a substation switch in real time, analyzes the configuration and behavior of the current network, records the occurrence time of the messages, then stores the messages in a message library, and decomposes network process characteristics including the processes and states of network equipment, network ports and network connection, wherein the process characteristics are used as the input of a network white list management module; meanwhile, network communication statistical information including flow and on-off times of network connection is calculated.
After acquiring the process characteristics of network equipment and network connections, the network white list management module of the invention judges their legality in the following steps:
step one, setting a white list rule base of network process characteristics;
step two, inputting the collected network process characteristics;
step three, comparing the network process characteristics with the white list rule base: characteristics that match the white list rule base are legal, and all others are illegal.
The network host checking module of the invention performs security checks on the workstations and servers among the network hosts, both periodically and manually, in the following steps:
step one, setting checking parameters, including cycle time, weak password standard and a legal process list;
step two, performing periodic checks and manual checks according to the checking parameters, covering weak system passwords, whether antivirus software is installed, software installation and uninstallation records, whether the running processes are legal, and whether removable storage has been connected;
step three, recording the checking result.
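The host checking steps above, sketched as an added example (not code from the patent). The snapshot fields, the length/character-class reading of the "weak password standard", and all host, account and process names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CheckParams:                 # step one: the checking parameters
    cycle_seconds: int             # cycle time between periodic checks
    min_length: int                # weak password standard: minimum length
    min_classes: int               # ... and minimum number of character classes
    legal_processes: frozenset     # legal process list

@dataclass
class HostSnapshot:                # hypothetical report from a workstation or server
    name: str
    passwords: dict                # account -> password (constructed sample only; a
                                   # real check would evaluate this on the host itself)
    antivirus_installed: bool
    software_changes: list         # (timestamp, "install" | "uninstall", package)
    processes: list                # names of running processes
    removable_storage_events: list # timestamps of removable storage access

def is_weak(password, params):
    """Apply the weak password standard: too short or too few character classes."""
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return len(password) < params.min_length or classes < params.min_classes

def check_due(now, last_check, params, manual=False):
    """A check runs on manual request, on first run, or once the cycle has elapsed."""
    return manual or last_check is None or now - last_check >= params.cycle_seconds

def check_host(snap, params, since):
    """Step two: run every check; events are reported only if newer than `since`."""
    findings = []
    for account, password in sorted(snap.passwords.items()):
        if is_weak(password, params):
            findings.append(("weak_password", account))
    if not snap.antivirus_installed:
        findings.append(("no_antivirus", snap.name))
    for ts, action, package in snap.software_changes:
        if ts > since:
            findings.append(("software_" + action, package))
    for proc in sorted(set(snap.processes) - params.legal_processes):
        findings.append(("illegal_process", proc))
    for ts in snap.removable_storage_events:
        if ts > since:
            findings.append(("removable_storage", ts))
    return findings

def run_cycle(now, last_check, snapshots, params, log, manual=False):
    """Step three: record one result per host; returns the time of the last check."""
    if not check_due(now, last_check, params, manual):
        return last_check
    since = last_check if last_check is not None else float("-inf")
    for snap in snapshots:
        log.append({"time": now, "host": snap.name,
                    "mode": "manual" if manual else "periodic",
                    "findings": check_host(snap, params, since)})
    return now

# Constructed sample data.
PARAMS = CheckParams(cycle_seconds=86400, min_length=8, min_classes=3,
                     legal_processes=frozenset({"scada_hmi", "historian", "sntp_client"}))
SAMPLE_HOSTS = [HostSnapshot(
    name="operator-ws-1",
    passwords={"operator": "abc123", "admin": "Str0ng!Passw0rd"},
    antivirus_installed=True,
    software_changes=[(100, "install", "vendor_tool")],
    processes=["scada_hmi", "sntp_client", "unknown_tool"],
    removable_storage_events=[150])]

if __name__ == "__main__":
    results = []
    run_cycle(1000, None, SAMPLE_HOSTS, PARAMS, results)
    for entry in results:
        print(entry)
```

A manual check inside the cycle window still runs, but reports only the software and removable storage events recorded since the previous check.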
The white list rule base includes the communication between the monitoring host and telecontrol unit on one side and the measurement and control devices, protection devices and integrated power supply on the other, carried over the 61850 protocol on port TCP 102.
The white list rule base of the present invention also includes the database synchronization communication between monitoring host servers.
The white list rule base includes the communication between the time synchronization host and the monitoring host and comprehensive application server, carried over the SNTP service on port UDP 123.
The white list rule base includes the communication of the network security monitoring device with the monitoring host, comprehensive application server, remote server, message protection substation, online monitoring, fault recorder, firewall, one-way isolating device, and all station control layer and bay layer switches.
The invention has the following positive effects:
Because a transformer substation carries few communication services, it is feasible for the white list rule base to list every communication process completely. Once listed, the rule base is common to almost all intelligent substations; only the services used by different manufacturers and the number of devices in each substation need to be adjusted during on-site commissioning. After commissioning, the services do not change for a long time, so no blacklist-style regular rule updates are needed, and unknown attack behaviors can be found in time.
Drawings
FIG. 1 is a block diagram of a substation network security monitoring device according to the present invention;
FIG. 2 is a flow diagram of a network message analysis module in accordance with the present invention;
FIG. 3 is a flow chart of a network white list management module in the present invention;
FIG. 4 is a flow chart of a network host checking module according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the application, its application, or uses. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present application. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present application unless specifically stated otherwise. Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description. Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as exemplary only and not as limiting. Thus, other examples of the exemplary embodiments may have different values. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
In the description of the present application, it is to be understood that the orientation or positional relationship indicated by the directional terms such as "front, rear, upper, lower, left, right", "lateral, vertical, horizontal" and "top, bottom", etc., are generally based on the orientation or positional relationship shown in the drawings, and are used for convenience of description and simplicity of description only, and in the case of not making a reverse description, these directional terms do not indicate and imply that the device or element being referred to must have a particular orientation or be constructed and operated in a particular orientation, and therefore, should not be considered as limiting the scope of the present application; the terms "inner and outer" refer to the inner and outer relative to the profile of the respective component itself.
Spatially relative terms, such as "above … …," "above … …," "above … …," "above," and the like, may be used herein for ease of description to describe one device or feature's spatial relationship to another device or feature as illustrated in the figures. It will be understood that the spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if a device in the figures is turned over, devices described as "above" or "on" other devices or configurations would then be oriented "below" or "under" the other devices or configurations. Thus, the exemplary term "above … …" can include both an orientation of "above … …" and "below … …". The device may be otherwise variously oriented (rotated 90 degrees or at other orientations) and the spatially relative descriptors used herein interpreted accordingly.
It should be noted that the terms "first", "second", and the like are used to define the components, and are only used for convenience of distinguishing the corresponding components, and the terms have no special meanings unless otherwise stated, and therefore, the scope of protection of the present application is not to be construed as being limited.
Example 1
As shown in FIGS. 1-4, the device comprises a network message analysis module, a network white list management module, a network host checking module, and a network security risk assessment and audit module. The network white list management module holds a white list rule base. The network message analysis module collects the original messages of a switch and performs network analysis, decomposing them into network process characteristics and network statistical information. The states of network equipment and network connections in the network process characteristics are input into the network white list management module and compared against the white list rule base. Meanwhile, the network host checking module performs security checks on the network hosts, either manually or periodically.
The network security risk assessment and audit module comprehensively collects network statistical information, a white list rule base comparison result and a network host check result, and performs security audit and risk assessment of network behaviors.
The network security risk assessment and audit module is provided with an alarm module, and when a message which does not accord with a white list rule base appears, an alarm is triggered.
The network message real-time monitoring, analyzing and recording module collects all original messages on a substation switch in real time, analyzes the configuration and behavior of the current network, records the occurrence time of the messages, then stores the messages in a message library, and decomposes network process characteristics including the processes and states of network equipment, network ports and network connection, wherein the process characteristics are used as the input of a network white list management module; meanwhile, network communication statistical information including flow and on-off times of network connection is calculated.
After acquiring the process characteristics of network equipment and network connections, the network white list management module judges their legality in the following steps:
step one, setting a white list rule base of network process characteristics;
step two, inputting the collected network process characteristics;
step three, comparing the network process characteristics with the white list rule base: characteristics that match the white list rule base are legal, and all others are illegal.
The network host checking module of the invention performs security checks on the workstations and servers among the network hosts, both periodically and manually, in the following steps:
step one, setting checking parameters, including cycle time, weak password standard and a legal process list;
step two, performing periodic checks and manual checks according to the checking parameters, covering weak system passwords, whether antivirus software is installed, software installation and uninstallation records, whether the running processes are legal, and whether removable storage has been connected;
step three, recording the checking result.
The white list rule base includes the communication between the monitoring host and telecontrol unit on one side and the measurement and control devices, protection devices and integrated power supply on the other, carried over the 61850 protocol on port TCP 102.
Example 2
This example is based on Example 1 and is the same as Example 1 in the following respects:
The device comprises a network message analysis module, a network white list management module, a network host checking module, and a network security risk assessment and audit module. The network white list management module holds a white list rule base. The network message analysis module collects the original messages of a switch and performs network analysis, decomposing them into network process characteristics and network statistical information. The states of network equipment and network connections in the network process characteristics are input into the network white list management module and compared against the white list rule base. Meanwhile, the network host checking module performs security checks on the network hosts, either manually or periodically.
The network security risk assessment and audit module comprehensively collects network statistical information, a white list rule base comparison result and a network host check result, and performs security audit and risk assessment of network behaviors.
The network security risk assessment and audit module is provided with an alarm module, and when a message which does not accord with a white list rule base appears, an alarm is triggered.
The network message real-time monitoring, analyzing and recording module collects all original messages on a substation switch in real time, analyzes the configuration and behavior of the current network, records the occurrence time of the messages, then stores the messages in a message library, and decomposes network process characteristics including the processes and states of network equipment, network ports and network connection, wherein the process characteristics are used as the input of a network white list management module; meanwhile, network communication statistical information including flow and on-off times of network connection is calculated.
After acquiring the process characteristics of network equipment and network connections, the network white list management module judges their legality in the following steps:
step one, setting a white list rule base of network process characteristics;
step two, inputting the collected network process characteristics;
step three, comparing the network process characteristics with the white list rule base: characteristics that match the white list rule base are legal, and all others are illegal.
The network host checking module of the invention performs security checks on the workstations and servers among the network hosts, both periodically and manually, in the following steps:
step one, setting checking parameters, including cycle time, weak password standard and a legal process list;
step two, performing periodic checks and manual checks according to the checking parameters, covering weak system passwords, whether antivirus software is installed, software installation and uninstallation records, whether the running processes are legal, and whether removable storage has been connected;
step three, recording the checking result.
The white list rule base includes the communication between the monitoring host and telecontrol unit on one side and the measurement and control devices, protection devices and integrated power supply on the other, carried over the 61850 protocol on port TCP 102.
The difference is that:
the white list rule base also includes the database synchronization communication between monitoring host servers, and the port numbers must be configured according to the site.
Example 3
This example is based on Example 2 and is the same as Example 2 in the following respects:
The device comprises a network message analysis module, a network white list management module, a network host checking module, and a network security risk assessment and audit module. The network white list management module holds a white list rule base. The network message analysis module collects the original messages of a switch and performs network analysis, decomposing them into network process characteristics and network statistical information. The states of network equipment and network connections in the network process characteristics are input into the network white list management module and compared against the white list rule base. Meanwhile, the network host checking module performs security checks on the network hosts, either manually or periodically.
The network security risk assessment and audit module comprehensively collects network statistical information, a white list rule base comparison result and a network host check result, and performs security audit and risk assessment of network behaviors.
The network security risk assessment and audit module is provided with an alarm module, and when a message which does not accord with a white list rule base appears, an alarm is triggered.
The network message real-time monitoring, analyzing and recording module collects all original messages on a substation switch in real time, analyzes the configuration and behavior of the current network, records the occurrence time of the messages, then stores the messages in a message library, and decomposes network process characteristics including the processes and states of network equipment, network ports and network connection, wherein the process characteristics are used as the input of a network white list management module; meanwhile, network communication statistical information including flow and on-off times of network connection is calculated.
After acquiring the process characteristics of network equipment and network connections, the network white list management module judges their legality in the following steps:
step one, setting a white list rule base of network process characteristics;
step two, inputting the collected network process characteristics;
step three, comparing the network process characteristics with the white list rule base: characteristics that match the white list rule base are legal, and all others are illegal.
The network host checking module of the invention performs security checks on the workstations and servers among the network hosts, both periodically and manually, in the following steps:
step one, setting checking parameters, including cycle time, weak password standard and a legal process list;
step two, performing periodic checks and manual checks according to the checking parameters, covering weak system passwords, whether antivirus software is installed, software installation and uninstallation records, whether the running processes are legal, and whether removable storage has been connected;
step three, recording the checking result.
The white list rule base includes the communication between the monitoring host and telecontrol unit on one side and the measurement and control devices, protection devices and integrated power supply on the other, carried over the 61850 protocol on port TCP 102.
The white list rule base also includes the database synchronization communication between monitoring host servers, and the port numbers must be configured according to the site.
The difference is that:
the white list rule base includes the communication between the time synchronization host and the monitoring host and comprehensive application server, carried over the SNTP service on port UDP 123.
Example 4
This example is based on Example 3 and is the same as Example 3 in the following respects:
The device comprises a network message analysis module, a network white list management module, a network host checking module, and a network security risk assessment and audit module. The network white list management module holds a white list rule base. The network message analysis module collects the original messages of a switch and performs network analysis, decomposing them into network process characteristics and network statistical information. The states of network equipment and network connections in the network process characteristics are input into the network white list management module and compared against the white list rule base. Meanwhile, the network host checking module performs security checks on the network hosts, either manually or periodically.
The network security risk assessment and audit module comprehensively collects network statistical information, a white list rule base comparison result and a network host check result, and performs security audit and risk assessment of network behaviors.
The network security risk assessment and audit module is provided with an alarm module, and when a message which does not accord with a white list rule base appears, an alarm is triggered.
The network message real-time monitoring, analyzing and recording module collects all original messages on a substation switch in real time, analyzes the configuration and behavior of the current network, records the occurrence time of the messages, then stores the messages in a message library, and decomposes network process characteristics including the processes and states of network equipment, network ports and network connection, wherein the process characteristics are used as the input of a network white list management module; meanwhile, network communication statistical information including flow and on-off times of network connection is calculated.
The network white list management module further performs legality judgment after acquiring the process characteristics of network equipment and network connection, wherein the legality judgment comprises the following steps of:
step one, setting a white list rule base of network process characteristics;
inputting the collected network process characteristics;
and step three, comparing the network process characteristics with a white list rule base, wherein the white list rule base is legal, and the rest are illegal.
The network host checking module of the invention carries out the safety checking of a work station and a server in the network host in a periodic mode and a manual mode, and comprises the following steps:
setting checking parameters including cycle time, weak password standard and a legal process list;
performing periodic check and manual check according to the check parameters, wherein the contents comprise a system weak password, whether antivirus software is installed, software installation and uninstallation records, whether an operation process is legal, and whether mobile storage access exists;
and step three, recording the checking result.
The white list rule base comprises a monitoring host, a remote motivation, a monitoring and controlling device of the monitoring host and the remote motivation, a protecting device of the monitoring host and the remote motivation and communication of an integrated power supply, and the port number is TCP 102 through a 61850 protocol.
The white list rule base also comprises the step of monitoring the synchronous communication of the database between the host servers, and port numbers are required to be configured according to the field.
The white list rule base comprises the communication between the time setting host computer and the monitoring host computer and the comprehensive application server, and the number of the port is UDP123 through SNTP service.
The difference is that:
the white list rule base includes the communication between the network security monitoring device and the monitoring host, the integrated application server, the remote server, the message protection substation, online monitoring, the fault recorder, the firewall, the one-way isolating device and all station control layer and bay layer switches; port numbers must be configured according to the actual field settings.
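The three-step legality judgment and the rule base entries described above (61850 on TCP 102, SNTP on UDP 123, a site-configured database synchronization port) can be sketched as follows. This is an added example, not code from the patent; the addresses, role names, the placeholder synchronization port and the assumption about which side opens each connection are all constructed for illustration.

```python
from typing import NamedTuple, Optional

# Constructed asset inventory (role -> addresses); every value here is an assumption.
ROLES = {
    "monitoring_host": {"10.0.1.10", "10.0.1.11"},
    "remote_machine": {"10.0.1.20"},
    "bay_device": {"10.0.2.31", "10.0.2.32"},  # measurement/control and protection devices
    "time_host": {"10.0.1.5"},
    "app_server": {"10.0.1.40"},
}
DB_SYNC_PORT = 15000  # placeholder: the text says this port is configured per site
# clients = roles assumed to open the connection, servers = roles that accept it
Rule = NamedTuple("Rule", [("clients", frozenset), ("servers", frozenset), ("proto", str), ("port", int)])
Flow = NamedTuple("Flow", [("src", str), ("dst", str), ("proto", str), ("dport", int)])

# Step one: the white list rule base of network process characteristics.
RULES = [
    Rule(frozenset({"monitoring_host", "remote_machine"}), frozenset({"bay_device"}), "tcp", 102),
    Rule(frozenset({"monitoring_host"}), frozenset({"monitoring_host"}), "tcp", DB_SYNC_PORT),
    Rule(frozenset({"monitoring_host", "app_server"}), frozenset({"time_host"}), "udp", 123),
]

def role_of(addr: str) -> Optional[str]:
    return next((role for role, addrs in ROLES.items() if addr in addrs), None)

def is_legal(flow: Flow) -> bool:
    """Step three: a flow is legal only if some rule matches roles, protocol and port."""
    src_role, dst_role = role_of(flow.src), role_of(flow.dst)
    if src_role is None or dst_role is None:
        return False  # equipment missing from the inventory never matches
    return any(src_role in r.clients and dst_role in r.servers
               and (flow.proto, flow.dport) == (r.proto, r.port) for r in RULES)

def audit(flows):
    # Flows returned here are the ones that would trigger the alarm module.
    return [f for f in flows if not is_legal(f)]

# Step two: collected characteristics (constructed sample; the first four are legal).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.31", "tcp", 102),
    Flow("10.0.1.20", "10.0.2.32", "tcp", 102),
    Flow("10.0.1.40", "10.0.1.5", "udp", 123),
    Flow("10.0.1.10", "10.0.1.11", "tcp", DB_SYNC_PORT),
    Flow("10.0.1.10", "10.0.2.31", "tcp", 23),   # known hosts, port not in rule base
    Flow("10.0.9.99", "10.0.2.32", "tcp", 102),  # right port, unknown equipment
    Flow("10.0.1.40", "10.0.2.31", "tcp", 102),  # right port, role not in the rule
]
```

Matching on roles as well as ports is what makes the last two sample flows illegal even though they use TCP 102.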
At present, the technical scheme of the application has undergone a pilot test, that is, a small-scale trial before large-scale mass production of the product. After the pilot test was finished, a user survey was carried out on a small scale, and the results show that user satisfaction is high. Preparation for formal production and industrialization of the product (including an intellectual property risk early-warning investigation) has now begun.
Finally, it should be noted that although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments or portions thereof without departing from the spirit and scope of the invention.

Claims (10)

1. A network security monitoring device of a transformer substation, characterized in that: it comprises a network message analysis module, a network white list management module, a network host check module and a network security risk assessment and audit module, wherein the network white list management module is provided with a white list rule base; the network message analysis module collects the original messages of a switch, analyzes them, and decomposes them into network process characteristics and network statistical information; the states of network equipment and network connections in the network process characteristics are input into the network white list management module and compared against the white list rule base; and meanwhile, the network host check module carries out security checks on the network hosts in a manual or periodic mode.
2. The substation network security monitoring device of claim 1, wherein the network security risk assessment and audit module aggregates the network statistical information, the white list rule base comparison results and the network host check results, and performs security audit and risk assessment of network behavior.
3. The substation network security monitoring device of claim 2, wherein the network security risk assessment and audit module is provided with an alarm module that triggers an alarm when a message that does not conform to the white list rule base occurs.
4. The substation network security monitoring device according to claim 3, wherein the network message real-time monitoring, analysis and recording module collects all original messages on a substation switch in real time, analyzes the configuration and behavior of the current network, records the time at which each message occurred, and then stores the messages in a message library; it decomposes the network process characteristics, which include the processes and states of network equipment, network ports and network connections, and these process characteristics are the input of the network white list management module; at the same time, it calculates network communication statistics, including the traffic and the number of connects and disconnects of network connections.
5. The substation network security monitoring device according to claim 4, wherein the network white list management module performs a legality judgment after acquiring the process characteristics of network equipment and network connections, and the legality judgment comprises the following steps:
step one, setting a white list rule base of network process characteristics;
step two, inputting the collected network process characteristics;
step three, comparing the network process characteristics with the white list rule base, wherein characteristics that are in the white list rule base are legal and all others are illegal.
6. The substation network security monitoring device according to claim 5, wherein the network host check module performs security checks on the workstations and servers among the network hosts in a periodic mode and a manual mode, comprising the following steps:
step one, setting check parameters, including the cycle time, the weak password standard and a list of legal processes;
step two, performing periodic checks and manual checks according to the check parameters, covering system weak passwords, whether antivirus software is installed, software installation and uninstallation records, whether the running processes are legal, and whether mobile storage has been connected;
step three, recording the check results.
7. The substation network security monitoring device of claim 6, wherein the white list rule base includes the communication of the monitoring host and the remote machine with their measurement and control devices, their protection devices and the integrated power supply, and this communication uses the 61850 protocol with port number TCP 102.
8. The substation network security monitoring device of claim 7, wherein the white list rule base further includes database synchronization communication between the monitoring host servers.
9. The substation network security monitoring device of claim 8, wherein the white list rule base includes the communication between the time synchronization host and the monitoring host and the integrated application server, and this communication uses the SNTP service with port number UDP 123.
10. The substation network security monitoring device of claim 9, wherein the white list rule base includes the communication between the network security monitoring device and a monitoring host, an integrated application server, a remote server, a security substation, online monitoring, a fault recorder, a firewall, a unidirectional isolation device, and all switches of the station control layer and the bay layer.
CN202210625594.XA 2022-06-02 2022-06-02 Network security monitoring device of transformer substation Pending CN115065515A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210625594.XA CN115065515A (en) 2022-06-02 2022-06-02 Network security monitoring device of transformer substation

Publications (1)

Publication Number Publication Date
CN115065515A true CN115065515A (en) 2022-09-16

Family

ID=83199130

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210625594.XA Pending CN115065515A (en) 2022-06-02 2022-06-02 Network security monitoring device of transformer substation

Country Status (1)

Country Link
CN (1) CN115065515A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination