CN117240550B - Isolation control method and firewall for production control zone I and zone II of transformer substation - Google Patents


Info

Publication number: CN117240550B
Authority: CN (China)
Prior art keywords: production control, area, network message, zone, address
Legal status: Active
Application number: CN202311200450.0A
Other languages: Chinese (zh)
Other versions: CN117240550A
Inventors: 徐波, 张晓晨, 黄晓扬, 叶健强, 梁俊, 苏纪臣, 李燕, 韩晓熠, 杨鑫, 杨亚峰, 王柄楠, 周斌, 姚武
Current assignee: State Grid Ningxia Electric Power Co Ltd
Original assignee: State Grid Ningxia Electric Power Co Ltd
Events: application filed by State Grid Ningxia Electric Power Co Ltd; priority to CN202311200450.0A; publication of CN117240550A; application granted; publication of CN117240550B; legal status active

Landscapes

  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A firewall is arranged between production control zone I and production control zone II of an intelligent substation monitoring system and is connected by network cable to the switches of zone I and zone II respectively. The isolation control method runs on the firewall and comprises the following steps: configuring in advance a white list of MAC addresses, a white list of IP addresses and a white list of port numbers; capturing a network message flowing from production control zone II to production control zone I; judging in sequence whether the MAC address, the IP address and the port number of the network message are each present in the corresponding white list; and, if the MAC address, the IP address and the port number are not all present in their respective white lists, refusing to forward the network message to production control zone I and executing an alarm operation indicating an abnormal request. The scheme improves the security of the intelligent substation monitoring system.

Description

Isolation control method and firewall for production control zone I and zone II of transformer substation
Technical Field
The invention relates to the technical field of substation network security protection, and in particular to an isolation control method and a firewall for production control zone I and production control zone II of a substation.
Background
The substation monitoring system achieves unified access, unified storage and unified management of substation information such as power grid and equipment operating information, condition monitoring information and metering information through system integration, optimisation and information sharing, and on that basis provides operation monitoring, operation control, comprehensive information analysis, intelligent alarming and similar functions for the substation. An ultra-high voltage substation usually deploys two independently configured sets of power dispatching data network access equipment, which access the dispatching data access network and the provincial dispatching data access network respectively over dedicated channels based on different transport technologies such as synchronous digital hierarchy (SDH) or plesiochronous digital hierarchy (PDH), so that the network is dedicated at the physical layer. Each power dispatching data network is divided into a real-time subnet and a non-real-time subnet that are logically isolated from each other, and these connect respectively to the services within the station: the substation monitoring system, telecontrol system, alarm graphics gateway, stability control system, time synchronisation system, relay protection system, five-prevention (interlocking) system, synchrophasor measurement system, protection information sub-station, fault recording, network security monitoring, electric energy acquisition, primary equipment online monitoring, auxiliary control system and so on.
Production control zone I of the substation generally connects the telecontrol system, alarm graphics gateway, stability control system, time synchronisation system, relay protection system, five-prevention system, synchrophasor measurement system and the like. Production control zone II usually connects the protection information sub-station, network security monitoring device, electric energy collector, fault recording system, primary equipment online monitoring system, auxiliary control system and the like. Zone I and zone II are connected through a network firewall, which provides network protection. In the existing substation protection system, however, the firewall configuration policy of the substation monitoring system is incomplete, so that production control zone II can pass through the firewall and control the power grid equipment in production control zone I. This clearly fails the requirement that zone II must not be able to control zone I, and greatly reduces the security of the substation protection system.
Disclosure of Invention
In view of the foregoing, an isolation control method and a firewall for production control zone I and zone II of a substation are needed to improve the security of the intelligent substation monitoring system.
In a first aspect, the invention provides an isolation control method for production control zone I and production control zone II of a substation, where zone I and zone II are two production control zones of an intelligent substation monitoring system: zone I may control zone II, but zone II may not control zone I. A firewall is arranged between zone I and zone II in the intelligent substation monitoring system and is connected by network cable to the switches of zone I and zone II respectively.
The isolation control method runs on the firewall and comprises the following steps:
configuring in advance a white list of MAC addresses, a white list of IP addresses and a white list of port numbers;
capturing a network message flowing from production control zone II to production control zone I;
judging in sequence whether the MAC address, the IP address and the port number of the network message are each present in the corresponding white list;
if the MAC address, the IP address and the port number of the network message are not all present in their respective white lists, refusing to forward the network message to production control zone I and executing an alarm operation indicating an abnormal request.
Preferably, after determining that the MAC address, IP address and port number of the network message are all present in the corresponding white lists, the method further comprises:
parsing the network message;
judging whether a remote control preset instruction or a remote control execute instruction is present in the parsed network message, where the remote control preset instruction is used for functional testing of equipment in the intelligent substation monitoring system and the remote control execute instruction is used for executing control on that equipment;
if either the remote control preset instruction or the remote control execute instruction is present in the parsed network message, refusing to forward the network message to production control zone I and sending alarm information to the remote signalling loop of a public measurement and control device in the intelligent substation monitoring system, so that the public measurement and control device sends an illegal network intrusion alarm to the background monitoring system over the in-station network.
Preferably, the isolation control method further comprises:
hashing in advance, with a hash algorithm, a target user name and target password that can log in to an account successfully, and storing the resulting first hash value;
acquiring the current user name and current password entered by the current user;
hashing the current user name and current password to obtain a second hash value, using the same hash algorithm as for the first hash value;
comparing the first hash value with the second hash value, and if they are not identical, determining that the current login is illegal and rejecting the current login request.
Preferably, the target password satisfies the following requirements:
a length of not less than 8 characters;
a mixture of at least two of upper-case letters, lower-case letters, digits and special characters;
the target password is not identical to the target user name;
and/or the hash algorithm is any one of MD5, SHA1, SHA256 and SHA512.
Preferably, after the current account has logged in successfully, the method further comprises:
monitoring the operations performed in the current account, and logging the current account out when no operation has been performed within a preset time period.
Preferably, the types of privileged user able to log in to the intelligent substation monitoring system are: a system management privileged user, a network security privileged user and a security audit privileged user. Each type of privileged user holds the authority required for its own function, but the system management privileged user has no right to operate on the audit records.
Preferably, the isolation control method further comprises, after a login failure on the equipment is detected, performing the following operations:
rejecting all communication based on insecure transmission protocols, where the insecure transmission protocols include the file transfer protocol FTP and the Telnet protocol;
restricting the login address of the system management privileged user to a preset secure login address;
rejecting all requests for remote management of the equipment in production control zone I.
Preferably, after capturing the network message flowing from production control zone II to production control zone I, the method further comprises:
judging whether the current network message is a non-service request to the longitudinal authentication device;
if it is a non-service request, judging whether the transmission protocol of the current network message is the ICMP protocol;
if it is not ICMP, refusing to forward the current network message to the corresponding equipment in production control zone I.
The isolation control method further comprises the following steps:
counting, per unit time, the devices in production control zone II whose network messages were refused forwarding to production control zone I;
if, within the unit time, the number of times network messages sent by a first device in production control zone II have been refused forwarding to production control zone I exceeds a preset first threshold, performing the following operations:
sending a right acquisition signal to the switch located in production control zone II;
receiving a permission grant instruction sent by the switch in production control zone II, the permission grant instruction comprising the port numbers by which each device in zone II is connected to the switch;
determining from the permission grant instruction the target port corresponding to the first device, and controlling the switch in production control zone II to close the target port.
In a second aspect, the invention provides a firewall deployed between production control zone I and production control zone II in an intelligent substation monitoring system. The firewall comprises a configuration module, a message capture module, a comparison and judgment module and an execution module:
the configuration module is configured to configure in advance a white list of MAC addresses, a white list of IP addresses and a white list of port numbers;
the message capture module is configured to capture network messages flowing from production control zone II to production control zone I;
the comparison and judgment module is configured to judge in sequence whether the MAC address, the IP address and the port number of the network message captured by the message capture module are each present in the corresponding white list configured by the configuration module;
the execution module is configured to refuse to forward the network message to production control zone I and to execute an alarm operation indicating an abnormal request when the comparison and judgment module finds that the MAC address, the IP address and the port number of the network message are not all present in their respective white lists.
In the isolation control method for production control zone I and zone II of a substation provided by the embodiments of the invention, a firewall is deployed between zone I and zone II. The firewall captures in real time the network messages flowing towards zone I and judges whether their MAC address, IP address, port number and so on are present in the pre-stored white lists. If not, the current network message does not conform to the security regulations of the substation monitoring system and may carry the risk of zone II controlling equipment in zone I, so forwarding is refused and an alarm operation is executed. The scheme therefore removes the risk of production control zone II passing through the firewall to control equipment in production control zone I, and greatly improves the security of the intelligent substation monitoring system.
Drawings
Fig. 1 is a flowchart of an isolation control method for controlling a zone i and a zone ii in substation production according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a firewall according to an embodiment of the invention.
Detailed Description
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. The drawings described here show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without inventive effort.
Intelligent substation communication uses the IEC 61850 series of standards for substation communication networks and systems. An ultra-high voltage substation deploys two independently configured sets of power dispatching data network access equipment, which access the network over different dedicated channels so that the network is dedicated at the physical level. Production control zone I and production control zone II are two production control zones of the intelligent substation monitoring system with different control grades: zone I may control zone II, but zone II may not control zone I. The main security risk of the intelligent substation monitoring system is that the lower-level zone II could control power grid equipment in zone I. The firewall is therefore arranged between zone I and zone II in the intelligent substation monitoring system, connected by network cable to the switches of zone I and zone II respectively, and the firewall policy is configured to further protect the intelligent substation monitoring system.
As shown in Fig. 1, an embodiment of the invention provides an isolation control method for production control zone I and zone II of a substation, which runs on the firewall and may comprise the following steps:
Step 101: configuring in advance a white list of MAC addresses, a white list of IP addresses and a white list of port numbers;
Step 102: capturing a network message flowing from production control zone II to production control zone I;
Step 103: judging in sequence whether the MAC address, the IP address and the port number of the network message are each present in the corresponding white list;
Step 104: if the MAC address, the IP address and the port number of the network message are not all present in their respective white lists, refusing to forward the network message to production control zone I and executing an alarm operation indicating an abnormal request.
In this embodiment a white list of MAC addresses, a white list of IP addresses and a white list of port numbers are configured in advance: trusted, secure MAC addresses are stored in the MAC address white list, trusted IP addresses in the IP address white list and trusted port numbers in the port number white list. When a captured network message flowing from zone II to zone I is not covered by the white lists configured this way, it is treated as an abnormal network message and is refused forwarding to zone I. This prevents zone II from controlling power grid equipment in zone I through network messages and greatly improves the security of the intelligent substation monitoring system.
Beyond the white lists of MAC addresses, IP addresses and port numbers, a white list of service request addresses and ports can also be configured, so that non-service request addresses and ports are uniformly blocked. Unneeded ports that should be restricted may also be closed and unneeded cables removed.
Further, once it has been determined that the MAC address, IP address and port number of the network message are all present in their respective white lists, the network message may be parsed further;
it is then judged whether a remote control preset instruction or a remote control execute instruction is present in the parsed network message, where the remote control preset instruction is used for functional testing of equipment in the intelligent substation monitoring system and the remote control execute instruction is used for executing control on that equipment;
if either the remote control preset instruction or the remote control execute instruction is present in the parsed network message, the network message is refused forwarding to production control zone I and alarm information is sent to the remote signalling loop of a public measurement and control device in the intelligent substation monitoring system, so that the public measurement and control device sends an illegal network intrusion alarm to the background monitoring system over the in-station network.
In this way a remote control message, whether a remote control preset message or a remote control execute message, is identified and blocked, so that remote intrusion by external equipment or networks is avoided, the intelligent substation monitoring system is protected against intrusion by illegal persons such as hackers, and its security is ensured.
For example, the remote control preset command is SBOW and the remote control execute command is oper. If the parsed network message reads PTRC1$ VEBT1$ SBOW, it is a remote control preset message; an external device may be performing a remote functional test on equipment in the production zone, so the message must be refused forwarding to production control zone I and an alarm operation executed. As another example, if the parsed network message reads PTRC1$CO VEBT1$ oper, it is a remote control execute message; an external device may be remotely controlling equipment in the production zone, so the message must be refused forwarding to production control zone I and the corresponding alarm operation executed.
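Added example, not code from the patent: a simplified Python model of the firewall's decision for one zone II to zone I message, combining the white list check of Steps 101 to 104, the ICMP-only rule for non-service requests, and the parse for the SBOw / Oper control services named above. The message fields, the documentation addresses and the `non_service` flag are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Message:
    """Hypothetical captured message: only the fields the zone II -> zone I check uses."""
    src_mac: str
    src_ip: str
    dst_port: int
    protocol: str                # "TCP", "UDP" or "ICMP"
    object_ref: str = ""         # decoded control object reference, if the message carries one
    non_service: bool = False    # non-service request aimed at the longitudinal authentication device


@dataclass
class Whitelist:
    macs: FrozenSet[str]
    ips: FrozenSet[str]
    ports: FrozenSet[int]


@dataclass
class Decision:
    forward: bool
    reason: str
    alarm: Optional[str] = None  # alarm raised with a refusal; None when the message is forwarded


# Service names the patent treats as remote control: the preset (select-before-operate)
# and execute services. Matched case-insensitively because the page writes them both ways.
REMOTE_CONTROL_SERVICES = {"sbow", "oper"}


def normalise_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def remote_control_service(object_ref: str) -> Optional[str]:
    """Return the remote-control service named in an object reference, or None.

    Splitting on '$' and whitespace lets both the page's 'PTRC1$CO VEBT1$ oper' spelling
    and the usual 'PTRC1$CO$VEBT1$Oper' spelling match.
    """
    for token in re.split(r"[$\s]+", object_ref):
        if token.lower() in REMOTE_CONTROL_SERVICES:
            return token
    return None


def inspect(msg: Message, wl: Whitelist) -> Decision:
    # Steps 103 and 104: MAC, IP and port are checked in that order; the first miss
    # refuses the message and raises the "abnormal request" alarm.
    if normalise_mac(msg.src_mac) not in wl.macs:
        return Decision(False, "MAC address not in white list", "abnormal request")
    if msg.src_ip not in wl.ips:
        return Decision(False, "IP address not in white list", "abnormal request")
    if msg.dst_port not in wl.ports:
        return Decision(False, "port number not in white list", "abnormal request")
    # Non-service requests to the authentication device may only use ICMP.
    if msg.non_service and msg.protocol.upper() != "ICMP":
        return Decision(False, "non-service request over " + msg.protocol, "abnormal request")
    # White-listed traffic is parsed; a preset or execute service is still refused, and the
    # alarm is the one relayed as "illegal network intrusion" via the measurement and control device.
    service = remote_control_service(msg.object_ref)
    if service is not None:
        return Decision(False, "remote control service " + service + " in message",
                        "illegal network intrusion")
    return Decision(True, "forwarded to zone I")


# Constructed white list and sample traffic; addresses are documentation values, not real ones.
WHITELIST = Whitelist(
    macs=frozenset({"00:11:22:33:44:55", "00:11:22:33:44:66"}),
    ips=frozenset({"192.0.2.10", "192.0.2.11"}),
    ports=frozenset({102}),     # ISO transport port used by MMS
)

SAMPLES = {
    "status report":    Message("00-11-22-33-44-55", "192.0.2.10", 102, "TCP", "PTRC1$ST$Str"),
    "unknown mac":      Message("00:11:22:33:44:77", "192.0.2.10", 102, "TCP", "PTRC1$ST$Str"),
    "wrong port":       Message("00:11:22:33:44:55", "192.0.2.10", 80, "TCP"),
    "preset":           Message("00:11:22:33:44:55", "192.0.2.10", 102, "TCP", "PTRC1$CO$VEBT1$SBOw"),
    "execute":          Message("00:11:22:33:44:66", "192.0.2.11", 102, "TCP", "PTRC1$CO VEBT1$ oper"),
    "non-service ping": Message("00:11:22:33:44:55", "192.0.2.10", 102, "ICMP", non_service=True),
    "non-service tcp":  Message("00:11:22:33:44:55", "192.0.2.10", 102, "TCP", non_service=True),
}


def run_samples() -> dict:
    """Inspect every sample and return {name: Decision}."""
    return {name: inspect(msg, WHITELIST) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        tail = " [alarm: " + d.alarm + "]" if d.alarm else ""
        print(f"{name:17} forward={str(d.forward):5} {d.reason}{tail}")
```

The order of the non-service check relative to the white list check is not fixed by the page; here it runs after the white lists.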
For the equipment in production control zones I and II, the firewall should regularly back up each configuration file offline, so as to avoid data loss in emergencies such as illegal access, power failure or network disconnection. Each device in zones I and II should also be configured with an NTP network so that every device synchronises its clock once within a preset time period; this keeps the devices' clocks consistent and avoids misoperation caused by clock errors when responding to an operating instruction.
Further, the isolation control method may verify the user name and password of the login account to ensure that the logged-in user is legitimate. The login verification may comprise:
hashing in advance, with a hash algorithm, a target user name and target password that can log in to an account successfully, and storing the resulting first hash value;
acquiring the current user name and current password entered by the current user;
hashing the current user name and current password to obtain a second hash value, using the same hash algorithm as for the first hash value;
comparing the first hash value with the second hash value, and if they are not identical, determining that the current login is illegal and rejecting the current login request.
When the target password is set, it should be at least 8 characters long, be a mixture of at least two of upper-case letters, lower-case letters, digits, special characters and so on, and must not be identical to the target user name. The target password should also be changed regularly and must not be stored in plaintext; configuring passwords in this way greatly raises the security level of the account.
Further, the hash algorithm described above may be any one of MD5, SHA1, SHA256, SHA512 and the like.
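Added example, not code from the patent: the login verification and password policy above in Python, with the first and second hash values computed over the user name and password by one of the listed algorithms and compared in constant time. The page's scheme is a single unsalted digest; a deployment would normally use a salted, deliberately slow password hash instead, which is not shown here so the code stays with the page's method. The NUL separator between user name and password and the record layout are assumptions.

```python
import hashlib
import hmac
import string

SUPPORTED_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")   # the algorithms the page lists


def password_meets_policy(username: str, password: str) -> bool:
    """Page's rules: at least 8 characters, at least two character classes, not equal to the user name."""
    if len(password) < 8 or password == username:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 2


def credential_hash(username: str, password: str, algorithm: str = "sha256") -> str:
    """One digest over user name and password (the NUL separator is an assumption, not from the page)."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported hash algorithm: " + algorithm)
    data = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest()


def enrol(username: str, password: str, algorithm: str = "sha256") -> dict:
    """Store only the first hash value and the algorithm name; the plaintext is never kept."""
    if not password_meets_policy(username, password):
        raise ValueError("password does not meet policy")
    return {"username": username, "algorithm": algorithm,
            "hash": credential_hash(username, password, algorithm)}


def verify_login(record: dict, username: str, password: str) -> bool:
    """Recompute the second hash value with the stored algorithm and compare it in constant time."""
    if username != record["username"]:
        return False
    second = credential_hash(username, password, record["algorithm"])
    return hmac.compare_digest(record["hash"], second)


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    rec = enrol("operator", "Sub5tat1on!")
    print("stored record:", rec)
    print("correct password accepted:", verify_login(rec, "operator", "Sub5tat1on!"))
    print("wrong password rejected:", not verify_login(rec, "operator", "Sub5tat1on?"))
```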
In one embodiment, when configuring the firewall, the types of privileged user able to log in to the intelligent substation monitoring system may be configured as: a system management privileged user, a network security privileged user and a security audit privileged user. Each type of privileged user holds the authority relevant to the function it is to perform; for example, the system management privileged user usually holds most authorities, but is configured without the authority to operate on the audit records, so that it cannot modify them and cannot escape its responsibility by altering the audit results.
The scheme thus allocates accounts by user role and separates the authorities of the privileged users for system management, network management, security audit and so on. Account sharing between different users is avoided, and the same account is not used both for personnel and for equipment communication, which greatly improves the security of the intelligent substation monitoring system.
In one embodiment, the firewall may further be configured to monitor the operations performed in the current account and to log the account out when no operation has been performed within a preset time period, so as to avoid the risk that a user forgets to log out after use and the account is then misused by someone else. For example, the user may be logged out automatically when no action is detected for more than 3 minutes after login.
To prevent malicious logins, when the firewall implements isolation control between production control zones I and II the isolation control method may further comprise performing the following operations after a login failure on the equipment is detected:
rejecting all communication based on insecure transmission protocols, where the insecure transmission protocols include the file transfer protocol FTP and the Telnet protocol;
restricting the login address of the system management privileged user to a preset secure login address;
rejecting all requests for remote management of the equipment in production control zone I.
To further improve the security of the intelligent substation monitoring system, only the ICMP protocol is opened for non-service requests to the longitudinal authentication device. Specifically, after capturing the network message flowing from production control zone II to production control zone I, the method further comprises:
judging whether the current network message is a non-service request to the longitudinal authentication device;
if it is a non-service request, judging whether the transmission protocol of the current network message is the ICMP protocol;
if it is not ICMP, refusing to forward the current network message to the corresponding equipment in production control zone I.
In addition, to secure the intelligent substation monitoring system, unnecessary public network services and functions such as TCP SMALL SERVERS, UDP SMALL SERVERS, finger, HTTP SERVER, BOOTP SERVER and DNS query can be disabled. Following the principle of minimisation, the device policy can be refined down to the port level, the debugging policy closed, and a dedicated log host configured for each device.
When the firewall is configured for information collection, it mainly collects user login success information, user logout information, user login failure information, policy modification information, CPU utilisation information, memory utilisation information, power failure information, fan failure information, temperature anomaly information, network port state recovery information, access information that does not conform to the security policy, and attack warning information. CPU utilisation and memory utilisation information are collected periodically; the other information is collected on trigger.
In one embodiment, to reduce the firewall's workload and improve its processing efficiency, abnormal devices can be stopped from sending frequently, which may be implemented as follows:
counting, per unit time, the devices in production control zone II whose network messages were refused forwarding to production control zone I;
if, within the unit time, the number of times network messages sent by a first device in zone II have been refused forwarding to zone I exceeds a preset first threshold, performing the following operations:
sending a right acquisition signal to the switch located in production control zone II;
receiving a permission grant instruction sent by the switch in zone II, the permission grant instruction comprising the port numbers by which each device in zone II is connected to the switch;
determining from the permission grant instruction the target port corresponding to the first device, and controlling the switch in zone II to close the target port.
In this embodiment, statistics may also be kept, as each network message is processed, on which devices in zone II sent it and which devices sent messages that were refused forwarding to zone I. When a device sends network messages frequently in a short time and each one is refused forwarding to zone I, the device is at risk of malicious login or intrusion. For example, with a first threshold of 3 times, if in 30 minutes network messages sent by device A in zone II are refused forwarding to zone I 5 times, the firewall acquires the authority of the zone II switch and closes the port corresponding to device A, so that the device cannot send network messages again. This improves the security of the intelligent substation monitoring system and reduces the data the firewall has to process, leaving it more memory for other data and greatly improving its processing efficiency.
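Added example, not code from the patent: the per-device refusal counter with a sliding unit-time window, the right acquisition / permission grant exchange with the zone II switch, and the port closure, replayed on the page's own figures (threshold 3, 30 minutes, device A refused 5 times). The switch interface, the device-to-port map and the timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple


class RejectionTracker:
    """Per zone II device, count the messages refused forwarding to zone I inside a sliding window."""

    def __init__(self, threshold: int = 3, window_seconds: int = 30 * 60):
        self.threshold = threshold
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def record_rejection(self, device: str, now: float) -> int:
        """Record one refusal at time `now` (seconds) and return the count still inside the window."""
        q = self._events[device]
        q.append(now)
        while q and now - q[0] > self.window:    # drop refusals older than the unit time
            q.popleft()
        return len(q)

    def exceeds_threshold(self, device: str) -> bool:
        # The page acts when the count is greater than the threshold, not equal to it.
        return len(self._events[device]) > self.threshold


class ZoneTwoSwitch:
    """Stand-in for the zone II switch (hypothetical interface, not a real switch API)."""

    def __init__(self, port_map: Dict[str, int]):
        self._port_map = dict(port_map)       # device -> switch port it is cabled to
        self.closed_ports: Set[int] = set()

    def grant_permission(self) -> Dict[str, int]:
        """Answer the firewall's right acquisition signal with the permission grant instruction."""
        return dict(self._port_map)

    def close_port(self, port: int) -> None:
        self.closed_ports.add(port)


def on_rejected_message(tracker: RejectionTracker, switch: ZoneTwoSwitch,
                        device: str, now: float) -> Optional[int]:
    """Called by the firewall each time it refuses a message from `device`.

    Returns the switch port that was closed, or None if no action was taken.
    """
    tracker.record_rejection(device, now)
    if not tracker.exceeds_threshold(device):
        return None
    grant = switch.grant_permission()         # right acquisition signal -> permission grant
    port = grant.get(device)
    if port is None or port in switch.closed_ports:
        return None                           # unknown device, or port already closed
    switch.close_port(port)
    return port


def replay(events: List[Tuple[str, float]], threshold: int = 3,
           window_seconds: int = 30 * 60) -> Tuple[Dict[str, int], ZoneTwoSwitch]:
    """Replay (device, timestamp) refusals; return the port closed per device and the switch state."""
    tracker = RejectionTracker(threshold, window_seconds)
    switch = ZoneTwoSwitch({"device A": 7, "device B": 8})   # constructed device-to-port map
    closed: Dict[str, int] = {}
    for device, t in events:
        port = on_rejected_message(tracker, switch, device, t)
        if port is not None:
            closed[device] = port
    return closed, switch


# Constructed scenario matching the page's numbers: device A refused 5 times within 30 minutes
# (one refusal every 5 minutes); device B refused twice, 40 minutes apart, so never over threshold.
SAMPLE_EVENTS: List[Tuple[str, float]] = (
    [("device A", 300.0 * i) for i in range(5)] + [("device B", 0.0), ("device B", 2400.0)]
)

if __name__ == "__main__":
    closed, switch = replay(SAMPLE_EVENTS)
    print("ports closed:", closed, "| switch closed set:", sorted(switch.closed_ports))
```

Device A's port is closed on the fourth refusal, the first count greater than the threshold; the fifth refusal finds the port already closed and takes no further action.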
As shown in fig. 2, the embodiment of the present invention further provides a firewall deployed between the production control area I and the production control area II in the intelligent substation monitoring system; the firewall includes a configuration module 201, a message grabbing module 202, a comparison and judgment module 203 and an execution module 204;
The configuration module 201 is configured to configure white lists of MAC addresses, IP addresses and port numbers respectively in advance;
The message grabbing module 202 is configured to capture network messages flowing from the production control area II to the production control area I;
The comparison and judgment module 203 is configured to sequentially judge whether the MAC address, the IP address and the port number of the network message captured by the message grabbing module 202 are respectively located in the corresponding white lists configured by the configuration module 201;
The execution module 204 is configured to refuse to forward the network message to the production control area I and to execute an alarm operation representing that an abnormal request has occurred when the comparison and judgment module 203 judges that the MAC address, the IP address and the port number of the network message do not all exist in their corresponding white lists.
In one embodiment, the firewall further includes a remote message verification module configured to:
after determining that the MAC address, the IP address and the port number of the network message are all in the corresponding white list, further judging whether the network message is a remote control message or not;
If the network message is a remote control message, the network message is refused to be forwarded to the production control area I, and alarm operation is executed.
In one embodiment, the firewall further comprises a login authentication module configured to: based on a hash algorithm, perform a hash operation in advance on a target user name and a target password that can successfully log in to the account, and store the resulting first hash value;
Acquiring a current user name and a current password input by a current user;
carrying out hash operation on the current user name and the current password to obtain a second hash value; wherein the hash algorithm based on the second hash value is the same as the hash algorithm based on the first hash value;
comparing the first hash value with the second hash value; if the first hash value is not identical to the second hash value, determining that the current login is illegal, and rejecting the current login request.
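The login authentication module as an added example, not code from the patent. It hashes the user name and password together with one of the algorithms the text names (sha256 by default), stores the first hash at enrolment, recomputes the second hash at login and compares the two in constant time; it also checks the password requirements from claim 3 (length, character classes, not equal to the user name) before enrolling. The NUL separator between user name and password is an assumption that prevents two different name/password pairs from hashing to the same bytes. As a caveat for practitioners: the scheme as described is an unsalted single hash, and MD5 and SHA1 are among the listed options; current practice for stored credentials is a salted, deliberately slow password hash, which this example does not change so that it stays faithful to the text.

```python
import hashlib
import hmac
import string

# The separator between user name and password is an assumption (the text only
# says both are hashed together); without it "ab"+"c" and "a"+"bc" would collide.
SEPARATOR = b"\x00"

# Character classes from claim 3: upper case, lower case, digits, special characters.
CHARACTER_CLASSES = (
    set(string.ascii_uppercase),
    set(string.ascii_lowercase),
    set(string.digits),
    set(string.punctuation),
)


def credential_hash(username, password, algorithm="sha256"):
    """Hash of the user name and password; `algorithm` is any hashlib name,
    e.g. the text's sha256 or sha512."""
    h = hashlib.new(algorithm)
    h.update(username.encode("utf-8"))
    h.update(SEPARATOR)
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def password_policy_violations(username, password):
    """Return the list of claim-3 requirements the password fails (empty = ok)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes_used = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    if classes_used < 2:
        problems.append("fewer than two character classes")
    if password == username:
        problems.append("identical to user name")
    return problems


class LoginAuthenticator:
    """Stores the first hash at enrolment and compares it with the second hash
    computed from the credentials presented at login."""

    def __init__(self, algorithm="sha256"):
        self.algorithm = algorithm
        self._first_hash = None

    def enroll(self, target_username, target_password):
        problems = password_policy_violations(target_username, target_password)
        if problems:
            raise ValueError("password policy violated: " + "; ".join(problems))
        self._first_hash = credential_hash(target_username, target_password, self.algorithm)

    def login(self, current_username, current_password):
        """True when the login is accepted, False when it is rejected as illegal."""
        if self._first_hash is None:
            return False
        second_hash = credential_hash(current_username, current_password, self.algorithm)
        # Same algorithm on both sides; constant-time comparison so that a
        # mismatch is not revealed through timing.
        return hmac.compare_digest(self._first_hash, second_hash)
```

Because the user name is part of the hashed input, a correct password presented with a differently-cased user name is rejected, which matches the text's "first hash value not identical to second hash value" rule.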
In one embodiment, the firewall further includes an auto-exit module configured to monitor operations performed in the current account and to control the current account to exit when no operations have been performed for a preset length of time.
In one embodiment, the firewall further includes a login failure processing module configured to perform the following operations after detecting a device login failure:
rejecting all communications based on an insecure transmission protocol; wherein the insecure transmission protocols include the file transfer protocol FTP and the Telnet protocol;
Limiting the login address of the system management privilege user to a preset safe login address;
All requests for remote management of the equipment in zone I of the production control are denied.
In one embodiment, the firewall further comprises a non-service request processing module configured to:
judging whether the current network message is a non-service request for the longitudinal authentication equipment;
if the current network message is a non-service request, judging whether the transmission protocol of the current network message is the ICMP protocol;
if it is not the ICMP protocol, refusing to forward the current network message to the corresponding equipment in the production control area I.
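The message checks performed by the configuration, message grabbing, comparison and judgment and execution modules, the remote message verification module, and the non-service request processing module, combined into one decision routine as an added example (not the patent's own code). Packets, white-list values and alarm handling are constructed; the markers standing in for the remote control preset and execute instruction characters are placeholders, since the text gives no byte values for them. The decision order follows the text: non-service requests to the longitudinal authentication device must be ICMP, then the MAC address, IP address and port number are checked in sequence against their white lists, and only a message that passes all three is parsed for remote control instruction characters.

```python
from dataclasses import dataclass

# Marker bytes standing in for the remote-control preset and execute instruction
# characters. They are constructed placeholders, not real protocol codes: the
# text does not give the byte values, so a deployment would take them from the
# station's own protocol definition.
REMOTE_CONTROL_MARKERS = {
    b"RC_PRESET": "remote control preset",
    b"RC_EXEC": "remote control execute",
}


@dataclass
class Whitelist:
    macs: set
    ips: set
    ports: set


@dataclass
class Packet:
    """Captured zone II -> zone I message (constructed model, not a wire format)."""
    src_mac: str
    src_ip: str
    dst_port: int
    protocol: str                 # "tcp", "udp" or "icmp"
    payload: bytes = b""
    to_auth_device: bool = False  # destined for the longitudinal authentication device
    service_request: bool = True  # False marks a non-service request


class ZoneFirewall:
    def __init__(self, whitelist):
        self.whitelist = whitelist
        # Stand-in for the alarm signalled to the public measurement and control device.
        self.alarms = []

    def _alarm(self, packet, reason):
        self.alarms.append((packet.src_mac, reason))

    def decide(self, packet):
        """Return ("forward", reason) or ("refuse", reason) for one captured message."""
        # Non-service requests to the longitudinal authentication device may only be ICMP.
        if packet.to_auth_device and not packet.service_request and packet.protocol != "icmp":
            return "refuse", "non-service request that is not ICMP"
        # Sequential white-list check: MAC address, then IP address, then port number.
        checks = (
            ("MAC address", packet.src_mac, self.whitelist.macs),
            ("IP address", packet.src_ip, self.whitelist.ips),
            ("port number", packet.dst_port, self.whitelist.ports),
        )
        for name, value, allowed in checks:
            if value not in allowed:
                self._alarm(packet, f"{name} {value} not in white list")
                return "refuse", f"{name} not in white list"
        # All three present: parse the message for remote-control instruction characters.
        for marker, description in REMOTE_CONTROL_MARKERS.items():
            if marker in packet.payload:
                self._alarm(packet, f"{description} instruction from zone II")
                return "refuse", f"{description} instruction"
        return "forward", "all checks passed"


def run_sample():
    """Constructed traffic sample; returns the decisions and the alarms raised."""
    wl = Whitelist(macs={"aa:bb:cc:00:00:01"}, ips={"10.10.2.11"}, ports={2404})
    fw = ZoneFirewall(wl)
    packets = [
        Packet("aa:bb:cc:00:00:01", "10.10.2.11", 2404, "tcp", b"MEASUREMENT 12.3"),
        Packet("aa:bb:cc:00:00:99", "10.10.2.11", 2404, "tcp", b"MEASUREMENT 12.3"),
        Packet("aa:bb:cc:00:00:01", "10.10.2.11", 2404, "tcp", b"RC_EXEC breaker 7"),
        Packet("aa:bb:cc:00:00:01", "10.10.2.11", 2404, "udp", b"",
               to_auth_device=True, service_request=False),
    ]
    decisions = [fw.decide(p) for p in packets]
    return decisions, fw.alarms
```

In the sample, only the first packet is forwarded; the unknown MAC and the remote control execute instruction each raise an alarm, while the non-ICMP non-service request is refused without one, as the text describes. The refusal reasons are what the counting logic of the previous section would feed into its per-device statistics.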
In one embodiment, the firewall is further configured to:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.
It should be noted that, since the apparatus embodiments and the method embodiments are based on the same inventive concept, the description of the apparatus embodiments can be referred to the description of the method embodiments, and the description thereof will not be repeated here.
The modules or units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. The foregoing disclosure is illustrative of the preferred embodiments of the present invention, and is not to be construed as limiting the scope of the invention, as it is understood by those skilled in the art that all or part of the above-described embodiments may be practiced with equivalents thereof, which fall within the scope of the invention as defined by the appended claims.

Claims (9)

1. The isolation control method for the production control area I and the production control area II of the transformer substation is characterized in that the production control area I and the production control area II are two production control areas in an intelligent transformer substation monitoring system; wherein the production control zone I can control the production control zone II, and the production control zone II cannot control the production control zone I; a firewall is arranged between the production control area I and the production control area II in the intelligent substation monitoring system, and the firewall is respectively connected to the switches of the production control area I and the production control area II through network cables;
the isolation control method is applied to the firewall and comprises the following steps:
respectively configuring a white list of an MAC address, an IP address and a port number in advance;
Capturing a network message flowing from the production control area II to the production control area I;
sequentially judging whether the MAC address, the IP address and the port number of the network message are respectively positioned in the corresponding white lists;
If the MAC address, the IP address and the port number of the network message do not all exist in the corresponding white list, refusing to forward the network message to the production control area I, and executing an alarm operation representing an abnormal request;
after determining that the MAC address, the IP address, and the port number of the network packet all exist in the corresponding whitelist, the method further includes:
analyzing the network message;
judging whether a remote control preset instruction character or a remote control execution instruction character exists in the analyzed network message; the remote control preset instruction character is used for performing a functional test on equipment in the intelligent substation monitoring system, and the remote control execution instruction character is used for performing control execution on the equipment in the intelligent substation monitoring system;
If either the remote control preset instruction character or the remote control execution instruction character exists in the analyzed network message, refusing to forward the network message to the production control area I, and sending alarm information to a remote signaling loop of a public measurement and control device in the intelligent substation monitoring system, so that the public measurement and control device sends an alarm of illegal network intrusion to a background monitoring system through the in-station network.
2. The isolation control method for the production control zone I and zone II of the transformer substation according to claim 1, further comprising:
based on a hash algorithm, carrying out hash operation on a target user name and a target password which can successfully log in an account in advance, and storing after obtaining a first hash value;
Acquiring a current user name and a current password input by a current user;
performing hash operation on the current user name and the current password to obtain a second hash value; wherein the hash algorithm based on the second hash value is the same as the hash algorithm based on the first hash value;
Comparing the first hash value with the second hash value; if the first hash value is not identical to the second hash value, determining that the current login is illegal, and rejecting the current login request.
3. The isolation control method for the production control zone I and zone II of the transformer substation according to claim 2, wherein the target password satisfies the following requirements:
A length of not less than 8 characters;
Is formed by mixing at least two of capital letters, lowercase letters, numbers and special characters;
The target password is not identical to the target user name;
and/or,
The hashing algorithm includes any one of MD5, SHA1, SHA256, and SHA 512.
4. The isolation control method for the production control zone I and zone II of the transformer substation according to claim 2, further comprising, after successful login to the current account:
and monitoring the operation executed in the current account, and controlling the current account to exit when no operation is executed within a preset time length.
5. The isolation control method for the production control zone I and zone II of the transformer substation according to claim 1, wherein the types of privileged users capable of logging into the intelligent substation monitoring system include: a system management privileged user, a network security privileged user and a security audit privileged user; each type of privileged user has the authority relevant to that type of privileged user in order to realize the corresponding function, but the system management privileged user does not have the right to operate on the audit records.
6. The isolation control method for the production control zone I and zone II of the transformer substation according to claim 5, further comprising:
after the login failure of the equipment is monitored, the following operations are executed:
rejecting all communications based on an insecure transmission protocol; wherein the insecure transmission protocols include the file transfer protocol FTP and the Telnet protocol;
Limiting the login address of the system management privilege user to a preset safe login address;
And rejecting all requests for remote management of the equipment in the production control area I.
7. The isolation control method for the production control zone I and zone II of the transformer substation according to claim 1, further comprising, after capturing the network message flowing from the production control zone II to the production control zone I:
judging whether the current network message is a non-service request for the longitudinal authentication equipment;
if the current network message is the non-service request, judging whether the transmission protocol of the current network message is ICMP protocol or not;
And if the current network message is not the ICMP protocol, refusing to forward the current network message to the corresponding equipment in the production control I area.
8. The isolation control method for the production control zone I and zone II of the transformer substation according to any one of claims 1 to 7, wherein the isolation control method further comprises:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.
9. A firewall, characterized in that the firewall is deployed between a production control area I and a production control area II in an intelligent substation monitoring system; the firewall includes: the system comprises a configuration module, a message grabbing module, a comparison judging module and an executing module;
The configuration module is configured to configure a white list of the MAC address, the IP address and the port number in advance respectively;
the message grabbing module is configured to grab network messages flowing from the production control area II to the production control area I;
The comparison judging module is configured to sequentially judge whether the MAC address, the IP address and the port number of the network message grabbed by the message grabbing module are respectively located in the corresponding white lists configured by the configuration module;
The execution module is configured to refuse to forward the network message to the production control area I and execute alarm operation representing abnormal request occurrence when the comparison judging module judges that the MAC address, the IP address and the port number of the network message do not all exist in the corresponding white list;
The firewall is further configured to perform the following:
counting the equipment in the production control II area corresponding to the network message refused to be forwarded to the production control I area in unit time;
if the number of times that the network message sent by the first device in the production control area II is refused to be forwarded to the production control area I is greater than a preset first threshold value in unit time, executing the following operations:
sending a right acquisition signal to a switch located in the production control area II;
Receiving a permission grant instruction sent by a switch positioned in a production control II area; the permission grant instruction comprises port numbers for connecting each device in the production control II area with the switch;
And determining a target port corresponding to the first equipment by using the permission grant instruction, and controlling a switch positioned in a production control II area to close the target port.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311200450.0A CN117240550B (en) 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311200450.0A CN117240550B (en) 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation

Publications (2)

Publication Number Publication Date
CN117240550A CN117240550A (en) 2023-12-15
CN117240550B true CN117240550B (en) 2024-06-04

Family

ID=89082144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311200450.0A Active CN117240550B (en) 2023-09-18 2023-09-18 Isolation control method and firewall for production control zone I and zone II of transformer substation

Country Status (1)

Country Link
CN (1) CN117240550B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111083154A (en) * 2019-12-24 2020-04-28 北京网太科技发展有限公司 Safety protection method, device and storage medium
CN111309978A (en) * 2020-02-24 2020-06-19 广西电网有限责任公司防城港供电局 Transformer substation system safety protection method and device, computer equipment and storage medium
CN112839031A (en) * 2020-12-24 2021-05-25 江苏天创科技有限公司 Industrial control network security protection system and method
CN116346655A (en) * 2022-12-20 2023-06-27 中国电力科学研究院有限公司 Network abnormal movable mould test system and method for new generation transformer substation and centralized control station

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8756411B2 (en) * 2010-12-06 2014-06-17 Siemens Aktiengesellschaft Application layer security proxy for automation and control system networks

Also Published As

Publication number Publication date
CN117240550A (en) 2023-12-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant