CN106982235B - IEC 61850-based electric power industry control network intrusion detection method and system - Google Patents
IEC 61850-based electric power industry control network intrusion detection method and system Download PDFInfo
- Publication number
- CN106982235B CN106982235B CN201710425727.8A CN201710425727A CN106982235B CN 106982235 B CN106982235 B CN 106982235B CN 201710425727 A CN201710425727 A CN 201710425727A CN 106982235 B CN106982235 B CN 106982235B
- Authority
- CN
- China
- Prior art keywords
- goose
- model
- field
- detection
- smv
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 150
- 238000000034 method Methods 0.000 claims abstract description 69
- 230000008569 process Effects 0.000 claims abstract description 52
- 230000002159 abnormal effect Effects 0.000 claims abstract description 31
- 238000012360 testing method Methods 0.000 claims abstract description 10
- 206010000117 Abnormal behaviour Diseases 0.000 claims abstract description 9
- 238000012544 monitoring process Methods 0.000 claims abstract description 8
- 230000000694 effects Effects 0.000 claims abstract description 7
- 208000015181 infectious disease Diseases 0.000 claims abstract description 7
- 241000272814 Anser sp. Species 0.000 claims description 102
- 230000006399 behavior Effects 0.000 claims description 35
- 238000004891 communication Methods 0.000 claims description 27
- 230000005540 biological transmission Effects 0.000 claims description 19
- 230000011664 signaling Effects 0.000 claims description 15
- 230000009471 action Effects 0.000 claims description 14
- 238000005259 measurement Methods 0.000 claims description 10
- 230000036962 time dependent Effects 0.000 claims description 6
- 238000004458 analytical method Methods 0.000 claims description 5
- 238000013461 design Methods 0.000 claims description 4
- 238000005070 sampling Methods 0.000 claims description 4
- 238000012546 transfer Methods 0.000 claims description 4
- 230000008859 change Effects 0.000 claims description 2
- 230000001960 triggered effect Effects 0.000 claims description 2
- 239000008186 active pharmaceutical agent Substances 0.000 claims 2
- 230000005856 abnormality Effects 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 8
- 238000004590 computer program Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 238000012545 processing Methods 0.000 description 4
- 238000004519 manufacturing process Methods 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 230000002547 anomalous effect Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 238000003889 chemical engineering Methods 0.000 description 1
- ZPUCINDJVBIVPJ-LJISPDSOSA-N cocaine Chemical compound O([C@H]1C[C@@H]2CC[C@@H](N2C)[C@H]1C(=O)OC)C(=O)C1=CC=CC=C1 ZPUCINDJVBIVPJ-LJISPDSOSA-N 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000000149 penetrating effect Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 239000003208 petroleum Substances 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an IEC 61850-based power industry control network intrusion detection method and system, which comprises access control detection, protocol white list detection, model-based detection and multi-parameter-based detection. Among other things, access control detection may prevent malware activity and attacks attempting to communicate with the control server, especially during the initial infection phase; detecting abnormal protocol flow in a substation control layer and a process layer network of the transformer substation and giving an alarm by protocol white list detection; the abnormal behavior detection method based on the model has the potential of discovering malicious attacks or unintentional abnormalities in a station control layer and a process layer network; multi-parameter based detection identifies possible threats to industrial control systems due to internal inadvertent misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation. The invention is verified on a network physical test platform simulating an actual 500kV intelligent substation, and the instantaneity and the usability of the intrusion detection method are verified.
Description
Technical Field
The invention belongs to the technical field of industrial control system network information safety, and particularly relates to an IEC 61850-based electric power industrial control network intrusion detection method and system.
Background
The industrial control system is a computer-based production process control and scheduling automation system, can monitor and control on-site operating equipment, and plays an important role in industrial control systems of key infrastructures such as power, petroleum, chemical engineering and the like. As the complexity and interconnectivity of industrial control systems continues to increase, the likelihood of malicious cyber attacks also increases substantially. Industrial control networks that follow conventional communication protocols often fail to address network security threats at the beginning of design. The evolving industrial control system may be viewed as a key target of attack by a malicious attacker or an insider employee who is not satisfied with mind, and illegal access and control are achieved by using system vulnerabilities without authorization. Such intrusion may be a simple or advanced persistent attack and may compromise the safe and stable operation of the industrial control system. The industrial industry and the academic community at home and abroad attach more importance to and pay more attention to the network safety problem of the electric power industrial control system, and the network information safety problem of the electric power industrial control system becomes an engineering practical problem related to the safe, reliable and stable operation of the electric power system.
With the emergence of new information security threats, existing methods for general IT security cannot be completely compatible with an operation scene of an electric power engineering system based on the IEC61850 standard. For example, conventional IT security devices such as firewalls, Intrusion Detection Systems (IDS) are generally application-layer data that cannot account for such communications. While the IEC 62351 standard defines a framework for network security provisions based on the IEC61850 protocol, manufacturers generally do not implement proper protection for their Intelligent Electronic Devices (IEDs). Under the condition that the response speed of manufacturers is slow, how a power grid company deals with security vulnerabilities so that the security vulnerabilities can be detected and relieved, becomes a problem to be solved urgently. However, the current intrusion detection methods have not been able to solve such problems.
The currently released intrusion detection methods for power engineering systems are mainly directed to DNP3, EtherNet/IP and Modbus TCP protocols, and these Snort detection rules can identify unauthorized requests, incorrectly formatted protocol requests and responses, less used and dangerous commands, and other possible attack situations. But the research of the IEC 61850-based electric power industrial control network intrusion detection system is still in the early stage. The IEC61850 transmission protocol has been widely used in electric power engineering systems (e.g. intelligent substations). Data in the industrial control network of the intelligent substation are transmitted in a plaintext mode, so that the risk of eavesdropping, sniffing or tampering exists in information transmission. For example, an attacker may launch a man-in-the-middle attack (MITM) to sniff and collect telemetry values, remote control commands, or other remote signals. In each case, they can be tampered with and re-injected into the communication system, compromising the stability of the power engineering system or reducing the security of the system, and possibly also launching further attacks in the future. Due to the lack of a control instruction authentication mechanism in the conventional power industry system, a malicious attacker may have unauthorized access to the industrial control system, destroy the integrity and availability of information, launch fraud attacks, replay attacks and man-in-the-middle attacks, possibly cause catastrophic damage and endanger the safe operation of the system. The existing IEC 61850-based intrusion detection system has the following defects: (1) the "zero-day attack" (unknown threat or undiscovered vulnerability) cannot be effectively prevented; (2) due to the influence of Message Manufacturing Standard (MMS) and substation event (GOOSE) messages facing to a general object, most statistical analysis and detection methods generate false negatives and real attacks are missed; (3) the detection precision needs to be improved and the method cannot adapt to an actual transformer substation.
Disclosure of Invention
The purpose of the invention is as follows: in order to solve the problems in the prior art, the invention provides an IEC 61850-based electric power industry control network intrusion detection method and system.
The technical scheme is as follows: an IEC 61850-based electric power industry control network intrusion detection method comprises the following steps:
ACD access control detection: for preventing malware activity and attacks attempting to communicate with the control server during the initial infection phase; extracting a destination IP address, a source IP address, a destination MAC address or a source MAC address or a port from a captured message, comparing the destination IP address with a pre-established access control white list, and if the IP address, the MAC address or the port does not belong to the access control white list, determining the IP address, the MAC address or the port as a suspicious IP address, an MAC address or a port; if the access control white list belongs to the access control white list, the access control white list is regarded as a normal IP address, a normal MAC address or a normal port;
detecting a white list of a PWD protocol: the system is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; the method comprises the steps of setting various protocols supported by a station control layer network and a process layer network, wherein the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, only allowing communication services conforming to MMS, COTP, TPKT or SNTP protocols, otherwise, considering suspicious communication and generating alarm information; for the process layer network, only allowing GOOSE, SMV or IEEE 1588 traffic, otherwise, generating alarm information considering suspicious traffic;
model-based detection of MBD: the system is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the content of the SCD file and the IEC61850 message, comparing the detected message with a normal behavior model defined by using protocol analysis, and if the condition of violating any normal behavior model occurs, generating an alarm and recording a detection result;
MPD based on multi-parameter detection: the method comprises the steps of monitoring parameters of the intelligent substation to identify threats caused by internal accidental misuse or external malicious attacks; the method comprises the steps of detecting telemetering data and remote signaling data from a station control layer network and a process layer network, identifying abnormal data through homologous comparison, and regarding the abnormal data as abnormal data when the homologous data are inconsistent; in particular to remote signaling comparison detection and remote sensing comparison detection.
Further, in the ACD access control detection, the established access control white list includes a MAC address in a data link layer, an IP address in a network layer, and an access control white list of a transport layer port.
Further, in the ACD access control detection, for the IP address, MAC address, or port considered as suspicious, a preset action is also taken, which specifically includes: sending out an alarm in an IDS mode, stopping in an IPS mode, and recording a detection result; the following formula (1):
wherein, AC ═ MACsrc,MACdst,IPsrc,IPdst,Portsrc,Portdst,ACwlRepresenting an established access control white list; MACsrc,MACdst,IPsrc,IPdst,Portsrc,PortdstRespectively representing a source MAC address and a destination MAC address, a source IP address and a destination IP address, a source port and a destination port; each host or device having a unique identity<IP,MAC>Matching; if the intelligent electronic device is not replaced by a new device, but if two or more MAC addresses correspond to the same IP addressNamely, it is determined that a spoofing attack has occurred.
Further, the model-based detection of the MBD performed on the station level network specifically includes:
in a station control layer network, establishing a normal behavior model based on ACSI or SNTP mapped to MMS, and generating an alarm and recording a detection result if any normal behavior model is violated; the normal behavior model is established as follows:
a) report service model
In the SCD file, the maximum number of instantiatable report control blocks per intelligent electronic device has been configured; the proposed report service model defines the maximum number of instantiatable report control blocks per intelligent electronic device as detection rules; if the abnormal connection requests which possibly occupy all the instantiatable report control blocks of the intelligent electronic equipment are identified, the suspicious denial of service (DoS) attack is alarmed and the detection result is recorded;
b) association service model
The associated service model defines the maximum number of connectable IEC61850 clients; if an abnormal connection request to the client is detected, generating an alarm and recording a detection result;
c) setting up a service model
The provisioning service model definition only allows IEC61850 clients to modify the provisioning, and if the definition is violated, alarm information will be issued.
d) File transfer model
The client side uses the ACSI GetFileAttributeValues service to acquire the name and the attribute of a specific file in the file storage of the server, the file transmission model defines that the IEC61850 client side can only transmit a single file, and if the definition is violated, an alarm is generated and the detection result is recorded;
e) SNTP model
In a transformer substation network, SNTP is used for realizing time synchronization through LAN communication, SNTP flow adopts a user datagram protocol at a transmission layer, in the aspect of SNTP flow, the port number of the user datagram protocol connection to an IEC61850 server is <123>, and if the port number of the SNTP flow is not <123>, an alarm is triggered and the result is stored in a log file;
f) time dependent model
Important control commands have time-dependent constraints including time interval limits and frequency limits, and if the same legitimate command is sent too frequently, the rules of trans (2) (3) are violated, in each case some alarm and log actions will be initiated:
CV(n)-CV(n-1)<T→Actions(alert,log) (2)
CV in equation (2) is a control command, n is a positive integer (n >1), and T is a limit of a time interval;
in the formula (3), F represents a frequency limit.
Further, the model-based detection of the MBD performed on the process layer network specifically includes: in a process layer network, establishing the normal behavior model based on GOOSE and SMV protocol specifications, and if any normal behavior model is violated, generating an alarm and recording a detection result; GOOSE APDU has twelve fields as gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, numDateSetEntries and allData; according to IEC 61850-9-2, SMV datagram adopts ISO/IEC 8802-3 in data link layer; the SV APDU has five fields of svID, smpCnt, confRev, smpSynch and seqData, and the normal behavior model is defined as follows:
a) destination address model
Configuring a destination ISO/IEC 8802-3 multicast address for transmitting GOOSE/SMV in an SCD file < Communication > → < sub network > → < connected AP >; the destination address fields of GOOSE and SMV messages start with four octets 01-0C-CD-01 and 01-0C-CD-04, respectively. The destination addresses of GOOSE and SMV are as in formulas (4) and (5):
in formula (4), P is a message captured in the process layer network, and PGOOSERepresenting a GOOSE message, and DstAField representing the value of a destination address field in an ISO/IEC 8802-3 frame format;
p in formula (5)SMVRepresenting an SMV message;
b) TPID field model
The 2 octets of the tag protocol identifier field show the ethernet type allocated for the 802.1Q ethernet encoded frame; the value of the TPID field in the GOOSE/SMV message should be 0x8100, i.e.
Wherein TPIDField represents the value of the TPID field, and PGOOSE/SMVRepresenting GOOSE or SMV messages;
c) EtherType field model
The EtherType field 2 bytes of ISO/IEC 8802-3 are registered by the IEEE Authority, and the assigned EtherType values for GOOSE and SMV are 0x88B8 and 0x88BA, respectively, equation (7) (8):
wherein EthTField is the value of the EtherType field;
d) priority domain model
Defining the priority values of GOOSE and SMV messages, the default value of GOOSE/SMV is 4, and the priority values should be configured in the SCD file from 0 to 7, that is, equation (9):
PrioField in formula (9) is the value of the user priority field;
e) APPID field model
Each GOOSE/SMV control block has a unique APPID in the SCD file, the 2 octets of the APPID field of the GOOSE message are 4-bit hexadecimal [0000-3FFF ], and the field of the SMV message is [4000-7FFF ], as in equations (10) and (11):
f) length model
The length field 2 octets of the GOOSE/SMV message specifies the total number of bytes in the frame starting from APPID to APDU, which is equal to 8+ m, where m is the length of the APDU, m <1492, the length field model is as follows (12):
where Length field is the value of the Length field;
the length of the goID field in the GOOSE APDU is less than or equal to 65 bytes, i.e. equation (13),
wherein LenGoIDField is the length of the goID field;
g) TimeAllowedToLive field model
The timeAllowedToLive field in the GOOSE APDU shall be double MaxTime; "MaxTime" is configured in the SCD file as <5000>, < Communication > → < subnet > → < connecticut ap > → < GSE > → < MaxTime >; if no GOOSE data packet exists within 10000ms, sending a communication interruption alarm;
h) mark field model
In the GOOSE tag field model, tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, and numdatset fields of the GOOSE packet are 0x80,0x81,0x82,0x83,0x84,0x85, 0x86, 0x87, 0x88, 0x89, and 0x8 a. In the SMV label field model, label values of svID, smpCnt, confRev and smpSynch fields of an SMV message are respectively 0x80,0x82,0x83 and 0x 85;
i) SmpCnt field model
The smpCnt field model specifies the value of a counter, which is incremented each time a new sample of the analog value is sampled; when the sampling rate of the merging unit MU is 4000Hz, wherein 80 samples/cycle, the values of smpCnt are in the range of [0,3999], maintaining the correct order, i.e. equation (14),
wherein SmpCField is the value of the smpCnt field;
j) correlation model
According to the actual SCD configuration of the intelligent substation, the APPID field, equal to the last two octets of the destination address field, is defined as the relevant domain model, i.e. equation (15):
wherein DstAField (P)5,6The last two octets representing the destination address field;
the type of the gocbRef field in the GOOSE APDU is a string including the logical device LD name, the logical node LN name, the function constraint FC, and the control block CB name, i.e., LD/LN $ FC $ CB; the datSet field in the GOOSE APDU includes the LD name, the LN name, and the data set DS name, i.e., LD/LN $ DS; the default value of the goID field in the GOOSE APDU is similar to the default value of the gocb reference field, i.e. LD/LN $ CB; the LD/LN value in the gcbRef field matches the LD/LN value in the dataSet field; the control block name in the gocbRef field matches the control block name in the goID field; gocbRef: PM5001APIGO/LLN0$ GO $ gocb1, dataSet: PM5001APIGO/LLN0$ dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1, the corresponding associated dictionary model is as follows (16):
wherein GocbField, DatSField, and GoIDfield represent the gocbRef, dataSet, and goID fields, respectively;
the change of the state quantity StNum and the sequence number SqNum in the GOOSE APDU strictly obeys the associated behavior pattern; when the value of datSet in the transmitted GOOSE message changes, the value of StNum will increase, which will result in the value of SqNum being set to zero; when the value of StNum is not changed, the value of SqNum will increment for each GOOSE transmission, but it will roll over to 0 at its maximum value SqNummax 4294967295:
StNum (GP) in the formula (17)i) And SqNum (GP)i) Respectively representing StNum and SqNum values of the ith GOOSE message;
k) flow-based model
According to the service captured from the actual substation scene, the service-based model defines the upper limit and the lower limit threshold of the per-second message transmission rate PPS, the per-second transmission byte size BPS, the message length LoP and the message size SoP as the normal flow behavior, as shown in formula (18):
wherein PPSminAnd PPSmaxRepresenting PPSLower and upper threshold values.
Further, the remote signaling comparison detection specifically comprises: in the IEC61850 intelligent substation, intelligent electronic equipment in a process layer network sends remote signaling data to intelligent electronic equipment in a bay layer by adopting a GOOSE message, and receives a tripping/closing instruction from a protection or measurement and control device; the remote signaling comparison detection identifies abnormal events by comparing GOOSE messages with associated MMS messages; and if the input signal of the GOOSE message for protecting the intelligent electronic equipment in the process layer network is inconsistent with the MMS message of the associated signal report from the station control layer network, abnormal alarm is generated.
Further, the telemetry comparison detection specifically comprises: in an IEC61850 intelligent substation, a merging unit MU has a sampling value model and sends SV information to a protection measurement and control device, and the telemetering comparison detection comprises two rules:
a) range detection rules
The sampled values have an upper boundary value and a lower boundary value, and if the measured values are outside the expected range, an alarm is issued, equation (19):
where smv (I), I — I, U, represents different sample values, current I and voltage U; [ SMV (i)min-e(i),SMV(i)max+e(i)]Representing the range between the upper and lower boundaries, e (i) is the measurement tolerance, which is configured according to the design and operating specifications of the substation under normal operating conditions, the bus voltage of the 500(330) kV substation being set at 90% and 110% nominal voltage at the lower boundary.
b) Consistency detection rules
The duplicated intelligent electronic devices in the bay level are configured into groups A and B, receive the same MU sample values from the associated current transformer CT/voltage transformer VT, detect inconsistencies between the configured merging unit SMV parameters and the MMS of the associated plurality of protection devices, telemetrically compare the parameters including voltage, current and differential current, and alarm an anomaly if a consistency detection rule is violated.
The invention also provides an IEC 61850-based electric power industry control network intrusion detection system, which comprises:
the ACD access control detection module: this module is used to prevent malware activity and attacks attempting to communicate with the control server during the initial infection phase; detecting through a pre-established MAC address in a data link layer, an IP address in a network layer and an access control white list of a port of a transmission layer, extracting a target IP address, a source IP address, a target MAC address or a port from a captured message, comparing the target MAC address with the established access control white list, and if the IP address, the MAC address or the port does not belong to the access control white list, considering the target MAC address or the port as a suspicious IP address, an MAC address or a port, and adopting a preset action by the module; if the access control white list belongs to the access control white list, the access control white list is regarded as a normal IP address, a normal MAC address or a normal port;
PWD agreement white list detection module: the module is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; various protocols supported by a station control layer network and a process layer network are set, a protocol white list is established for detection, and the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, the module only allows communication services conforming to MMS, COTP, TPKT or SNTP protocols, otherwise, the module considers suspicious communication and generates alarm information; for the process layer network, the module only allows GOOSE, SMV or IEEE 1588 traffic, otherwise, the module generates alarm information considering suspicious traffic;
MBD model-based detection module: the module is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the content of the SCD file and the IEC61850 message, comparing the detected message with a normal behavior model defined by using protocol analysis, and if the condition of violating any normal behavior model occurs, generating an alarm and recording a detection result;
MPD multi-parameter based detection module: the module is used for identifying threats caused by internal accidental misuse or external malicious attacks by monitoring parameters of the intelligent substation; the method comprises the steps of detecting telemetering data and remote signaling data from a station control layer network and a process layer network, identifying abnormal data through homologous comparison, and regarding the abnormal data as abnormal data when the homologous data are inconsistent; the remote sensing device specifically comprises a remote signaling comparison detection module and a remote sensing comparison detection module.
Further, the ACD access control detection module is to take a preset action specifically as follows: sending out an alarm in an IDS mode, stopping in an IPS mode, and recording a detection result; the following formula (1):
wherein, AC ═ MACsrc,MACdst,IPsrc,IPdst,Portsrc,Portdst,ACwlRepresenting an established access control white list; MACsrc,MACdst,IPsrc,IPdst,Portsrc,PortdstRespectively representing a source MAC address and a destination MAC address, a source IP address and a destination IP address, a source port and a destination port; each host or device having a unique identity<IP,MAC>Matching; if the intelligent electronic device is not replaced by a new device, but if two or more MAC addresses correspond to the same IP address, the module judges that a spoofing attack occurs.
Has the advantages that: the invention improves the network security of the industrial control system based on the IEC61850 protocol, provides the industrial control network intrusion detection method and system based on the IEC61850, integrates the power service knowledge, the protocol specification and the logic behavior, and is a comprehensive and effective solution capable of relieving various network attacks. The invention includes access control detection, protocol white list detection, model-based detection, and multi-parameter based detection. Among other things, access control detection may prevent malware activity and attacks attempting to communicate with the control server, especially during the initial infection phase; detecting abnormal protocol flow in a substation control layer and a process layer network of the transformer substation and giving an alarm by protocol white list detection; the abnormal behavior detection method based on the model has the potential of discovering malicious attacks or unintentional abnormalities in a station control layer and a process layer network; multi-parameter based detection identifies possible threats to industrial control systems due to internal inadvertent misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation. The invention is verified on a network physical test platform simulating an actual 500kV intelligent substation, and the instantaneity and the usability of the intrusion detection method are verified.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a flow chart of the remote signaling comparison detection of the present invention;
FIG. 3 is a flowchart of the consistency detection in the present invention.
Detailed Description
The following describes embodiments of the present invention in detail with reference to the accompanying drawings;
as shown in fig. 1, the method for detecting the intrusion of the power industry control network based on IEC61850 includes:
ACD access control detection: for preventing malware activity and attacks attempting to communicate with the control server during the initial infection phase; establishing an MAC address in a data link layer, an IP address in a network layer and an access control white list of a port of a transmission layer, and if any address or port is not in the corresponding white list, taking a preset action;
detecting a white list of a PWD protocol: the system is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; setting various protocols supported by a station control layer network and a process layer network, and establishing a protocol white list, wherein the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, only allowing communication services conforming to MMS, COTP, TPKT or SNTP normal protocols, otherwise, considering suspicious communication and generating alarm information; for the process layer network, only allowing normal traffic of GOOSE, SMV or IEEE 1588, otherwise, generating alarm information considering suspicious traffic;
model-based detection of MBD: the system is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing an SCD (substation configuration description) file and normal IEC61850 message content, defining a normal behavior model by using deep protocol analysis, and comparing a detected message with the normal behavior model to construct a detection model to identify abnormal deviation;
MPD based on multi-parameter detection: the method is used for identifying threats caused by internal accidental misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation; the method comprises the steps of detecting telemetering and telesignaling data from a station control layer network and a process layer network, identifying abnormity, specifically, comparing and detecting telesignaling and comparing and detecting telemetering.
Meanwhile, the invention also provides a system capable of realizing the IEC 61850-based intrusion detection method for the power industry control network, which comprises the following steps:
the ACD access control detection module: this module is used to prevent malware activity and attacks attempting to communicate with the control server during the initial infection phase; the method comprises the steps that detection is carried out by establishing an MAC address in a data link layer, an IP address in a network layer and an access control white list of a port of a transmission layer, and if any address or port is not in the corresponding white list, the module takes a preset action;
PWD agreement white list detection module: the module is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; various protocols supported by a station control layer network and a process layer network are set, a protocol white list is established for detection, and the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, the module only allows communication services conforming to MMS, COTP, TPKT or SNTP normal protocols, otherwise, the module considers suspicious communication and generates alarm information; for the process layer network, the module only allows the normal flow of GOOSE, SMV or IEEE 1588, otherwise, the module is regarded as suspicious flow and generates alarm information;
MBD model-based detection module: the module is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the SCD file and the content of a normal IEC61850 message, using a deep protocol to analyze and define a normal behavior model, comparing the detected message with the normal behavior model, and constructing a detection model to identify abnormal deviation;
MPD multi-parameter based detection module: the module is used for identifying threats caused by internal inadvertent misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation; the method is used for identifying abnormality by detecting telemetering and telesignaling data from a station control layer network and a process layer network, and specifically comprises a telesignaling comparison detection module and a telemetering comparison detection module.
The following describes in detail the detection processes in the method of the present invention, and also the implementation processes of the detection modules in the system of the present invention:
(1) ACD access control detection
ACD is an access control white list policy that includes Media Access Control (MAC) addresses in the data link layer, IP addresses in the network layer, and ports in the transport layer. The TCP port of IEC61850 flow is <102 >. If any address or port is not on the corresponding white list, the IDS will take a preset action. For example, an alarm is issued in an IDS (Intrusion Detection System) mode, a block is issued in an IPS (Intrusion Prevention System) mode, and a Detection result is recorded. The following formula (1):
here, AC ═ MACsrc,MACdst,IPsrc,IPdst,Portsrc,Portdst,ACwlRepresenting the corresponding set of whitelists. MACsrc,MACdst,IPsrc,IPdst,Portsrc,PortdstRepresenting source and destination MACs, source and destination IPs, and source and destination ports.
Each host or device in the secondary system of the intelligent substation has a unique < IP, MAC > match. If the IED device is not replaced by a new device, but corresponds to the same IP address from two or more MAC addresses, this means that a spoofing attack may occur.
(2) PWD protocol whitelist detection
Protocol white list detection references layers 2-7 of the Open Systems Interconnection (OSI) model, handling various protocols of the intelligent substation network, such as MMS, COTP, TPKT, Simple Network Time Protocol (SNTP), GOOSE, SMV, and IEEE 1588. A typical IEC61850 based substation network comprises a site control layer network and a process layer network. For a network of the site-controlled layer, the IDS may be set to only allow communication traffic that conforms to the normal protocol, MMS/COTP/TPKT/SNTP, etc. For the process layer network, the IDS only allows the normal traffic of GOOSE/SV/IEEE 1588 and the like. In different cases, the IDS may be set to support other specific protocols. For example, when the IDS is deployed in the intelligent substation process layer network, only the GOOSE/SV/IEEE 1588 traffic is allowed, otherwise the alarm information is generated as suspicious traffic.
(3) Model-based detection of MBD
The model-based detection method analyzes the contents of the SCD file and the normal IEC61850 message, defines a normal behavior model by using deep protocol analysis, and compares the detected message with a correct behavior model to identify abnormal deviation. The abnormal behavior detection method based on the model has the potential of detecting unknown attacks. Compared to traditional IT networks, industrial control networks in intelligent substations have different characteristics, such as regular flow and predictable behaviour patterns, which may simplify the behaviour model. The proposed MBD has the potential to discover malicious attacks or unintentional anomalies in both the station level and the process level networks.
1) MBD for station control layer network
In a site-controlled layer network, abnormal behavior detection is based on ACSI or SNTP mapped to MMS. The detection model is defined as follows,
a) report service model
In the SCD file, the maximum number of instantiatable reporting control blocks per IED has been configured. The proposed reporting service model defines the maximum number of instantiatable reporting control blocks per IED as detection rules. If the MBD identifies abnormal connection requests that may occupy all instantiatable report control blocks of the IED, a suspected denial of service (DoS) attack is alerted and the detection results are recorded.
b) Association service model
The proposed association service model defines the maximum number of connectable IEC61850 clients. And if the MBD detects an abnormal connection request to the client, generating an alarm and recording a detection result.
c) Setting up a service model
The proposed provisioning service model definition only allows IEC61850 clients to modify the provisioning. When this model is violated, the MBD will issue an alarm message.
d) File transfer model
The ACSI GetFile service is used by clients to transfer the content of a file from a server to a client. The client uses the ACSI getfileattribute values service to obtain the name and attributes of a particular file in the server file store. The file transmission model defines that an IEC61850 client can only transmit a single file. If this rule is violated, it will generate an alarm and record the detection result.
e) SNTP model
In a substation network, SNTP is used to achieve time synchronization through LAN communication. SNTP traffic uses User Datagram Protocol (UDP) at the transport layer. In terms of SNTP traffic, the port number of the UDP connection to the IEC61850 server should be <123 >. If the port number of the SNTP traffic is not <123>, the MBD will trigger an alarm and save the result in a log file.
f) Time dependent model
Important control commands have time-dependent constraints, such as time interval limits and frequency limits. If the same legitimate command is sent too frequently, the following rules may be violated, as in equations (2) (3). In each case, the IDS will initiate some action (alerts and logs).
CV(n)-CV(n-1)<T→Actions(alert,log) (2)
CV in equation (2) is a control command, n is a positive integer (n >1), and T is a limit of a time interval.
In the formula (3), F represents a frequency limit.
2) MBD of process layer
In the process layer network, model detection is based on GOOSE and SMV protocol specifications. A GOOSE APDU has twelve fields, such as gocbRef (control block reference), timeAllowedToLive, datSet (data set reference), goid (GOOSE id), t (event timestamp), StNum (state number), SqNum (test identifier), test (test bit), confRev (configuration revision), ndsCom (debug required), numdatset entries (number of data set entries), and allData. According to IEC 61850-9-2, SMV datagrams are in ISO/IEC 8802-3 in the data link layer, similar to GOOSE datagrams. The SV APDU has five fields such as svID (SMV control block ID), smpCnt (sample counter), confRev (configuration revision), smpSynch (synchronization adopted), and seqData (data sequence). The partial detection model is defined as follows:
a) destination address model
The destination ISO/IEC 8802-3 multicast address is configured in the SCD file (< Communication > → < subnet > → < connected ap >) for transporting GOOSE/SMV. The destination address fields (6 octets) of GOOSE and SMV messages start with four octets (01-0C-CD-01) and (01-0C-CD-04), respectively. The destination address models of GOOSE and SMV are (4) and (5), i.e.:
in formula (4), P is a message captured in the process layer network, and PGOOSERepresenting a GOOSE message and DstAField representing the value of the destination address field in the ISO/IEC 8802-3 frame format.
P in formula (5)SMVRepresenting an SMV message.
b) TPID field model
The Tag Protocol Identifier (TPID) field (2 octets) shows the ethernet type assigned for the 802.1Q ethernet encoded frame. The value of the TPID field in the GOOSE/SMV message should be 0x8100, i.e.
Wherein TPIDField represents the value of the TPID field, and PGOOSE/SMVRepresenting GOOSE or SMV messages.
c) EtherType field model
The EtherType field (2 bytes) of ISO/IEC 8802-3 is registered by the IEEE Authority. The assigned EtherType values for GOOSE and SMV are 0x88B8 and 0x88BA, respectively, i.e., equation (7) (8):
where EthTField is the value of the EtherType field.
d) Priority domain model
The priority field (3-bit) model defines the priority values of GOOSE and SMV packets. GOOSE/SMV has a default value of 4, and is also configured in the SCD file. The priority value should be from 0 to 7, i.e. equation (9):
PrioField in equation (9) is the value of the user priority field.
e) APPID field model
Each GOOSE/SMV control block has a unique APPID in the SCD file. The APPID field (2 octets) of the GOOSE message should be 4-bit hexadecimal, i.e. [0000-3FFF ], and the field of the SMV message should be [4000-7FFF ]. The detection model is shown in the formulas (10) and (11),
f) length model
The length field (2 octets) of the GOOSE/SMV message specifies the total number of bytes in the frame starting from APPID to APDU, which is equal to 8+ m (m is the length of the APDU, m < 1492). The length field model is as in equation (12),
where longfield is the value of the length field.
The length of the goID field in the GOOSE APDU is less than or equal to 65 bytes, i.e. equation (13),
where LenGoIDField is the length of the goID field.
g) TimeAllowedToLive field model
The timeAllowedToLive field in the GOOSE APDU shall be double MaxTime. "MaxTime" is configured in the SCD file as <5000> (< Communication > → < subnet > → < connectitedap > → < GSE > → < MaxTime >). This detection mode will send a communication interruption alarm if there are no GOOSE packets within 10000 ms.
h) Mark field model
In the GOOSE tag field model, tag values of the gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, and numdatset fields of the GOOSE packet are 0x80,0x81,0x82,0x83,0x84,0x85, 0x86, 0x87, 0x88, 0x89, and 0x8 a. In the SMV label field model, label values of the fields of the svID, smpCnt, confRev and smpSynch of the SMV message are 0x80,0x82,0x83 and 0x85 respectively.
i) SmpCnt field model
The smpCnt field model specifies the value of a counter that is incremented each time a new sample of the analog value is sampled. When the sample rate of the Merging Unit (MU) is 4000Hz (80 samples/cycle), the values of smpCnt should be kept in the correct order within the range of [0,3999], i.e. equation (14),
where SmpCField is the value of the smpCnt field.
j) Correlation model
The APPID field is equal to the last two octets of the destination address field according to the actual SCD configuration of the intelligent substation. It can be defined as a correlation domain model, equation (15),
wherein DstAField (P)5,6Representing the last two octets of the destination address field.
The type of the gocbRef field in the GOOSE APDU is a string including a Logical Device (LD) name, a Logical Node (LN) name, a Function Constraint (FC), and a Control Block (CB) name, i.e., LD/LN $ FC $ CB. The datSet field in the GOOSE APDU includes the LD name, the LN name, and the Data Set (DS) name, i.e., LD/LN $ DS. The default value of the goID field in the GOOSE APDU is similar to the default value of the gocb reference field, i.e., LD/LN $ CB. The LD/LN value in the gcbRef field matches the LD/LN value in the dataSet field. The control block name in the gocbRef field matches the control block name in the goID field. For example, gocbRef: PM5001APIGO/LLN0$ GO $ gocb1, dataSet: PM5001APIGO/LLN0$ dsGOOSE1, goID: PM5001APIGO/LLN0. gocb1. The corresponding associated dictionary model is as in equation (16),
wherein GocbField, DatSField, and GoIDfield denote the gocbRef, dataSet, and goID fields, respectively.
The changes in the number of states (StNum) and sequence number (SqNum) in GOOSE APDUs strictly adhere to the associated behavior pattern. When the value of datSet in the GOOSE message sent changes, the value of StNum will increase, which will result in the value of SqNum being set to zero. When the value of StNum is not changed, the value of SqNum will increment for each GOOSE transmission, but it will roll over to 0 at its maximum value (SqNummax 4294967295).
StNum (GP) in the formula (17)i) And SqNum (GP)i) Respectively representing StNum and SqNum values of the ith GOOSE message.
k) Flow-based model
According to the service captured from the actual substation scene, the service-based model defines the upper and lower threshold values of the per-second message transmission rate (PPS), the per-second transmission byte size (BPS), the message length (LoP) and the message size (SoP) as normal traffic behaviors. The flow detection model is expressed by equation (18),
wherein PPSminAnd PPSmaxRepresenting lower and upper thresholds for PPS.
Behavior outside of these protocol models is considered anomalous and suspicious. If any of the above models is violated, the MBD will generate an alarm and record the detection results.
(4) MPD multi-parameter based detection
The core idea of multi-parameter based detection is to identify possible threats to the industrial control system due to internal unintentional misuse or external malicious attacks by monitoring the most sensitive parameters of the intelligent substation. These multidimensional parameters are relevant to the safe and stable operation of intelligent substations, such as telemetry and telemetry data from station level and process level networks. And a multi-parameter detection strategy is provided from the service knowledge and the operation experience of the intelligent substation, such as comparison of key switch signals and key analog signals.
1) Remote signaling comparison detection rules
In the IEC61850 intelligent substation, an intelligent terminal in a process level network sends remote signaling data to IEDs in bay levels by adopting GOOSE messages, and receives tripping/closing instructions from a protection or measurement and control device. As shown in fig. 2, the proposed telemetry comparison detection rule identifies exceptional events by comparing GOOSE messages with associated MMS messages. For example, if an incoming signal of a protection IED (GOOSE message) in the process level network and an associated signal report (MMS message) from the station level network do not coincide, an abnormal alarm will occur.
2) Telemetry comparison detection rules
In an IEC61850 intelligent substation, a Merging Unit (MU) has a sample value model and sends SV messages to protection measurement and control devices. The telemetry comparison detection rule contains two categories:
a) range detection rules
Typically the sampled values have an upper boundary value and a lower boundary value (e.g. current (I) and voltage (U)). If the measured value is outside the expected range, an alarm is issued, equation (19),
where smv (i), i — I, U, represent different sample values, such as current and voltage; [ SMV (i)min-e(i),SMV(i)max+e(i)]Representing the range between the upper and lower boundaries, e (i) is the measurement tolerance. In the normal stateIn the operational case, the upper and lower boundaries are configured according to the design and operational specifications of the substation. For example, the bus voltage upper and lower bounds of a 500(330) kV substation are set to 90% and 110% rated voltages. From the point of view of safe operation of the industrial control system, such suspicious phenomena should be noticed and resolved by the operators in the substation as long as the measured values are outside the expected range. Thus, the proposed range detection rules can identify anomalous events caused by measurement errors or malicious attacks.
b) Consistency detection rules
In a practical case, the dualized configured IEDs (groups a and B) in the bay level receive the same MU sample values from the associated current/voltage transformers (CT/VT). As shown in fig. 3, the proposed conformance detection rules are used to detect inconsistencies between the configured merging unit SMV parameters and the MMS of the associated plurality of protection devices (e.g. line protection a/B, bus protection a/B and transformer protection a/B). Parameters for telemetry comparison include voltage and current, and also include differential current, i.e., the differential current in the two sets of protection MMS messages is compared. If the consistency detection rule is violated, an exception alarm will occur. The IEC 61850-based power industry control network intrusion detection method and system provided by the invention can form a logic network boundary in a digital substation, wherein the logic network boundary comprises an IEC 61850-related communication safety area. The next step to ensure that defense in depth is to establish a supervision mechanism in the security zone that can detect vulnerabilities and failed security controls, such as an attacker penetrating a misconfigured firewall, or bypassing the firewall altogether to launch an attack by a computer that an engineer has connected directly to the substation lan and is infected with malware. Once an intruder establishes a presence at the target substation network, scanning from the primary network to intentionally attempting to obtain a response from the IED; or cause a particular command to be executed; automatic or manual actions will be initiated that are not prevented by the border firewall. Therefore, the intrusion detection system aiming at the IEC61850 is designed to discover suspicious abnormal bewildering behaviors possibly existing in the electric power engineering system and improve the safety of the electric power engineering system based on the IEC61850 protocol.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Claims (6)
1. An IEC 61850-based electric power industry control network intrusion detection method is characterized by comprising the following steps:
ACD access control detection: for preventing malware activity and attacks attempting to communicate with the control server during the initial infection phase; extracting a destination IP address, a source IP address, a destination MAC address or a source MAC address or a port from a captured message, comparing the destination IP address with a pre-established access control white list, and if the IP address, the MAC address or the port does not belong to the access control white list, determining the IP address, the MAC address or the port as a suspicious IP address, an MAC address or a port; if the access control white list belongs to the access control white list, the access control white list is regarded as a normal IP address, a normal MAC address or a normal port;
detecting a white list of a PWD protocol: the system is used for detecting abnormal protocol flow in a substation control layer network and a process layer network of the transformer substation and giving an alarm; the method comprises the steps of setting various protocols supported by a station control layer network and a process layer network, wherein the various protocols comprise MMS, COTP, TPKT, SNTP, GOOSE, SMV and IEEE 1588; for the station control layer network, only allowing communication services conforming to MMS, COTP, TPKT or SNTP protocols, otherwise, considering suspicious communication and generating alarm information; for the process layer network, only allowing GOOSE, SMV or IEEE 1588 traffic, otherwise, generating alarm information considering suspicious traffic;
model-based detection of MBD: the system is used for detecting malicious attacks or unexpected abnormal behaviors in a station control layer network and a process layer network; analyzing the content of the SCD file and the IEC61850 message, comparing the detected message with a normal behavior model defined by using protocol analysis, and if the condition of violating any normal behavior model occurs, generating an alarm and recording a detection result;
MPD based on multi-parameter detection: the method comprises the steps of monitoring parameters of the intelligent substation to identify threats caused by internal accidental misuse or external malicious attacks; the method comprises the steps of detecting telemetering data and remote signaling data from a station control layer network and a process layer network, identifying abnormal data through homologous comparison, and regarding the abnormal data as abnormal data when the homologous data are inconsistent; specifically, remote signaling comparison detection and remote sensing comparison detection are carried out;
the model-based detection of the MBD on the station control layer network specifically comprises the following steps:
in a station control layer network, establishing a normal behavior model based on ACSI or SNTP mapped to MMS, and generating an alarm and recording a detection result if any normal behavior model is violated; the normal behavior model is established as follows:
a) report service model
In the SCD file, the maximum number of instantiatable report control blocks per intelligent electronic device has been configured; the proposed report service model defines the maximum number of instantiatable report control blocks per intelligent electronic device as detection rules; if the abnormal connection requests which possibly occupy all the instantiatable report control blocks of the intelligent electronic equipment are identified, the suspicious denial of service (DoS) attack is alarmed and the detection result is recorded;
b) association service model
The associated service model defines the maximum number of connectable IEC61850 clients; if an abnormal connection request to the client is detected, generating an alarm and recording a detection result;
c) setting up a service model
The provisioning service model definition only allows the IEC61850 client to modify the provisioning, and if the definition is violated, an alarm message will be sent;
d) file transfer model
The ACSIGetFile service is used by a client for transmitting the content of a file from a server to the client, the client acquires the name and the attribute of a specific file in the file storage of the server by using the ACSI GetFileAttributeValues service, a file transmission model defines that the IEC61850 client can only transmit a single file, and if the definition is violated, an alarm is generated and the detection result is recorded;
e) SNTP model
In a transformer substation network, SNTP is used for realizing time synchronization through LAN communication, SNTP flow adopts a user datagram protocol at a transmission layer, in the aspect of SNTP flow, the port number of the user datagram protocol connection to an IEC61850 server is <123>, and if the port number of the SNTP flow is not <123>, an alarm is triggered and the result is stored in a log file;
f) time dependent model
Important control commands have time-dependent constraints including time interval limits and frequency limits, and if the same legitimate command is sent too frequently, the rules of trans (2) (3) are violated, in each case some alarm and log actions will be initiated:
CV(n)-CV(n-1)<T→Actions(alert,log) (2)
CV in equation (2) is a control command, n is a positive integer (n >1), and T is a limit of a time interval;
in the formula (3), F represents a frequency limit.
2. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein in the ACD access control detection, the established access control white list comprises MAC addresses in data link layer, IP addresses in network layer and access control white list of transport layer ports.
3. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein in the ACD access control detection, for the IP address, MAC address or port deemed suspicious, a preset action is further taken, which specifically is: sending out an alarm in an IDS mode, stopping in an IPS mode, and recording a detection result; the following formula (1):
wherein, AC ═ MACsrc,MACdst,IPsrc,IPdst,Portsrc,Portdst,ACwlRepresenting an established access control white list; MACsrc,MACdst,IPsrc,IPdst,Portsrc,PortdstRespectively representing a source MAC address and a destination MAC address, a source IP address and a destination IP address, a source port and a destination port; each host or device having a unique identity<IP,MAC>Matching; if the intelligent electronic equipment is not replaced by a new device, but if two or more MAC addresses correspond to the same IP address, the cheating attack is judged to occur.
4. The IEC 61850-based power industry control network intrusion detection method according to claim 1, wherein the MBD model-based detection on the process level network specifically comprises: in a process layer network, establishing the normal behavior model based on GOOSE and SMV protocol specifications, and if any normal behavior model is violated, generating an alarm and recording a detection result; GOOSE APDU has twelve fields as gocbRef, timeAllowedToLive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom, numDateSetEntries and allData; according to IEC 61850-9-2, SMV datagram adopts ISO/IEC 8802-3 in data link layer; the SV APDU has five fields of svID, smpCnt, confRev, smpSynch and seqData, and the normal behavior model is defined as follows:
a) destination address model
Configuring a destination ISO/IEC 8802-3 multicast address for transmitting GOOSE/SMV in an SCD file < Communication > → < sub network > → < connected AP >; the destination address fields of the GOOSE message and the SMV message start with four octets 01-0C-CD-01 and 01-0C-CD-04, respectively; the destination addresses of GOOSE and SMV are as in formulas (4) and (5):
in formula (4), P is a message captured in the process layer network, and PGOOSERepresenting a GOOSE message, and DstAField representing the value of a destination address field in an ISO/IEC 8802-3 frame format;
p in formula (5)SMVRepresenting an SMV message;
b) TPID field model
The 2 octets of the tag protocol identifier field show the ethernet type allocated for the 802.1Q ethernet encoded frame; the value of the TPID field in the GOOSE/SMV message should be 0x8100, i.e.
Wherein TPIDField represents the value of the TPID field, and PGOOSE/SMVRepresenting GOOSE or SMV messages;
c) EtherType field model
The EtherType field 2 bytes of ISO/IEC 8802-3 are registered by the IEEE Authority, and the assigned EtherType values for GOOSE and SMV are 0x88B8 and 0x88BA, respectively, equation (7) (8):
wherein EthTField is the value of the EtherType field;
d) priority domain model
Defining the priority values of GOOSE and SMV messages, the default value of GOOSE/SMV is 4, and the priority values should be configured in the SCD file from 0 to 7, that is, equation (9):
PrioField in formula (9) is the value of the user priority field;
e) APPID field model
Each GOOSE/SMV control block has a unique APPID in the SCD file, the 2 octets of the APPID field of the GOOSE message are 4-bit hexadecimal [0000-3FFF ], and the field of the SMV message is [4000-7FFF ], as in equations (10) and (11):
f) length model
The length field 2 octets of the GOOSE/SMV message specifies the total number of bytes in the frame starting from APPID to APDU, which is equal to 8+ m, where m is the length of the APDU, m <1492, the length field model is as follows (12):
where Length field is the value of the Length field;
the length of the goID field in the GOOSE APDU is less than or equal to 65 bytes, i.e. equation (13),
wherein LenGoIDField is the length of the goID field;
g) TimeAllowedToLive field model
The timeAllowedToLive field in the GOOSE APDU shall be double MaxTime; "MaxTime" is configured in the SCD file as <5000>, < Communication > → < subnet > → < connecticut ap > → < GSE > → < MaxTime >; if no GOOSE data packet exists within 10000ms, sending a communication interruption alarm;
h) mark field model
In the GOOSE tag field model, tag values of gocbRef, timeallowedtollive, datSet, goID, t, StNum, SqNum, test, confRev, ndsCom and numdatset fields of the GOOSE packet are 0x80,0x81,0x82,0x83,0x84,0x85, 0x86, 0x87, 0x88, 0x89 and 0x8 a; in the SMV label field model, label values of svID, smpCnt, confRev and smpSynch fields of an SMV message are respectively 0x80,0x82,0x83 and 0x 85;
i) SmpCnt field model
The smpCnt field model specifies the value of a counter, which is incremented each time a new sample of the analog value is sampled; when the sampling rate of the merging unit MU is 4000Hz, wherein 80 samples/cycle, the values of smpCnt are in the range of [0,3999], maintaining the correct order, i.e. equation (14),
wherein SmpCField is the value of the smpCnt field;
j) correlation model
According to the actual SCD configuration of the intelligent substation, the APPID field, equal to the last two octets of the destination address field, is defined as the relevant domain model, i.e. equation (15):
wherein DstAField (P)5,6The last two octets representing the destination address field;
the type of the gocbRef field in the GOOSE APDU is a string including the logical device LD name, the logical node LN name, the function constraint FC, and the control block CB name, i.e., LD/LN $ FC $ CB; the datSet field in the GOOSE APDU includes the LD name, the LN name, and the data set DS name, i.e., LD/LN $ DS; the default value of the goID field in the GOOSE APDU is similar to the default value of the gocb reference field, i.e. LD/LN $ CB; the LD/LN value in the gcbRef field matches the LD/LN value in the dataSet field; the control block name in the gocbRef field matches the control block name in the goID field; gocbRef: PM5001APIGO/LLN0$ GO $ gocb1, dataSet: PM5001APIGO/LLN0$ dsGOOSE1, goID: PM5001APIGO/LLN0.gocb1, the corresponding associated dictionary model is as follows (16):
wherein GocbField, DatSField, and GoIDfield represent the gocbRef, dataSet, and goID fields, respectively;
the change of the state quantity StNum and the sequence number SqNum in the GOOSE APDU strictly obeys the associated behavior pattern; when the value of datSet in the transmitted GOOSE message changes, the value of StNum will increase, which will result in the value of SqNum being set to zero; when the value of StNum is not changed, the value of SqNum will increment for each GOOSE transmission, but it will roll over to 0 at its maximum value SqNummax 4294967295:
StNum (GP) in the formula (17)i) And SqNum (GP)i) Respectively representing StNum and SqNum values of the ith GOOSE message;
k) flow-based model
According to the service captured from the actual substation scene, the service-based model defines the upper limit and the lower limit threshold of the per-second message transmission rate PPS, the per-second transmission byte size BPS, the message length LoP and the message size SoP as the normal flow behavior, as shown in formula (18):
wherein PPSminAnd PPSmaxRepresenting lower and upper thresholds for PPS.
5. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein the remote signaling comparison detection specifically comprises: in the IEC61850 intelligent substation, intelligent electronic equipment in a process layer network sends remote signaling data to intelligent electronic equipment in a bay layer by adopting a GOOSE message, and receives a tripping/closing instruction from a protection or measurement and control device; the remote signaling comparison detection identifies abnormal events by comparing GOOSE messages with associated MMS messages; and if the input signal of the GOOSE message for protecting the intelligent electronic equipment in the process layer network is inconsistent with the MMS message of the associated signal report from the station control layer network, abnormal alarm is generated.
6. The IEC61850 based power industry control network intrusion detection method according to claim 1, wherein the telemetry comparison detection specifically is: in an IEC61850 intelligent substation, a merging unit MU has a sampling value model and sends SV information to a protection measurement and control device, and the telemetering comparison detection comprises two rules:
a) range detection rules
The sampled values have an upper boundary value and a lower boundary value, and if the measured values are outside the expected range, an alarm is issued, equation (19):
where smv (I), I — I, U, represents different sample values, current I and voltage U; [ SMV (i)min-e(i),SMV(i)max+e(i)]Representing the range between the upper and lower boundaries, e (i) is the measurement tolerance, the upper and lower boundaries being configured according to the design and operating specifications of the substation under normal operating conditions, the bus voltage of the 500(330) kV substation being set at 90% and 110% rated voltage;
b) consistency detection rules
The duplicated intelligent electronic devices in the bay level are configured into groups A and B, receive the same MU sample values from the associated current transformer CT/voltage transformer VT, detect inconsistencies between the configured merging unit SMV parameters and the MMS of the associated plurality of protection devices, telemetrically compare the parameters including voltage, current and differential current, and alarm an anomaly if a consistency detection rule is violated.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710425727.8A CN106982235B (en) | 2017-06-08 | 2017-06-08 | IEC 61850-based electric power industry control network intrusion detection method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710425727.8A CN106982235B (en) | 2017-06-08 | 2017-06-08 | IEC 61850-based electric power industry control network intrusion detection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106982235A CN106982235A (en) | 2017-07-25 |
CN106982235B true CN106982235B (en) | 2021-01-26 |
Family
ID=59344823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710425727.8A Active CN106982235B (en) | 2017-06-08 | 2017-06-08 | IEC 61850-based electric power industry control network intrusion detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106982235B (en) |
Families Citing this family (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107483514A (en) * | 2017-10-13 | 2017-12-15 | 北京知道创宇信息技术有限公司 | Attack monitoring device and smart machine |
CN107733907B (en) * | 2017-10-25 | 2020-06-02 | 国家电网公司 | Dynamic protection method and device |
CN109962881A (en) * | 2017-12-22 | 2019-07-02 | 北京安天网络安全技术有限公司 | Intrusion detection method, device and system based on industrial control system |
CN108282482B (en) * | 2018-01-30 | 2020-12-01 | 电子科技大学 | SVM-based IEC60870-5-104 abnormal flow detection method |
CN108848118B (en) * | 2018-03-29 | 2021-09-10 | 杭州海兴电力科技股份有限公司 | Communication method, power distribution and utilization integrated communication equipment and system |
CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
CN109862028B (en) * | 2019-03-04 | 2021-03-12 | 北京国网富达科技发展有限责任公司 | Data security access system |
CN110086776A (en) * | 2019-03-22 | 2019-08-02 | 国网河南省电力公司经济技术研究院 | Intelligent substation Network Intrusion Detection System and detection method based on deep learning |
CN109889552A (en) * | 2019-04-18 | 2019-06-14 | 南瑞集团有限公司 | Power marketing terminal abnormal flux monitoring method, system and Electric Power Marketing System |
CN110768946A (en) * | 2019-08-13 | 2020-02-07 | 中国电力科学研究院有限公司 | Industrial control network intrusion detection system and method based on bloom filter |
CN110909811B (en) * | 2019-11-28 | 2022-10-18 | 国网湖南省电力有限公司 | OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system |
CN111049828B (en) * | 2019-12-13 | 2021-05-07 | 国网浙江省电力有限公司信息通信分公司 | Network attack detection and response method and system |
CN111245858A (en) * | 2020-01-19 | 2020-06-05 | 世纪龙信息网络有限责任公司 | Network flow interception method, system, device, computer equipment and storage medium |
WO2021177899A1 (en) * | 2020-03-05 | 2021-09-10 | Singapore University Of Technology And Design | Power system security enhancement |
CN111478925B (en) * | 2020-05-21 | 2022-12-06 | 四川英得赛克科技有限公司 | Port scanning detection method and system applied to industrial control environment |
CN111614674B (en) * | 2020-05-21 | 2022-12-06 | 四川英得赛克科技有限公司 | Abnormal access behavior detection method, system, medium and equipment thereof |
CN111901291B (en) * | 2020-06-03 | 2022-03-22 | 中国科学院信息工程研究所 | Network intrusion detection method and device |
CN111401976B (en) * | 2020-06-08 | 2020-09-04 | 腾讯科技(深圳)有限公司 | Abnormal behavior detection method, device, equipment and storage medium |
CN113958377B (en) * | 2020-07-03 | 2023-04-07 | 东方电气股份有限公司 | Real-time online monitoring system and method for network security of steam turbine |
CN112073326B (en) * | 2020-07-30 | 2023-05-12 | 许继集团有限公司 | Intelligent substation process layer network data flow control method |
CN114079576B (en) * | 2020-08-18 | 2024-06-11 | 奇安信科技集团股份有限公司 | Security defense method, security defense device, electronic equipment and medium |
CN112702333B (en) * | 2020-12-21 | 2023-03-24 | 英赛克科技(北京)有限公司 | Data security detection method and device |
CN114826631B (en) * | 2021-01-27 | 2024-03-15 | 南京南瑞继保电气有限公司 | Substation firewall configuration method |
CN113221103B (en) * | 2021-05-08 | 2022-09-20 | 山东英信计算机技术有限公司 | Container safety protection method, system and medium |
CN113315777B (en) * | 2021-06-03 | 2021-12-07 | 珠海市鸿瑞信息技术股份有限公司 | Intelligent operation and maintenance monitoring system based on power protocol operation |
CN113824724B (en) * | 2021-09-24 | 2023-09-22 | 山东能士信息科技有限公司 | Method and device for judging tampered sensor data of intelligent substation and storage medium |
CN114124478B (en) * | 2021-11-08 | 2023-05-09 | 湖南大学 | Method and system for detecting abnormal industrial control flow of power system |
CN114374528A (en) * | 2021-11-24 | 2022-04-19 | 河南中裕广恒科技股份有限公司 | Data security detection method and device, electronic equipment and medium |
CN114338096B (en) * | 2021-12-10 | 2023-11-17 | 南京南瑞继保电气有限公司 | Configuration method of process layer isolation device |
CN114697081B (en) * | 2022-02-28 | 2024-05-07 | 国网江苏省电力有限公司淮安供电分公司 | Intrusion detection method and system based on IEC61850 SV message running situation model |
CN115190139A (en) * | 2022-03-28 | 2022-10-14 | 北京慧能分享科技有限公司 | Multi-protocol-based load balancing energy big data acquisition system and method |
CN116094760B (en) * | 2022-12-05 | 2024-06-25 | 金川集团镍钴有限公司 | Data transmission method of cross-forward isolation device based on message dictionary |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105204487A (en) * | 2014-12-26 | 2015-12-30 | 北京邮电大学 | Intrusion detection method and intrusion detection system for industrial control system based on communication model |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103296757B (en) * | 2013-05-21 | 2014-09-03 | 国家电网公司 | Multi-parameter identification based secondary system fault diagnosing method for intelligent substation |
WO2015169392A1 (en) * | 2014-05-09 | 2015-11-12 | Abb Technology Ltd | A method for providing status information of a channel's health condition in a communications network |
CN105549418B (en) * | 2015-12-07 | 2019-01-22 | 国网安徽省电力公司蚌埠供电公司 | The SCD of intelligent substation communicates debugging system |
CN105375638B (en) * | 2015-12-08 | 2018-04-10 | 国网浙江省电力公司绍兴供电公司 | Secondary system of intelligent substation Real-time Alarm analytical equipment and method |
-
2017
- 2017-06-08 CN CN201710425727.8A patent/CN106982235B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105204487A (en) * | 2014-12-26 | 2015-12-30 | 北京邮电大学 | Intrusion detection method and intrusion detection system for industrial control system based on communication model |
Also Published As
Publication number | Publication date |
---|---|
CN106982235A (en) | 2017-07-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106982235B (en) | IEC 61850-based electric power industry control network intrusion detection method and system | |
Yang et al. | Multidimensional intrusion detection system for IEC 61850-based SCADA networks | |
Yang et al. | Intrusion detection system for IEC 60870-5-104 based SCADA networks | |
EP2721801B1 (en) | Security measures for the smart grid | |
CN107493265B (en) | A kind of network security monitoring method towards industrial control system | |
Yang et al. | Multiattribute SCADA-specific intrusion detection system for power networks | |
Zhang et al. | Power system reliability evaluation with SCADA cybersecurity considerations | |
CN108063753A (en) | A kind of information safety monitoring method and system | |
Hadeli et al. | Leveraging determinism in industrial control systems for advanced anomaly detection and reliable security configuration | |
CN108809970B (en) | Safety protection method of intelligent home security gateway | |
KR101206095B1 (en) | Intelligent Electric Device, network system including the device and the protecting method for the network | |
KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation | |
CN214306527U (en) | Gas pipe network scheduling monitoring network safety system | |
WO2019181258A1 (en) | Network probe and method of processing message | |
CN101728869A (en) | Power station automation system data network security monitoring method | |
KR100947211B1 (en) | System for active security surveillance | |
KR102001812B1 (en) | Apparatus and method of making whitelist for communication among devices using k-means algorithm | |
Yang et al. | Intrusion detection system for IEC 61850 based smart substations | |
McLaughlin et al. | Secure communications in smart grid: Networking and protocols | |
Dolezilek et al. | Cybersecurity based on IEC 62351 and IEC 62443 for IEC 61850 systems | |
Feng et al. | Snort improvement on profinet RT for industrial control system intrusion detection | |
Matoušek et al. | Increasing visibility of iec 104 communication in the smart grid | |
Czechowski et al. | Cyber security in communication of SCADA systems using IEC 61850 | |
Waagsnes et al. | Intrusion Detection System Test Framework for SCADA Systems. | |
US9298175B2 (en) | Method for detecting abnormal traffic on control system protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |