
CN113958377B - Real-time online monitoring system and method for network security of steam turbine - Google Patents


Info

Publication number: CN113958377B
Authority: CN (China)
Prior art keywords: dpu, network, control, control unit, steam turbine
Legal status: Active
Application number: CN202010635451.8A
Other languages: Chinese (zh)
Other versions: CN113958377A (en)
Inventors: 袁晓舒, 桑梓, 刘丝丝, 杨波
Current Assignee: Dongfang Electric Co ltd
Original Assignee: Dongfang Electric Co ltd
Application filed by: Dongfang Electric Co ltd
Priority to: CN202010635451.8A
Publications: CN113958377A; application granted; CN113958377B

Classifications

    • F: MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F01: MACHINES OR ENGINES IN GENERAL; ENGINE PLANTS IN GENERAL; STEAM ENGINES
    • F01D: NON-POSITIVE DISPLACEMENT MACHINES OR ENGINES, e.g. STEAM TURBINES
    • F01D21/00: Shutting-down of machines or engines, e.g. in emergency; Regulating, controlling, or safety means not otherwise provided for
    • F01D21/003: Arrangements for testing or measuring
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mechanical Engineering (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention belongs to the technical field of steam turbine network security protection, and particularly relates to a real-time online monitoring method and system for steam turbine network security. The system comprises a comprehensive analysis module, a control unit monitoring module and a network flow monitoring module. Real-time data and simulation data are acquired synchronously through mirror-image data acquisition and an active monitoring algorithm. Through a network data acquisition step, a network data anomaly analysis step, a system operation result monitoring step, an association analysis step and a comprehensive analysis step, network data anomalies and system data anomalies are analyzed jointly, realizing real-time online monitoring of steam turbine network security.

Description

Real-time online monitoring system and method for network security of steam turbine
Technical Field
The invention belongs to the technical field of steam turbine network security protection, and particularly relates to a real-time online monitoring method and system for steam turbine network security.
Background
In the thermal power generation process, a steam turbine is one of the main control targets. The steam turbine control and protection system realizes the control and protection functions of the steam turbine and mainly comprises a steam turbine control system and a steam turbine protection system. The steam turbine control system specifically refers to a steam turbine control unit of a Distributed Control System (DCS) of a power plant and a digital electro-hydraulic control system (DEH) of the steam turbine, and the steam turbine protection system specifically refers to a steam turbine Emergency Trip System (ETS) and a steam turbine safety monitoring system (TSI).
The main function of the steam turbine control system is to collect the operation parameters (pressure, temperature, rotating speed, power, etc.) of the steam turbine and control the opening of the steam inlet valve (main steam valve and regulating valve) of the steam turbine, so as to ensure that the steam turbine operates under the given parameters; the main function of the turbine protection system is to detect whether the operating parameters (rotation speed, vibration, oil pressure, temperature, etc.) of the turbine exceed the limit values, and close the steam inlet valve of the turbine in time when the operating parameters exceed the limit values, so as to ensure the safe shutdown of the turbine in an uncontrolled state.
In the prior art, an integrated DCS is widely adopted to cover all functions of the DCS steam turbine control unit, the DEH and the ETS. The integrated DCS consists mainly of DPU control units and I/O cards: the main control logic of the steam turbine runs in the DPU control unit, and the I/O cards handle the input and output of the physical signals corresponding to the control logic in the DPU.
At present, steam turbine control protection systems mainly adopt digital control technology based on computer technology and network communication technology. Dedicated software and hardware design ensures the reliability and real-time performance of system operation and reduces the probability of system failure, but the security design of the system is insufficient; in particular, there are vulnerability risks at the software design level.
With the continuous development of industrial internet technology, an industrial control system is no longer a physically isolated system, and increasingly severe network security risks have become a problem that steam turbine control protection systems must face. Once it suffers a network attack, the steam turbine control protection system may fail or run out of control, which can in turn change the operating state of the steam turbine and cause serious production safety accidents. In particular, an integrated DCS that uses the same model throughout and is interconnected over the network may have its control system and protection system paralyzed and failed at the same time.
The main current methods for judging whether a turbine control protection system is under network attack are analysis of network flow and monitoring software implanted into the control system. The two methods mainly have the following problems:
1. the method based on network flow analysis lacks analysis of the control system's own state and cannot effectively prove whether the control protection system has really lost control under a network attack; it also produces false alarms that mislead field workers into implementing improper emergency response plans, so it is difficult to apply in actual engineering;
2. although the method of implanting monitoring software can make up for the defects of the network flow analysis method, new software must be added to the control system and the original configuration must be modified, and if the control system manufacturer does not cooperate, the method can hardly be realized in engineering implementation. In addition, implanted monitoring software used on its own cannot make an effective distinction.
Therefore, a new control system monitoring method is needed that, combined with network flow monitoring and leaving the software and hardware structure of the existing turbine control and protection system unchanged, provides a comprehensive monitoring and analysis method that has practical engineering value, is easy to implement, and focuses on network security incidents that may cause turbine safety accidents.
Disclosure of Invention
The invention aims to solve the problems in the prior art. Without implanting other software programs into the original steam turbine control and protection system, and in combination with a mature network flow acquisition method, it provides a method for comprehensively monitoring the network security of the steam turbine control and protection system, so that serious network security events that adversely affect the normal operation of the steam turbine can be found and can be effectively distinguished from system faults not caused by network security and from non-serious network security events.
In order to achieve the above object, the steam turbine network security real-time online monitoring system according to the technical scheme of the present invention is characterized in that: the system comprises a comprehensive analysis module, a control unit monitoring module and a network flow monitoring module, wherein the network flow monitoring module is accessed to a system network, performs mirror image acquisition on an Ethernet flow data packet of a steam turbine control protection system in the system network and analyzes a network abnormal event;
the steam turbine control protection system in the system network comprises a plurality of field control stations, each field control station comprises a DPU (distributed processing unit) control unit, and the control unit monitoring module is connected with the DPU control stations and used for acquiring the operation result of the DPU control unit;
the system network simultaneously sends random numbers to the DPU control unit and the DPU simulation unit in each operation period to trigger the DPU control unit and the DPU simulation unit to synchronously perform real-time operation and simulation operation; the control unit monitoring module is used for obtaining the real-time operation result of the DPU control unit and the simulation operation result of the DPU simulation unit, and comparing and analyzing the real-time operation result and the simulation operation result to obtain the abnormal event of the DPU control unit;
and the comprehensive analysis module collects the network abnormal events and the DPU control unit abnormal events to perform correlation analysis.
The field control station comprises a DPU control unit, a control network and a physical I/O interface of a monitored steam turbine control protection system, wherein a control unit monitoring module is connected to the control network through the physical I/O interface and is connected to the system network through the DPU control unit; the physical I/O interface comprises an input type I/O card and an output type I/O card; and the control unit monitoring module acquires the operation result of the DPU control unit through a physical I/O interface and a control network.
The system network is also connected with a plurality of engineer stations and operator stations, and the engineer stations and the operator stations acquire or generate instructions to DPU control units in the field control stations through the system network.
Correspondingly, the invention also provides a technical scheme of a monitoring method corresponding to the system, in particular to a real-time online monitoring method for the network security of the steam turbine, which is characterized by comprising the following steps:
acquiring network data, namely acquiring an Ethernet flow data packet of a steam turbine control protection system by a network flow acquisition method based on a switch mirroring technology;
analyzing the network data abnormity, namely analyzing the known network attack characteristics and the network protocol characteristics in the Ethernet traffic data packet based on a rule matching method combining a black list and a white list of a rule set; when any one or more messages in the Ethernet flow data packet accord with any rule in the rule matching method, reporting and recording a network abnormal event;
a system operation result monitoring step, wherein the monitored steam turbine control protection system is accessed through a physical I/O interface; using an active monitoring algorithm, a different random number in each operation period is transmitted through the physical I/O interface to the DPU control unit of the monitored steam turbine control protection system, and then the real-time operation result of the DPU control unit in its normal working environment and the reference operation result of the DPU control unit in an ideal simulation environment are acquired through the physical I/O interface of the target system; the real-time operation result is compared with the standard operation result obtained when the same control logic or control algorithm of the DPU control unit in a normal working state runs in a standard simulation environment; if the comparison error exceeds a manually set error threshold, the DPU control unit is judged abnormal, and a DPU abnormal event is recorded and reported;
a correlation analysis step, wherein an independent comprehensive analysis module/device/system performs time-axis-based correlation analysis on the network abnormal events from the network data anomaly analysis step and the DPU abnormal events from the system operation result monitoring step; specifically, taking the time point at which a network abnormal event occurs as the basis, the DPU abnormal events in the several minutes after it are checked for correlation, and taking the time point at which a DPU abnormal event occurs as the basis, the network abnormal events in the several minutes before it are checked for correlation; the two analysis strategies run simultaneously, ensuring that no network security event or control unit anomaly goes unreported.
A comprehensive analysis step, namely judging whether the network abnormal events and the network safety events corresponding to the DPU abnormal events can affect the safety of the steam turbine body or not according to the analysis result of the correlation analysis step; the comprehensive analysis results have various conditions, and under different conditions, the influence of the network attack on the steam turbine is different, so different emergency response plans should be formulated.
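The two time-window strategies of the correlation analysis step, followed by a simple verdict per event, as an added example that is not code from the patent. The 5-minute window, the `Event` fields, the verdict labels and the sample reports are assumptions made for illustration; the example also goes slightly beyond the text by accepting reports that arrive out of order, which is one situation where running both strategies matters.

```python
from dataclasses import dataclass

WINDOW_S = 5 * 60  # the text says "several minutes"; 5 minutes is an assumed value

# Verdict labels are this example's own names for the cases the description separates.
SERIOUS = "serious network security event"
GENERAL = "general network security event"
FAULT = "system fault, no network cause found"
PENDING = "network event, correlation window still open"


@dataclass(frozen=True)
class Event:
    eid: str      # hypothetical event identifier
    source: str   # "net" = network flow monitor, "dpu" = control unit monitor
    ts: float     # time of occurrence in seconds


class Correlator:
    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s
        self.net, self.dpu = [], []
        self.pairs = set()  # {(network event, DPU event)}

    def ingest(self, ev):
        """Process one reported event; reports may arrive out of order."""
        if ev.source == "net":
            # Strategy 1: DPU anomalies within the window AFTER this network event.
            self.pairs |= {(ev, d) for d in self.dpu
                           if 0 <= d.ts - ev.ts <= self.window_s}
            self.net.append(ev)
        elif ev.source == "dpu":
            # Strategy 2: network anomalies within the window BEFORE this DPU event.
            self.pairs |= {(n, ev) for n in self.net
                           if 0 <= ev.ts - n.ts <= self.window_s}
            self.dpu.append(ev)
        else:
            raise ValueError(f"unknown event source: {ev.source!r}")

    def verdicts(self, now):
        """Classify every event seen so far, as of time `now` (seconds)."""
        hit_net = {n for n, _ in self.pairs}
        hit_dpu = {d for _, d in self.pairs}
        result = {}
        for n in self.net:
            if n in hit_net:
                result[n.eid] = SERIOUS
            elif now - n.ts <= self.window_s:
                result[n.eid] = PENDING   # a DPU anomaly may still follow
            else:
                result[n.eid] = GENERAL
        for d in self.dpu:
            result[d.eid] = SERIOUS if d in hit_dpu else FAULT
        return result


# Constructed sample reports, in arrival order (not data from the patent).
CONSTRUCTED_REPORTS = [
    Event("net-1", "net", 100.0),    # rule hit on a control instruction message
    Event("dpu-1", "dpu", 220.0),    # check error above threshold 2 min later
    Event("net-2", "net", 1000.0),   # rule hit with no DPU anomaly afterwards
    Event("dpu-2", "dpu", 2000.0),   # DPU anomaly with no network event before
    Event("dpu-3", "dpu", 3000.0),   # DPU anomaly reported first ...
    Event("net-3", "net", 2900.0),   # ... its network event is reported late
]


def run(reports, now):
    correlator = Correlator()
    for ev in reports:
        correlator.ingest(ev)
    return correlator.verdicts(now)


if __name__ == "__main__":
    for eid, verdict in run(CONSTRUCTED_REPORTS, now=4000.0).items():
        print(eid, "->", verdict)
```

The pair `net-3`/`dpu-3` is found only by the forward strategy, because the backward look-up had already run when the late network report arrived.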
In the system operation result monitoring step, a random number $x(t)$ is generated by a random number generator in each operation period and sent both to the DPU control unit of the monitored steam turbine control protection system and to a DPU simulation unit whose control logic or control algorithm is identical to that of the DPU control unit of the monitored steam turbine control protection system, so that the DPU control unit and the DPU simulation unit both operate on the random number $x(t)$ in each operation period; the real-time operation result of the DPU control unit in a normal working environment and the reference operation result of the DPU simulation unit in a standard simulation environment are acquired through the physical I/O interface.
Specifically, when the DPU control unit of the monitored steam turbine control protection system receives the random number $x(t)$ in an operation cycle, it operates according to the control logic or control algorithm in the system to generate the check function
Figure BDA0002568544720000041
Similarly, when the DPU simulation unit receives the random number $x(t)$ in an operation cycle, it generates a check function $G(x)$ according to the same control logic or control algorithm as the DPU control unit. If the error value between the check function of the DPU control unit
Figure BDA0002568544720000042
and the check function $G(x)$ of the DPU simulation unit exceeds a predetermined error threshold $\delta$, i.e.
Figure BDA0002568544720000043
the controller is determined to be abnormal, wherein the check function $G(x)$ is a non-converging linear function, i.e. it satisfies the probability
Figure BDA0002568544720000044
$x(t) = \mathrm{rand}(\mathrm{seed}, t)$ is a pseudo-random number generator based on a random number seed and time, conforming to a certain distribution.
Further, consider the case where a failure fault occurs in a DPU control unit of the monitored steam turbine control protection system and the physical I/O interface is set to output hold. DPU failure means that the control logic/algorithm in the DPU cannot be executed normally, so the calculation of the check function $G(x)$ stops. In this case, if the physical I/O output is not held, this means $u = 0$; if the output of the physical I/O interface is held, the currently output check function result $G(x(t))$ is actually the operation result $G(x(t-1))$ of the operation cycle before the DPU control unit failed;
i.e. the error value
Figure BDA0002568544720000045
Since two adjacent values $x(t)$ and $x(t-1)$ generated by the random number generator can be effectively distinguished, i.e. their difference reaches the threshold $\varepsilon$, mathematically $|x(t) - x(t-1)| > \varepsilon$ ($\varepsilon$ is a minimum value whose physical meaning is the minimum resolution of the system), and the check function $G(x)$ is a non-converging linear function, it follows that $|G(x(t)) - G(x(t-1))| = |G(x(t) - x(t-1))| > G(\varepsilon)$. Considering that the check function implemented in the monitored steam turbine control and protection system
Figure BDA0002568544720000051
is almost the same as the original check function, when the error value error is greater than the set error threshold $\delta$, i.e. error $> \delta$, the DPU control unit of the monitored steam turbine control protection system is judged to be abnormal.
When a fault of the monitored turbine control protection system results in its control logic being tampered with, the check function generated by the DPU control unit of the monitored turbine control protection system in one operation cycle
Figure BDA0002568544720000052
has an error, relative to the check function $G(x)$ generated in the same operation cycle by the corresponding DPU simulation unit,
Figure BDA0002568544720000053
that is greater than the deviation threshold $\xi$ between the monitored steam turbine control and protection system and the standard simulation system, i.e.
Figure BDA0002568544720000054
where $\xi > \delta$ and $\delta = G(\varepsilon)$ are error thresholds, i.e.
Figure BDA0002568544720000055
When the difference is larger than the set threshold $\delta$, the DPU of the monitored steam turbine control protection system is determined to be abnormal. The physical meaning of $\xi$ is the deviation of the same algorithm when implemented on two different physical systems: because of differences in hardware and software and the noise of the physical I/O signals, the control logic calculation result in the monitoring system may deviate from the control logic calculation result in the DPU of the target system.
That is, when $\xi > \delta$, the error
Figure BDA0002568544720000056
and if so, the control unit of the target system is judged to have failed.
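The challenge-and-compare check described above, run against a healthy DPU, a failed DPU with output hold, and a DPU with altered check logic, as an added example that is not code from the patent. Assumed here: the concrete check function G(x) = GAIN * x, all numeric values, the class names, and a challenge gap of 2ε (wider than the ε in the text) so that read-back noise cannot mask a held output.

```python
import random

# Assumed values for illustration; the patent gives no numbers.
GAIN = 2.5               # check function G(x) = GAIN * x (linear)
EPSILON = 0.05           # minimum resolution of the system, in volts
DELTA = GAIN * EPSILON   # error threshold, delta = G(epsilon)
MIN_STEP = 2 * EPSILON   # enforced gap between consecutive challenges
NOISE = 0.2 * DELTA      # analog read-back deviation of a healthy DPU


def G(x):
    """Reference check function, as run by the DPU simulation unit."""
    return GAIN * x


class ChallengeGenerator:
    """x(t) = rand(seed, t), redrawn until |x(t) - x(t-1)| > MIN_STEP."""

    def __init__(self, seed, low=1.0, high=9.0):
        self._rng = random.Random(seed)
        self._low, self._high = low, high
        self._prev = None

    def next(self):
        while True:
            x = self._rng.uniform(self._low, self._high)
            if self._prev is None or abs(x - self._prev) > MIN_STEP:
                self._prev = x
                return x


class HealthyDpu:
    """Runs the same check logic; its output differs only by I/O noise."""

    def __init__(self, seed):
        self._rng = random.Random(seed)
        self.cycle = 0

    def compute(self, x):
        return G(x) + self._rng.uniform(-NOISE, NOISE)

    def step(self, x):
        y = self.compute(x)
        self.cycle += 1
        return y


class FailedDpu(HealthyDpu):
    """Logic stops at fail_cycle; the output card holds the last value."""

    def __init__(self, seed, fail_cycle):
        super().__init__(seed)
        self._fail_cycle = fail_cycle
        self._held = 0.0

    def compute(self, x):
        if self.cycle < self._fail_cycle:
            self._held = super().compute(x)
        return self._held  # after the failure: result of the last good cycle


class TamperedDpu(HealthyDpu):
    """Check logic is altered from tamper_cycle on (modelled as an offset)."""

    def __init__(self, seed, tamper_cycle, offset):
        super().__init__(seed)
        self._tamper_cycle = tamper_cycle
        self._offset = offset

    def compute(self, x):
        y = super().compute(x)
        return y + self._offset if self.cycle >= self._tamper_cycle else y


def monitor(dpu, cycles, seed=2020):
    """Return [(cycle, error)] for every cycle where error > DELTA."""
    challenges = ChallengeGenerator(seed)
    alarms = []
    for t in range(cycles):
        x = challenges.next()               # sent via the input I/O card
        error = abs(dpu.step(x) - G(x))     # read back via the output I/O card
        if error > DELTA:
            alarms.append((t, round(error, 4)))
    return alarms


if __name__ == "__main__":
    print("healthy :", monitor(HealthyDpu(1), 200))
    print("failed  :", monitor(FailedDpu(1, fail_cycle=50), 200)[:3])
    print("tampered:", monitor(TamperedDpu(1, 120, 3 * DELTA), 200)[:3])
```

A held output is guaranteed to alarm in the first cycle after the failure, because consecutive challenges always differ by more than the enforced gap; in later cycles a challenge can fall close to the held value by chance, so alarms there are likely but not guaranteed.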
The Ethernet flow data packet comprises data messages and control instruction messages among all engineer stations, operator stations and DPU control units in the steam turbine control protection system.
The data messages comprise collected data sent by the DPU control units to the engineer station and/or the operator station and data exchange among the DPU control units.
The control instruction message refers to a specific message which is issued by the engineer station and the operator station to the DPU control unit and has a control function, wherein the specific message comprises restart, configuration modification and control logic downloading instructions.
The known network attack characteristics refer to specific network messages that have been publicly disclosed and are clearly harmful; rules for these messages are set in blacklist mode.
The network protocol features refer to the specific network protocol used by the steam turbine control protection system manufacturer, which has definite keywords and identification features and may have a device authentication function; rules for these messages are set in whitelist mode.
Compared with the prior art, the technical scheme of the invention utilizes the original control logic or the newly added control logic of the steam turbine control protection system to realize the state monitoring of the steam turbine control protection system under the conditions of not changing the hardware of the original system and not implanting other software programs into the original system.
The network security incident is analyzed only through the network flow, the severity of the network security incident cannot be distinguished in detail, and therefore the emergency response plan cannot be refined, and the effect of the scheme in actual field application is poor. According to the technical scheme, the control unit based on physical signals is additionally arranged on the basis of the original network flow analysis, so that general network security events and serious network security events which possibly affect the safety of the steam turbine body can be effectively distinguished, and the emergency response scheme designed based on the method has guiding significance for power plant operators.
Compared with techniques that implant other software or require the original manufacturer to provide a data interface, the technical scheme of the invention requires less modification of the field control protection system, can be applied to products of multiple control system manufacturers, and is more feasible as an engineering project. Meanwhile, compared with monitoring software running in the control unit, the method uses the control logic configuration method that the control system needs anyway, which provides a degree of obfuscation: it is difficult for hackers to distinguish the control logic that controls the steam turbine from the control logic used for checking, so the possibility of it being attacked over the network is low. In addition, an active monitoring algorithm is adopted: random numbers are sent through normal system operation, triggering normal system work and synchronous simulation work in the corresponding simulation system at the same time, and a real-time operation result and a reference operation result are obtained together, so that DPU anomalies can be found rapidly in real time and problem points can be checked and located in time.
Drawings
The foregoing and following detailed description of the invention will be apparent when read in conjunction with the following drawings, in which:
FIG. 1 is a schematic structural diagram of a preferred embodiment of the on-line monitoring system of the present invention;
FIG. 2 is a logic diagram of a preferred embodiment of the on-line monitoring method of the present invention.
Detailed Description
The technical solutions for achieving the objects of the present invention are further illustrated by the following specific examples, and it should be noted that the technical solutions claimed in the present invention include, but are not limited to, the following examples.
Example 1
As a specific embodiment of the steam turbine network security real-time online monitoring system, as shown in fig. 1, the steam turbine network security real-time online monitoring system specifically disclosed in this embodiment includes a comprehensive analysis module, a control unit monitoring module, and a network traffic monitoring module that is connected to a system network, performs mirror image acquisition on an ethernet traffic data packet of a steam turbine control protection system in the system network, and analyzes a network abnormal event.
The network flow monitoring module collects the full network communication flow by accessing a switch mirror port of the target system's system network. When the target system has a dual-network redundant structure, the switch mirror ports of both networks are accessed at the same time, and all the flow in the two networks is collected. To ensure that the network flow monitoring module does not interfere with the target system, an isolation device may be added between the network flow monitoring module and the target system so that the traffic at the mirror port is transmitted to the network flow monitoring module in one direction only.
The steam turbine control protection system in the system network comprises a plurality of field control stations, each field control station comprises a DPU (distributed processing unit) control unit, and the control unit monitoring module is connected with each field control station and used for acquiring the operation result of the DPU control unit; the system network simultaneously sends random numbers to the DPU control unit and the DPU simulation unit in each operation period to trigger the DPU control unit and the DPU simulation unit to synchronously perform real-time operation and simulation operation; and the control unit monitoring module acquires the real-time operation result of the DPU control unit and the simulation operation result of the DPU simulation unit, and compares and analyzes the two to obtain the abnormal events of the DPU control unit.
The comprehensive analysis module collects the network abnormal events and the DPU control unit abnormal events for correlation analysis. The comprehensive analysis module may be an independent high-performance device/system, or may be integrated with the network flow monitoring module and the control unit monitoring module in the same high-performance device/system. Preferably, the comprehensive analysis module provides a human-machine interface (HMI) for field operation personnel of the power plant, used for displaying the comprehensive network security analysis result and for checking the abnormal event records reported by the network flow monitoring module or the control unit monitoring module. It also provides the function of managing the network flow monitoring module or the control unit monitoring module.
That is, the system is composed of 3 parts: the network flow monitoring module, the control unit monitoring module and the comprehensive analysis module.
Further, the field control station comprises a DPU control unit, a control network and a physical I/O interface of the monitored steam turbine control protection system, wherein the control unit monitoring module is connected to the control network through the physical I/O interface and is connected to the system network through the DPU control unit; the physical I/O interface comprises an input type I/O card and an output type I/O card; and the control unit monitoring module acquires the operation result of the DPU control unit through the physical I/O interface and the control network. That is, the control unit monitoring module uses idle channels of the input type I/O card and the output type I/O card of the target system, and the corresponding I/O card is generally required to be an analog input or output card. Preferably, the signal range of the I/O card includes but is not limited to a ±10 V DC voltage signal, a ±5 V DC voltage signal, a 0-10 V DC voltage signal, a 1-5 V DC voltage signal, a 4-20 mA current signal, a 0-20 mA current signal, etc. No other switching module/device/system should be connected in series between the control unit monitoring module and the I/O card of the target system, and a cable conforming to the national standards for turbine control protection systems is used to ensure that measurement noise and signal delay are small enough.
Preferably, the system network is further connected with a plurality of engineer stations and operator stations, and the engineer stations and the operator stations acquire or generate instructions from the DPU control units in the field control stations through the system network.
Example 2
Correspondingly, as a specific implementation of the real-time online monitoring method for the network security of the steam turbine, this embodiment discloses a method comprising a network data acquisition step, a network data anomaly analysis step, a system operation result monitoring step, a correlation analysis step and a comprehensive analysis step, specifically:
The network data acquisition step acquires the Ethernet traffic data packets of the steam turbine control protection system by a network traffic acquisition method based on switch mirroring technology. Acquiring the Ethernet traffic of the steam turbine control protection system in this way neither affects nor tampers with the data of the system, and the acquired traffic completely covers the data messages and control instruction messages among all engineer stations, operator stations and DPU control units in the steam turbine control protection system. The data messages mainly refer to collected data sent by the DPU control units to the engineer stations and operator stations, and data exchanged among multiple DPU control units. The control instruction messages mainly refer to specific messages with a control function that are issued by the engineer stations and operator stations to the DPU control units, including but not limited to restart, configuration modification, control logic downloading and the like.
The network data anomaly analysis step analyzes the known network attack characteristics and the network protocol characteristics in the Ethernet traffic data packets, based on a rule matching method that combines a blacklist and a whitelist in one rule set; when any one or more messages in the Ethernet traffic data packets match any rule in the rule matching method, a network abnormal event is reported and recorded. Known network attack characteristics mainly refer to specific network messages that have been publicly disclosed and are definitely harmful; rules for these messages are set in blacklist mode. Network protocol characteristics mainly refer to the specific network protocols used by manufacturers of steam turbine control protection systems; these protocols have definite keywords and identification characteristics and may have a device authentication function. Rules for these messages are set in whitelist mode. When any one or more messages in the collected network traffic match any rule in the configured rule set, a network abnormal event is reported and recorded.
The system operation result monitoring step comprises accessing the monitored steam turbine control protection system through a physical I/O interface, transmitting a different random number in each operation cycle to a DPU control unit of the monitored steam turbine control protection system through the physical I/O interface by an active monitoring algorithm, and acquiring a real-time operation result of the DPU control unit in a normal working environment and a reference operation result of the DPU control unit in an ideal simulation environment through the physical I/O interface of the target system. The real-time operation result is compared with the standard operation result obtained when the same control logic or control algorithm runs in a standard simulation environment in a normal working state; if the comparison error exceeds a manually set error threshold, the DPU control unit is judged to be abnormal, and a DPU abnormal event is recorded and reported. In the active monitoring algorithm, a different random number in each operation cycle is transmitted to the DPU control unit through an input-type I/O card of the monitored steam turbine control protection system, and the operation result of the DPU control unit is collected through an output-type I/O card of the monitored steam turbine control protection system.
The correlation analysis step performs, in an independent comprehensive analysis module/device/system, a time-axis-based correlation analysis of the network abnormal events from the network data anomaly analysis step and the DPU abnormal events from the system operation result monitoring step, specifically:
1. Taking the time point of a network abnormal event as the reference, checking for DPU abnormal events within the several minutes after it and associating them;
2. Taking the time point of a DPU abnormal event as the reference, checking for network abnormal events within the several minutes before it and associating them.
The two analysis strategies run simultaneously, which ensures that no network security event or control unit anomaly goes unreported.
The comprehensive analysis step judges, according to the analysis result of the correlation analysis step, whether the network abnormal events and the network security events corresponding to the DPU abnormal events can affect the safety of the steam turbine itself. The comprehensive analysis can yield several different outcomes, and the impact of a network attack on the steam turbine differs among them, so different emergency response plans should be formulated.
Preferably, in the system operation result monitoring step, a random number x(t) is generated by the random number generator in each operation cycle and is sent both to the DPU control unit of the monitored steam turbine control protection system and to a DPU simulation unit whose control logic or control algorithm is identical to that of the DPU control unit, so that the DPU control unit and the DPU simulation unit operate on the random number x(t) in each operation cycle, and the real-time operation result of the DPU control unit in a normal working environment and the reference operation result of the DPU simulation unit in a standard simulation environment are acquired through the physical I/O interface.
Specifically, when the DPU control unit of the monitored steam turbine control protection system receives the random number x(t) in an operation cycle, it operates according to the control logic or control algorithm in the system to generate the check function
Figure BDA0002568544720000091
Similarly, when the DPU simulation unit receives the random number x(t) in an operation cycle, it generates a check function G(x) according to the same control logic or control algorithm as the DPU control unit. If the error value between the check function of the DPU control unit
Figure BDA0002568544720000101
and the check function G(x) of the DPU simulation unit exceeds a predetermined error threshold δ, i.e.
Figure BDA0002568544720000102
then the controller is judged to be abnormal, wherein the check function G(x) is a non-convergent linear function, i.e. it satisfies the probability
Figure BDA0002568544720000103
and x(t) = rand(seed, t) is a pseudo-random number generator based on a random number seed and time, conforming to a specific distribution.
Further, consider the case where a failure fault occurs in a DPU control unit of the monitored steam turbine control protection system and the physical I/O interface is set to output hold. A DPU failure means that the control logic/algorithm in the DPU cannot be executed normally, so the calculation of the check function G(x) stops. In this case, if the physical I/O output is not held, u = 0; if the output of the physical I/O interface is held, the currently output check function result G(x(t)) is actually the operation result G(x(t-1)) of the operation cycle before the DPU control unit failed;
i.e. the error value
Figure BDA0002568544720000104
For two adjacent values x(t) and x(t-1) of the random number generator to be effectively distinguished, their difference must reach the threshold ε, i.e. |x(t) - x(t-1)| > ε (ε is a minimum value whose physical meaning is the minimum resolution of the system). Since the check function G(x) is a non-convergent linear function, |G(x(t)) - G(x(t-1))| = |G(x(t) - x(t-1))| > G(ε). Considering that the check function implemented in the monitored steam turbine control protection system
Figure BDA0002568544720000105
is almost consistent with the original check function, when the error value is greater than the set error threshold δ, i.e. error > δ, the DPU control unit of the monitored steam turbine control protection system is judged to be abnormal.
When the control logic is tampered with due to the fault of the monitored steam turbine control protection system, the check function generated by the DPU control unit of the monitored steam turbine control protection system in one operation cycle
Figure BDA0002568544720000106
and the check function G(x) generated in the same operation cycle by the corresponding DPU simulation unit have an error
Figure BDA0002568544720000107
that is greater than the deviation threshold ξ between the monitored steam turbine control protection system and the standard simulation system, i.e.
Figure BDA0002568544720000108
where ξ > δ and δ = G(ε) is the error threshold, i.e.
Figure BDA0002568544720000109
is greater than the set threshold δ, and the DPU of the monitored steam turbine control protection system is determined to be abnormal. The physical meaning of ξ is the deviation of the same algorithm as implemented on two different physical systems: specifically, because of differences in hardware and software and noise in the physical I/O signal, the control logic calculation result in the monitoring system may deviate from the control logic calculation result in the DPU of the target system.
That is, when ξ > δ and the error
Figure BDA0002568544720000111
holds, the control unit of the target system is judged to have failed.
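The per-cycle check described above, as an added Python sketch that is not part of the patent: it assumes a concrete check function G(x) = K·x, a 4-20 mA challenge range, a noise bound below δ and hypothetical class and function names, and it models tampered logic as a changed gain.

```python
import random
from dataclasses import dataclass

K = 2.0               # assumed gain: check function G(x) = K * x (linear, K > 0)
EPSILON = 0.05        # assumed minimum resolution of the analog channel, in mA
DELTA = K * EPSILON   # error threshold delta = G(epsilon), as the text defines it
LO, HI = 4.0, 20.0    # 4-20 mA current loop, one of the ranges the text lists


def G(x):
    """Reference check function, as computed by the DPU simulation unit."""
    return K * x


class ChallengeSource:
    """x(t) = rand(seed, t): seeded PRNG whose adjacent values differ by > epsilon."""

    def __init__(self, seed):
        self._rng = random.Random(seed)
        self._prev = None

    def next(self):
        while True:
            x = self._rng.uniform(LO, HI)
            if self._prev is None or abs(x - self._prev) > EPSILON:
                self._prev = x
                return x


class Dpu:
    """Constructed stand-in for the monitored DPU behind its analog I/O cards."""

    def __init__(self, gain=K, noise=0.01, seed=0):
        self.gain = gain        # tampered control logic is modelled as a changed gain
        self.noise = noise      # I/O and implementation deviation, kept below DELTA
        self.failed = False     # True: logic no longer executes, output card holds
        self._held = 0.0
        self._rng = random.Random(seed)

    def cycle(self, x):
        if not self.failed:
            jitter = self._rng.uniform(-self.noise, self.noise)
            self._held = self.gain * x + jitter
        return self._held       # a failed unit keeps presenting its last result


@dataclass
class Verdict:
    t: int
    error: float
    abnormal: bool


def monitor(dpu, cycles, seed=1234, fault_at=None, fault=None):
    """Challenge the DPU once per cycle and compare its answer with G(x(t))."""
    source = ChallengeSource(seed)
    verdicts = []
    for t in range(cycles):
        if fault is not None and t == fault_at:
            fault(dpu)                      # inject the fault before this cycle runs
        x = source.next()
        error = abs(dpu.cycle(x) - G(x))
        verdicts.append(Verdict(t, error, error > DELTA))
    return verdicts


def first_alarm(verdicts):
    """Cycle index of the first abnormal verdict, or None if there is none."""
    return next((v.t for v in verdicts if v.abnormal), None)


def freeze(dpu):
    dpu.failed = True           # failure fault with output hold


def retune(dpu):
    dpu.gain = K * 1.1          # control logic no longer matches the simulation unit


if __name__ == "__main__":
    print("healthy      :", first_alarm(monitor(Dpu(), 200)))
    print("output hold  :", first_alarm(monitor(Dpu(noise=0.0), 200, fault_at=50, fault=freeze)))
    print("tampered gain:", first_alarm(monitor(Dpu(), 200, fault_at=80, fault=retune)))
```

The spacing rule |x(t) - x(t-1)| > ε only guarantees an alarm in the first cycle after a freeze; later challenges are drawn independently of the held value, so an occasional cycle can land within δ of it, and any measurement noise reduces the margin of that first-cycle guarantee.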
As described above, an example of the results of a practical application is given here in the form of a table (Table 1)
TABLE 1
Figure BDA0002568544720000112
That is, in actual operation, the results of the network data anomaly analysis and the results of the system operation do not correspond to Table 1:
when the network anomaly analysis shows an anomaly and the system operation result monitoring shows normal, it can be judged that the system itself has no anomaly and that the network data errors were caused by network data or instruction errors; this can be classed as a general network security incident, and the emergency plan can be that the unit keeps operating normally while the system network, engineer stations and operator stations are inspected, without shutting down for inspection;
when the network anomaly analysis shows normal and the system operation result monitoring shows an anomaly, it can be judged that the system has failed or been attacked, and the event must be handled as a 'control system fault';
when the network anomaly analysis and the system operation result monitoring both show anomalies, a serious network security incident can be determined; the unit must be shut down for maintenance and the steam turbine control protection system thoroughly inspected.
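The two correlation strategies and the three outcomes above, as an added Python sketch that is not part of the patent: it assumes a 5-minute value for "several minutes", that each strategy is evaluated when its anchor event is reported, and that reports can arrive out of time order; all event data and names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed value for the text's "several minutes"
GENERAL = "general network security incident: keep the unit running, inspect network and stations"
CONTROL_FAULT = "control system fault: handle as a control system fault"
SERIOUS = "serious network security incident: shut down and inspect the control protection system"


@dataclass(frozen=True)
class Event:
    kind: str        # "network" (traffic rule hit) or "dpu" (check error above delta)
    time: datetime   # when the anomaly occurred, not when it was reported
    detail: str


class Correlator:
    """Pairs each network event with DPU events up to WINDOW after it."""

    def __init__(self, forward=True, backward=True, window=WINDOW):
        self.forward, self.backward, self.window = forward, backward, window
        self.net, self.dpu, self.pairs = [], [], set()

    def ingest(self, ev):
        if ev.kind == "network":
            self.net.append(ev)
            if self.forward:    # strategy 1: anchor on the network event, look after it
                hits = [d for d in self.dpu if ev.time <= d.time <= ev.time + self.window]
                self.pairs.update((ev, d) for d in hits)
        else:
            self.dpu.append(ev)
            if self.backward:   # strategy 2: anchor on the DPU event, look before it
                hits = [n for n in self.net if ev.time - self.window <= n.time <= ev.time]
                self.pairs.update((n, ev) for n in hits)

    def triage(self):
        """Map each event to one of the three outcomes described in the text."""
        linked = {e for pair in self.pairs for e in pair}
        out = {}
        for e in self.net + self.dpu:
            if e in linked:
                out[e.detail] = SERIOUS
            else:
                out[e.detail] = GENERAL if e.kind == "network" else CONTROL_FAULT
        return out


def at(hhmmss):
    return datetime.fromisoformat("2024-01-01T" + hhmmss)   # constructed date


# Constructed sample events.
N1 = Event("network", at("10:00:00"), "N1 rule hit: control logic download")
D1 = Event("dpu", at("10:02:30"), "D1 DPU-1 check error above delta")
N2 = Event("network", at("11:00:00"), "N2 rule hit: configuration modification")
D2 = Event("dpu", at("12:00:00"), "D2 DPU-2 check error above delta")
N3 = Event("network", at("14:00:00"), "N3 rule hit: restart")
D3 = Event("dpu", at("14:01:00"), "D3 DPU-1 check error above delta")
ARRIVAL = [D1, N1, N2, D2, N3, D3]   # report arrival order: D1 overtakes N1


def run(forward=True, backward=True):
    c = Correlator(forward, backward)
    for ev in ARRIVAL:
        c.ingest(ev)
    return c


if __name__ == "__main__":
    for detail, verdict in run().triage().items():
        print(f"{detail:45s} -> {verdict}")
```

With only one strategy enabled, the pair whose anchor report arrives first is missed and its two events are triaged as unrelated, which is the missed report that running both strategies simultaneously prevents.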

Claims (10)

1. A real-time online monitoring system for the network security of a steam turbine, characterized in that: the system comprises a comprehensive analysis module, a control unit monitoring module and a network flow monitoring module, wherein the network flow monitoring module is connected to a system network, performs mirrored acquisition of the Ethernet traffic data packets of a steam turbine control protection system in the system network and analyzes network abnormal events;
the steam turbine control protection system in the system network comprises a plurality of field control stations, each field control station comprises a DPU (distributed processing unit) control unit, and the control unit monitoring module is connected with the DPU control stations and used for acquiring operation results of the DPU control units;
the system network simultaneously sends random numbers to the DPU control unit and the DPU simulation unit in each operation period to trigger the DPU control unit and the DPU simulation unit to synchronously perform real-time operation and simulation operation; the real-time operation result of the DPU control unit and the simulation operation result of the DPU simulation unit are obtained through the control unit monitoring module and are compared and analyzed to obtain an abnormal event of the DPU control unit;
and the comprehensive analysis module collects the network abnormal events and the DPU control unit abnormal events to perform correlation analysis.
2. The real-time online monitoring system for the network security of the steam turbine according to claim 1, characterized in that: the field control station comprises a DPU control unit, a control network and a physical I/O interface of a monitored steam turbine control protection system, wherein a control unit monitoring module is connected to the control network through the physical I/O interface and is connected to the system network through the DPU control unit; the physical I/O interface comprises an input type I/O card and an output type I/O card; the control unit monitoring module acquires the operation result of the DPU control unit through a physical I/O interface and a control network; the system network is also connected with a plurality of engineer stations and operator stations, and the engineer stations and the operator stations acquire or generate instructions to DPU control units in the field control stations through the system network.
3. A real-time online monitoring method for network security of a steam turbine is characterized by comprising the following steps:
acquiring network data, namely acquiring an Ethernet flow data packet of a steam turbine control protection system by a network flow acquisition method based on a switch mirroring technology;
analyzing the network data abnormity, namely analyzing the known network attack characteristics and the network protocol characteristics in the Ethernet traffic data packet based on a rule matching method combining a black list and a white list of a rule set; when any one or more messages in the Ethernet flow data packet accord with any rule in the rule matching method, reporting and recording a network abnormal event;
a system operation result monitoring step, wherein the monitored steam turbine control protection system is accessed through a physical I/O interface, a different random number in each operation cycle is transmitted to a DPU control unit of the monitored steam turbine control protection system through the physical I/O interface by an active monitoring algorithm, and a real-time operation result of the DPU control unit in a normal working environment and a reference operation result of the DPU control unit in an ideal simulation environment are then acquired through the physical I/O interface of the target system; the real-time operation result is compared with the standard operation result obtained when the same control logic or control algorithm runs in a standard simulation environment in a normal working state; if the comparison error exceeds a manually set error threshold, the DPU control unit is judged to be abnormal, and a DPU abnormal event is recorded and reported;
a correlation analysis step of performing, based on a time axis, correlation analysis of the network abnormal events from the network data anomaly analysis step and the DPU abnormal events from the system operation result monitoring step; specifically, taking the time point of occurrence of a network abnormal event as the reference, checking for and associating DPU abnormal events within the several minutes after it, and, taking the time point of occurrence of a DPU abnormal event as the reference, checking for and associating network abnormal events within the several minutes before it;
and a comprehensive analysis step, namely judging whether the network abnormal events and the network safety events corresponding to the DPU abnormal events influence the safety of the steam turbine body or not according to the analysis result of the correlation analysis step.
4. The real-time online monitoring method for the network security of the steam turbine according to claim 3, characterized in that: in the system operation result monitoring step, a random number x(t) is generated by a random number generator in each operation cycle and is sent both to the DPU of the monitored steam turbine control protection system and to a DPU simulation unit whose control logic or control algorithm is identical to that of the DPU control unit of the monitored steam turbine control protection system, so that the DPU control unit and the DPU simulation unit operate on the random number x(t) in each operation cycle, and a real-time operation result of the DPU control unit in a normal working environment and a reference operation result of the DPU simulation unit in a standard simulation environment are acquired through the physical I/O interface.
5. The real-time online monitoring method for the network security of the steam turbine according to claim 4, characterized in that: when the DPU control unit of the monitored steam turbine control protection system receives the random number x(t) in an operation cycle, the DPU control unit operates according to the control logic or control algorithm in the system and generates the check function
Figure QLYQS_1
Similarly, when the DPU simulation unit receives the random number x(t) in an operation cycle, it generates a check function G(x) according to the same control logic or control algorithm as the DPU control unit; if the deviation between the check function of the DPU control unit
Figure QLYQS_2
and the check function G(x) of the DPU simulation unit exceeds a predetermined deviation threshold δ, i.e.
Figure QLYQS_3
an abnormality of the controller is determined, wherein the check function G(x) is a non-convergent linear function, i.e. it satisfies the probability
Figure QLYQS_4
and x(t) = rand(seed, t) is a pseudo-random number generator based on a random number seed and time, conforming to a certain distribution.
6. The real-time online monitoring method for the network security of the steam turbine according to claim 5, characterized in that: when the DPU control unit of the monitored steam turbine control protection system has a failure fault and the physical I/O interface is set to output hold, the calculation of the check function G(x) stops, and the currently output check function result G(x(t)) is actually the operation result G(x(t-1)) of the operation cycle before the DPU control unit failed;
i.e. the error value
Figure QLYQS_5
Because two adjacent values x(t) and x(t-1) of the random number generator, to be effectively distinguished, must differ by at least a threshold ε, i.e. |x(t) - x(t-1)| > ε, and the check function G(x) is a non-convergent linear function, |G(x(t)) - G(x(t-1))| = |G(x(t) - x(t-1))| > G(ε); therefore, when the error value is greater than a set error threshold δ, i.e. error > δ, the DPU control unit of the monitored steam turbine control protection system is judged to be abnormal.
7. The real-time online monitoring method for the network security of the steam turbine according to claim 5 or 6, characterized in that: when the control logic is tampered with due to the fault of the monitored steam turbine control protection system, the check function generated by the DPU control unit of the monitored steam turbine control protection system in an operation cycle
Figure QLYQS_6
and the check function G(x) generated in the same operation cycle by the corresponding DPU simulation unit have an error
Figure QLYQS_7
that is greater than the deviation threshold ξ between the monitored steam turbine control protection system and the standard simulation system, i.e.
Figure QLYQS_8
where ξ > δ and δ = G(ε) is the error threshold, i.e.
Figure QLYQS_9
is greater than the set threshold δ, and the DPU control unit of the monitored steam turbine control protection system is determined to be abnormal.
8. The real-time online monitoring method for the network security of the steam turbine according to claim 3, characterized in that: the Ethernet flow data packet comprises data messages and control instruction messages among all engineer stations, operator stations and DPU control units in the steam turbine control protection system;
the data message comprises collected data sent by the DPU control units to an engineer station and/or an operator station and data exchange among the DPU control units;
the control instruction message refers to a specific message which is issued by the engineer station and the operator station to the DPU control unit and has a control function, wherein the specific message comprises restart, configuration modification and control logic downloading instructions.
9. The real-time online monitoring method for the network security of the steam turbine according to claim 3 or 8, characterized in that: the known network attack characteristics refer to specific network messages which have been publicly disclosed and are definitely harmful, and rules are set for these messages in blacklist mode.
10. The real-time online monitoring method for the network security of the steam turbine according to claim 3 or 8, characterized in that: the network protocol characteristics refer to a specific network protocol which is used by a steam turbine control protection system manufacturer and has definite keywords and identification characteristics, the specific network protocol has a device authentication function, and rules are set for these messages in whitelist mode.
CN202010635451.8A 2020-07-03 2020-07-03 Real-time online monitoring system and method for network security of steam turbine Active CN113958377B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010635451.8A CN113958377B (en) 2020-07-03 2020-07-03 Real-time online monitoring system and method for network security of steam turbine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010635451.8A CN113958377B (en) 2020-07-03 2020-07-03 Real-time online monitoring system and method for network security of steam turbine

Publications (2)

Publication Number Publication Date
CN113958377A CN113958377A (en) 2022-01-21
CN113958377B true CN113958377B (en) 2023-04-07

Family

ID=79459145

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010635451.8A Active CN113958377B (en) 2020-07-03 2020-07-03 Real-time online monitoring system and method for network security of steam turbine

Country Status (1)

Country Link
CN (1) CN113958377B (en)


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220620

Address after: 610000 18 West core road, hi-tech West District, Chengdu, Sichuan

Applicant after: DONGFANG ELECTRIC Co.,Ltd.

Address before: 610036 Shu Han Road, Jinniu District, Chengdu, Sichuan Province, No. 333

Applicant before: DONGFANG ELECTRIC Corp.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant