CN-122001652-A - Substation control layer network protection method and system

Abstract

A method and a system for protecting a substation control layer network comprise the steps of: setting a VLAN up-down penetration scheme and a VLAN local deployment scheme in the communication framework between the substation control layer and the spacer layer equipment; setting a VLAN division scheme according to voltage levels and a VLAN division scheme according to publish/subscribe equipment in the communication framework between the spacer layer equipment; optimizing and combining the VLAN division schemes according to a security index, a configuration index and a VLAN ID resource utilization index to obtain alternative network protection frameworks; carrying out simulation on each alternative network protection framework and executing conflict detection; and taking the alternative network protection frameworks that pass conflict detection as the optimal network protection frameworks with which to protect the substation control layer network. The invention uses VLAN division to improve the network security of the substation control layer, minimizes the attack surface to effectively suppress known or unknown network threats, and minimizes the fault area to provide a deterministic guarantee for key services and safeguard network security.

Inventors

  • YANG GUI
  • LIU WENDE
  • FU DONG
  • HU JIONG
  • JIANG JUN
  • ZHANG LONG
  • LI JINCHAO
  • LIU GANG
  • ZHENG HAO
  • SU YI
  • HAN LIANG

Assignees

  • 北京四方继保工程技术有限公司
  • 北京四方继保自动化股份有限公司

Dates

Publication Date
20260508
Application Date
20260206

Claims (10)

  1. A substation control layer network protection method, characterized in that communication between substation control layer network devices comprises communication between the station control layer and spacer layer devices and communication between spacer layer devices, and the method comprises the following steps: setting a VLAN up-down penetration scheme and a VLAN local deployment scheme in the communication architecture between the station control layer and the spacer layer equipment; setting a VLAN division scheme according to voltage levels and a VLAN division scheme according to publish/subscribe equipment in the communication architecture between spacer layer equipment; optimizing and combining the VLAN division schemes according to a security index, a configuration index and a VLAN ID resource utilization index to obtain alternative network protection architectures; performing simulation on each alternative network protection architecture and executing conflict detection; and taking the alternative network protection architecture that passes conflict detection as the optimal network protection architecture to perform station control layer network protection.
  2. The method according to claim 1, wherein the VLAN up-down penetration scheme comprises that each spacer layer device is placed in its own VLAN and communicates directly with the monitoring background and the gateway machine, the cascade port of the interval switch sends messages to the central switch with a VLAN tag, the central switch divides the VLAN according to the VLAN tag carried by the message and forwards the message to the monitoring background and the gateway machine, and the gateway machine and the monitoring background use the default VLAN 1 to communicate with the spacer layer devices.
  3. The method according to claim 1, wherein the VLAN local deployment scheme comprises that each interval switch distinguishes equipment access ports from cascade ports, each equipment access port is configured with an independent VLAN towards the cascade port, the cascade port carries all equipment access port VLANs of that switch and sends messages to the central switch without VLAN tags, the central switch distinguishes the gateway and monitoring background ports from the ports that are neither gateway nor monitoring background ports, and each of the latter ports is configured with an independent VLAN towards the gateway machine and monitoring background ports.
  4. The method according to claim 1, wherein the VLAN division scheme according to voltage level comprises confining GOOSE messages to the corresponding voltage level by VLAN division, with a different VLAN ID adopted for each voltage level.
  5. The method according to claim 1, wherein GOOSE messages between measurement and control devices are limited by VLAN configuration and a unified VLAN ID value is adopted, the unified VLAN ID value not coinciding with the default VLAN or any other VLAN.
  6. The method according to claim 1, wherein the security index is the number of distinct VLANs into which equipment of different security levels is divided, the configuration index is the complexity given by the total number of VLANs to be configured and the port-to-VLAN mapping relations, and the VLAN ID resource utilization index is the compactness of the range of VLAN ID values used.
  7. The method according to claim 1, wherein the conflict detection comprises VLAN ID conflict detection, GOOSE subscription relation connectivity detection based on the substation system configuration description file, and network single point of failure detection.
  8. A substation control layer network protection system for implementing the substation control layer network protection method according to any one of claims 1 to 7, comprising: a VLAN division scheme module, used for setting a VLAN up-down penetration scheme and a VLAN local deployment scheme in the communication architecture between the station control layer and the spacer layer equipment; an alternative scheme module, used for optimizing and combining the VLAN division schemes according to the security index, the configuration index and the VLAN ID resource utilization index to obtain alternative network protection architectures; and a scheme optimizing module, used for performing simulation on each alternative network protection architecture, executing conflict detection, and performing station control layer network protection by taking the alternative network protection architecture that passes conflict detection as the optimal network protection architecture.
  9. A terminal comprising a processor and a storage medium, characterized in that the storage medium is used for storing instructions, and the processor operates according to the instructions to perform the steps of the method according to any one of claims 1 to 7.
  10. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
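As an added illustration of the claims (not code from the patent or its assignees), the following Python builds the two spacer-layer VLAN division schemes the claims name (per voltage level, per publish/subscribe cluster), scores each with an assumed reading of the three indices of claim 6, and runs the VLAN ID and GOOSE subscription connectivity checks of claim 7 before selecting a plan. The device names, voltage levels, security levels and subscription pairs are constructed sample data, and the index formulas are one interpretation of the claim wording.

```python
# Added example (not the patent's code). Constructed bay devices: name -> (kV, security
# level); GOOSE (publisher, subscriber) pairs as a substation SCD file would list them.
DEVICES = {"P220A": (220, "high"), "P220B": (220, "high"), "M220A": (220, "normal"),
           "P110A": (110, "high"), "M110A": (110, "normal"), "M110B": (110, "normal")}
GOOSE_LINKS = [("P220A", "P220B"), ("P220A", "M220A"), ("P110A", "M110A")]

def plan_by_voltage(devices, base=100):
    """Claim 4 scheme: one VLAN ID per voltage level, IDs allocated compactly from base."""
    vid = {lvl: base + i for i, lvl in enumerate(sorted({v for v, _ in devices.values()}))}
    return {dev: vid[v] for dev, (v, _) in devices.items()}

def plan_by_pubsub(devices, links, base=200):
    """Publish/subscribe scheme: one VLAN per GOOSE cluster (union-find over the links)."""
    parent = {d: d for d in devices}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d
    for pub, sub in links:
        parent[find(pub)] = find(sub)
    roots = sorted({find(d) for d in devices})
    return {d: base + roots.index(find(d)) for d in devices}

def indices(plan, devices):
    """Claim 6 indices (interpretation assumed): security = share of device pairs of different
    security level kept in different VLANs; config = VLANs + port-VLAN mappings; compactness."""
    devs = list(devices)
    cross = [(a, b) for i, a in enumerate(devs) for b in devs[i + 1:]
             if devices[a][1] != devices[b][1]]
    security = sum(plan[a] != plan[b] for a, b in cross) / len(cross)
    ids = sorted(set(plan.values()))
    return {"security": round(security, 2), "config": len(ids) + len(plan),
            "compactness": len(ids) / (ids[-1] - ids[0] + 1)}

def detect_conflicts(plan, links, reserved=(1,)):
    """Claim 7 checks: VLAN ID conflicts (default VLAN 1 or outside 1..4094) and GOOSE
    publisher/subscriber pairs split across VLANs. An empty list means the plan passed."""
    problems = [f"vlan-id: {d} uses reserved/invalid VLAN {v}" for d, v in plan.items()
                if v in reserved or not 1 <= v <= 4094]
    problems += [f"goose: {p}->{s} split across VLANs {plan[p]}/{plan[s]}"
                 for p, s in links if plan[p] != plan[s]]
    return problems

def select_plan(devices, links):
    """Keep only candidates that pass conflict detection; rank by security, then lower cost."""
    cands = {"voltage": plan_by_voltage(devices), "pubsub": plan_by_pubsub(devices, links)}
    ok = {n: indices(p, devices) for n, p in cands.items() if not detect_conflicts(p, links)}
    return max(ok, key=lambda n: (ok[n]["security"], -ok[n]["config"]), default=None)
```

On the sample data both plans pass conflict detection, and the publish/subscribe plan wins on the security index at the cost of one extra VLAN; allocating IDs from 1 instead makes the VLAN ID check fail for every device placed in the default VLAN.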

Description

Substation control layer network protection method and system

Technical Field

The invention belongs to the technical field of power system automation, and particularly relates to a substation control layer network protection method and system for a transformer substation.

Background

With the continuous development of communication technology, network security problems are increasingly prominent: network security vulnerabilities in the global power industry reached 4500 in 2023, and network security attack incidents in 2024 increased by 70% compared with the previous year. In current transformer substations the station control layer deployment mainly comprises the gateway machine and the monitoring background, and the spacer layer deployment mainly comprises measurement and control devices, protection devices and the like. The substation control layer network is the core of communication for the production large-area automation services of the substation, so its network security is plainly important. Adding a network security management device or similar equipment can only discover and isolate network anomalies that have already occurred; it cannot prevent them. Securing the device body itself by means such as encrypted transmission cannot be realized for service communication in the short term. Under the present conditions of the substation control layer network, how to improve its security is therefore an urgent need. In the prior art, when a device sends an abnormal over-long frame message, the destination MAC address changes randomly and cannot be guaranteed to be a fixed value, so unicast, multicast and broadcast are all possible.

Current station control layer network equipment commonly uses the default VLAN 1 for communication among all station control layer equipment, relying on the learning mechanism of the TCP/IP protocol to ensure that messages are transmitted between the two devices communicating with each other. When a device sends abnormal messages, those messages can attack all devices and cause them to stop working normally, among other effects. In the substation control layer network scenario, VLANs are not used to isolate devices, and the problem of abnormal messages between devices interfering with other devices that are not party to the communication remains unsolved.

Disclosure of the Invention

In order to overcome the defects of the prior art, the invention provides a substation control layer network protection method that improves the security of the substation control layer network by VLAN division, minimizes the attack surface to effectively suppress known or unknown network threats, and minimizes the fault area to provide deterministic guarantees for key services and safeguard network security. The invention adopts the following technical scheme.

The invention provides a substation control layer network protection method, wherein communication between substation control layer network devices comprises communication between the substation control layer and spacer layer devices and communication between spacer layer devices. The method comprises the following steps: setting a VLAN up-down penetration scheme and a VLAN local deployment scheme in the communication framework between the station control layer and the spacer layer equipment; setting a VLAN division scheme according to voltage levels and a VLAN division scheme according to publish/subscribe equipment in the communication framework between the spacer layer equipment; optimizing and combining the VLAN division schemes according to a security index, a configuration index and a VLAN ID resource utilization index to obtain alternative network protection frameworks; carrying out simulation on each alternative network protection framework and executing conflict detection; and performing station control layer network protection by taking the alternative network protection frameworks that pass conflict detection as the optimal network protection frameworks. The VLAN up-down penetration scheme comprises that each spacer layer device is placed in its own VLAN and communicates directly with the monitoring background and the gateway machine, the cascade port of the interval switch sends messages to the central switch with a VLAN tag, the central switch divides the VLAN according to the VLAN tag carried by the message and forwards the message to the monitoring background and the gateway machine, and the gateway machine and the monitoring background use the default VLAN 1 to communicate with the spacer layer devices. The VLAN local deployment scheme comprises that each interval switch distinguishes equipment access ports from cascade ports, and each equipment access port is configured with an independent VLAN to a cascade