高速铁路信号系统网络安全与统一管控

Analysis of Network Security for Chinese High-Speed Railway Signal Systems and Proposal of Unified Security Control

为了保障我国高速铁路信号系统的网络安全,从高速铁路信号系统的整体架构出发,对系统所面临的网络安全问题进行了全面的分析,涵盖了分散自律调度集中系统、列车运行控制系统、集中监测系统和GSM-R无线通信系统等.在此基础上,提出了基于软件定义网络(SDN)的高速铁路信号系统网络安全统一管控方案,把分散自律调度集中网络、信号安全数据网和集中监测网络通过软件定义的方式进行管控和隔离,实现了对网络流量的精细控制和统一管理,利用逻辑上统一的控制器实现全局的设备注册管理、安全通信访问控制和网络数据的追踪溯源,从而提高了网络的安全性,减小了网络管理的复杂性.通过分析可知,本文所提出的架构具有逻辑集中管控、统一安全策略、网络可编程等特点,相对于分散管理的网络更适用于高铁信号系统专网的网络安全管理,可以解决我国高速铁路信号系统不同安全等级网络互联和复杂网络安全管控的问题.

In order to ensure the network security of China＇s high-speed railway signal system, the network security issues including the central traffic control （CTC） system, train control system, centralized signal monitoring system and the GSM-R system were analyzed generally. Subsequently a unified network security control and management strategy was proposed based on the software-defined networking （SDN） architecture. The centralized management and unified security policies are achieved in one physical network, and the original control logics between sub-networks including CTC network, train control network and centralized signal monitoring network are all software-defined in the control plane, which enables the finer and unified control of the whole network. Using the logically centralized controller, the unified device register control, communication control and packet traceability are all achieved, thus improving the network security and reducing the management complexity. According to the analysis, the proposed architecture is centrally managed, network programmable and unified of the security policy. The proposed strategy is better than the distributed control network for the managementof China＇s high-speed railway signal system network security and can solve the complex management of networks＇ intereonnection of different security levels.