摘要
非国网资产管控的厂站接入电力调度数据网,安全管控难度较大,如被攻击设备接入,只需获知可达的目的IP,其产生的非法流量就可以攻击到调度数据网中的任意设备节点,造成严重的安全隐患。针对这一问题,文中提出了一种改进的双向转发检测(bidirectional forwarding detection,BFD)接入认证技术,通过BFD协议认证结果控制网络设备接口动作,在物理层实现对风险设备的隔离。在实验室环境下对该方法和传统认证方法进行了测试验证,结果表明与传统认证方法相比,文中方法在减少硬件成本的同时,具备更高的安全性和更灵活的并发处理方式,且降低了链路故障的业务恢复时间。该方法已在国家电网有限公司高速同步网中部署应用,其实用效果亦证明了该方法的有效性。
It is difficult to control the security of plants and stations whose assets are not belonged to the State Grid Corporation of China when they are connected to the power dispatching data network.If the attacked equipment is connected,the illegal traffic generated by them can attack any device node in the dispatching data network so long as knowing the destination IP,causing serious security risks.To solve this problem,an improved bidirectional forwarding detection(BFD)access authentication technology is proposed in this paper.The BFD protocol authentication results control the network equipment interface actions,and the isolation of risk equipment is realized at the physical layer.The method and the traditional authentication method are tested and verified in the laboratory environment.The results show that compared with the traditional authentication method,the method in this paper has higher security,more flexible concurrent processing mode,and reduced the business recovery time of link failure while reducing the hardware cost.This method has been deployed and applied in the high-speed synchronous network of State Grid Corporation of China,and its effectiveness has also been proved.
作者
胡婷
王善祥
李芹
黄鑫
裴培
何晓阳
HU Ting;WANG Shanxiang;LI Qin;HUANG Xin;PEI Pei;HE Xiaoyang(Nari Group Corporation/State Grid Electric Power Research Institute,Nanjing 211106,Jiangsu Province,China;State Grid Jiangsu Electric Power Co.,Ltd.,Nanjing 210024,Jiangsu Province,China)
出处
《电力信息与通信技术》
2023年第6期66-72,共7页
Electric Power Information and Communication Technology
基金
国家电网有限公司总部科技项目资助“调度数据网智能运维与测试关键技术研究与应用”(5100-202040329A-0-0-00)。
关键词
调度数据网
设备接入认证
BFD
dispatching data network
equipment access authentication
BFD
