Exploration and implementation of network security strategy for gas pipeline SCADA system: taking the China-Russia Eastern Gas Pipeline Project as an example (cited by: 12)

Authors: ZHANG Shibin (张世斌) [1]; JIA Lidong (贾立东) [1]; WEI Yixin (魏义昕); SHI Wei (史威) [1]; WANG Jian (王健) [2]

Affiliations: [1] Production Department, PetroChina Pipeline Company; [2] Technical Service Center, PetroChina Pipeline Company

Source: Oil & Gas Storage and Transportation (《油气储运》), 2020, No. 6, pp. 685-691 (7 pages)

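Funding: Major special project funded by China National Petroleum Corporation, "Research on sensing technology for oil and gas pipeline routes and stations", 2019E-2002.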

Abstract: To ensure the intrinsic safety and reliable operation of the SCADA system network at gas pipeline stations, and to implement the requirements of laws and regulations such as the Cybersecurity Law of the People's Republic of China, a network security protection scheme was designed and implemented during construction of the gas pipeline SCADA control system. The scheme applies security controls through boundary isolation, station network auditing, firewall blocking, network gate (网闸) control, and comprehensive analysis on a situation awareness platform. Using the network traffic auditing, isolation and analysis functions of the relevant equipment, combined with compromise analysis, threat intelligence analysis, abnormal behavior analysis, unknown threat analysis, network anomaly analysis, domain name anomaly analysis, attack threat feature analysis, covert channel analysis, and rich overall security analysis reporting, the scheme can effectively detect security threats such as external attacks, outbound connection threats, illegal internal connections, and abnormal network session patterns. It completes and improves on the traditional security defense system. The strategy is an integrated network security monitoring scheme from the station to the control center. The system uses independent network transmission, meets the protection and monitoring requirements for data communication between different systems, implements access control between cross-border control systems, and conforms to the management provisions of the national classified protection evaluation, the Cybersecurity Law and industry security standards. (3 Figures, 30 References)

Keywords: SCADA system network security; traffic auditing; industrial control protocol; situation awareness; security protection

Classification number: TN915.08 [Electronics and Telecommunications: Communication and Information Systems]

 
