Authors: 刘刚 (LIU Gang)[1]; 许艾 (XU Ai); 徐延明 (XU Yanming)[1]; 李维 (LI Wei)[1] (Beijing Sifang Automation Co., Ltd., Beijing 100085, China; Beijing Sifang Jibao Engineering Technology Co., Ltd., Beijing 100085, China)
Affiliations: [1] Beijing Sifang Automation Co., Ltd., Beijing 100085; [2] Beijing Sifang Jibao Engineering Technology Co., Ltd., Beijing 100085
Source: Southern Power System Technology (《南方电网技术》), 2021, Issue 5, pp. 64-71, 8 pages
Abstract: At present, communication between dispatching and substations is protected mainly by power vertical encryption authentication devices. The devices at the dispatching and substation ends protect the confidentiality and integrity of the data transmitted between the two ends. However, the communication protocol between dispatching and substations, IEC 60870-5-104 (IEC 104 for short), has no corresponding security mechanism. Protocol data can easily be forged, tampered with, replayed and stolen before the encryption device on the dispatching side and after the encryption device on the substation side, which poses certain security risks. Therefore, this paper extends a protocol security domain on the basis of the IEC 104 protocol and addresses the security of dispatch-to-substation communication at the protocol level. The identity-based cryptographic algorithm SM9 provides the algorithmic support for this goal; given the characteristics of the algorithm and of the protocol, a small extension of the protocol is enough to make it secure. The highlights of this paper are as follows: 1) secure communication between dispatching and substations is achieved with an identity-based cryptographic algorithm, which is fundamentally different from the digital-certificate-based secure communication in other literature and involves no certificate management or other such complicated matters; 2) end-to-end security authentication of the communication between the dispatching master station and the substation is achieved; 3) the security weaknesses of the protocol are resolved through the identity-based cryptographic algorithm, and two-way identity authentication between dispatching and substation, together with the confidentiality, integrity and non-repudiation of the communication data, is realized.
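Keywords: protocol security; substation security; identity authentication; identity-based cryptographic algorithm SM9; communication security
Classification number: TM76 [Electrical Engineering - Power Systems and Automation]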