SMV (sampled measured value) network attack grading detection method applicable to digital substation bay level

Abstract

The invention discloses an SMV (sampled measured value) network attack grading detection method applicable to a digital substation bay level. The method includes steps of packet decryption, packet filtering, packet analysis, MAC (media access control) address abnormity detection, specification-based intrusion detection and historical event based data detection and further includes a final step that final detection results are classified and written into normal event logs and alarm logs and stored after abnormality evident acquisition, abnormal evaluation index calculation is performed according to intrusion data, and alarm and intrusion data and abnormal evaluation indexes are sent to a master station or local alarm display is performed. The SMV network attack grading detection method applicable to the digital substation bay level has advantages that by arrangement of various indicators for abnormal states including MAC address abnormality, SMV bad data, data packet logic detection, data traffic threshold abnormality, primary failure similarity, network attack similarity, uploading SMV faking, uploading SMV tampering and the like, intrusion forms and possible intrusion positions can be determined conveniently and quickly, and dispatch side operation monitoring personnel can be informed conveniently and quickly.

Description

technical field [0001] The invention relates to a method for hierarchical detection of network attacks on SMV messages of digital substations under the interval layer, and belongs to the field of power system information security. Background technique [0002] The original sampling message of SMV (Sampled Measured Values) is a true reflection of the operation of the primary side equipment in the power system; substations have high requirements for real-time transmission of SMV (no more than 4ms), and currently MU (Merging Unit) often does not add any information to SMV Security protection measures, so there is a high possibility of false data injection attacks; protection SMV messages are maliciously tampered with and replayed, which may cause the relay protection system to malfunction or refuse to operate, leading to major security accidents; measurement and control SMV messages, It is the main basis for the SCADA / EMS state estimation of the data acquisition and monitoring ...

AI Technical Summary

Problems solved by technology

[0002] The original sampling message of SMV (Sampled Measured Values) is a true reflection of the operation of the primary side equipment in the power system; substations have high requirements for real-time transmission of SMV (no more than 4ms), and currently MU (Merging Unit) often does not add any information to SMV Security protection measures, so there is a high possibility of false data injection attacks; protection SMV messages are maliciously tampered with and replayed, which may cause the relay protection system to malfunction or refuse to operate, leading to major security accidents; measurement and control SMV messages, It is the main basis for the SCADA / EMS state estimation of the data acquisition and monitoring system of the control center. It is maliciously tampered with and replayed, which may cause SCADA / EMS to make wrong or even dangerous decisions

Images