A method and system for full-link penetration testing of critical grid equipment
By conducting layered analysis and full-link penetration testing of key power grid equipment, a modular vulnerability resource pool was constructed, which solved the problem of insufficient detection capabilities in traditional technologies and enabled systematic detection and efficient penetration testing of power grid network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA ELECTRIC POWER RESEARCH INSTITUTE CO LTD
- Filing Date
- 2026-02-03
- Publication Date
- 2026-06-05
AI Technical Summary
Traditional power grid network security vulnerability mining techniques are insufficient to meet the complex and ever-changing network security situation and cannot detect potential network security threats in a timely manner. In particular, they lack detection capabilities and are not comprehensive in the face of new types of network attacks.
A full-link penetration testing approach is adopted to conduct layered analysis of key power grid equipment, construct a full-link vulnerability module resource pool, and realize cross-level penetration testing by modularly encapsulating high-risk vulnerability modules, simulating complex attack paths, and identifying potential threats.
It enables a systematic review of the power grid attack surface, improves detection capabilities, can discover deep and interconnected security threats, respond to complex and new attacks, and improves testing efficiency and accuracy.
Smart Images

Figure CN122160101A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of power information security technology, specifically to a full-link penetration testing method and system for key power grid equipment. Background Technology
[0002] With the continuous development and increasing intelligence of power systems, key power grid equipment plays a crucial role in ensuring the safe and stable operation of the power grid. It undertakes important tasks such as data acquisition, transmission, analysis, and control, and is the foundation for achieving intelligent operation and management of the power grid. However, with the widespread application of information technology in the power sector, the power grid faces increasingly severe cybersecurity threats, and various cyberattack methods are constantly emerging, posing a significant challenge to the safe operation of key power grid equipment.
[0003] Traditional power grid network security vulnerability mining technologies are mostly focused on single devices or local scenarios, which is difficult to meet the needs of the current complex and ever-changing network security situation. When facing new network attacks, they often have problems such as insufficient detection capabilities and incomplete vulnerability mining, and cannot detect potential network security threats in a timely manner. Summary of the Invention
[0004] To overcome the above-mentioned technical problems, the present invention provides a full-link penetration testing method and system for key power grid equipment.
[0005] On one hand, the present invention provides a full-link penetration testing method for key power grid equipment, comprising: A layered analysis of network security was conducted on the network links of critical power grid equipment to identify potential threat sources for each network layer corresponding to the critical equipment. Based on the potential threat sources of key equipment corresponding to each network layer, a pre-built full-link vulnerability module resource pool is invoked to conduct full-link penetration testing of key power grid equipment; The network layers include the master layer, communication layer, and terminal layer; the full-link vulnerability module resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules between each network layer; the high-risk vulnerability modules are selected based on modular penetration testing of different services on the corresponding key devices of each network layer.
[0006] Optionally, the process for determining the high-risk vulnerability module includes: By performing combined scanning, vulnerability matching, and interactive testing on the operating systems of key devices at each network layer, a full-link association model of vulnerability ports, services, and service versions is constructed. By using a full-link vulnerability port-service-service version association model, modular penetration testing is conducted on different services on key devices at each network layer. High-risk vulnerability modules are then selected from the test results based on preset verification indicators.
[0007] Optionally, the process of constructing the association model of the entire vulnerability port-service-service version includes: Port information for each network layer is obtained by performing a combined scan of the operating systems of key devices at each network layer. The port information is matched with a preset vulnerability signature database to determine exploitable vulnerabilities and the vulnerability-port association. Interactive testing is performed on key devices at each network layer using the exploitable vulnerabilities and the vulnerability-port association to determine the backend service and service version of the port corresponding to the exploitable vulnerability, and to construct a full-link vulnerability port-service-service version association model. The association model includes the configuration parameters, interaction processes, and security vulnerability information of each service.
[0008] Optionally, the modular penetration test includes: Based on the association model of the full-link vulnerability port-service-service version, target vulnerability modules for different services on key devices at each network layer are matched in the pre-built vulnerability module library, and the target vulnerability modules are used to perform modular penetration testing on the corresponding services. The vulnerability module library is constructed for key equipment corresponding to each network layer of the power grid, and includes vulnerability exploitation modules, attack payloads, and auxiliary modules.
[0009] Optionally, the potential threat sources for the key equipment corresponding to the master station layer include: master station operating system vulnerabilities, master station malware injection, and master station database vulnerabilities; the full-link vulnerability module resource pool includes master station operating system vulnerability modules, master station database vulnerability modules, master station malware injection modules, and master station session hijacking modules; the step of calling the pre-built full-link vulnerability module resource pool to perform full-link penetration testing of key power grid equipment based on the potential threat sources for key equipment corresponding to each network layer includes: By exploiting vulnerabilities in the main site's operating system, an escalation attack was launched against the main site's operating system to gain administrator privileges and then implant a backdoor program. The system exploits a vulnerability in the main site's database to illegally access the main site's database in order to tamper with measurement data or scheduling instructions. The malicious software injection module of the main station is used to forge and issue false control commands to the main station in order to interfere with the power grid fault diagnosis and self-healing decision-making process. The master station session hijacking module is used to intercept communication data between the master station and the terminal, thereby disrupting the normal decision-making process of the master station.
[0010] Optionally, the potential threat sources for the critical equipment corresponding to the communication layer include communication packet cracking risks and switch DDoS attack risks; the full-link vulnerability module resource pool includes ARP spoofing modules, switch port vulnerability modules, and DDoS attack modules; the step of calling the pre-built full-link vulnerability module resource pool to conduct full-link penetration testing of critical power grid equipment based on the potential threat sources for critical equipment corresponding to each network layer includes: By using an ARP spoofing module to construct a man-in-the-middle attack environment, the system can monitor and crack the communication packets transmitted by the switch in the communication layer, thereby tampering with uplink measurement data and forging downlink control commands. By exploiting a vulnerability in a switch port, bypass access to the communication layer is achieved. A DDoS attack module is then invoked to launch a traffic attack on the communication link of the communication layer, thereby blocking the communication channel between the master station and the terminal.
[0011] Optionally, the potential threat sources for the critical equipment corresponding to the terminal layer include malicious attacks on terminal functions, malicious control of terminal communication, and illegal exploitation of terminal ports; the end-to-end vulnerability module resource pool includes terminal operating system vulnerability exploitation modules, terminal operating system kernel vulnerability modules, and terminal memory operation vulnerability modules; the step of calling the pre-built end-to-end vulnerability module resource pool to perform end-to-end penetration testing of critical power grid equipment based on the potential threat sources for critical equipment corresponding to each network layer includes: The system calls upon the terminal operating system vulnerability exploitation module to attack the normal functioning of the terminal, thereby preventing the terminal from collecting and feeding back data normally. By exploiting a vulnerability in the terminal's operating system kernel, the attacker can disrupt the terminal's internal communication module and sever the communication link between the terminal and the main station. This attack exploits a terminal memory manipulation vulnerability to compromise the network memory of a terminal device, thereby tampering with configuration parameters and operating policies within that memory.
[0012] On the other hand, the present invention also provides a full-link penetration testing system for key power grid equipment, comprising: The hierarchical analysis unit is used to perform hierarchical analysis of network links of key power grid equipment to identify potential threat sources for each network layer corresponding to the key equipment. The penetration testing unit is used to perform full-link penetration testing on key power grid equipment by calling a pre-built full-link vulnerability module resource pool based on the potential threat sources of key equipment corresponding to each network layer. The network layers include the master layer, communication layer, and terminal layer; the full-link vulnerability module resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules between each network layer; the high-risk vulnerability modules are selected based on modular penetration testing of different services on the corresponding key devices of each network layer.
[0013] On the other hand, the present invention also provides an electronic device, comprising: at least one processor and a memory; the memory and the processor are connected via a bus; The memory is used to store one or more programs; When the one or more programs are executed by the at least one processor, the method described in any of the foregoing is implemented.
[0014] On the other hand, the present invention also provides a readable storage medium having an executable program stored thereon, wherein when the executable program is executed, it implements the method described in any one of the above.
[0015] Compared with the prior art, the beneficial effects of the present invention are as follows: This invention provides a full-link penetration testing method and system for critical power grid equipment. By performing layered network security analysis on the network links of critical power grid equipment, it identifies the potential threat sources corresponding to each network layer of critical equipment. The power grid is abstracted into logical layers such as the master station layer, communication layer, and terminal layer, and correlation analysis is performed. This breaks through the limitations of isolated testing, enabling threat identification to expand from "points" to "lines" and "surfaces," achieving a systematic review of the power grid attack surface and laying a structured analytical foundation for subsequent comprehensive penetration testing.
[0016] This invention utilizes a pre-built end-to-end vulnerability module resource pool to perform end-to-end penetration testing on critical power grid equipment. This resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules across various network layers. By integrating high-risk vulnerability modules from various layers through the pre-built resource pool, end-to-end vulnerability discovery is achieved. Furthermore, by encapsulating vulnerability exploitation chain information across layers within the resource pool, on the one hand, modular encapsulation enables the standardization and systematic accumulation of testing tools and knowledge, improving detection capabilities; on the other hand, it can simulate novel attack paths that penetrate across devices and layer by layer, allowing tests to reproduce and verify complex chain attack scenarios. This significantly improves the ability to discover deep-seated and interconnected security threats, enabling the response to complex and novel attacks on the power grid. Modular invocation also improves testing efficiency and uncovers potential security threats throughout the entire power grid chain. Attached Figure Description
[0017] Figure 1 This is a flowchart illustrating a full-link penetration testing method for key power grid equipment according to the present invention. Figure 2 A schematic diagram of an example of a KMCEPG network attack process, which is an example of the present invention; Figure 3 This is a schematic diagram illustrating an example of an attack and penetration test of the KMCEPG on the main / subsite side of the present invention. Figure 4A schematic diagram illustrating an attack and penetration of the KMCEPG communication layer, as an example of the present invention; Figure 5 This is a schematic diagram illustrating an example of attacking and penetrating a terminal-side KMCEPG according to the present invention. Figure 6 A schematic diagram of an attack experiment environment built as an example of the present invention; Figure 7 This is a block diagram of an electronic device according to the present invention. Detailed Implementation
[0018] The specific embodiments of the present invention will be further described in detail below with reference to the accompanying drawings.
[0019] Example 1 This invention provides a full-link penetration testing method for key power grid equipment, as illustrated in the schematic diagram below. Figure 1 As shown, the method includes: Step S110: Perform a layered analysis of network security for the network links of key power grid equipment to determine the potential threat sources for each network layer corresponding to the key equipment. Step S120: Based on the potential threat sources of key devices corresponding to each network layer, call the pre-built full-link vulnerability module resource pool to conduct full-link penetration testing of key power grid devices; The network layers include the master layer, communication layer, and terminal layer; the full-link vulnerability module resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules between each network layer; the high-risk vulnerability modules are selected based on modular penetration testing of different services on the corresponding key devices of each network layer.
[0020] In this example implementation, the key power grid equipment can be the Key Measurement and Control Equipment of Power Grid (KMCEPG). KMCEPG equipment is distributed across various parts of the power grid, including the master / substation side, the channel side, and the terminal side, playing a core role in ensuring the safe and stable operation of the power grid. Its operation begins with a layered analysis of the network security of the complete data flow path embedded in the key power grid equipment, i.e., the network link. Specifically, the layered analysis covers all stages through which data flows from the acquisition end to the control end, dividing the equipment into a master station layer (master / substation side), a communication layer (communication side), and a terminal layer (terminal side) based on the functional role and physical distribution of the equipment. The master station / substation KMCEPG in the master station layer primarily runs Linux operating systems (such as CentOS and Ubuntu) and customized embedded operating systems, along with relational databases such as MySQL and Oracle. The communication side deploys measurement and transmission equipment such as industrial switches and routers. The terminal KMCEPG (such as smart meters, feeder terminals (FTUs), and distribution terminals (DTUs) generally use the VxWorks real-time operating system. By conducting in-depth analysis of the hardware and software architecture, open services, and inherent security vulnerabilities of key devices at each network layer, potential threat sources for these devices at each network layer can be systematically identified. For example, the master station layer faces risks such as unauthorized exploitation of operating system vulnerabilities leading to privilege escalation or system control, injection of Trojans or malware, and unauthorized exploitation of database vulnerabilities leading to sensitive data leakage or service paralysis; the communication layer faces risks such as communication packets being eavesdropped on / cracked, and switches being subjected to DDoS attacks leading to performance paralysis; the terminal layer faces risks such as malicious attacks on device functions leading to abnormal shutdowns, malicious control of communications, and unauthorized use of ports to implant malware. This panoramic and structured threat modeling provides a precise roadmap for subsequently constructing targeted attack processes.
[0021] After identifying the threat sources at each layer, the core operation of this method involves calling a pre-built end-to-end vulnerability module resource pool to conduct end-to-end penetration testing on key power grid equipment based on the potential threat sources of critical devices corresponding to each network layer. The end-to-end vulnerability module resource pool is constructed by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules across different network layers. The high-risk vulnerability modules are effective attack payloads verified through practical application, selected from modular penetration tests of different services on critical devices corresponding to each network layer. Each module in the resource pool represents a reproducible successful attack capability on a specific service. More importantly, these modules are logically associated and encapsulated according to the possible transition paths in actual attacks (e.g., gaining a foothold by exploiting terminal vulnerabilities, moving laterally through communication protocol weaknesses, and ultimately attacking the main station database), forming a standardized exploitation chain describing multi-step, cross-layer attacks. In actual testing, testers or the system intelligently select vulnerability exploitation chain modules from the resource pool based on the threat map obtained from the first step of layered analysis. These modules match the current test target (such as the main station operating system, communication switch, or terminal device) and attack scenario. This simulates real and complex attack paths that attackers might take, executing continuous penetration testing from the periphery to the core, across layers. This method not only verifies the vulnerability of individual devices but also profoundly reveals systemic and chain-like security risks arising from trust transfer and business dependencies between devices. It significantly enhances the ability to detect, verify, and defend against new types of network attacks with strong concealment and complex paths, especially advanced persistent threats (APTs). This effectively solves the fundamental problems of insufficient detection capabilities and incomplete vulnerability discovery in existing penetration testing methods when facing complex new power grid situations.
[0022] In some example implementations, the process of identifying the high-risk vulnerability module includes: By performing combined scanning, vulnerability matching, and interactive testing on the operating systems of key devices at each network layer, a full-link association model of vulnerability ports, services, and service versions is constructed. By using a full-link vulnerability port-service-service version association model, modular penetration testing is conducted on different services on key devices at each network layer. High-risk vulnerability modules are then selected from the test results based on preset verification indicators.
[0023] In this example implementation, the identification of high-risk vulnerability modules is a systematic and standardized key preliminary step, ensuring the effectiveness, high availability, and engineering practicality of the content in the full-link vulnerability module resource pool. This process first involves combined scanning, vulnerability matching, and interactive testing of the operating systems of key devices at each network layer to construct a full-link vulnerability port-service-service version association model. Specifically, combined scanning refers to constructing an isolated test environment using a direct network cable connection and employing a combination of strategies such as SYN semi-open scanning, version detection, and script scanning based on the Nmap tool. Technical parameter thresholds are set, such as a scan timeout of 30 seconds per port, concurrent connections ≤ 50, and a scan range covering all ports from 1 to 65535 and all TCP / UDP protocols, to conduct a deep vulnerability scan of the target KMCEPG operating system to comprehensively discover potential risky ports. Vulnerability matching involves comparing the port information obtained from the scan with a preset vulnerability signature database to accurately extract exploitable vulnerabilities (including vulnerability number, severity level, and exploitation conditions) and open port information of the KMCEPG operating system, and structurally recording the relationship between vulnerabilities and ports. Interactive testing involves further probing to confirm the specific services running behind these ports and their precise versions. Through this series of operations, a precise end-to-end vulnerability port-service-service version association model is ultimately constructed. This model clearly depicts "which specific version of the service is running on which port of which device at which level of the power grid," transforming fragmented security information into a structured knowledge system to define the criteria for subsequent steps.
[0024] After establishing a precise three-dimensional "port-service-version" relationship model, modular penetration testing is conducted on different services on key devices at each network layer using the end-to-end vulnerability port-service-service version relationship model. Modular penetration testing involves calling a modular penetration testing framework (such as the Metasploit Framework) to match corresponding penetration modules (including exploit modules, payload modules, and auxiliary modules) from a pre-built vulnerability module library based on each "service-version" pair identified in the model. This allows for targeted modular penetration testing of the target service, including service vulnerability verification, privilege escalation attempts, and payload delivery testing. Test quality control is implemented using designer-defined technical parameter thresholds, such as setting a vulnerability module adaptation success rate threshold of ≥70% and a single module execution timeout of ≤15 minutes. After testing, high-risk vulnerability modules are selected from the test results based on preset verification indicators. These preset indicators are crucial for determining module usability, including vulnerability exploitation success rate analysis (target vulnerability exploitation success rate / total attempts ≥60%) and payload execution effectiveness verification (payload execution success rate ≥80%). Modules that consistently meet or exceed preset performance metrics during testing are identified as high-risk vulnerability modules. This rigorous selection mechanism ensures that all modules ultimately selected for the resource pool have undergone real-world testing, possess high availability and stable attack capabilities, providing core technical support for building an efficient and reliable end-to-end attack and penetration process.
[0025] In some example implementations, the process of constructing the full-link vulnerability port-service-service version association model includes: Port information for each network layer is obtained by performing a combined scan of the operating systems of key devices at each network layer. The port information is matched with a preset vulnerability signature database to determine exploitable vulnerabilities and the vulnerability-port association. Interactive testing is performed on key devices at each network layer using the exploitable vulnerabilities and the vulnerability-port association to determine the backend service and service version of the port corresponding to the exploitable vulnerability, and to construct a full-link vulnerability port-service-service version association model. The association model includes the configuration parameters, interaction processes, and security vulnerability information of each service.
[0026] In this example implementation, constructing an accurate and reliable end-to-end vulnerability port-service-service version association model is the foundation for implementing high-quality modular penetration testing and subsequent precise attacks. The construction of this model is a progressively deeper and more detailed process. First, in the information collection phase, port information for each network layer is obtained by performing a combined scan of the operating systems of key devices at each network layer. This step uses a direct network cable connection to connect the KMCEPG to the test host, creating a clean test environment. The Nmap tool is then used to perform the aforementioned combined strategy scan, ensuring a comprehensive discovery of all open, filtered, or closed port states and their protocol types (TCP / UDP) on all layers of devices, including the main server, communication switches, and terminal devices, forming an initial port list covering the entire link. After obtaining the raw port information, the risk association phase begins, where the port information is matched against a pre-set vulnerability signature database to determine exploitable vulnerabilities and the vulnerability-port association. The pre-set vulnerability signature database integrates general vulnerability databases (such as CVE) and knowledge of vulnerabilities specific to power industrial control systems. The system compares the scanned port numbers (e.g., TCP ports such as 21 (FTP service), 23 (Telnet service), 6000 (X Window service), and 6005 (industrial control protocol port)) and protocol types with a signature database. When the matching rate reaches a certain threshold (e.g., ≥85%), it can associate the vulnerability with a specific vulnerability number, severity level, and exploitation conditions, thus achieving a mapping from "port" to "vulnerability." Simultaneously, the system structurally records the relationships between vulnerabilities and ports, forming a preliminary risk knowledge base and providing clear targets for subsequent in-depth analysis.
[0027] To further improve targeting accuracy down to the service level, service verification and modeling are required. This involves interactive testing of critical devices at each network layer using the exploitable vulnerabilities and their associated port relationships to determine the background services and service versions corresponding to the exploitable vulnerabilities. By sending specific probe requests and analyzing responses to identified high-risk ports, the running background services can be precisely located, and their service versions, down to the minor version number, can be confirmed, establishing a three-dimensional "port-service-version" association model. Ultimately, a full-link vulnerability port-service-service version association model is constructed. This association model is not only a static list but also a dynamic knowledge base, including configuration parameters, interaction processes, and security vulnerabilities for each service. For example, it may not only record "a terminal device is running VxWorks Telnet service v5.5 on port 23," but also associate and record the service's default authentication method, known buffer overflow points, and other security vulnerabilities, as well as the interaction processes between services. This multi-dimensional correlation model, which extends from "port" to "vulnerability" and then to "service-version-configuration-interaction," provides indispensable contextual intelligence for achieving the leap from broad-spectrum scanning to precision strikes, and is an important manifestation of the scientific nature and effectiveness of the entire methodology.
[0028] In some example implementations, the modular penetration test includes: Based on the association model of the full-link vulnerability port-service-service version, target vulnerability modules for different services on key devices at each network layer are matched in the pre-built vulnerability module library, and the target vulnerability modules are used to perform modular penetration testing on the corresponding services. The vulnerability module library is constructed for key equipment corresponding to each network layer of the power grid, and includes vulnerability exploitation modules, attack payloads, and auxiliary modules.
[0029] In this example implementation, modular penetration testing is the core operational step that transforms the preliminary layered analysis into actual vulnerability verification and attack capability acquisition. Its efficiency and success rate rely on standardized execution processes and a rich resource library. This process closely relies on the pre-built full-link vulnerability port-service-service version association model. Based on this model, the testing system can accurately identify the attack target, such as a specific version of a network management service running on a certain open port of a switch in the communication layer. Based on the accurate target information, the penetration test enters the automated weapon matching stage, that is, based on the full-link vulnerability port-service-service version association model, it matches the target vulnerability modules for different services on the corresponding key devices at each network layer from the vulnerability module library. The vulnerability module library is a professional weapon library customized and expanded specifically for the power grid industrial control environment. It is a collection of vulnerability exploitation modules, attack payloads, and auxiliary modules built for the corresponding key devices at each network layer of the power grid. It not only includes modules of a general framework, but also integrates special attack modules for power industrial control protocols (such as IEC 61850, Modbus), industrial real-time operating systems (such as VxWorks, embedded Linux), and power-specific software. The system uses "service type + precise version number" as the core search criteria. Through vulnerability module matching, it automatically filters out the target vulnerability module with the highest matching degree from the database. For example, it selects a dedicated exploit module targeting "command injection in a specific version of the web management interface of a certain industrial switch model." After a successful match, it enters the standardized verification and execution phase, using the target vulnerability module to perform modular penetration testing on the corresponding service. The testing process follows a standardized protocol: loading the selected vulnerability exploit module, configuring parameters such as the target IP address, port number, and service version, selecting an appropriate attack payload, and then launching an attack attempt. The entire execution process is strictly monitored and recorded, forming a standardized penetration test log, including module name, execution parameters, return code, and trigger status. This modular testing based on precise intelligence matching transforms penetration actions into repeatable, measurable, and auditable standardized operational units, greatly improving testing efficiency and the credibility of results. It also provides a solid and reliable data source and technical basis for subsequent steps to select highly available vulnerability modules and build a vulnerability module resource pool that can be directly used for full-chain attack penetration.
[0030] In some example implementations, the potential threat sources for the critical equipment corresponding to the master station layer include: master station operating system vulnerabilities, master station malware injection, and master station database vulnerabilities; the end-to-end vulnerability module resource pool includes master station operating system vulnerability modules, master station database vulnerability modules, master station malware injection modules, and master station session hijacking modules; the step of calling the pre-built end-to-end vulnerability module resource pool to perform end-to-end penetration testing of the critical power grid equipment based on the potential threat sources for the critical equipment corresponding to each network layer includes: By exploiting vulnerabilities in the main site's operating system, an escalation attack was launched against the main site's operating system to gain administrator privileges and then implant a backdoor program. The system exploits a vulnerability in the main site's database to illegally access the main site's database in order to tamper with measurement data or scheduling instructions. The malicious software injection module of the main station is used to forge and issue false control commands to the main station in order to interfere with the power grid fault diagnosis and self-healing decision-making process. The master station session hijacking module is used to intercept communication data between the master station and the terminal, thereby disrupting the normal decision-making process of the master station.
[0031] In this example implementation, when conducting a full-link penetration test targeting the main site layer, the test is conducted based on the unique threat profile and preset attack scenarios of this layer. According to the conclusions of the layered analysis, the potential threat sources for critical devices corresponding to the main site layer mainly include: main site operating system vulnerabilities (such as kernel vulnerabilities or application-layer vulnerabilities leading to privilege escalation or system control), main site malware injection (implanting Trojans or ransomware through malicious code injection or supply chain attacks), and main site database vulnerabilities (such as configuration defects or SQL injection leading to data leakage or service paralysis). To effectively verify and simulate the above threats, the full-link vulnerability module resource pool specifically encapsulates and reserves corresponding attack capability modules, such as a main site operating system vulnerability module for Linux / Windows systems, a main site database vulnerability module for Oracle / MySQL, a main site malware injection module for implanting backdoors, and a main site session hijacking module for hijacking communication sessions.
[0032] Based on the precise threat-attack module mapping relationship described above, a series of targeted attack operations were performed on the KMCEPG penetration test of the main station / substation side, with core verification indicators set such as privilege acquisition success rate ≥70%, data tampering effective time ≤5 seconds, and session hijacking success rate ≥65%. First, the main station operating system vulnerability module was used to perform privilege escalation attacks on the main station's operating system, obtaining administrator privileges and then implanting a backdoor program. This simulated an attacker using a kernel-level vulnerability to obtain root / administrator privileges, subsequently implanting a persistent backdoor program, laying the foundation for long-term infiltration and control of the core system. Second, the main station database vulnerability module was used to illegally access the main station's database to tamper with measurement data or scheduling instructions. For example, a man-in-the-middle attack was implemented using a vulnerability in the Oracle database TNS listener, or an SQL injection vulnerability was used to illegally access the database, tampering with core data such as measurement data and scheduling instructions, leading to misjudgments in power system scheduling. Next, the main station malware injection module was used to forge and issue false control instructions to the main station, interfering with the power grid fault diagnosis and self-healing decision-making process. After gaining control of the system, attackers used this module to forge and issue false control commands, interfering with the power grid fault diagnosis and self-healing decision-making process, prolonging fault recovery time, and expanding the scope of the accident's impact. Finally, the master station session hijacking module intercepted communication data between the master station and the terminal, disrupting the master station's normal decision-making chain. Through TCP session hijacking or HTTP session forgery techniques, communication data between the master station and the terminal was intercepted, disrupting the normal decision-making chain between the master station and the substation. This series of targeted and in-depth penetration tests at the master station layer comprehensively verified all-round and deep-level security risks, from system-level permissions to upper-level application data, from internal data integrity to the credibility of external commands.
[0033] In some example implementations, the potential threat sources for the communication layer corresponding to critical equipment include communication packet cracking risks and switch DDoS attack risks; the end-to-end vulnerability module resource pool includes ARP spoofing modules, switch port vulnerability modules, and DDoS attack modules; the step of calling the pre-built end-to-end vulnerability module resource pool to perform end-to-end penetration testing of critical power grid equipment based on the potential threat sources for each network layer corresponding to critical equipment includes: By using an ARP spoofing module to construct a man-in-the-middle attack environment, the system can monitor and crack the communication packets transmitted by the switch in the communication layer, thereby tampering with uplink measurement data and forging downlink control commands. By exploiting a vulnerability in a switch port, bypass access to the communication layer is achieved. A DDoS attack module is then invoked to launch a traffic attack on the communication link of the communication layer, thereby blocking the communication channel between the master station and the terminal.
[0034] In this example implementation, the focus of the full-link penetration test on the communication layer is on the threats inherent in the network channel infrastructure itself, aiming to verify whether the confidentiality, integrity, and availability of data transmission can be compromised. Based on the layered analysis, the core potential threats to critical devices at the communication layer lie in the risk of communication packet cracking (eavesdropping and cracking based on ARP spoofing and traffic sniffing techniques) and the risk of DDoS attacks on switches (distributed denial-of-service attacks launched via botnets). To simulate these attacks, the full-link vulnerability module resource pool provides corresponding tool modules, such as an ARP spoofing module for traffic hijacking, a switch port vulnerability module for unauthorized access exploiting switch management or service vulnerabilities, and a DDoS attack module for launching traffic flooding attacks. Based on this, the penetration test of the KMCEPG on the communication side is specifically divided into two typical attack modes, with core verification indicators set such as a packet eavesdropping / cracking success rate ≥80% and a DDoS attack communication interruption duration ≥15 minutes. The first mode utilizes the ARP spoofing module to construct a man-in-the-middle attack environment, eavesdropping on and cracking communication packets transmitted by the switches at the communication layer, tampering with uplink measurement data, and forging downlink control commands. Attackers use ARP spoofing and traffic forwarding modules to construct a man-in-the-middle attack environment, eavesdropping on and cracking plaintext / weakly encrypted communication messages transmitted by switches, tampering with uplink measurement data (such as current and voltage acquisition values), and forging downlink control commands (such as switch opening and closing commands), causing the power grid dispatching system to make misjudgments. The second mode involves using a switch port vulnerability module to bypass access at the communication layer, calling a DDoS attack module to launch a traffic attack on the communication link at the communication layer, thereby blocking the communication channel between the master station and the terminal. After bypassing access through the switch port vulnerability module, the attacker calls a DDoS attack module (such as UDP Flood, SYN Flood) to launch a traffic attack on the communication link, blocking the communication channel between the master station and the terminal, causing communication interruption, preventing the terminal from responding to the master station's dispatching decisions in real time, reducing the system's self-healing efficiency, and expanding the scope of the accident's impact. This test profoundly verifies the extreme vulnerability of communication networks when subjected to targeted eavesdropping, tampering, and availability attacks.
[0035] In some example implementations, the potential threat sources for the critical equipment corresponding to the terminal layer include malicious attacks on terminal functions, malicious control of terminal communication, and illegal exploitation of terminal ports; the end-to-end vulnerability module resource pool includes terminal operating system vulnerability exploitation modules, terminal operating system kernel vulnerability modules, and terminal memory operation vulnerability modules; the step of calling the pre-built end-to-end vulnerability module resource pool to perform end-to-end penetration testing of critical power grid equipment based on the potential threat sources for critical equipment corresponding to each network layer includes: The system calls upon the terminal operating system vulnerability exploitation module to attack the normal functioning of the terminal, thereby preventing the terminal from collecting and feeding back data normally. By exploiting a vulnerability in the terminal's operating system kernel, the attacker can disrupt the terminal's internal communication module and sever the communication link between the terminal and the main station. This attack exploits a terminal memory manipulation vulnerability to compromise the network memory of a terminal device, thereby tampering with configuration parameters and operating policies within that memory.
[0036] In this example implementation, when conducting a full-link penetration test on the terminal layer, the aim is to verify the comprehensive security of the terminal devices at the forefront of the power grid, in a complex deployment environment with a large number of devices, from hardware functionality to software logic. Based on the layered analysis, the potential threat sources for key devices at the terminal layer mainly include malicious attacks on terminal functions (targeting core control functions such as data acquisition and instruction execution), malicious control of terminal communication (hijacking or tampering with communication links based on communication protocol vulnerabilities), and illegal exploitation of terminal ports (implanting malicious programs through open debugging ports and communication ports). To verify these risks, the full-link vulnerability module resource pool integrates specialized modules for real-time operating systems such as VxWorks and embedded devices, such as terminal operating system vulnerability exploitation modules, terminal operating system kernel vulnerability modules, and terminal memory operation vulnerability modules. Based on the above correspondence between threats and attack modules, a comprehensive attack penetration test of the terminal-side KMCEPG is specifically performed in three dimensions, with core verification indicators set such as a device function anomaly trigger success rate ≥75%, a communication link disconnection success rate ≥85%, and a memory parameter tampering effect time ≤2 seconds. First, the terminal operating system vulnerability exploitation module is invoked to attack the normal operation functions of the terminal, preventing the terminal from collecting and feeding back data normally. For example, exploiting operating system vulnerabilities can attack the normal operating functions of a device. This includes using process hijacking to force the device to repeatedly restart, or using a screen-locking payload to lock the main control interface, preventing the device from collecting and feeding back data normally. Secondly, exploiting terminal operating system kernel vulnerabilities can attack the terminal's internal communication modules to sever the communication link between the terminal and the master station. The attack does not interfere with the network externally, but rather originates from within the terminal's operating system. Using VxWorks system kernel vulnerabilities, attacks can be made on the communication modules within the terminal (e.g., compromising the IEC 61850 protocol stack, disabling serial communication), severing the communication link between the terminal and the master station, rendering it unable to respond to power grid dispatch decisions. Finally, exploiting terminal memory manipulation vulnerabilities can attack the network memory of the terminal device to tamper with configuration parameters and operating policies. Key parameters such as the terminal device's settings and operating policies reside in memory. Exploiting memory manipulation vulnerabilities (such as buffer overflow exploits) can attack the device's network memory, tampering with configuration parameters (such as sampling period, communication address) and operating policies (such as fault judgment thresholds), causing the terminal device to malfunction and unable to accurately execute control commands issued by the master station. This type of attack deceives the device at the lowest level of the system, causing it to make completely wrong judgments or perform dangerous operations based on corrupted memory data, making the harm both direct and insidious.
[0037] For example, such as Figure 2 The image shows an example of a KMCEPG network attack process, which includes the following steps: (1) Connect the KMCEPG system to the test host using a direct network cable connection. Perform a comprehensive Nmap vulnerability scan of the KMCEPG operating system on the test host. Using a direct network cable connection ensures a stable and reliable connection between the test host and KMCEPG, providing a solid foundation for subsequent vulnerability scanning. Use the Nmap tool installed on the test host to perform a comprehensive and in-depth scan of the KMCEPG operating system. With its powerful functions and rich scanning options, Nmap can quickly and accurately discover open ports, running services, and potential vulnerability information on the target device, providing important clues and evidence for subsequent penetration testing.
[0038] (2) Nmap vulnerability scanning process based on step (1). Obtain KMCEPG operating system vulnerabilities and exploitable ports, such as TCP ports 21, 23, 6000, and 6005. Record the obtained ports to provide a foundation for further vulnerability discovery. After completing the Nmap vulnerability scan, perform a detailed analysis of the scan results to extract vulnerability information and exploitable ports in the KMCEPG operating system. For example, the common port 21 is usually used for FTP services and may have file upload and download vulnerabilities; port 23 is used for Telnet services and may have weak passwords or brute-force attack risks; ports such as 6000 and 6005 may be related to specific applications or services and may also have security vulnerabilities. Accurately record these port information to establish a port information database, providing clear targets and directions for further in-depth vulnerability discovery.
[0039] (3) Based on the network vulnerability ports obtained in step (2), conduct in-depth mining to obtain the services corresponding to the KMCEPG operating system vulnerability ports. Record the services corresponding to the obtained vulnerability ports to provide a foundation for further vulnerability mining. For the vulnerability ports obtained in step (2), use professional vulnerability mining tools and techniques to conduct in-depth analysis of the services corresponding to each port. By simulating different attack scenarios and testing various input parameters, try to trigger the vulnerabilities existing in the services to obtain more detailed vulnerability information, such as the type, severity, and exploitation conditions of the vulnerabilities. At the same time, accurately record the service information corresponding to each vulnerability port to improve the vulnerability information database and provide a more comprehensive and accurate basis for subsequent penetration testing and security protection.
[0040] (4) Modular Penetration. Based on the services corresponding to the vulnerable ports obtained in step (3), modular penetration testing is performed on the obtained vulnerable port services using modular monitoring tools (such as Metasploit), providing a foundation for further vulnerability discovery. A modular penetration strategy is adopted, and the corresponding penetration modules are selected from the modular monitoring tools (such as Metasploit) according to the service characteristics corresponding to the vulnerable ports obtained in step (3). Metasploit integrates a large number of verified penetration modules, each of which is optimized for specific vulnerabilities or services, enabling efficient penetration attacks. By using these modular tools, targeted penetration testing is conducted on the target services to verify the exploitability of vulnerabilities and obtain more system information and privileges, providing strong support for further in-depth vulnerability discovery and attack implementation.
[0041] (5) Based on the modular monitoring in step (4), obtain the vulnerability modules corresponding to the KMCEPG operating system vulnerability port service, providing a foundation for further network attacks. After completing the modular penetration, conduct in-depth analysis of the penetration results and extract the vulnerability modules corresponding to the KMCEPG operating system vulnerability port service. These vulnerability modules are the weak links that attackers can exploit. Through detailed study of these modules, we can understand the exploitation methods and attack paths of the vulnerabilities, providing key technical support for carrying out more in-depth network attacks. At the same time, organize and record this vulnerability module information to establish a vulnerability module library for reference and analysis in subsequent security assessments and protection work.
[0042] (6) Perform attacks and penetration tests on the KMCEPG on the main / subsite side, such as... Figure 3As shown, exploiting vulnerabilities in the device's operating system (e.g., substation n1, where n1 is the substation number): An attacker can exploit an overflow vulnerability in the substation server's operating system to construct malicious data packets and send them to the target server. When the server processes these malicious data packets, buffer overflows and other issues can hijack the server's execution flow, allowing the attacker to gain device privileges. After gaining privileges, the attacker uses the server's Telnet port to send forged trust authorization information to the remote control workstation. Upon receiving the forged trust authorization information, the remote control workstation may mistakenly believe it comes from legitimate authorization, thus allowing the attacker to perform illegal operations. The attacker can then tamper with the power grid's measurement data, such as modifying critical data like voltage and current, causing the master station to misjudge the overall operation of the power grid. Under normal power grid conditions, the master station may misjudge a power grid fault, issuing a series of erroneous load shedding commands, leading to a major power outage; or, under power grid fault conditions, it may misjudge the power grid's operation as good, failing to take any measures, causing the power grid to miss the best time to mitigate the damage, resulting in the fault escalating and causing a power outage. Furthermore, based on this vulnerability, attackers can also forge power grid control commands, directly issuing load shedding commands to substations or terminals under normal power grid operation, causing local or large-scale power outages; or intercept control commands issued by the power grid under power grid fault conditions, further amplifying the power grid fault and triggering more serious power outages.
[0043] Main station injection of Trojan programs or malicious control software: Attackers exploit vulnerabilities in critical main / substation equipment to inject Trojan programs or malicious control software into the devices. These malicious programs are highly stealthy and difficult to detect. Once implanted, they can launch attacks at any time during device operation. For example, Trojan programs or malicious control software can be used to remotely tamper with power grid measurement data, causing misjudgments by the power grid; or to forge and issue control commands, interfering with the normal operation of the power grid and potentially triggering large-scale power outages.
[0044] Database vulnerability attack (e.g., substation 1): Some monitoring hosts and communication gateways at the substation have Oracle databases installed. Attackers can exploit vulnerabilities in Oracle for penetration attacks. This vulnerability allows attackers to send abnormal data to a remote "TNS Listener" component without providing a username / password. By sending carefully crafted abnormal data, attackers can redirect data from the legitimate "TNS Listener" component of the database server to a system controlled by the attacker, causing a man-in-the-middle attack, session hijacking, or denial-of-service attack between the remote component database and the legitimate database. Man-in-the-middle attacks allow attackers to steal and tamper with sensitive information in the database; session hijacking allows attackers to impersonate legitimate users and perform illegal operations; denial-of-service attacks can prevent the database from providing normal services, affecting the power grid's data storage and management functions.
[0045] (7) Attack and penetrate the KMCEPG on the communication side, such as... Figure 4 As shown, switch 1 is under a DDoS attack, causing a communication interruption between it, the load control terminal 1, and the master station. Switch n2 (n2 is the switch number) is monitored and its communication packets are parsed. The attacker exploits vulnerabilities on the communication side to monitor and parse the communication packets. After obtaining the communication packets through methods such as wiretapping and wireless interception, the attacker uses techniques such as password cracking and protocol analysis to obtain the encryption method of the packets, the uploaded measurement data, and the issued control commands. The attacker tampers with the uploaded measurement data, such as modifying voltage and current data to make them inconsistent with the actual values, thus causing the system to misjudge. The system makes decisions and controls based on the incorrect measurement data, which may lead to a power outage. The attacker also forges control commands issued by the master station and substations, causing terminal devices to receive incorrect commands and perform actions that are incompatible with the power grid's operating status, such as failing to activate when required or failing to disconnect loads when required, thereby causing a power outage.
[0046] DDoS Attacks: The principle of a DDoS attack is to simultaneously use multiple switches to send a large number of useless requests to the target network. These useless requests consume network channel resources, causing network congestion and blocking normal communication channels. This prevents normal measurement data from being uploaded, and the master station cannot obtain accurate power grid operation data, thus making it impossible to make correct predictions about the overall power grid operation. During system failures, the master station cannot detect power grid faults in a timely manner and fails to take any measures, leading to the escalation of the fault. In addition, DDoS attacks will also prevent the timely issuance of control commands by the master station and slave stations, and the terminals cannot respond to power grid control policies in a timely manner to handle the fault, further expanding the scope of the accident and causing a major power outage.
[0047] (8) Perform attacks and penetration on the terminal-side KMCEPG, such as... Figure 5 As shown, the attack device operates by exploiting vulnerabilities in critical equipment to compromise certain operational functions from within the operating system. For example, while the critical equipment is running normally, attackers can send specific malicious commands or exploit software vulnerabilities, such as attacking the functions of the control terminal 2, causing it to malfunction, such as forcing the equipment to restart, resulting in equipment interruption and affecting the acquisition and transmission of power grid data; or they can lock the keyboard of the main control operating system, preventing operators from operating and controlling the equipment normally, posing a serious threat to the safe and stable operation of the power grid.
[0048] Disabling Communication Ports: By exploiting a vulnerability in the KMCEPG operating system, attackers can disable KMCEPG's communication ports from within the operating system (e.g., disabling the communication port of the control terminal 1), causing communication interruption between control terminal 1, substation 1, and the master station, thus gaining control of control terminal 1. Communication ports are the channels for data transmission between devices and between devices and substations / master stations. Disabling them will block communication between devices, causing abnormal communication transmission. For example, smart meters may be unable to upload collected data to substations, and substations may be unable to issue control commands to terminal devices, resulting in the failure of power grid monitoring and control functions.
[0049] Attackers can obtain and modify system data by exploiting ports of critical devices to acquire system memory-related files. This allows them to access critical memory data, code, device parameters, and operational strategies. Modifying this data, such as altering the configuration parameters of load control terminal n3 (n3 being the load control terminal number), can compromise system memory. Setting incorrect parameters for critical control equipment can cause damage or malfunctions. Forging voltage and current data can also disrupt the normal operation of critical control equipment. In severe cases, these malicious operations can trigger DC faults, jeopardizing the safe and stable operation of the power grid.
[0050] Discovering as many potential cybersecurity vulnerabilities as possible within the normal operating conditions of the power grid is crucial for ensuring its safe and stable operation. This invention, from a holistic perspective of power grid network security defense, addresses the shortcomings of existing power grid network security vulnerability discovery technologies by proposing a method for constructing a full-link network penetration testing process for key power grid measurement and control equipment. This method further enhances the levels of power grid network vulnerability discovery, intrusion testing, network security defense, and safe and stable operation, possessing strong engineering practical value. This invention opens up a highly innovative and forward-looking technical path in the field of power grid equipment intrusion testing and vulnerability discovery. Under traditional technical frameworks, intrusion testing and vulnerability discovery methods are often limited to single links or specific equipment types, making it difficult to fully address the inherent complexity and high diversity of power grid systems. The method constructed in this invention, however, takes a systemic perspective from the entire link, implementing comprehensive and multi-layered deep penetration attacks on key power grid measurement and control equipment (KMCEPG).
[0051] This invention, from a holistic perspective of power grid network security defense, proposes a systematic solution to address the shortcomings of existing technologies. The solution follows a core logic of "layered analysis - vulnerability discovery - module acquisition - precise penetration," with the following specific implementation steps: First, a layered network security risk analysis is conducted on the key measurement and control equipment (KMCEPG) on the power grid master / substation side, channel side, and terminal side to identify weak points in security protection at each stage. Second, a comprehensive vulnerability scan is performed on the KMCEPG operating system to accurately identify exploitable vulnerabilities, open ports, and other key security risks. Third, based on the discovered exploitable vulnerabilities and ports, corresponding system services are matched, and then targeted system vulnerability modules are extracted through the adaptation and invocation of modular penetration tools. Through a series of standardized steps (including combined scanning, vulnerability matching, service identification, and modular penetration testing), a pre-integrated full-link vulnerability module resource pool is constructed, incorporating cross-layer attack chain knowledge. This resource pool consists of high-risk vulnerability modules that have undergone rigorous validity verification. Crucially, these modules encapsulate vulnerability exploitation chain information capable of simulating a continuous attack path initiated by an attacker from a certain layer and gradually penetrating to the core layer. Ultimately, by intelligently invoking the modular attack chains encapsulated in the resource pool based on the prior threat map, a full-link penetration test can be executed across all layers of the main station, communication, and terminal. This means leveraging previously discovered vulnerability resources and modules to implement precise full-link penetration attacks. Specifically, targeted penetration tests are launched against the operating system and database of the KMCEPG on the main / sub-station side; man-in-the-middle and DDoS attacks are conducted against the KMCEPG on the communication side; and penetration verification is performed on the terminal-side KMCEPG focusing on core dimensions such as normal operation, communication links, and network memory. This invention clearly proposes a full-link network penetration process construction scheme covering key measurement and control equipment on the main / sub-station, channel, and terminal sides of the power grid, providing a standardized penetration testing framework for the field of power information security. Based on this method, researchers can systematically conduct intrusion process verification tests on key measurement and control equipment of the power grid, deeply explore potential network security vulnerabilities, provide a scientific basis for the formulation of subsequent targeted protection measures, and effectively improve the network security defense capabilities and overall security level of the power grid, ensuring the safe and stable operation of the power grid system. This has significant practical value and application significance.
[0052] Verification test (1) Setting up the attack verification environment: To effectively enhance the power grid's ability to resist cyberattacks and to deeply explore more hidden vulnerabilities in key power grid measurement and control equipment, this invention, based on the risk analysis results and a carefully constructed attack process, has established a system... Figure 6 The attack test environment shown is specifically designed to verify attacks on critical control devices of the terminal.
[0053] The attack experiment verification environment is mainly composed of four closely linked parts: an RTDS power grid simulation system, a load simulation device, a stability control system, and a network attack host. The RTDS power grid simulation system, with its advanced simulation technology, can accurately simulate the real operating state of the power grid, providing a highly realistic power grid operating environment for the entire experiment and ensuring the reliability and practicality of the experimental results. The load simulation device, through precise simulation algorithms, realistically reproduces the load conditions of the power grid during actual operation, providing load data consistent with reality. The stability control system consists of two core parts: a master / slave station control system and a load control terminal. This system has powerful data processing and command sending capabilities, enabling in-depth analysis of key information such as collected voltage, current, and flow, and issuing precise commands to the load simulation device based on the analysis results, thereby achieving stable control of the power grid's operating state. The network attack host, as the core device for launching the attack, is equipped with advanced attack tools and techniques, capable of launching targeted network attacks against the distributed stability control device to verify the device's security and stability in the face of network attacks.
[0054] (2) Attack verification: 1) Conventional Functional Attacks On-site, the control device was connected to the attacking host via Ethernet 1 using a direct network cable connection. Port scanning was performed on the corresponding network card's IP address, and a remote connection to the control device was established using telnet with an empty password.
[0055] ① Keyboard lock attack on the main control operating system: After infiltrating the stability control device, use Xshell5 (Free for Home / School) software to launch an attack on the main control module of the VxWorks operating system. Simply type the command "td tkeyProcess" in the programming interface.
[0056] ② Stabilization device restart attack: After infiltrating the control device, VMware Workstation is used to perform a device restart attack. The attack mainly consists of two steps: ① Enter the command "tscmsServer" in the programming interface; ② Enter the command "td tscmsServer" in the programming interface.
[0057] 2) Information channel attack: After infiltrating the stability control device, typing the command "td tNetTask" on the main operating interface will launch an attack on the device's communication ports. A successful attack will shut down all communication ports of the stability control device.
[0058] 3) Network memory attack: To connect to the control device, first, the Telnet remote login port is compromised; then, the root password is used to compromise the memory system of the control device; after successfully compromising the memory system, the data in the memory system is modified.
[0059] (3) Attack Result Analysis 1) Conventional Functional Attacks When an attack is launched on the functional modules of the load control terminal, its functions will be severely affected, resulting in the main control keyboard being locked and the system frequently restarting, verifying that the load control terminal has functional protection vulnerabilities.
[0060] By implementing a keyboard lock attack on the main control operating system, operators will be unable to set or adjust parameters of the stability control device when it is first put into operation, rendering it inoperable and affecting power grid planning. In emergency situations requiring debugging or operation via the main control module, operators will be unable to promptly adjust the stability control device, causing the power grid to miss crucial opportunities to mitigate the damage, expanding the scope of the fault, and potentially leading to power outages.
[0061] A device restart attack can render the power grid's stability control system ineffective during the restart period, impacting its safe and stable operation. During this time, the system is unable to collect power grid operation data or receive and execute commands from the higher-level dispatch system. This can amplify the impact of accidents and cause significant economic losses during fault and emergency control periods.
[0062] 2) Information channel attack After an attack was launched on the information channel of the stability control device, the device displayed messages such as "port connection failed" and "unable to access target host." This verified that the control terminal equipment had a vulnerability in its information channel protection.
[0063] During actual power grid operation, attackers can shut down all communication ports of the power grid control devices, blocking communication between devices and between the devices and the main control station. This prevents data collected by the terminals from being uploaded to the main station, hindering the main station's ability to promptly perceive the power grid's operational status. Furthermore, the main station's control commands cannot be promptly sent to the terminals, rendering them unable to respond. This ultimately leads to power grid malfunctions, jeopardizing the safe and stable operation of the power grid.
[0064] 3) Network memory attack Once an attacker attacks the device's memory, they can arbitrarily modify its memory data, verifying a vulnerability in the network memory protection of the terminal stabilization device.
[0065] In actual power grid operation, attackers can exploit weak FTP password vulnerabilities to download system FTP files, study the stability control device, and obtain key memory data, code, device parameters, operating strategies, etc., and modify them, such as modifying master station / substation settings; or directly forging voltage, current and other data, disrupting the normal operation of the stability control device, and in severe cases, causing power outage accidents.
[0066] The attack results analysis of the above examples show that the method of the present invention can successfully and systematically uncover deep and substantial security vulnerabilities in terminal devices in core dimensions such as functionality, communication, and memory, fully demonstrating the powerful effectiveness and practical value of the method in improving the network security defense capabilities of the power grid.
[0067] The method proposed in this invention has strong versatility and engineering practical value. It adopts a modular and standardized design concept and can be widely applied to attack penetration and vulnerability mining of key measurement and control equipment at all levels of the power grid. It does not require the purchase of expensive and complex equipment and is easy to promote and apply in the power industry.
[0068] Key measurement and control equipment in the power grid is fundamental to achieving intelligent operation and management of the power grid. However, with the widespread application of information technology in the power sector, the power grid faces increasingly severe cybersecurity threats, and various cyberattack methods are constantly emerging. Traditional power grid cybersecurity vulnerability mining techniques are mostly concentrated on single devices or localized scenarios. When facing new types of cyberattacks, they often suffer from insufficient detection capabilities and incomplete vulnerability mining, failing to promptly discover and prevent potential cybersecurity threats and making it difficult to meet the needs of the current complex and ever-changing cybersecurity landscape. Therefore, researching a comprehensive and efficient method for constructing a full-link network penetration testing process for key power grid measurement and control equipment has urgent practical needs and significant theoretical and practical implications.
[0069] In recent years, research on power grid network attacks has focused on two main areas. First, it has concentrated on vulnerability discovery techniques in the KMCEPG (Knowledge, Machinery, Electronics, and Electronics) system, identifying security vulnerabilities in equipment and communication links through scanning, detection, and risk assessment. Second, it has explored attack path analysis and defense strategy optimization, proposing protection schemes based on simulation testing and intrusion detection, providing theoretical support and technical references for improving the power grid's resilience. However, existing research largely focuses on attack defense for single devices or localized scenarios, making it difficult to fully adapt to the actual needs of KMCEPG's multi-sided collaborative protection.
[0070] The "Method for Constructing a Full-Link Network Penetration Process for Key Measurement and Control Equipment in Power Grids" proposed in this invention opens up a highly innovative and forward-looking technical path for the field of intrusion testing and vulnerability discovery in power grid equipment. Under traditional technical frameworks, intrusion testing and vulnerability discovery methods are often limited to a single link or specific equipment type, making it difficult to fully address the inherent complexity and high diversity of power grid systems. The method constructed in this invention, however, takes a systemic perspective from the entire link, implementing comprehensive and multi-layered deep penetration attacks on key measurement and control equipment (KMCEPG) in power grids. Specifically, on the master / slave side, this invention focuses on the KMCEPG's operating system and database, simulating possible hacker attack methods to conduct penetration testing and deeply analyze its potential security weaknesses; for the communication-side KMCEPG, this invention initiates man-in-the-middle attacks and distributed denial-of-service (DDoS) attacks to accurately assess its security protection capabilities in complex network environments; for the terminal-side KMCEPG, this invention not only simulates attacks on its normal functions but also delves into the communication channel and network memory levels to comprehensively uncover potential security vulnerabilities. This comprehensive and multi-layered attack and penetration approach enables a more complete and precise discovery of security vulnerabilities in different operational stages and functional modules of power grid equipment. For example, during the attack and penetration of the terminal-side KMCEPG, detailed analysis at the communication channel and data memory levels successfully uncovered numerous security risks previously overlooked due to technical limitations, providing invaluable references for the security protection of power grid equipment. This innovative technical approach and methodology provides richer and more precise evidence for the subsequent construction of a security assessment system and the formulation of protection strategies for power grid equipment, powerfully promoting the continuous innovation and development of power grid network security technology.
[0071] This invention addresses the construction and defense verification of a systematic attack process across the entire power grid chain, from the main station to communication to the terminal. It can deeply analyze the network security risks in each link of the power grid, comprehensively uncover potential network security vulnerabilities, and provide a strong basis for formulating effective network security protection strategies. This will effectively improve the network security defense capabilities of the power grid, ensure the safe and stable operation of the power grid, and provide reliable power security for the sustainable development of society and the economy.
[0072] This invention provides a comprehensive and in-depth risk analysis of key measurement and control equipment at all levels of the power grid. Through systematic research, it was discovered that the operating systems and databases of the master / slave stations not only suffer from conventional vulnerabilities but also face the risk of being injected with advanced threats such as Trojans and malware. Information channels are vulnerable to unauthorized interception and parsing of messages during data transmission, as well as DDoS attacks. The functional modules, communication links, and memory management of terminal devices all present potential risks of attack. Furthermore, a series of rigorous attack penetration experiments fully validated the accuracy and reliability of the aforementioned risk analysis. This research not only provides a solid theoretical foundation for risk analysis of other industrial control equipment in the power grid but also possesses significant reference value, contributing to improving the overall security level of the power grid's industrial control system.
[0073] This invention starts with the operating system and database of the KMCEPG on the main / sub-site side to conduct targeted attack penetration testing; it launches man-in-the-middle and DDoS attacks on the communication-side KMCEPG to simulate real network attack scenarios; and it conducts comprehensive attack penetration on the normal functions, communication, and network memory of the terminal KMCEPG. This comprehensive and meticulous attack penetration strategy provides a new approach and direction for subsequent intrusion testing and vulnerability discovery of power grid equipment, helping to break through the limitations of traditional technologies and improve the comprehensiveness and accuracy of power grid equipment security testing.
[0074] This invention innovatively proposes a complete set of intrusion process construction methods applicable to critical measurement and control equipment at all levels of the power grid. Based on this method, attack penetration and vulnerability discovery work can be carried out on critical measurement and control equipment at the master station / substation layer, communication layer, and terminal layer of the power grid. Compared with other similar methods, the method proposed in this invention has stronger versatility and can be widely applied to attack penetration and vulnerability discovery scenarios of critical equipment at all levels of the power grid, demonstrating significant engineering practicality and providing strong technical support for power grid network security assurance.
[0075] Example 2 Based on the same inventive concept, this invention also provides a full-link penetration testing system for key power grid equipment, comprising: The hierarchical analysis unit is used to perform hierarchical analysis of network links of key power grid equipment to identify potential threat sources for each network layer corresponding to the key equipment. The penetration testing unit is used to perform full-link penetration testing on key power grid equipment by calling a pre-built full-link vulnerability module resource pool based on the potential threat sources of key equipment corresponding to each network layer. The network layers include the master layer, communication layer, and terminal layer; the full-link vulnerability module resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules between each network layer; the high-risk vulnerability modules are selected based on modular penetration testing of different services on the corresponding key devices of each network layer.
[0076] In one possible implementation, a high-risk vulnerability module determination unit is also included, which includes: The association model construction subunit constructs an association model of the entire link vulnerability port-service-service version by performing combined scanning, vulnerability matching and interactive testing on the operating systems of key devices corresponding to each network layer. The modular testing subunit utilizes a full-link vulnerability port-service-service version association model to perform modular penetration testing on different services on key devices at each network layer, and selects high-risk vulnerability modules from the test results based on preset verification indicators.
[0077] In one possible implementation, the association model building subunit is specifically used for: Port information for each network layer is obtained by performing a combined scan of the operating systems of key devices at each network layer. The port information is matched with a preset vulnerability signature database to determine exploitable vulnerabilities and the vulnerability-port association. Interactive testing is performed on key devices at each network layer using the exploitable vulnerabilities and the vulnerability-port association to determine the backend service and service version of the port corresponding to the exploitable vulnerability, and to construct a full-link vulnerability port-service-service version association model. The association model includes the configuration parameters, interaction processes, and security vulnerability information of each service.
[0078] In one possible implementation, the modular test subunit is specifically used for: Based on the association model of the full-link vulnerability port-service-service version, target vulnerability modules for different services on key devices at each network layer are matched in the pre-built vulnerability module library, and the target vulnerability modules are used to perform modular penetration testing on the corresponding services. The vulnerability module library is constructed for key equipment corresponding to each network layer of the power grid, and includes vulnerability exploitation modules, attack payloads, and auxiliary modules.
[0079] In one possible implementation, the potential threat sources for the key devices corresponding to the main site layer include: main site operating system vulnerabilities, main site malware injection, and main site database vulnerabilities; the full-link vulnerability module resource pool includes a main site operating system vulnerability module, a main site database vulnerability module, a main site malware injection module, and a main site session hijacking module; the penetration testing unit includes: a main site testing subunit, which is used for: By exploiting vulnerabilities in the main site's operating system, an escalation attack was launched against the main site's operating system to gain administrator privileges and then implant a backdoor program. The system exploits a vulnerability in the main site's database to illegally access the main site's database in order to tamper with measurement data or scheduling instructions. The malicious software injection module of the main station is used to forge and issue false control commands to the main station in order to interfere with the power grid fault diagnosis and self-healing decision-making process. The master station session hijacking module is used to intercept communication data between the master station and the terminal, thereby disrupting the normal decision-making process of the master station.
[0080] In one possible implementation, the potential threat sources for the critical devices corresponding to the communication layer include communication packet cracking risks and switch DDoS attack risks; the end-to-end vulnerability module resource pool includes ARP spoofing modules, switch port vulnerability modules, and DDoS attack modules; the penetration testing unit includes a communication layer testing subunit, which is used for: By using an ARP spoofing module to construct a man-in-the-middle attack environment, the system can monitor and crack the communication packets transmitted by the switch in the communication layer, thereby tampering with uplink measurement data and forging downlink control commands. By exploiting a vulnerability in a switch port, bypass access to the communication layer is achieved. A DDoS attack module is then invoked to launch a traffic attack on the communication link of the communication layer, thereby blocking the communication channel between the master station and the terminal.
[0081] In one possible implementation, the potential threat sources for the critical devices corresponding to the terminal layer include malicious attacks on terminal functions, malicious control of terminal communications, and illegal exploitation of terminal ports; the end-to-end vulnerability module resource pool includes terminal operating system vulnerability exploitation modules, terminal operating system kernel vulnerability modules, and terminal memory operation vulnerability modules; the penetration testing unit includes a terminal testing subunit, which is used for: The system calls upon the terminal operating system vulnerability exploitation module to attack the normal functioning of the terminal, thereby preventing the terminal from collecting and feeding back data normally. By exploiting a vulnerability in the terminal's operating system kernel, the attacker can disrupt the terminal's internal communication module and sever the communication link between the terminal and the main station. This attack exploits a terminal memory manipulation vulnerability to compromise the network memory of a terminal device, thereby tampering with configuration parameters and operating policies within that memory.
[0082] Example 3 like Figure 7 As shown, the present invention also provides an electronic device, which may be a computer device, a microcontroller device, a smart mobile device, etc. The electronic device in this embodiment may include a processor, a memory, a transceiver component, etc. The memory, processor, and transceiver component are connected via a bus; the memory can be used to store executable programs, and an exemplary executable program may include instructions; the processor is used to execute the instructions stored in the memory. The memory can also be used to store data, which can be accessed and / or modified when instructions are executed.
[0083] The processor may be a Central Processing Unit (CPU), or it may be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. It is the computing and control core of the terminal, and it is suitable for implementing one or more instructions. Specifically, it is suitable for loading and executing one or more instructions in the storage medium to realize the corresponding method flow or corresponding function, so as to realize the steps of the full-link penetration testing method for key power grid equipment in the above embodiments.
[0084] Example 4 Based on the same inventive concept, this invention also provides a readable storage medium, specifically an electronic device readable storage medium (Memory). An electronic device readable storage medium is a memory device within an electronic device used to store programs and data. It is understood that the storage medium here can include both built-in storage media within the electronic device and extended storage media supported by the electronic device. The storage medium provides storage space, which stores the terminal's operating system. Furthermore, this storage space also stores one or more instructions suitable for loading and execution by a processor. These instructions can be one or more executable programs (including program code). It should be noted that the storage medium here can be high-speed RAM or non-volatile memory, such as at least one disk storage device. Loading and executing one or more instructions stored in the storage medium by the processor can implement the steps of the full-link penetration testing method for key power grid equipment in the above embodiments.
[0085] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0086] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0087] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0088] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0089] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit its scope of protection. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that after reading the present invention, they can still make various changes, modifications or equivalent substitutions to the specific implementation methods of the application, but these changes, modifications or equivalent substitutions are all within the scope of protection of the claims pending approval.
Claims
1. A full-link penetration testing method for key power grid equipment, characterized in that, include: A layered analysis of network security was conducted on the network links of critical power grid equipment to identify potential threat sources for each network layer corresponding to the critical equipment. Based on the potential threat sources of key equipment corresponding to each network layer, a pre-built full-link vulnerability module resource pool is invoked to conduct full-link penetration testing of key power grid equipment; Each network layer includes the master station layer, the communication layer, and the terminal layer; the full-link vulnerability module resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules between each network layer. The high-risk vulnerability modules were selected based on modular penetration testing of different services on key devices at each network layer.
2. The method according to claim 1, characterized in that, The process for identifying the high-risk vulnerability module includes: By performing combined scanning, vulnerability matching, and interactive testing on the operating systems of key devices at each network layer, a full-link association model of vulnerability ports, services, and service versions is constructed. By using a full-link vulnerability port-service-service version association model, modular penetration testing is conducted on different services on key devices at each network layer. High-risk vulnerability modules are then selected from the test results based on preset verification indicators.
3. The method according to claim 2, characterized in that, The process of constructing the association model of the entire vulnerability port-service-service version includes: Port information for each network layer is obtained by performing a combined scan of the operating systems of key devices at each network layer. The port information is matched with a preset vulnerability signature database to determine exploitable vulnerabilities and the vulnerability-port association. Interactive testing is performed on key devices at each network layer using the exploitable vulnerabilities and the vulnerability-port association to determine the backend service and service version of the port corresponding to the exploitable vulnerability, and to construct a full-link vulnerability port-service-service version association model. The association model includes the configuration parameters, interaction processes, and security vulnerability information of each service.
4. The method according to claim 3, characterized in that, The modular penetration test includes: Based on the association model of the full-link vulnerability port-service-service version, target vulnerability modules for different services on key devices at each network layer are matched in the pre-built vulnerability module library, and the target vulnerability modules are used to perform modular penetration testing on the corresponding services. The vulnerability module library is constructed for key equipment corresponding to each network layer of the power grid, and includes vulnerability exploitation modules, attack payloads, and auxiliary modules.
5. The method according to claim 1, characterized in that, The potential threat sources for the key equipment corresponding to the master station layer include: master station operating system vulnerabilities, master station malware injection, and master station database vulnerabilities; the full-link vulnerability module resource pool includes master station operating system vulnerability modules, master station database vulnerability modules, master station malware injection modules, and master station session hijacking modules; the full-link penetration testing of key power grid equipment based on the potential threat sources for key equipment corresponding to each network layer, by calling the pre-built full-link vulnerability module resource pool, includes: By exploiting vulnerabilities in the main site's operating system, an escalation attack was launched against the main site's operating system to gain administrator privileges and then implant a backdoor program. The system exploits a vulnerability in the main site's database to illegally access the main site's database in order to tamper with measurement data or scheduling instructions. The malicious software injection module of the main station is used to forge and issue false control commands to the main station in order to interfere with the power grid fault diagnosis and self-healing decision-making process. The master station session hijacking module is used to intercept communication data between the master station and the terminal, thereby disrupting the normal decision-making process of the master station.
6. The method according to claim 1, characterized in that, The potential threat sources for the key equipment corresponding to the communication layer include communication packet cracking risks and switch DDoS attack risks; the full-link vulnerability module resource pool includes ARP spoofing modules, switch port vulnerability modules, and DDoS attack modules; the full-link penetration testing of key power grid equipment based on the potential threat sources for each network layer and the pre-built full-link vulnerability module resource pool includes: By using an ARP spoofing module to construct a man-in-the-middle attack environment, the system can monitor and crack the communication packets transmitted by the switch in the communication layer, thereby tampering with uplink measurement data and forging downlink control commands. By exploiting a vulnerability in a switch port, bypass access to the communication layer is achieved. A DDoS attack module is then invoked to launch a traffic attack on the communication link of the communication layer, thereby blocking the communication channel between the master station and the terminal.
7. The method according to claim 1, characterized in that, The potential threat sources for the critical equipment corresponding to the terminal layer include malicious attacks on terminal functions, malicious control of terminal communication, and illegal exploitation of terminal ports; the end-to-end vulnerability module resource pool includes terminal operating system vulnerability exploitation modules, terminal operating system kernel vulnerability modules, and terminal memory operation vulnerability modules; the end-to-end penetration testing of critical power grid equipment based on the potential threat sources for critical equipment corresponding to each network layer, by calling the pre-built end-to-end vulnerability module resource pool, includes: The system calls upon the terminal operating system vulnerability exploitation module to attack the normal functioning of the terminal, thereby preventing the terminal from collecting and feeding back data normally. By exploiting a vulnerability in the terminal's operating system kernel, the attacker can disrupt the terminal's internal communication module and sever the communication link between the terminal and the main station. This attack exploits a terminal memory manipulation vulnerability to compromise the network memory of a terminal device, thereby tampering with configuration parameters and operating policies within that memory.
8. A full-link penetration testing system for key power grid equipment, characterized in that, include: The hierarchical analysis unit is used to perform hierarchical analysis of network links of key power grid equipment to identify potential threat sources for each network layer corresponding to the key equipment. The penetration testing unit is used to perform full-link penetration testing on key power grid equipment by calling a pre-built full-link vulnerability module resource pool based on the potential threat sources of key equipment corresponding to each network layer. Each network layer includes the master station layer, the communication layer, and the terminal layer; the full-link vulnerability module resource pool is obtained by modularly encapsulating the vulnerability exploitation chain information formed by high-risk vulnerability modules between each network layer. The high-risk vulnerability modules were selected based on modular penetration testing of different services on key devices at each network layer.
9. An electronic device, characterized in that, include: At least one processor and memory; The memory and processor are connected via a bus; The memory is used to store one or more programs; When the one or more programs are executed by the at least one processor, the method as described in any one of claims 1 to 7 is implemented.
10. A readable storage medium, characterized in that, It contains an executable program, which, when executed, implements the method as described in any one of claims 1 to 7.