A power grid network security situation assessment system and method based on big data analysis

This power grid network security situation assessment system, based on big data analysis, combines power grid operation status with network security incident data to dynamically adjust risk weights. It addresses the static nature of traditional assessment systems and their disconnect from grid operations, achieving context-aware security situation assessment and accurate allocation of defense resources.

CN122288366A · Pending · Publication Date: 2026-06-26 · INFORMATION & TELECOMM COMPANY SICHUAN ELECTRIC POWER

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Application (China)
Current Assignee / Owner: INFORMATION & TELECOMM COMPANY SICHUAN ELECTRIC POWER
Filing Date: 2026-03-11
Publication Date: 2026-06-26

AI Technical Summary

Technical Problem

Traditional power grid network security situation assessment systems cannot dynamically respond to changes in the physical operating status of the power system, resulting in assessment results that are out of sync with the real-time operating needs of the power grid. They are unable to effectively identify key threats and configure defense resources, and lack business sensitivity and timeliness.

Method used

A power grid network security situation assessment system based on big data analysis is adopted. Real-time data is obtained through the power grid operation status perception module, combined with the security event collection module and asset information database. The system uses the operation urgency coefficient calculation module and dynamic risk assessment engine to dynamically adjust risk weights and achieve situation-aware security situation assessment.

Benefits of technology

The system responds dynamically in its cybersecurity situation assessment, adjusting risk weights according to power grid operation status. This improves the timeliness and business relevance of assessment results, ensures accurate allocation of security defense resources, and enhances monitoring and analysis efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

Figure CN122288366A_ABST (abstract drawing)

Abstract

This application discloses a power grid network security situation assessment system and method based on big data analysis. The method involves receiving network security event data and operational urgency coefficients; for each network security event, querying an asset information database based on its included IP address to determine the corresponding asset function category; assigning a basic risk value to the network security event based on the asset function category; querying a preset dynamic weight mapping table based on the currently received operational urgency coefficient to obtain a dynamic adjustment factor corresponding to the asset function category; multiplying the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the network security event; aggregating the final dynamic risk values of all network security events to calculate a dynamic security situation score; and outputting and displaying the dynamic security situation score and a list of high-risk events whose final dynamic risk value exceeds a preset threshold. This application improves the efficiency of power grid network security situation assessment.

Description

Technical Field

[0001] This application relates to the field of security assessment technology, and in particular to a power grid network security situation assessment system and method based on big data analysis.

Background Technology

[0002] Traditional power grid network security situation assessment systems primarily rely on the collection, aggregation, and static rule analysis of cybersecurity events. Their assessment models are typically independent of the actual physical operating state of the power system. These systems often treat the network as a relatively closed technical domain, scoring and ranking various security events using preset, fixed threat weights to form an overall security situation assessment. While this method can reflect the activity level of network threats, its assessment dimensions are singular, failing to consider the power grid's essential nature as a cyber-physical system. This results in a significant gap between its output and the real-time security requirements of the power grid.

[0003] The drawbacks of existing technologies are primarily reflected in the static and lagging nature of the assessment results. Because the risk weight parameters in the assessment model are pre-set and remain unchanged over a long period, the system cannot perceive the dynamic changes in the power grid's operating conditions. Whether the power grid is in a period of light load and stability, or in a highly stressed and vulnerable period such as peak summer demand, critical equipment maintenance, or post-fault recovery, its capacity and tolerance to the same network threat vary drastically, but traditional static assessment models cannot distinguish between these. This leads to redundant alarms for a large number of low-to-medium risk events when the power grid is stable, diverting maintenance efforts; while when the power grid is vulnerable, it cannot effectively highlight potential cascading failures in production control network attacks from a massive number of events, resulting in assessment results lacking necessary business sensitivity and timeliness.

[0004] Furthermore, existing technologies lack in-depth correlation and contextualized interpretation of the business impact of cybersecurity incidents. While traditional methods can identify the technical characteristics of attacks and target IPs, they struggle to automatically and accurately correlate the target's specific function and criticality within the power production business process. They also cannot quantify the level of physical consequences a successful cyberattack might trigger under the current power grid operating conditions. This leads to security operation and maintenance decisions often being based on purely technical threat levels, failing to directly link them to core production objectives such as "ensuring power supply reliability" and "maintaining power grid stability." Consequently, the allocation of security defense resources may deviate from the most pressing needs of actual business risks, making it difficult to support a proactive defense system that is preventative and coordinated with power grid operational risks.

[0005] To address the aforementioned issues, there is an urgent need in this field for an assessment technology that can break down cyber-physical barriers and deeply integrate real-time power grid operation status with network security monitoring data. This technology would enable the perception and assessment of the network security situation to respond dynamically to changes in the physical operational vulnerabilities of the power system, thereby achieving a fundamental shift in risk assessment from static and universal to dynamic and context-aware, and providing an accurate and timely decision-making basis for integrated power grid security protection.

Summary of the Invention

[0006] To address the shortcomings of existing technologies, this application provides a power grid network security situation assessment system and method based on big data analysis.

[0007] Firstly, this application provides a power grid network security situation assessment system based on big data analysis, comprising: a power grid operation status sensing module, used to obtain power grid operation status data from the energy management system and dispatch logs; a security incident acquisition module, used to acquire network security incident data from the security information and incident management system; an asset information database, used to store the mapping relationship between the IP addresses of network assets and their functions; an operation urgency coefficient calculation module, connected to the power grid operation status sensing module and used to receive the power grid operation status data, quantify multiple indicators in the power grid operation status data into sub-scores, and fuse all sub-scores with a weighted fusion algorithm into an operation urgency coefficient with a value range of [0,1]; and a dynamic risk assessment engine, connected to the security event acquisition module, the asset information database, and the operational urgency coefficient calculation module respectively, and used for: receiving the network security incident data and the operational urgency coefficient; for each cybersecurity incident, querying the asset information database based on the IP address it contains to determine the asset function classification corresponding to the incident; based on the asset function classification, assigning a basic risk value to the cybersecurity incident; based on the currently received operational urgency coefficient, querying the preset dynamic weight mapping table to obtain the dynamic adjustment factor corresponding to the asset function classification; multiplying the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the cybersecurity incident; and aggregating the final dynamic risk values of all cybersecurity incidents to calculate a dynamic security posture score. A situation display module is connected to the dynamic risk assessment engine and is used to output and display the dynamic security situation score and a list of high-risk events whose final dynamic risk value exceeds a preset threshold.

[0008] Preferably, the power grid operation status data includes key section power flow values, total system load values, system N-1 check status, and preset keywords identified from the dispatch log text obtained from the energy management system.

[0009] Preferably, the urgency coefficient calculation module is specifically used for: assigning a predefined weight to each of the key section power flow value, total system load value, system N-1 check status, and preset keywords; comparing the key section power flow value and total system load value with preset threshold intervals and assigning corresponding sub-scores according to the interval in which each falls; converting the system N-1 check status and the identified preset keywords into Boolean values as sub-scores; weighting and summing all sub-scores according to their corresponding predefined weights to obtain an initial coefficient; and smoothing and limiting the initial coefficient using a preset function to output the operation urgency coefficient.

[0010] Preferably, the preset dynamic weight mapping table stores the correspondence between different operational urgency coefficient intervals and different asset function classifications, and presets a dynamic adjustment factor for each set of correspondences.

[0011] Preferably, the asset function classification defined in the preset dynamic weight mapping table includes at least production control assets and management information assets; wherein, the dynamic adjustment factor corresponding to the production control assets increases as the operational urgency coefficient increases, and the dynamic adjustment factor corresponding to the management information assets decreases as the operational urgency coefficient increases.

[0012] Preferably, the asset function classification in the asset information database is based on the role of network assets in power grid operations.

[0013] Preferably, when calculating the dynamic security posture score, the dynamic risk assessment engine is further used to: aggregate multiple cybersecurity incidents originating from the same attack source and targeting the same asset function within a preset time window into a single aggregated security incident; and calculate the final dynamic risk value of the aggregated security incident as the product of the sum of the basic risk values of the multiple cybersecurity incidents it contains and the dynamic adjustment factor.

[0014] Preferably, the dynamic risk assessment engine is also used to receive external threat intelligence data; when the source IP of a network security incident is found in the blacklist of the threat intelligence data, its final dynamic risk value is further multiplied by a threat intelligence correction factor greater than 1.

[0015] Preferably, the system also includes a strategy simulation module connected to the dynamic risk assessment engine and the operational urgency coefficient calculation module. The strategy simulation module is used for: receiving simulated power grid operating status data sequences; driving the operation urgency coefficient calculation module to generate the corresponding simulated operation urgency coefficient sequence; driving the dynamic risk assessment engine to calculate a simulated dynamic security posture score sequence based on the simulated urgency coefficient sequence and a set of simulated network security event data; and outputting a correlation analysis report between the simulated operational urgency coefficient sequence and the simulated dynamic security situation score sequence.

[0016] Secondly, this application provides a method for assessing the cybersecurity situation of power grid networks based on big data analysis, including the following steps: obtaining power grid operation status data from the energy management system and dispatch logs; obtaining cybersecurity incident data from the security information and incident management system; storing the mapping relationship between the IP addresses of network assets and the functions of the assets; receiving the power grid operation status data, quantifying multiple indicators in the power grid operation status data into sub-scores, and fusing all sub-scores with a weighted fusion algorithm into an operation urgency coefficient with a value range of [0,1]; receiving the network security incident data and the operational urgency coefficient; for each cybersecurity incident, querying the asset information database based on the IP address it contains to determine the asset function classification corresponding to the incident; based on the asset function classification, assigning a basic risk value to the cybersecurity incident; based on the currently received operational urgency coefficient, querying the preset dynamic weight mapping table to obtain the dynamic adjustment factor corresponding to the asset function classification; multiplying the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the cybersecurity incident; aggregating the final dynamic risk values of all cybersecurity incidents to calculate a dynamic security posture score; and outputting and displaying the dynamic security situation score and the list of high-risk events whose final dynamic risk value exceeds a preset threshold.

[0017] In summary, this application includes at least one of the following beneficial technical effects:

1. This application provides a power grid network security situation assessment system based on big data analysis. By introducing a core dynamic variable, the system quantifies the tension and vulnerability of power grid operation in real time and uses this as the core basis for adjusting the risk value of network security incidents. This enables the system to automatically perceive the power grid's operating conditions and dynamically adjust the risk weights of different functional assets when facing network threats. The assessment results are no longer isolated from business operations but closely follow changes in the physical state of the power grid. It automatically strengthens warnings about threats to critical production control when the power grid is vulnerable, and reasonably suppresses non-critical alarms during stable periods. This gives the situation awareness true "contextual awareness" capabilities, making the output results more timely and providing business guidance.

2. A precise mapping between network IP addresses and the specific functions of assets in power grid operations is established through a pre-built asset information database. When a security incident occurs, it can automatically identify the business function category to which the attack target belongs and assign a corresponding basic risk value. Combined with a dynamic weight mapping table, it can differentiate and adjust the risk amplification or reduction coefficients of different business function assets according to the current urgency of power grid operation. This ensures that the final risk value of the security incident directly reflects its potential impact level on the current specific business operation environment, transforming abstract network security threats into concrete and understandable business operation risks, and providing a direct basis for the precise deployment of defense resources.

3. The dynamic security situation score and high-risk event list output by this system are not only a summary of technical alarms, but also decision support information that integrates the real-time operation risk background of the power grid. This enables security management personnel to formulate and adjust defense strategies based on "what are the most important business risks faced under the current power grid conditions", so as to achieve synergistic linkage between network security protection and the safe and stable operation of the power system.

4. By automatically recalibrating the weight of events through dynamic adjustment factors and intelligently aggregating them in conjunction with dimensions such as attack source, time window, and target asset, redundant alarm interference from non-core assets during non-critical periods is effectively reduced. At the same time, the introduction of external threat intelligence data for correction further improves the accuracy of risk identification. This enables security operations personnel to quickly focus, from a complex array of events, on security events that pose a substantial high risk to critical business operations under specific power grid operation conditions, significantly improving monitoring and analysis efficiency.

Attached Figure Description

[0018] To more clearly illustrate the technical solutions of the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1 is a schematic diagram of a power grid network security situation assessment system based on big data analysis, according to an embodiment of this application.

[0020] Figure 2 is a flowchart of a method for assessing the cybersecurity situation of a power grid based on big data analysis, as described in this application.

Detailed Implementation

[0021] This application is described in further detail below with reference to Figures 1-2.

[0022] Example 1: This application discloses a power grid network security situation assessment system based on big data analysis.

[0023] Referring to Figure 1, a power grid network security situation assessment system based on big data analysis includes: a power grid operation status sensing module, used to obtain power grid operation status data from the energy management system and dispatch logs; a security incident acquisition module, used to acquire network security incident data from the security information and incident management system; an asset information database, used to store the mapping relationship between the IP addresses of network assets and their functions; an operation urgency coefficient calculation module, connected to the power grid operation status sensing module and used to receive the power grid operation status data, quantify multiple indicators in the power grid operation status data into sub-scores, and fuse all sub-scores with a weighted fusion algorithm into an operation urgency coefficient with a value range of [0,1]; and a dynamic risk assessment engine, connected to the security event acquisition module, the asset information database, and the operational urgency coefficient calculation module respectively, and used for: receiving the network security incident data and the operational urgency coefficient; for each cybersecurity incident, querying the asset information database based on the IP address it contains to determine the asset function classification corresponding to the incident; based on the asset function classification, assigning a basic risk value to the cybersecurity incident; based on the currently received operational urgency coefficient, querying the preset dynamic weight mapping table to obtain the dynamic adjustment factor corresponding to the asset function classification; multiplying the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the cybersecurity incident; and aggregating the final dynamic risk values of all cybersecurity incidents to calculate a dynamic security posture score. A situation display module is connected to the dynamic risk assessment engine and is used to output and display the dynamic security situation score and a list of high-risk events whose final dynamic risk value exceeds a preset threshold.

[0024] Specifically, the power grid operation status perception module and the security event acquisition module constitute the system's heterogeneous data input sources, respectively acquiring power grid operation status data reflecting the physical operational stress of the power grid and cybersecurity event data reflecting cyberspace threats. The asset information database provides a crucial mapping relationship between network identifiers (IPs) and business roles (asset functions), serving as the basis for subsequent business-oriented risk classification. The core function of the operation urgency coefficient calculation module is to aggregate multi-dimensional, heterogeneous power grid operation indicators into a unified, quantified operation urgency coefficient, which is the core bridge data connecting the power grid physical state and cybersecurity assessment. The dynamic risk assessment engine is the system's intelligent processing center, receiving all the above data and executing key logic: first, it uses the asset information database to classify raw security events according to their business impact; then, it introduces the dynamic variable of the operation urgency coefficient and, by querying a preset mapping table, modulates the basic risk values of the various events in real time, thereby obtaining final dynamic risk values strongly correlated with the current state of the power grid; finally, it aggregates the data to form an overall situational score. The situational display module is responsible for visually outputting the processing results. By using the urgency coefficient as an intermediate variable, the weight parameters of the cybersecurity risk assessment model are dynamically and adaptively adjusted, enabling the assessment results to sensitively reflect the operational status of the power grid and solving the problem of the disconnect between the traditional static assessment model and actual power production.

[0025] Furthermore, the power grid operation status perception module is used to acquire power grid operation status data from the energy management system and dispatch logs. Specifically, it involves collecting key parameters and text information reflecting the physical health and stress level of the power grid from the energy management system, wide-area measurement system, and dispatcher operation logs in the power production control area in real time or near real time through standardized data interfaces or log parsers. The energy management system provides quantitative telemetry data and status signals such as power flow values ​​of key transmission sections, total system load, bus voltage, line current carrying capacity, and N-1 static security verification results; the dispatch logs contain natural language text entered by dispatchers, recording special operating arrangements or abnormal events. The role of this module is to break down data barriers between cyber-physical systems, providing crucial power grid operation context for network security assessment, enabling security analysis to perceive whether the power grid is in a "stable," "alert," or "emergency" physical state.

[0026] The security incident acquisition module is used to obtain network security incident data from the security information and incident management system. Specifically, it continuously aggregates standardized alarms and logs generated by various network security devices such as network intrusion detection systems, firewalls, endpoint detection and response systems, and vulnerability scanners through methods such as syslog, SIEM API, or message queues. Each network security incident data entry includes at least the following fields: incident timestamp, source IP address, destination IP address, incident type, protocol, and threat level. This module provides a raw observation data stream of cyberspace threat activities, serving as the input basis for situational assessment.

[0027] The asset information database stores the mapping relationship between the IP addresses of network assets and their functions. Specifically, it refers to a pre-built and continuously maintained configuration management database or asset list that establishes the association between addressable devices (identified by IP addresses) in cyberspace and their functional roles in power production and management. For example, a specific IP address may be mapped to "SCADA front-end server", "500kV substation control layer switch", "relay protection device", or "marketing system web server".

[0028] The urgency coefficient calculation module, connected to the power grid operation status sensing module, receives power grid operation status data, quantifies multiple indicators in the data into sub-scores, and calculates an urgency coefficient with a value in [0,1] using a weighted fusion algorithm. Specifically, this module incorporates a set of quantization rules and a fusion algorithm. The quantization rules preset multiple threshold intervals (e.g., "normal," "warning," "emergency") for each operation indicator (e.g., section power flow, total system load), mapping real-time values to the corresponding interval and assigning a sub-score (e.g., 0.2, 0.6, 0.9). For text logs, fixed scores are assigned through keyword matching (e.g., "special inspection," "power supply guarantee"). The fusion algorithm assigns predefined weights to each indicator's sub-score and performs a weighted sum to obtain an initial urgency value. Finally, it normalizes and limits the value using a preset smoothing function (e.g., an S-shaped function) to output the final urgency coefficient. This produces a single computable scalar that characterizes the real-time vulnerability of the power grid: a higher coefficient indicates a weaker ability of the power grid to withstand additional disturbances.
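As an added illustration of the quantization and fusion steps described above (not code from the patent), the following Python computes the operation urgency coefficient from the four indicators named in [0008]. The weights, threshold intervals, sub-scores, keyword list and logistic smoothing parameters are constructed assumptions, since the description fixes none of these values.

```python
"""Operation urgency coefficient (OCC) from power grid operating indicators.

Added example, not the patent's own code. Weights, threshold intervals,
sub-scores, the keyword list and the smoothing parameters are constructed
assumptions; the description names the indicators but fixes no values.
"""
import math

# Threshold intervals (constructed): list of (upper bound, sub-score).
# Indicators are given as a fraction of their rated limit; the first
# bound the value falls below selects the sub-score, i.e. 0.2 "normal",
# 0.6 "warning", 0.9 "emergency".
SECTION_FLOW_BANDS = [(0.80, 0.2), (0.95, 0.6), (math.inf, 0.9)]
SYSTEM_LOAD_BANDS = [(0.70, 0.2), (0.90, 0.6), (math.inf, 0.9)]

# Dispatch-log keywords that mark a stressed operating period (constructed).
URGENT_KEYWORDS = ("special inspection", "power supply guarantee", "post-fault recovery")

# Predefined weights for the four indicators (constructed; they sum to 1).
WEIGHTS = {"section_flow": 0.35, "system_load": 0.25, "n1_failed": 0.25, "keyword": 0.15}


def band_score(value: float, bands) -> float:
    """Map a numeric indicator onto the sub-score of the interval it falls in."""
    for upper, score in bands:
        if value < upper:
            return score
    return bands[-1][1]  # unreachable with an inf final bound, kept for safety


def keyword_flag(log_text: str) -> bool:
    """Boolean sub-score: does the dispatch log text contain an urgent keyword?"""
    text = log_text.lower()
    return any(keyword in text for keyword in URGENT_KEYWORDS)


def smooth_and_clamp(initial: float, steepness: float = 8.0, midpoint: float = 0.5) -> float:
    """S-shaped (logistic) smoothing of the initial coefficient, limited to [0, 1]."""
    smoothed = 1.0 / (1.0 + math.exp(-steepness * (initial - midpoint)))
    return min(1.0, max(0.0, smoothed))


def sub_scores(section_flow_ratio: float, system_load_ratio: float,
               n1_passed: bool, dispatch_log: str) -> dict:
    """Quantize the four indicators of [0008] into sub-scores."""
    return {
        "section_flow": band_score(section_flow_ratio, SECTION_FLOW_BANDS),
        "system_load": band_score(system_load_ratio, SYSTEM_LOAD_BANDS),
        "n1_failed": 0.0 if n1_passed else 1.0,           # Boolean sub-score
        "keyword": 1.0 if keyword_flag(dispatch_log) else 0.0,
    }


def urgency_coefficient(section_flow_ratio: float, system_load_ratio: float,
                        n1_passed: bool, dispatch_log: str) -> float:
    """Weighted fusion of the sub-scores, then smoothing, giving an OCC in [0, 1]."""
    scores = sub_scores(section_flow_ratio, system_load_ratio, n1_passed, dispatch_log)
    initial = sum(WEIGHTS[name] * score for name, score in scores.items())
    return round(smooth_and_clamp(initial), 3)


if __name__ == "__main__":
    # Constructed inputs: a light-load stable day versus a stressed peak period.
    print(urgency_coefficient(0.55, 0.50, True, "Routine operation, no special arrangements"))
    print(urgency_coefficient(0.97, 0.92, False, "Power supply guarantee period for summer peak"))
```

The logistic smoothing keeps the coefficient inside [0,1] but compresses the extremes, so the interval boundaries of the dynamic weight mapping table should be chosen against the smoothed output rather than the raw weighted sum.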

[0029] The dynamic risk assessment engine, which connects the security event acquisition module, the asset information database, and the operational urgency coefficient calculation module, is the core processing and decision-making unit of the system. It receives and correlates data streams from three directions: the original security event stream, asset function mapping relationships, and real-time operational urgency coefficients. Its internal logic enables the transformation from static risk assessment to dynamic, scenario-aware assessment.

[0030] The dynamic risk assessment engine is used to receive the network security incident data and the operational urgency coefficient; this is the input of the engine, which aligns and correlates discrete network attack events with continuous power grid operation status representations in time and space, preparing a data foundation for subsequent contextual analysis.

[0031] For each cybersecurity incident, the asset information database is queried based on its contained IP address to determine the corresponding asset function category. Specifically, the engine parses the source or destination IP of each security incident, retrieves the asset information database, and obtains the business role tag corresponding to that IP, such as "Production Control - Data Acquisition" or "Management Information - Office". This step completes the first risk translation from the technical layer to the business layer, concretizing a "TCP 445 port scan" as a "port scan of the production control server", allowing its potential harm to be initially distinguished based on asset function.

[0032] Specifically, based on the asset function classification, a basic risk value is assigned to each cybersecurity incident. This means that, according to a pre-defined risk knowledge base, an initial, static risk score is assigned to each "event type-asset function" combination. For example, the basic risk value for "vulnerability scanning" targeting "production control servers" might be "70" (high risk), while the basic risk value for "office terminals" might be "30" (medium risk). This basic risk value reflects the threat level of the incident within a general, routine risk assessment framework.

[0033] The core of this scheme for dynamic assessment lies in the following step: based on the currently received operational urgency coefficient, a pre-defined dynamic weight mapping table is consulted to obtain the dynamic adjustment factor corresponding to the asset function classification. The dynamic weight mapping table is a predefined strategy table that establishes a mapping relationship between different numerical ranges of the operational urgency coefficient (OCC) (e.g., [0, 0.4] relaxed, [0.4, 0.7] normal, [0.7, 1.0] tense) and the risk weight amplification or reduction coefficients (i.e., dynamic adjustment factors) required for different asset function classifications. For example, when OCC > 0.7, the mapping table specifies an adjustment factor of 2.5 for "production control" assets and 0.6 for "management information" assets. This step introduces the power grid operating status as a dynamic modulation variable for risk weights, allowing the same security event to have different assessment weights under different power grid conditions.

[0034] The final dynamic risk value of the cybersecurity incident is obtained by multiplying the basic risk value by the dynamic adjustment factor; this is the specific calculation of risk quantification modulation. Through multiplication, the basic risk value is dynamically modulated by the business scenario represented by the operational urgency coefficient. For example, in a scan of an RTU, the basic risk value is 70. If the current power grid is stable (OCC=0.3, adjustment factor=1.0), the final risk value remains 70; if the power grid is in an emergency power supply state (OCC=0.9, adjustment factor=3.0), the final risk value jumps to 210. This calculation allows the risk value to respond sensitively and non-linearly to changes in the physical state of the power grid.

[0035] Specifically, the engine aggregates the final dynamic risk values of all cybersecurity events to calculate a dynamic security posture score. Within a preset time window, the engine performs aggregation operations on all dynamically modulated final dynamic risk values, such as summing, taking the maximum value, or calculating a weighted average, to generate a single quantitative score representing the current overall cybersecurity posture. This score not only reflects the activity level of cyber threats but also inherently implies the current power grid's resilience and sensitivity to cyber threats, serving as a situational awareness posture indicator.

[0036] The situation display module, connected to the dynamic risk assessment engine, outputs and displays the dynamic security situation score and a list of high-risk events whose final dynamic risk value exceeds a preset threshold. Specifically, it uses a visual dashboard, large screen, or alarm terminal to comprehensively display the dynamic security situation score, real-time operational urgency coefficient, and sorted and filtered details of high-risk events in the form of curves, dashboards, topology diagrams, and lists. The display module presents the OCC curve and the situation score curve side-by-side, intuitively revealing their relationship and clearly indicating which asset function and current OCC level led to the increased risk level of the high-risk event. This enables security operations personnel to understand risk priorities based on the power grid business status, achieving a leap from "seeing alarms" to "understanding business risks."

[0037] The working process and principle of this application are as follows: First, the power grid operation status perception module obtains power grid operation status data from the energy management system and dispatch logs, while the security event acquisition module obtains network security event data from the security information and event management system. Next, the operation urgency coefficient calculation module receives the power grid operation status data, quantifies its multiple indicators into sub-scores, and calculates the operation urgency coefficient using a weighted fusion algorithm. Simultaneously, the dynamic risk assessment engine receives network security event data and, for each event, queries the asset information database based on its IP address to determine the asset function classification and assigns a basic risk value. Then, the engine queries the dynamic weight mapping table based on the real-time received operation urgency coefficient to obtain the corresponding dynamic adjustment factor, and multiplies the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value for each event. Afterward, the engine aggregates all final dynamic risk values to calculate a dynamic security situation score. Finally, the situation display module outputs and displays the score and a list of high-risk events exceeding the threshold. Through the above process, the system achieves deep coupling and dynamic linkage between network security risk perception and the physical operation status of the power grid, ensuring that the security situation assessment results always serve the core business objective of "ensuring the safe and stable operation of the power grid."

[0038] For example, the power grid operation status data includes key section power flow values, total system load values, system N-1 check status, and preset keywords identified from the dispatch log text obtained from the energy management system.

[0039] Specifically, the power flow value at critical sections and the total system load are key quantitative indicators reflecting the real-time load and stability margin of the power grid; the system N-1 check status is an important binary state indicator for judging the strength of the power grid's structure; and preset keywords identified from the dispatch logs (such as "power supply guarantee" and "special inspection") represent the qualitative judgments and work arrangements made by dispatchers based on experience. The combination of these data ensures that the calculation of the operational urgency coefficient considers both objective electrical measurements and subjective human dispatch intentions, thus more comprehensively depicting the true level of tension in power grid operation. For example, even if electrical measurement indicators are normal, frequent "special inspection" orders may indicate hidden risks, requiring increased system vigilance. Alternative technical measures include adding other indicators reflecting the power grid status, such as voltage stability margin and spinning reserve capacity.

[0040] For example, the urgency coefficient calculation module is specifically used for: assigning a predefined weight to each of the key section power flow value, total system load value, system N-1 check status, and preset keywords; comparing the key section power flow value and total system load value with preset threshold intervals and assigning corresponding sub-scores according to the interval in which they fall; converting the system N-1 check status and the identified preset keywords into Boolean values as sub-scores; weighting and summing all sub-scores according to their corresponding predefined weights to obtain the initial coefficient; and smoothing and limiting the initial coefficient using a preset function to output the operational urgency coefficient.

[0041] Specifically, firstly, predefined weights are assigned to different indicators, reflecting the differences in their contribution to the "urgency" of the power grid. For example, the weight of failing the N-1 check is usually much higher than that of a single section under heavy load. Secondly, for continuous measurement indicators, discretization and normalization are achieved by comparing them with preset threshold intervals and assigning sub-scores; status and text data are converted directly into scores. Next, multi-source information is fused through weighted summation to obtain the initial coefficient. Finally, a preset function (such as the sigmoid function or a piecewise linear function) is applied, which serves two purposes: first, to smooth the transition and avoid abrupt changes in the coefficient; and second, to limit the result to the range [0,1]. The key formula can be exemplified as: OCC_initial = Σ(W_i × S_i), where W_i is the predefined weight of the i-th indicator and S_i is its corresponding sub-score; OCC = f(OCC_initial), where f() is the smoothing and limiting function. For example, set the sub-score of a certain section to 0.2 for the normal power flow interval, 0.6 for the warning interval, and 0.9 for the emergency interval, and set it to 0 for passing the N-1 check and 1 for failing. If the current section is in the warning interval (S1 = 0.6, W1 = 0.3) and the N-1 check fails (S2 = 1, W2 = 0.5), then the initial coefficient is 0.6 × 0.3 + 1 × 0.5 = 0.68, and after function processing the output is OCC = 0.75. This calculation is the first and crucial step in realizing dynamic assessment in this invention; its output OCC value directly determines the adjustment mode of the subsequent risk assessment.
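The OCC pipeline of [0040]-[0041] carried through in Python, as an added example that is not part of the patent: the threshold intervals, the weights W_i and the logistic smoothing function f() are assumptions, chosen so that the patent's own worked numbers (S1 = 0.6, W1 = 0.3, S2 = 1, W2 = 0.5 giving 0.68, and 0.68 smoothing to about 0.75) are reproduced.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed threshold intervals for the two continuous indicators, expressed as a
# fraction of the rated/limit value. Sub-scores 0.2 / 0.6 / 0.9 (normal / warning /
# emergency) follow the patent's example; the interval boundaries are assumed.
SECTION_FLOW_BANDS: List[Tuple[float, float]] = [(0.80, 0.2), (0.95, 0.6), (math.inf, 0.9)]
SYSTEM_LOAD_BANDS: List[Tuple[float, float]] = [(0.70, 0.2), (0.90, 0.6), (math.inf, 0.9)]

# Assumed predefined weights W_i for the four indicators of claim 3. Only the
# relationship "N-1 failure outweighs a single heavy section" comes from the text.
WEIGHTS: Dict[str, float] = {
    "section_flow": 0.3,
    "system_load": 0.1,
    "n1_failed": 0.5,
    "keyword": 0.1,
}

# Preset keywords from [0039]; matching is a case-insensitive substring search.
URGENT_KEYWORDS = ("power supply guarantee", "special inspection")


@dataclass(frozen=True)
class GridState:
    section_flow_ratio: float   # key section power flow / section limit
    system_load_ratio: float    # total system load / rated capacity
    n1_failed: bool             # True if the system N-1 check fails
    dispatch_log: str           # dispatch log text for the same period


def band_score(value: float, bands: List[Tuple[float, float]]) -> float:
    """Discretise a continuous measurement into the sub-score of its threshold interval."""
    for upper, score in bands:
        if value < upper:
            return score
    return bands[-1][1]


def quantify(state: GridState) -> Dict[str, float]:
    """Turn the four indicators into sub-scores S_i (Boolean indicators become 0/1)."""
    text = state.dispatch_log.lower()
    return {
        "section_flow": band_score(state.section_flow_ratio, SECTION_FLOW_BANDS),
        "system_load": band_score(state.system_load_ratio, SYSTEM_LOAD_BANDS),
        "n1_failed": 1.0 if state.n1_failed else 0.0,
        "keyword": 1.0 if any(k in text for k in URGENT_KEYWORDS) else 0.0,
    }


def fuse(sub_scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted fusion: OCC_initial = sum_i W_i * S_i over the indicators supplied."""
    return sum(weights[name] * score for name, score in sub_scores.items())


def smooth_and_limit(x: float, k: float = 6.0, centre: float = 0.5) -> float:
    """Assumed smoothing/limiting function f(): a logistic curve, so the output stays
    in (0, 1) and a small change in the initial coefficient never causes a jump."""
    return 1.0 / (1.0 + math.exp(-k * (x - centre)))


def operational_urgency_coefficient(state: GridState) -> float:
    """Full pipeline of claim 3: quantify -> weighted fusion -> smooth and limit."""
    return smooth_and_limit(fuse(quantify(state), WEIGHTS))


if __name__ == "__main__":
    # Constructed scenario: one section in the warning band, N-1 failing, a
    # "special inspection" order in the log, system load still in the normal band.
    state = GridState(0.90, 0.60, True, "Issue special inspection for 500 kV line; reinforce duty")
    print(quantify(state))
    print(round(operational_urgency_coefficient(state), 3))
```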

[0042] For example, the preset dynamic weight mapping table stores the correspondence between different operational urgency coefficient intervals and different asset function classifications, and presets a dynamic adjustment factor for each set of correspondences.

[0043] Specifically, the dynamic weight mapping table establishes the mapping rules from the Operational Urgency Coefficient (OCC) to the risk weight adjustment strategy. It divides continuous OCC values into several intervals (e.g., [0, 0.3] for lenient, [0.3, 0.7] for normal, and [0.7, 1.0] for tense), and pre-sets an adjustment factor for different asset function categories within each interval. This design enables the risk assessment strategy to respond to changes in grid status in a segmented and non-linear manner, serving as the concrete carrier of business logic. For example, the mapping table can specify that when OCC ∈ [0.7, 1.0], the adjustment factor for "data acquisition and monitoring server" is 3.0, and the adjustment factor for "office terminal" is 0.5. This means that during periods of grid stress, the risk of production control threats is significantly amplified, while the relative importance of office network threats is reduced. The content of this table needs to be pre-defined by grid security experts based on business experience and risk assessment, serving as the rule base for the system's intelligent decision-making.

[0044] For example, the asset function classification defined in the preset dynamic weight mapping table includes at least production control assets and management information assets; wherein, the dynamic adjustment factor corresponding to the production control assets increases as the operational urgency coefficient increases, and the dynamic adjustment factor corresponding to the management information assets decreases as the operational urgency coefficient increases.

[0045] Specifically, classifying asset functions into at least "production control" and "management information" categories is based on the core principle of "safety first, power supply guarantee" in power grid operations. The technical effect is that when power grid operations are more urgent (OCC increases), the system automatically shifts the focus of security assessments towards assets and threats that may directly affect power production and control, as these threats may cause more severe physical consequences at this time. Conversely, the risk assessment of threats to management information assets may be relatively weakened to avoid generating a flood of disruptive alarms at critical moments. This asymmetric, target-specific dynamic adjustment is the innovation of this solution compared to static assessment methods that treat all threats "equally." It ensures that limited cybersecurity operation and maintenance attention resources are accurately deployed to the most critical defense positions at critical moments.

[0046] For example, the asset function classification in the asset information database is based on the role of network assets in power grid operations.

[0047] Specifically, mapping IP addresses to specific business roles such as "SCADA / EMS" (Supervisory Control and Data Acquisition Server), "Remote Terminal Unit" (RTU), "Protection Device," and "Office Terminal" is a crucial step in transforming raw technical alarms into risk events with business implications. For example, a port scan can have drastically different potential impacts on an "office terminal" and a "remote terminal unit." This classification serves as the direct basis for subsequent basic risk value assignment and dynamic weighting. Alternative technical approaches include adopting finer-grained classifications, such as differentiating between substation RTUs of different voltage levels, or adding new asset categories such as "metering terminals" and "distributed energy gateways" to adapt to the continuous development of the power grid.

[0048] For example, when calculating the dynamic security posture score, the dynamic risk assessment engine is further used to: aggregate multiple cybersecurity incidents originating from the same attack source and targeting the same asset function within a preset time window into a single aggregated security incident. The final dynamic risk value of the aggregated security event is calculated as the product of the sum of the basic risk values of the multiple cybersecurity events it contains and the dynamic adjustment factor.

[0049] Specifically, in real-world cyberattacks, attackers often launch multiple probing attacks within a short period. Evaluating and displaying each individual event separately would result in a lengthy and distracting alert list. By aggregating attacks by source, target, and time window, a series of related low-level events can be merged into a higher-level "attack activity" event. The final dynamic risk value is calculated by first aggregating the basic risks, then applying a unified dynamic adjustment factor. For example, if the same IP launches 10 vulnerability scans against a specific RTU within 5 minutes (each with a basic risk value of 1), without aggregation, 10 "medium-risk" alerts would be displayed. After aggregation, a single aggregated event is generated, with a sum of basic risk values of 10. If the current OCC is high, resulting in an adjustment factor of 3, the final dynamic risk value is 30, potentially classifying it as a "high-risk" event. This significantly improves the efficiency of identifying high-risk attack activities and the operability of alerts.

[0050] Furthermore, the situation display module is also connected to the operation urgency coefficient calculation module, which is used to display the curve of the operation urgency coefficient changing over time and the curve of the dynamic security situation score changing over time side by side in the same visualization interface.

[0051] Specifically, displaying the OCC curve alongside the situation score curve allows operators to visually observe the correlation between the two. For example, when the OCC curve spikes due to a load surge or equipment failure, it can be simultaneously observed whether the situation score curve also rises accordingly, even if the number of security events does not increase significantly. This directly demonstrates the effectiveness of the system's dynamic weight adjustment mechanism. This visualization helps security administrators understand "why the risk has increased at this time," enabling them to make decisions not only based on the security event itself but also on a deep understanding of the overall operational risks of the power grid, achieving a leap from "seeing alarms" to "understanding risks."

[0052] For example, the dynamic risk assessment engine is also used to receive external threat intelligence data; When it is determined that the source IP of a network security incident exists in the blacklist of the threat intelligence data, it is necessary to multiply it by a threat intelligence correction factor greater than 1 when calculating its final dynamic risk value.

[0053] Specifically, threat intelligence data, such as known malicious IP address databases and indicators of Advanced Persistent Threat (APT) groups, provides contextual information beyond local detection. For attacks originating from known malicious sources, even if the attack methods appear ordinary, their true intent and potential harm may be greater. By multiplying the final dynamic risk value by a correction factor greater than 1 (e.g., 1.5), the risk of such events is "weighted up." This step, built on top of the dynamic adjustment factor modulation, achieves a dual enhancement of "internal state (OCC) modulation" and "external intelligence correction." For example, a scan from an ordinary IP has its risk value increased when OCC = 0.9; the same scan from a known APT group's IP has that already-increased risk value multiplied again by the threat intelligence correction factor, and is therefore marked as a highest-priority event. This enhances the system's ability to respond to advanced threats.
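A worked dynamic risk assessment engine covering the mapping-table lookup and multiplication of [0033]-[0035], the aggregation rule of [0048]-[0049] and the threat intelligence correction of [0052]-[0053], as an added example that is not the patent's own code: the asset database entries, basic risk values, mapping table factors, time window and threshold are constructed, reusing the numbers the text quotes (70 for a scan of an RTU, 1 per vulnerability scan, factor 3.0 when OCC = 0.9, correction factor 1.5).

```python
from dataclasses import dataclass
from typing import Collection, Dict, List, Tuple

# Constructed asset information database ([0046]-[0047]): IP -> asset function class.
ASSET_DB: Dict[str, str] = {
    "10.10.1.5": "production_control",       # remote terminal unit (RTU)
    "10.10.1.6": "production_control",       # SCADA/EMS server
    "10.20.3.7": "management_information",   # office terminal
}

# Constructed basic risk values per (event type, asset function class). The 70 for a
# scan of an RTU and the 1 per vulnerability scan come from the patent's examples.
BASE_RISK: Dict[Tuple[str, str], float] = {
    ("port_scan", "production_control"): 70.0,
    ("port_scan", "management_information"): 20.0,
    ("vuln_scan", "production_control"): 1.0,
    ("vuln_scan", "management_information"): 0.5,
}

# Constructed dynamic weight mapping table: OCC interval -> per-class adjustment factor.
# Production-control factors rise with OCC, management-information factors fall ([0044]).
MAPPING_TABLE: List[Tuple[float, float, Dict[str, float]]] = [
    (0.0, 0.3, {"production_control": 0.8, "management_information": 1.2}),  # lenient
    (0.3, 0.7, {"production_control": 1.0, "management_information": 1.0}),  # normal
    (0.7, 1.0, {"production_control": 3.0, "management_information": 0.5}),  # tense
]


@dataclass(frozen=True)
class SecurityEvent:
    ts: float          # seconds since epoch, as delivered by the SIEM
    src_ip: str
    dst_ip: str
    event_type: str


@dataclass
class AggregatedEvent:
    src_ip: str
    asset_class: str
    count: int
    base_risk_sum: float
    adjustment_factor: float
    intel_factor: float

    @property
    def final_risk(self) -> float:
        # (sum of basic risk values) x dynamic adjustment factor x intelligence correction
        return self.base_risk_sum * self.adjustment_factor * self.intel_factor


def adjustment_factor(occ: float, asset_class: str) -> float:
    """Look up the dynamic adjustment factor; the last interval is closed at 1.0."""
    for lo, hi, factors in MAPPING_TABLE:
        if lo <= occ < hi or (occ == hi == 1.0):
            return factors[asset_class]
    raise ValueError(f"OCC {occ} outside [0, 1]")


def assess(events: List[SecurityEvent], occ: float, window_s: float = 300.0,
           blacklist: Collection[str] = (), intel_factor: float = 1.5,
           threshold: float = 100.0) -> Tuple[float, List[AggregatedEvent]]:
    """Group events by (source IP, asset class, tumbling time window), modulate each
    group by the OCC-driven factor and threat intelligence, and return the posture
    score (here: the sum of final risks) plus the high-risk list above the threshold."""
    groups: Dict[Tuple[str, str, int], AggregatedEvent] = {}
    for ev in events:
        asset_class = ASSET_DB.get(ev.dst_ip)
        if asset_class is None:
            continue  # unknown asset: no classification, so no basic risk value
        key = (ev.src_ip, asset_class, int(ev.ts // window_s))
        agg = groups.get(key)
        if agg is None:
            agg = AggregatedEvent(ev.src_ip, asset_class, 0, 0.0,
                                  adjustment_factor(occ, asset_class),
                                  intel_factor if ev.src_ip in blacklist else 1.0)
            groups[key] = agg
        agg.count += 1
        agg.base_risk_sum += BASE_RISK[(ev.event_type, asset_class)]
    aggregated = list(groups.values())
    score = sum(a.final_risk for a in aggregated)
    high_risk = sorted((a for a in aggregated if a.final_risk > threshold),
                       key=lambda a: a.final_risk, reverse=True)
    return score, high_risk


if __name__ == "__main__":
    # Constructed burst: 10 vulnerability scans from one source against the RTU in 200 s.
    burst = [SecurityEvent(1000 + i * 20, "203.0.113.9", "10.10.1.5", "vuln_scan")
             for i in range(10)]
    for occ in (0.3, 0.9):
        score, high = assess(burst, occ, threshold=25.0)
        print(f"OCC={occ}: score={score}, high-risk groups={len(high)}")
```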

[0054] For example, it also includes a strategy simulation module, which connects the dynamic risk assessment engine and the operational urgency coefficient calculation module; The strategy simulation module is used for: Receive simulated power grid operating status data sequences; The operation urgency coefficient calculation module is driven to generate the corresponding simulated operation urgency coefficient sequence; The dynamic risk assessment engine is driven to calculate a simulated dynamic security posture score sequence based on the simulated urgency coefficient sequence and a set of simulated network security event data. Output a correlation analysis report between the simulated operational urgency coefficient sequence and the simulated dynamic security situation score sequence.

[0055] Specifically, the strategy simulation module uses simulated data to reproduce the system's complete workflow under preset scenarios. First, it can evaluate and optimize the dynamic weight mapping table by observing whether the changes in the situational score caused by a given set of attack events under different simulated OCC sequences meet the expectations of security experts, thus adjusting the adjustment factors in the mapping table. Second, it can conduct attack and defense drills and contingency plan simulations. For example, it can simulate the system's response and alarm status when encountering a specific network attack during the peak summer season with high OCC, helping operations and maintenance personnel familiarize themselves with the response procedures in advance. Finally, the generated correlation analysis report can quantitatively demonstrate the effectiveness of the strategy. This module embodies the system's closed-loop design philosophy, enabling not only real-time online evaluation but also iterative optimization of its core decision-making logic offline, giving the system the ability to continuously evolve.

[0056] Example 2. This application also discloses a method for assessing the cybersecurity situation of power grid networks based on big data analysis.

[0057] Referring to Figure 2, a method for assessing the cybersecurity situation of power grid networks based on big data analysis includes the following steps: obtain power grid operation status data from the energy management system and dispatch logs; obtain cybersecurity incident data from the security information and incident management system; store the mapping relationship between the IP addresses of network assets and the functions of those assets; receive the power grid operation status data, quantify multiple indicators in it into sub-scores, and fuse all sub-scores into an operation urgency coefficient with a value range of [0,1] using a weighted fusion algorithm; receive the network security incident data and the operational urgency coefficient; for each cybersecurity incident, query the asset information database based on the IP address it contains to determine the asset function classification corresponding to the incident; based on the asset function classification, assign a basic risk value to the incident; based on the currently received operational urgency coefficient, query the preset dynamic weight mapping table to obtain the dynamic adjustment factor corresponding to the asset function classification; multiply the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the incident; aggregate the final dynamic risk values of all cybersecurity incidents to calculate a dynamic security posture score; and output and display the dynamic security situation score and the list of high-risk events whose final dynamic risk value exceeds a preset threshold.

[0058] The above content is merely an example and illustration of the concept of the present invention. Those skilled in the art can make various modifications or additions to the specific embodiments described or use similar methods to replace them, as long as they do not deviate from the concept of the invention, they should all fall within the protection scope of the present invention.

[0059] In the description of this specification, references to terms such as "an embodiment," "example," "specific example," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples.

[0060] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to any specific implementation. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention.

Claims

1. A power grid network security situation assessment system based on big data analysis, characterized in that it includes: a power grid operation status sensing module, used to obtain power grid operation status data from the energy management system and dispatch logs; a security incident acquisition module, used to acquire network security incident data from the security information and incident management system; an asset information database, used to store the mapping relationship between the IP addresses of network assets and their functions; an operation urgency coefficient calculation module, connected to the power grid operation status sensing module and used to receive the power grid operation status data, quantify multiple indicators in the power grid operation status data into sub-scores, and fuse all sub-scores into an operation urgency coefficient with a value range of [0,1] using a weighted fusion algorithm; and a dynamic risk assessment engine, connected to the security event acquisition module, the asset information database, and the operational urgency coefficient calculation module respectively, and used for: receiving the network security incident data and the operational urgency coefficient; for each cybersecurity incident, querying the asset information database based on the IP address it contains to determine the asset function classification corresponding to the incident; based on the asset function classification, assigning a basic risk value to the cybersecurity incident; based on the currently received operational urgency coefficient, querying the preset dynamic weight mapping table to obtain the dynamic adjustment factor corresponding to the asset function classification; multiplying the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the cybersecurity incident; and aggregating the final dynamic risk values of all cybersecurity incidents to calculate a dynamic security posture score.
A situation display module is connected to the dynamic risk assessment engine and is used to output and display the dynamic security situation score and a list of high-risk events whose final dynamic risk value exceeds a preset threshold.

2. The power grid network security situation assessment system based on big data analysis according to claim 1, characterized in that, The power grid operation status data includes key section power flow values, total system load values, system N-1 check status, and preset keywords identified from the dispatch log text obtained from the energy management system.

3. The power grid network security situation assessment system based on big data analysis according to claim 2, characterized in that the urgency coefficient calculation module is specifically used for: assigning a predefined weight to each of the key section power flow value, total system load value, system N-1 check status, and preset keywords; comparing the key section power flow value and total system load value with preset threshold intervals and assigning corresponding sub-scores according to the interval in which they fall; converting the system N-1 check status and the identified preset keywords into Boolean values as sub-scores; weighting and summing all sub-scores according to their corresponding predefined weights to obtain the initial coefficient; and smoothing and limiting the initial coefficient using a preset function to output the operational urgency coefficient.

4. The power grid network security situation assessment system based on big data analysis according to claim 1, characterized in that, The preset dynamic weight mapping table stores the correspondence between different operational urgency coefficient ranges and different asset function classifications, and presets a dynamic adjustment factor for each set of correspondences.

5. The power grid network security situation assessment system based on big data analysis according to claim 4, characterized in that, The asset function classification defined in the preset dynamic weight mapping table includes at least production control assets and management information assets; wherein, the dynamic adjustment factor corresponding to the production control assets increases as the operational urgency coefficient increases, and the dynamic adjustment factor corresponding to the management information assets decreases as the operational urgency coefficient increases.

6. The power grid network security situation assessment system based on big data analysis according to claim 1, characterized in that, The asset function classification in the asset information database is based on the role of network assets in power grid operations.

7. The power grid network security situation assessment system based on big data analysis according to claim 1, characterized in that the dynamic risk assessment engine, when calculating the dynamic security posture score, is also used for: aggregating multiple cybersecurity incidents originating from the same attack source and targeting the same asset function within a preset time window into a single aggregated security incident, where the final dynamic risk value of the aggregated security event is calculated as the product of the sum of the basic risk values of the multiple cybersecurity events it contains and the dynamic adjustment factor.

8. A power grid network security situation assessment system based on big data analysis according to claim 1, characterized in that, The dynamic risk assessment engine is also used to receive external threat intelligence data; When it is determined that the source IP of a network security incident exists in the blacklist of the threat intelligence data, it is necessary to multiply it by a threat intelligence correction factor greater than 1 when calculating its final dynamic risk value.

9. The power grid network security situation assessment system based on big data analysis according to claim 1, characterized in that, It also includes a strategy simulation module, which connects the dynamic risk assessment engine and the operational urgency coefficient calculation module; The strategy simulation module is used for: Receive simulated power grid operating status data sequences; The operation urgency coefficient calculation module is driven to generate the corresponding simulated operation urgency coefficient sequence; The dynamic risk assessment engine is driven to calculate a simulated dynamic security posture score sequence based on the simulated urgency coefficient sequence and a set of simulated network security event data. Output a correlation analysis report between the simulated operational urgency coefficient sequence and the simulated dynamic security situation score sequence.

10. A method for assessing the cybersecurity situation of a power grid based on big data analysis, applied to the power grid cybersecurity situation assessment system based on big data analysis as described in any one of claims 1-9, characterized in that it includes the following steps: obtain power grid operation status data from the energy management system and dispatch logs; obtain cybersecurity incident data from the security information and incident management system; store the mapping relationship between the IP addresses of network assets and the functions of those assets; receive the power grid operation status data, quantify multiple indicators in it into sub-scores, and fuse all sub-scores into an operation urgency coefficient with a value range of [0,1] using a weighted fusion algorithm; receive the network security incident data and the operational urgency coefficient; for each cybersecurity incident, query the asset information database based on the IP address it contains to determine the asset function classification corresponding to the incident; based on the asset function classification, assign a basic risk value to the incident; based on the currently received operational urgency coefficient, query the preset dynamic weight mapping table to obtain the dynamic adjustment factor corresponding to the asset function classification; multiply the basic risk value by the dynamic adjustment factor to obtain the final dynamic risk value of the incident; aggregate the final dynamic risk values of all cybersecurity incidents to calculate a dynamic security posture score; and output and display the dynamic security situation score and the list of high-risk events whose final dynamic risk value exceeds a preset threshold.