Rtu physical intrusion prevention method, device, system and storage medium
By deploying intrusion detection modules and two-factor authentication on RTU devices, generating alarm signals of different levels, and implementing automated network isolation in the central monitoring system, the problem of weak physical layer protection of RTU devices is solved, and the security response speed and protection level of RTU devices are improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SUPCON TECH CO LTD
- Filing Date
- 2025-12-31
- Publication Date
- 2026-07-14
AI Technical Summary
Existing RTU devices have weak physical protection and lack real-time accurate detection and immediate response mechanisms, making it difficult to block attack paths in a timely manner. The protection links are fragmented and lack a closed-loop linkage, which makes it impossible to effectively curb the lateral spread of attacks.
An intrusion detection module is used to identify physical intrusion behavior through industrial cameras. Combined with two-factor authentication of RFID and personal identification codes, different levels of alarm signals are generated and uploaded to the central monitoring system through RTU devices to achieve automated identity verification and network isolation, thus building a defense-in-depth closed loop from the physical layer to the network layer.
It enables real-time conversion from physical intrusion to network isolation, improves the security response speed and protection level of RTU devices, reduces false alarm rate, and ensures accurate differentiation between legitimate operation and maintenance and illegal intrusion, as well as the rigor of security recovery operations.
Smart Images

Figure CN122394826A_ABST
Abstract
Description
Technical Field
[0001] This application belongs to the field of industrial control system security protection technology, specifically relating to an RTU physical intrusion protection method, device, system and storage medium. Background Technology
[0002] In modern industrial control systems, Remote Terminal Units (RTUs) are a crucial link connecting field devices with Supervisory Control and Data Acquisition (SCADA) systems. RTUs are typically responsible for acquiring field signals, executing control commands, and exchanging data with the control center via communication networks, serving as a vital bridge between the field layer and the dispatch layer. In industries such as power, oil and gas, petrochemicals, water utilities, and mining, a large number of RTU devices are deployed in geographically remote, harsh environments with infrequent personnel inspections. These locations often lack continuous physical security protection, and any damage or unauthorized operation could lead to serious security risks to the control system.
[0003] Currently, existing technologies for RTU security primarily focus on the network and communication encryption layers, such as VPNs, leased line encryption, and whitelist access control. While these technologies provide some protection at the transmission link level, they lack effective monitoring and response mechanisms for intrusions at the physical layer. Once attackers directly access the RTU device on-site, existing protection methods struggle to detect or block the attack path in a timely manner. In other words, strong network protection but weak physical protection is a common security weakness in current RTU systems. For example, patent CN202310055792.1 discloses a physical intrusion detection and defense system for industrial control systems. This system achieves intrusion protection through a three-part system of physical information collection, detection, and defense. Its core defense lies in interrupting abnormal network data transmission. However, this solution does not combine physical intrusion detection with personnel authentication, making it unable to distinguish between legitimate maintenance operations and illegal intrusions. It is prone to generating numerous false alarms and lacks a dedicated linkage response mechanism for RTU devices, resulting in insufficient targeted defense.
[0004] Other RTU protection solutions generally have the following drawbacks: 1. Fragmented protection links: Anti-theft solutions, network security solutions, and control security solutions are independent of each other, failing to form a coherent protection system that covers the entire attack chain of "physical contact → local operation → network penetration".
[0005] 2. Passive and delayed response: Existing methods are mostly post-event tracing (such as theft prevention) or post-event detection (such as network intrusion analysis). They lack the ability to intervene in a timely and proactive manner during the "critical window period" when attackers carry out physical operations, and cannot achieve real-time blocking of attacks.
[0006] 3. Lack of a closed-loop linkage: There is a lack of automated linkage mechanisms between physical layer anomalies (such as unauthorized opening of cabinets) and control layer security policies (such as network isolation). Physical alarms and network security responses belong to different systems, resulting in slow emergency response and an inability to effectively curb the lateral spread of attacks.
[0007] Therefore, there is an urgent need for a physical intrusion protection solution that can accurately detect physical intrusion behavior of RTU devices in real time, make on-site identity determination immediately, and form an automatic and reliable closed-loop linkage with industrial control network security systems. Summary of the Invention
[0008] In view of the above-mentioned shortcomings and deficiencies of the prior art, this application provides an RTU physical intrusion protection method, device, system and storage medium, which aims to realize real-time detection, automatic verification, active alarm and linkage isolation with the network layer of physical intrusion behavior, build a defense-in-depth closed loop from the physical layer to the network layer and improve the overall security level of RTU devices.
[0009] To achieve the above objectives, this application adopts the following technical solution: an RTU physical intrusion prevention method, characterized in that it includes: S1: The intrusion detection module detects physical intrusion behavior of the RTU on the field protection side and generates an intrusion signal; S2: In response to the intrusion signal, initiate the authentication process and start a countdown; S3: Obtain the authentication result and countdown status. If the authentication is successful within the countdown, a low-risk alarm signal is generated. If the authentication fails or the timeout occurs, a high-risk alarm signal is generated and the alarm signal is uploaded through the RTU device. S4: The monitoring system on the central protection side receives the alarm signal and initiates an on-site audit request; if it is identified as a high-risk alarm signal, it simultaneously sends a disconnect command to the network switching device to cut off the network connection of the corresponding RTU. S5: The monitoring system responds to the on-site audit security confirmation signal and sends a recovery command to the network switching device to restore the network connection of the corresponding RTU.
[0010] Furthermore, the intrusion detection module is an industrial camera, and the physical intrusion behavior includes personnel entering the preset monitoring area of the RTU cabinet or the RTU cabinet door being opened.
[0011] Furthermore, when the intrusion detection module detects physical intrusion behavior of the RTU on the field protection side, it records the local log and simultaneously collects the intrusion video on site.
[0012] Furthermore, the identity verification process is a two-factor authentication, which includes RFID authentication and personal identification code authentication.
[0013] Furthermore, the alarm signal includes identification information associated with the intrusion signal.
[0014] Furthermore, after the monitoring system initiates an on-site audit request, it obtains the identification information from the alarm signal and simultaneously retrieves the RTU's local logs and intrusion videos for manual auditing.
[0015] Furthermore, for high-risk alarm signals, a command to allow network recovery can only be generated after receiving security confirmation signals from at least two administrators through the on-site review.
[0016] This application also discloses another embodiment, an RTU physical intrusion prevention device, characterized in that it includes: Intrusion detection module: used to detect physical intrusion behavior of RTU on the field protection side and generate intrusion signals; Authentication module: Used to respond to intrusion signals, initiate the authentication process, and set a countdown. Alarm module: Used to generate alarm signals of different levels based on the authentication result, and upload the alarm signals through the RTU device; Alarm processing module: Used to receive alarm signals and initiate on-site audit requests; Network isolation module: In response to high-risk alarm signals, it sends a disconnect command to the network switching device to cut off the network connection of the corresponding RTU; in response to on-site audit security confirmation signals, it sends a recovery command to the network switching device to restore the network connection of the corresponding RTU.
[0017] This application also discloses an RTU physical intrusion prevention system, including: One or more processors; Computer-readable storage medium for storing one or more programs. Wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the steps of the method according to any one of claims 1 to 7.
[0018] This application also discloses a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
[0019] The beneficial effects of this application are: 1. Through a fully automated process of "on-site perception - automatic adjudication - real-time reporting - central linkage", physical layer intrusion events are transformed into network layer isolation actions. This achieves a fundamental shift from "passive tracing and post-event remediation" to "proactive detection and real-time blocking", cutting off the attacker's subsequent network penetration path at the initial stage of physical contact with the device, and building a full-link closed-loop protection for industrial control systems.
[0020] 2. By deploying a physical intrusion detection module on the RTU side, the system can detect physical intrusions and actively block them from entering the network. Furthermore, through real-time automatic authentication of physical intrusions, high-risk alarm signals can quickly trigger network isolation, thereby improving the response speed for physical intrusion protection.
[0021] 3. By using two-factor authentication and countdown configuration, it accurately distinguishes between legitimate operation and maintenance and illegal intrusion, significantly reducing the false alarm rate. At the same time, the hierarchical response strategy balances security protection and normal operation and maintenance efficiency. Combined with the high-risk alarm dual-approval recovery mechanism, it provides complete evidence for incident verification and ensures the rigor of recovery operations, meeting the requirements of industrial security traceability and compliance. Attached Figure Description
[0022] This application is described with reference to the following figures: Figure 1 The system architecture diagram of the RTU physical intrusion prevention method of this application is shown; Figure 2 The flowchart of the physical intrusion prevention method for RTU in this application is shown; Figure 3 The flowchart for generating alarm signals in this application is shown. Detailed Implementation
[0023] To better explain and facilitate understanding of the present invention, it is described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described below are merely illustrative of the invention and not intended to limit it. Furthermore, it should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other; for ease of description, only the parts relevant to the invention are shown in the accompanying drawings.
[0024] As the background technology indicates, RTUs (Remote Terminal Units), as the core hub connecting industrial field devices and control centers, are widely used in critical infrastructure sectors such as power, oil and gas, water conservancy, and mining, undertaking the core functions of data acquisition, command execution, and information transmission. These devices are often deployed in geographically remote, harsh environments with low personnel inspection frequency, and their physical security directly affects the stable operation of the entire industrial control system. Attackers can use physical intrusion behaviors such as illegally opening RTU cabinets or gaining close contact with the equipment to tamper with equipment configurations, implant malicious programs, or even use the RTU as a springboard to penetrate upper-level SCADA systems, causing major security incidents such as production interruptions and data leaks. Therefore, RTU physical intrusion protection has become an urgent need in the field of industrial control security.
[0025] To address the aforementioned problems, this application provides an RTU physical intrusion prevention method, apparatus, system, and storage medium, aiming to achieve automated, real-time closed-loop protection from physical layer anomaly detection to network layer proactive isolation, thereby enhancing the defense-in-depth capabilities of RTU devices. The architecture diagram of this embodiment is shown below. Figure 1 As shown, it includes an RTU deployed on the field protection side, an RTU field protection device (RTUSecureGuard, or RSG for short), an intrusion detection module for detecting physical intrusion behavior of the RTU, an RTU control center protection device (RTUSecureController, or RSC for short) deployed on the central protection side, a monitoring system of the host computer (such as SCADA software), and a video server (NVR) for storing on-site intrusion behavior video.
[0026] Specific methods, such as Figure 2 As shown, it includes: S1: The intrusion detection module detects physical intrusion behavior of the RTU on the field protection side and generates an intrusion signal. The intrusion detection module is an industrial camera, and the physical intrusion behavior includes personnel entering a preset monitoring area of the RTU cabinet or the RTU cabinet door being opened. The industrial camera deployed on the field protection side collects real-time data on the preset monitoring area of the RTU cabinet, such as a rectangular or fan-shaped area 0.5 to 2 meters from the front of the cabinet. Using AI algorithms, it identifies moving targets within the monitoring area, filters out other non-human interference, and only identifies personnel intrusion behavior, generating an intrusion signal. Further, in other embodiments, the intrusion detection module can be an infrared sensor, a magnetic door switch, or a microwave radar to detect physical intrusion behavior such as the preset monitoring area or the RTU cabinet door being opened. Through the physical intrusion module, utilizing environmentally robust intelligent visual perception, complex physical intrusion scenarios are transformed into structured, programmable digital event signals, providing accurate and reliable triggering basis for subsequent automatic identity verification and achieving non-contact, all-weather intrusion detection.
[0027] Furthermore, when the intrusion detection module detects a physical intrusion of an RTU on the field protection side, it records local logs and simultaneously acquires intrusion video from the field. After detecting an intrusion signal, the intrusion detection module automatically generates an identifier to identify the intrusion signal. For example, the intrusion signal may contain an identifier that includes the intrusion signal generation time and the number of the compromised RTU: 20251212-12:00:00-RTU001, clearly identifying the time and location of the physical intrusion of the RTU. Simultaneously, it records the intrusion in the local logs, facilitating manual review of the intrusion by management personnel. At the same time, the intrusion detection module simultaneously acquires intrusion video from the field, associates it with a high intrusion signal identifier, and transmits the intrusion video to the video server (NVR) on the central protection side for storage.
[0028] S2: In response to the intrusion signal, initiate the authentication process and start a countdown. The authentication process is a two-factor authentication, which includes RFID authentication and personal identification code authentication.
[0029] When the RTU (Remote Protective Unit) field-side protection device (RSG) receives an intrusion signal, it triggers the internal authentication module, initiating the authentication process. This authentication is a two-factor authentication combining RFID authentication and personal identification code (PIN) authentication, strictly following the order of RFID first, then PIN. First, the RFID reader reads the identification information from the card, combining it with a pre-set PIN associated with that information, such as a personal password or PIN. Through this sequential two-factor authentication, different PINs are preset for different RFID tags, enabling differentiated authentication for different individuals. This also avoids the vulnerability of simple authentication methods to cracking.
[0030] Furthermore, while the authentication module initiates the authentication process, a countdown timer is simultaneously started. The default countdown time is 1 minute, which can be customized by the user. If authentication is not completed or fails within the preset countdown, the authentication process exits, the countdown stops, and a result indicating authentication failure is generated. If dual verification using RFID and personal identification codes is completed within the countdown, a result indicating successful authentication is generated. By combining a strict sequential two-factor authentication mechanism with a countdown timer, the RTU physical intrusion behavior is authenticated and adjudicated within a limited time, providing a basis for generating high-risk / low-risk signals for subsequent physical intrusion behaviors, thereby achieving the crucial transition from passive alarm to active adjudication of RTU physical intrusion.
[0031] S3: Obtain the authentication result and countdown status. If authentication is successful within the countdown, a low-risk alarm signal is generated; if authentication fails or times out, a high-risk alarm signal is generated and uploaded via the RTU device. The authentication result and countdown status are as follows: Figure 3 As shown, if authentication is not completed before the countdown ends, or if authentication fails within the specified time, a high-risk intrusion signal is generated. If authentication is completed before the countdown ends, the physical intrusion into the RTU is determined to be a legitimate intrusion, such as normal equipment maintenance, and a low-risk intrusion signal is generated. Through the authentication and alarm modules of the RTU field-side protection device RSG, physical intrusion behaviors are promptly adjudicated, enabling rapid response within a short time after a physical intrusion occurs. This achieves a fundamental shift from "passive tracing and post-incident remediation" to "proactive detection and real-time blocking."
[0032] After generating an alarm signal, the RSG outputs the alarm signal to the RTU through an I / O interface or communication protocol (such as Modbus, IEC104, etc.), converting the alarm signal into a standard industrial communication protocol and transmitting it using existing industrial communication channels. This achieves non-intrusive and compatible transmission of physical intrusion signals without requiring network modifications.
[0033] S4: The monitoring system on the central protection side receives the alarm signal and initiates an on-site review request. If the alarm signal is identified as high-risk, it simultaneously sends a disconnect command to the network switching device to cut off the network connection of the corresponding RTU. The monitoring system, such as the SCADA system, listens for alarm signals from the RTU and initiates an alarm review request on the system interface for the alarm signal. The request is displayed on the system interface, prompting personnel to manually review and confirm the alarm signal to determine whether it is normal system maintenance or an intrusion.
[0034] Furthermore, this alarm signal is a low-risk alarm signal. The intrusion into the RTU, which utilized two-factor authentication via RFID and personal identification numbers, is considered a normal intrusion. Therefore, the monitoring system generates a low-priority review request for this alarm signal and displays a notification on the system interface, such as a pop-up or sound alert, prompting reviewers to confirm the low-risk alarm signal. At this stage, only administrators need to review the pop-up during their downtime to verify if any unauthorized intrusion activity is detected in the generated low-risk alarm signal; a rapid response to the low-risk alarm signal is not required.
[0035] For high-risk alarm signals, after confirming the intrusion time, the monitoring system quickly initiates a high-priority audit request, which is prominently displayed in the monitoring system, requiring prompt action from the administrator. Simultaneously, the RTU control center protection device RSC shuts down the corresponding RTU network port on the switch via SNMP commands or the 802.1x port control protocol, proactively cutting off potential attack paths. Effectively utilizing existing industrial control system communication ports, without requiring network modifications, it can quickly shut down network interfaces under illegal intrusion while distinguishing between illegal intrusion and normal operation and maintenance, isolating intrusion activities and preventing the spread of faults.
[0036] The alarm signal contains identification information associated with the intrusion signal. The intrusion signal records an identifier including the intrusion signal generation time and the number of the compromised RTU. During the alarm signal generation process, the RSG simultaneously generates identification information associated with this identifier, transforming the alarm signal from a simple status report into an index containing information that can link to the intrusion signal. After the monitoring system initiates an on-site audit request, the identification information in the alarm signal can quickly index the specific event of the intrusion and the information of the compromised RTU. Furthermore, the on-site intrusion video synchronously collected by the intrusion detection module when the physical intrusion occurs is synchronously correlated with the local physical intrusion log recorded by the RSG, ensuring the integrity of the evidence chain for the physical intrusion and facilitating investigation and confirmation by management personnel.
[0037] Furthermore, for high-risk alarm signals, the RTU control center protection device RSC quickly shuts down the network port of the corresponding RTU on the switch. A dual-user verification mechanism is also implemented; network recovery permission is only generated after both administrators have confirmed the security status. This dual-user verification mechanism can be configured for simultaneous verification by two administrators at the same level. Each administrator submits a verification request through the monitoring system interface, retrieving the RTU intrusion video and local RTU logs for verification. After confirming that the intrusion risk has been eliminated, they submit a verification confirmation signal. After both administrators submit their verification confirmation signals, a final verification security confirmation signal is generated.
[0038] In another implementation, the dual-person review mechanism is a two-tiered review process with one person reviewing and another approving. When a high-risk alarm signal is triggered, a review request is initiated on the monitoring system interface. The first-level administrator retrieves the intrusion video and logs in the review interface, checks the RTU status, and, after confirming that the intrusion risk has been eliminated, submits the review request. Once approved, a network recovery request is requested and sent to the second-level administrator for a second review of the high-risk alarm signal. The second-level administrator has higher review authority. After reviewing the intrusion video and logs, they also need to review the necessity of RTU network recovery. Furthermore, for high-risk physical intrusions, they need to confirm whether on-site investigation is required. If on-site investigation is necessary, the on-site investigators check the status of the on-site RTU and determine if an intrusion risk exists. If the risk has been identified, the matter can be resolved using the RTU field-side protection device RSC on the field protection side, eliminating the RTU intrusion risk. After finally confirming that the risk has been eliminated and RTU network recovery can proceed, a second-level approval is obtained, ultimately generating a security confirmation signal. The dual-person review mechanism effectively prevents network anomalies caused by single-person negligence or misjudgment, ensuring the security of network recovery.
[0039] S5: The monitoring system responds to the on-site audit security confirmation signal and sends a recovery command to the network switching device to restore the network connection of the corresponding RTU.
[0040] Low-risk alarm signals only generate an audit request and do not affect the network connection of the RTU, so network recovery is not required. For high-risk alarm signals, after approval by two people, an audit security confirmation signal is generated. The RSC sends a recovery command to the network switching device through the interface, restoring the network port of the corresponding RTU on the switch. The RSG synchronously returns to standby state, and the system enters the next monitoring cycle.
[0041] In summary, the beneficial effects of the method of the present invention are as follows: 1. Through a fully automated process of "on-site perception - automatic adjudication - real-time reporting - central linkage", physical layer intrusion events are transformed into network layer isolation actions. This achieves a fundamental shift from "passive tracing and post-event remediation" to "proactive detection and real-time blocking", cutting off the attacker's subsequent network penetration path at the initial stage of physical contact with the device, and building a full-link closed-loop protection for industrial control systems.
[0042] 2. By deploying a physical intrusion detection module on the RTU side, the system can detect physical intrusions and proactively block them from entering the network. Furthermore, through real-time automatic authentication of physical intrusions, it can quickly determine the level of danger of the intrusion when it occurs. For high-risk alarm signals, it can quickly trigger network isolation, thereby improving the response speed of physical intrusion protection.
[0043] 3. By using two-factor authentication and countdown configuration, it accurately distinguishes between legitimate operation and maintenance and illegal intrusion, significantly reducing the false alarm rate. At the same time, the hierarchical response strategy balances security protection and normal operation and maintenance efficiency. Combined with the high-risk alarm dual-approval recovery mechanism, it provides complete evidence for incident verification and ensures the rigor of recovery operations, meeting the requirements of industrial security traceability and compliance.
[0044] 4. The RSG outputs the alarm signal to the RTU through the I / O interface or communication protocol (such as Modbus, IEC104, etc.), converting the alarm signal into a standard industrial communication protocol and transmitting it using the existing industrial communication channel. This achieves non-intrusive and compatible transmission of physical intrusion signals without the need to modify the network.
[0045] Another embodiment of the present invention provides an RTU physical intrusion protection device, comprising: Intrusion detection module: used to detect physical intrusion behavior of RTU on the field protection side and generate intrusion signals; Authentication module: Used to respond to intrusion signals, initiate the authentication process, and set a countdown. Alarm module: Used to generate alarm signals of different levels based on the authentication result, and upload the alarm signals through the RTU device; Alarm processing module: Used to receive alarm signals and initiate on-site audit requests; Network isolation module: In response to high-risk alarm signals, it sends a disconnect command to the network switching device to cut off the network connection of the corresponding RTU; in response to on-site audit security confirmation signals, it sends a recovery command to the network switching device to restore the network connection of the corresponding RTU.
[0046] This device constructs a complete protection system through modular design, specifically including five core components: intrusion detection module, authentication module, alarm module, alarm processing module, and network isolation module, realizing closed-loop management of the entire process from intrusion detection to network recovery. The system comprises several modules: an intrusion detection module deployed on the field protection side, which accurately detects physical intrusion behaviors such as personnel entering the pre-set monitoring area of the RTU cabinet and the cabinet door being opened, and generates intrusion signals in real time; an authentication module linked with the intrusion detection module, which automatically initiates the authentication process and countdown upon responding to an intrusion signal, providing crucial evidence for distinguishing between legitimate maintenance and illegal intrusion; an alarm module generating low-risk and high-risk alarm signals based on the authentication results, which are then uploaded through the RTU device, achieving non-intrusive and compatible transmission of physical intrusion signals without requiring network modifications; an alarm processing module deployed on the central protection side, which immediately initiates a field audit request upon receiving an alarm signal, providing support for administrator verification; and a network isolation module that quickly responds to high-risk alarm signals, sending a disconnect command to the network switching device to cut off the network connection of the corresponding RTU, blocking the attack penetration path at the source, and simultaneously sending a recovery command to restore the RTU network connection upon receiving a security confirmation signal from the field audit. This device, through the coordinated operation of its various modules, constructs a fully automated process of "on-site perception - automatic adjudication - real-time reporting - central linkage," achieving accurate detection, hierarchical response, and security control of RTU physical intrusions. It effectively reduces the false alarm rate, balances security protection with normal operation and maintenance efficiency, and ensures the rigor of high-risk operations. It meets the security compliance and traceability requirements of the industrial control field, is adaptable to complex industrial scenarios such as remote sites and harsh environments, and has extremely high practicality and reliability.
[0047] A third embodiment of the present invention provides a container restart and self-healing system, comprising: One or more processors; Computer-readable storage medium for storing one or more programs. Wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the steps of the method according to any one of claims 1 to 7.
[0048] A fourth embodiment of the present invention provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
[0049] It should be noted that any reference numerals placed between parentheses in the claims should not be construed as limiting the claims. The word "comprising" does not exclude the presence of components or steps not listed in the claims. The words "a" or "an" preceding a component do not exclude the presence of a plurality of such components. The invention can be implemented by means of hardware comprising several different components and by means of a suitably programmed computer. The use of the terms first, second, third, etc., is for convenience only and does not indicate any order. These terms can be understood as part of the component names.
[0050] Furthermore, it should be noted that in the description of this specification, the terms "one embodiment," "some embodiments," "embodiment," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics described in connection with that embodiment or example, which are included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Furthermore, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.
[0051] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the claims should be interpreted to include both the preferred embodiments and all changes and modifications falling within the scope of the invention.
[0052] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, then this invention should also include these modifications and variations.
Claims
1. A physical intrusion prevention method for RTUs, characterized in that, include: S1: The intrusion detection module detects physical intrusion behavior of the RTU on the field protection side and generates an intrusion signal; S2: In response to the intrusion signal, initiate the authentication process and start a countdown; S3: Obtain the authentication result and countdown status. If the authentication is successful within the countdown, a low-risk alarm signal is generated. If the authentication fails or the timeout occurs, a high-risk alarm signal is generated and the alarm signal is uploaded through the RTU device. S4: The monitoring system on the central protection side receives the alarm signal and initiates an on-site audit request; if it is identified as a high-risk alarm signal, it simultaneously sends a disconnect command to the network switching device to cut off the network connection of the corresponding RTU. S5: The monitoring system responds to the on-site audit security confirmation signal and sends a recovery command to the network switching device to restore the network connection of the corresponding RTU.
2. The method according to claim 1, characterized in that, The intrusion detection module is an industrial camera, and the physical intrusion behavior includes personnel entering the preset monitoring area of the RTU cabinet or the RTU cabinet door being opened.
3. The method according to claim 2, characterized in that, When the intrusion detection module detects physical intrusion behavior of the RTU on the field protection side, it records the local log and simultaneously collects the intrusion video on site.
4. The method according to claim 1, characterized in that, The identity verification process is a two-factor authentication, which includes RFID authentication and personal identification code authentication.
5. The method according to claim 1, characterized in that, The alarm signal contains identification information associated with the intrusion signal.
6. The method according to claim 5, characterized in that, After the monitoring system initiates an on-site audit request, it obtains the identification information from the alarm signal and simultaneously retrieves the RTU's local logs and intrusion videos for manual auditing.
7. The method according to claim 6, characterized in that, For high-risk alarm signals, a command to allow network recovery can only be generated after receiving security confirmation signals from at least two administrators through the on-site verification.
8. An RTU physical intrusion protection device, characterized in that, include: Intrusion detection module: used to detect physical intrusion behavior of RTU on the field protection side and generate intrusion signals; Authentication module: Used to respond to intrusion signals, initiate the authentication process, and set a countdown. Alarm module: Used to generate alarm signals of different levels based on the authentication result, and upload the alarm signals through the RTU device; Alarm processing module: Used to receive alarm signals and initiate on-site audit requests; Network isolation module: In response to high-risk alarm signals, it sends a disconnect command to the network switching device to cut off the network connection of the corresponding RTU; In response to the on-site audit security confirmation signal, a recovery command is sent to the network switching equipment to restore the network connection of the corresponding RTU.
9. An RTU physical intrusion prevention system, characterized in that, include: One or more processors; Computer-readable storage medium for storing one or more programs. Wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.