
Electrical Primary-System Design of a 110 kV Step-Down Substation, by Dong Xiaohu

Resource ID: 34425906   Type: shared resource   Size: 1.06 MB   Format: RAR   Uploaded: 2019-12-26   Uploader: 遗**** (IP region: Hubei)
Approved by the head of the teaching and research section. Date: ____

North China Electric Power University, College of Science and Technology
Graduation Design (Thesis) Assignment

Department: ____   Major: ____   Class and student: ____

I. Graduation design (thesis) topic: Electrical primary-system design of a 110 kV step-down substation
II. Graduation design (thesis) period: from ____ to ____
III. Location: North China Electric Power University, College of Science and Technology
IV. Content requirements; original data and reference materials:

Design tasks:
1. Selection of main-transformer capacity and number of units.
2. Electrical main-connection design. (one 1# drawing)
3. Short-circuit current calculation. (with the related C-language program attached)
4. Selection of primary electrical equipment.
5. Design of indoor and outdoor switchgear installations. (three to four 2# drawings)
6. General site layout. (one 1# drawing)

Deliverables:
1. One copy each of the design description, the short-circuit current calculation report with its program, and the equipment list.
2. Five to six drawings.

Original data:
1. Substation type: local step-down substation.
2. Voltage levels: 110/35/6 kV.
3. Load conditions:
   35 kV side: maximum 22 MW, minimum 14 MW, Tmax = 5800 h, cos φ = 0.85
   6 kV side: maximum 16 MW, minimum 10 MW, Tmax = 6000 h, cos φ = 0.85
   Load type: industrial and agricultural production and urban and rural domestic supply.
4. Outgoing circuits:
   110 kV side: 2 circuits (overhead lines), LGJ-300/35km
   35 kV side: 4 circuits (overhead lines)
   6 kV side: 10 circuits (of which 4 are cable)
5. System conditions:
   (1) The system supplies the substation over a double circuit.
   (2) The short-circuit capacity of the system 110 kV bus is 2800 MVA.
   (3) The system 110 kV bus voltage meets the normal voltage-regulation requirement.
6. Meteorological conditions:
   (1) Maximum temperature 40 °C, minimum temperature −30 °C, annual mean temperature 20 °C
   (2) Soil resistivity ρ = 250 Ω·m
   (3) Local thunderstorm days: 40 per year
7. Other relevant data may be supplemented as needed.

Reference materials:
1. Reference Materials for the Course Design of the Electrical Part of Power Plants. Tianjin University.
2. Electric Power Engineering Design Handbook (volumes). Northwest and Northeast Electric Power Design Institutes.
3. Electrical Connections and Layout of Power Plants and Substations. Northeast Electric Power Design Institute.

Supervisor in charge: Shang Miao   Supervisor: Shang Miao
Date the design (thesis) assignment was accepted and started: ____   Student signature: ____

North China Electric Power University, College of Science and Technology
Graduation Design (Thesis) Proposal

Student: Dong Xiaohu   Class: Electrical 07K6   Department: Department of Power Engineering   Major: Electrical Engineering and Automation
Design (thesis) topic: Electrical primary-system design of a 110 kV step-down substation
Supervisor: Shang Miao   Date: ____

I. Based on the topic and the literature consulted, each student writes a literature review of at least 2000 characters. (Attached separately.)

II. Problems to be studied or solved and the intended research approach:
The main contents of the electrical primary-system design of a 110 kV step-down substation are: determining the substation main-connection scheme, selecting the main transformers, calculating short-circuit currents, selecting electrical equipment, designing the lightning-protection and grounding system, and designing the indoor and outdoor switchgear installations and the general site layout. The drawings to be completed are the electrical main-connection diagram, the general electrical site plan, the lightning-protection and grounding diagram and the switchgear section drawings.
Research approach:
(1) The main connection is chosen according to the equipment characteristics, the number of incoming and outgoing circuits, the load type and similar conditions, while meeting the requirements of reliable and flexible operation and economy of investment.
(2) The main transformers are chosen, in number, capacity, model and cooling method, according to the load requirements.
(3) Short-circuit currents are calculated from the electrical main-connection diagram: an equivalent network for short-circuit calculation is drawn, the necessary short-circuit points are fixed, and the practical calculation method is used to obtain the sets of short-circuit currents needed for equipment selection.
(4) The main electrical equipment is selected for normal operating conditions and checked for thermal and dynamic stability under short-circuit conditions, including the buses, insulators, circuit breakers, disconnectors and voltage and current transformers at each voltage level.

III. Supervisor's comments:
1. Comments on the literature review: ____
2. Evaluation of the student's preliminary work (including whether the chosen research methods and means are reasonable): ____
Supervisor: ____   Date: ____

Electrical Primary-System Design of a 110 kV Step-Down Substation

I. Preface

This graduation project is a preliminary electrical primary-system design for a 110 kV step-down substation. Following the basic principles of substation design, the aim is to master the principles and design process of the primary electrical system of a conventional substation. A substation is a power-system facility that transforms voltage, receives and distributes electrical energy, controls the direction of power flow and regulates voltage; through its transformers it links the grids at the various voltage levels. Substations in China's power system fall roughly into four categories: step-up substations, main-grid substations, secondary substations and distribution stations [3]. The technical and management level of China's power industry is rising steadily, placing higher demands on substation design, which in turn requires us to raise our level of understanding and application and to take the work seriously. The design here is a 110 kV step-down substation with voltage levels of 110 kV, 35 kV and 6 kV. Through a review of the literature, this paper sets out my design ideas and the specific design content, so as to provide a well-founded reference for the design work. By consulting the substation design codes, I learned the general process of substation design and the relevant codes, and clarified what designing a substation involves and what the design tasks are, such as electrical main-connection design, short-circuit calculation, equipment selection, and lightning protection and grounding.

II. Substation design approach

The design of a 110 kV substation first requires choosing highly reliable equipment and, through optimized design, achieving safe, economical and reliable system operation [8]. The design approach for a 110 kV substation is analysed below.

In substation design the main connection is of particular importance. The electrical main connection of a substation should be designed according to the 5 to 10 year development plan of the power system; one must proceed from the overall situation, balance all considerations, and determine a reasonable scheme based on the substation's position in the system, the number of incoming and outgoing circuits, the load, the characteristics of the project and the surrounding environmental conditions [1]. As grid construction matures and the reliability of electrical equipment rises, substation main connections will develop towards simplification. Simplifying the main connection does not reduce the reliability and flexibility of the substation; to some extent it can even improve them. Simplified main connections also have the following advantages: fewer devices, a smaller site area, lower construction investment and lower operation and maintenance costs [11].

Once the main connection is fixed, the drawings are produced in Microsoft Visio. Suitable conductors and electrical equipment are then selected according to the Electric Power Engineering Design Handbook, including circuit breakers, disconnectors, voltage transformers, current transformers, buses and connecting leads. Circuit-breaker selection involves: (1) Type and form. High-voltage circuit breakers are classified by insulating medium as minimum-oil, bulk-oil, air-blast, vacuum, SF6 and other types. (2) Rated voltage and rated current. (3) Breaking current, the key parameter characterising the breaker's most basic function of interrupting current; the breaker must not only extinguish the arc reliably but also not restrike, so as to limit the switching-overvoltage multiple. (4) Short-circuit making and breaking current, a characteristic parameter describing how a high-voltage breaker interrupts short-circuit current under certain special conditions. Disconnectors are used together with circuit breakers; they cannot make or break load current or short-circuit current. They serve mainly to isolate voltage, to perform switching operations and to make or break small currents. Their rated voltage and current are selected, and their dynamic and thermal short-circuit stability checked, essentially as for circuit breakers. Instrument transformers are the sensors through which measuring instruments and protective relays obtain information from the primary circuit; they are divided into voltage transformers and current transformers. They are selected by: (1) type and form; (2) primary rated voltage or current (and, for voltage transformers, secondary rated voltage); (3) rated burden and accuracy class; (4) dynamic and thermal stability checks. A detailed technical and economic comparison then determines the optimal scheme. Finally, lightning protection, grounding, the general electrical site layout and the switchgear installations are designed [2].

III. Issues to note in the design

1. Transformer layout
Transformers in the substations of high-rise and super-high-rise buildings and building complexes are generally dry-type (oil-immersed types may also be used). They may be arranged in one row together with the low-voltage switchgear or separately from it; in separate arrangements there may or may not be a partition wall between the transformers and the low-voltage switchgear, and a steel-mesh railing can provide the safety separation (the distribution stations of the Chongqing Economic Management Cadre Institute and of our own university are arranged this way). Which of these arrangements to adopt [5] depends on the space available for the transformers, the owner's management practices, the operators' experience, the rules of the local power-supply bureau and the usual requirements for transformers. The transport route and handling method, later maintenance, and the ambient temperature and ventilation the transformer requires must also be fully considered [13].

2. Circuit-breaker selection and short-circuit current calculation
In low-voltage distribution systems the protective devices are circuit breakers and fuses [7]. Circuit breakers are now used most, for the short-circuit and overload protection of distribution lines. There are many problems in selecting low-voltage breakers, however, the most prominent being that no short-circuit current calculation is made. The breaking capacity of a line's short-circuit protective device must exceed the prospective short-circuit current at its point of installation, so the short-circuit current at the breaker's outgoing terminals should be calculated before the breaker is chosen. Some designers skip this calculation and select breakers whose ultimate short-circuit breaking capacity is insufficient to clear the fault current [15].

3. Selection of bus conductors
According to the Technical Regulations for the Design Selection of Conductors and Electrical Equipment (SDGJ 14-86), switchgear bus conductors are selected, according to the specific project, by working current, allowable conductor current-carrying capacity, the minimum conductor cross-section (or outer diameter) allowed by the critical corona voltage, and dynamic and thermal stability under short circuit, and are then checked for ambient temperature, altitude, solar radiation, pollution and conductor stiffness. Accordingly, in the substations and power-plant step-up stations currently designed in China, the bus conductors of switchgear at 35 kV and above are steel-cored aluminium stranded conductor or tubular conductor [12]. Recently, however, some designers have one-sidedly pursued "appearance" or site saving when choosing bus conductors, neglecting the basic selection principles and choosing aluminium-manganese alloy tube as the bus conductor regardless of working current, voltage level or application [4]. For an ordinary 220 kV outdoor switchgear installation, tubular buses, being limited by allowable sag and similar conditions, require at least a 100/90 aluminium-manganese alloy tube, which can carry up to 620 MVA. In actual substation projects, however, the main transformers are generally two or three units of 120 MVA and the incoming and outgoing line conductors are mostly a single LGJ-400/50 [3]. Under these conditions, a single LGJ-600/50 bus, with an allowable transfer capacity of about 264 MVA, is technically entirely adequate once the dispersion of bus working current in the switchgear is taken into account (where necessary a single LGJ-500G5 conductor may be chosen), while economically, choosing LF21Y-100/90 instead of a single LGJ-400/50 adds about 100,000 yuan in bus conductor material cost and about 4.4 t of non-ferrous metal consumption. For the 220 kV outdoor switchgear of an ordinary substation, therefore, a flexible conductor bus is the more suitable choice [10].

4. Common problems in choosing cable type and cross-section
1) Cable type: YJV cross-linked polyethylene cable and VV polyvinyl chloride cable are the two types commonly chosen in construction projects. Compared with VV cable, YJV cable is slightly more expensive but has marked advantages: smaller outer diameter, lighter weight, higher current-carrying capacity and longer life (YJV cable lasts up to 40 years, VV cable 20 years). YJV cross-linked polyethylene cable should therefore be preferred in design and VV PVC cable gradually phased out [6].
2) Cable cross-section: as a conductor, a cable's cross-section must satisfy the four requirements of the mandatory clause 2.2.2 of GB 50054-95 for the selection of conductor cross-sections, yet the cable cross-sections we choose sometimes fail the first and second of these requirements [14]. In addition, the cable cross-section should make appropriate allowance for the power demand of standby equipment and of newly added equipment.

IV. Summary

This graduation project is a comprehensive test of my four years of study. Through it I have mastered the substation design process, learned the issues that need attention, consolidated and deepened my electrical knowledge and gradually improved my problem-solving ability. I have also become proficient in drawing with Visio. Consulting the Electric Power Engineering Design Handbook and other references improved my ability to read and analyse material. The project also made me realise that, with the rapid growth of the national economy, we must combine China's actual conditions closely, take the whole power system into view and plan ahead, and design a series of substations suited to supplying each region of the country, coordinating the work of the various specialist systems and stages so as to obtain the best overall technical and economic benefit.

V. References

[1] Li Meilan, Li Lijiao. Guide to Graduation Design for Power Plants and Substations [M]. China Electric Power Press, 2008.
[2] Electric Power Engineering Design Handbook, vol. 3 [M]. Shanghai People's Publishing House.
[3] Xiong Xinyin. Electrical Part of Power Plants [M]. China Electric Power Press, 2004.
[4] Cao Shengmin. Reference Materials for Power System Course Design and Graduation Design [M]. Water Resources and Electric Power Press, 1995.
[5] Electric Power Engineering Design Handbook [M]. Northeast and Northwest Electric Power Design Institutes.
[6] Lei Zhenshan. Practical Design Handbook for Small and Medium Substations [M]. China Water & Power Press, 2000.
[7] Huang Chunhua. Reference Materials for the Course Design of the Electrical Part of Power Plants [M], 1998.
[8] State Economic and Trade Commission of the People's Republic of China. DL/T 5218-2005, Design Code for 220 kV to 500 kV Substations [M]. Beijing: China Electric Power Press, 2005.
[9] Chen Yan. Design scheme for a 220 kV substation [J]. Journal of Panzhihua University, 2005(4).
[10] Li Fengliang. Analysis of several problems in 220 kV substation design [J]. Hunan Electric Power Technology, 1991.
[11] Chen Yue'e. Analysis of design ideas for 220 kV substations [J]. Electric Power Construction.
[12] Lin Jiankang. Experience in designing large substations [J]. Fujian Architecture, 2003.
[13] Peng Daijun. Several problems in the design of substations in large buildings [J]. Journal of Chongqing Teachers College, 1998.
[14] Liu Yongbo. Problems in substation design [J]. Architectural Design and Planning.
[15] Zhang He. Analysis of common problems in substation design [J]. Public Works Design.

North China Electric Power University, College of Science and Technology
Graduation Design (Thesis) Appendix: Translation of Foreign Literature

Student number: 071901010737   Name: Dong Xiaohu   Department: Department of Power Engineering   Class: Electrical 07K6   Supervisor: Shang Miao
Original title: A Retrofit Network Transaction Data Logger and Intrusion Detection System for Transmission and Distribution Substations
2011 ____

Translation: A Retrofit Network Transaction Data Logger and Intrusion Detection System for Transmission and Distribution Substations
VI. EXPERIMENTAL RESULTS

The data logger was validated in the Mississippi State University SCADA Security Laboratory. The laboratory contains laboratory-scale operational control systems, including a gas pipeline, an industrial blower, a conveyor belt, a water tower, an oil/gas storage tank, and a network connection to a PLC in a laboratory-scale substation. The data logger was tested in the SCADA Security Laboratory in both embedded-system mode and virtual-machine mode. With the retrofit data loggers added, the SCADA control systems operated normally. For each data logger mode the control system was started and allowed to run for 10 to 15 minutes to show that the HMI could monitor the system continuously; in addition, every control operation available to the operator was exercised and all were judged normal. Latency was measured for both the embedded-system data logger and the virtual-machine data logger for MODBUS ASCII, MODBUS RTU and DNP3 communications.

Latency was measured by sending LPDU from a test PC fitted with two UARTs, as shown in Figure 3. The data logger's UARTs were connected to the test PC's UARTs. An LPDU sent from the test PC passes through the data logger and loops back to the test PC, as shown by the dashed line in Figure 3. Timing starts when the first byte of the LPDU is handed to the output routine of the test PC's first UART and stops when the first byte is received on the test PC's second UART.

Figure 4 shows the latency measurements. They were taken with the UARTs configured for 9600 bps, 8 data bits, no stop bit and even parity. The chart compares the latency of the virtual-machine data logger, the embedded-system data logger and a loopback control system with no data logger.

Figure 5 shows LPDU transaction lengths between 10 and 250 bytes (the typical transaction lengths for MODBUS and DNP3 LPDU). The mean latency over the set of tested lengths was 43.6 ms, with a maximum of 48 ms for the 150-byte LPDU and a minimum of 40 ms for the 30- and 100-byte LPDU. The variation in latency does not depend on LPDU length.

VII. SUBSTATION INTRUSION DETECTION

Many of the attacks described above can be detected by a signature-based intrusion detection system such as Snort. For example, two false response injection attacks demonstrated in the Mississippi State University SCADA Security Laboratory can be detected with IDS signatures. In the first case [3], an attacker who has penetrated the wireless network acts as a slave device and sends random data continuously. When the attacker detects a command on the command channel, the random data stream is stopped, a false response is sent, and random data is sent again after the command response. In this way valid commands cannot be sent on the network. An IDS signature can be programmed to raise an alert if it detects a continuous transmission longer than the maximum time needed to send the longest DNP3 or MODBUS LPDU. The second false response injection exploits a race condition. Here the attacker penetrates the network and monitors it for MODBUS or DNP3 commands transmitted by the master. A signature-based IDS can be programmed to detect two identical responses to one command. Signature-based IDS algorithms can run on the retrofit data logger's CPU, providing a unified retrofit capture system for legacy serial SCADA networks that captures network transactions and correlates them with illicit intrusions. For example, in an Ethernet-based system a malicious party might inject false commands into an RTU to change set points; such commands look very much like valid commands. IDS signatures can detect invalid set-point commands, such as commands that set a point above or below a given threshold. It is much harder, however, to create an IDS signature for a malicious change of an alarm set point to another legal value. Replay attacks are equally difficult to detect with a signature-based IDS.

A statistical IDS can be used to distinguish normal from abnormal network activity. To test the effectiveness of a statistical IDS on a SCADA control system, a set of false response injection exploits was developed against a SCADA control system network in the Mississippi State University SCADA Security Laboratory. A neural network classified network transactions as normal or abnormal. An IDS trained with the neural network against response injection attacks on a water distribution control system showed encouraging results: the IDS detected false response injections that violated the normal water-level trend 97% of the time. Similar IDS experiments monitoring abnormal trends in voltage, current and frequency are expected to have similar accuracy.

A promising direction for future research is to extend the neural network's input features to include parameter and physical-parameter trends together with items from the signature-based IDS log. The resulting IDS would have higher accuracy and support the detection of a wider range of network attacks.

VIII. CONCLUSIONS

The retrofit data logger described in this paper stores and forwards MODBUS ASCII, MODBUS RTU and DNP3 link layer protocol data units (LPDU) with minimal latency. The experimental results show that the data logger's latency allows it to be used as a retrofit to existing SCADA control system equipment. The data logger time stamps, cryptographically signs and encrypts all captured LPDU, providing tamper-evident LPDU storage and a platform for post-incident analysis. A method of substation-based signature and statistical intrusion detection using the retrofit data logger is offered. Substation forensic data logging and intrusion detection support a defense in depth posture in which multiple overlapping layers of security protect critical cyber assets.

REFERENCES

[1] R. Chandia, J. Gonzalez, T. Kilpatrick, M. Papa, S. Shenoi. Security Strategies for SCADA Networks. Pages 117-131. Springer Boston, 2007.
[2] B. Caswell, J. Beale, J. C. Foster, and J. Faircloth, "Snort 2.0 Intrusion Detection," Syngress, Feb. 2003.
[3] B. Reaves, T. Morris. Discovery, Infiltration, and Denial of Service in a Process Control System Wireless Network. IEEE eCrime Researchers Summit. October 20-21, 2009. Tacoma, WA.
[4] C. Beaver, D. Gallup, W. Neumann, and M. Torgerson. Key Management for SCADA. Cryptography Information Systems Security Department, Sandia National Laboratories. March 2002.
[5] O. Pal, S. Saiwan, P. Jain, Z. Saquib, D. Patel. Cryptographic Key Management for SCADA System: An Architectural Framework. International Conference on Advances in Computing, Control, and Telecommunication Technologies. 2009.
[6] R. Dawson, C. Boyd, E. Dawson, J. Manuel, G. Nieto.
SKMA: A Key Management Architecture for SCADA Systems. Fourth Australasian Information Security Workshop (AISW-NetSec). 2006.
[7] S. Lee, D. Choi, C. Park, and S. Kim. An Efficient Key Management Scheme for Secure SCADA Communication. Proceedings of World Academy of Science, Engineering and Technology, Volume 35, November 2008.
[8] L. Piètre-Cambacédès, P. Sitbon. Cryptographic Key Management for SCADA Systems, Issues and Perspectives. Proceedings of the 2008 International Conference on Information Security and Assurance. 2008.
[9] W. Gao, T. Morris, B. Reaves, D. Richey. On SCADA Control System Command and Response Injection and Intrusion Detection. IEEE eCrime Researchers Summit. October 18-20, 2010. Dallas, TX.

A Retrofit Network Transaction Data Logger and Intrusion Detection System for Transmission and Distribution Substations

Thomas Morris and Kalyan Pavurapu, Electrical and Computer Engineering, Mississippi State University, Mississippi State, MS, USA

Abstract: SCADA systems are widely used in electricity generation, distribution, and transmission control systems. NERC CIP 002-009 requires bulk electric providers to secure critical cyber assets electronically and physically. Transmission and distribution substations contain cyber critical assets including remote terminal units (RTU), intelligent electronic devices (IED) such as relays, phasor measurement units (PMU) and phasor data concentrators (PDC). Substation critical cyber assets are isolated in electronic security perimeters using firewalls. In this paper a retrofit data logger solution for serial communication based MODBUS and DNP3 network appliances is offered. The retrofit data logger allows existing control systems to be updated to log network transactions in support of substation based network intrusion detection.
Substation based intrusion detection supports a defense in depth approach to cyber security in which multiple overlapping layers of security are used to protect critical cyber assets. The data logger is an embedded bump-in-the-wire retrofit device which captures, time stamps, cryptographically signs, encrypts, and stores network traffic. Network traffic is forwarded to the existing network. Additionally, the data logger architecture supports use of signature based and statistics based intrusion detection algorithms at the network appliance edge.

Keywords: SCADA Cyber Security, Process Control System Cyber Security, Data Logging, Intrusion Detection

I. INTRODUCTION

National Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) Standards 002 through 009 require utilities and other responsible entities to place critical cyber assets within an electronic security perimeter. The electronic security perimeters must be subjected to vulnerability analyses, use access control technologies, and include systems to monitor and log electronic security perimeter access. The Federal Energy Regulatory Commission (FERC) requires responsible entities involved in bulk electricity transmission to adhere to the NERC CIP 002 through 009 standards. No such regulation exists for the electric distribution systems and other critical infrastructure, such as water treatment and distribution, and gas distribution, in the United States. Electronic perimeter security will minimize the threat of illicit network penetrations; however, persons with electronic access to SCADA systems within the electronic security perimeter still remain a threat due to the lack of authentication capabilities in these systems.
Additionally, the lack of authentication for process control system communication protocols means that if an attacker does penetrate the electronic security perimeter he will be able to inject false commands and false responses into the process control system without detection. Existing remote terminal units and intelligent electronic devices, which use serial communication, found in transmission and distribution substations do not support data logging of network transactions. To provide a substation based intrusion detection system a serial communication data logger is required. This paper documents a retrofit SCADA data logger architecture developed to capture and log MODBUS ASCII, MODBUS RTU, and DNP3 network traffic at the Intelligent Electronic Device (IED) or Remote Terminal Unit (RTU) edge. The retrofit SCADA data logger has been developed to run on an embedded platform to support use as a retrofit device attached to an IED or RTU and to run on a PC platform. Resulting data logs can be used by a substation based intrusion detection system to detect illicit cyber penetrations of the substation communication system and to detect illicit injection of false commands and false responses into the substation communication system. The body of this paper includes a section discussing related works, a discussion of the needs for data logging and intrusion detection in SCADA control systems at various levels in the SCADA network, a description of the retrofit SCADA data logger architecture, empirical results from a data logger implementation, and a discussion of substation based intrusion detection using the retrofit data logger. Finally, the paper ends with a discussion of future work and conclusions.

2010 IEEE International Conference on Power and Energy (PECon2010), Nov 29 - Dec 1, 2010, Kuala Lumpur, Malaysia. 978-1-4244-8946-6/10/$26.00 ©2010 IEEE

II. RELATED WORKS

In [1] Chandia et al. propose a forensic architecture which can be used to capture SCADA control system communications for subsequent forensic analysis. In the Chandia architecture, agents capture data at three levels and forward collected traffic to a data warehouse for storage and future analysis. Level 1 agents collect communications to and from the control system master nodes. Level 2 agents collect traffic at intermediate locations in the network. Finally, level 3 agents collect communication traffic from downstream nodes such as RTU and IED. The level 1, 2, and 3 agents capture network traffic and create a synopsis of the network packets according to a set of predefined configuration rules. Each synopsis contains a time stamp and location details required for the forensic analysis. The level agents forward the synopsis packets to the data warehouse, which is located in the upstream network. The data warehouse analyzes each synopsis packet and creates a data signature, which is stored along with the synopsis. The data warehouse supports queries on the stored data. All the communications between the data warehouse and level agents occur on an isolated side channel network. The proposed architecture with level agents and data warehouse does not characterize the position of the level 3 agent downstream. The level 3 agent is most similar to our data logger architecture in that it collects communication at downstream nodes. Chandia et al. do not specify the exact location, intended behavior, or architecture of their level 3 agents. Our data logger architecture offers a solution for the position, behavior, and architecture of a level 3 agent. Some SCADA control system IED and RTU vendors offer data logger features. Control Microsystems, Inc.
offers two SCADA RTU devices with data logging functionality, the SCADAPack 350 and SCADAPack 357. These data logging features allow users to connect the RTU to external storage to log process data. The data logger function does not support logging network transactions sent to and from the RTU. Other vendors offer historians for data logging physical system parameters. OSI PI historian is a popular historian product. Again, control system historians do not offer network transaction data logging. Snort is a rule based open source network intrusion detection tool [2]. Snort collects and logs network traffic, analyzes network traffic searching for rule violations, and alerts the administrator of suspicious activity. Snort is commonly used to monitor Ethernet and TCP/IP communications traffic. As such, Snort has been applied to monitor the higher layers of control system networks, such as to monitor connections between the control system and the larger corporate network. Rule sets have also been developed to allow Snort to monitor and analyze MODBUS traffic between master nodes and RTU/IED. Such implementations can be used on the master nodes where sufficient processing resources are available to run Snort. RTU and IED do not typically have the processing power or the storage capabilities to support Snort. Our data logger is intended to be a low cost solution to log data at the RTU/IED level.

III. SCADA SYSTEM OVERVIEW

SCADA control systems are distributed cyber-physical systems. Figure 1 shows an example of an electric transmission SCADA control system. Intelligent Electronic Devices (IED) are connected to sensors and actuators to interface directly with the electric transmission system. IED, such as protection relays, store control parameters and execute algorithmic code (such as ladder logic or C programs) to directly control sub-circuits in the transmission system. Transmission faults lead to an automated protection response such as opening a circuit breaker.
Protection relays continuously monitor critical parameters. If measured parameters reach a pre-programmed trip level, the relay will take a control action. The relay, relay control parameters, and the attached circuit breakers form a feedback control loop. SCADA systems also support supervisory control and data acquisition. SCADA systems include a master terminal unit (MTU) connected to the IED via a communication link. The MTU polls the IED periodically to read physical quantities of the controlled system such as voltage and current. This information is displayed on a Human Machine Interface (HMI) to allow situational awareness and control. The HMI allows the dispatcher to interact with the physical process. For example a dispatcher may open a breaker to island a circuit or close a breaker during system restart. The MTU, IED, communication link, HMI, and dispatcher form a second, supervisory feedback control loop.

Figure 1. Electric Transmission SCADA Control System

The communication link in SCADA systems consists of two parts: the communication medium and communication protocols. Communication media generally include wireless or wired networks. Wired networks may use leased line, Ethernet, serial cable, and fiber optic cable. Wireless networks may use standardized communication systems such as IEEE 802.11, ZigBee, and WirelessHART. Wireless links may also use proprietary implementations. Finally, wireless links may include long distance solutions such as satellite and microwave. There are many standards for SCADA communication including Fieldbus, EtherIP, Profibus, MODBUS and Distributed Network Protocol version 3 (DNP3). One common security flaw with all of these communication protocols is that they do not include cryptographic authentication, which means that RTU and MTU cannot validate the origin of commands and responses respectively.
[Figure 1 (diagram): IED in the substation, serial communication link, MTU, HMI and historian in the control center, firewalls, corporate network PCs and the internet; the legend marks the NERC CIP electronic security perimeter and the data logger positions.]

IV. ATTACKS ON SCADA SYSTEMS

There are 3 primary threats to process control systems: response injection, command injection, and denial of service. Response injection attacks inject false responses into a control system. Since control systems rely on feedback control loops which monitor physical process data before making control decisions, protecting the integrity of the sensor measurements from the physical process is critical. False response injection can be used by hackers to cause control algorithms and operators or dispatchers to make misinformed decisions. Command injection attacks inject false control commands into a control system. Command injection can be classified into 2 categories. First, human operators oversee control systems and occasionally intercede with supervisory control actions, such as opening a breaker. Hackers may attempt to inject false supervisory control actions into a control system network. Second, remote terminals and intelligent electronic devices are generally programmed to automatically monitor and control the physical process directly at a remote site. This programming takes the form of ladder logic, C code, and registers which hold key control parameters such as high and low limits gating process control actions. Hackers can use command injection attacks to overwrite ladder logic, C code, and remote terminal register settings. Denial of Service (DOS) attacks attempt to break the communication link between the remote terminal and master terminal or human machine interface. Breaking the communication link between master terminal or human machine interface and the remote terminal breaks the feedback control loop and makes process control impossible. DOS attacks take many forms.
Many DOS attacks attempt to overwhelm hardware or software on one end of the network so that it is no longer responsive. Other DOS attacks send ill-timed or malformed network packets which cause errors in a remote device's network stack and leave the remote device unresponsive. SCADA system attacks may originate from multiple points in the control system network. First, an attack may be launched via an external network connection. In this case, the attacker penetrates the network via a network interface to gain access to the control system network. Such attacks include penetration via connections to the internet or penetration through dial-up connections. Second, an attacker may penetrate the SCADA communication link connecting the MTU and IED. In [3], Reaves and Morris discuss how to discover and connect to a proprietary SCADA radio used to form the MTU to IED communication link (such as that diagrammed in Figure 1) and then inject false responses and denial of service attacks into the network traffic. Finally, an attack may originate from an insider with physical or electronic access to the SCADA system. In this case, the attacker may inject commands and responses over a network ordinarily isolated from outside connections, or an attacker may connect directly to control system equipment before initiating an attack.

V. DATA LOGGING IN A SCADA NETWORK

SCADA control system data loggers should monitor and log all communications traffic to and from the MTU and IED. Figure 1 shows a SCADA control system with added data logger retrofits. This placement of data loggers will capture all network traffic associated with the attacks mentioned in section IV. Response injection attacks may originate from an attacker which has penetrated the communication link between the MTU and IED. The data logger running on the HMI host in Figure 1 will capture all network traffic associated with such response injection attacks.
Command injection attacks may originate from a penetration of the corporate network via the internet or from an insider. Command injection attacks may also originate from an attacker which has penetrated the communication link between the MTU and IED. The data logger attached to the IED in Figure 1 will capture all network traffic associated with such command injection attacks. Network traffic associated with denial of service attacks against the MTU and IED will also be logged by their respective data loggers.

Figure 2. Data Logger Architectures
[Figure 2 (diagram): a) embedded version: an FPGA with UART, processor and UART inserted between the MTU and the IED; b) virtual machine version: the HMI host running the HMI and the data logger VM, joined by a virtual serial port, with a physical serial port to the MTU.]

Figure 2 provides an architectural overview of the SCADA data loggers as used within a SCADA control system. The data logger was built with a hardware abstraction layer to support implementation in a virtual machine on a HMI host PC and as an embedded system. Figure 2a shows the embedded system version of the data logger implemented using a field programmable gate array (FPGA) integrated circuit (IC) attached to an external compact flash card. Figure 2b shows the virtual machine version of the data logger. In this version, the data logger is implemented as a Linux process running in a virtual machine on the same PC which hosts the HMI. The virtual machine data logger results are stored on the host PC's hard disk drive rather than on a compact flash card. Each version of the data logger contains two RS-232 universal asynchronous receiver transmitters (UART) to monitor and forward MODBUS ASCII, MODBUS RTU, and DNP3 link layer protocol data units (LPDU). For the embedded system version, the microcontroller processes bytes as they are received from one UART and forwards the bytes to the other UART. Bidirectional communication is supported. The microcontroller also executes the link layer software stacks and hands off LPDU to the data logger. For the virtual machine version a single physical RS-232 port is used to connect to the MTU.
A virtual serial port is used to connect the HMI to the virtual machine running the data logger process. The virtual machine data logger processes network transactions in the same manner as the embedded system version. The data logger forwards each received byte from one UART to the other UART immediately. When the link layer detects that it has captured an entire LPDU, the LPDU is returned to the application layer for logging. This is a significant improvement over data logger architectures which capture an entire LPDU before forwarding it to the attached RTU or IED.

$T_l = E\big(\mathrm{LPDU}\,\|\,\mathrm{HMAC}_{k_1}(\mathrm{LPDU}\,\|\,t_{\mathrm{LPDU}}\,\|\,n)\,\|\,n\big)$ (1)

Acquired data must be pre-processed to support secure storage and time stamping for post incident analysis. Equation 1 shows a logged transaction (Tl) after preparation for storage. The original LPDU is appended with a time stamp (tLPDU) and a random nonce (n). The concatenated result is hashed with an HMAC function using key (k1). Next, the captured LPDU is concatenated with the hash result and the nonce. Next the transaction is encrypted with AES in counter mode (E in Equation 1). This result is stored on the compact flash card or hard disk drive. The HMAC and nonce are added to ensure data integrity. The time stamp is added to support temporal analysis for both online and offline analysis. The HMI host PC should periodically synchronize the real time clock in the data logger with the real time clocks in other nodes in the control system to support correlation of data logger results from different points in the system. The frequency of time synchronization depends upon the drift of the various clocks in the system. The data logger stores transactions on a compact flash card for the embedded version and a hard disk drive for the virtual machine version. Each logged transaction (Tl) includes the LPDU plus 72 bytes of log information. The time stamp (tTM) measures the time elapsed since 12:00 A.M. (GMT) January 1, 2009.
The time stamp is 8 bytes, which provides room to support time stamps spanning 585K years when stored with microsecond precision. We use HMAC-SHA256, which requires 32 bytes. The nonce is 32 bytes, matching the key length. The maximum size of a MODBUS ASCII LPDU is 513 bytes, the maximum size of a MODBUS RTU LPDU is 256 bytes, and the maximum size of a DNP3 LPDU is 292 bytes. As such, the logged versions will be 583, 328, and 364 bytes respectively. In practice SCADA LPDU are most often much smaller. Electric transmission system situational awareness algorithms poll SCADA devices every 2-4 seconds. At each 2-4 second interval there will be a command, requesting data, and a response, providing data. LPDU for all supported network protocols may be shorter than their specified maximum. Based upon the maximum transaction sizes above, the data logger can store 1.84×10^6 logged transactions (Tl) per gigabyte for MODBUS ASCII mode, 3.27×10^6 logged transactions (Tl) per gigabyte for MODBUS RTU mode, and 2.95×10^6 logged transactions (Tl) per gigabyte for DNP3 mode. For the 2 second polling case, the data logger can store 2.8 years of MODBUS ASCII transactions per gigabyte, 5.0 years of MODBUS RTU transactions per gigabyte, and 4.5 years of DNP3 transactions per gigabyte. For the 4 second polling case, the total number of stored LPDU increases by a factor of 2. These densities make the use of a compact flash card for the embedded system data logger feasible. The data logger running on the HMI host may monitor network transactions between the HMI and many downstream IED. As such, it may need more available storage capacity. Since this version runs on the HMI host PC it has access to that system's hard disk drive, providing significantly more storage capacity.

The data logger may serve as an input sensor for an intrusion detection system. Active analysis may be used to search transactions for intrusion signatures.
This could be done by parsing transactions and comparing them to signatures of transactions previously classified as invalid or illegal behavior. Logged transaction data can be fetched while the system is online to support system engineering, post incident security analysis, and system wide intrusion detection. Un-assigned MODBUS or DNP3 addresses are used to implement commands which are not forwarded to the IED. These commands tell the data logger to fetch a single transaction or all transactions over a prescribed period of time. Data integrity is maintained by time stamping all transactions before storing, by storing an HMAC with the transaction, and by concatenating a nonce to the transaction before calculating the transaction HMAC. When reading transactions from storage the data logger verifies the HMAC of the retrieved transaction before returning it. Logged transactions are encrypted using AES counter mode to prevent unauthorized individuals from reading logged contents. It is important for the data logger to protect the keys used for encryption and HMAC generation. Currently, the data logger stores encryption keys in RAM. A new key storage and distribution scheme was not developed as part of this effort. Many authors have proposed secure key storage and distribution schemes for SCADA systems [4-8].

VI. EXPERIMENTAL RESULTS

The data logger was validated in the Mississippi State University SCADA Security Laboratory. The laboratory contains laboratory scale operational control systems, including a gas pipeline, an industrial blower, a conveyor belt, a water tower, an oil/gas storage tank, and a network connection to a PLC in a laboratory scale electric substation.
The control systems are monitored and controlled by human machine interface (HMI) software which polls remote terminal registers every second. The data logger was tested in embedded system mode and virtual machine mode in the SCADA Security Lab. The SCADA control systems functioned normally with the retrofit data logger added to the system. For each data logger mode, the control system was started and allowed to run for 10-15 minutes to demonstrate the HMI's ability to continually monitor the system. Additionally, all control actions available to an operator for each control system were executed and all functioned normally. Latency measurements were taken for MODBUS ASCII, MODBUS RTU, and DNP3 communication with both the embedded system data logger and the virtual machine data logger.

Figure 3. Latency Test Set Arrangement (test PC UARTs U1 and U2 attached to data logger UARTs U1 and U2)

Latency was measured by sending LPDUs from a test PC configured with 2 UARTs as shown in Figure 3. The data logger UARTs were attached to the test PC UARTs. LPDU sent from the test PC were looped back by the data logger and returned to the test PC following the flow shown by the dashed line in Figure 3. Time measurement was started when the LPDU first byte was sent to the UART output routine on the test PC. Time measurement was stopped when the first byte was received from the test PC's second UART.

Figure 4. Data Logger Latency

Figure 4 shows the latency measurement results. All latency measurements were taken with UARTs configured for 9600 bps communication, with 8 data bits, no stop bit, and odd parity. The chart compares latency for a system with a virtual machine based data logger, an embedded system data logger, and a loop back without a data logger for control. The loop back mode average latency is 35 mS, while the virtual machine mode averaged 41 mS and the embedded system mode averaged 40 mS. This suggests the actual latency due to the data logger is very low. Electricity transmission and distribution SCADA systems typically poll RTU and IED every 2-4 seconds. As such an additional latency of less than 50 mS is acceptable for electricity distribution and transmission SCADA control systems. Latency measurements did not vary significantly for the different protocols (MODBUS ASCII, MODBUS RTU, and DNP3) since the latency times are dominated by the time to capture and forward individual bytes at 9600 bps, which takes approximately 1 mS per byte. Figure 5 shows latency for LPDU transaction lengths between 10 and 250 bytes (typical transaction lengths for MODBUS and DNP3 LPDU). The latency average for the group of test lengths was 43.6 mS, with the maximum latency of 48 mS for 150 byte LPDU and the minimum latency of 40 mS for 30 and 100 byte LPDU. Latency variation is not dependent on LPDU transaction length.

Figure 5. Latency versus LPDU Length

VII. SUBSTATION INTRUSION DETECTION

Many of the attacks described above can be detected by a signature based IDS such as SNORT. For example, two methods of false response injection confirmed in the MSU SCADA Security Laboratory can be detected with a signature based IDS. In the first case [3] an attacker penetrates the wireless network as a slave and continuously streams random data. When the attacker detects a command on the command channel of the wireless network it stops streaming random data, transmits a false response to the command, and then resumes transmitting random data. In this way, valid slaves on the network can not transmit. A signature based IDS can be programmed to alarm if it detects continuous transmissions longer than the maximum time required to send the longest possible DNP3 or MODBUS transaction. The second false response injection method leverages a race condition to inject false responses. In this case, an attacker penetrates a MODBUS or DNP3 network and monitors master transmissions for commands. The attacker replies with a false response faster than the authentic slave. Both MODBUS and DNP3 accept the first response received as valid and disregard additional responses. A signature IDS could be programmed to alert if two responses to the same command were detected.
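The two signature rules just described, as an added example (not the paper's IDS) in Python: byte arrivals from a serial capture are grouped into transmissions and checked for a slave busy longer than the longest possible LPDU could take and for a second response to one master command. The 1 mS per byte figure comes from the latency measurements above; the 3.5 character-time frame gap (the MODBUS RTU inter-frame silence), the captures and the 256 byte MODBUS RTU limit are constructed test inputs.

```python
# Added example, not the paper's code: the two signature rules of section VII run over a
# constructed, time-stamped byte capture of the kind the data logger's UARTs see.
MS_PER_BYTE = 1.0            # approximate byte time at 9600 bps (from the paper)
GAP_MS = 3.5 * MS_PER_BYTE   # silence that ends a frame; MODBUS RTU uses 3.5 character times


def bursts(capture):
    """Group (t_ms, side) byte arrivals into (side, start_ms, end_ms, nbytes) transmissions."""
    out = []
    for t, side in sorted(capture):
        if out and out[-1][0] == side and t - out[-1][2] <= GAP_MS:
            s, start, _, n = out[-1]
            out[-1] = (s, start, t, n + 1)
        else:
            out.append((side, t, t, 1))
    return out


def scan(capture, max_lpdu):
    """Return (rule, t_ms, detail) alerts: a slave transmitting longer than the longest possible
    LPDU could take (jamming with random data) and a second response to the same master
    command (race-condition false response injection)."""
    alerts = []
    max_tx_ms = max_lpdu * MS_PER_BYTE
    last_cmd, responses = None, 0
    for side, start, end, n in bursts(capture):
        if side == "master":
            last_cmd, responses = start, 0
            continue
        if end - start > max_tx_ms:
            alerts.append(("jamming", start, f"slave busy {end - start:.0f} ms > {max_tx_ms:.0f} ms limit"))
        if last_cmd is not None:
            responses += 1
            if responses == 2:
                alerts.append(("dup_response", start, f"second response to command at {last_cmd:.0f} ms"))
    return alerts


def frame(side, start_ms, nbytes):
    """Constructed byte arrivals for one transmission, one byte every MS_PER_BYTE."""
    return [(start_ms + i * MS_PER_BYTE, side) for i in range(nbytes)]


# Constructed captures (times in ms): a normal poll, a race-condition injection, and a jammer
# that streams random data, answers a command with a false response, then resumes streaming.
NORMAL = frame("master", 0, 8) + frame("slave", 20, 25) + frame("master", 2000, 8) + frame("slave", 2020, 25)
RACE = frame("master", 0, 8) + frame("slave", 12, 25) + frame("slave", 40, 25)
JAM = frame("slave", 0, 600) + frame("master", 605, 8) + frame("slave", 620, 25) + frame("slave", 650, 650)

if __name__ == "__main__":
    for name, cap in (("normal", NORMAL), ("race", RACE), ("jam", JAM)):
        print(name, scan(cap, 256))    # 256 bytes is the MODBUS RTU maximum LPDU size
```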
Signature based IDS algorithms can be run on the retrofit data logger CPU, providing a single retrofit system which captures legacy serial SCADA network transactions and scans captured network transactions for signatures related to illicit intrusions from a cyber intruder. Signature based IDS require prior knowledge of threats to develop signatures. New attacks and variants on existing attacks can be missed by signature based IDS. Also, certain attacks are difficult for a signature IDS to detect. For instance, in Et