阮黎翔,沈奕菲,王自成,李广华
RUAN Lixiang,SHEN Yifei,WANG Zhicheng,LI Guanghua

• 1:国网浙江省电力有限公司电力科学研究院
• 2:南京南瑞继保电气有限公司

摘要(Abstract)：

在遵循IEC 62351—3提出的加密通信和IEC 62351—4提出的身份认证技术的基础上，以IEC62351—8为理论依据开展了面向通信链路的基于角色的访问控制技术研究。该技术按照实际应用，为每个通信链路的客户端通信设备预先分配角色，以其安全通信中使用的数字证书为载体，扩展形成角色的访问令牌。服务端设备在安全通信建立过程中，从客户端设备使用的数字证书中识别、提取客户端角色，并按照服务端设备内预置的角色与权限的映射，赋予该客户端相应的访问权限，从而实现面向变电站内通信链接的基于角色的访问控制功能，达到针对IEC 61850通信的分层级、分权限访问的目的。该技术提升了电力系统设备远方操作的可控性，目前已在变电站中得到实际应用。
By following the encrypted communication proposed by IEC 62351-3 and the identity authentication technology by IEC 62351-4,the paper carries out research on role-based access control technology on the theoretical basis of IEC 62351-8. This technology preassigns a role to each client communication device in the communication link according to actual applications. It takes the digital certificate for its secure communication as a carrier to expand the access token that forms the role. The server device recognizes and extracts the role of the client from the digital certificate used by the client in secure communication and grants the client corresponding access permissions according to the preset mapping of roles and permissions to realize the role-based access control function. The purpose of hierarchical and sub-authorized access to IEC 61850 communication has been achieved. This technology improves the controllability of remote operation of power system equipment and has been applied in substations.

关键词(KeyWords)： 基于角色的访问控制;IEC 62351;网络安全
role-based access control;IEC 62351;cyber security

Abstract:

Keywords:

基金项目(Foundation): 国网浙江省电力有限公司科技项目（5211DS19002Y）

作者(Author): 阮黎翔,沈奕菲,王自成,李广华
RUAN Lixiang,SHEN Yifei,WANG Zhicheng,LI Guanghua

DOI: 10.19585/j.zjdl.202207012

参考文献(References)：

• [1]金乃正，张亮，章坚民，等.面向信息安全的广义继电保护远方操作闭环管控关键设计[J].电力系统自动化，2016,40(21):117-122.
• [2]杨继高，陶文伟，张静，等.符合IEC 62351标准的变电站原型系统关键技术[J].电力系统自动化，2015,39(14):114-119.
• [3]童晓阳.基于可信计算的广域保护与变电站通信安全防御策略[J].电力系统自动化，2011,35(20):53-58.
• [4]陶士全，王自成，李广华，等.基于IEC 62351的安全通信对站控层通信性能的影响[J].电力系统自动化，2018,42(23):155-158.
• [5]王自成，李广华，方芳，等.IEC 62351国际互操作的总结与思考[J].电力系统自动化，2019,43(5):1-7.
• [6]李广华，王自成，顾浩，等.智能变电站站内安全通信的密钥管理分析[J].湖北电力，2021,45(1):80-86.
• [7] Power systems management and associated information exchange-data and communications security-part 3:communication network and system security-profiles including TCP/IP:IEC 62351-3:2020[S].Genera:IEC,2020.
• [8] Power systems management and associated information exchange-data and communications security-part 4:security for profiles including MMS and derivatives:IEC 62351—4:2020[S].Genera:IEC,2020.
• [9] Signature authentication in the internet key exchange version 2(IKEv2)[S]:IETF RFC7427:2015.[S.l]:IETF,2015.
• [10] Transport layer security(TLS)parameters[EB/OL].[2018.01]. https：//www. iana. org/assignments/tlsparameters/tls-parameters.xhtml#tls-parameters-4
• [11] Power systems management and associated information exchange-part 8:role-based access control for power systrm management[S]:IEC 62351—8:2020.Genera:IEC,2020.
• [12] Internet X.509 public key infrastructure certificate and certificate revocation list(CRL)profile:IETF RFC 5280:2008[S].[S.l]:IETF,2008.
• [13] Rec. ITU-T X.680:2015 information technology-ASN.1:Specification of basic notation:ISO/IEC 8824—1:2015[S].Genera:IEC,2015.
• [14] Rec. ITU-T X. 690(2015),Information technologyASN. 1 encoding rules:specification of basic encoding rules(BER),canonical encoding rules(CER)and distinguished encoding rules(DER):ISO/IEC 8825-1:2015[S].Genera:IEC,2015.
• [15]张小飞，张道银，郑珞琳，等.基于机器学习算法的电力信息网络安全态势感知研究[J].电器与能效管理技术，2021(8):16-23.
• [16]张泰，杨雪，汪晓帆.基于5G配电网差动保护安全防护策略研究[J].四川电力技术，2020,43(6):60-65.
• [17]张媛.电力配电网自动化系统中网络安全防护有效性探究[J].山西电力，2020(5):31-33.
• [18]龚逊东，薛溟枫，毛晓波，等.泛在电力物联网安全风险分析及分层防护措施[J].内蒙古电力技术，2020,38(1):6-11.