Building a Network Security Immune System for Power Monitoring and Control Systems Based on Trusted Computing Technology
Topic: trusted computing + security immunity; Source: 《工程科学与技术》 (Advanced Engineering Sciences), 2017, Issue 02
[Abstract]: The power system is critical national infrastructure. The grid dispatching control system is an essential means of keeping a modern large power grid running safely and stably, and it is also a priority target in state-level network confrontation. China's power grid has fully built a defence-in-depth network security architecture centred on network isolation and boundary protection, but against APT attacks whose main technical means is rapidly evolving malicious code, three problems remain: protection technology lags behind attack techniques, security functions are constrained by business functions, and protective measures affect the real-time performance of control services. Trusted computing is a computing model in which computation and protection run in parallel; by preserving the integrity of the computing environment and the computing logic, it gives the computing platform autonomous immunity to malicious code and illegal operations. Based on trusted computing technology, a network security immune system for power monitoring and control systems is built, consisting of a power trusted computing platform for the control master station system, trusted network communication, and trusted field measurement and control terminals. It covers every link of the power control business, from field monitoring and communication through computation and analysis to the issuing and execution of control commands, and provides an effective active defence mechanism for power control systems. The master station's power trusted computing platform comprises two core components: trusted cryptographic module hardware as the root of trust, and a trusted software base embedded in the operating system kernel. Together they implement trusted boot of the computer, integrity measurement of the operating system and applications, mandatory access control, and mandatory execution control. Building on the standard method of constructing a chain of trust, the platform embeds measurement code in the operating system boot loader and uses the trusted cryptographic hardware, driven in CPU real mode, to perform retrospective measurement of the integrity of the system boot loader code. Compared with current mainstream trusted computing implementations, the platform moves the starting point of measurement forward from the operating system to the boot loader, substantially improving system security. Combined with the security label mechanism of the grid dispatching control system, the platform applies dual mandatory access control to application processes, integrating the operating system layer and the application layer. Combined with the dispatching digital certificate system, it implements secure management of application expected values, ensuring that the expected values are authentic and authoritative. The platform uses the native security functions of the computing components and requires no changes to business programs, logic or system resources, so large-scale modification of systems already in operation is avoided and the approach is practical to engineer. Comprehensive testing and extensive engineering practice show that the platform consumes few system resources, runs efficiently enough to fully meet the real-time requirements of control services, and does not interfere with business functions in any way. The network security immune system built on trusted computing technology provides power monitoring and control systems with an efficient, high-strength protection mechanism that has active defence capability against malicious code and illegal operations; it is also applicable to other industrial control systems with fixed business logic, infrequent system updates and high security-level requirements.
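The chain-of-trust and expected-value mechanism the abstract describes, as an added example that is not code from the paper or its platform: a PCR-style measurement register that starts at the boot loader rather than at the operating system, and an admission check that lets an application run only when its measured hash matches an expected value endorsed by the authority. The authority key, stage names and image bytes are all constructed stand-ins, and the HMAC "endorsement" stands in for the paper's dispatching digital certificate system, which this stand-alone script does not have.

```python
"""Measured boot chain with authority-endorsed expected values (added example).

Models the mechanism the abstract describes: the root of trust measures the
boot loader before the operating system, each stage's hash is folded into a
PCR-style register, and an application may run only if its measured hash
matches an expected value endorsed by the authority. All keys, stage names
and image bytes are constructed for the demo; the endorsement is an HMAC
stand-in for the paper's dispatching digital certificate system.
"""
import hashlib
import hmac

# Constructed inputs: stand-ins for real boot loader, kernel and application images.
AUTHORITY_KEY = b"constructed-authority-key"  # stand-in for the dispatching CA
BOOTLOADER = b"bootloader image v1"
KERNEL = b"hardened kernel image"
INIT = b"init and trusted software base"
APP_HMI = b"dispatching HMI application"

GOOD_STAGES = [("bootloader", BOOTLOADER), ("kernel", KERNEL), ("init", INIT)]
# Same kernel and init as above, but the boot loader has been altered.
TAMPERED_STAGES = [("bootloader", BOOTLOADER + b" (patched)"),
                   ("kernel", KERNEL), ("init", INIT)]


def measure(code: bytes) -> bytes:
    """Integrity measurement of one component: its SHA-256 digest."""
    return hashlib.sha256(code).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM/TCM-style extend: new = H(old || m). Order-dependent and one-way, so
    a stage cannot be skipped or swapped without changing the final value."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(stages):
    """Measure each stage in order, extend it into the register, keep an event log.
    Returns (final_register, event_log)."""
    register = bytes(32)  # fresh register is all zeros, like a reset PCR
    log = []
    for name, code in stages:
        m = measure(code)
        register = extend(register, m)
        log.append((name, m.hex()))
    return register, log


def endorse(authority_key: bytes, name: str, expected: bytes) -> bytes:
    """Authority endorsement of an expected value (HMAC stand-in for a certificate)."""
    return hmac.new(authority_key, name.encode() + expected, hashlib.sha256).digest()


def build_whitelist(authority_key: bytes, apps: dict) -> dict:
    """Release expected values: name -> (expected_digest, endorsement)."""
    return {name: (measure(code), endorse(authority_key, name, measure(code)))
            for name, code in apps.items()}


def admit_application(authority_key: bytes, whitelist: dict, name: str, code: bytes):
    """Mandatory execution control: allow only if the measured hash equals an
    expected value whose endorsement verifies under the authority key."""
    entry = whitelist.get(name)
    if entry is None:
        return False, "no expected value"
    expected, endorsement = entry
    if not hmac.compare_digest(endorse(authority_key, name, expected), endorsement):
        return False, "expected value not endorsed by authority"
    if not hmac.compare_digest(measure(code), expected):
        return False, "measurement mismatch"
    return True, "ok"


WHITELIST = build_whitelist(AUTHORITY_KEY, {"scada-hmi": APP_HMI})

if __name__ == "__main__":
    good, _ = measured_boot(GOOD_STAGES)
    bad, _ = measured_boot(TAMPERED_STAGES)
    print("full chain detects boot loader change:", good != bad)
    # A chain that only starts at the kernel cannot see the boot loader change.
    print("kernel-onward chain detects it:",
          measured_boot(GOOD_STAGES[1:])[0] != measured_boot(TAMPERED_STAGES[1:])[0])
    print(admit_application(AUTHORITY_KEY, WHITELIST, "scada-hmi", APP_HMI))
    print(admit_application(AUTHORITY_KEY, WHITELIST, "scada-hmi", APP_HMI + b"x"))
```

Running the script shows the point the abstract makes about where measurement begins: the two boot sequences differ only in the boot loader, so a register that starts measuring at the kernel ends with the same value for both and misses the change, while one that starts at the boot loader does not. The admission check also rejects an expected value that was not endorsed under the authority key, which is the role the dispatching certificate system plays in the paper.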
[Affiliation]: Global Energy Interconnection Research Institute; State Grid Laboratory of Advanced Computing and Big Data Technology
[Funding]: Information security special project funded by the National Development and Reform Commission; State Grid Corporation of China science and technology project
[Classification]: TP393.08; TM73
Article number: 1865744
Article link: http://sikaile.net/kejilunwen/dianlidianqilunwen/1865744.html