District-level data transmission method and its application in load forecasting (Part 1)

This paper describes the problems with data transmission across security zones in the power secondary system of the Lianyungang area and proposes to solve them by establishing a cross-zone data transmission and sharing system. It analyzes the structure of the current power secondary system security protection scheme and the data transmission characteristics of physical isolation devices, explains how to design and encapsulate the various communication protocols used for data exchange and transmission, and gives examples of cross-zone data transfer and sharing from the construction of the Lianyungang area load forecasting system.

Introduction

According to the overall framework of the national electric power secondary system security protection [1] and its core ideas (safety zoning, dedicated networks, horizontal isolation, vertical authentication), the entire electric power secondary system is divided into 2 major areas and 4 security zones. The production control area includes Security Zone I (real-time control area) and Security Zone II (non-controlled production area); the management information area includes Security Zone III (production management area) and Security Zone IV (management information area).

From a horizontal perspective, to strengthen the isolation between security zones, network security equipment of different strengths (such as hardware firewalls and dedicated forward and reverse power security isolation devices) should be used to ensure that the business systems in each security zone are effectively protected. A hardware firewall isolates Security Zone I from Security Zone II. A dedicated power isolation device isolates the production control area (Security Zones I and II) from the management information area (Security Zones III and IV) and strictly restricts the flow of data: forward isolation devices must be used for one-way transmission of information from Security Zones I and II to Security Zone III, and reverse isolation devices must be used for one-way data transmission from Security Zone III to Security Zones I and II. A hardware firewall isolates Security Zone III from Security Zone IV [2].

From the perspective of communication and data transmission, the one-way transmission characteristics of physical isolation devices mean that cross-zone data exchange must follow the data transmission method of those devices, which forces existing and new business systems to be modified to meet the security protection requirements. The various management application systems in the management information area often need to obtain a large amount of supporting data from the production control area.

To make it easier for users to deploy new business systems in the management information area under the existing secondary security environment, this article designs an open, platform-based data exchange system that exchanges and integrates heterogeneous, distributed data from different manufacturers (such as large volumes of file data and database data) and manages cross-zone interactive data in a unified, centralized way. On the premise of ensuring the security of cross-zone data exchange between systems, it can be applied to secure data exchange between the production control area and the management information area in the security protection transformation of power secondary systems.

1 Cross-security zone data transmission system

1.1 Security protection horizontal architecture

The power secondary system mainly includes the energy management system (EMS), electric energy collection management system (PMS), dispatcher training simulator (DTS), the master stations of various measurement systems, the communication monitoring and management system, the relay protection information management system and the dispatching management information system (DMIS). According to the principle of security partitioning, all of the above systems except DMIS are located, according to their functions, in the real-time control area (Security Zone I) or the non-real-time production area (Security Zone II) of the production control area. DMIS is located in the production management area (Security Zone III) of the management information area. Together these form the overall framework of the security protection system (see Figure 1).

1.2 Cross-region data transmission system design

After security partitioning and physical isolation are implemented, the entire data transmission process is divided into 2 parts: 1) from the internal network (Security Zones I and II) through the forward physical isolation device to the external network (Security Zone III), called the forward transmission process; 2) from the external network (Security Zone III) through the reverse physical isolation device to the internal network (Security Zones I and II), called the reverse transmission process. Because physical isolation devices transmit in one direction only, the forward and reverse isolation devices act as communication blocking points [3], so most network application software based on the traditional TCP/IP communication protocol cannot be deployed directly across zones. To address this, a data agent platform is set up in Security Zone II and in Security Zone III to encapsulate the communication process with the forward and reverse isolation devices, and data is exchanged through the internal and external network data agent platforms. Business system users and deployers do not need to consider the communication protocol and working mechanism of the forward and reverse isolation devices, and can still use their previous communication methods to exchange data between the internal and external networks transparently [4]. See Figure 2.

Data exchange from the internal network to the external network (forward) falls into two categories: file transfer and database transfer. Data exchange from the external network to the internal network (reverse) can only be transmitted in plain text file format after encryption and authentication. By data type, the data exchanged between the internal and external networks is divided into real-time data and non-real-time data. Real-time data is mainly generated by the SCADA system, while non-real-time data is generated by the other business systems on the internal network. Taking into account application requirements such as conversion between database data and file data, access to off-site files, and flexible data storage, the internal and external network data agent platforms must meet the following requirements: 1) unified data exchange standards and formats; 2) data synchronization between the internal and external network data agent platforms; 3) synchronization of business databases in the same security zone to the local backend database; 4) real-time data synchronization; 5) file transfer between the internal and external networks [5]; 6) support for multiple data transmission protocols. The structure of the system software designed on this basis is shown in Figure 3.
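An added example, not from the original paper or its system: a Java admission check that a data agent could apply before handing a payload to an isolation device, following the rules above (forward: file or database data; reverse: authenticated plain-text files only). The class and method names, the printable-ASCII definition of plain text, and the HMAC-SHA256 tag with a pre-shared key are assumptions standing in for the isolation device's own authentication; encryption is left to the device.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example: hypothetical admission check in a data agent (not the paper's code).
public class CrossZoneGate {
    enum Direction { FORWARD, REVERSE }   // FORWARD: zones I/II -> III, REVERSE: III -> I/II
    enum Kind { FILE, DATABASE }

    private final SecretKeySpec key;      // assumed pre-shared key for the HMAC tag

    CrossZoneGate(byte[] sharedKey) {
        this.key = new SecretKeySpec(sharedKey, "HmacSHA256");
    }

    byte[] sign(byte[] payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(payload);
    }

    // Assumption: "plain text" means printable ASCII plus tab, CR and LF.
    static boolean isPlainText(byte[] data) {
        for (byte b : data) {
            boolean printable = b >= 0x20 && b < 0x7f;
            if (!printable && b != '\t' && b != '\r' && b != '\n') return false;
        }
        return true;
    }

    boolean admit(Direction dir, Kind kind, byte[] payload, byte[] tag) throws Exception {
        if (payload == null || kind == null) return false;
        if (dir == Direction.FORWARD) return true;   // file and database transfers both allowed
        // Reverse: only plain-text files with a valid tag may enter the production control area.
        if (kind != Kind.FILE || tag == null || !isPlainText(payload)) return false;
        return MessageDigest.isEqual(sign(payload), tag);   // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        CrossZoneGate gate = new CrossZoneGate("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        byte[] text = "2024-01-01 00:15,load_mw=412.5\n".getBytes(StandardCharsets.US_ASCII); // constructed
        byte[] binary = {0x4d, 0x5a, (byte) 0x90, 0x00};                                     // constructed
        System.out.println("forward database:      " + gate.admit(Direction.FORWARD, Kind.DATABASE, text, null));
        System.out.println("reverse signed text:   " + gate.admit(Direction.REVERSE, Kind.FILE, text, gate.sign(text)));
        System.out.println("reverse wrong tag:     " + gate.admit(Direction.REVERSE, Kind.FILE, text, gate.sign(binary)));
        System.out.println("reverse binary file:   " + gate.admit(Direction.REVERSE, Kind.FILE, binary, gate.sign(binary)));
        System.out.println("reverse database data: " + gate.admit(Direction.REVERSE, Kind.DATABASE, text, gate.sign(text)));
    }
}
```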

1.3 JAVA-based cross-region data transmission system

The cross-security zone data transmission system consists of two parts, the inner platform and the outer platform, both developed in the JAVA language. Because JAVA is cross-platform, the system supports multiple operating systems and is easy to deploy. The system is mainly composed of five parts: data access control, communication protocol agent, data unified platform, data management and isolation device crossing. Data access control provides an access mechanism for the various business systems on the internal network and provides a unified data interface. The communication protocol agent implements the various communication protocols in a transparent manner and is responsible for receiving and forwarding real-time and non-real-time data. The data unified platform, as the unified data storage platform of the data transmission system, provides data in standard extensible markup language (XML) format for cross-zone data exchange. Isolation device crossing provides the actual communication process with the forward and reverse isolation devices and is responsible for exchanging data between the internal and external networks based on the data unified platform. Data management provides data management and task scheduling for data access control, the communication protocol agent and the data unified platform. These five modules constitute the software architecture of the entire cross-security zone data transmission system.
