| To achieve integration of information flow and power flow, smart grid relies more on two-way and wide-area communication networks. The security of power communication becomes more and more important which is directly related to the smooth operation of smart grid. As the openness of power communication network improving, security issues are also increasingly prominent. And the potential security risks of power communication packets suffering from malicious tampering information theft also increase. Power communication packets include mainly three security goals that are availability, integrity and confidentiality. Availability of power communication packets means in security mechanisms to prevent attacks such as Dos that congests power communication network and makes the power communication packet unreachable. Therefore the focus, from the standpoint of power commucnication packet secure application, is to study the technology and methods suitable for the features of power communication packets to ensure their integrity and confidentialityThe security of power communication network combines with lots of information technology, such as cryptography, communication network and network information of power grid. The research of power grid security is still at a pregnant stage. State-of-the-art studies of power information security focus on applying the IT security technologies to power communication network directly, which takes large consuming time, since these information security methods are generally high computing required. Therefore common cryptographic methods are difficult to meet the power communication network that has a high real-time requirement. In order to improving efficiency and reducing time-consuming, the thesis deeply searches the application infrastructure and critical technologies of power information security, with the focus on the packet integrity and confidentiality and secret key management. The study will take as detailed objects of the GOOSE and SV packets of IEC61850 that is the most comprehensive standard in power system communication field. The main contents are as follows:1. The study of an improved HMAC authentication method used in GOOSE heartbeating packets. HMAC is suggested to safeguard GOOSE packet integrity by IEC62351 standard. But traditional HMAC authentication method directly applied in GOOSE packets is not efficient, since it doesn’t consider GOOSE packet features such as the retransmitted mechanism. An improved method of reorganizing the content sequence of GOOSE packets by moving variable contents to the packet’s end position in order to get message authentication codes efficiently is proposed. The improved method fully utilizes the same chaining values of HASH iterated procedure for the identical contents of retransmitted GOOSE packets as reusable results. Except for the first packet, the same series of retransmitted GOOSE packets can directly apply the reusable result, which saves the majority time-consuming of HMAC application in GOOSE packets.2. A novel integrity authentication method for GOOSE packet is proposed. Elaborate study finds that HMAC method is not efficient to classic message whose length is short. An authentication method of getting key and adjusted information as direct inputs of the HASH function is proposed. This proposed method takes advantage of the HASH algorithm with a secret key to increase the difficulty of offline collision attack. Moreover, GOOSE attributes of explicit length, unified message format and time factor are fully exploited to resist lengthexpanded attacks, birthday attacks and reply attacks respectively.3. A GOOSE message encryption method based on critical information is proposed. Though IEC62351 suggests no encryption algorithm to apply in GOOSE or other real-time packets due to the huge consuming time of encryption algorithm, many practical power projects still encrypt GOOSE packets to strength the security of network information. The classical Rijndael symmetric encryption algorithm is adopted as an example to discuss the consuming time of encrypting GOOSE packet by considering the secret key length, packet length and packet mode. To reduce consuming time without lowering the packet confidentiality, a GOOSE encryption method based on critical information is proposed with the combination of packet domain implication. Besides,StNum, SqNum and T of GOOSE messages, which have the time synchronization functions, are used to prevent replay attacks.4. The obstacle of applying encryption algorithm in practical sampling message is its high time-consuming that is hard to satisfy the real-time requirement of sampling data. Based on the specified character of IEC 61850-9-2LE sampling packets, the light encryption method based on TEA algorithm is proposed. The proposed method encrypts the crucial information of 9-2LE packet only, avoiding the high time-consuming by encrypting the whole packet, which lowers no the confidentiality of electrical information, the core content of 9-2LE packet. According to the communication network environment and consuming time for security algorithm allowed, the proper TEA algorithm iteration count can be chosen flexibly. Meanwhile, the CRC32 checksum of 9-2LE packet is used to ensure message integrity in the proposed method. By utilizing the discrete feature of electrical information carried by the 9-2LE packets, which means the original profiles can’t be divulged from ciphertext. ECB packet mode is suggested, which is good for the parallel algorithm.5. Secret key management suited to power information system is studied. Secret key management is the foundation of cryptographic techniques, but classical PKI key management and other methods are not fully applicable to smart grid. A key negotiation method capable of resisting middle-man attack is studied first, in the proposed method the proper key negotiation scheme can be chosen according to the information security requirements of practical smart grid environment. Furthermore, a new key management method for smart substation is proposed. The key management aims to ensure key security while keeping it simple and efficient as possible, and to satisfy technical requirements of GOOSE, SMV multicast packets, as well as station control, station and other cross-network communication covered in the IEC61850 agreement. Key generation, allocation, updating and destruction are detailed.T... |
PDF Full Text Request