| Introduction of wide area power grid interconnection and electricity market provide strong and powerful sustain for our country's economy development, but it also brings new challenges on security, reliability, and stability of power system. Based on relevant research achievements, wide area security defense is related with information, analysis, and control. Access control and interlocking of substation automation are key ways to ensure information and control reliability. This thesis emphasis on study of access control mechanism, implementation model and extended application method for interlocking in substation automation system. The work can be summarized in following points:(1) On the study and analysis of substation information model and information exchange model, the access control function demand presents multi-state properties. There are differences between subject-user model and subject-IED (Intelligent Electronic Device) model access control on using environment, privilege distribution, and authentication method. Normal access control model cannot settle substation access control management problem. Therefore, combined with role based access control (RBAC) and mandatory access control (MAC), a substation information model oriented access control (SIMOAC) is proposed. This model defined mandatory access control rules based on substation multi-level data object. A special privilege distribution and role active method have been designed via multi-level role definition. On the premise of ensure system access security, the multi-state requirement of substation access control is fully solved by SIMOAC.(2) Decompose implementation model of SIMOAC from two aspects. Firstly, PKI/PMI based authentication and authorization technology is a crucial part of our country's information security protection and gradually using in electric power industry. Therefore, a privilege distribution method based on PMI attribute certificate is proposed. Moreover, an access security agent is designed to implement authentication and privilege parsing. Secondly, IED embed operating system is the privilege enforcement place of access control, appropriate mechanisms are needed to enforce the security management. For this reason, an IED data security management method and security state-machine for access control of data object is designed. The process of activation of inner roles and dynamically generation of virtual access control is efficient way to ensure implementation. Finally, the calculation results of...
|
PDF Full Text Request