Research on mine network security system based on boundary isolation and system protection

Abstract: With the continuing construction and roll-out of intelligent mine information infrastructure, the switching of mine terminal equipment between private and public networks introduces information security risks into the mine network, so the isolation boundaries of the mine network must be studied and system protection measures built. This study analyses the main risks facing the mine network and points out that the key to addressing them is to define isolation boundaries, strengthen system protection measures, and develop purpose-built underground equipment. To meet the protection needs of the mine network, three major isolation boundaries are defined: between the business management network and the industrial control network, between the transmission network and the server area, and between the underground and surface industrial control networks. A mine network security protection architecture based on boundary isolation and system protection is proposed, and a mine network security system built on four protection subsystems (network, host, application and data) is designed, together with the corresponding secure transmission process and protection approach. Because current mine network security protection focuses mainly on surface networks and lacks underground protection measures, a mine explosion-proof and intrinsically safe network interface was developed as an underground network security protection device, and protection rules were formulated for industrial protocols commonly used by underground terminals such as Modbus, Profibus, IEC 61850 and RTSP. Test results show that the interface device achieves an average recognition rate of 98.8% against network attacks and an average protection rate of 98.0%, with gigabit interface throughput of no less than 95% of line speed, realising underground information security protection while preserving data transmission performance.
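As an added illustration of the kind of protocol-specific protection rule the abstract describes for the underground network interface, the following Python filter validates Modbus/TCP requests crossing the surface-to-underground boundary. It is example code written here, not the paper's device or its rule set; the unit-id allowlist, the read-only-by-default function policy and the sample frames are constructed assumptions.

```python
import struct

# Constructed policy (assumption, not the paper's rule set): which Modbus/TCP
# requests the surface side may send to underground terminals.
ALLOWED_UNIT_IDS = {1, 2}
READ_FUNCTIONS = {1, 2, 3, 4}      # read coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single/multiple coils and registers
MAX_READ_QUANTITY = 125            # per-request register limit from the Modbus spec

def inspect_modbus_request(frame, allow_writes=False):
    """Return (allowed, reason) for one Modbus/TCP ADU crossing the boundary."""
    if len(frame) < 8:
        return False, "shorter than MBAP header plus function code"
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        return False, "protocol id %d is not Modbus" % protocol_id
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        return False, "MBAP length %d does not match %d bytes present" % (length, len(frame) - 6)
    if unit_id not in ALLOWED_UNIT_IDS:
        return False, "unit id %d not permitted" % unit_id
    function = frame[7]
    if function in READ_FUNCTIONS:
        if len(frame) != 12:
            return False, "read request must carry a 4-byte start/quantity field"
        _start, quantity = struct.unpack(">HH", frame[8:12])
        if not 1 <= quantity <= MAX_READ_QUANTITY:
            return False, "read quantity %d out of range" % quantity
        return True, "read function %d" % function
    if function in WRITE_FUNCTIONS:
        if not allow_writes:
            return False, "write function %d blocked by policy" % function
        return True, "write function %d" % function
    return False, "function code %d not in allowlist" % function

def filter_frames(frames, allow_writes=False):
    """Apply the rule to a batch of frames; returns the list of (allowed, reason)."""
    return [inspect_modbus_request(f, allow_writes) for f in frames]

# Constructed sample frames (hex): MBAP header, unit id, then the PDU.
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),  # read 10 holding registers, unit 1
    bytes.fromhex("0002000000060106000100ff"),  # write single register, unit 1
    bytes.fromhex("00030000001001030000000a"),  # MBAP length 16 but only 6 bytes follow
    bytes.fromhex("000400000006010800000000"),  # diagnostics (fc 8), not allowlisted
    bytes.fromhex("00050000000601030000007e"),  # read quantity 126 exceeds limit
]

if __name__ == "__main__":
    for frame, (ok, why) in zip(SAMPLE_FRAMES, filter_frames(SAMPLE_FRAMES)):
        print("ALLOW" if ok else "DROP ", frame.hex(), why)
```

Only the first sample frame passes under the default read-only policy; enabling `allow_writes` additionally admits the write request, while the malformed-length, non-allowlisted and over-quantity frames are always dropped.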
