Publication number: CN104168268 A
Publication type: Application
Application number: CN 201410355049
Publication date: Nov 26, 2014
Filing date: Jul 24, 2014
Priority date: Jul 24, 2014
Also published as: CN104168268B
Publication numbers: 201410355049.9, CN 104168268 A, CN 104168268A, CN 201410355049, CN-A-104168268, CN104168268 A, CN104168268A, CN201410355049, CN201410355049.9
Inventors: 谢善益, 杨强, 范颖, 杜双育, 梁成辉, 徐庆平
Applicants: 广东电网公司电力科学研究院, 威海欣智信息科技有限公司
External links: SIPO, Espacenet
Power grid object access control device capable of realizing safety configuration and access of power grid model data
CN 104168268 A
Abstract
The invention provides a power grid object access control device capable of realizing secure configuration and access of power grid model data. The device comprises a hierarchical partitioning and security permission configuration module for the power grid model data and an access security control module; the former realizes the hierarchical partitioning and security permission configuration of the power grid model data, and the latter realizes access security control of the power grid model. By organizing the power grid model hierarchically by region, sub-region, plant/substation and voltage level, assigning other power grid objects such as devices, terminals and measurements to the corresponding hierarchy level according to their association relations, and combining the data access permissions of system users with this hierarchy, the device realizes access security control of appropriate granularity, so that secure access to the operating data of the whole power grid corresponds to the management system currently in effect.
Claims (9), translated from Chinese
1. A power grid object access control device capable of realizing secure configuration and access of power grid model data, characterized in that the device comprises: a hierarchical partitioning and security permission configuration module for the power grid model data, and an access security control module;
the hierarchical partitioning and security permission configuration module realizes the hierarchical partitioning and security permission configuration of the power grid model data, comprising the following:
(11) power grid model partition initialization: the power grid object access control device obtains the power grid model data from the OPC UA server and hierarchically partitions the power grid model objects of the types region, equipment container, device, measurement and measurement value according to the association relations between regions, between regions and equipment containers, between equipment containers of different types, between equipment containers and devices, between devices and measurements, and between measurements and measurement values;
(12) asynchronous subscription: the power grid object access control device subscribes with the OPC UA server to listen for power grid model change events; when the power grid model it manages changes, the OPC UA server provides the power grid object access control device with asynchronous notification of the model change for the asynchronously subscribed model change events;
(13) the power grid object access control device responds to the asynchronous notifications corresponding to the asynchronous subscription and, according to the addition, deletion and modification information of the power grid model carried in the asynchronous notification, dynamically maintains the hierarchical partitioning of the power grid model;
(14) management operation setting: specific users are assigned access permissions to different branches of the power grid model hierarchy; the supported access permissions are "read", "create", "change" and "delete"; for a branch of the power grid hierarchy, a permission specified for the next lower level overrides the uniform permission specified for the parent level;
the access security control module realizes access security control of the power grid model, the access security control comprising the following:
(21) the OPC UA client and the OPC UA server establish a secure channel through negotiation and authenticate each other's identity; suppose the client session is confirmed at this point as "User I";
(22) the OPC UA client initiates an operation related to the power grid model;
(23) the OPC UA server queries the power grid object access control device as to whether the user has the appropriate permission;
(24) the power grid object access control device first determines the power grid region to which the power grid model object corresponding to the UA node accessed by the client belongs, then checks whether the client's identity holds the corresponding permission for the target region; if so it returns "allow", otherwise it returns "deny", and returns this result to the OPC UA server as the reply to the call of step (23);
(25) according to the result returned in step (24), if it is "allow", the operation requested in step (22) is executed and its result is returned; otherwise "no access permission, operation denied" is returned directly to the OPC UA client;
(26) as the reply to the call of step (22), the result of step (25) is returned to the OPC UA client.
2. The power grid object access control device according to claim 1, characterized in that the association relation between regions refers to the containment relation between a region and its sub-regions, such as "province - city - county".
3. The power grid object access control device according to claim 1, characterized in that the equipment container is an abstract concept that includes power plants, substations, voltage levels, bays and lines; power plants and substations are usually collectively called stations; a voltage level is a logical equipment container formed by the devices within a substation that have the same voltage; a bay is a logical equipment container formed by closely connected parts of a substation that share certain functions; bays are usually classified according to the type of their main equipment into different bays, including feeder (outgoing line) bays, busbar bays and main transformer bays.
4. The power grid object access control device according to claim 1, characterized in that the association relation between regions and equipment containers refers to the containment relation between a region and a station.
5. The power grid object access control device according to claim 1, characterized in that the association relations between equipment containers refer to the following: a station contains voltage levels, a voltage level contains bays, and a station directly contains bays.
6. The power grid object access control device according to claim 1, characterized in that the association relation between equipment containers and devices refers to the containment relation between substations, voltage levels, bays and devices.
7. The power grid object access control device according to claim 1, characterized in that the association relation between devices and measurements refers to the containment relation between a device and its measurements.
8. The power grid object access control device according to claim 1, characterized in that the association relation between measurements and measurement values refers to the containment relation between a measurement and its measurement values.
9. The power grid object access control device according to claim 1, characterized in that the types of power grid model change events include addition of power grid objects, deletion of power grid objects, and modification of association relations between power grid objects.
Description, translated from Chinese
A power grid object access control device capable of realizing secure configuration and access of power grid model data

Technical Field

[0001] The present invention relates to secure access and control of power grid data, and in particular to providing a power grid object access control device capable of realizing secure configuration and access of power grid model data.

Background

[0002] Production management of a power system usually divides the grid into multiple hierarchically partitioned sub-networks according to characteristics such as the geographical distribution of the grid and its voltage levels. For example, by electrical characteristics such as voltage level, the grid can be divided into multi-level dispatch centers: national, regional network, provincial, prefecture and county dispatch; and at the same level, the grid can further be divided into multiple dispatch centers according to geographical distribution. The result is a management system of "unified dispatch, hierarchical management".

[0003] In recent years, with the development of the power grid business and rising management requirements, the demands for information sharing and collaboration between the various professional applications of the power system, between departments, and between dispatch organizations at different levels have grown ever higher. While meeting the network security isolation requirements of the power dispatch system, the power control center needs to integrate and manage the grid models, data, graphics and other information resources of multiple dispatch levels, build a unified grid operating data center, and realize sharing of power system information resources, thereby providing reliable data resources and powerful comprehensive analysis and application tools for grid dispatch production and management decisions.

[0004] With a unified grid operating data center comes the need for control over information access. Before the grid operating data center was built, in correspondence with the "unified dispatch, hierarchical management" system, each dispatch center established and maintained the detailed grid model, structural parameters and operating data of the grid under its jurisdiction, and was responsible for the overall security control of the corresponding grid operating data. In the grid operating data center, however, the operating data of all dispatch centers is integrated, so security control of access to grid operating data must be more fine-grained and flexible.

[0005] In the prior art, the common approach is to control access to grid operating data directly with the security access control of the database the system is built on: access control over specified data is achieved by setting whether a user has access rights to a given object type (or table) and object instance (or table record).

[0006] The drawback of database-based security access control is that the granularity of security control does not match the reality of the power system: the power system applies hierarchical, region-based security control, whereas database security management, for example in a relational database system, is oriented to tables and table records. This makes the corresponding security controls complex to implement and inefficient to enforce.

[0007] Another common security solution is to apply access permission control directly to the grid model nodes of the OPC UA server.

[0008] OPC: OLE for Process Control. It is an industrial standard managed by the international organization OPC Foundation. OPC comprises a standard set of interfaces, properties and methods for process control and manufacturing automation systems.

[0009] OPC UA: OPC Unified Architecture, the new standard protocol specified by the OPC Foundation to replace OPC. UA stands for Unified Architecture.

[0010] OPC UA is a new standard protocol specified by the OPC Foundation for manufacturer- and platform-independent communication, in particular in process automation. OPC UA provides a consistent and complete address space and service model that can be used to unify all grid operating data in the grid operating data center, including grid description data, real-time data, alarms and events and their history, into a single OPC UA server address space, and to expose them externally through one uniform set of services. OPC UA also provides a security model that specifies which security mechanisms are available for selection and configuration to meet the security requirements of a particular installation. The security model includes standard security mechanisms and parameters. Application-level security relies on a secure communication channel that remains valid for the duration of the application session and guarantees the integrity of all exchanged information. When a session is established, the client and server applications negotiate the construction of a secure communication channel and exchange software certificates that identify the client and the server; they also exchange information about the functionality each can provide.

[0011] The drawback of security access control based directly on the grid model nodes of the OPC UA server is that, with OPC UA nodes as the basis of security control, for a prefecture-level grid model whose OPC UA nodes number on the order of a million, the security control granularity is too fine and the corresponding system configuration and maintenance workload is large. Moreover, because it cannot be matched to the current management practice of grid production management, it is difficult to migrate the security configuration automatically when the grid model or grid dispatch authority changes.

Summary of the Invention

[0012] The object of the present invention is to provide a power grid object access control device capable of realizing secure configuration and access of power grid model data, which carries user authentication and authorization mechanisms over into the hierarchical partitioning of the grid model, realizes more fine-grained, flexible and efficient security control of access to grid operating data, and realizes access control of appropriate strength for secure access to the operating data of the whole grid, corresponding to the current management system.

[0013] The object of the present invention is achieved by the following technical measures:

A power grid object access control device capable of realizing secure configuration and access of power grid model data, the device comprising:

a hierarchical partitioning and security permission configuration module for the power grid model data, and an access security control module; the hierarchical partitioning and security permission configuration module realizes the hierarchical partitioning and security permission configuration of the power grid model data, comprising the following:

(11) power grid model partition initialization:

the power grid object access control device obtains the power grid model data from the OPC UA server and hierarchically partitions the power grid model objects of the types region, equipment container, device, measurement and measurement value according to the association relations between regions, between regions and equipment containers, between equipment containers of different types, between equipment containers and devices, between devices and measurements, and between measurements and measurement values;

the association relation between regions refers to the containment relation between a region and its sub-regions, such as "province - city - county";

the equipment container is an abstract concept that includes power plants, substations, voltage levels, bays and lines; power plants and substations are usually collectively called stations; a voltage level is a logical equipment container formed by the devices within a substation that have the same voltage; a bay is a logical equipment container formed by closely connected parts of a substation that share certain functions; bays are usually classified according to the type of their main equipment into different bays, including feeder (outgoing line) bays, busbar bays and main transformer bays;

the association relation between regions and equipment containers refers to the containment relation between a region and a station;

the association relations between equipment containers refer to the following: a station contains voltage levels, a voltage level contains bays, and a station directly contains bays;

the association relation between equipment containers and devices refers to the containment relation between substations, voltage levels, bays and devices;

the association relation between devices and measurements refers to the containment relation between a device and its measurements; the association relation between measurements and measurement values refers to the containment relation between a measurement and its measurement values;

(12) asynchronous subscription: the power grid object access control device subscribes with the OPC UA server to listen for power grid model change events; when the power grid model it manages changes, the OPC UA server provides the power grid object access control device with asynchronous notification of the model change for the asynchronously subscribed model change events; the types of power grid model change events of interest include addition of grid objects, deletion of grid objects, and modification of association relations between grid objects;

(13) the power grid object access control device responds to the asynchronous notifications corresponding to the asynchronous subscription and, according to the addition, deletion and modification information of the power grid model carried in the asynchronous notification, dynamically maintains the hierarchical partitioning of the power grid model;

(14) management operation setting: specific users are assigned access permissions to different branches of the power grid model hierarchy; the supported access permissions are "read", "create", "change" and "delete"; for a branch of the power grid hierarchy, a permission specified for the next lower level overrides the uniform permission specified for the parent level;

the access security control module realizes access security control of the power grid model, the access security control comprising the following:

(21) the OPC UA client and the OPC UA server establish a secure channel through negotiation and authenticate each other's identity; suppose the client session is confirmed at this point as "User I";

(22) the OPC UA client initiates an operation related to the power grid model;

(23) the OPC UA server queries the power grid object access control device as to whether the user has the appropriate permission;

(24) the power grid object access control device first determines the power grid region to which the power grid model object corresponding to the UA node accessed by the client belongs, then checks whether the client's identity holds the corresponding permission for the target region; if so it returns "allow", otherwise it returns "deny", and returns this result to the OPC UA server as the reply to the call of step (23);

(25) according to the result returned in step (24), if it is "allow", the operation requested in step (22) is executed and its result is returned; otherwise "no access permission, operation denied" is returned directly to the OPC UA client;

(26) as the reply to the call of step (22), the result of step (25) is returned to the OPC UA client.

[0014] Compared with the prior art, the present invention has the following advantages:

The present invention proposes integrating the OPC UA security model, in particular its user authentication and authorization mechanisms, with the hierarchical partitioning of the grid model, to realize more fine-grained, flexible and efficient security control of access to grid operating data.

[0015] By organizing the grid model hierarchically as region -> sub-region -> station -> voltage level, assigning other grid objects such as devices, terminals and measurements to the corresponding hierarchy level according to their association relations, and combining the data access permissions of system users with this hierarchy, the present invention realizes access security control of appropriate granularity, in which secure access to the operating data of the whole grid corresponds to the current management system.

Brief Description of the Drawings

[0016] Fig. 1 is a flowchart of the hierarchical partitioning and security permission configuration of power grid model data;

Fig. 2 is a flowchart of the enforcement of the power grid model access security control policy;

Fig. 3 is a schematic diagram of the hierarchical partitioning of the power grid model into a tree structure.

Detailed Description

[0017] The present invention provides a power grid object access control device capable of realizing secure configuration and access of power grid model data, which achieves the following: 1. A method of organizing the grid model hierarchically as region -> sub-region -> station -> voltage level, corresponding to the current management system of grid production management.

[0018] 2. Dynamic maintenance of the hierarchical organization of the grid model using the OPC UA model change subscription and publication technique.

[0019] 3. Run-time controlled access to grid operating data, realized by combining the OPC UA security model with the hierarchical organization of the grid model.

[0020] The power grid object access control device comprises: a hierarchical partitioning and security permission configuration module for the power grid model data, and an access security control module;

As shown in Fig. 1, the hierarchical partitioning and security permission configuration module realizes the hierarchical partitioning and security permission configuration of the power grid model data, comprising the following steps:

(11) power grid model partition initialization step: the power grid object access control device obtains the power grid model data from the OPC UA server and hierarchically partitions the power grid model objects of the types region, equipment container, device, measurement and measurement value according to the association relations between regions, between regions and equipment containers, between equipment containers of different types, between equipment containers and devices, between devices and measurements, and between measurements and measurement values;

The association relation between regions refers to the containment relation between a region and its sub-regions, such as "province - city - county".

[0021] The equipment container is an abstract concept that includes power plants, substations, voltage levels, bays and lines. Power plants and substations are usually collectively called stations. A voltage level is a logical equipment container formed by the devices within a substation that have the same voltage. A bay is a logical equipment container formed by closely connected parts of a substation that share certain functions. Bays are usually classified according to the type of their main equipment into different bays, for example feeder (outgoing line) bays, busbar bays and main transformer bays.

[0022] The association relation between regions and equipment containers refers to the containment relation between a region and a station.

[0023] The association relations between equipment containers refer to the following: a station contains voltage levels, a voltage level contains bays, and a station directly contains bays.

[0024] The association relation between equipment containers and devices refers to the containment relation between substations, voltage levels, bays and devices.

[0025] The association relation between devices and measurements refers to the containment relation between a device and its measurements.

[0026] The association relation between measurements and measurement values refers to the containment relation between a measurement and its measurement values.

[0027] (12) asynchronous subscription: the power grid object access control device subscribes with the OPC UA server to listen for grid model change events.

[0028] First, when the grid model it manages changes, the OPC UA server provides the power grid object access control device with asynchronous notification of the model change for the asynchronously subscribed model change events. To ensure that the grid objects managed by the power grid object access control device stay consistent with the grid object model in the OPC UA server, the device subscribes with the OPC UA server to listen for grid model change events; the types of grid model change of interest include addition of grid objects, deletion of grid objects, and modification of association relations between grid objects. For example, if dispatch authority over a substation is devolved from provincial dispatch to prefecture dispatch, the corresponding region (province) -> sub-region (prefecture/city) -> station association changes.

[0029] According to the containment relations region -> sub-region -> station -> voltage level -> bay, the grid model can be partitioned from a mesh structure into the tree-structured hierarchy shown in Fig. 3, so that the devices and measurements in the grid model are assigned to the corresponding branch of the tree according to their association relations. In this tree a region is the root node, and each region -> sub-region -> station -> voltage level path constitutes a specific branch; devices and measurements can thus be assigned to the corresponding branch of the tree according to their associations with equipment containers and with each other.

[0030] Since in an OPC UA server each grid model object corresponds to an OPC UA node, and these OPC UA nodes are linked by mutual references established according to the relations between the grid model objects they represent, each node can naturally be assigned to a specific branch of the grid model hierarchy according to the grid model object it represents. Therefore, after the partitioning of step (11), the OPC UA nodes corresponding to all grid model objects have been assigned to a specific branch of the grid model hierarchy.

[0031] When the grid model it manages changes, the OPC UA server generates a corresponding model change description and sends it to those applications that previously explicitly subscribed to such changes, such as the power grid object access control device. In the OPC UA standard, the model change description is called a model change event.

[0032] (13) The grid object access control device responds to the asynchronous notification corresponding to its asynchronous subscription and, according to the addition, deletion and modification information about the grid model carried in the notification, dynamically maintains the layered division of the grid model.

[0033] Synchronization of the grid model between the grid object access control device and the OPC UA server is accomplished through a set of asynchronous operations, comprising asynchronous subscription and asynchronous notification:

a. Asynchronous subscription: the grid object access control device subscribes to the model change events it is interested in.

b. Asynchronous notification: when the grid model changes, the OPC UA server generates a grid model change event and sends it to the grid object access control device. This operation is not executed synchronously with the subscription operation of the grid object access control device, but asynchronously.

[0034] (14) Management operation setting step: specify the access permissions of particular users to the different branches of the grid model hierarchy. The supported permissions are "read", "create", "update" and "delete". For a branch of the grid hierarchy, a permission specified for the next lower level overrides the uniform permission specified for the parent level; for example, if "user 1" is given "read, update" permission on "aa City, XX Province" but only "read" permission on "XXX Substation, aa City, XX Province", then "user 1" is deprived of the "update" permission on "XXX Substation, aa City, XX Province".

[0035] As shown in Figure 2, the access security control module implements access security control of the grid model; the access security control comprises the following steps:

(21) The OPC UA client and the OPC UA server negotiate to establish a secure channel and authenticate each other's identity; suppose the client session is then identified as "user 1".

[0036] (22) The OPC UA client initiates an operation related to the grid model.

[0037] (23) The OPC UA server queries the grid object access control device whether the user has the appropriate permission. For example, if the operation in step (22) is the OPC UA Browse(Node1) operation, it checks whether the read access request (user 1, Node1, "read") is satisfied; if the operation in step (22) is the DeleteNodes(Node2) operation, it checks whether the delete access request (user 1, Node2, "delete") is satisfied.

[0038] (24) The grid object access control device first determines the grid area to which the grid model object corresponding to the UA node accessed by the client belongs, then looks up the client's identity and whether it holds the corresponding permission on the target area; if it does, "allow" is returned, otherwise "deny" is returned. For example, when the operation in step (22) is DeleteNodes(Node2), Node2 is found to belong to "dd City, XX Province", and "user 1" does not hold the "delete" permission there, so "deny" is returned.

[0039] The result of this processing step is returned to the OPC UA server as the reply to the call in step (23).

[0040] (25) According to the result returned in step (24): if it is "allow", the operation requested in step (22) is executed and its result is returned; otherwise "no access permission, operation denied" is returned directly to the OPC UA client.

[0041] (26) The result of the processing in step (25) is returned to the OPC UA client as the reply to the call in step (22).
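The permission model of step (14) and the check of steps (23) and (24) can be exercised end to end in a small model. The following Python is an added illustration, not code from the patent or its applicants: the hierarchy is represented as a tuple path (region, sub-region, station, voltage level), grants are stored per (user, branch), the nearest explicit grant on the path from the node's branch up to the root decides (so a child-level grant overrides the parent's), and the mapping from OPC UA services other than Browse and DeleteNodes to permissions, the event shapes for model-change notifications, and all node and user names are assumptions constructed for the example.

```python
"""Hierarchical grid-object access control (added illustration, not the patent's code)."""
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Branch = Tuple[str, ...]   # (region, sub-region, station, voltage level, ...)

# Assumed mapping from an OPC UA service on a node to the permission it needs.
# Browse -> "read" and DeleteNodes -> "delete" follow the page's examples;
# the other rows are assumptions for this example.
SERVICE_PERMISSION = {
    "Browse": "read",
    "Read": "read",
    "Write": "update",
    "AddNodes": "create",
    "DeleteNodes": "delete",
}


class GridObjectAccessControl:
    """Layered division of grid objects plus per-branch permission grants."""

    def __init__(self) -> None:
        # OPC UA node id -> branch of the hierarchy the object is attributed to
        self.branch_of: Dict[str, Branch] = {}
        # (user, branch) -> explicit permission set granted at that branch
        self.grants: Dict[Tuple[str, Branch], FrozenSet[str]] = {}

    # ---- step (13): keep the hierarchy in sync with model-change notifications ----
    def on_model_change(self, event: dict) -> None:
        """Apply one asynchronous model-change notification (constructed event shape)."""
        kind = event["kind"]
        if kind == "add":
            self.branch_of[event["node"]] = tuple(event["branch"])
        elif kind == "delete":
            self.branch_of.pop(event["node"], None)
        elif kind == "move":
            # An association changed, e.g. a station re-dispatched to another
            # sub-region: re-root every object under the old path onto the new one.
            old, new = tuple(event["from"]), tuple(event["to"])
            for node, branch in list(self.branch_of.items()):
                if branch[: len(old)] == old:
                    self.branch_of[node] = new + branch[len(old):]
        else:
            raise ValueError(f"unknown model change kind: {kind!r}")

    # ---- step (14): management operation setting ----
    def grant(self, user: str, branch: Branch, perms: Iterable[str]) -> None:
        self.grants[(user, tuple(branch))] = frozenset(perms)

    # ---- step (24): resolve the effective permission for (user, node, permission) ----
    def check(self, user: str, node: str, permission: str) -> str:
        branch: Optional[Branch] = self.branch_of.get(node)
        if branch is None:
            return "deny"            # object not in any branch: fail closed
        # Walk from the most specific level up to the root region; the nearest
        # explicit grant decides, so a child-level grant overrides its parent's.
        for depth in range(len(branch), 0, -1):
            perms = self.grants.get((user, branch[:depth]))
            if perms is not None:
                return "allow" if permission in perms else "deny"
        return "deny"                # no grant anywhere on the path

    # ---- step (23): what the OPC UA server asks before executing a service ----
    def authorize(self, user: str, service: str, node: str) -> str:
        permission = SERVICE_PERMISSION.get(service)
        if permission is None:
            return "deny"            # unmapped service: fail closed
        return self.check(user, node, permission)


def build_demo() -> GridObjectAccessControl:
    """Constructed model and grants mirroring the page's user 1 / Node1 / Node2 example."""
    ac = GridObjectAccessControl()
    for ev in (
        {"kind": "add", "node": "Node1",
         "branch": ("XX Province", "aa City", "XXX Substation", "220kV")},
        {"kind": "add", "node": "Node2",
         "branch": ("XX Province", "dd City", "YYY Substation", "110kV")},
    ):
        ac.on_model_change(ev)
    ac.grant("user1", ("XX Province", "aa City"), {"read", "update"})
    ac.grant("user1", ("XX Province", "aa City", "XXX Substation"), {"read"})
    ac.grant("user1", ("XX Province", "dd City"), {"read"})
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.authorize("user1", "Browse", "Node1"))       # allow
    print(ac.authorize("user1", "Write", "Node1"))        # deny: substation grant overrides city grant
    print(ac.authorize("user1", "DeleteNodes", "Node2"))  # deny: no delete on dd City
```

Two design points matter for a deployment of this kind: an object that has not yet been placed in any branch, or a service with no permission mapping, is denied rather than allowed, and a "move" notification changes the effective permission of every object under the moved station, which is exactly the re-dispatch case the page describes.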

[0042] Embodiments of the present invention are not limited to the above; on the premise of the basic technical idea of the present invention described above, other modifications, substitutions or alterations of various forms made to the content of the present invention according to the ordinary technical knowledge and customary means in the art all fall within the scope of protection claimed by the present invention.

Patent Citations
Cited Patent | Filing date | Publication date | Applicant | Title
CN101272051A * | May 6, 2008 | Sep 24, 2008 | 江苏省电力公司南京供电公司 | Information system integration method of electric network production control region and management information region
CN101482901A * | Feb 6, 2009 | Jul 15, 2009 | 中国电力科学研究院 | System and method for providing power data correlated service based on WAN
CN101540505A * | Jan 9, 2009 | Sep 23, 2009 | 南京南瑞继保电气有限公司; 湖北省电力公司 | Building method of multistage multi-region interconnected network data model
CN101751426A * | Dec 11, 2008 | Jun 23, 2010 | 北京市电力公司 | Method and device for realizing information sharing between SCADA and GIS
CN102035210A * | Jan 5, 2011 | Apr 27, 2011 | 河北省电力研究院 | Relaxative-constraint powerless equipment optimization method for power system
CN201518429U * | Oct 26, 2009 | Jun 30, 2010 | 江西省电力科学研究院 | Electric energy qualitative data concentrator for digitalization transforming plant
US20080219186 * | Mar 4, 2008 | Sep 11, 2008 | Grid Net, Inc. | Energy switch router
Referenced by
Citing Patent | Filing date | Publication date | Applicant | Title
CN104506528A * | Dec 23, 2014 | Apr 8, 2015 | 国家电网公司 | Integrated network safety access method
CN105468689A * | Nov 17, 2015 | Apr 6, 2016 | 广东电网有限责任公司电力科学研究院 | Power grid object level authority configuration and inheritance method
Classifications
International Classification | H02J13/00, H04L29/06
Cooperative Classification | Y04S10/40, Y04S40/24
Legal Events
Date | Code | Event | Description
Nov 26, 2014 | C06 | Publication
Feb 25, 2015 | C53 | Correction of patent for invention or patent application
Feb 25, 2015 | COR | Change of bibliographic data | Free format text: CORRECT: APPLICANT; FROM: ELECTRICAL POWER RESEARCH INSTITUTE OF GUANGDONG POWER GRID CORPORATION TO: ELECTRIC POWER RESEARCH INSTITUTE OF GUANGDONG POWER GRID CO., LTD.
Mar 4, 2015 | C10 | Entry into substantive examination
Jan 20, 2016 | C14 | Grant of patent or utility model