DCS system and MIS system security isolation technology

2026-04-06 05:33:26 · · #1
0 Introduction

With the automation upgrade of older generating units, distributed control systems (hereinafter DCS systems) have come into wide use. Real-time data from the generating units is sent through a gateway to the management information system (MIS system). The real-time management program in the MIS system automatically collects, processes, stores and statistically analyzes the units' production data, providing a scientific basis for production command and management personnel and supporting safe-operation analysis and economic-operation guidance for the units. Because the DCS system and the MIS system are directly connected, the MIS system poses a significant security risk to the DCS system. Effective isolation between the two systems is therefore essential to minimize the security problems caused by network interconnection.

1 Current Status of the DCS System and MIS System Connection

The DCS system for generating units 3-7 at the Matou Power Plant uses a three-bus Ethernet network. A dedicated gateway is directly connected to the MIS network and sends the relevant real-time data to the MIS network through gateway software. Communication between the two networks uses Netware's IPX protocol (or the TCP/IP protocol). At the MIS network acquisition station, a processing program receives the real-time data and forwards it to the real-time server for sharing among users.

The dedicated gateway isolates two networks with different security levels. A serial port isolation program strictly restricts the data types carried on the serial line, isolating the machines at both ends of the line at the network layer: when one machine is compromised, the other end is not allowed to establish a network-layer access path over the serial line, so from a network-layer perspective the other end is safe. However, this is by no means true "physical isolation." The machines at both ends remain interconnected at the link layer. The arrangement achieves neither physical isolation nor logical isolation, and virus programs can still reach their target through the serial port isolation program and link-layer protocols.

2 Security Risk Analysis of the MIS System to the DCS System

2.1 Security Risks in the Connection Between the Two Systems

MIS systems are widely used in production and operation management. When the MIS system needs real-time operational information, it must exchange information with the DCS system. The DCS system is then exposed to the following risks:

a. MIS systems all use widely deployed operating systems, which are the most frequently attacked and have comparatively prominent security vulnerabilities.
b. Almost all MIS networks are connected to the Internet, further increasing the likelihood of attack.
c. The network bridges connecting to the DCS system all use general-purpose products, which fail to balance universality against security; in general, higher universality means lower security.
d. On the DCS control system side, for ease of development and application and for other reasons, more and more general-purpose (embedded) operating systems are used, which also increases the likelihood of being hit by the same viruses.
e. From a hardware perspective, both systems' CPUs use the same instruction set, which also widens the opportunity for various attacks.

2.2 Analysis of the Security Risks

Using similar computers and the same operating system creates more opportunities for network attack. Although, in terms of network structure, the DCS system and the MIS system communicate through gateways and separate network cards, from the perspective of the underlying network driver network access is completely transparent, and access at that level is unrestricted. In other words, the application layer of the network can only stop programs written by ordinary programmers from freely accessing computers on other network segments and protocols. Access performed at the underlying level is not restricted at all: as long as a physical connection exists, data exchange and access are possible.

Currently, real-time data in power plant DCS systems is typically acquired by installing multiple network interface cards (NICs) in the gateway, each running a different protocol: TCP/IP toward the DCS system and IPX toward the MIS system. In hardware terms this provides a physical path for data transmission. If the gateway is attacked by a malicious program, for example one that turns on routing, the DCS and MIS systems are effectively on the same network with no operational restrictions. Even if other programs do not deliberately damage the DCS system, network "garbage packets" can delay or paralyze network communication. This bridging method therefore carries significant security risk, fundamentally because it uses general-purpose computers, NICs, network protocols and operating systems, and because it provides bidirectional data communication at the physical connection level.

2.3 Limitations of Firewall Technology

Firewalls are important network security products and include hardware and software firewalls. They are generally classified into three types: router-based packet-filtering firewalls, firewalls based on general-purpose operating systems, and firewalls based on dedicated security operating systems. Besides the IP protocol, they also support common protocols such as AppleTalk, DECnet, IPX and NETBEUI. A firewall defends against attack with measures such as access control, packet filtering, application-layer proxies that support virus scanning, real-time intrusion warning, real-time intrusion prevention and real-time intrusion response. When an intrusion occurs, the firewall can respond dynamically, adjust its security policy, block malicious packets, and identify, record and prevent IP address spoofing attempts.

Even with firewall technology, data communication remains bidirectional. Whatever form the protection takes, it is essentially a "passive defense" that requires continuous software and hardware upgrades to keep out known viruses and conventional attacks; defense against unknown viruses is limited and lags behind. Furthermore, if the bridge (or similar device) between the DCS and MIS systems is attacked, then even when the DCS system is not attacked directly, the volume of data handled on the network may increase and ultimately affect the real-time data transmission of the DCS system. For power generation equipment with extremely high security requirements, any attack on the DCS system is absolutely unacceptable. These methods therefore always leave security gaps and cannot fundamentally eliminate network security risk.

3 Security Isolation Technology Solution

3.1 Technical Principle of the Dedicated Security Isolation Device

The dedicated security isolation device is installed between the DCS system gateway and the MIS system and physically enforces unidirectional data transmission and isolation. It receives real-time data from the DCS system and stores and forwards it to the MIS system.

3.2 Structure of the Dedicated Security Isolation Device

The dedicated security isolation device uses a dual-motherboard embedded computer, each motherboard having the functions of a conventional computer.
One motherboard is connected to the DCS system and the other to the MIS system; both run a conventional Windows NT operating system, allowing easy connection to both systems. A dedicated synchronous data communication card is added to each motherboard to carry data between the two halves and to enforce unidirectional transmission; it supports the IPX and TCP/IP protocols. Figure 1 shows the hardware structure of the security isolation device.

The dedicated synchronous data communication card is built around the Hitachi HD64570 chip, combined with DMA and dual-port RAM, and provides high-speed data communication at 4 Mbit/s. It supports communication protocols such as HDLC, SDLC and BSC, fully meeting the real-time requirements of the data communication. The card ensures in hardware that data travels only from the DCS system to the MIS system and, together with dedicated software, completes the collection of DCS data. Because the card is dedicated rather than general-purpose hardware, is installed as a separate board in the microcomputer, and requires its own software to function, attackers and viruses cannot affect it. Even if attacks or interference occur on the MIS side, they pose no threat to the DCS system.

3.3 Installation and Commissioning of the Dedicated Security Isolation Device

The dedicated security isolation device uses products designed specifically for industrial environments, ensuring long-term safe operation; its chassis is a standard industrial control chassis, which simplifies on-site installation. Figure 2 shows the network diagram after installing the dedicated security isolation device on each unit's DCS system.

4 Improvements to the Isolation Device

Currently, the Matou Power Plant has installed a dedicated security isolation device between the DCS and MIS systems of units #3 to #7. Based on operational experience, the following improvements are proposed:

a. Since the data acquisition station in the MIS system only receives IPX packets, the TCP/IP protocol can be removed from the embedded computer on the DATA OUT side of the isolation device so that only IPX runs. This reduces the scope for attacks from the MIS system on the isolation device.
b. Replace the hard drive in the embedded computer with a semiconductor disk to ensure uninterrupted operation of the security isolation device.
c. The two motherboards of the embedded computer in the security isolation device can run different operating systems to minimize crosstalk between the two halves.
d. Connect the two gateways in one main control room to a single isolation device. This avoids the difficulty of expanding the network after a failure and somewhat reduces equipment investment.
e. Create an emergency recovery disk for the isolation device so that, in the event of a failure, operation can be restored promptly and the impact minimized.

5 Conclusion

Since its deployment at the Matou Power Plant, the dedicated security isolation device has transmitted real-time data rapidly from the DCS system to the MIS system, and the device operates stably. Attempts from the MIS network side to reach the DCS system over various communication protocols have all failed. The isolation technology used by the device achieves effective physical isolation and meets the security protection requirements of the power plant's computer monitoring system.
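The store-and-forward principle of section 3 (data moves only from DCS to MIS, and the MIS side can never send anything back, not even an acknowledgement) can be modelled in software. The following is an added example written for this page, not the plant's or the isolation device's own code: a DCS-side sender that emits HDLC-style frames (flag bytes, byte stuffing, a 16-bit FCS) carrying a sequence number, and an MIS-side receiver that validates the FCS, detects lost frames and queues good payloads for forwarding. The frame layout, the choice of CRC-16/CCITT-FALSE as the FCS, the sample readings and the injected corruption are all assumptions made for the demonstration; the HD64570 card's real HDLC framing is done in hardware and is not reproduced here.

```python
"""One-way (transmit-only) store-and-forward link modelled on the DCS -> MIS
isolation device. Added example, not the device's own code.

Assumed frame layout (constructed for this demo):
    FLAG | seq (2 bytes, big-endian) | payload | FCS (2 bytes) | FLAG
with HDLC-style byte stuffing and CRC-16/CCITT-FALSE as the FCS.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

FLAG = 0x7E      # frame delimiter
ESC = 0x7D       # escape byte for stuffing
ESC_XOR = 0x20   # escaped byte is XORed with this


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, MSB-first, no final XOR).
    HDLC hardware uses the reflected form of the same polynomial; this
    variant is sufficient to detect the corruption injected below."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def stuff(raw: bytes) -> bytes:
    """Escape FLAG/ESC bytes so they cannot be mistaken for a delimiter."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ ESC_XOR])
        else:
            out.append(b)
    return bytes(out)


def unstuff(body: bytes) -> bytes:
    """Reverse stuff(); raises on a dangling escape (truncated frame)."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] == ESC:
            i += 1
            if i >= len(body):
                raise ValueError("truncated escape")
            out.append(body[i] ^ ESC_XOR)
        else:
            out.append(body[i])
        i += 1
    return bytes(out)


class DcsSender:
    """DCS side: produces frames only; it has no receive path at all."""

    def __init__(self) -> None:
        self.seq = 0

    def frame(self, payload: bytes) -> bytes:
        raw = self.seq.to_bytes(2, "big") + payload
        raw += crc16_ccitt(raw).to_bytes(2, "big")
        self.seq = (self.seq + 1) & 0xFFFF
        return bytes([FLAG]) + stuff(raw) + bytes([FLAG])


@dataclass
class MisReceiver:
    """MIS side: deframes, checks the FCS, tracks sequence gaps and queues
    good payloads for forwarding. With no return channel it cannot ask for
    a retransmission; it can only drop and log."""
    expected: int = 0
    forwarded: List[Tuple[int, bytes]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)
    _buf: bytearray = field(default_factory=bytearray)
    _in_frame: bool = False

    def feed(self, stream: bytes) -> None:
        for b in stream:
            if b == FLAG:
                if self._in_frame and self._buf:   # closing flag of a frame
                    self._handle(bytes(self._buf))
                self._buf.clear()
                self._in_frame = True              # a flag also opens the next frame
            elif self._in_frame:
                self._buf.append(b)

    def _handle(self, body: bytes) -> None:
        try:
            raw = unstuff(body)
        except ValueError as e:
            self.log.append(f"drop: {e}")
            return
        if len(raw) < 4:
            self.log.append("drop: short frame")
            return
        data, fcs = raw[:-2], int.from_bytes(raw[-2:], "big")
        if crc16_ccitt(data) != fcs:
            self.log.append("drop: bad FCS")
            return
        seq = int.from_bytes(data[:2], "big")
        if seq != self.expected:                   # a dropped frame shows up only as a gap
            self.log.append(f"gap: expected {self.expected}, got {seq}")
        self.expected = (seq + 1) & 0xFFFF
        self.forwarded.append((seq, data[2:]))


def run_demo() -> MisReceiver:
    """Send three constructed readings; corrupt one byte of the second frame
    to simulate line noise on the one-way link."""
    readings = [b"U3 main steam T=538.2C", b"U3 load P=298.7MW", b"U3 \x7e\x7d stuffed"]
    tx = DcsSender()
    frames = [tx.frame(r) for r in readings]
    bad = bytearray(frames[1])
    bad[3] ^= 0x01            # index 3 = first payload byte (after FLAG + 2 seq bytes)
    frames[1] = bytes(bad)
    rx = MisReceiver()
    rx.feed(b"".join(frames))
    return rx


if __name__ == "__main__":
    rx = run_demo()
    for seq, payload in rx.forwarded:
        print(f"forward seq={seq}: {payload!r}")
    for line in rx.log:
        print(line)
```

Because the receiver has no return path, a frame that fails its FCS is dropped and logged rather than retransmitted, and the sequence gap that follows is the only evidence the MIS side ever gets that data was lost. That gap counter is therefore the signal the MIS-side monitoring should alarm on; the DCS side remains unaware, which is exactly the property the isolation device is built to guarantee.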