OT SDN Is Certified on the Department of Defense Information Network Approved Products List

As of July 2021, SEL’s operational technology (OT) software-defined networking (SDN) solution is certified on the U.S. Department of Defense Information Network (DoDIN) Approved Products List (APL). This solution offers a significant advantage over traditional packet delivery, greatly improves network security, and increases network situational awareness.

The deny-by-default and programmable circuit provisioning architecture of OT SDN decreases both cyber and operational risk for facility-related control systems (FRCS) while improving safety and reliability. Achieving DoDIN APL certification means SEL has demonstrated conformance to DoD Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) for both cybersecurity and interoperability with other DoD-approved devices.

Additionally, OT SDN’s purpose-engineered approach for FRCS networks has allowed it to be tested against several challenging OT requirements, including the Advanced Cyber Industrial Control System (ACI) Tactics, Techniques, and Procedures (TTPs) for DoD industrial control systems, MITRE’s ATT&CK framework, and zero-trust network architecture principles.

OT SDN meets or exceeds 22 of the 28 TTPs listed in the ACI TTPs. Having a network that immediately provides many of the ACI TTPs allows DoD to move from assessing the problem to taking action to reduce risk.

Eliminate Cyber Vulnerabilities

Traditional networks rely on MAC address learning tables, the Rapid Spanning Tree Protocol (RSTP), and cast types (unicast, multicast, and broadcast) for conveniences such as plug-and-play functionality. However, these same features make traditional networks vulnerable to cybersecurity threats, including MAC flooding and table poisoning, Address Resolution Protocol (ARP) spoofing, Bridge Protocol Data Unit (BPDU) attacks, and more. With OT SDN, every network flow and its backup path is explicitly defined in the flow controller, so MAC learning and RSTP are removed from the switches along with the attack surface they carry. In addition, OT SDN uses traffic engineering to define forwarding behavior rather than relying on cast types, which results in a network that performs to the exact requirements of the applications and services on the network and nothing more.

SEL OT SDN uses flow match rules to whitelist network flows. Ingressing packets are matched against the ingress port; Ethernet source or destination MAC address; Ethertype; VLAN identifier; IP source or destination address; and so on. Actions are defined for ingressing packets that match the various criteria, and a packet that matches no rule is denied. A set of counters on the rules is used to monitor the ingress and egress of traffic and the overall network health.

Easily Add an IDS

IDSs are becoming more prevalent in control system environments. When a packet matches no allowed flow on an OT SDN switch, it is either dropped or, if an IDS is in place, forwarded to the IDS for deeper inspection. The IDS seeks to reveal the actual intent of the packet’s content.

OT SDN makes adding an IDS a cost-effective and streamlined process. Previously, an operator needed to install a sensor on a mirror port at every switch location and program each individual sensor with the desired behavior, increasing the cost and time of installation. With OT SDN, network operators can reduce the number of required sensors and carry the denied packets across the data plane of the OT SDN fabric to a central sensor.
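As an added illustration of the two ideas above, the flow match rules with per-rule counters described under Eliminate Cyber Vulnerabilities and the table-miss path that forwards denied packets to a central IDS, here is a small Python model of a deny-by-default flow table. This is example code written for this page, not SEL’s software or the OT SDN flow-table format; the match field names, MAC and IP addresses, port numbers and rule names are constructed for the demonstration.

```python
"""Toy model of an OT SDN switch flow table: deny-by-default matching with
per-rule counters, a forward/drop/IDS action, and a table-miss path that
sends any unmatched packet to a central IDS sensor port.

Constructed example; field names and addresses are not SEL's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A rule may match on any subset of these fields; an omitted field is a wildcard.
MATCH_FIELDS = ("in_port", "eth_src", "eth_dst", "eth_type", "vlan",
                "ip_src", "ip_dst", "ip_proto", "tcp_dst")

ETH_GOOSE = 0x88B8   # IEC 61850 GOOSE
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_LLDP = 0x88CC
DNP3_PORT = 20000


@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_src: str
    eth_dst: str
    eth_type: int
    vlan: Optional[int] = None
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    tcp_dst: Optional[int] = None


@dataclass
class FlowRule:
    name: str
    match: Dict[str, object]
    action: str                  # "forward" | "drop" | "ids"
    out_port: Optional[int] = None
    priority: int = 100
    packets: int = 0             # counters, as an operator would read them
    bytes: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class FlowTable:
    def __init__(self, ids_port: int):
        self.rules: List[FlowRule] = []
        self.ids_port = ids_port   # port the central IDS sensor hangs off
        self.miss_packets = 0      # table-miss counter: traffic nobody provisioned

    def add(self, rule: FlowRule) -> None:
        unknown = set(rule.match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"unsupported match field(s): {sorted(unknown)}")
        if rule.action == "forward" and rule.out_port is None:
            raise ValueError("forward rules need an out_port")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)   # highest priority first

    def process(self, pkt: Packet, size: int = 64) -> Tuple[str, Optional[int], str]:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                rule.bytes += size
                if rule.action == "forward":
                    return ("forward", rule.out_port, rule.name)
                if rule.action == "ids":
                    return ("ids", self.ids_port, rule.name)
                return ("drop", None, rule.name)
        # Deny by default: no rule matched, so the packet goes to the IDS, not onward.
        self.miss_packets += 1
        return ("ids", self.ids_port, "table-miss")


def build_table() -> FlowTable:
    table = FlowTable(ids_port=24)
    # GOOSE from a specific IED on a specific port to its multicast group.
    table.add(FlowRule("goose-ied1", {"in_port": 1, "eth_src": "00:30:a7:00:00:01",
                                      "eth_dst": "01:0c:cd:01:00:01", "eth_type": ETH_GOOSE},
                       "forward", out_port=2))
    # DNP3 over TCP from the SCADA master to one RTU, and nothing else on that port.
    table.add(FlowRule("dnp3-scada-to-rtu", {"in_port": 3, "eth_type": ETH_IPV4,
                                             "ip_src": "10.0.0.10", "ip_dst": "10.0.0.20",
                                             "ip_proto": 6, "tcp_dst": DNP3_PORT},
                       "forward", out_port=4))
    # Known benign chatter that needs no inspection: drop silently.
    table.add(FlowRule("lldp-drop", {"eth_type": ETH_LLDP}, "drop", priority=50))
    return table


def run_demo():
    """Push constructed packets through the table and return (table, results)."""
    table = build_table()
    packets = [
        Packet(1, "00:30:a7:00:00:01", "01:0c:cd:01:00:01", ETH_GOOSE),            # provisioned GOOSE
        Packet(3, "00:30:a7:00:00:10", "00:30:a7:00:00:20", ETH_IPV4,
               ip_src="10.0.0.10", ip_dst="10.0.0.20", ip_proto=6, tcp_dst=DNP3_PORT),  # provisioned DNP3
        Packet(5, "00:30:a7:00:00:01", "01:0c:cd:01:00:01", ETH_GOOSE),            # spoofed IED MAC, wrong port
        Packet(3, "00:30:a7:00:00:10", "ff:ff:ff:ff:ff:ff", ETH_ARP),              # ARP never provisioned
        Packet(2, "00:30:a7:00:00:02", "01:80:c2:00:00:0e", ETH_LLDP),             # LLDP, explicit drop
    ]
    results = [table.process(p) for p in packets]
    return table, results


if __name__ == "__main__":
    table, results = run_demo()
    for result in results:
        print(result)
    print("table-miss packets:", table.miss_packets)
    for rule in table.rules:
        print(f"{rule.name}: {rule.packets} pkts, {rule.bytes} bytes")
```

The spoofed GOOSE frame carries a legitimate IED’s source MAC but arrives on the wrong port, so it never matches the provisioned flow; with no MAC learning to poison, the only outcome is the table-miss path to the IDS. The per-rule and table-miss counters are what give the operator the situational awareness the section describes.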

Operate Without a Flow Controller

The OT SDN flow controller is the software configuration tool and central management interface. Operators use the flow controller to define which devices and conversations to allow. The OT SDN solution manages the circuit provisioning and establishes proactive redundancy for high reliability and network healing performance in microseconds, supporting even the most demanding signals.

The OT SDN flow controller is not required after it proactively programs the network. Once the switches receive the flows from the flow controller, they will retain the flows even if the flow controller has been removed from the network or the switch is power cycled. And because the only changes allowed on the network are those made through the flow controller, the operator knows exactly how the network is operating at any given moment. With the flow controller online, network operators have increased situational awareness and visibility of each of the devices and every conversation those devices are allowed to have in their systems.

Lower the Cost of Ownership

SEL’s OT SDN solution is transparently priced up front. There are no annual licensing fees or additional maintenance contracts.

Every solution includes in the purchase price:

  • SEL SDN switches.
  • SEL SDN flow controller software.
  • Ten-year warranty and technical support for all SEL devices.

When the initial purchase price, annual operating cost, and product support are all considered, the SEL OT SDN solution offers a much lower cost of ownership than competing solutions.

What is the DoDIN APL?

The DoDIN APL is a consolidated list of network communications products and applications that are approved for use in DoD information networks and control systems. A product makes this list only after rigorous and extensive testing, validation, and certification to ensure that the solution meets the cybersecurity and interoperability standards for the Defense Information Systems Network (DISN) and the Federal Acquisition Regulation.
