OPNsense on SEL Hardware Firewall | Schweitzer Engineering Laboratories

OPNsense on SEL Hardware


Secure operational technology (OT) networks and enhance the resilience of network communications between substations and the control center. OPNsense on rugged SEL hardware provides stateful firewall tracking, deep-packet inspection, adaptive routing, and hardware failover. 

OPNsense on SEL hardware is configured to your exacting specifications by the SEL Cybersecurity Services team. The system is purpose-built for industrial environments, contains no moving parts, and operates over a wide temperature range, from –40° to +75°C (–40° to +167°F).  


Protect the OT Network From Malware and Unauthorized Access—Apply a stateful firewall with OPNsense on SEL hardware. The firewall tracks the state of network connections (such as TCP streams and UDP communication) to increase filtering while reducing configuration needs. The firewall protects OT networks, such as substation LANs, against ransomware, trojans, viruses, and other malware and uses deep-packet inspection to detect malicious code in incoming packets from WANs. OPNsense on SEL hardware supports multiple network address translation (NAT) options, such as one to one, port forwarding, and outbound NAT, and supports multiple public interfaces.

Rely on Hardware Designed Specifically for OT Environments—The system uses SEL rugged automation controllers, which are tested to protective relay standards. These automation controllers have no moving parts and are designed to withstand vibration, electrical surges, fast transients, and extreme temperatures.

Enhance Resiliency With Dynamic Routing Between Substations and the Control Center—Deploy the system as a dynamic edge router for the substation. The firewall supports adaptive routing protocols, such as Open Shortest Path First (OSPF), the Border Gateway Protocol (BGP), and the Routing Information Protocol (RIP), to improve fault tolerance and reduce configuration needs. It also supports VPNs and is a VPN concentrator that allows multiple VPN tunnels to use a single network.

Improve Reliability With Automatic and Seamless Failover—Configure multiple firewalls for high availability using the Common Address Redundancy Protocol (CARP) for hardware failover. If the primary firewall fails, then the secondary firewall becomes active.

Make High-Priority OT Traffic More Deterministic—Apply traffic shaping in the firewall to limit bandwidth for various IT and OT applications and to prioritize network traffic. Bandwidth limitations can be configured based on the interface, IP source and destination, direction of traffic, and port numbers.


    1. Operational Status LEDs

      A green “ENABLED” LED indicates normal operation. The “ALARM” LED illuminates red when a nonoptimal system condition exists.

    2. Ethernet Status Indicators

      “LNK” (link) indicates that the port is connected, and “ACT” (activity) indicates when data are being transmitted and received.

    1. “ETH1” and “ETH2”

      Onboard independent Gigabit Ethernet interfaces.

    2. PCI Expansion Slots

      Install SEL or third-party PCI or PCI Express expansion cards for additional network, serial, or other application-specific I/O.

    3. Earth Ground Terminal Screw

      The earth ground connection for the SEL-3355-2 Automation Controller.

    4. Power Supply Modules

      The rated input voltage is clearly marked on the chassis near the terminals.



Stateful Firewall
Protect the substation from unauthorized access by applying a stateful firewall and increased filtering while reducing configuration.

Network Protection
Detect and filter out malicious code with deep-packet inspection. OPNsense on SEL hardware offers a built-in Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).

Edge Routing
Add resilient edge routing—dynamic routing with adaptive routing protocols.

VPN Tunneling
Allow multiple VPN tunnels to use a single network. Create a VPN concentrator.

Traffic Shaping
Prioritize critical OT traffic with traffic shaping.

Flexible NAT Options
Avoid IP address overlapping by applying flexible network address translation (NAT) options.

High Availability
Configure the firewall for high availability and load balancing with CARP for hardware failover.

Tough Hardware
Operate in tough conditions with SEL rugged automation controller hardware.

Expand connectivity with up to ten Ethernet ports on the SEL-3355 Automation Controller.

Easy Configuration
Shorten the configuration time using the intuitive graphical user interface.

User Authentication
Control user access with user authentication, including the Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), and two-factor authentication.

Secure Communications
Secure Ethernet communications using Secure Shell (SSH) and Transport Layer Security (TLS).

Time Synchronization
Time-synchronize IEDs with the Network Time Protocol (NTP).

Network Management
Centralize network management with the Simple Network Management Protocol (SNMP) and Representational State Transfer (REST) application program interfaces (APIs).

Event Logs
Maintain event logs for remote and local events.

Streamline troubleshooting using detailed diagnostics and logging capabilities.

The Firmware IDs for older versions of the firmware can typically be found in Appendix A of the instruction manual.