Cybersecurity | Schweitzer Engineering Laboratories

Cybersecurity

We understand, defend, and serve ICS and OT networks.

Cybersecurity is not one thing. It is never finished. Our mission is to provide services and solutions that defend and maintain the availability of Industrial Control System (ICS) and operational technology (OT) power systems.

Our Approach

We simplify cybersecurity with layered defenses that apply the right technologies in each layer. 

Our Solutions

Cyber systems and solutions designed for critical infrastructure.

Our Services

Strengthen your defenses and streamline maintenance and compliance.

Our Support

We strive to be not just a vendor, but a partner you can rely on.

Zero Trust for ICS and OT Cybersecurity 

The concept of zero trust for securing information networks is gaining in popularity. This is underscored by the executive order of May 12, 2021 to improve the nation’s cybersecurity, highlighting zero trust as a key component.

A zero-trust architecture is a powerful tool that helps security professionals determine optimal ways to design security controls for their networks. However, ICS and critical infrastructure networks have important differences from IT networks and require a modified approach—particularly regarding the decision of where to encrypt traffic and at what point end-to-end encryption hurts the availability of protection and control devices.

Furthermore, the notion that trust can be excluded from the calculus of network security is misguided. Trust underpins all security; therefore, when applying zero trust to a network, security professionals should continually evaluate these questions:

  • What do I trust?
  • Why do I trust it?
  • When should I no longer trust it?

Encryption and the CIA Triad

The core of cybersecurity is defined by three intertwining goals: confidentiality, integrity, and availability, commonly known as the CIA triad.

Confidentiality is the idea that information can be kept secret and known only to those people or systems who need that information to perform their duties. Integrity is the idea that the information is valid and verifiably correct. Availability is the idea that a system or data are running or available when needed. Each of these core concepts is required when designing a secure ICS or OT network, but the priority of each shifts based on the security zone.

Generally, these security zones are broken up into levels based on the Purdue diagram for ICS security. SEL defines six levels: Perimeter (level 5), SCADA (level 4), Access (level 3), Automation (level 2), Control (level 1), and Physical (level 0). Protocols like Transport Layer Security (TLS) and IPsec are powerful encryption tools for Levels 4 and 5, which focus more on the confidentiality of data. But these off-the-shelf IT protocols are often misapplied in ICS/OT networks, making it more difficult to detect intrusions and to perform forensic investigations into cyber attacks.

Encryption at Levels 1 and 0 should be limited and specialized, like Media Access Control Security (MACsec) or Secure Shell (SSH), which don’t overload protection and control devices with unnecessary code.  

Attack Surface Reduction

Keeping up with ever-changing cybersecurity threats can seem daunting, but there are several practical steps that all owners of critical infrastructure systems can begin taking immediately to mitigate the risk of a damaging cyber attack.

These steps include knowing all the communications paths to your assets, using the appropriate encryption and authentication tools, practicing need-to-know policies, incorporating multiple layers of defense, developing an incident response plan, and using and managing strong passwords. 

These practical steps do not directly address regulatory requirements or any particular cybersecurity framework. For help meeting regulatory requirements and implementing risk mitigation solutions, please contact SEL Cyber Services.

Deny-by-Default Cybersecurity

Deny-by-default is the strongest approach to designing communications paths in an OT zero-trust network architecture. We achieve this through our OT software-defined networking (SDN) solution, which is part of the Department of Defense Information Network’s Approved Product List. Products in this list are tested, validated, and certified to the cybersecurity and interoperability standards of Defense Information Systems Networks.  

OT SDN takes the decision-making control out of the switch and puts it with the operator. The operator defines all the primary and backup flows, decides what is and isn’t allowed on the network, and determines what actions to take when a rogue packet is identified.

Anything that doesn’t match the predefined set of rules is identified, denied by default, and either dropped or sent to an intrusion detection system. This eliminates the network technologies that lead to spoofing, MAC flooding and table poisoning, Bridge Protocol Data Unit (BPDU) attacks, ransomware attacks, and more.  
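
A minimal model of the deny-by-default forwarding decision described above, added here as an illustration and not SEL's implementation or API. The class names, MAC addresses, port numbers, and flows are constructed; DNP3 over TCP port 20000 and GOOSE (EtherType 0x88B8) stand in for typical substation traffic.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Frame:
    in_port: int
    src_mac: str
    dst_mac: str
    ethertype: int                  # EtherType, or 802.3 length for LLC frames
    dst_port: Optional[int] = None  # TCP/UDP destination port, if present

@dataclass(frozen=True)
class Flow:
    name: str
    match: Frame                    # every field must match exactly
    out_port: int                   # operator-defined primary path
    backup_out_port: Optional[int] = None

@dataclass
class DenyByDefaultSwitch:
    flows: List[Flow]
    ids_port: Optional[int] = None  # None: drop misses; else send them to the IDS
    failed_ports: Set[int] = field(default_factory=set)
    misses: List[Frame] = field(default_factory=list)

    def handle(self, frame: Frame) -> Tuple[str, Optional[int]]:
        for flow in self.flows:
            if flow.match == frame:
                for port in (flow.out_port, flow.backup_out_port):
                    if port is not None and port not in self.failed_ports:
                        return ("forward", port)
                return ("drop", None)   # both engineered paths are down
        # No rule matched: nothing is learned or flooded, the frame is recorded.
        self.misses.append(frame)
        if self.ids_port is not None:
            return ("ids", self.ids_port)
        return ("drop", None)

# Constructed sample topology (locally administered MAC addresses).
SCADA, RELAY = "02:00:00:00:00:10", "02:00:00:00:00:20"
GOOSE_GROUP = "01:0c:cd:01:00:01"   # IEC 61850 GOOSE multicast address
BPDU_GROUP = "01:80:c2:00:00:00"    # spanning-tree BPDU multicast address

def build_switch(ids_port: Optional[int] = None) -> DenyByDefaultSwitch:
    return DenyByDefaultSwitch(flows=[
        Flow("scada-to-relay-dnp3", Frame(2, SCADA, RELAY, 0x0800, 20000), out_port=1),
        Flow("relay-goose", Frame(1, RELAY, GOOSE_GROUP, 0x88B8),
             out_port=3, backup_out_port=4),
    ], ids_port=ids_port)

def demo() -> dict:
    sw = build_switch(ids_port=8)
    r = {}
    r["legit"] = sw.handle(Frame(2, SCADA, RELAY, 0x0800, 20000))
    # Correct addresses, wrong ingress port: a spoofed source does not match.
    r["spoofed_port"] = sw.handle(Frame(5, SCADA, RELAY, 0x0800, 20000))
    # Correct endpoints, but a service the operator never allowed.
    r["wrong_service"] = sw.handle(Frame(2, SCADA, RELAY, 0x0800, 22))
    # BPDU from an edge port: there is no spanning tree to influence.
    r["bpdu"] = sw.handle(Frame(5, "02:00:00:00:00:99", BPDU_GROUP, 0x0026))
    # Many unknown sources: no MAC table exists to fill, so rules stay unchanged.
    flood = [sw.handle(Frame(5, f"02:00:00:00:01:{i:02x}", RELAY, 0x0800, 20000))
             for i in range(50)]
    r["flood_all_denied"] = all(x == ("ids", 8) for x in flood)
    r["flow_count"] = len(sw.flows)
    r["goose_primary"] = sw.handle(Frame(1, RELAY, GOOSE_GROUP, 0x88B8))
    sw.failed_ports.add(3)          # primary link fails; backup flow takes over
    r["goose_backup"] = sw.handle(Frame(1, RELAY, GOOSE_GROUP, 0x88B8))
    r["miss_count"] = len(sw.misses)
    return r

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `misses` list is what an IDS or SIEM would consume: every entry is traffic that no operator-defined flow accounts for.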

Layered Cybersecurity

SEL solutions incorporate layered cyber defenses to help keep your system secure.  

These defenses incorporate security features that support the specific purpose of each part of the system, such as: 

  • OT software-defined networking (SDN).
  • Role-based access controls.
  • Integration with multifactor authentication systems and one-time-password (OTP) solutions.
  • Encrypted external communications via VPN with IPsec. 
  • Hardened engineering access and HMI systems.

SEL networking solutions and automation controllers can also be integrated into security information and event management (SIEM) and intrusion detection systems (IDSs), which help detect and counter cyber attacks before they disrupt operations.

We thoroughly review and test every line of code in our products, which provides greater control over their quality, security, and functionality. 

We also follow secure supply chain management best practices and help our customers comply with applicable supply chain and cybersecurity standards (for instance, NERC CIP-013 for certain North American utilities). 

Simplified Security Tiers

Secure OT Networking

The SEL software-defined networking (SDN) solution is purpose-built to improve cybersecurity and situational awareness in OT environments such as substation LANs, ICSs, and facility-related control systems (FRCS).

A true deny-by-default solution, OT SDN allows the operator to define all communication flows and specify exactly what type of traffic and devices are allowed on the network. Anything not matching those specifications is identified, denied by default, and dropped.

OT SDN helps you:

  • Easily see and understand what should be happening on your network.
  • Make intrusion detection system (IDS) integration simpler and more cost-effective.
  • Streamline NERC CIP data collection and reporting.
  • Meet the performance requirements of IEC 61850 systems with high-speed failover, efficient traffic handling, and high network availability.

Our OT SDN solution has been tested against several challenging OT requirements and is certified on the U.S. Department of Defense Information Network Approved Products List.

Perimeter Security and Secure Access Control

SEL secure communications products are specifically designed to create cybersecure OT networks that function seamlessly with the IEDs that protect your systems.

The robust cybersecurity features integrated into these products have been proven in substations and industrial plants around the world. We issue security patches, firmware upgrades, and technical bulletins for the entire service life of every product.

Secure your control system communications with SEL Ethernet security gateways, which function as routers, VPN endpoints, and firewalls with built-in malware protection. They also provide secure access control for serial- and Ethernet-based IEDs.

Enhance the security and resiliency of network communications between substations and the control center with the SEL Unified Threat Management (UTM) Firewall. An advanced cybersecurity system that embeds in the SEL-3355 Automation Controller, it features stateful firewall tracking, deep-packet inspection, adaptive routing, and hardware failover.

See SEL Products for Secure Communications

SEL cybersecurity professionals will work with you directly to develop a secure solution that is tailored to your priorities and objectives.

We help with:

  • Services and solutions that ensure compliance with NERC CIP requirements.

  • Assessment services and risk remediation plans based on National Institute of Standards and Technology (NIST), NERC CIP, and IEC 62443 cybersecurity frameworks.

  • Design and implementation of secure communications networks, access management, and remote access solutions.

  • OT system baselining.

  • Threat management solutions, including logging and monitoring, visualization, reporting and alerting, incident response plans, and data backup and recovery.

  • Making a cybersecure transition from serial communications to Ethernet—and streamlining the maintenance and compliance requirements that follow.

SEL practices a defense-in-depth philosophy of cybersecurity. We design secure systems starting with the device closest to the critical asset and working out to the user, ensuring that authentication, authorization, and accountability are intact at each stage. We also ensure that security features don’t compromise the performance of critical protection and control systems.

NERC CIP Compliance

SEL provides services and solutions that streamline the demanding, potentially time-consuming tasks of maintaining compliance with NERC CIP cybersecurity standards and keeping your critical electric power infrastructure secure.

We can also test, design, and implement complete OT networking solutions that comply with any cybersecurity standards that may apply to you.

Cyber Attack Mitigation

We freely provide a broad set of best practices that you and your team can begin using immediately to improve the security of your systems and mitigate the risk of a damaging cyber attack. 

And if you need to meet regulatory requirements or need expert help implementing cybersecurity solutions, SEL Cyber Services professionals are ready to partner with you to get it done. 

The Industry’s Best Warranty

SEL devices are designed for a working life of at least 20 years, and every SEL-manufactured device comes with a 10-year warranty—the best in the electric power industry. If it fails under warranty, repair and replacement are free.

We always do all that we can to repair any returned product, whether it meets our warranty or not.

Proven Reliability 

SEL products are designed and manufactured for the world’s most challenging environments, exceeding all industry standards for temperature, shock, and electric stress. An optional conformal coating for circuit boards adds an extra level of protection against contaminants in extreme environments.

Our products have a mean time between returns for repair (MTBR) of more than 250 years, based on observed field performance. This means that if you have 250 SEL products installed in your systems, you can expect to have less than one unscheduled removal from service per year for any reason, whether it’s a defect or an external factor such as overvoltage, overcurrent, wildlife damage, or environmental exposure.

Lifetime Product Support

Every device we manufacture comes with free lifetime technical support.

SEL support teams are stationed in regional offices around the world and staffed with application engineers who are experts in our products and in power system applications.

No matter how often you need to call or how long your SEL products have been in service, our customer service and technical support professionals are ready to help. 

Security Bulletins and Updates

We notify product owners of updates and security patches for the full life of the product. Software and firmware updates are distributed directly to our customers via secure file transfer, and their authenticity and integrity are verifiable through digital signatures and cryptographic hashes. 

SEL Process for Disclosing Security Vulnerabilities 

Cybersecurity Support

Cyber services support contracts can include incident response, audits, system hardening, patch and update management, and more, depending on your anticipated needs. 

We also practice secure supply chain management and help our customers comply with applicable supply chain and cybersecurity standards (for instance, NERC CIP-013 for certain North American utilities). 

Contact SEL Cyber Services

 

Training and Education

SEL meets your workforce training and continuing education needs through seminars, conference and tradeshow presentations, and SEL University courses.

As an International Association for Continuing Education and Training (IACET)-accredited provider, SEL University offers continuing education units (CEUs) which meet the internationally recognized American National Standards Institute (ANSI)/IACET Continuing Education and Training Standard.

SEL University courses and many of our seminars provide Professional Development Hours (PDHs) for maintaining Professional Engineering (PE) licenses. Courses and seminars can be delivered in various formats, including self-paced online learning, virtual classrooms, live and recorded webinars, and in person.

We can also work with you to develop training that is customized to the specific needs of your workforce.

Questions? Contact Us!

If you have questions about SEL products, services, or cybersecurity best practices, please contact us. One of our cybersecurity professionals will reach out to you to discuss your questions and concerns.