Cybersecurity | Schweitzer Engineering Laboratories

Cybersecurity

We understand, defend, and serve ICS and OT networks.

Cybersecurity is not one thing. It is never finished. Our mission is to provide services and solutions that defend and maintain the availability of Industrial Control System (ICS) and operational technology (OT) power systems.

Our Approach

We simplify cybersecurity with layered defenses that apply the right technologies in each layer. 

Our Solutions

Cyber systems and solutions designed for critical infrastructure.

Our Services

Strengthen your defenses and streamline maintenance and compliance.

Our Support

We strive to be not just a vendor, but a partner you can rely on.

Zero Trust for ICS and OT Cybersecurity 

The concept of zero trust for securing information networks is gaining in popularity. This is underscored by the executive order of May 12, 2021 to improve the nation’s cybersecurity, highlighting zero trust as a key component.

A zero-trust architecture is a powerful tool that helps security professionals determine optimal ways to design security controls for their networks. However, ICS and critical infrastructure networks have important differences from IT networks and require a modified approach—particularly regarding the decision of where to encrypt traffic and at what point end-to-end encryption hurts the availability of protection and control devices.

Furthermore, the notion that trust can be excluded from the calculus of network security is misguided. Trust underpins all security; therefore, when applying zero trust to a network, security professionals should continually evaluate these questions:

  • What do I trust?
  • Why do I trust it?
  • When should I no longer trust it?

From our knowledge base

Encryption and the CIA Triad

The core of cybersecurity is defined by three intertwining goals: confidentiality, integrity, and availability, commonly known as the CIA triad.

Confidentiality is the idea that information can be kept secret and known only to those people or systems who need that information to perform their duties. Integrity is the idea that the information is valid and verifiably correct. Availability is the idea that a system or its data is running or accessible when needed. Each of these core concepts is required when designing a secure ICS or OT network, but the priority of each shifts based on the security zone.

Generally, these security zones are broken up into levels based on the Purdue diagram for ICS security. SEL defines six levels: Perimeter (level 5), SCADA (level 4), Access (level 3), Automation (level 2), Control (level 1), and Physical (level 0). Protocols like Transport Layer Security (TLS) and IPsec are powerful encryption tools for Levels 4 and 5, which focus more on the confidentiality of data. But these off-the-shelf IT protocols are often misapplied in ICS/OT networks, making it more difficult to detect intrusions and to perform forensic investigations into cyber attacks.

Encryption at Levels 1 and 0 should be limited and specialized, like Media Access Control Security (MACsec) or Secure Shell (SSH), which don’t overload protection and control devices with unnecessary code.  

From our knowledge base

Attack Surface Reduction

Keeping up with ever-changing cybersecurity threats can seem daunting, but there are several practical steps that all owners of critical infrastructure systems can begin taking immediately to mitigate the risk of a damaging cyber attack.

These steps include knowing all the communications paths to your assets, using the appropriate encryption and authentication tools, practicing need-to-know policies, incorporating multiple layers of defense, developing an incident response plan, and using and managing strong passwords. 

These practical steps do not directly address regulatory requirements or any particular cybersecurity framework. For help meeting regulatory requirements and implementing risk mitigation solutions, please contact SEL Cyber Services.

From our knowledge base

Deny-by-Default Cybersecurity

Deny-by-default is the strongest approach to designing communications paths in an OT zero-trust network architecture. We achieve this through our OT software-defined networking (SDN) solution, which is part of the Department of Defense Information Network’s Approved Product List. Products in this list are tested, validated, and certified to the cybersecurity and interoperability standards of Defense Information Systems Networks.  

OT SDN takes the decision-making control out of the switch and puts it with the operator. The operator defines all the primary and backup flows, decides what is and isn’t allowed on the network, and determines what actions to take when a rogue packet is identified.

Anything that doesn’t match the predefined set of rules is identified, denied by default, and either dropped or sent to an intrusion detection system. This eliminates the network technologies that lead to spoofing, MAC flooding and table poisoning, Bridge Protocol Data Unit (BPDU) attacks, ransomware attacks, and more.  

From our knowledge base

Layered Cybersecurity

SEL solutions incorporate layered cyber defenses to help keep your system secure.  

These defenses incorporate security features that support the specific purpose of each part of the system, such as: 

  • OT software-defined networking (SDN).
  • Role-based access controls.
  • Integration with multifactor authentication systems and one-time-password (OTP) solutions.
  • Encrypted external communications via VPN with IPsec. 
  • Hardened engineering access and HMI systems.

SEL networking solutions and automation controllers can also be integrated into security information and event management (SIEM) and intrusion detection systems (IDSs), which help detect and counter cyber attacks before they disrupt operations.

We thoroughly review and test every line of code in our products, which provides greater control over their quality, security, and functionality. 

We also follow secure supply chain management best practices and help our customers comply with applicable supply chain and cybersecurity standards (for instance, NERC CIP-013 for certain North American utilities). 

Simplified Security Tiers

Secure OT Networking

The SEL software-defined networking (SDN) solution is purpose-built to improve cybersecurity and situational awareness in OT environments such as substation LANs, ICSs, and facility-related control systems (FRCS).

A true deny-by-default solution, OT SDN allows the operator to define all communication flows and specify exactly what type of traffic and devices are allowed on the network. Anything not matching those specifications is identified, denied by default, and dropped.

OT SDN helps you:

  • Easily see and understand what should be happening on your network.
  • Make intrusion detection system (IDS) integration simpler and more cost-effective.
  • Streamline NERC CIP data collection and reporting.
  • Meet the performance requirements of IEC 61850 systems with high-speed failover, efficient traffic handling, and high network availability.

Our OT SDN solution has been tested against several challenging OT requirements and is certified on the U.S. Department of Defense Information Network Approved Products List.
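The deny-by-default decision described in the Deny-by-Default Cybersecurity and Secure OT Networking passages above, as an added Python example that is not SEL's code and does not model any SEL product: the operator's flow table is the only source of permission, a match must agree on the ingress port as well as the addresses and protocol, and a frame with no matching flow is either dropped or handed to the intrusion detection system, as the operator chooses. The flow names, MAC addresses, port numbers and sample frames are all constructed for illustration.

```python
# Added example (not SEL's code): a deny-by-default flow table in the spirit
# of the OT SDN decision described on the page. Flow definitions, MAC
# addresses, switch ports and frames below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Flow:
    """One operator-defined, explicitly allowed flow."""
    name: str
    in_port: Optional[int]       # physical switch port the frame must arrive on
    src_mac: Optional[str]
    dst_mac: Optional[str]
    ethertype: Optional[int]     # 0x0800 IPv4, 0x0806 ARP, 0x88B8 IEC 61850 GOOSE
    dst_port: Optional[int]      # L4 destination port; ANY for non-IP traffic
    out_port: int                # where matching frames are forwarded


@dataclass(frozen=True)
class Frame:
    """A frame as seen at switch ingress (constructed sample input)."""
    in_port: int
    src_mac: str
    dst_mac: str
    ethertype: int
    dst_port: Optional[int] = None


def _matches(rule: Flow, frame: Frame) -> bool:
    """A rule matches only when every non-wildcard field equals the frame's."""
    for field in ("in_port", "src_mac", "dst_mac", "ethertype", "dst_port"):
        want = getattr(rule, field)
        if want is not ANY and want != getattr(frame, field):
            return False
    return True


def decide(table: List[Flow], frame: Frame, send_to_ids: bool = True) -> Tuple[str, str]:
    """Deny by default: forward only on an explicit match. Otherwise the frame
    is mirrored to the IDS, or simply dropped if the operator chose that."""
    for rule in table:  # first match wins; the operator orders the table
        if _matches(rule, frame):
            return ("forward", rule.name)
    return ("ids" if send_to_ids else "drop", "no-matching-flow")


# Constructed topology: a relay publishing GOOSE onto the process bus and a
# SCADA master polling an RTU over Modbus/TCP. Everything else is denied.
RELAY_A = "00:30:a7:00:00:01"
RTU = "00:30:a7:00:00:02"
SCADA = "00:30:a7:00:00:03"
GOOSE_MCAST = "01:0c:cd:01:00:01"

FLOW_TABLE = [
    Flow("goose-relayA", in_port=1, src_mac=RELAY_A, dst_mac=GOOSE_MCAST,
         ethertype=0x88B8, dst_port=ANY, out_port=3),
    Flow("modbus-scada-to-rtu", in_port=5, src_mac=SCADA, dst_mac=RTU,
         ethertype=0x0800, dst_port=502, out_port=2),
]

SAMPLE_FRAMES = [
    Frame(1, RELAY_A, GOOSE_MCAST, 0x88B8),        # legitimate GOOSE publication
    Frame(5, SCADA, RTU, 0x0800, 502),             # legitimate Modbus poll
    Frame(7, RELAY_A, GOOSE_MCAST, 0x88B8),        # relay A's MAC seen on the wrong port
    Frame(5, SCADA, RTU, 0x0800, 22),              # SSH to the RTU: no flow defined
    Frame(5, SCADA, "ff:ff:ff:ff:ff:ff", 0x0806),  # ARP broadcast: no flow defined
]


def evaluate(table: List[Flow], frames: List[Frame]) -> List[Tuple[str, str]]:
    """Run every frame through the table; the result doubles as an audit log."""
    return [decide(table, f) for f in frames]


def summarize(decisions: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count actions, which is what an operator would chart from the IDS feed."""
    counts = {"forward": 0, "ids": 0, "drop": 0}
    for action, _ in decisions:
        counts[action] += 1
    return counts


if __name__ == "__main__":
    for frame, (action, why) in zip(SAMPLE_FRAMES, evaluate(FLOW_TABLE, SAMPLE_FRAMES)):
        print(f"port {frame.in_port} {frame.src_mac} -> {frame.dst_mac} "
              f"type 0x{frame.ethertype:04x}: {action} ({why})")
    print(summarize(evaluate(FLOW_TABLE, SAMPLE_FRAMES)))
```

The third sample frame is the interesting one: it carries a legitimate source address but arrives on a port the operator never associated with that relay, so it fails to match and goes to the IDS rather than being learned and forwarded the way a conventional switch would handle it. Including the ingress port in the match is what makes the table a description of the physical communication paths, not just of the addresses in use.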

From our knowledge base

Perimeter Security and Secure Access Control

SEL secure communications products are specifically designed to create cybersecure OT networks that function seamlessly with the IEDs that protect your systems.

The robust cybersecurity features integrated into these products have been proven in substations and industrial plants around the world. We issue security patches, firmware upgrades, and technical bulletins for the entire service life of every product.

Secure your control system communications with SEL Ethernet security gateways, which function as routers, VPN endpoints, and firewalls with built-in malware protection. They also provide secure access control for serial- and Ethernet-based IEDs.

Enhance the security and resiliency of network communications between substations and the control center with the SEL Unified Threat Management (UTM) Firewall. This advanced cybersecurity system, which is embedded in the SEL-3355 Automation Controller, features stateful firewall tracking, deep packet inspection, adaptive routing, and hardware failover.

See SEL Products for Secure Communications