At SEL, cybersecurity and supply chain security have always been fundamental to ensuring the quality of our products; security has been a top priority for SEL for over 35 years.
All of our electronic devices are designed, tested, and manufactured in the United States, in facilities that we own and operate.
We thoroughly review and test the code that goes into our products. The source code is continually monitored for new threats, and we provide cybersecurity bulletins and updates for the full lifetime of every device we manufacture.
We also participate in government-led and industry-led initiatives and standards development activities (for instance, we use the NIST Cybersecurity Framework) to stay abreast of current best practices and stay attuned to the evolving demands placed on our customers.
Because we realize that our supply chain becomes part of your supply chain, we also share the supply chain management processes and best practices we follow. Our cybersecurity and operations security teams are also available to consult on complying with NERC CIP supply chain management standards.
The supply chain for SEL is global and complex, requiring a systematic and comprehensive risk management approach to ensure the quality, cybersecurity, and dependable availability of all our products’ critical components.
We hope that outlining the processes and best practices we follow to ensure a secure supply chain will provide you with useful information as you consider your own cybersecurity and compliance efforts.
At SEL, the selection of vendors is a team effort between our product development, quality, and purchasing groups. Similarly, teams with complementary areas of expertise work together on component selection, ongoing monitoring of vendors and parts, and onsite vendor audits.
We employ a supplier rating system that evaluates every supplier based on price, quality, features, innovation, delivery, and service. To arrive at this rating, we assess several areas of risk:
To help ensure the secure delivery of our products to our customers, we apply the same supplier qualification processes to our transportation and shipping suppliers.
We host a yearly conference for vendors who supply us with component parts, equipment, and services. During this event, we share our technical needs and strategic objectives for the coming year with 200+ suppliers and identify ways to mutually improve our partnership.
We also build relationships with our suppliers as we conduct onsite audits to verify that their quality and security processes meet our requirements.
It’s not enough to know our first-tier suppliers. We ask them to identify their first-tier suppliers along with key risks, mitigation strategies, and replenishment methodologies.
To keep product and parts information secure for SEL and our vendors, we do not share our bills of materials (BOMs) or send out design schematics. We provide forecasts using part numbers that are unrelated to the product.
To ensure the integrity of our products, we procure components directly from the manufacturer or official distributors whenever possible. We then verify the performance of purchased components against supplier product specifications.
If components must be sourced from independent distributors, we use several methods to detect counterfeit products, including functional testing and microscopic, x-ray, x-ray fluorescence, and decapsulation inspections.
We constantly test our products throughout the manufacturing process. If variations in performance are found, we work to understand the root cause of the discrepancy.
As a U.S.-based company, we source materials from the United States to the greatest extent possible.
We work with suppliers to ensure that we and they keep sufficient inventory of specialty and at-risk parts. Whenever possible, we ensure that critical components can be sourced from at least two qualified suppliers.
Source code integrity is of utmost importance. We inspect and test every line of our source code, and we do not share source code or schematics.
We develop most software internally, which provides a quality control advantage along with the ability to make rapid enhancements. If we use third-party software, we acquire the source code.
Access to code is permitted only for SEL R&D engineers working on these projects.
All testing of software and firmware is performed onsite at SEL by SEL employees.
We have a robust process that includes reviews by peer developers and both positive and negative testing. We also use automated tools for inspecting code to identify potential issues developers may have missed.
Digitally signed software allows you to verify that software files are genuine—produced by SEL—and that they have not been altered or tampered with.
SEL hardware products transparently check the integrity of firmware files during the firmware upgrade process using data built into the firmware. If a mismatch occurs, the SEL device will reject the firmware file and abort the upgrade.
We provide firmware hashes as an additional tool to verify the integrity of SEL firmware files.
Information security and physical security at SEL are layered and conform to internationally recognized standards. This ensures that all SEL devices and services are delivered securely and all data entrusted to SEL is protected.
We protect customer information both in our business systems and during support activities. This includes securing customer information in products returned for repair.
When remote access is necessary for technical support, we use a tracking and notification system to document and coordinate control of that access. We compartmentalize projects and limit access to information internally to those with a need to know.
When we identify an incident affecting customer information, we notify those affected and offer full support for incident response.
All SEL employees undergo exhaustive pre-hire background checks. SEL physical and information security systems are monitored and supported by a security operations center that is staffed 24/7 by SEL employees. Our teams scour an array of public and private intelligence streams to detect and analyze potential threats.
We also go beyond standards to increase cybersecurity; for instance, we’ve implemented software-defined networking in our manufacturing operation to eliminate several common network vulnerabilities.
Our Quality Management System is certified to the ISO 9001 standard, and our manufacturing processes comply with the IPC-A-610 Class 3 workmanship standard for products requiring high reliability, such as those used in life-support and aerospace systems.
We keep detailed records of the products we manufacture and the components built into them so that we can notify customers of potential quality or security issues.
When we identify a product issue that poses a risk, we inform affected customers with a service bulletin. We distribute service bulletins both directly and through our sales force.
Service bulletins include an explanation of the identified problem as well as the root cause, impact, observed defect rate, corrective actions, and recommended maintenance solutions.
When a security vulnerability is identified, our team quickly develops corrective steps and informs customers of the vulnerability and suggested actions in a service bulletin.
We provide a ten-year repair or replacement warranty at no cost on all SEL-manufactured products, which encourages our customers to return products to us when they fail.
Our “product hospital” team examines returned products to find the root cause of failure; every warranty return helps us improve our design, manufacturing, and supply processes.
We’re happy to answer all your questions and help develop the best solution for your needs.
SEL support teams are stationed in regional offices around the world and staffed with application engineers who are experts in our products and in power system applications.
Technical support for SEL-manufactured devices is always free. No matter how often you need to call or how long your SEL products have been in service, you’ll reach an SEL expert who can provide the service and support you need.
Our cybersecurity team is always ready with the information and resources needed to keep your OT networks and critical systems secure and working effectively. Cyber services support contracts can include incident response, audits, system hardening, and more, depending on your anticipated needs.