Secure Supply Chain Management
All of our electronic devices are designed, tested, and manufactured in the United States, in facilities that we own and operate.
We thoroughly review and test the code that goes into our products. The source code is continually monitored for new threats, and we provide cybersecurity bulletins and updates for the full lifetime of every device we manufacture.
We also participate in government-led and industry-led initiatives and standards development activities to stay abreast of current best practices and stay attuned to the evolving demands placed on our customers. For instance, we partner with the U.S. Department of Energy (DOE) Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, which focuses on identifying vulnerabilities in the technology supply chain.
Because we realize that our supply chain becomes part of your supply chain, we also share the supply chain management processes and best practices we follow. Our cybersecurity and operations security teams are also available to consult on complying with NERC CIP supply chain management standards.
A Five-Part Approach to Supply Chain Security
The supply chain for SEL is global and complex, requiring a systematic and comprehensive risk management approach to ensure the quality, cybersecurity, and dependable availability of all our products’ critical components.
We hope that outlining the processes and best practices we follow to ensure a secure supply chain will provide you with useful information as you consider your own cybersecurity and compliance efforts.
Build Trusted Supply Networks
At SEL, the selection of vendors is a team effort between our product development, quality, and purchasing groups. Similarly, teams with complementary areas of expertise work together on component selection, ongoing monitoring of vendors and parts, and onsite vendor audits.
We employ a supplier rating system that evaluates every supplier based on price, quality, features, innovation, delivery, and service. To arrive at this rating, we assess several areas of risk:
- Manufacturing locations
- Material lead times
- Financial health
- Replenishment methodologies
- Technology type
- On-time delivery performance
To help ensure the secure delivery of our products to our customers, we apply the same supplier qualification processes to our transportation and shipping suppliers.
Fostering Partnerships With Suppliers
We host a yearly conference for vendors who supply us with component parts, equipment, and services. During this event, we share our technical needs and strategic objectives for the coming year with 200+ suppliers and identify ways to mutually improve our partnership.
We also build relationships with our suppliers as we conduct onsite audits to verify that their quality and security processes meet our requirements.
It’s not enough to know our first-tier suppliers. We ask them to identify their first-tier suppliers along with key risks, mitigation strategies, and replenishment methodologies.
To keep product and parts information secure for SEL and our vendors, we provide forecasts using part numbers that are unrelated to the product and do not share design schematics.
Ensure Component Integrity and Availability
To ensure the integrity of our products, we procure components directly from the manufacturer or official distributors whenever possible. We then verify the performance of purchased components against supplier product specifications.
If components must be sourced from independent distributors, we use several methods to detect counterfeit products, including functional testing and microscopic, x-ray, x-ray fluorescence, and decapsulation inspections.
We constantly test our products throughout the manufacturing process. If variations in performance are found, we work to understand the root cause of the discrepancy.
Minimizing the Impact of Disruptions
As a U.S.-based company, we source materials from the United States to the greatest extent possible.
We work with suppliers to ensure that we and they keep sufficient inventory of specialty and at-risk parts. Whenever possible, we ensure that critical components can be sourced from at least two qualified suppliers.
Verify Security of Software and Firmware
We do not share source code or schematics.
We develop most software internally, which provides a quality control advantage along with the ability to make rapid enhancements. If we use third-party components in our firmware, we acquire the source code.
Access to code is permitted only for SEL R&D engineers working on these projects.
Rigorous Internal Testing
Software and firmware testing is performed onsite at SEL by SEL employees.
We have a robust process that includes reviews by peer developers and both positive and negative testing. We also use automated tools for inspecting code to identify potential issues developers may have missed.
SEL Digital Signatures and Firmware Hashes
Digitally signed software allows you to verify that software files are genuine—produced by SEL—and that they have not been altered or tampered with.
SEL hardware products transparently check the integrity of firmware files during the firmware upgrade process using data built into the firmware. If a mismatch occurs, the SEL device will reject the firmware file and abort the upgrade.
We provide firmware hashes as an additional tool to verify the integrity of SEL firmware files.
Protect Operations and Control Access
Information security and physical security at SEL are layered and are certified to internationally recognized standards. This ensures that all SEL devices and services are delivered securely and all data entrusted to SEL is protected.
Protection of Information
We protect customer information both in our business systems and during support activities. This includes securing customer information in products returned for repair.
When remote access is necessary for technical support, we use a tracking and notification system to document and coordinate control of that access. We compartmentalize projects and limit access to information internally to those with a need to know.
When we identify an incident affecting customer information, we notify those affected and offer full support for incident response.
Protection of Operations
All SEL employees undergo exhaustive pre-hire background checks. SEL physical and information security systems are monitored and supported by a security operations center that is staffed 24/7 by SEL employees. Our teams scour an array of public and private intelligence streams to detect and analyze potential threats.
We also go beyond standards to increase cybersecurity. For instance, we’ve applied SEL software-defined networking technologies in our manufacturing operations to optimize communication efficiency and ensure that unwanted or malicious traffic is never allowed to traverse our networks.
Monitor for Quality and Security Vulnerabilities
The information security, quality, safety, and environmental management systems that underpin SEL research, development, manufacturing, and corporate environments are each certified to internationally recognized standards by the British Standards Institution (BSI).
Our manufacturing processes comply with the IPC-A-610 Class 3 workmanship standard for products requiring high reliability, such as those used in life-support and aerospace systems. We maintain an onsite testing laboratory certified by the American Association for Laboratory Accreditation (A2LA) to the ISO/IEC 17025 standard.
We keep detailed records of the products we manufacture and the components built into them so that we can notify customers of potential quality or security issues.
Service and Security Bulletins
When a security vulnerability is identified in an SEL product, our team quickly develops necessary patches and then informs customers of the vulnerability and suggested actions. SEL responds immediately to any significant vulnerability that is likely to be actively exploited. We will rapidly provide mitigation guidance followed by any necessary patches or upgrades.
When we identify a product issue that poses a significant risk, we inform affected customers with a service bulletin. Service bulletins include an explanation of the identified problem as well as the root cause, impact, corrective actions, and recommended maintenance solutions. Sign up to receive service bulletins.
- For high-risk vulnerabilities, service bulletins are sent out. We distribute digitally signed service bulletins both directly to product owners and through our sales force.
- For other issues, a revision is made to Appendix A of the affected product's instruction manual. Changes that impact cybersecurity are clearly marked.
- For software products, notices are posted to the Latest Software Versions page on the SEL website.
Determining Root Cause
We provide a ten-year repair or replacement warranty at no cost on all SEL-manufactured products, which encourages our customers to return products to us when they fail.
Our Product Hospital team examines returned products to find the root cause of failure; every warranty return helps us improve our design, manufacturing, and supply processes.