OT Software-Defined Networking

Improve network security, situational awareness, and reliability with OT SDN.

What Is OT SDN?

OT SDN, or operational technology software-defined networking, is a protection-class Ethernet network solution for critical infrastructure.

Purpose-engineered technology forms the backbone of critical infrastructure systems. These systems must perform specific tasks accurately and precisely—without fail.  

The system’s Ethernet network must be designed to the same rigorous standard as the technology it supports. That’s why SEL developed OT SDN—to give you the ability to engineer the behavior and content of your critical infrastructure network.

OT SDN is a networking solution that is purpose-engineered to meet the specific demands of IEC 61850 and cyber-sensitive facility-related control systems. It unlocks the previously closed, restricted networking behavior of legacy solutions and delivers improved security, situational awareness, reliability, and performance.   

OT SDN also reduces a system’s total cost of ownership. Legacy technology requires owners to invest significant time manipulating the closed, fixed behavior of their networks, increasing the complexity in system testing and upkeep. With OT SDN, owners have direct control over the operation of and the content that is forwarded on the network. They also have the confidence the network will operate exactly as intended at all times—regardless of traffic or devices attempting to connect—resulting in secure, simple, and reliable networks.

Ethernet is quickly becoming the leading communications protocol in power systems throughout the world—both in terms of what is currently being deployed and what is being modeled for systems of the future.

Meanwhile, the standards community has launched hundreds of efforts focused on how to modify legacy Ethernet technology to meet the industry’s changing needs. For system owners with legacy technology, these evolving standards will lead to extensive change management in the future.

In contrast, OT SDN offers simplicity. With fully programmable control and data planes, you no longer have to wait for standards and suppliers to be updated to deliver the desired behavior—you now have direct programmable control. It also eliminates long-term change management while offering a level of security and performance that can only be found in a solution that was intended for critical infrastructure from the start.

OT SDN is an open, interoperable, and standards-based networking solution that simplifies what system owners need to consider when planning for their IEC 61850 systems’ extended lifetimes.

Unlike legacy technology, OT SDN automates the network-provisioning process through leveraging the same configuration files that are used for a system’s relays—saving time and reducing opportunities for human error. Automated network provisioning also makes it easier to add applications as needs evolve and reduces the training burden for implementing these changes.

In addition to its simplicity, OT SDN offers security and performance advantages that make it the best networking solution for IEC 61850 applications. This includes delivering the microsecond healing times that are required for IEC 61850 Sampled Values communications.

As of July 2021, SEL’s OT SDN is certified on the U.S. Department of Defense Information Network (DoDIN) Approved Products List (APL). This solution offers a significant advantage over traditional packet delivery, greatly improves network security, and increases network situational awareness.

The deny-by-default and programmable circuit provisioning architecture of OT SDN decreases both cyber and operational risk for facility-related control systems while improving safety and reliability. The DoDIN APL certification verifies that OT SDN conforms to DoD standards for both cybersecurity and interoperability with other DoD-approved devices.

Additionally, OT SDN’s purpose-engineered approach for facility-related control system (FRCS) networks has allowed it to be tested against several challenging OT requirements, including the Advanced Cyber Industrial Control System (ACI) Tactics, Techniques, and Procedures (TTPs) for DoD industrial control systems, MITRE’s ATT&CK framework, and the zero-trust network architecture.

OT SDN meets or exceeds 22 of the 28 TTPs listed in the ACI TTPs. Having a network that immediately provides many of the ACI TTPs allows DoD to move from assessing the problem to taking action to reduce risk.

OT SDN Benefits

The SEL OT SDN solution prioritizes network security, situational awareness, reliability, and high-speed performance for critical applications. OT SDN also simplifies data collection for NERC CIP compliance and can help you prepare for the proposed NERC CIP internal network security monitoring (INSM) standards.

OT SDN is foundational to the SEL approach to cybersecurity, particularly the idea of zero trust (removing implicit trust). OT SDN deny-by-default technology offers the strongest option for designing a network that aligns with a zero-trust architecture strategy.

With a deny-by-default architecture, no conversations happen on the network that the system owner has not authorized. Instead, the system owner pre-programs all primary and backup communications paths using the SEL-5056 Flow Controller.

This allows vulnerable legacy technology to be removed from managed Ethernet switches’ control plane. This eliminates network vulnerabilities to MAC spoofing, Bridge Protocol Data Unit (BPDU) attacks, or flooding attacks.

Any unauthorized packets that attempt to access an OT SDN network are identified and denied access to the network by default. The system owner may also choose to forward these packets to an intrusion detection system (IDS). OT SDN makes IDS integration simpler and more cost-effective.

As a testament to its cybersecurity, OT SDN is certified onto the Department of Defense Information Network (DoDIN) Approved Products List (APL).

How Does Deny-by-Default Technology Work?

OT SDN uses flow match rules to approve network flows. The ingressing packets are matched against the ingress port, Ethernet source or destination MAC address, Ethertype, VLAN identifier, IP source or destination address, and so on. Then, the owner defines actions for ingressing messages that match the various criteria. Finally, a set of counters is used to monitor the ingress and egress of traffic and the overall network health.
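
A minimal model of the match, action, and counter steps described above, added here as an illustration. It is not SEL code or the SEL-5056 interface; the class names, port numbers, and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Match fields named in the text; a field absent from a rule is a wildcard.
FIELDS = {"in_port", "eth_src", "eth_dst", "ethertype", "vlan", "ip_src", "ip_dst"}

@dataclass
class FlowRule:               # hypothetical structure, for illustration only
    name: str
    match: dict               # subset of FIELDS -> required value
    out_ports: tuple          # action: egress ports for matching packets
    packets: int = 0          # per-flow counter

    def __post_init__(self):
        unknown = set(self.match) - FIELDS
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class FlowTable:
    rules: list
    ids_port: Optional[int] = None   # owner may send unmatched traffic to an IDS
    missed: int = 0                  # counter for packets no rule approved

    def process(self, pkt: dict) -> tuple:
        """Return egress ports for pkt; () means dropped."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.packets += 1
                return rule.out_ports
        self.missed += 1             # deny by default
        return (self.ids_port,) if self.ids_port is not None else ()

def demo():
    relay, goose_mac = "02:00:00:00:00:01", "01:0c:cd:01:00:01"  # constructed
    goose = FlowRule("relay-goose", {"in_port": 1, "eth_src": relay,
                     "eth_dst": goose_mac, "ethertype": 0x88B8, "vlan": 10}, (2, 3))
    table = FlowTable([goose], ids_port=8)
    frame = {"in_port": 1, "eth_src": relay, "eth_dst": goose_mac,
             "ethertype": 0x88B8, "vlan": 10}
    results = [
        table.process(frame),                      # authorized flow
        table.process({**frame, "in_port": 5}),    # right MAC, wrong ingress port
        table.process({"in_port": 5, "eth_src": "02:00:00:00:00:99",
                       "eth_dst": "ff:ff:ff:ff:ff:ff", "ethertype": 0x0806}),
    ]
    return results, goose.packets, table.missed

if __name__ == "__main__":
    print(demo())
```

Because the rule pins the ingress port as well as the source MAC, a frame carrying an approved address on any other port falls through to the table miss and shows up in the `missed` counter.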

OT SDN puts complete traffic-engineering control in the system owner's hands. 

Through determining all primary and backup communications paths, the owner builds a network that’s optimized for the system. Network owners have the freedom to choose the topology that best meets their needs, because OT SDN does not rely on a particular topology to achieve its best performance.

Unlike legacy technology, OT SDN makes it possible to automate the network configuration process. Instead of manually entering settings, system owners can leverage the same files that were used to configure their system’s relays. This reduces upfront engineering work and eliminates misconfigurations due to human error.  

OT SDN also improves the owner’s situational awareness. They gain a real-time understanding of all devices on their network and what conversations they are having with other devices. System owners can also integrate an intrusion detection system (IDS) in their system and see any unauthorized devices that attempted to access their network and what they were attempting to do. With OT SDN, IDS integration is simple and cost-effective.

Due to the nature of SDN, the system owner also has confidence that their network’s behavior will never change—until they tell it to.

OT SDN heals faster than traditional Ethernet networks. Failover times are reduced to 0.1 milliseconds—100 times faster than traditional networks. This failover speed is required for IEC 61850 Sampled Values communications.

This level of performance is possible because system owners predetermine all backup communications paths and because OT SDN eliminates broadcast traffic on networks (where each device transmits packets to all other network devices). Instead, OT SDN is engineered for targeted multicast traffic, with the system owner defining specific communications paths between devices.

Through eliminating unnecessary network traffic, OT SDN also delivers higher bandwidth availability.

OT SDN possesses the security controls described in proposed cybersecurity requirements for LANs operating in high- and medium-impact bulk electric systems (BESs).

FERC has released a notice of public rule making (NOPR) instructing NERC to develop or modify Critical Infrastructure Protection (CIP) reliability standards that would require internal network security monitoring (INSM) within LAN “trust zones.” Through improving visibility of communications between the networked devices in trust zones, these proposed requirements would bolster network security in a threat landscape that’s becoming more sophisticated.

Utility LANs subject to these requirements would benefit from a deny-by-default architecture that controls and monitors all traffic that passes through the LAN itself—not just through its electronic security perimeter (firewall). OT SDN provides network access control for all devices and conversations on an OT LAN. The solution inspects Ethernet packets at every hop to validate that they are part of authorized conversations.

With its automated network provisioning process, OT SDN offers a simple option for utilities preparing for the future of secure networking.

Collecting data for NERC CIP audits typically requires days of network scanning to document open ports and services. This process can impact network performance and interfere with critical systems.

But with OT SDN, the system owner has this information at their fingertips. Because all network flows and backup paths are preconfigured in the controller, the information needed for NERC CIP reporting (the active devices, ports, and services on a network) is already available without conducting any network scans.

The data collection process is shortened to minutes instead of hours or days.

Flow Auditor, the first application in the SEL-5057 SDN Application Suite, supports this simplified data collection process. It compiles data directly from the controller database, rather than querying every device, which eliminates the risk of disrupting network performance.

Learn & Lock Features of SEL-5056

SDN Commissioning

  • Learn & Lock Features of SEL-5056

  • Commission and User Creation with the SEL-5056 Flow Controller

  • Adopt SEL-2740S Using the SEL-5056 Flow Controller

  • Adopt Hosts using the SEL-5056 Flow Controller

SEL-5056 SDN Quick Start

In this video, we go over how to set up a small network using the SEL-5056 Software-Defined Network Flow Controller.

SDN Communication Setup

  • SEL-5056 SDN Quick Start

  • SEL-5056 Logical Connections Part 1- CSTs and Logical Connection Definitions

  • SEL-5056 Logical Connections Part 2- Creating CSTs

  • SEL-5056 Logical Connections Part 3- Creating Unicast Logical Connections

  • SEL-5056 Logical Connections Part 4- Creating Multicast Logical Connections

  • Enabling SEL Relay Failover Mode with the SEL-5056 Flow Controller

Backing Up and Restoring SEL-5056 Databases

SDN Management and Troubleshooting

  • Backing Up and Restoring SEL-5056 Databases

Your first look into the all new flow controller—coming soon

SEL-5056 Version 3.0 Release Videos

  • Your first look into the all new flow controller—coming soon

  • Explore the Redesigned SDN Flow Controller Topology Space

  • Previewing the Streamlined Primary Panel

  • Designing your network in the overhauled OT SDN Flow Controller

Our Services

SEL is your partner in implementing OT SDN and tailoring the solution to your priorities and requirements. Depending on your needs, we can deliver a turnkey solution or assist you with specific stages of your project, such as cybersecurity evaluations, OT SDN network engineering, and system testing. We support greenfield installations or existing network migrations.

With every project, we prioritize the system owner’s self-sufficiency at the handover stage. SEL will ensure your team has the training and information needed to independently maintain your OT SDN network or make changes to it in the future.

Our Support

We believe you should never have to worry about whether your protection and control systems will be working when you need them most. SEL products are designed and manufactured for the world’s most challenging environments, exceeding all industry standards for temperature, shock, and electric stress, which has led to one of the highest MTBF ratings in the industry.

However, sometimes the unexpected happens. That’s why you always have access to SEL engineers—and every device we manufacture comes with a ten-year warranty and no-cost technical support.

After your systems are commissioned, our application engineers provide technical support for SEL products at no cost.

As long as your SEL products remain in service, you have access to direct technical support from SEL engineers—not just a handful of customer-facing product engineers, but a large corps of application engineers who are intimately familiar with the way our devices are deployed and the functions they typically perform in the field.

No matter how often you need to call or how long your SEL products have been in service, our customer service and technical support professionals are ready to help.

Customer support staff and application engineers are stationed in regional offices across North America and around the world.

SEL offers complete cybersecurity support for every solution, system, and product we provide.

We also practice secure supply chain management and help our customers comply with applicable supply chain and cybersecurity standards.

Security Bulletins and Updates

We thoroughly review and test the code in our products, which allows us greater control over their quality, security, and functionality. Security-related software and firmware updates are provided for the entire service life of every SEL device and are distributed directly to our customers via secure file transfer.

End users of SEL products can sign up to receive email notifications of security vulnerabilities, including information on how to mitigate their risks.

Cybersecurity Services and Support

From system assessment and baselining to cyber-defense solution development and ongoing system management, our full suite of cybersecurity services can help strengthen your defenses and streamline the demands of maintenance and compliance.

Cyber services support contracts can include incident response, audits, system hardening, patch/update management, and more.

SEL meets your workforce training and continuing-education needs through seminars, conference and tradeshow presentations, and SEL University courses.

SEL University courses and many of our seminars provide professional development hours (PDHs) for maintaining Professional Engineering (P.E.) licenses. Courses and seminars can be delivered in various formats, including in-person seminars, self-paced online learning, virtual classrooms, and live and recorded webinars.

We can also work with you to develop training that is customized to the specific needs of your workforce.

SDN News

Get the latest updates about OT SDN enhancements, options, and applications.

Training

SELU Course SYS 407: Software-Defined Networks

Students will learn how to engineer networks using OT SDN to enhance the cybersecurity, situational awareness, and performance of OT networks. This hands-on course uses SDN to engineer a network supporting a motor protection system with dual sources, teaching how to design, configure, test, troubleshoot, and validate an SDN network.

Questions? Contact Us!

If you have any questions about SEL products, services, solutions, or support, please contact us. Our service and support professionals are ready to provide the answers you need.

Unbeatable Support

SEL support teams are stationed in regional offices around the world and staffed with application engineers who are experts in our products and in power system applications.

Technical support for SEL-manufactured devices is always complimentary. No matter how often you need to call or how long your SEL products have been in service, you’ll reach an SEL expert who can provide the service and support you need.

Our cybersecurity team is always ready with the information and resources needed to keep your OT networks and critical systems secure and working effectively. Cyber services support contracts can include incident response, audits, system hardening, and more, depending on your anticipated needs.
