OT Software-Defined Networking | Schweitzer Engineering Laboratories

      OT Software-Defined Networking

      Improve network security, situational awareness, and reliability with operational technology (OT) software-defined networking (SDN).

      Purpose-engineered technology forms the backbone of critical infrastructure systems. These systems must perform specific tasks accurately and precisely—without fail.  

      The system’s Ethernet network must be designed to the same rigorous standard as the technology it supports. That’s why SEL developed OT SDN—to give you the ability to engineer the behavior and content of your critical infrastructure network.

      OT SDN is a networking solution that is purpose-engineered to meet the specific demands of IEC 61850 and cyber-sensitive facility-related control systems. It unlocks the previously closed, restricted networking behavior of legacy solutions and delivers improved security, situational awareness, reliability, and performance.   

      OT SDN also reduces a system’s total cost of ownership. Legacy technology requires owners to invest significant time manipulating the closed, fixed behavior of their networks, increasing the complexity of system testing and upkeep. With OT SDN, owners have direct control over the operation of the network and the content that is forwarded on it. They also have the confidence that the network will operate exactly as intended at all times—regardless of traffic or devices attempting to connect—resulting in secure, simple, and reliable networks.

      Ethernet is quickly becoming the leading communications protocol in power systems throughout the world—both in terms of what is currently being deployed and what is being modeled for systems of the future.

      Meanwhile, the standards community has launched hundreds of efforts focused on how to modify legacy Ethernet technology to meet the industry’s changing needs. For system owners with legacy technology, these evolving standards will lead to extensive change management in the future.

      In contrast, OT SDN offers simplicity. With fully programmable control and data planes, you no longer have to wait for standards and suppliers to be updated to deliver the desired behavior—you now have direct programmable control. It also eliminates long-term change management while offering a level of security and performance that can only be found in a solution that was intended for critical infrastructure from the start.

      OT SDN is an open, interoperable, and standards-based networking solution that simplifies what system owners need to consider when planning for their IEC 61850 systems’ extended lifetimes.

      Unlike legacy technology, OT SDN automates the network-provisioning process by leveraging the same configuration files that are used for a system’s relays—saving time and reducing opportunities for human error. Automated network provisioning also makes it easier to add applications as needs evolve and reduces the training burden for implementing these changes.

      In addition to its simplicity, OT SDN offers security and performance advantages that make it the best networking solution for IEC 61850 applications. This includes delivering the microsecond healing times that are required for IEC 61850 Sampled Values communications.

      As of July 2021, SEL’s OT SDN is certified on the U.S. Department of Defense Information Network (DoDIN) Approved Products List (APL). This solution offers a significant advantage over traditional packet delivery, greatly improves network security, and increases network situational awareness.

      The deny-by-default and programmable circuit provisioning architecture of OT SDN decreases both cyber and operational risk for facility-related control systems while improving safety and reliability. The DoDIN APL certification verifies that OT SDN conforms to DoD standards for both cybersecurity and interoperability with other DoD-approved devices.

      Additionally, OT SDN’s purpose-engineered approach for facility-related control system (FRCS) networks has allowed it to be tested against several challenging OT requirements, including the Advanced Cyber Industrial Control System (ACI) Tactics, Techniques, and Procedures (TTPs) for DoD industrial control systems, MITRE’s ATT&CK framework, and the zero-trust network architecture.

      OT SDN meets or exceeds 22 of the 28 TTPs listed in the ACI TTPs. Having a network that immediately provides many of the ACI TTPs allows DoD to move from assessing the problem to taking action to reduce risk.

      OT SDN is foundational to SEL’s approach to cybersecurity, particularly the idea of zero trust (removing implicit trust). OT SDN’s deny-by-default technology offers the strongest option for designing a network that aligns with a zero-trust architecture strategy.

      With a deny-by-default architecture, no conversations happen on the network that the system owner has not authorized. Instead, the system owner pre-programs all primary and backup communications paths using the SEL-5056 Flow Controller.

      This allows vulnerable legacy technology to be removed from managed Ethernet switches’ control plane. This eliminates network vulnerabilities to MAC spoofing, Bridge Protocol Data Unit (BPDU) attacks, or flooding attacks.

      Any unauthorized packets that attempt to access an OT SDN network are identified and denied access to the network by default. The system owner may also choose to forward these packets to an intrusion detection system (IDS). OT SDN makes IDS integration simpler and more cost-effective.

      As a testament to its cybersecurity, OT SDN is certified on the Department of Defense Information Network (DoDIN) Approved Products List (APL).

      How Does Deny-by-Default Technology Work?

      OT SDN uses flow match rules to approve network flows. The ingressing packets are matched against the ingress port, Ethernet source or destination MAC address, Ethertype, VLAN identifier, IP source or destination address, and so on. Then, the owner defines actions for ingressing messages that match the various criteria. Finally, a set of counters is used to monitor the ingress and egress of traffic and the overall network health.
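
The match, action, and counter model described above, as an added example that is not SEL's code or the SEL-5056 Flow Controller API: a small Python model of a deny-by-default flow table with optional forwarding of unmatched traffic to an IDS port. All rule names, port numbers, and MAC and IP addresses are constructed, and the example goes slightly beyond the text by showing why a spoofed source MAC on an unapproved ingress port fails to match.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ETH_SV = 0x88BA     # IEC 61850 Sampled Values Ethertype
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806

# Constructed sample addresses (not from the page)
MU_MAC = "02:00:00:00:00:0a"     # merging unit publishing Sampled Values
HMI_MAC = "02:00:00:00:00:14"    # operator workstation
SV_MCAST = "01:0c:cd:04:00:01"   # Sampled Values multicast destination


@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_src: str
    eth_dst: str
    eth_type: int
    vlan_id: Optional[int] = None
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None


@dataclass
class FlowRule:
    name: str
    match: dict        # header field -> required value; omitted field = wildcard
    out_ports: tuple   # action: egress ports the owner approved for this flow
    priority: int = 100
    hits: int = 0      # per-rule packet counter

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class FlowTable:
    """Deny by default: a packet is forwarded only if an explicit rule matches."""

    def __init__(self, rules, ids_port=None):
        self.rules = sorted(rules, key=lambda r: r.priority, reverse=True)
        self.ids_port = ids_port   # optional port where unmatched traffic is sent
        self.rx = Counter()        # per-port ingress counters
        self.tx = Counter()        # per-port egress counters
        self.denied = 0            # packets that matched no rule

    def process(self, pkt: Packet):
        self.rx[pkt.in_port] += 1
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                for port in rule.out_ports:
                    self.tx[port] += 1
                return ("forward", rule.out_ports)
        # No rule matched: never flood or learn, only deny (and optionally mirror).
        self.denied += 1
        if self.ids_port is not None:
            self.tx[self.ids_port] += 1
            return ("to_ids", (self.ids_port,))
        return ("drop", ())


def build_table():
    rules = [
        FlowRule("sv-mu-to-relays",
                 {"in_port": 1, "eth_src": MU_MAC, "eth_dst": SV_MCAST,
                  "eth_type": ETH_SV, "vlan_id": 10},
                 out_ports=(2, 3), priority=200),
        FlowRule("hmi-to-relay-ip",
                 {"in_port": 4, "eth_src": HMI_MAC, "eth_type": ETH_IPV4,
                  "ip_src": "192.0.2.20", "ip_dst": "192.0.2.10"},
                 out_ports=(2,)),
    ]
    return FlowTable(rules, ids_port=8)


def run_demo():
    table = build_table()
    frames = [
        Packet(1, MU_MAC, SV_MCAST, ETH_SV, vlan_id=10),   # approved flow
        Packet(5, MU_MAC, SV_MCAST, ETH_SV, vlan_id=10),   # spoofed MAC, wrong port
        Packet(4, HMI_MAC, "ff:ff:ff:ff:ff:ff", ETH_ARP),  # broadcast, no rule
        Packet(4, HMI_MAC, "02:00:00:00:00:0b", ETH_IPV4,
               ip_src="192.0.2.20", ip_dst="192.0.2.10"),  # approved flow
    ]
    return table, [table.process(f) for f in frames]


if __name__ == "__main__":
    table, verdicts = run_demo()
    for verdict in verdicts:
        print(verdict)
    print("denied:", table.denied, "rule hits:", [(r.name, r.hits) for r in table.rules])
```

Because the ingress port is part of the match, copying an approved device's MAC address is not enough to get a frame forwarded, and the `denied` counter gives a direct measure of unauthorized traffic.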

      OT SDN puts complete traffic-engineering control in the system owner's hands. 

      By determining all primary and backup communications paths, the owner builds a network that’s optimized for the system. Network owners have the freedom to choose the topology that best meets their needs, because OT SDN does not rely on a particular topology to achieve its best performance.

      Unlike legacy technology, OT SDN makes it possible to automate the network configuration process. Instead of manually entering settings, system owners can leverage the same files that were used to configure their system’s relays. This reduces upfront engineering work and eliminates misconfigurations due to human error.  

      OT SDN also improves the owner’s situational awareness. They gain a real-time understanding of all devices on their network and what conversations they are having with other devices. System owners can also integrate an intrusion detection system (IDS) in their system and see any unauthorized devices that attempted to access their network and what they were attempting to do. With OT SDN, IDS integration is simple and cost-effective.

      Due to the nature of SDN, the system owner also has confidence that their network’s behavior will never change—until they tell it to.

      OT SDN heals faster than traditional Ethernet networks. Failover times are reduced to 0.1 milliseconds—100 times faster than traditional networks. This failover speed is required for IEC 61850 Sampled Values communications.

      This level of performance is possible because system owners predetermine all backup communications paths and because OT SDN eliminates broadcast traffic on networks (where each device transmits packets to all other network devices). Instead, OT SDN is engineered for targeted multicast traffic, with the system owner defining specific communications paths between devices.

      By eliminating unnecessary network traffic, OT SDN also delivers higher bandwidth availability.

      Collecting data for NERC CIP audits typically requires days of network scanning to document open ports and services. This process can impact network performance and interfere with critical systems.

      But with OT SDN, the system owner has this information at their fingertips. Because all network flows and backup paths are preconfigured in the controller, the information needed for NERC CIP reporting (the active devices, ports, and services on a network) is already available without conducting any network scans.

      The data collection process is shortened to minutes instead of hours or days.

      Flow Auditor, the first application in the SEL-5057 SDN Application Suite, supports this simplified data collection process. It compiles data directly from the controller database, rather than querying every device, which eliminates the risk of disrupting network performance.

      Video Playlists

      SDN Commissioning support videos

      • SEL-5056 Using the Learn & Lock Feature
      • Commission and User Creation with the SEL-5056 Flow Controller
      • Adopt SEL-2740S Using the SEL-5056 Flow Controller
      • Adopt Hosts using the SEL-5056 Flow Controller

      Videos in this series:

      • SEL-5056 SDN Quick Start
      • SEL-5056 Logical Connections Part 1- CSTs and Logical Connection Definitions
      • SEL-5056 Logical Connections Part 2- Creating CSTs
      • SEL-5056 Logical Connections Part 3- Creating Unicast Logical Connections
      • SEL-5056 Logical Connections Part 4- Creating Multicast Logical Connections
      • Enabling SEL Relay Failover Mode with the SEL-5056 Flow Controller

      Videos in this series:

      • Backing Up and Restoring SEL-5056 Databases
      • SEL-2740S Redundancy and Replacement with the SEL-5056 Flow Controller

      SEL devices are designed for a working life of at least 20 years, and every SEL-manufactured device comes with a ten-year warranty—the best in the electric power industry. If it fails under warranty, repair and replacement are free.  

      We always do all that we can to repair any returned product, whether it meets our warranty or not.  

      Rugged and Reliable—Guaranteed

      SEL products are designed and manufactured for the world’s most challenging environments, exceeding all industry standards for temperature, shock, and electric stress. An optional conformal coating for circuit boards adds an extra level of protection against contaminants in extreme environments.  

      Our products have a mean time between returns for repair (MTBR) of more than 250 years, based on observed field performance. This means that if you have 250 SEL products installed in your systems, you can expect to have less than one unscheduled removal from service per year for any reason, whether it’s a defect or an external factor such as overvoltage, overcurrent, wildlife damage, or environmental exposure. 

      Every device we manufacture comes with free lifetime technical support.  

      SEL support teams are stationed in regional offices around the world and staffed with application engineers who are experts in our products and in power system applications. 

      No matter how often you need to call or how long your SEL products have been in service, our customer service and technical support professionals are ready to help. 

      Security Bulletins and Updates

      We notify product owners of updates and security patches for the full life of the product. Software and firmware updates are distributed directly to our customers via secure file transfer, and their authenticity and integrity are verifiable through digital signatures and cryptographic hashes. 

      More About Security Notifications  

      SEL Process for Disclosing Security Vulnerabilities   

      SEL offers complete cybersecurity support for every solution, system, and product we provide.

      We also practice secure supply chain management and help our customers comply with applicable supply chain and cybersecurity standards (for instance, NERC CIP-013 for certain North American utilities).

      Security Bulletins and Updates

      We thoroughly review and test every line of code in our products, which allows us greater control over their quality, security, and functionality. Customers are notified of updates and security patches for the full life of every SEL product.

      Cyber-Attack Mitigation

      We freely provide a broad set of cybersecurity best practices that you and your team can begin using immediately to improve the security of your systems and mitigate the risk of a damaging cyber attack. 

      And if you need to meet regulatory requirements or need expert help implementing cybersecurity solutions, SEL Cyber Services professionals are ready to partner with you to get it done.

      Cybersecurity Services and Support

      From system assessment and baselining to cyber-defense solution development and ongoing system management, our full suite of security services can help strengthen your defenses and streamline the demands of maintenance and compliance.

      Cyber services support contracts can include incident response, audits, system hardening, patch/update management, and more, depending on your anticipated needs.

      Contact SEL Cyber Services

      SEL meets your workforce training and continuing education needs through seminars, conference and tradeshow presentations, and SEL University courses. 

      SEL University—an IACET-accredited provider—offers Continuing Education Units (CEUs) that meet the internationally recognized ANSI/IACET Continuing Education and Training Standard.  

      SELU courses and many of our seminars provide Professional Development Hours (PDHs) for maintaining Professional Engineering (PE) licenses. Courses and seminars can be delivered in various formats, including self-paced online learning, virtual classrooms, live and recorded webinars, and in person. 

      We can also work with you to develop training that is customized to the specific needs of your workforce.

      Training and Education Offerings

      SEL University Courses

      Conferences and Tradeshows

      Seminars and Webinars

      Customer Highlights

      Belgium Integrates Offshore Wind Power Into European Grid

      Engineer a Better Network—It Starts With SDN

      SEL Microgrid Controller Wins NREL Competition

      SEL and Dragos Partner to Detect and Respond to Industry Cyber Threats

      Training

      SELU Course SYS 407: Software-Defined Networks
      Students will learn how to engineer networks using OT SDN to enhance the cybersecurity, situational awareness, and performance of OT networks. This hands-on course uses SDN to engineer a network supporting a motor protection system with dual sources, teaching how to design, configure, test, troubleshoot, and validate an SDN network.
