OT Software-Defined Networking

Purpose-engineered technology forms the backbone of critical infrastructure systems. These systems must perform specific tasks accurately and precisely—without fail.  

The system’s Ethernet network must be designed to the same rigorous standard as the technology it supports. That’s why SEL developed OT SDN—to give you the ability to engineer the behavior and content of your critical infrastructure network.

OT SDN is a networking solution that is purpose-engineered to meet the specific demands of IEC 61850 and cyber-sensitive facility-related control systems. It unlocks the previously closed, restricted networking behavior of legacy solutions and delivers improved security, situational awareness, reliability, and performance.   

OT SDN also reduces a system’s total cost of ownership. Legacy technology requires owners to invest significant time manipulating the closed, fixed behavior of their networks, increasing the complexity in system testing and upkeep. With OT SDN, owners have direct control over the operation of and the content that is forwarded on the network. They also have the confidence the network will operate exactly as intended at all times—regardless of traffic or devices attempting to connect—resulting in secure, simple, and reliable networks.

Ethernet is quickly becoming the leading communications protocol in power systems throughout the world—both in terms of what is currently being deployed and what is being modeled for systems of the future.

Meanwhile, the standards community has launched hundreds of efforts focused on how to modify legacy Ethernet technology to meet the industry’s changing needs. For system owners with legacy technology, these evolving standards will lead to extensive change management in the future.

In contrast, OT SDN offers simplicity. With fully programmable control and data planes, you no longer have to wait for standards and suppliers to be updated to deliver the desired behavior—you now have direct programmable control. It also eliminates long-term change management while offering a level of security and performance that can only be found in a solution that was intended for critical infrastructure from the start.

OT SDN is foundational to SEL’s approach to cybersecurity, particularly the idea of zero trust (removing implicit trust). OT SDN’s deny-by-default technology offers the strongest option for designing a network that aligns with a zero-trust architecture strategy.

With a deny-by-default architecture, no conversations happen on the network that the system owner has not authorized. Instead, the system owner pre-programs all primary and backup communications paths using the SEL-5056 Flow Controller.

This allows vulnerable legacy technology to be removed from managed Ethernet switches’ control plane. This eliminates network vulnerabilities to MAC spoofing, Bridge Protocol Data Unit (BDPU) attacks, or flooding attacks.

Any unauthorized packets that attempt to access an OT SDN network are identified and denied access to the network by default. The system owner may also choose to forward these packets to an intrusion detection system (IDS). OT SDN makes IDS integration simpler and more cost-effective.

As a testament to its cybersecurity, OT SDN is certified onto the Department of Defense Information Network (DoDIN) Approved Products List (APL).

How Does Deny-by-Default Technology Work?

OT SDN uses flow match rules to approve network flows. The ingressing packets are matched against the ingress port, Ethernet source or destination MAC address, Ethertype, VLAN identifier, IP source or destination address, and so on. Then, the owner defines actions for ingressing messages that match the various criteria. Finally, a set of counters is used to monitor the ingress and egress of traffic and the overall network health.

From our knowledge base

• Purpose-Engineered, Active-Defense Cybersecurity for Industrial Control Systems