OT Software-Defined Networking

Improve network security, situational awareness, and reliability with OT SDN.

What Is OT SDN?

OT SDN, or operational technology software-defined networking, is a protection-class Ethernet network solution for critical infrastructure.

Purpose-engineered technology forms the backbone of critical infrastructure systems. These systems must perform specific tasks accurately and precisely—without fail.  

The system’s Ethernet network must be designed to the same rigorous standard as the technology it supports. That’s why SEL developed OT SDN—to give you the ability to engineer the behavior and content of your critical infrastructure network.

OT SDN is a networking solution that is purpose-engineered to meet the specific demands of IEC 61850 and cyber-sensitive facility-related control systems. It unlocks the previously closed, restricted networking behavior of legacy solutions and delivers improved security, situational awareness, reliability, and performance.   

OT SDN also reduces a system’s total cost of ownership. Legacy technology requires owners to invest significant time manipulating the closed, fixed behavior of their networks, increasing the complexity in system testing and upkeep. With OT SDN, owners have direct control over the operation of and the content that is forwarded on the network. They also have the confidence the network will operate exactly as intended at all times—regardless of traffic or devices attempting to connect—resulting in secure, simple, and reliable networks.

Ethernet is quickly becoming the leading communications protocol in power systems throughout the world—both in terms of what is currently being deployed and what is being modeled for systems of the future.

Meanwhile, the standards community has launched hundreds of efforts focused on how to modify legacy Ethernet technology to meet the industry’s changing needs. For system owners with legacy technology, these evolving standards will lead to extensive change management in the future.

In contrast, OT SDN offers simplicity. With fully programmable control and data planes, you no longer have to wait for standards and suppliers to be updated to deliver the desired behavior—you now have direct programmable control. It also eliminates long-term change management while offering a level of security and performance that can only be found in a solution that was intended for critical infrastructure from the start.

OT SDN Benefits

SEL’s OT SDN solution prioritizes network security, situational awareness, reliability, and high-speed performance for critical applications. OT SDN also simplifies data collection for NERC CIP compliance and can help you prepare for the proposed NERC CIP internal network security monitoring (INSM) standards.

OT SDN is foundational to SEL’s approach to cybersecurity, particularly the idea of zero trust (removing implicit trust). OT SDN’s deny-by-default technology offers the strongest option for designing a network that aligns with a zero-trust architecture strategy.

With a deny-by-default architecture, no conversations happen on the network that the system owner has not authorized. Instead, the system owner pre-programs all primary and backup communications paths using the SEL-5056 Flow Controller.

This allows vulnerable legacy technology to be removed from managed Ethernet switches’ control plane. This eliminates network vulnerabilities to MAC spoofing, Bridge Protocol Data Unit (BDPU) attacks, or flooding attacks.

Any unauthorized packets that attempt to access an OT SDN network are identified and denied access to the network by default. The system owner may also choose to forward these packets to an intrusion detection system (IDS). OT SDN makes IDS integration simpler and more cost-effective.

As a testament to its cybersecurity, OT SDN is certified onto the Department of Defense Information Network (DoDIN) Approved Products List (APL).

How Does Deny-by-Default Technology Work?

OT SDN uses flow match rules to approve network flows. The ingressing packets are matched against the ingress port, Ethernet source or destination MAC address, Ethertype, VLAN identifier, IP source or destination address, and so on. Then, the owner defines actions for ingressing messages that match the various criteria. Finally, a set of counters is used to monitor the ingress and egress of traffic and the overall network health.

From our knowledge base

Learn & Lock Features of SEL-5056

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

SDN Commissioning

1 of 4
  • Learn & Lock Features of SEL-5056

  • Commission and User Creation with the SEL-5056 Flow Controller

  • Adopt SEL-2740S Using the SEL-5056 Flow Controller

  • Adopt Hosts using the SEL-5056 Flow Controller

SEL-5056 SDN Quick Start

In this video, we go over how to set up a small network using the SEL-5056 Software-Defined Network Flow Controller.

SDN Communication Setup

1 of 6
  • SEL-5056 SDN Quick Start

  • SEL-5056 Logical Connections Part 1- CSTs and Logical Connection Definitions

  • SEL-5056 Logical Connections Part 2- Creating CSTs

  • SEL-5056 Logical Connections Part 3- Creating Unicast Logical Connections

  • SEL-5056 Logical Connections Part 4- Creating Multicast Logical Connections

  • Enabling SEL Relay Failover Mode with the SEL-5056 Flow Controller

Backing Up and Restoring SEL-5056 Databases

In this video, learn how to set up backup and restore options in the flow controller software.

SDN Management and Troubleshooting

1 of 2
  • Backing Up and Restoring SEL-5056 Databases

  • SEL-2740S Redundancy and Replacement with the SEL-5056 Flow Controller

Our Services

SEL is your partner in implementing OT SDN and tailoring the solution to your priorities and requirements. Depending on your needs, we can deliver a turnkey solution or assist you with specific stages of your project, such as cybersecurity evaluations, OT SDN network engineering, and system testing. We support greenfield installations or existing network migrations.

With every project, we prioritize the system owner’s self-sufficiency at the handover stage. SEL will ensure your team has the training and information needed to independently maintain your OT SDN network or make changes to it in the future.

Our Support

We believe you should never have to worry about whether your protection and control systems will be working when you need them most. That’s why every device we manufacture comes with a ten-year warranty and free technical support.  

It’s been this way at SEL since the company was founded nearly 40 years ago—a major reason why we’re North America’s most trusted provider of protective relays and ranked #1 by international utilities in price, service, and support. 

SEL devices are designed for a working life of at least 20 years, and every SEL-manufactured device comes with a ten-year warranty—the best in the electric power industry. If it fails under warranty, repair and replacement are free.  

We always do all that we can to repair any returned product, whether it meets our warranty or not.  

Rugged and Reliable—Guaranteed

SEL products are designed and manufactured for the world’s most challenging environments, exceeding all industry standards for temperature, shock, and electric stress. An optional conformal coating for circuit boards adds an extra level of protection against contaminants in extreme environments.  

Our products have a mean time between returns for repair (MTBR) of more than 250 years, based on observed field performance. This means that if you have 250 SEL products installed in your systems, you can expect to have less than one unscheduled removal from service per year for any reason, whether it’s a defect or an external factor such as overvoltage, overcurrent, wildlife damage, or environmental exposure. 

SDN News

Get the latest updates about OT SDN enhancements, options, and applications.
Subscribe to SDN News


SELU Course SYS 407: Software-Defined NetworksStudents will learn how to engineer networks using OT SDN to enhance the cybersecurity, situational awareness, and performance of OT networks. This hands-on course uses SDN to engineer a network supporting a motor protection system with dual sources, teaching how to design, configure, test, troubleshoot, and validate an SDN network.