Security Updates for SEL Products
Security updates are disclosed to customers in three ways:
For high-risk vulnerabilities—through a Service Bulletin
For other vulnerabilities—through a revision to Appendix A of the affected product’s instruction manual
For software products—through an addition to the Latest Software Versions page on the SEL website
All changes that address security vulnerabilities are marked with a [Cybersecurity] tag. Other improvements to cybersecurity functionality are marked with a [Cybersecurity Enhancement] tag.
Monthly Security Vulnerability Notifications
End users of SEL products can sign up to receive an emailed summary at the end of each month listing all cybersecurity product changes that month, including all security service bulletins and any product revisions marked as [Cybersecurity] or [Cybersecurity Enhancement].
Note: To receive email security vulnerability notifications, you must have a corporate email account whose domain is recognized by SEL as an end-user customer. If you would also like vulnerability notification emails sent to a designated corporate mailbox, please send a request to security@selinc.com.
Software and Firmware Updates
When you receive a software update from SEL, it will be digitally signed so you can verify that it has not been altered or tampered with.
Verify an SEL software download.
We provide firmware tools that you can use to view the latest firmware version for your products, check the integrity of a device’s firmware, and verify the integrity of new firmware files.
SEL Vulnerability Disclosure Policy
Our Commitment
Since our founding in Pullman, Washington, in 1982, SEL has conducted business following a strong set of core values—quality, customer focus, discipline, communication, integrity, creativity, community, ownership, and dignity of work. We have applied these values in everything we do, including product and supply chain security, which has been a top SEL priority for more than 40 years.
Our goal will always be to invent, design, and build secure products to safeguard critical infrastructure. When a vulnerability is found, we rapidly assess risk and inform customers. SEL does not manufacture products with any form of undocumented authentication bypass mechanism or undisclosed communication channel.
Because the lifespan of an SEL product is measured in decades, and because it protects or controls critical infrastructure in a constantly shifting threat environment, we understand our responsibility and the need for constant vigilance. We also understand that patch application in operational technology environments is often costly to our customers. Our pledge is to act with urgency and transparency throughout the disclosure and remediation process and to minimize risk at every turn.
We reveal sufficient information about a vulnerability so our customers can accurately assess and mitigate risk without unnecessarily disclosing sensitive information. We will never knowingly disclose vulnerabilities in a way that tips the scale in favor of a potential attacker, and we will always provide a disclosure to customers in advance of any other dissemination.
How We Assess Vulnerabilities
The SEL Product Security Incident Response Team (PSIRT) assesses every report of an SEL product security issue, regardless of whether the report comes from within SEL as a function of our continuous improvement processes or from an external reporter. The PSIRT considers several factors to evaluate the risk a vulnerability poses and calibrate the urgency of and resources devoted to remediation, including:
Type of access required for exploitation (i.e., physical, network, privileged, etc.).
Complexity of an attack.
Need for user interaction.
Impact on core product functionality.
Likelihood of active exploitation.
Presence in multiple products.
How We Disclose Vulnerabilities
Vulnerabilities are disclosed to customers in three ways:
For high-risk vulnerabilities—through a Service Bulletin
For other vulnerabilities—through a revision to Appendix A of the affected product’s instruction manual
For software products—through an addition to the Latest Software Versions page on the SEL website
SEL responds immediately to any significant vulnerability affecting an SEL product that is likely to be actively exploited. We will rapidly provide mitigation guidance followed by any necessary patches or upgrades.
To report a suspected vulnerability in an SEL product or service, please email security@selinc.com for secure file transfer instructions. When individuals or external organizations report vulnerabilities to SEL, we first inform our customers and later update this webpage with relevant information.System and Product Certifications
SEL’s quality, safety, information security, and environmental management systems are certified to internationally recognized standards by the British Standards Institution (BSI) and the American Association for Laboratory Accreditation (A2LA).
Learn more about SEL system and product certifications.Security-Related Questions
Please submit your question regarding the security of SEL products or services.