html{display:none} SEL Security Support | Schweitzer Engineering Laboratories

SEL Security Support

SEL distributes notifications classified as “Security Vulnerability” to end-user customers both directly and through our sales force. End users of SEL products may also sign up to receive email notifications of security vulnerabilities, including information on how to mitigate their risks.

Note: To receive email security vulnerability notifications, you must have a corporate email account whose domain is recognized by SEL as an end-user customer. If you would also like vulnerability notification emails sent to a designated corporate mailbox, please send a request to security@selinc.com.

SEL Vulnerability Disclosure Policy

Our Commitment

Since our founding in Pullman, Washington, in 1982, SEL has conducted business following a strong set of core values—quality, customer focus, discipline, communication, integrity, creativity, community, ownership, and dignity of work. We have applied these values in everything we do, including product and supply chain security, which has been a top SEL priority for more than 35 years.

Our goal will always be to invent, design, and build secure products to safeguard critical infrastructure. When a vulnerability is found, rapidly assessing risk, and informing customers is central to maintaining the trust we have worked decades to earn. SEL does not manufacture products with any form of undocumented authentication bypass mechanism or undisclosed communication channel.

Because the life span of an SEL product is often measured in decades, and because it protects or controls critical infrastructure in a constantly shifting threat environment—we understand our responsibility and the need for constant vigilance. We also understand that patch application in operational technology environments is often costly to our customers. Our pledge is to always act with the urgency and transparency throughout the disclosure and remediation process and minimize risk at every turn.

We reveal sufficient information about a vulnerability to enable our customers to accurately assess and mitigate risk without unnecessarily disclosing sensitive information likely to empower an adversary. We will never knowingly disclose vulnerabilities in a way that tips the scale in favor of a potential attacker, and we will always provide a disclosure to customers in advance of any other dissemination.

How We Assess Vulnerabilities

The SEL Product Security Incident Response Team (PSIRT) assesses every report of a security issue with SEL products, whether those reports come from within SEL as a function of our continuous improvement processes or from an external reporter. The PSIRT, with executive leadership support, considers several factors to evaluate the risk a vulnerability poses, and calibrate the urgency of, and resources devoted to, remediation, including:

  • the type of access required to exploit it (e.g. physical, network, privileged, etc.)
  • complexity of an attack
  • need for user interaction
  • impact on core product functionality
  • likelihood of active exploitation
  • presence in multiple products

How We Disclose Vulnerabilities

Vulnerabilities are disclosed to customers in two ways:.

  • through a Service Bulletin for high-risk vulnerabilities
  • through a revision to Appendix A of the affected product’s instruction manual for other vulnerabilities

SEL responds immediately to any significant vulnerability affecting an SEL product that is likely to be actively exploited. We will rapidly provide mitigation guidance followed by any necessary patches or upgrades.

Security Related Questions

Please submit your question regarding the security of SEL products or services.

Literature

Documents sorted by newest first.

Literature

Publications

Drawings