SEL products are not vulnerable to the remote code execution vulnerability in the Apache Log4j 2 Java library (CVE-2021-44228). Shortly after the vulnerability was disclosed, the SEL Product Security Incident Response Team (PSIRT) began a product-by-product analysis that confirmed the vulnerable Log4j 2 library is not present in any SEL product.
SEL distributes notifications classified as “Security Vulnerability” to end-user customers both directly and through our sales force. End users of SEL products may also sign up to receive email notifications of security vulnerabilities, including information on how to mitigate their risks.
Note: To receive email security vulnerability notifications, you must have a corporate email account whose domain is recognized by SEL as an end-user customer. If you would also like vulnerability notification emails sent to a designated corporate mailbox, please send a request to email@example.com.
When you receive a software update from SEL, it will be digitally signed so you can verify that it has not been altered or tampered with.
We provide firmware tools that you can use to view the latest firmware version for your products, check the integrity of a device’s firmware, and verify the integrity of new firmware files.
Since our founding in Pullman, Washington, in 1982, SEL has conducted business following a strong set of core values—quality, customer focus, discipline, communication, integrity, creativity, community, ownership, and dignity of work. We have applied these values in everything we do, including product and supply chain security, which has been a top SEL priority for more than 35 years.
Our goal will always be to invent, design, and build secure products to safeguard critical infrastructure. When a vulnerability is found, rapidly assessing risk, and informing customers is central to maintaining the trust we have worked decades to earn. SEL does not manufacture products with any form of undocumented authentication bypass mechanism or undisclosed communication channel.
Because the life span of an SEL product is often measured in decades, and because it protects or controls critical infrastructure in a constantly shifting threat environment—we understand our responsibility and the need for constant vigilance. We also understand that patch application in operational technology environments is often costly to our customers. Our pledge is to always act with urgency and transparency throughout the disclosure and remediation process and minimize risk at every turn.
We reveal sufficient information about a vulnerability to enable our customers to accurately assess and mitigate risk without unnecessarily disclosing sensitive information likely to empower an adversary. We will never knowingly disclose vulnerabilities in a way that tips the scale in favor of a potential attacker, and we will always provide a disclosure to customers in advance of any other dissemination.
The SEL Product Security Incident Response Team (PSIRT) assesses every report of a security issue with SEL products, whether those reports come from within SEL as a function of our continuous improvement processes or from an external reporter. The PSIRT, with executive leadership support, considers several factors to evaluate the risk a vulnerability poses, and calibrate the urgency of, and resources devoted to, remediation, including:
Vulnerabilities are disclosed to customers in two ways:
SEL responds immediately to any significant vulnerability affecting an SEL product that is likely to be actively exploited. We will rapidly provide mitigation guidance followed by any necessary patches or upgrades.
Please submit your question regarding the security of SEL products or services.