Software Defined Network Switch


SEL OT SDN

Operational Technology Software-Defined Networking

A better OT network awaits


• Establish deny-by-default, zero-trust local-area network (LAN)
access control.
• Improve network failover times to under 100 µs to support
demanding real-time control applications like Sample Measured
Values.
• Simplify and automate IEC 61850 network configuration by
uploading SCD files.
• Streamline data collection for cybersecurity audits and support
of NERC CIP compliance efforts.
• Improve situational awareness by knowing what devices are on
the network and exactly what conversations each device is
allowed to have.
Key Features
SEL Uses SDN to Optimize OT Networks
Traditional Ethernet switches generally behave similarly regardless of
the environment—one size fits all. With SEL OT SDN, LAN switching can be
tuned or optimized for the specific requirements of the environment. Only
SEL has implemented OT SDN with the goal of optimizing an OT network.
OT SDN allows you to purpose-engineer networks like you purpose-engineer
the power system.

Network-Engineer Simply and Accurately
Automate network engineering tasks by importing existing IEC 61850 or
Real-Time Automation Controller (RTAC) communication configuration files
into the SEL-5056 Software-Defined Network Flow Controller for streamlined
network settings. This feature saves time and resources and greatly
decreases the chance of input errors or misalignment between relay
settings and network communication settings.

Eliminate Cyber Vulnerabilities
Traditional networks use features like media access control (MAC) tables,
the Rapid Spanning Tree Protocol (RSTP), and cast types for many
conveniences, including plug-and-play functionality. However, these
features also make traditional networking vulnerable to cybersecurity
threats, including MAC flooding and table poisoning, Address Resolution
Protocol (ARP) spoofing, Bridge Protocol Data Unit (BPDU) attacks, and more.

With OT SDN, all network flows and backup paths are specifically defined
in the controller, so there is no need for MAC tables or RSTP. In addition,
OT SDN uses traffic engineering to process forwarding behavior, rather than
relying on cast types.

Allowlist All LAN Traffic
OT SDN provides deny-by-default, multilayer packet inspection at each hop
to control what conversations each device is allowed to have on the
network. Packets that do not match the rules do not get forwarded.

[Figure: SDN Flow Match Rule. Packet fields: Ingress Port (Layer 1),
Ethernet Header (Layer 2), IP Header (Layer 3), TCP/UDP Header (Layer 4),
Payload.]

In traditional substations, all traffic in and out of the perimeter is
firewalled. SEL OT SDN adds another layer of cyber defense by allowlisting
traffic on the interior LAN.

OT SDN provides strict network access control on both north-south and
east-west traffic on the LAN. This provides protection against attacks
which physically take place inside the firewalls and also adds protection
against unauthorized traffic that slips past firewalls.

Manage the Network Centrally and Securely
The SEL-5056 Flow Controller is the central interface for the
commissioning, configuration, and monitoring of all OT SDN switches. The
only changes allowed on the network are made through the flow controller.
You’ll know exactly what devices are on your network and all the
conversations each device is having.

OT SDN switches have no engineering access user interfaces, saving you
time and money, as there is no need to manage those accounts and
passwords. SEL-5056 communication to all OT SDN switches occurs through
encrypted and authenticated Transport Layer Security (TLS). Keys are
securely managed through X.509 certificates.

You can configure user accounts on the SEL-5056 or use the Lightweight
Directory Access Protocol (LDAP) to authenticate users. The OT SDN solution
supports syslog and SNMP for secure log and diagnostic management. In
addition, the flow controller provides backup and restore features for
maintaining high reliability.

Reduce Network Failover Times by Two Orders of Magnitude
The SEL-5056 configures redundant paths for each circuit. This enables
OT SDN switches to heal the network significantly faster than RSTP
Ethernet switches because there is no waiting for discovery or convergence
times. This fast failover is critical for applications using IEC 61850
GOOSE messages and IEC 61850-9-2 Sampled Values.

[Figure: Network Failover Times. Traditional RSTP Switches: >10 ms;
SEL OT SDN Switches: <0.1 ms.]

Control Network Traffic With Greater Precision
With OT SDN, it’s easier to manage large amounts of network traffic than
it is with traditional networking. The difference is that OT SDN
eliminates unnecessary traffic on your network. Instead of having a node
broadcast to all other nodes on the LAN, you can engineer specific paths
and remove the extraneous ones. This ensures bandwidth availability and
high performance in critical applications, such as IEC 61850 GOOSE
messaging. And unlike RSTP switches, there are no blocked ports limiting
bandwidth. For Ethernet-based control, OT SDN eliminates several problems
inherent in traditional Ethernet switches.

IEC 61850 Substation Configuration Description (SCD) and RTAC
Connection Service File Import
Import your IEC 61850 and RTAC Connection Services files directly to
the SEL-5056 Flow Controller and watch all the required circuits get
provisioned through automated, guided workflows. Have confidence your
network is doing exactly what it should and nothing else by unifying the
baseline configuration with a single source of truth. The same configuration
file used to program your relays or RTAC is now used to program your
network, saving you time and improving reliability.

Control Network Flows Precisely


The SEL-5056, a software tool for OT SDN configuration and management,
comes either Microsoft Windows Server-based or as an embedded
application on the SEL Blueframe® platform. This flow controller provides
topology management, circuit provisioning, and telemetry monitoring.
The SEL-5056 provides automated OpenFlow programming through user-
friendly, circuit orchestration tools. This eliminates the additional network-
required tags or labels and simplifies operations. With the removal of RSTP,
the network bandwidth is free for operational data and free from RSTP
topology design restrictions.
SEL-5056 network configuration can be performed in the field with all IEDs
connected or performed offline in a lab. Offline configuration provides
flexibility and can reduce the downtime required for field installations.
The SEL-5056 provides comprehensive monitoring of all path- and packet-
level network statistics of each communications flow, increasing awareness
of the network health and status. In addition, you can programmatically
test the network implementation before deployment.

Automate Configuration
Learn & Lock functionality in the SEL-5056 provides supervised automation
for commissioning OT SDN switches, learning what conversations are trying
to happen, and provisioning circuits to allow those conversations. Learn
& Lock streamlines configuration by discovering devices on the LAN and
creating a set of flows for the current traffic.
Learn & Lock automates the following functions:
• Topology Management—Adopting switches, hosts, and links.
• Communications Circuit Provisioning—Discovering the Transmission
Control Protocol (TCP), User Datagram Protocol (UDP), ARP, and Internet
Control Message Protocol (ICMP) conversations on the network and
provisioning the circuits to allow them to happen.
• Reporting—The ability for the system operator to review or remove
devices or learned communications circuits and to save the final state
as the baseline for future reference.
• Network Reset—The removal of all previous configurations of past
Learn & Lock sessions.
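
The deny-by-default flow matching and the Learn & Lock workflow described
above, sketched as an added illustration (not SEL code and not the SEL-5056
API): a table learns exact-match flows on the four layers of the flow match
rule, is locked, and then drops everything else. The class names, field
names, and sample addresses are hypothetical and constructed for this example.

```python
from dataclasses import dataclass

# Match fields follow the "SDN Flow Match Rule" figure: ingress port (Layer 1),
# Ethernet header (Layer 2), IP header (Layer 3), TCP/UDP header (Layer 4).
FIELDS = ("in_port", "eth_src", "eth_dst", "ip_src", "ip_dst", "ip_proto", "l4_dst")

@dataclass(frozen=True)
class Flow:
    match: tuple   # one value per FIELDS entry; None acts as a wildcard
    out_port: int

class FlowTable:
    """Hypothetical per-switch table: a packet with no matching flow is dropped."""

    def __init__(self):
        self.flows, self.dropped, self.locked = [], [], False

    def learn(self, pkt, out_port):
        """Learn phase: turn an observed conversation into an exact-match flow."""
        if self.locked:
            raise RuntimeError("locked: changes must come from the controller")
        flow = Flow(tuple(pkt.get(f) for f in FIELDS), out_port)
        if flow not in self.flows:
            self.flows.append(flow)

    def lock(self):
        self.locked = True

    def forward(self, pkt):
        """Return the egress port, or None (drop) when no flow matches."""
        for flow in self.flows:
            if all(w is None or pkt.get(f) == w for f, w in zip(FIELDS, flow.match)):
                return flow.out_port
        self.dropped.append(pkt)   # kept so denied traffic can be reported
        return None

def demo():
    # Constructed sample traffic: one TCP conversation between two hosts.
    ok = {"in_port": 3, "eth_src": "02:00:00:00:00:01", "eth_dst": "02:00:00:00:00:02",
          "ip_src": "192.168.1.10", "ip_dst": "192.168.1.20", "ip_proto": 6, "l4_dst": 102}
    table = FlowTable()
    table.learn(ok, out_port=7)
    table.lock()
    moved = dict(ok, in_port=5, eth_src="02:00:00:00:00:99")  # same IPs, other port/MAC
    other = dict(ok, l4_dst=23)                               # same hosts, other service
    return [table.forward(p) for p in (ok, moved, other)], len(table.dropped)
```

Because the ingress port and source MAC are part of the match, a host that
reuses an allowed IP address from a different port is dropped, which a
MAC-learning switch would not do.
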
Streamline Data Collection for NERC CIP Reporting
Flow Auditor is the first application in the SEL-5057 SDN Application Suite.
It works with the SEL-5056 to generate audit reports for NERC CIP-007-6 R1
for each OT SDN network that the controller manages.
Unlike network scanning, Flow Auditor does not disrupt the operational
network or inject any packets on the network. The application audits the
controller database for the configuration without needing to pull data from
switches. Flow Auditor can create new audit reports at any time for each
registered controller without impacting the performance of the operational
network. Reports are stored in the Flow Auditor database and can be retrieved
and exported through the user interface. Flow Auditor streamlines data
collection from days or weeks to minutes!
Flow Auditor supports Microsoft Windows 7, Windows 10, and Windows Server
2016 and is installed on the same computer as the SEL-5056 or on a computer
that can reach the flow controller through the network.

Validate Your Design Before It’s Deployed


Don’t wait until deployment to validate your design. Instead, use the SEL‑5056
to programmatically test the network implementation and validate all
configurations and contingencies during factory acceptance testing. That way,
you eliminate errors before going live and reduce commissioning timelines.
SEL-2731 Overview
• 24-port 1U Ethernet switch
• Eight 1 Gbps and sixteen 100 Mbps ports
• Rack-, surface-, and panel-mount options
• SEL and third-party fiber small form-factor pluggable (SFP)
transceiver support
• Syslog and SNMP support for event and status monitoring
• Support for proactive, traffic-engineered OpenFlow for OT SDN
• Dual power supplies for high redundancy
• IEC 61850-3 and IEEE 1613 compliance
• Precision Time Protocol (PTP) transparent clock power profile support
• –40° to +85°C (–40° to +185°F) operating range
• Form C alarm contact

Visit selinc.com/products/2731 for details.

SEL-2740S Overview
• 20-port 1U Ethernet switch
• Rack-, surface-, and panel-mount options
• Five modular slots for copper or fiber Ethernet interface options
(in sets of four)
• 10/100/1,000 Mbps data rate support on Slot D
• Syslog and SNMP support for event and status monitoring
• Support for proactive, traffic-engineered OpenFlow for OT SDN
• Dual power supplies for high redundancy
• IEC 61850-3 and IEEE 1613 compliance
• PTP transparent clock power profile support
• –40° to +85°C (–40° to +185°F) operating range
• Form C alarm contact

Visit selinc.com/products/2740S for details.


SEL-2741 Overview
• 24-port 1U Ethernet switch
• 100 Mbps or 1 Gbps support on all 24 ports
• 2 digital inputs for controlling a factory-default reset and a
settings lock
• Rack-, surface-, and panel-mount options
• Copper and SFP fiber support
• Syslog and SNMP support for event and status monitoring
• Support for proactive, traffic-engineered OpenFlow for OT SDN
• Dual power supplies for high redundancy
• IEC 61850-3 and IEEE 1613 compliance
• PTP transparent clock power profile support
• –40° to +85°C (–40° to +185°F) operating range
• Form C alarm contact

Visit selinc.com/products/2741 for details.

SEL-2742 Overview
• 12 ports, including 2 PoE+ ports
• DIN-rail and surface-mount options
• Syslog and SNMP support for event and
status monitoring
• Support for proactive, traffic-engineered
OpenFlow for OT SDN
• Dual power supplies for high redundancy
• IEC 61850-3 and IEEE 1613 compliance
• PTP transparent clock power profile support
• –40° to +85°C (–40° to +185°F)
operating range
• Form C alarm contact

Visit selinc.com/products/2742 for details.

Making Electric Power Safer, More Reliable, and More Economical
+1.509.332.1890 | info@selinc.com | selinc.com
© 2025 by Schweitzer Engineering Laboratories, Inc.
PF00333 · 20250110
