SEL-3620 Ethernet Security Gateway

Ordering Information

Budgetary Price:
$3,300

The SEL-3620 is a router, virtual private network (VPN) endpoint, and firewall device that can perform security proxy services for serial and Ethernet-based intelligent electronic devices (IEDs). The SEL-3620 helps create a user audit trail through strong, centralized, user-based authentication and authorization to modern and legacy IEDs. The SEL-3620 secures your control system communications with a stateful deny-by-default firewall, strong cryptographic protocols, and logs for system awareness. The SEL-3620 also manages protected IED passwords, ensuring that passwords are changed regularly and conform to complexity rules for stronger security. The integrated security proxy also provides user-based single sign-on access to Ethernet and serial devices.

 

Designed and built in conjunction with the U.S. Department of Energy National SCADA Test Bed and the following companies:

  • Schweitzer Engineering Laboratories, Inc.
  • EnerNex Corporation
  • Tennessee Valley Authority
  • Sandia National Laboratories

 

 

  • User-Based Access to Relays and IEDs
    Use the SEL-3620 to provide a central point of entry to critical cyberassets with user-based access control and detailed activity logs.
  • IED Password Management
    Enforce strong passwords on IEDs and have them automatically changed on a configurable schedule. Satisfy regulatory password requirements, and ensure that no weak or default passwords are in use.
  • Substation Firewall
    Secure your substation network from malicious traffic with a powerful deny-by-default firewall. Manage status and configuration with an intuitive, menu-driven web interface. Use VLANs to segregate traffic and improve network organization and performance.
  • IPsec VPN
    Integrate with existing IT and control systems over VPN tunnels secured using Internet Protocol Security (IPsec). Use X.509 certificates with Online Certificate Status Protocol (OCSP) to centrally manage VPN trust.
  • User Activity Reports
    Log and time-stamp user access events and every command. Integrate event records into existing log management systems using Syslog.
  • Single Sign-On
    Log on to the SEL-3620, not individual IEDs. Users have a single account and password to remember—their own. Manage user accounts and group memberships centrally using Lightweight Directory Access Protocol (LDAP) accessible systems, such as Microsoft® Active Directory®.
  • Support NERC CIP Requirements
    Implement strong user-based access controls to the electronic security perimeter (ESP) while protecting IEDs with strong passwords and blocking shared or default accounts. Granular access control for users limits users’ access to their assigned roles on individual IEDs.
  • Industry-Vetted Security and Interoperability 

    • IRIG-B time synchronization receives and distributes an IRIG-B signal to maintain time synchronization.
    • X.509 certificates ensure strong authentication for incoming connection requests.
    • OCSP certificate revocation operates with standard certificate servers to centrally revoke certificates and prevent unwanted connections.
    • HTTPS web interface allows convenient, secure setup and management, and eliminates the need for extra PC software.
    • Syslog logs events for consistency and compatibility, and enables centralized collection. 
    • IPsec (RFC 4301, 4302, 4303) creates a secure VPN.
    • Lemnos interoperability facilitates communications between Cisco routers and Lemnos-compliant devices.

Apply IPsec for Secure Site-to-Site Communications.

Utilize Robust, Secure Engineering Access to IEDs.

Use Highly-Configurable Port Mappings.

Use Centralized Authentication With LDAP.

Use Centralized Accounts to Access Relays.

Support High Availability at the Substation.

Provide Substation Time Synchronization.

Provide Granular User Activity Reports.

Integrate with Centralized Logging Infrastructure.

 SEL University Training

APP 3620: Sensible Cybersecurity Using the Ethernet Security Gateway

To effectively mitigate evolving cyberthreats, the cybersecurity posture of the modern substation must be aligned with modern defense-in-depth strategies. APP 3620 is designed to bridge the gap between foundational cybersecurity competencies and practical application.

COM 203: SEL Cybersecurity Best Practices for Critical Infrastructure

If modern substation design is implemented poorly and lacks adequate cybersecurity, it can be vulnerable to cyberattack and exploitation. A lack of cybersecurity will eventually lead to decreased power system reliability. Cybersecurity is a key component of enhanced power system reliability and operation.


Schweitzer Engineering Laboratories, Inc.

2350 NE Hopkins Court
Pullman, WA 99163 - USA
Phone: +1.509.332.1890
Fax: +1.509.332.7990
© 2012 SEL