SEL-3622 Security Gateway
12Pages

Major Features and Benefits The SEL-3622 is a compact router, virtual private network (VPN) endpoint, and firewall device that can perform security proxy services for serial and Ethernet-based intelligent electronic devices (IEDs). The small size and low power consumption of the SEL-3622 make it suitable for use in small enclosures such as pole cabinets. Like the SEL-3620, the SEL-3622 helps create an audit trail by using strong, centralized, user-based authentication and authorization to communicate with modern and legacy IEDs. The SEL-3622 secures your control system communication with a stateful deny-by-default firewall, strong cryptographic protocols, and logs for system awareness. The SEL-3622 also manages protected IED passwords, ensuring that passwords are changed regularly and conform to complexity rules for stronger security. The integrated security proxy also provides user-based, single sign-on access to Ethernet and serial connected IEDs. ➤ Secure Architecture and Malware Protection. Maximize reliability with integrated exe-GUARD® whitelist antivirus and other malware protections, eliminating costly patch management and signature updates. ➤ Centralized User-Based Access to Protected IEDs. Provide strong, centralized access control and user accountability to all protected devices with Lightweight Directory Access Protocol (LDAP) or Remote Authentication Dial-In User Service (RADIUS). Simplify compliance with accurate logging. ➤ Automated Management of IED Passwords. Migrate from shared passwords and accounts by using the SEL-3622 as a password manager for protected devices. ➤ Security Proxy Services. Connect securely with identity-based access controls to command line interfaces. ➤ Physical Tamper Detection. Detect and report physical tampering with the built in light sensor, accelerometer, and input contact. ➤ Detailed Connection Reports. Receive detailed connection reports for user activity audits. ➤ Secure Ethernet Communication. Use Internet Protocol Security (IPsec), Secure Shell (SSH), and Transport Layer Security (TLS) to provide confidential communication and maintain message integrity among devices. ➤ Stateful Deny-by-Default Firewall. Prevent unauthorized traffic from entering or exiting your private network. Log all successful or blocked connections to the firewall, and receive alerts indicating the presence of unauthorized network communication attempts. Schweitzer Engineering Laboratories, Inc.

Syslog. Log events for speedy alerts, consistency, compatibility, and centralized collection. For slow communications links, the SEL-3622 can throttle the number of outgoing syslog messages. Integrated Port Switch. Map one or more of the serial ports to any other serial port, or to Ethernet TCP or UDP connections. Script Engine. Perform command-driven tasks with a single push of a button, and restrict users to specific scripted tasks. X.509 Certificates. Ensure strong authentication with third party validation of incoming connection requests over the IPsec VPN, Active Directory connection,...

An integrated, stateful, deny-by-default firewall prevents unauthorized communication from entering or exiting the protected network. The SEL-3622 filters incoming and outgoing TCP, UDP, ICMP, AH, and ESP communication based on a user-configurable set of rules. Trusted Network Malicious Traffic Authorized Traffic Deny-by-Default Firewall User-based accounts increase log granularity and make password management easy and effective. The SEL-3622 includes support for centralized authentication and authorization to simplify management of user accounts, passwords, and user privileges for all your...

Ethernet-to-Serial Conversions The SEL-3622 forwards communication among separate Ethernet networks. Any device that has access to the SEL-3622 can use it to forward Ethernet packets to a destination on a different network. Gain Ethernet-based access to your serial devices through the SEL-3622. The SEL-3622 performs both bitand byte-based serial-to-Ethernet media conversions for Telnet, SSH, Raw TCP, and UDP protocols. The SEL-3622 supports Network Address Translation (NAT) for a wide variety of dynamic network applications. Port forwarding enables the use of similar remote address space...

Physical Tamper Detection Detect and report physical tampering or intrusions to the SEL-3622 installation with the built in accelerometer, light sensor, and input contact. The SEL-3622's accelerometer can detect and alert on both impacts and tilt events to the SEL-3622 or its enclosure. The light sensor detects changes in ambient light levels; useful for reporting enclosure door open or close events. The input contact can also be wired to a door contact or motion detector as an alternate method of reporting intrusions. Time Distribution Synchronize all your devices with the SEL-3622,...

Substation Engineering Access Security Gateway Domain Controller Communications Processor Provide access Request credentials Provide credentials Verify credentials Credentials verified and authorization Successful authentication Request IED access Connect to communications processor Connect to IED Authenticated, authorized, and recorded session Central User Authentication Syslog The SEL-3622 uses the syslog format to log events. These logs contain several fields that indicate event severity, event origin, event type, and details regarding the cause of the event. Additionally, the event...

Multiple Access Methods Users have multiple methods of accessing IEDs to provide flexibility for various types of software. SSH and Telnet provide a command line interface to protected devices through the SEL-3622. You can also map specific TCP and UDP ports to physical serial ports. Firewall To protect your private network from malicious traffic, the stateful firewall in the SEL-3622 denies all traffic by default. Explicitly identifying traffic that the SEL-3622 permits makes it far less likely that the SEL-3622 will overlook specific types of traffic. Secure Management Configuration of...