Cybersecurity for SEL Devices — NERC CIP Compliance
Key Takeaway
How to secure SEL relays and RTAC for NERC CIP — password management, port hardening, access control, audit logging, DNP3 Secure Authentication, and firmware management.
Quick Answer
SEL devices at BES substations require NERC CIP compliance: change default passwords (CIP-007), disable unused ports and services, enable audit logging, implement DNP3 Secure Authentication for control commands, and manage firmware patches. SEL relays support these requirements through built-in security features.
NERC CIP Standards
- CIP-005 — Electronic Security Perimeters
- CIP-007 — Systems Security Management (ports, services, patches, logging)
- CIP-010 — Configuration Change Management
- CIP-013 — Supply Chain Risk Management
Hardening Steps
- Change the default passwords (1, 2, ACC) to complex passwords
- Disable unused serial ports and protocols
- Enable only required DNP3/Modbus/IEC 61850 services
- Restrict Level 2 access to authorized personnel
- Enable audit logging (SER records access attempts)
DNP3 Secure Authentication
SAv5 adds HMAC-SHA256 challenge-response to DNP3 control commands. See DNP3 SA guide. Also see OT cybersecurity and Modbus security for broader context.
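A simplified model of the challenge-response described above, as an added example that is not SEL's code or the DNP3 wire format. The message layout, the 16-byte MAC truncation, the request strings and the names `Outstation` and `compute_tag` are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 16  # assumption: MAC truncated to 16 octets

def compute_tag(key: bytes, challenge: bytes, request: bytes) -> bytes:
    """HMAC-SHA256 over the challenge plus the exact request bytes."""
    msg = struct.pack(">H", len(challenge)) + challenge + request
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Outstation:
    """Relay side: issues a fresh challenge for each control request."""
    def __init__(self, session_key: bytes):
        self._key = session_key
        self._csq = 0         # challenge sequence number
        self._pending = None  # outstanding challenge, good for one reply

    def challenge(self) -> bytes:
        self._csq += 1
        # Constructed layout: 4-byte sequence number + 16 random bytes.
        self._pending = struct.pack(">I", self._csq) + os.urandom(16)
        return self._pending

    def verify(self, request: bytes, tag: bytes) -> bool:
        pending, self._pending = self._pending, None  # single use
        if pending is None:
            return False
        expected = compute_tag(self._key, pending, request)
        return hmac.compare_digest(expected, tag)  # constant-time compare

def demo() -> dict:
    key = os.urandom(32)  # constructed session key shared by both sides
    relay = Outstation(key)
    trip = b"OPERATE point=1 action=TRIP"  # constructed request bytes
    tag = compute_tag(key, relay.challenge(), trip)
    out = {"valid": relay.verify(trip, tag)}
    # Captured reply sent again after the challenge was consumed.
    out["replay_consumed"] = relay.verify(trip, tag)
    # Captured reply sent against a fresh challenge.
    relay.challenge()
    out["replay_fresh"] = relay.verify(trip, tag)
    # Request altered in transit while the tag still covers the original.
    bad = compute_tag(key, relay.challenge(), trip)
    out["tampered"] = relay.verify(b"OPERATE point=1 action=CLOSE", bad)
    # Sender that does not hold the session key.
    forged = compute_tag(os.urandom(32), relay.challenge(), trip)
    out["wrong_key"] = relay.verify(trip, forged)
    return out
```

Only the first call verifies; the replayed, tampered and wrong-key attempts are all rejected because the tag binds the session key, the one-time challenge and the request bytes together.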
Frequently Asked Questions
SEL relays at high-impact and medium-impact BES cyber systems are subject to NERC CIP requirements including CIP-007 systems security management.
Use the PASSWORD command via QuickSet or a terminal session at access level 2+. CIP-007 requires complexity and rotation. Document changes per CIP-010.
SAv5 adds HMAC-SHA256 cryptographic authentication to DNP3 commands, preventing unauthorized SCADA control of SEL relays.