Abstract: A system includes an intelligent electronic device (IED) and a proxy device communicatively coupled to the TED via a Media Access Control (MACsec) communication link. The proxy device is configured to perform operations that include receiving permissions data, receiving a request to perform an action associated with the TED, determining whether the action is authorized based on the permissions data, and transmitting data to the TED via the MACsec communication link in response to determining that the action is authorized.

Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a communication link according to a media access control security (MACsec) Key Agreement (MKA). The TED receives a plurality of access control secure association keys (SAKs) via the communication link. The TED receives one or more checked-out SAKs indicating a request to access the TED The TED allows access based on the one or more checked-out access control SAKs matching at least one of the plurality of access control SAKs.

Abstract: A key server device obtains authorization information of a user associated with an intelligent electronic device (IED). The key server communicates the authorization information to the IED, via a Media Access Control Security (MACsec) Key Agreement (MKA) protocol to allow the IED to authenticate the user. The key server receives one or more commands from the user. The key server communicates the one or more commands to the IED to allow the IED to perform operations based on the one or more commands.

Abstract: A system includes an entropy device configured to generate and distribute input entropy data and an intelligent electronic device (IED) of an electric power distribution system. The IED is configured to perform operations that include receiving the input entropy data distributed by the entropy device, generating a set of keys using the input entropy data, and establishing a Media Access Control Security (MACsec) communication link using the set of keys.

Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a communication link according to a media access control security (MACsec) Key Agreement (MKA). The TED receives a plurality of access control secure association keys (SAKs) via the communication link. The TED receives one or more checked-out SAKs indicating a request to access the TED The TED allows access based on the one or more checked-out access control SAKs matching at least one of the plurality of access control SAKs.

Abstract: A key server device obtains authorization information of a user associated with an intelligent electronic device (TED). The key server communicates the authorization information to the TED, via a Media Access Control Security (MACsec) Key Agreement (MKA) protocol to allow the TED to authenticate the user. The key server receives one or more commands from the user. The key server communicates the one or more commands to the TED to allow the TED to perform operations based on the one or more commands.

Abstract: A software-defined network controller (SDN controller) defines a first network flow to be selectively implemented by a networking device according to a first network operation profile. The SDN controller defines a second network flow to be selectively implemented by the networking device according to a second network operation profile. A memory device of the networking device may store at least first and second network operation profiles for selective implementation during defined event windows. The event window(s) may be defined by start event inputs and stop event inputs. The event inputs may include, without limitation, a combination of parameter-based inputs and/or temporal inputs. In one specific embodiment, the networking device detects a network event and modifies a network operation profile for a preset time period and/or until an interrupt or stop event is detected.

Abstract: A system includes an entropy device configured to generate and distribute input entropy data and an intelligent electronic device (IED) of an electric power distribution system. The IED is configured to perform operations that include receiving the input entropy data distributed by the entropy device, generating a set of keys using the input entropy data, and establishing a Media Access Control Security (MACsec) communication link using the set of keys.

Abstract: A system includes an intelligent electronic device (IED) and a proxy device communicatively coupled to the TED via a Media Access Control (MACsec) communication link. The proxy device is configured to perform operations that include receiving permissions data, receiving a request to perform an action associated with the TED, determining whether the action is authorized based on the permissions data, and transmitting data to the TED via the MACsec communication link in response to determining that the action is authorized.

Abstract: Systems and methods are disclosed herein relating to the secure configuration of intelligent electronic devices. Intelligent electronic devices are used in electric power generation and transmission systems for protection, control, automation, and/or monitoring of equipment. The use of tokens and token-based digital signatures in the configuration process of intelligent electronic devices reduces the likelihood of malicious acts or unintended errors. Tokens distributed to engineers, technicians, intelligent electronic devices, computing devices, and/or software decrease the likelihood of errors being introduced in the configuration process.

Abstract: The present disclosure pertains to systems and methods of restricting access to devices utilizing tokens. In some embodiments, a system may include a user requesting a token, ensuring the user requesting a token has the permission to request the token and is not the user approving the token. In some embodiments, the system may include the user granting the token, wherein the user granting the token is not the user receiving the token. The system ensures that the user accessing the device has the permission to access the device. Additionally, the system decreases the opportunities for insider attacks and increases the resistance to credential theft attacks. Further, the system increases the accountability for changes and the ability to review changes.

Abstract: The present disclosure pertains to systems and methods for eliminating Address Resolution Protocol (ARP) traffic in data networks. In one embodiment, a controller in a software-defined network (SDN) may generate a plurality of communication flows. The controller may program a plurality of network devices in a data plane based on the plurality of communication flows. A packet to be transmitted in the data plane may be received from a transmitting host by one of the plurality of network devices. A destination host specified in the packet may be determined without reliance on an original media access control (MAC) address in the packet, and the packet may be routed to the destination host.

Abstract: The present disclosure pertains to systems and methods for improving security and simplifying authentication in a software defined network (“SDN”). In various embodiments, the systems and methods disclosed herein may be applied in operational technology networks, such as those used in electrical power systems. In one embodiment, a device to be authenticated may be in communication with a network device. The network device may receive authentication credentials from the device to be authenticated and may communicate the authentication credentials to an authenticator. The authenticator may assess and approve the authentication credentials and communicate approval of the authentication credentials to the network device. The network device may implement a plurality of communication flows associated with the device to be authenticated.

Abstract: The present disclosure pertains to systems and methods of handling Address Resolution Protocol (ARP) responses in a software defined network (SDN). In one embodiment, a system may comprise a controller in a control plane to generate an address store comprising information associated with a plurality of devices in communication with the SDN. The controller may also program a plurality of network devices in a data plane based on a plurality of communication flows. The network devices may forward traffic according to the plurality of communication flows received from the controller. The network device may also receive: a request from the first device for information associated with the second device, determine that the first device is authorized to communicate with the second device based on the plurality of communication flows, and generate a response to the request comprising the information associated with the second device based on the address store.

Abstract: Systems and methods are disclosed herein relating to the secure configuration of intelligent electronic devices. Intelligent electronic devices are used in electric power generation and transmission systems for protection, control, automation, and/or monitoring of equipment. The use of tokens and token-based digital signatures in the configuration process of intelligent electronic devices reduces the likelihood of malicious acts or unintended errors. Tokens distributed to engineers, technicians, intelligent electronic devices, computing devices, and/or software decrease the likelihood of errors being introduced in the configuration process.

Abstract: The present disclosure pertains to systems and methods of restricting access to devices utilizing tokens. In some embodiments, a system may include a user requesting a token, ensuring the user requesting a token has the permission to request the token and is not the user approving the token. In some embodiments, the system may include the user granting the token, wherein the user granting the token is not the user receiving the token. The system ensures that the user accessing the device has the permission to access the device. Additionally, the system decreases the opportunities for insider attacks and increases the resistance to credential theft attacks. Further, the system increases the accountability for changes and the ability to review changes.

Abstract: A software-defined network controller (SDN controller) defines a first network flow to be selectively implemented by a networking device according to a first network operation profile. The SDN controller defines a second network flow to be selectively implemented by the networking device according to a second network operation profile. A memory device of the networking device may store at least first and second network operation profiles for selective implementation during defined event windows. The event window(s) may be defined by start event inputs and stop event inputs. The event inputs may include, without limitation, a combination of parameter-based inputs and/or temporal inputs. In one specific embodiment, the networking device detects a network event and modifies a network operation profile for a preset time period and/or until an interrupt or stop event is detected.

Abstract: Systems and methods are described herein for token-based access to an intelligent electronic device (IED) resource in a power delivery system. A token server and an IED resource may be communicatively connected via a communication network. The token server may generate a token associated with access privileges to one or more IED resources. The token server associates an access duration time with the generated token. The user presents the IED resource with the token as part of an access attempt. The IED resource grants access at a first time defined with reference to the device uptime of the IED resource until a second time defined with reference to the device up time. The difference between the first time and the second time corresponds to the access duration time of the token.

Abstract: The present disclosure pertains to systems and methods for improving security and simplifying authentication in a software defined network (“SDN”). In various embodiments, the systems and methods disclosed herein may be applied in operational technology networks, such as those used in electrical power systems. In one embodiment, a device to be authenticated may be in communication with a network device. The network device may receive authentication credentials from the device to be authenticated and may communicate the authentication credentials to an authenticator. The authenticator may assess and approve the authentication credentials and communicate approval of the authentication credentials to the network device. The network device may implement a plurality of communication flows associated with the device to be authenticated.

Abstract: A software-defined network controller (SDN controller) defines a first network flow to be selectively implemented by a networking device according to a first network operation profile. The SDN controller defines a second network flow to be selectively implemented by the networking device according to a second network operation profile. A memory device of the networking device may store at least first and second network operation profiles for selective implementation during defined event windows. The event window(s) may be defined by start event inputs and stop event inputs. The event inputs may include, without limitation, a combination of parameter-based inputs and/or temporal inputs. In one specific embodiment, the networking device detects a network event and modifies a network operation profile for a preset time period and/or until an interrupt or stop event is detected.