Abstract: A system has an intelligent electronic device (TED) and a switch configured to perform operations that include obtaining a rule associating a media access control security (MACsec) port identifier (PI) of the TED with a data flow, receiving a frame comprising data and the MACsec PI, and transmitting the data of the frame based on the data flow associated with the rule.

Abstract: Disclosed are systems and methods for configuring time synchronization in a network. The system includes a time signal source to provide a common time signal to multiple configurable communication devices and a network controller in a control plane, in communication with the multiple configurable communication devices. The network controller is configured to receive time signal source information and to receive device configuration information for a first configurable communication device. The network controller is also configured to determine settings for time signal distribution and to transmit the settings to the multiple configurable communication devices to cause the first configurable communication device to transmit the time signal from the time signal source in a data plane for consumption by the multiple configurable communication devices.

Abstract: Disclosed are systems and methods for configuring communication of a communication network in accordance with a configuration file from the hosts that are on the network. The system may include a network controller that receives a configuration file and determines a configuration of the data plane in accordance with information in the configuration file. The network controller may generate communication flows and send instructions to programmable network devices to implement communication among data consuming/producing devices in accordance with the configuration file.

Abstract: A system has an intelligent electronic device (TED) and a switch configured to perform operations that include obtaining a rule associating a media access control security (MACsec) port identifier (PI) of the TED with a data flow, receiving a frame comprising data and the MACsec PI, and transmitting the data of the frame based on the data flow associated with the rule.

Abstract: Systems and methods are disclosed herein relating to the secure configuration of intelligent electronic devices. Intelligent electronic devices are used in electric power generation and transmission systems for protection, control, automation, and/or monitoring of equipment. The use of tokens and token-based digital signatures in the configuration process of intelligent electronic devices reduces the likelihood of malicious acts or unintended errors. Tokens distributed to engineers, technicians, intelligent electronic devices, computing devices, and/or software decrease the likelihood of errors being introduced in the configuration process.

Abstract: A system includes an intelligent electronic device (IED) and a control system configured to perform operations that include initiating establishment of a media access control security (MACsec) communication link via a MACsec key agreement (MKA) protocol, identifying information associated with the IED in response to initiation of the establishment of the MACsec communication link, the information being indicative of a protocol to be used by the IED to communicate data, and establishing a unidirectional MACsec communication link based on the information associated with the IED.

Abstract: A software defined network (SDN) switch of a communication network includes a memory and a processor operatively coupled to the memory. The SDN switch receives a media access control security (MACsec) frame of power system data. The SDN switch detects an SDN flow match based at least in part on a port identifier of the MACsec frame. The SDN switch performs an action based on the SDN flow match.

Abstract: The present disclosure pertains to systems and methods of restricting access to devices utilizing tokens. In some embodiments, a system may include a user requesting a token, ensuring the user requesting a token has the permission to request the token and is not the user approving the token. In some embodiments, the system may include the user granting the token, wherein the user granting the token is not the user receiving the token. The system ensures that the user accessing the device has the permission to access the device. Additionally, the system decreases the opportunities for insider attacks and increases the resistance to credential theft attacks. Further, the system increases the accountability for changes and the ability to review changes.

Abstract: The present disclosure pertains to systems and methods for eliminating Address Resolution Protocol (ARP) traffic in data networks. In one embodiment, a controller in a software-defined network (SDN) may generate a plurality of communication flows. The controller may program a plurality of network devices in a data plane based on the plurality of communication flows. A packet to be transmitted in the data plane may be received from a transmitting host by one of the plurality of network devices. A destination host specified in the packet may be determined without reliance on an original media access control (MAC) address in the packet, and the packet may be routed to the destination host.

Abstract: Systems and methods are disclosed herein relating to the secure configuration of intelligent electronic devices. Intelligent electronic devices are used in electric power generation and transmission systems for protection, control, automation, and/or monitoring of equipment. The use of tokens and token-based digital signatures in the configuration process of intelligent electronic devices reduces the likelihood of malicious acts or unintended errors. Tokens distributed to engineers, technicians, intelligent electronic devices, computing devices, and/or software decrease the likelihood of errors being introduced in the configuration process.

Abstract: The present disclosure pertains to systems and methods of restricting access to devices utilizing tokens. In some embodiments, a system may include a user requesting a token, ensuring the user requesting a token has the permission to request the token and is not the user approving the token. In some embodiments, the system may include the user granting the token, wherein the user granting the token is not the user receiving the token. The system ensures that the user accessing the device has the permission to access the device. Additionally, the system decreases the opportunities for insider attacks and increases the resistance to credential theft attacks. Further, the system increases the accountability for changes and the ability to review changes.

Abstract: Systems and methods are described herein for token-based access to an intelligent electronic device (IED) resource in a power delivery system. A token server and an IED resource may be communicatively connected via a communication network. The token server may generate a token associated with access privileges to one or more IED resources. The token server associates an access duration time with the generated token. The user presents the IED resource with the token as part of an access attempt. The IED resource grants access at a first time defined with reference to the device uptime of the IED resource until a second time defined with reference to the device up time. The difference between the first time and the second time corresponds to the access duration time of the token.

Abstract: The present disclosure pertains to systems and methods for establishing trust relationships between a software defined network (SDN) controller and a SDN communication device. In one embodiment, a SDN controller may comprise a communications interface configured to communicate with a plurality of SDN network devices. A commissioning subsystem configured to detect a new device associated with the SDN. In response to a new device, a user interface subsystem may be configured to receive a user approval to commission the new device. A trust subsystem configured to establish a first SDN controller trusted credential and to transmit a first device trusted credential based on the first SDN controller credential to the new device. Programming instructions to the new device authenticated using the first SDN controller trusted credential by a SDN programming subsystem.

Abstract: The present disclosure pertains to systems and methods of monitoring communication devices and communication links in a software-defined network (SDN). Network packets may be colored or tagged for routing to a packet analyzer. A VLAN bitmask may be added to a packet to identify the packet for inspection and, optionally, provide origin information identify a switch and/or port of origin. Port mirroring may be utilized and/or eventual routing of network packets to their original destination may ensure that network traffic is not disrupted. In one example, a most significant bit of a VLAN bitmask may be used by a match rule to identify packets intended for a packet analyzer without regard to original packet routing instructions and/or packet content.

Abstract: The present disclosure pertains to systems and methods for automating the configuration of communication hosts in a software defined network (SDN) associated with an electric power transmission and distribution system. The systems and methods presented herein may utilize communication host profiles to specify various repeatable attributes and customizable attributes that may be utilized to configure the communication host and the SDN. In one embodiment, a system may comprise a communication host profile subsystem configured to select a communication host profile associated with a communication host. The host communication profile subsystem may configure the communication host based on one or more repeatable attributes and on one or more customizable attributes specified in the host communication profile. A traffic routing system may further configure a plurality of communication flows in the SDN based on the communication host based on the host communication profile.

Abstract: The present disclosure pertains to systems and methods of monitoring communication devices and communication links in a software-defined network (SDN). Network packets may be colored or tagged for routing to a packet analyzer. A VLAN bitmask may be added to a packet to identify the packet for inspection and, optionally, provide origin information identify a switch and/or port of origin. Port mirroring may be utilized and/or eventual routing of network packets to their original destination may ensure that network traffic is not disrupted. In one example, a most significant bit of a VLAN bitmask may be used by a match rule to identify packets intended for a packet analyzer without regard to original packet routing instructions and/or packet content.

Abstract: The present disclosure pertains to systems and methods to identify high-priority traffic within a software defined network (“SDN”) and to route such traffic through physically distinct communication paths. Such routing may help to reduce network congestion faced by high-priority traffic and increase the reliability of transmission of such data. Certain embodiments may further be configured to generate a failover communication path that is physically distinct from a primary communication path. Still further, certain embodiments may be configured to suggest enhancements to a network that may improve a reliability criterion.

Abstract: The present disclosure pertains to systems and methods to identify high-priority traffic within a software defined network (“SDN”) and to route such traffic through physically distinct communication paths. Such routing may help to reduce network congestion faced by high-priority traffic and increase the reliability of transmission of such data. Certain embodiments may further be configured to generate a failover communication path that is physically distinct from a primary communication path. Still further, certain embodiments may be configured to suggest enhancements to a network that may improve a reliability criterion.

Abstract: The present disclosure pertains to systems and method for configuration of communication flows in a software defined network (“SDN”). In one embodiment, a system is operable to configure a communication flow between a first host and a second host. A mode selection subsystem is configured to cause a plurality of network devices in a network connecting the first communication host and the second communication host to transition between an open mode and an SDN operating mode. In the open mode, the network devices may discover a communication path between the first host and the second host. An analysis subsystem may receive information from the plurality of network devices information about the discovered path, and a topology discovery subsystem may be configured to create a communication flow corresponding to the discovered path. The communication flow may allow communication between the first host and the second host in the SDN operating mode.

Abstract: The present disclosure pertains to systems and methods for establishing communication with a remote communication device in a software defined network (SDN) during time when an SDN controller is unavailable. In one embodiment, a local communication device may be configured to receive a plurality of data flows from an SDN controller and to store the plurality of data flows in a persistent data memory. The device may generate a unique identifier for the local communication device that is transmitted to a remote communication device. Following a disruption the results in the SDN controller being unavailable, the local communication device may recover into a default configured state based on the plurality of data flows in the persistent data memory. The local communication device may then transmit the unique identifier to the remote communication device after the disruption to begin a process of reestablishing communication with the remote communication device.