Abstract: A software-defined network (SDN) rule modification counter system provides counters that track all changes and edits to rules at SDN controllers and SDN switches on an SDN. The system compares counters at the SDN controller and SDN switch to determine if they match. If the counters do not match, a change has been made to the rules. With the addition of rule edit statistics the SDN controller will now have visibility that a rule modification was performed. The SDN controller then verifies that the state of the device is the same as its expected state as a secondary integrity check. Based on the rule modification notification, changes to a central rules table at the SDN controller and changes to rule settings at the SDN switch are made according to pre-programmed logic.

Abstract: A software-defined network (SDN) rule modification counter system provides counters that track all changes and edits to rules at SDN controllers and SDN switches on an SDN. The system compares counters at the SDN controller and SDN switch to determine if they match. If the counters do not match, a change has been made to the rules. With the addition of rule edit statistics the SDN controller will now have visibility that a rule modification was performed. The SDN controller then verifies that the state of the device is the same as its expected state as a secondary integrity check. Based on the rule modification notification, changes to a central rules table at the SDN controller and changes to rule settings at the SDN switch are made according to pre-programmed logic.

Abstract: A software-defined network (SDN) rule modification counter system provides counters that track all changes and edits to rules at SDN controllers and SDN switches on an SDN. The system compares counters at the SDN controller and SDN switch to determine if they match. If the counters do not match, a change has been made to the rules. With the addition of rule edit statistics the SDN controller will now have visibility that a rule modification was performed. The SDN controller then verifies that the state of the device is the same as its expected state as a secondary integrity check. Based on the rule modification notification, changes to a central rules table at the SDN controller and changes to rule settings at the SDN switch are made according to pre-programmed logic.

Abstract: Systems and methods are disclosed herein relating to the secure configuration of intelligent electronic devices. Intelligent electronic devices are used in electric power generation and transmission systems for protection, control, automation, and/or monitoring of equipment. The use of tokens and token-based digital signatures in the configuration process of intelligent electronic devices reduces the likelihood of malicious acts or unintended errors. Tokens distributed to engineers, technicians, intelligent electronic devices, computing devices, and/or software decrease the likelihood of errors being introduced in the configuration process.

Abstract: The present disclosure pertains to systems and methods of restricting access to devices utilizing tokens. In some embodiments, a system may include a user requesting a token, ensuring the user requesting a token has the permission to request the token and is not the user approving the token. In some embodiments, the system may include the user granting the token, wherein the user granting the token is not the user receiving the token. The system ensures that the user accessing the device has the permission to access the device. Additionally, the system decreases the opportunities for insider attacks and increases the resistance to credential theft attacks. Further, the system increases the accountability for changes and the ability to review changes.

Abstract: The present disclosure pertains to systems and methods of handling Address Resolution Protocol (ARP) responses in a software defined network (SDN). In one embodiment, a system may comprise a controller in a control plane to generate an address store comprising information associated with a plurality of devices in communication with the SDN. The controller may also program a plurality of network devices in a data plane based on a plurality of communication flows. The network devices may forward traffic according to the plurality of communication flows received from the controller. The network device may also receive: a request from the first device for information associated with the second device, determine that the first device is authorized to communicate with the second device based on the plurality of communication flows, and generate a response to the request comprising the information associated with the second device based on the address store.

Abstract: The present disclosure pertains to systems and methods of restricting access to devices utilizing tokens. In some embodiments, a system may include a user requesting a token, ensuring the user requesting a token has the permission to request the token and is not the user approving the token. In some embodiments, the system may include the user granting the token, wherein the user granting the token is not the user receiving the token. The system ensures that the user accessing the device has the permission to access the device. Additionally, the system decreases the opportunities for insider attacks and increases the resistance to credential theft attacks. Further, the system increases the accountability for changes and the ability to review changes.

Abstract: Systems and methods are disclosed herein relating to the secure configuration of intelligent electronic devices. Intelligent electronic devices are used in electric power generation and transmission systems for protection, control, automation, and/or monitoring of equipment. The use of tokens and token-based digital signatures in the configuration process of intelligent electronic devices reduces the likelihood of malicious acts or unintended errors. Tokens distributed to engineers, technicians, intelligent electronic devices, computing devices, and/or software decrease the likelihood of errors being introduced in the configuration process.

Abstract: The present disclosure pertains to systems and methods for generation of a physical and logical design of a software defined network (SDN). In one embodiment, a system may receive a plurality of user-provided parameters associated with a plurality of performance requirements of the SDN. A library may include performance metrics of a plurality of devices comprised in the SDN. An SDN design subsystem may generate the physical and logical design of the SDN based on the user-provided parameters and the performance metrics of the devices in the library. A traffic routing subsystem may generate a plurality of communication flows based on the logical design of the physical and logical design and to be implemented by the SDN. An SDN simulation subsystem may generate an assessment of the physical and logical design of the SDN and the plurality of communication flows in comparison to the user-provided parameters.

Abstract: The present disclosure pertains to systems and methods for generation of a physical and logical design of a software defined network (SDN). In one embodiment, a system may receive a plurality of user-provided parameters associated with a plurality of performance requirements of the SDN. A library may include performance metrics of a plurality of devices comprised in the SDN. An SDN design subsystem may generate the physical and logical design of the SDN based on the user-provided parameters and the performance metrics of the devices in the library. A traffic routing subsystem may generate a plurality of communication flows based on the logical design of the physical and logical design and to be implemented by the SDN. An SDN simulation subsystem may generate an assessment of the physical and logical design of the SDN and the plurality of communication flows in comparison to the user-provided parameters.

Abstract: Systems and methods are described herein for token-based access to an intelligent electronic device (IED) resource in a power delivery system. A token server and an IED resource may be communicatively connected via a communication network. The token server may generate a token associated with access privileges to one or more IED resources. The token server associates an access duration time with the generated token. The user presents the IED resource with the token as part of an access attempt. The IED resource grants access at a first time defined with reference to the device uptime of the IED resource until a second time defined with reference to the device up time. The difference between the first time and the second time corresponds to the access duration time of the token.

Abstract: The present disclosure pertains to systems and methods for establishing trust relationships between a software defined network (SDN) controller and a SDN communication device. In one embodiment, a SDN controller may comprise a communications interface configured to communicate with a plurality of SDN network devices. A commissioning subsystem configured to detect a new device associated with the SDN. In response to a new device, a user interface subsystem may be configured to receive a user approval to commission the new device. A trust subsystem configured to establish a first SDN controller trusted credential and to transmit a first device trusted credential based on the first SDN controller credential to the new device. Programming instructions to the new device authenticated using the first SDN controller trusted credential by a SDN programming subsystem.

Abstract: The present disclosure pertains to systems and methods of handling Address Resolution Protocol (ARP) responses in a software defined network (SDN). In one embodiment, a system may comprise a controller in a control plane to generate an address store comprising information associated with a plurality of devices in communication with the SDN. The controller may also program a plurality of network devices in a data plane based on a plurality of communication flows. The network devices may forward traffic according to the plurality of communication flows received from the controller. The network device may also receive: a request from the first device for information associated with the second device, determine that the first device is authorized to communicate with the second device based on the plurality of communication flows, and generate a response to the request comprising the information associated with the second device based on the address store.

Abstract: The present disclosure pertains to systems and methods to identify high-priority traffic within a software defined network (“SDN”) and to route such traffic through physically distinct communication paths. Such routing may help to reduce network congestion faced by high-priority traffic and increase the reliability of transmission of such data. Certain embodiments may further be configured to generate a failover communication path that is physically distinct from a primary communication path. Still further, certain embodiments may be configured to suggest enhancements to a network that may improve a reliability criterion.

Abstract: The present disclosure pertains to systems and methods to identify high-priority traffic within a software defined network (“SDN”) and to route such traffic through physically distinct communication paths. Such routing may help to reduce network congestion faced by high-priority traffic and increase the reliability of transmission of such data. Certain embodiments may further be configured to generate a failover communication path that is physically distinct from a primary communication path. Still further, certain embodiments may be configured to suggest enhancements to a network that may improve a reliability criterion.

Abstract: The present disclosure pertains to systems and method for configuration of communication flows in a software defined network (“SDN”). In one embodiment, a system is operable to configure a communication flow between a first host and a second host. A mode selection subsystem is configured to cause a plurality of network devices in a network connecting the first communication host and the second communication host to transition between an open mode and an SDN operating mode. In the open mode, the network devices may discover a communication path between the first host and the second host. An analysis subsystem may receive information from the plurality of network devices information about the discovered path, and a topology discovery subsystem may be configured to create a communication flow corresponding to the discovered path. The communication flow may allow communication between the first host and the second host in the SDN operating mode.

Abstract: The present disclosure pertains to systems and methods to identify high-priority traffic within a software defined network (“SDN”) and to route such traffic through physically distinct communication paths. Such routing may help to reduce network congestion faced by high-priority traffic and increase the reliability of transmission of such data. Certain embodiments may further be configured to generate a failover communication path that is physically distinct from a primary communication path. Still further, certain embodiments may be configured to suggest enhancements to a network that may improve a reliability criterion.

Abstract: The present disclosure pertains to systems and methods for establishing trust relationships between a software defined network (SDN) controller and a SDN communication device. In one embodiment, a SDN controller may comprise a communications interface configured to communicate with a plurality of SDN network devices. A commissioning subsystem configured to detect a new device associated with the SDN. In response to a new device, a user interface subsystem may be configured to receive a user approval to commission the new device. A trust subsystem configured to establish a first SDN controller trusted credential and to transmit a first device trusted credential based on the first SDN controller credential to the new device. Programming instructions to the new device authenticated using the first SDN controller trusted credential by a SDN programming subsystem.

Abstract: The present disclosure pertains to systems and methods for simulating data packet routing within a software defined network (“SDN”), visualizing the results of the simulation, and permitting a user to search the resulting simulation. In one specified embodiment, a system may receive from a user a simulation parameter associated with a packet to be simulated in the SDN. A packet based on the at least one simulation parameter may be generated. A response of the SDN to the packet may be simulated by identifying applicable traffic routing rules and identifying a subsequent destination based on the applicable traffic routing rules. A record of the subsequent destination may be added to the simulation result, and the process may continue until a terminating condition is satisfied.

Abstract: The present disclosure pertains to systems and methods for assessing reliability of communication links in a software defined network (SDN). In one embodiment, a system may include an SDN architecture subsystem configured to generate SDN architecture information and a bandwidth subsystem configured to generate bandwidth information. A latency subsystem may receive the bandwidth information from the bandwidth subsystem and may be configured to generate latency information using the bandwidth information. A failover subsystem may receive the SDN architecture information, the bandwidth information, and the latency information and generate a failover assessment and a failover route for the communication link. A reliability assessment subsystem may receive the SDN architecture information, the bandwidth information, and the latency information, and the failover assessment and generate a reliability assessment.