DSO TSO Technopedia

Software Defined Security

Overview

Operational security mechanisms in Information and Communication Technology (ICT) systems are currently facing challenges in dealing with new network threats and attacks. Software-Defined Security (SDS or SDSec) has been proposed to meet such challenges. It is a generic security model within which information security is controlled and managed by security software. The well-known functions of network security devices, such as firewalling, intrusion detection, access controls and network segmentation, are extracted from hardware devices and framed into a software layer. Protection is based on logical policies which are no longer tied to any security device [1].

The architecture of SDS is designed to be modular, scalable and secure [2]. Security data and control planes are separated, hence automating detection and protection using standardised control messages [3].

The architecture organisation follows three layers [4, 5]:

  • The Physical Layer: this is at the bottom of the three-tier hierarchy, known also as the data layer or base layer. It contains hardware forwarding devices such as switches, routers, virtual switches and access points.
  • The Control Layer: this handles all the control and management operations. The security mechanisms are abstracted from the security devices: they sit inside the controller in the control layer. Security solutions that are normally implemented in the control layer include anti-virus, firewall, anti-spam and intrusion prevention system (IPS).
  • The Application Layer: this contains software-defined networking (SDN) applications. Network security techniques can be deployed as applications in this layer. To be effective, security must be built into the architecture and must protect the availability, integrity and privacy of information.

The key features and attributes of SDS are [2, 3]:

  • Abstraction: SDS abstracts security policies from the hardware layer. They are run within the software layer. Common security models are defined and can be deployed repeatedly.
  • Automation: each asset or device in the system is deployed and put in a security trust zone automatically. This is performed manually in traditional security approaches.
  • Flexibility: SDS is entirely software-based. The security policy is flexible, and security is available “on demand”. It is relatively easy to scale up and adapt to changes. It consistently enforces security policies across the board, irrespective of the location of the network systems.
  • Concurrency control: network security controls (such as intrusion detection and prevention, network segmentation, firewalling, violation monitoring, etc.) work together concurrently. Such an orchestration improves security and reduces the cost.
  • Visibility: because security can be virtualised, network professionals can discover abnormal activities that would not be visible with physical devices.
  • Portability: SDS allows assets to carry their security settings with them as they scale or move from one location to another.
  • AI Integration: the SDS approach can be further enhanced through Artificial Intelligence (AI) and Machine Learning (ML) techniques. These technologies enable real-time analysis of large volumes of network and security data, supporting adaptive and predictive threat detection. By embedding AI-driven analytics into the control layer, the system can automatically adjust security policies, isolate compromised assets, and improve overall resilience.
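As an added illustration (not code from this page or from the cited works), the following Python sketch shows three of the attributes listed above in working form: a controller that holds logical policies abstracted from any device, classifies assets into trust zones automatically, and recomputes deny-by-default flow rules per switch so that an asset's rules follow it when it moves. Zone names, asset kinds, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Logical policy: traffic from one trust zone to another on given ports.
    Anything not covered by a policy is dropped (deny-by-default)."""
    src_zone: str
    dst_zone: str
    ports: frozenset


@dataclass
class Asset:
    ip: str
    kind: str      # constructed categories: "meter", "scada", "workstation", ...
    switch: str    # switch the asset is currently attached to


# Constructed classification table: the controller places each asset in a
# trust zone automatically from its declared kind; unknown kinds are quarantined.
ZONE_OF_KIND = {"meter": "field", "scada": "control", "workstation": "office"}


class SdsController:
    """Holds logical policies and derives per-switch flow rules from them,
    so rules are never tied to a particular device."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.assets = {}

    def register(self, asset):
        self.assets[asset.ip] = asset

    def move(self, ip, new_switch):
        # Portability: security settings follow the asset, because rules are
        # recomputed from its zone rather than stored on the old switch.
        self.assets[ip].switch = new_switch

    def zone(self, ip):
        return ZONE_OF_KIND.get(self.assets[ip].kind, "quarantine")

    def compile_rules(self, switch):
        """Rules for one switch: explicit allows for flows whose source is
        attached there, followed by a catch-all drop."""
        rules = []
        for src in [a for a in self.assets.values() if a.switch == switch]:
            for dst in self.assets.values():
                if dst.ip == src.ip:
                    continue
                for p in self.policies:
                    if (p.src_zone, p.dst_zone) == (self.zone(src.ip), self.zone(dst.ip)):
                        rules.extend(("allow", src.ip, dst.ip, port) for port in sorted(p.ports))
        rules.append(("drop", "*", "*", "*"))
        return rules


if __name__ == "__main__":
    ctl = SdsController([Policy("control", "field", frozenset({2404})),
                         Policy("office", "control", frozenset({443}))])
    ctl.register(Asset("10.0.0.10", "scada", "sw1"))
    ctl.register(Asset("10.0.1.5", "meter", "sw2"))
    ctl.register(Asset("10.0.2.7", "workstation", "sw3"))
    print(ctl.compile_rules("sw1"))
    ctl.move("10.0.2.7", "sw1")      # workstation re-attached: its rules follow it
    print(ctl.compile_rules("sw1"))
```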

Application fields:

  • Efficient and dynamic mitigation of security threats and attacks
  • Abstraction of security away from hardware vulnerabilities to overcome the cybersecurity issue
  • Hardware cost reduction, due to the virtualisation of the network security applications on commodity hardware
  • Utilisation of existing network appliances, even if they do not support advanced traffic monitoring mechanisms
  • Dynamic configuration of existing network nodes to mitigate attacks
  • Harmonised view of logical security policies, which exist within the SDN controller model and are not tied to any server or specialised security device
  • Visibility of information from one source
  • Integration with sophisticated applications to correlate events in a simpler manner and respond more effectively and intelligently to security threats
  • Central management of security, which is implemented, controlled and managed by security software through the SDN controller.

Shaping SDN in the cloud environment uses the SDS components to address the following challenges:

  • The security levels within the infrastructure, control and application layers
  • The foreseen attacks within these layers
  • The actual security state
  • The preventive and mitigation measures to effectively address the security issues raised by the analysis

Benefits

The functionalities of SDS lead to the following benefits [6]:

  • Simplicity: the security architecture of physical data centres is complex, because it requires multiple servers, specialised hardware devices (e.g. firewall appliances, hardware security modules), network identities, etc. SDS supports the protection of information flows wherever they reside.
  • Automation: SDS allows for automation as it is independent from rigid hardware. For instance, encryption can be automated across virtual servers, availability zones or geographical regions.
  • Scalability and Flexibility: Geography becomes irrelevant in securing networks with devices in multiple locations.

Operating these three functional blocks highlights the link between SDS tools and SDN in future ICT systems such as cloud environments. SDS introduces simplicity to network security; for this reason, SDN must promptly be followed by SDS as the foundation for software-defined data centres.

Software-defined security naturally aligns with the Zero Trust paradigm, which assumes no implicit trust within or outside the network perimeter. Through software-based orchestration, SDSec supports dynamic micro-segmentation, continuous authentication, and contextual access control. Furthermore, SDSec principles underpin Secure Access Service Edge (SASE) architectures, enabling unified and cloud-based management of connectivity and security policies across hybrid infrastructures, remote users, and distributed assets.

The European Cyber Resilience Act (CRA) is a legal framework that describes the cybersecurity requirements for hardware and software products with digital elements placed on the market of the European Union. End devices such as smart cards, smart meters and mobile devices used by TSOs fall under the CRA [7].

Challenges

Challenges for DSO Software Defined Security are listed below:

  • Broadband over power line (BPL) performance is sensitive to local power line conditions, including noise, impedance, and network topology, which can vary significantly between feeders. It can be challenging to optimise signal parameters and ensure reliable performance in diverse environments.
  • Integration with smart metering infrastructure while ensuring full compliance with end-to-end security specifications may be challenging. Close coordination is needed to align protocol stacks, interface requirements, and system behaviours.
  • Scaling the management platform to support hundreds of thousands of endpoints, while maintaining real-time oversight, diagnostics, and policy enforcement, adds further architectural complexity.

Current Enablers

Three components are integrated to protect the network, as schematised in the figure below. They are the enablers of SDS.

[Figure: Enablers of SDS]
  • Host: the host aims to send or receive data through the network. In traditional networks, security techniques reside in the host, which inspects incoming packets for threats. In SDS, all security techniques are transferred to the controller.
  • Controller: the controller is fully software based. All security checks are done inside the controller. The controller must have efficient access control, stating which types of packets should be carried within the network. It has visibility of the traffic flows and collects and processes information about the network.
  • Switch: the switch consults the controller to decide whether to accept or reject a request. Current switches have limited storage capacity and cannot store all the rules, so a reactive caching mechanism is adopted in SDN. However, this makes switches vulnerable to Denial of Service (DoS) attacks [8].
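As an added example (not from this page or the cited works), the following Python sketch models the host/controller/switch split described above: a switch with a small, reactively filled rule table that consults only its intended controller on a cache miss, plus a simple monitor for the table-exhaustion pattern that underlies the DoS risk mentioned above. Controller identifiers, addresses, ports and the traffic scenario are constructed.

```python
from collections import Counter, OrderedDict


class Controller:
    """Software controller holding the logical allowlist of flows that may be
    carried. It also records packet-in events per source for monitoring."""

    def __init__(self, controller_id, allowed_flows):
        self.controller_id = controller_id
        self.allowed = set(allowed_flows)     # (src, dst, port) tuples
        self.packet_in = Counter()            # source address -> misses seen

    def decide(self, flow):
        self.packet_in[flow[0]] += 1
        return "forward" if flow in self.allowed else "drop"


class Switch:
    """Forwarding device with a small rule table filled reactively on misses."""

    def __init__(self, trusted_controller_id, table_size):
        self.trusted = trusted_controller_id
        self.table_size = table_size
        self.table = OrderedDict()            # flow -> action, LRU order
        self.misses = 0

    def handle(self, packet, controller):
        flow = (packet["src"], packet["dst"], packet["port"])
        if flow in self.table:                # cached rule: no controller round trip
            self.table.move_to_end(flow)
            return self.table[flow]
        if controller.controller_id != self.trusted:
            return "drop"                     # only the intended controller is consulted
        self.misses += 1
        action = controller.decide(flow)
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)    # evict least recently used rule
        self.table[flow] = action
        return action


def table_exhaustion_suspects(controller, threshold):
    """Sources whose packet-in count exceeds `threshold`: a burst of new flows
    from one source is the pattern that evicts legitimate cached rules."""
    return sorted(src for src, n in controller.packet_in.items() if n > threshold)


def run_scenario():
    """Constructed traffic: one legitimate flow, one unknown controller, and one
    source that opens many distinct flows. Returns what a monitor would see."""
    ctl = Controller("ctl-A", {("10.0.0.10", "10.0.1.5", 2404)})
    other = Controller("ctl-X", {("10.0.0.10", "10.0.1.5", 2404)})
    sw = Switch(trusted_controller_id="ctl-A", table_size=4)
    legit = {"src": "10.0.0.10", "dst": "10.0.1.5", "port": 2404}
    first = sw.handle(legit, ctl)                       # miss, then forward
    via_other = sw.handle({"src": "10.0.0.10", "dst": "10.0.1.6", "port": 2404}, other)
    for i in range(6):                                  # six new flows from one source
        sw.handle({"src": "10.0.5.5", "dst": f"10.0.7.{i}", "port": 80}, ctl)
    legit_cached = ("10.0.0.10", "10.0.1.5", 2404) in sw.table
    return {"first": first, "via_other": via_other, "legit_cached": legit_cached,
            "misses": sw.misses, "suspects": table_exhaustion_suspects(ctl, 5)}
```

The scenario ends with the legitimate rule evicted from the four-entry table and the bursty source flagged, which is the signal a defender would alert on.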

This generic approach can address the major components of a complex ICT system. Accordingly, the software-defined system is split into five major components:

  • Software-defined Networking (SDN)
  • Software-defined Cloud Networking (SDCN)
  • Software-defined Storage (SDS)
  • Software-defined Data Centre (SDDC)
  • Software-defined Radio (SDR)

Each hardware component of the considered ICT system is examined using the three-tier approach (host, controller, switch), whose components constitute the enablers of SDS.

Applications

DSO

Location: Germany Year: 2018
Description:

Under Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) Smart Meter Gateway program, Corinex and E.ON launched a mass-deployment partnership in 2018 in Germany, marking a significant milestone in the application of software-defined security to critical energy infrastructure.

The initiative aimed to establish a secure, high-speed communication backbone across the low-voltage distribution grid while meeting E.ON's stringent cybersecurity requirements as part of E.ON's broader smart grid modernisation strategy. Leveraging broadband over power line (BPL) technology, the project created a centrally managed, adaptive, and secure data network connecting smart meters, substations, and control systems via existing electrical wiring. At its core, the deployment integrates dedicated hardware with a centralised software platform that dynamically enforces security policies. This demonstrates the value of managing grid cybersecurity through software-defined methods, enabling flexibility and scalability not achievable through static, hardware-based approaches.

Design:

The choice to deploy a software-defined security architecture over a BPL-based communication network was shaped by EU regulation, namely the NIS-2 Directive, the Cyber Resilience Act (CRA) and the Cyber Solidarity Act, which must be transposed into national law. It was specifically developed to comply with Germany's Infrastructure Security Requirements, as defined by BSI, which mandate strict controls for encryption, authentication, and system auditing as part of the national smart metering framework. These requirements were satisfied by combining a BPL communication infrastructure secured with IEEE 802.1X authentication and AES 128-bit encryption, and a management system based on a Public Key Infrastructure (PKI) framework with automated certificate provisioning in accordance with RFC 7030 (Enrollment over Secure Transport). This security ecosystem was further enhanced by the implementation of signed firmware updates and VLAN-based payload separation to ensure network segmentation and integrity. In this context, software-defined security operated over a BPL-based network was particularly well suited to meeting these requirements. It enabled centralised policy control and allowed the system to remain adaptable to evolving standards without requiring replacement of installed hardware.

In addition, Germany's dense urban and suburban networks made leveraging existing power lines both cost-effective and minimally disruptive compared to laying fiber or installing cellular modems at each meter. The need for a scalable and future-proof solution further favored this approach, as security policies could be upgraded over time through software updates.

Implementing the solution, however, required addressing several challenges. BPL performance is sensitive to local power line conditions, including noise, impedance, and network topology, which can vary significantly between feeders. Extensive field trials were conducted to optimize signal parameters and ensure reliable performance in diverse environments. Another major challenge was integration with Germany's smart metering infrastructure while ensuring full compliance with end-to-end security specifications. This required close coordination between Corinex and E.ON to align on protocol stacks, interface requirements, and system behaviors. Finally, scaling the management platform to support hundreds of thousands of endpoints, while maintaining real-time oversight, diagnostics, and policy enforcement, added further architectural complexity.

Result:

Despite these challenges, the project achieved its goals and delivered measurable benefits. The secure BPL network connected several hundred thousand smart meters and grid devices, exceeding E.ON's benchmarks for performance and compliance. By leveraging existing infrastructure, the solution avoided the cost and time required to deploy a parallel communication network. The high bandwidth and low latency of BPL enabled more frequent and granular data collection, improving demand forecasting, fault detection, and maintenance planning. The software-defined security architecture reduced operational burdens by allowing updates and policy changes to be rolled out centrally, eliminating the need for technicians to visit each device when standards changed or new vulnerabilities were discovered. Field service visits related to communication failures declined significantly, while meter reading success rates improved, reducing customer complaints and estimated bills. Critically, the system maintained full compliance with Germany's Infrastructure Security Requirements, while providing the flexibility to adapt quickly to future regulatory changes or emerging threats.

The Corinex and E.ON activities supporting Germany's Smart Meter Gateway rollout demonstrate how software-defined security transforms grid management by making protection dynamic, scalable, and centrally enforceable. By decoupling security from fixed hardware configurations, E.ON gained a secure communication infrastructure that remains resilient in the face of new risks and operational demands. The deployment has modernised E.ON's low-voltage grid while setting an example of how other utilities can achieve both cybersecurity and operational excellence through innovative, software-driven solutions.

Technology Readiness Level (TRL):
TRL 9
References:

TSO

Location: Slovenia Year: 2023
Description:

TSOs may benefit from OT software-defined networking. SDN decouples the network management and switch configuration functionality from the switch hardware and places it into a centralised SDN controller. OT SDN mitigates risks by providing a completely deny-by-default data plane. It allows for a zero-touch deployment approach to designing a secure network with repeatable and predictable behaviour.

Design:

The construction of a new 400/110 kV substation and new 400 kV power lines to Hungary and Croatia by the ELES Transmission System Operator (TSO) from 2018 to 2022 was accompanied by the deployment of SDN and an IEC 61850 station bus.

Result:

SDN network switches can be configured to communicate only with the intended SDN controller, preventing users from connecting another SDN controller to the network with the intent of changing or manipulating settings.

Technology Readiness Level (TRL):
TRL 7
References:

Location: Year:
Description:

Within the scope of evolving requirements for critical infrastructure management and in line with the guiding principles of software-defined security (SDS), Terna has undertaken the development of an integrated security architecture.

This approach is designed to address the specific requirements of both operational technology (OT) and information technology (IT) domains, ensuring that remote access for substation systems is managed following a rigorous approach, while also deploying a comprehensive set of OT-specific security controls. For non-OT environments, the adoption of Zero Trust and Secure Access Service Edge (SASE) models further reinforces the security framework, ensuring that access to corporate resources is continuously verified and situationally enforced.

These initiatives reflect a strategic commitment to adopting the software-defined security paradigm, with ongoing efforts to align with the most relevant international standards and regulatory frameworks (such as IEC 62443, IEC 62351, NIS2 Directive) ensuring that security practices remain flexible, robust, and aligned with defined policies.

Design:

The design for remote access to operational technology environments is grounded in the adoption of software-defined networking (SDN) technologies, such as Virtual Local Area Networks (VLANs) and Virtual Routing and Forwarding (VRF), which enable logical segmentation and granular control of network flows. This solution includes identity awareness mechanisms, implemented through dedicated agents capable of dynamically managing user and device identities and supporting context-based authorization and centralized policy enforcement.

A key aspect of security enforcement lies in the incorporation of operational technology-specific components — occasionally deployed on virtualized instances — that collectively enable the implementation of software-defined security capabilities. These components operate in synergy to deliver dynamic and centrally orchestrated control across the OT environment. They include traffic regulation mechanisms such as next-generation firewalls, advanced diagnostic tools for real-time threat detection, asset visibility modules that support continuous and adaptive inventory of industrial systems, and passive traffic replication points designed to ensure non-intrusive monitoring of network flows while preserving operational integrity.

For remote access scenarios outside the operational technology domain, the implementation of Zero Trust and Secure Access Service Edge (SASE) principles ensures that every access request is subject to continuous verification, regardless of user location or device, thereby strengthening the security of information technology and digital services.

Result:

The implementation of this comprehensive security architecture is intended to provide significant benefits in terms of improved security posture, operational isolation, and greater efficiency in the management of network and security policies. The integration of software-defined security principles enables real-time, identity-centric controls and supports automated compliance and continuous monitoring across both operational technology and information technology domains. Policies are dynamically enforced based on user, device, and context, embodying the programmability principle.

The resulting environment is characterized by enhanced resilience, adaptability, and compliance with the stringent requirements associated with the protection of critical infrastructure.

Technology Readiness Level (TRL):
TRL 9
References:

R&D Needs

Further R&D activities should cover the following topics:

  • Security automation in Software Defined Networks [9]
  • Security challenges on SDN planes [10] (attack types):
    • Distributed Denial of Service (DDoS) Attacks
    • Address Resolution Protocol (ARP) Spoofing Attacks
    • Flow Rule Conflicts
    • Weak Authentication and Communication Attacks
    • Flooding Attacks
    • Saturation Attacks
    • Information Disclosure Attacks
    • Tampering Attacks
    • Scanning Attacks
    • Man-in-the-Middle (MITM) Attacks
    • Cache Poisoning Attacks
    • Control Channel Hijacking Attacks
    • Cyber Attacks
  • Disrupting the operation of an Internet of Things (IoT) system can be achieved by a simple yet effective attack, the malicious packet-modification attack (MPA), previously identified in IoT systems based on wireless sensor networks.

The technology is in line with milestone “Development of restoration plans and update of pan-EU system defence plan” under Mission 3, milestones “Innovative cyber security approach for control centres” and “Integration of PMU (WAMS) in dynamic security assessment process” under Mission 4 of the ENTSO-E RDI Roadmap 2024-2034.

Technology Readiness Level (TRL)

TRL 8-9 for industrial applications.

TRL 7 for the TSO context.


References

H. Tu et al., “A scalable flow rule translation implementation for software defined security,” Proceedings of Asia-Pacific Network Operation and Management Symposium, 2014.

M. N. O. Sadiku et al., “Software-Defined Security,” IJERAT, vol. 2, no. 10, p. 13, 2016.

L. Wenmao et al., “SDN oriented software-defined security architecture,” J. Frontiers Comp. Sci. & Tech., vol. 9, no. 1, pp. 63-70, 2015.

A. Darabseh et al., “SDSecurity: a software defined security experimental framework,” Proc. IEEE Workshop CCSNA, pp. 1871-1876, 2015.

L. Yanbing et al., “SDSA: a framework of a software-defined security architecture,” China Communications, vol. 13, pp. 178-188, 2016.

“The benefits of software defined security.” e-spincorp.com [online]

“Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.”

M. Dabbagh et al., “Software-defined networking security: pros and cons,” IEEE Communications Magazine, pp. 73-79, June 2015.

N. M. Yungaicela-Naula et al., “Towards security automation in Software Defined Networks,” Computer Communications, vol. 183, pp. 64-82, 2022.

ENTSO-E. “ENTSO-E Research, Development, & Innovation Roadmap 2024-2034.” Entsoe.eu. [online].

M. S. Farooq et al., “Security and Privacy Issues in Software-Defined Networking (SDN): A Systematic Literature Review,” Electronics, vol. 12, no. 14, p. 3077, Jul. 2023.