Eight Tips for Lighting Cybersecurity
July 22, 2019
Connectivity enables LED lighting to go far beyond illumination and energy savings to offer revolutionary new capabilities and value for occupants, cost reduction, quality lighting, and business process improvement.
By networking luminaires and lighting control points in a centralized architecture, the lighting system becomes programmable and able to generate data. These data can be applied to strategies like optimizing space utilization, tracking inventory, and providing location-based services. These strategies in turn can produce tangible impacts on cost reduction, process efficiency, branding, and occupant satisfaction.
While connecting devices for various business purposes can produce extraordinary value, it can also impose data privacy and security risks. These risks may take several forms, with two notable attacks being sniffing and vectoring. Sniffing is when a hacker intercepts data between devices and assumes control of the device. A vectoring attack is when a hacker uses a building system network to penetrate a more secure connected corporate network for data theft.
Cybersecurity is a major challenge for the Internet of Things (IoT) as a whole (and corporate information networks beyond that), and lighting is not immune. The challenge is serious enough that it is now being targeted by legislation such as California’s SB-327, which requires manufacturers of connected devices to design them with certain security features by January 1, 2020.
Meanwhile, several IoT-related bills have been introduced in the U.S. Congress, such as the IoT Cybersecurity Improvement Act of 2017 (minimum security standards for connected devices acquired by the government), IoT Consumer TIPS Act of 2017 (directs the Federal Trade Commission to educate consumers), and the Smart IoT Act (requires the Department of Commerce to study the state of the industry). None of these bills have yet made it to a vote, however.
While the cybersecurity industry has a deep well of expertise and experience dealing with potential threats, it’s a new issue for many building industry, including the lighting industry, which is now working hard to ensure networked lighting systems are a strong link in the IoT.
While all this is developing, specifiers and designers should evaluate connected lighting systems with some basic knowledge of cybersecurity. In terms of security, what constitutes a “good” system for a given application depends on how it’s designed (security features) and configured (how it communicates) as well as the owner’s risk tolerance and level of technical knowledge.
For example, while IP-based systems enable lighting devices to be connected, monitored, and controlled in an Internet-based network, which can facilitate remote support, ability to access data, and an enhanced role for lighting in the IoT, they may require stronger security.
Many major manufacturers are prioritizing the issue with initiatives, drawing on standards and best practices such as ANSI/UL 2900-1, IEC standards, ISO 27000, and the NIST IoT Cybersecurity Framework. Over time, manufacturers ideally will streamline methodologies around best practices and design products with good cybersecurity tools built in, making security transparent for professionals wanting to focus on lighting.
It is possible the IoT will drive demand for standards-based security in connected lighting because it brings different stakeholders like IT professionals into the decision-making process.
Below are eight tips for enhancing cybersecurity in your projects:
1. Become conversant in cybersecurity “hygiene.” While lighting professionals need not become cybersecurity experts, they can benefit from education about basic concepts and practices.
2. Engage with the client about cybersecurity. It can be beneficial to engage the client about security needs during the project programming phase. This may require talking to client IT departments, which vary in how they’re composed. The IT department may have questions and requirements that will affect how the project is designed.
After product selection, it can be beneficial to include security documentation as part of the project documents. For challenging questions, the manufacturer should be able to provide support.
3. Ensure good encryption. Encryption is encoding data between devices to prevent them from being intercepted and manipulated. In a May 2018 bulletin, Cyber Security for Lighting Systems, the U.S. Department of Energy’s Federal Energy Management Program (FEMP), recommends AES 128-bit encryption.
AES 256-bit encryption is available, but there is a trade-off between power draw (and latency) and encryption in wireless lighting devices, resulting in a majority of devices using 128 instead of 256.
4. Choose an appropriate method of authentication. Authentication is about ensuring only devices that trust each other can share data. The FEMP recommends good authentication, with possibly the most secure authentication method being use of both a public and private key. The device initiating communication does so using a public key, and the responding device answers with a private key.
5. Safeguard the lighting network. If security is a concern, the network should be protected by a firewall. If the lighting network will touch the corporate network, as an added security measure, FEMP recommends segmenting it using a virtual local area network (VLAN). With a VLAN, a portion of a network is partitioned and run separately as a subnet with its own functionality and security.
6. Advise client on their responsibilities. The client should be advised about delineating administrator permissions (who will have access to the network and what powers they will have inside), the importance of installing vendor software updates (which may include important security enhancements) and changing passwords, and so on.
7. Secure after commissioning. FEMP recommends that any radios used to commission the control system be turned off after use. Or, if the radios are needed for ongoing system operation, they should be secured.
8. Scrutinize products. Look for suppliers that use a strong security methodology, are able to explain it, and can support you when needed. Here, education can go a long way in evaluating products with comparable security features but where the manufacturer implements them very differently.
One resource for evaluating products is the DesignLights Consortium (DLC), which lists networked control systems in a Qualified Products List that utilities in turn use to qualify products for their rebate programs. The Qualified Products List allows manufacturers to report compliance with certain security standards, and will require standards compliance in 2020.
Networked lighting and the IoT are a new world, presenting exciting opportunities for end-users but requiring new skillsets and creating new potential risks. Savvy building professionals will become educated on the basic issues, demand good security methodology from manufacturers, and engage with the right people at the customer to ensure all requirements are satisfied.
Photo by jaydeep_ on Pixabay
Craig DiLouie, LC, is Education Director for the Lighting Controls Association. Reprinted with permission of the Lighting Controls Association, www.lightingcontrolsassociation.org
