Will connected lighting’s security story have a happy ending?
By Samantha Schwirck
Let’s take a quick trip down memory lane, to the early days of electricity, when scientists were trying to figure out how to protect users from receiving electric shocks. “At the time, it wasn’t obvious how to solve this,” says Tom Blewitt, director of principal engineers for Underwriters Laboratories (UL), which develops safety standards and provides testing services. “People didn’t have the same knowledge and science, and it took trial and error.”
It felt daunting, Blewitt says—much like cybersecurity does today. Statistics on the threat facing IoT devices are overwhelming: HP, for example, estimates that 70 percent of IoT devices—webcams, home thermostats and connected light bulbs, to name a few—are vulnerable to an attack.
What’s more, the connected lighting market, and therefore the threat to it, is rapidly growing. While only about 1 percent of the current installed lighting base is connected, the Department of Energy’s SSL Program, when assuming penetration growth along the same trajectory as LED lighting, forecasts an increase to 15 percent in 2020, 31 percent in 2025 and 59 percent in 2035.
To make matters worse, the technology is continually evolving. “It’s a moving target,” Blewitt explains. “It’s still in a highly innovative state, so even if you protect one approach, the marketplace may have moved on and that’s a challenge.”
Altogether, the idea of vulnerable devices multiplying and shape shifting does sound intimidating, but how bad could hacking the lights really be? More importantly, what will it take for cybersecurity to follow electric shock into the dust bin of lighting history?
WHY AND HOW
UL first evaluated the implications of cyber-attacks on connected lighting when President Obama’s cybersecurity coordinator, J. Michael Daniel, recommended the establishment of a UL-type safety certification, which could serve as a basic model for driving IoT product security. “That was music to our ears, and it really jumpstarted the whole effort from all the players in the industry,” Blewitt says. “We looked at the safety significance—if the light’s turned on or off, it may be inconvenient but not a safety concern, but the extent to which lighting is essential for pathways and more critical infrastructures, there’s a safety aspect there.
“The concern for lighting is that it’s ubiquitous,” he adds. “A lot of the devices are the same—rows and rows of similar luminaires, sensors and controls. The consequences are not so great if you’re just disrupting the system, but someone may use your connected lighting products as a gateway to other systems, right on into secure building computers or secret information.”
The type of cyber-attack—and its severity—often depends on the motive behind it, according to NewAE Technology president, Colin O’Flynn, who develops hardware and software that analyzes the security of embedded systems. Competitors may attack a product to copy its code and create a counterfeit; criminals may attack infrastructure to take control of a device and access nearby networks; even researchers attack systems to find flaws and propose remedies.
In general, these attacks are carried out on hardware (smart devices, hubs, routers, luminaires/lamps, drivers, sensors), software (applications, operating systems) or networks (asset management).
Consequences vary depending on the motive and method, as well as the target, which for connected lighting can range from individual residences to commercial buildings to cities.
While smart bulbs in residences likely represent the simplest connected lighting target, the consequences of a security breach can still be severe. Compromised devices could be used to steal personal information, send spam or infect other nearby lights. “An insecure system looks the same to users as a secure system,” O’Flynn says. “If an attack happens, there’s a big risk of causing damage to the value placed on the system. For consumers, if an attacker damages their bulbs, they may be unwilling to try again, even if the attacked product was of a completely different design from current generation devices.”
The consequences of cyber-attacks in commercial applications—for example, office buildings, retail settings and hospitals—are more complex because these settings often contain more connected devices and more people. The “attack surface,” in Blewitt’s words, is larger, which means the threat of stealing one person’s password, for example, could elevate to stealing, say, 1,000 office workers’ passwords.
“Some devices, for example, the wall thermostat, you have to get to it through the building,” Blewitt explains. “Depending on the wireless technology, you may have to get pretty close to it, and it’s probably connected to something like the HVAC system that’s pretty secure, so if there’s any isolation in the system you minimize the threat and, in my mind, that prevents a large attack surface.”
Without isolation, the variety of security levels within one building could do more harm than good. “If you use the same luminaire in your non-secure space as in your more secure space, maybe I’ll learn about it in your non-secure space and attack it in your secure space,” Blewitt adds.
And then there are connected cities, where “IoT deployments can help save lives and increase comfort and productivity, but their abuse can cause harm in exactly the same areas,” says Tanuj Mohan, CTO, Enlighted. “As folks from the operational technology (OT) industry rush to have connected solutions, a lot of the learnings from decades of security in the IT industry are missed. IT breaches and containment protocols are well-developed and a continuous learning and improvement process is in place. In the OT world, we are in a very nascent stage of understanding the risks, compounded by a lack of experience dealing with hackers. In the OT world the risk of breaches can pose imminent physical danger.”
That imminent danger is the subject of study by Stuart Madnick, director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. “Now-a-days, everything is a target, there are so many different motives, and IoT devices in general have very weak security,” Madnick says. “Serious breaches could be the source of cascading problems that I dubbed the ‘Cyber Hurricane,’” whereby a major cyber-attack on power grids or other essential systems could have a ripple effect on the availability of water, public transportation and waste disposal. “Not only must attempts be made to prevent breaches, there must be efforts to detect and effectively recover from breaches, which are even more poorly addressed,” he adds.
The consortium is also investigating possible backlash against the industry and technologies. Gal Messinger, head of corporate security for Philips Lighting, has similar concerns. “The immediate impact may be contained to only affect trust in a particular manufacturer, such as damage to a brand’s reputation or a decline in share price,” Messinger says, “but as the volume and severity of attacks pick up, it could erode trust in an entire category like the smart city or smart home. Erosion of trust at this scale could stifle innovation and economic development.”
Dave Bartlett, CTO of Current, powered by GE, refers to the ageold phrase, “a chain is only as strong as its weakest link,” to describe the company’s security outlook. “Any robust implementation begins with strong processes around architecture, standards and testing,” he says. “It’s up to each partner to provide rigorous security implementation and testing.” Same goes for Cree, which “emphasizes designing, developing and testing for security, and continuing to be vigilant with updates,” says Gary Trott of the intelligent lighting team. For some platforms, Cree uses the same encryption standards that banks and e-commerce organizations use to protect consumers. “If the security is good enough for your money, it will probably be good enough for your lights,” he adds.
In other words, the current best practice is to design products or systems that adhere to an industry-accepted standard—for example, UL’s 2900 marketplace-assurance standard or 5500 safetyrelated security standard—and only partner those products with devices and services from organizations that take the same precautions. This mindset extends to include parties such as municipalities, which could store gathered data with yet another party such as a cloud service.
“A well-designed network follows protection in depth,” Blewitt says. “There are layers of protection, just like in a house—a locked door, a locked box for jewelry. One of the challenges is putting together a network with lots of different things. Do they all meet the same expectations? Am I protecting them in the same way? It does require a certain level of sophistication to look at the entire network.”
Additional industry activity related to IoT security includes work by the National Electrical Manufacturers Association (NEMA), the Department of Energy and the Internet of Things Security Foundation (IoTSF). “Unfortunately there is no silver bullet when it comes to security,” Messinger says. “Rather, it is a collective approach of several different activities in order to have a cumulative effect. Consortiums like the IoTSF are important because they work on several levels—for example, to provide a summary of applicable standards to companies, and to define best practices for implementation.”
ONE STEP FURTHER
In O’Flynn’s opinion, a critical next step in designing secure systems is asking questions. “One of the most important things is simply to start asking the question about security issues in a given product, and what is being done to keep on top of them. If you’re just purchasing, this might be a question for the vendor; if you’re a vendor, this might be a question for your design team or engineers; and if you’re running the engineering team, this might be a question that needs new training or external advice. It’s very hard to secure these products fully—it’s almost certain that someone who tells you ‘there is no problem, and there couldn’t be a problem’ hasn’t fully thought this through.”
Beyond that, Messinger says, “Legislation is necessary to help ensure a baseline level of protection and mechanism for enforcement, but regulations [to ensure compliance] also need to be measured so as not to place an undue or excessive burden that could adversely affect progress,” he says. “The pace of innovation is such that we shouldn’t expect everyone to be a security expert in order to adopt new technology; however, we have to find ways to increase overall awareness so they understand the risks and can make informed decisions accordingly.”
And for MIT’s Madnick, true protection calls for a shift in mindset—a realignment of managerial and organizational strategies that prioritizes cybersecurity within our safety culture. “If you walk into an industrial plant, you will often see a sign that says, ‘520 days since the last industrial accident.’ If you walk into a data center, do you ever see a sign that reads, ‘520 days since the last successful cyberattack?’” he asks.
As the connected lighting market expands, however, lighting professionals remain focused on—and confident about—strengthening testing procedures and security standards. “It’s a never-ending priority that must continue to evolve,” Bartlett says. “Good cybersecurity is all about discipline and rigor—that’s what helps us stay one step ahead of those who might seek to cause damage.”
The evolution of cybersecurity is not just up to the experts, Blewitt adds. “There are simple, basic things that people can do. Manage what you can manage. At the least, don’t increase your chances of your company having a problem. There are things homeowners and installers can do to cause the bad guys to move on to lower hanging fruit.” Eventually, he says, “this will get tamed.” Just like electricity did.