Cybersecurity Challenge

February 11, 2019

The lighting industry can’t afford to be the weak link in the IoT

By Gary Meshberg

Networked lighting offers unprecedented capabilities and a potential platform for Internet of Things (IoT) solutions. From energy management to space utilization, inventory tracking and location-based services, the IoT promises extraordinary value; the key to unlocking it is connectivity.

This connectivity, however, may also bring data, privacy and security risks. This is a relatively new issue for the lighting industry to deal with. The good news is security professionals have developed robust best practices manufacturers can draw on. The bad news is the industry must get up to speed quickly to avoid being a weak link in an overall IoT solution.

If intelligent lighting devices are networked, they become essentially another communication or computer network in a building, prone to hacking attempts. While one might think the big issue is a hacker taking over a lighting system, which would be a “sniffing” attack, from an economic point of view, the bigger threat is a hacker using a building system network to penetrate a more secure corporate network for the purpose of data theft, known as a “vectoring” attack.

At a Wall Street Journal CEO Council meeting in London in April 2018, Darktrace CEO Nicole Eagan told the attendees how hackers accessed a casino’s network via an Internet-connected thermostat in a lobby aquarium. Once they had access, they were able to draw a high-roller database through the device and up into the Cloud. This is a good example of how a network can be only as secure as its weakest link. If a device connects to a network that connects to other networks or the Internet, the consequences of hacking can be greater, so a higher level of security is required to protect the entire ecosystem.

As shown in this example, this isn’t just a lighting problem; it’s a problem inhibiting adoption of the entire IoT. It’s a big enough issue that California recently passed SB-327, a law requiring manufacturers of connected devices to equip them with certain cybersecurity measures by January 1, 2020.

GOOD SECURITY

The answer is for lighting designers and specifiers to look for products and solutions that have good cybersecurity measures. “Good security” is defined on the product side by which specific measures are built into a system and how they are implemented, and on the client side by the client’s level of technical acumen and risk tolerance.

In May 2018, the U.S. Department of Energy’s Federal Energy Management Program published a bulletin recommending 128-bit encryption or virtual local area networks (VLANs) as appropriate security tools, backed by good authentication. Encryption prevents data passing between devices from being intercepted. Authentication ensures only trusted devices share data, with possibly the most secure method being one in which one device initiates communication with a public key and the responding device answers with a private key. VLANs involve partitioning a network so that part of it runs as a subnet with its own level of functionality and security.
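As an added illustration of the authentication step (this is example code, not from the article or the DOE bulletin it cites): the controller issues a fresh random challenge, the luminaire signs it with a private key that never leaves the device, and the controller accepts the device only if the signature verifies against a public key on its trusted list. ECDSA over P-256 and the device ID are assumptions; the bulletin does not name an algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// NewDeviceKey stands in for the P-256 key pair a luminaire would be
// provisioned with at manufacture (an assumption made for this demo).
func NewDeviceKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// NewChallenge is issued by the controller: 32 fresh random bytes, so a
// signature captured from an earlier session is useless against it.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	return nonce
}

// SignChallenge (device side): sign the controller's nonce to prove
// possession of the private key, which itself is never transmitted.
func SignChallenge(dev *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, dev, h[:])
	return sig
}

// Authenticate (controller side): admit only a device whose public key is
// on the trusted list and whose signature verifies over this nonce. An
// unknown ID, a foreign key, or a signature over an old nonce all fail.
func Authenticate(trusted map[string]*ecdsa.PublicKey, id string, nonce, sig []byte) bool {
	pub, ok := trusted[id]
	if !ok {
		return false
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

The trusted list is the part that makes this "only trusted devices": a luminaire with a valid key pair that was never enrolled is still refused.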

The good news is the industry is now prioritizing cybersecurity, with many major players addressing it through initiatives. Standards and best practices such as ANSI/UL 2900-1, IEC standards, ISO 27000, and the NIST IoT Cybersecurity Framework are still developing, and manufacturers may implement them with varying methodologies, resulting in diverse risk. Ideally, manufacturers will reach a point where products are designed with good cybersecurity tools built in, based on open standards and best practices. The IoT, where IT professionals are key decision-makers, will be a major driver.

RESOURCES

One resource is the DesignLights Consortium’s (DLC) Networked Lighting Controls Qualified Products List, publicly available at designlights.org. The DLC lists networked control systems from a variety of manufacturers with major features (required to be listed, or reported for additional information) in a standardized format. With its most recent version, the list allows manufacturers to report adherence to certain security standards. In 2020, the DLC will require it.

Eliminating cybersecurity risks completely can be very difficult, and designers and specifiers should not be expected to be deep security experts. However, it can pay to be conversant in cybersecurity “basic hygiene” (encryption, authentication, segmenting administrator permissions, the importance of installing vendor software updates and changing passwords, etc.) and explore the client’s cybersecurity needs during the project’s programming phase.

In some cases, this may require talking to the client’s IT department, which will likely have questions and requirements. The designer or specifier may need to have security documentation prepared as part of the project documents and, for difficult questions, have access to manufacturer support to gain client confidence. They should also ask manufacturers to explain their security methodology and ensure any radios used to commission the control system are turned off or, if needed for system operation, secured.

Connecting lighting devices offers enormous potential value, though it is this very connectivity that makes the system vulnerable unless it is secured against intrusion. Designers, specifiers and the clients they serve can benefit by becoming educated about cybersecurity so as to provide the right secure solutions.