Defending the Light: Cybersecurity for Lighting and the IoT

Cybersecurity for Lighting and the IoT Image credit: Spainter_VFX / Sergey Niven
Image credit: Spainter_VFX / Sergey Niven

Networked lighting controls connect luminaires in a programmable system to offer exciting and robust capabilities. Connected lighting packages of luminaires and controls are increasingly touted as “internet of things (IoT) ready,” which means they have connectivity, intelligence, sensors and bidirectional data communication.

A networked lighting control system is a communications network between devices that are becoming more intelligent as they are increasingly built around microprocessors. As such, it is vulnerable to the same hackers who attack corporate networks.

In 2016, hackers penetrated a networked lighting system in an office building using a drone, making the lights flash “SOS” in Morse code. This is an example of a “sniffing” attack, in which data sent between devices is intercepted and altered.

However, theft is usually the main goal of a hack. A single device can provide an entry point for a “vectoring” attack on a joining network, which is only as secure as its weakest link.

For example, in April 2018, Darktrace CEO Nicole Eagan told the Wall Street Journal CEO Council in London how hackers penetrated a casino’s network through an internet-connected thermostat in a lobby aquarium. Once inside the network, they pulled a database of high-roller gamblers through the device and up into the cloud.

As a result, cybersecurity is emerging as a significant issue for the IoT and connected building systems such as networked lighting. The issue is so important that California recently passed SB-327, an information privacy law requiring manufacturers of connected devices to equip them with certain security features by Jan. 1, 2020.

As demand for connected lighting grows with development of the IoT, electrical contractors may increasingly find themselves installing these systems. What are the risks to ECs, and what do they need to know?

Controls and security

Different types of connected lighting systems inherently pose varying degrees of vulnerability and, require different levels of security, according to a May 2018 U.S. Department of Energy (DOE)/Federal Energy Management Program (FEMP) bulletin, “Cyber Security for Lighting Systems.”

IP-based systems—Some connected lighting systems assign internet protocol (IP) addresses to devices, which enables them to be connected, monitored and controlled within an internet-based network. This facilitates remote support, ability to access data from lighting devices and enhanced ability for lighting to play a part in the IoT. As such, the DOE predicted strong demand for these systems. According to the DOE, however, major cybersecurity concerns exist with them due to their internet connectivity, imposing greater security requirements.

Wired versus wireless—The control system may connect using wiring, wireless signaling or a combination of these approaches. Wired systems are considered more secure due to their physical installation behind walls and ceilings, providing a high level of isolation that in networking terminology is called the “air gap.” Meanwhile, applicable protocols such as BACnet are updating to greater security due to new functionality. Wired power over ethernet (PoE) and similar systems featuring devices with IP addresses are at greater risk, according to the DOE.

Also ongoing is the debate regarding the level of security risks with wireless, though reports of hacking have given some owners caution. The challenge with wireless is data flows through open air and may exit the building. While encryption and authentication are important tools in all network communication, it is particularly critical with wireless. When data is sent from one point to another, we A) don’t want unauthorized people intercepting and reading it and B) do want devices to verify the device they’re talking to is trusted. Encryption is the process of preventing interception of data moving between points. Authentication is the process of ensuring only trusted devices share data.

Security by application

In its May 2018 FEMP bulletin, the DOE recommended, if the networked lighting system is IP-based, security risk can be mitigated by using Advanced Encryption Standard (AES) 128-bit encryption or virtual local area networks (VLANs) and by specifying equipment with good authentication measures. Additionally, care should be taken to secure the system after the commissioning process.

Encryption—Considered highly secure, AES 128-bit encryption uses a 128-bit key to encrypt and decrypt data. AES 256-bit encryption is available, but the trade-off between power draw and encryption in wireless lighting devices has resulted in a majority of devices using 128 rather than 256.

VLAN—In a centralized networked lighting system, data collected by sensors is fed to a central collection point, which may be a server, typically installed in an electrical or IT closet in the building core. Devices may be directly connected using a dedicated ethernet cable, which reduces security risks, or they could piggyback onto (and become part of) a corporate network, which reduces cost.

One solution is to build a VLAN between the luminaires and the gateways or network switches. A VLAN is created when an ethernet switch partitions a piece of a network to run as a subnet. Administrators can add sections with different levels of security and functionality to their networks without running new cabling.

Authentication—Authentication using a public and private key is considered the most secure. The public key initiates communication between devices with a challenge from the authenticating device and the other device responding with a unique private key. Authentication method may not be identified in manufacturer literature, so the specifier will have to ask for documentation if needed. The documentation should be clear enough about the security methodology used so as to satisfy the owner.

Commissioning—Manufacturers have simplified configuration and functional testing using hand-held devices communicating wirelessly with the control system based on Bluetooth, ZigBee or another protocol. The DOE recommended turning off radios used to commission the lighting after commissioning is complete. If those radios are needed for system operation, they must be secured.

Security by design

New security standards are affecting product development, such as the ANSI/UL 2900-1 standard. Published in 2016, this standard covers lighting along with other common building devices and systems, from HVAC to building automation to fire and alarm systems. It provides testable cybersecurity criteria for network-connectable devices and systems to assess software vulnerabilities and weaknesses, minimize exploitation and address known malware. It’s important to note these standards are used to test security for systems, while these systems may use different approaches to accomplish security.

In June 2018, the DesignLights Consortium (DLC) released Networked Lighting Control System Technical Requirements Version 3.0. Networked lighting control systems tested to satisfy these criteria are listed in the DLC’s Qualified Products List for Networked Lighting Controls, which utility rebate programs may use to qualify systems as eligible for new rebates promoting this technology.

With V3.0, the DLC tackled cybersecurity for the first time, reporting compliance with security standards including ANSI/UL 2900-1, two International Electrotechnical Commission standards, ISO 27000 and the National Institute of Standards and Technology IoT Cybersecurity Framework. Publishing in June 2020, V5.0 will require cybersecurity compliance.

Currently, the DLC’s Qualified Products List presents a list of networked lighting control systems in a table identifying a range of capabilities, including cybersecurity information. This can be a helpful resource in sourcing and comparing systems.

Security and the contractor

While networking lighting devices offers enormous potential value, this connectivity makes these systems vulnerable unless they are secured—with which specific cybersecurity measures are implemented (and how) defining how secure a given system is.

Electrical contractors do not need to become cybersecurity experts, though when installing networked systems, they should become familiar with key concepts. They can benefit from a basic understanding of both the customer’s security needs and how securely the selected system operates.

Often, it is challenging to eliminate risk, though it is possible to achieve an acceptable level. What is acceptable starts with a best practice baseline (through standards, though specific best practices are still evolving) and ends with the customer, which depends on their security needs and technical acumen. If the customer has an IT department, it can be beneficial to engage with them early in the process to hear any requirements and provide whatever documentation they need to address their concerns.

Networked intelligent lighting and the IoT are a new world, presenting exciting opportunities for users but requiring new skillsets and imposing new risks. Savvy ECs will become educated on the basic issues, demand good security methodology from their manufacturing partners and engage with the right people and the customer to ensure all requirements are satisfied.

Stay Informed Join our Newsletter

Having trouble finding time to sit down with the latest issue of
ELECTRICAL CONTRACTOR? Don't worry, we'll come to you.