Security in Connected Lighting: Understanding the Roles of the EC, Manufacturers and IT Department

Digital Security and Lighting Photo Credit: Shutterstock / Mott Jordan

Connected lighting and the internet of things (IoT) offer exciting potential for energy and operational efficiencies, but attention must be paid to ensure these systems are safe from hackers. While the owner bears the brunt of these risks, electrical contractors may find themselves sharing them.

“The contractors’ role is currently miscast,” said Jonathan Cartrette, systems architect, Wattstopper/Legrand. “They’re accepting significant responsibility and risk that few are aware of and fewer still are properly trained to address.”

Contractors often set passwords and ensure networks are locked down after installation, but this process can be complex. Evaluating a connected lighting system’s security is difficult as well. A device or system certified to a security standard typically is capable of being secure; however, to actually be secure, it must be deployed correctly. For example, if the system is installed with weak login and password credentials, the security potential may be wasted, Cartrette said.

“There are standardized methods, yet the penetration of them into lighting as best practices is diverse enough to seem random,” he said. “Presently, best practices are not standardized in networked lighting controls.”

CSI specification language rewards directly comparable text, meaning manufacturers may list security features without detailing how their implementations differ. For example, say two manufacturers offer 128-bit encryption. If one system’s encryption key has the same first 10 digits for every device, and those digits are available online along with the system’s default password for the gateway’s user account, potentially strong features are diluted.

“This leads to slower adoption of new technologies that might be harder to explain,” Cartrette said. “If a new best practice requires too much explanation, then it could take a full spec-cycle refresh or more to see it adopted. Until those new technologies can be bullet-pointed—unlikely with security practices—cut sheets and spec language obscure true product differences.”

The lighting industry can learn from other industries such as home security monitoring and broadband internet/TV, where suppliers began to recognize it was neither practical to hire certified network administrators to install products nor continuously train all installers on cybersecurity.

The solution was automation. Each device was manufactured with a unique, computer-readable digital identity called a certificate. Devices with certificates stemming from the same family were able to recognize and trust each other.

“Customers don’t ask the installers to get them the pay-per-view fight for free anymore,” Cartrette said. “The installer can’t do it because they don’t have the password, because there are no passwords.”

In use since around 2000, public key infrastructure has generated billions of certificates. In time, it began to be used in personal computers, telecom and broadband equipment, chip banking, credit cards, and the HTTPS web address protocol. Now, its adoption for the IoT is accelerating, including lighting control systems from multiple manufacturers. The next step is manufacturers promoting open interoperability between brands while retaining deliberately granted trust.

“The challenge will be educating the industry on how it’s accomplished and to select product knowing not all trusted hardware is as trustable as others,” Cartrette said. “Trusted hardware security strategies will be a learning curve just like dimming curves were at one time, but I’m confident our sector will rise to the occasion.”

The IoT will drive demand for standards-based security in connected lighting because it brings different stakeholders into the purchase decision-making process: professionals who are invested in security. With this accomplished, the industry can focus on the value of good lighting and robust lighting control.

In the meantime, Cartrette advises ECs to look for manufacturers that can provide easy-to-use deployment tools and the ability to support the installer and end-user when it comes to cybersecurity or other performance issues. The manufacturer should provide the same training and support to the EC regarding cybersecurity as they would with any other issue, such as energy code compliance. When meeting with IT departments to discuss implementation of a connected lighting system, the manufacturer should provide whatever documentation the IT department needs to eliminate concerns.

“Manufacturers occupy a place in the value chain that lets us look into the technology future of our channel to an extent,” he said. “If the brand pushed in the spec cycle is going to leave you responsible both for the final security of the system and the consequences for any breach in security, then demand something better.”
