Below is my contribution to the March issue of tED Magazine, the official publication of the NAED. Reprinted with permission.
Connected lighting and the Internet of Things (IoT) promise extraordinary enhanced value for buildings, but this connectivity introduces data privacy and security risks. These issues are growing in importance in the lighting industry, which has the advantage of adopting established best practices but may need to accelerate its learning curve.
The problem
Networked lighting controls is essentially a network enabling communication between devices. These systems are often intelligent, as devices are increasingly built around microprocessors. If the lighting network connects to other networks or the Internet, the consequences of hacking are more severe, requiring higher levels of security. What specific cybersecurity measures are built into the system, and how they’re implemented, define how secure a given networked lighting control system is.
The most common computer network hacks are “sniffing” and “vectoring.” With sniffing, data passing between devices is intercepted and changed, which can result in a hacker taking control of a building system. With vectoring, a vulnerable portion of a network is penetrated so as to gain access to a more secure adjoining network, usually for the purpose of data theft.
This is not exclusively a lighting problem. This is a problem affecting adoption of the entire IoT. And it’s concerning enough California passed a law (SB-327) requiring connected device manufacturers to fit them with certain cybersecurity features by January 1, 2020.
“Cybersecurity is of the utmost importance in every system or application that could be connected to the Internet—directly or indirectly via an HVAC system, building management system, or lighting controls,” said Harsha Banavara, Cybersecurity Technical Policy Manager, Signify. In his view, cybersecurity is essential to product development and fundamental to being a responsible innovator.
As a result, to its credit, the lighting industry is now prioritizing cybersecurity, with many major companies recognizing its importance and launching initiatives. Meanwhile, the DesignLights Consortium (DLC), which lists networked control systems in a Qualified Products List—that utilities in turn use to qualify products for their rebate programs—allows manufacturers to report compliance with certain security standards, and will require standards compliance in 2020.
Despite the progress made, Jonathan Cartrette, Systems Architect, Wattstopper/Legrand, said the lighting industry can and should do better. “We need to start treating the intrusion and exploitation of the systems we install with the same importance as life/safety,” he said. “As a community, we have been doing a terrible job at securing these systems.”
Cartrette said standards are evolving, such as the ANSI/UL 2900-1 standard (2016), which covers lighting along with other common building devices and systems; IEC standards; ISO 27000; and the NIST IoT Cybersecurity Framework. Without best practices being similarly standardized, however, two manufacturers providing a feature such as 128-bit encryption may do it very differently, resulting in different levels of protection, he said. Security, Cartrette added, should be designed into the system and work off open standards—which were developed by larger industries from a deep well of expertise—and existing best practices such as public key infrastructure, which is used with PCs, broadband, and chip banking. He said electrical distributors carry sufficient risk recommending connected lighting, and have the clout to demand their suppliers use trusted open standards and explain their security methodology.
What distributors can do
Completely eliminating cybersecurity risks can be challenging, though it is possible to gain an acceptable level, with “acceptable” being based on choosing products with a good security methodology as well as the customer’s security needs and technical knowledge.
In a May 2018 U.S. Department of Energy (DoE)/Federal Energy Management Program (FEMP) bulletin, Cyber Security for Lighting Systems, the DoE recommended 128-bit encryption or virtual local area networks (VLANS) as good security tools, coupled with good authentication. Encryption is the process of preventing interception of data passing between devices. Authentication is the process of ensuring only trusted devices share data, with potentially the most secure type of authentication involving devices initiating communication with a public key and responding with a unique private key. VLANs involve an Ethernet switch partitioning a piece of a network to run as a subnet of a larger network with its own level of security and functionality.
“Electrical distributors need to constantly educate themselves on the evolving cybersecurity landscape to be responsible counselors,” Banavara said. “Every distributor should become conversant in cybersecurity’s ‘basic hygiene,’ understanding what is required of the customers implementing these systems. Distributors should also create awareness among their customers on cybersecurity, even if there is no explicit request from the customers—for example, explaining to them the importance of regularly installing vendor software updates and changing passwords.”
This does not require electrical distributors become cybersecurity experts, though, as Banavara pointed out, better consultation can be provided the more education one gains. Distributors may need to become accustomed to talking to customer IT departments for certain projects, and have security documentation ready for basic questions and possibly manufacturer support on call for tougher, more-detailed queries.
Cartrette said electrical distribution is a “normalizing force” in the industry, able to drive standardization through its influence. “Estimation, specification, design, and, really, the grind of it all, are what the channel does best,” he said. “Cybersecurity shouldn’t be disruptive to our workflows, it shouldn’t cost more to deploy a secure system than an insecure one, and it definitely shouldn’t be the case that picking wrong means the electrical industry can bear the blame for ‘leaving the barn door open.’ The electrical industry understands the Mike Rowe: Dirty Jobs part of building, renovating, and improving the built environment. If the products available to us do their ‘dirty jobs,’ then we won’t have to learn network admin or computer science-level facts about cybersecurity.”
Connected lighting and the IoT are technologies offering extraordinary value and sales potential, but they impose new risks such as the need for good cybersecurity. Distributors may benefit by getting educated about the issues so as to get the right product and be conversant with their customers.
