Eight Tips for Lighting Cybersecurity

Mar 18, 2019

By Craig DiLouie

Connectivity enables LED lighting to go far beyond illumination and energy savings to offer revolutionary new capabilities and value for occupants, cost reduction, quality lighting, and business process improvement.

By networking luminaires and lighting control points in a centralized architecture, the lighting system becomes programmable and able to generate data. These data can be applied to strategies like optimizing space utilization, tracking inventory, and providing location-based services. These strategies in turn can produce tangible impacts on cost reduction, process efficiency, branding, and occupant satisfaction.

While connecting devices for various business purposes can produce extraordinary value, it can also impose data privacy and security risks. These risks may take several forms, with two notable attacks being sniffing and vectoring. Sniffing is when a hacker intercepts data between devices and assumes control of the device. A vectoring attack is when a hacker uses a building system network to penetrate a more secure connected corporate network for data theft.

Cybersecurity is a major challenge for the Internet of Things (IoT) as a whole (and corporate information networks beyond that), and lighting is not immune. The challenge is serious enough that it is now being targeted by legislation such as California’s SB-327, which requires manufacturers of connected devices to design them with certain security features by January 1, 2020.

Meanwhile, several IoT-related bills have been introduced in the U.S. Congress, such as the IoT Cybersecurity Improvement Act of 2017 (minimum security standards for connected devices acquired by the government), IoT Consumer TIPS Act of 2017 (directs the Federal Trade Commission to educate consumers), and the Smart IoT Act (requires the Department of Commerce to study the state of the industry). None of these bills have yet made it to a vote, however.

While the cybersecurity industry has a deep well of expertise and experience dealing with potential threats, it’s a new issue for many building industry, including the lighting industry, which is now working hard to ensure networked lighting systems are a strong link in the IoT.

While all this is developing, specifiers and designers should evaluate connected lighting systems with some basic knowledge of cybersecurity. In terms of security, what constitutes a “good” system for a given application depends on how it’s designed (security features) and configured (how it communicates) as well as the owner’s risk tolerance and level of technical knowledge.

For example, while IP-based systems enable lighting devices to be connected, monitored, and controlled in an Internet-based network, which can facilitate remote support, ability to access data, and an enhanced role for lighting in the IoT, they may require stronger security.

Many major manufacturers are prioritizing the issue with initiatives, drawing on standards and best practices such as ANSI/UL 2900-1, IEC standards, ISO 27000, and the NIST IoT Cybersecurity Framework. Over time, manufacturers ideally will streamline methodologies around best practices and design products with good cybersecurity tools built in, making security transparent for professionals wanting to focus on lighting.

It is possible the IoT will drive demand for standards-based security in connected lighting because it brings different stakeholders like IT professionals into the decision-making process.

Watch for 8 tips on how you can help your clients manage the data privacy and security risks in the April 9 issue of EIN.

Craig DiLouie, LC, is Education Director for the Lighting Controls Association. Reprinted with permission of the Lighting Controls

Association, www.lightingcontrolsassociation.org
Photo by jaydeep_ on Pixabay