Managing Security Risks in Smart Lighting Systems, Part 2

Access Control & Authentication

Dec 11, 2019

This blog post is the second of a 4-part introductory series on managing security risks in smart lighting systems.

The first blog post in this series introduced the concept of a multi-tiered approach to identifying and mitigating Building Automation and Control System (BACS) cybersecurity risks and threats. We highlighted the NIST cybersecurity framework and associated security controls as best practice guidelines. U.S. Federal Information Systems and Organizations have strict security and privacy control requirements and rely heavily on the work of NIST and the guidelines published.

In this blog post, we’ll focus on two key security control families: access control and identification and authentication.

Key Security Control Strategies

Access Control

A minimum security requirement is controlling physical access to the system as well as access between users (or processes acting on behalf of users). An access control strategy enables users to have access to a system function that they have privilege to access based on their role or identity. As examples, some personnel may need remote access to the lighting system for troubleshooting or remote management, while only a select group of privileged users should have access to the server in a server room. Only a system administrator should have the permissions to configure user rights.

Access control policies, procedures and account management

In order to operate a Smart Lighting System, the operating organization has to develop and document access control policies and procedures that define the roles and responsibilities of personnel interacting with the system. It also defines how these roles and responsibilities are managed. These roles include (but are not limited to) the following functions:

• system administrators

• facility managers & operators

• commissioning specialists

• field support and service specialists

All of these roles should be associated with a set of privileges or authorizations following a separation of duties and least privilege principles. Applying these principles allows users only to access and control system functions and information that are necessary to perform a certain task. For facility managers, this could mean that access is controlled to just the building operation functions of a specific asset. For instance, Facility Manager A might only have access to Building A, and Facility Manager B only access to Building B. Neither of them has access to system and security configuration functions such as user management or the configuration of system devices.

System administrators are responsible for identifying and naming authorized users and assigning/revoking users’ group memberships and privileges. It is important that an organization has a management process in place that regularly reviews and updates defined roles and responsibilities.

User authentication and authorization provides the necessary controls to enforce the logical access to system functions and controlled assets based upon the applicable access control policy. User access can be controlled for local, remote and wireless access, with each potentially having their own policies.

Where necessary, the system may control the number of concurrent user sessions and provide mechanisms to lock and terminate sessions after a defined period of inactivity. The latter reduces the risks of providing access to unauthorized users that intend to hijack an authenticated user session.

At the same time, the Building Automation Control System denies access to users that do not have the authorization to access the system and keeps record of unsuccessful logon attempts.

Identification and authentication

For secure operation, a BACS system must provide identification and authentication functions for users, devices and services.

Identification and authentication of system users is commonly known as user management where users either use individual or group credentials. Credentials can be either simple user name password credentials or more sophisticated authenticators such as tokens, Personal Identification Numbers (PINs), challenges or a public key infrastructure with the use of certificates. To increase security, the system may use multi- or two-factor authentication where two or more authenticators are combined, e.g. password and challenge.

Device identification and authentication ensures that only uniquely identified and authenticated devices, such as system controllers, control modules and sensors, gain access to the system. Identification can be based on IP or MAC addresses or other unique identifiers including certificate based identifiers. Similar to devices, the system has to ensure that only trusted services gain access to the system, e.g. by the use of web tokens of identified and authenticated users.

In many cases security guidelines require authenticators to be of a certain strength and to be changed on a periodic basis. When entering authenticators, systems should provide feedback and obscure the feedback. 

Authentications should expire, if connections are closed, after a certain amount of inactivity or when authenticators expire. To re-gain access to the system users, devices and services will have to successfully re-authenticate.

Authentication processes should be secure and should provide record/replay protection, e.g. by the use of Transport Layer Security.

The ENCELIUM® EXTEND Light Management System has been accepted by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.

Source https://info.osram.us/blog/best-practice-security-control-strategies-for-smart-lighting-systems

Related Articles


Latest Articles

  • Alberta Municipalities EV Charging Installation Rebate

    Alberta Municipalities EV Charging Installation Rebate

    April 4, 2025 Alberta Municipalities are proud to provide financial rebates for applicants to purchase and install electric vehicle charging stations in Alberta as part of the Electric Vehicle Charging Program (EVCP), funded by Natural Resources Canada (NRCan) & Alberta Municipalities.  The funding will cover up to 46% of your total project cost, which can… Read More…

  • Industry Legend Bill Smith Retires

    Industry Legend Bill Smith Retires

    April 4, 2025 By Electro-Federation Canada On March 25, Electrozad, a Sonepar Company, hosted a special retirement reception at Caesars Windsor for industry titan Bill Smith who marked an incredible 50-year career with the company.  The reception was held in the elegant Caesars Ballroom, which featured an array of food stations and elegant decor. In… Read More…

  • Schneider Electric: Your Trusted Partner in Sustainability and Efficiency

    Schneider Electric: Your Trusted Partner in Sustainability and Efficiency

    April 4, 2025 By Krystie Johnston Schneider Electric is on a mission to be the trusted partner in sustainability and efficiency. Since 1836, they have pioneered technological innovation to create a world where life is on. Frederick Morency, Vice President of Sustainability, Strategic Initiatives & Innovation at Schneider Electric Canada, has experienced this joie de… Read More…

  • The Evolving Landscape of Energy Management in Buildings with Trilliant’s Steven Lupo: AMI, EV Charging, DERs & Beyond Metering

    The Evolving Landscape of Energy Management in Buildings with Trilliant’s Steven Lupo: AMI, EV Charging, DERs & Beyond Metering

    March 31, 2025 By Blake Marchand Late last year Trilliant announced partnerships with Oshawa Power and Milton Hydro to enable suite metering and advanced metering technology using their Smart Building Platform. Those partnerships were the jumping off point for my conversation with Steven Lupo, Managing Director, North America at Trilliant, a company with four decades of innovation in Canada… Read More…


Changing Scene

  • NSAA Fee Change Effective April 1, 2025

    NSAA Fee Change Effective April 1, 2025

    As of April 1, 2025, the Nova Scotia Apprenticeship Agency’s fees have changed due to the 1% reduction in HST in Nova Scotia. NSAA noted on their website that due to the number of references across various pages, you may still come across old fee amounts as they work through updating their website. Here is… Read More…

  • Nominations Open for 2024 NETCO Leadership Excellence Award

    Nominations Open for 2024 NETCO Leadership Excellence Award

    Established in 2016, the NETCO Leadership Excellence award honours an industry training professional for his/her role for the success and their outstanding contributions to apprenticeship training and continuing electrical training. Read More…

  • Munded Partners with Kane Test Equipment in Atlantic Canada

    Munded Partners with Kane Test Equipment in Atlantic Canada

    April 4, 2025 Munden Enterprises has announced a partnership with Kane Test Equipment to bring their test and measurement solutions to Atlantic Canada. “We are now excited to announce a new and promising partnership with Kane Test Equipment. Kane Test Equipment brings innovative solutions that align with our dedication to providing the best tools for… Read More…

  • Nedco Announces Western Canadian Wire & Cable Sales Manager

    Nedco Announces Western Canadian Wire & Cable Sales Manager

    April 4, 2025 Don Blake has joined Nedco as their Western Canadian Wire & Cable Sales Manager. “With over 20 years of experience in the Wire & Cable industry, Don brings a wealth of knowledge and expertise to our Nedco West team,” said the company on LinkedIn. “His focus will be on expanding our product… Read More…