Eight Tips for Lighting Cybersecurity

Apr 14, 2019

By Craig DiLouie

Connectivity enables LED lighting to go far beyond illumination and energy savings to offer revolutionary new capabilities and value for occupants, cost reductions, quality lighting, and business process improvement. By networking luminaires and lighting control points in a centralized architecture, the lighting system becomes programmable and able to generate data. While connecting devices for various business purposes can produce extraordinary value, it can also impose data privacy and security risks. Part 1 of this article explored the nature of the risks, and what manufacturers are doing. Here in Part 2: eight tips on how you can help your clients manage the risks.

1. Become conversant in cybersecurity “hygiene.” While lighting professionals need not become cybersecurity experts, they can benefit from education about basic concepts and practices.

2. Engage with the client about cybersecurity. It can be beneficial to engage the client about security needs during the project programming phase. This may require talking to client IT departments, which vary in how they’re composed. The IT department may have questions and requirements that will affect how the project is designed.

After product selection, it can be beneficial to include security documentation as part of the project documents. For challenging questions, the manufacturer should be able to provide support.

3. Ensure good encryption. Encryption is encoding data between devices to prevent them from being intercepted and manipulated. In a May 2018 bulletin, Cyber Security for Lighting Systems, the U.S. Department of Energy’s Federal Energy Management Program (FEMP), recommends AES 128-bit encryption.

AES 256-bit encryption is available, but there is a trade-off between power draw (and latency) and encryption in wireless lighting devices, resulting in a majority of devices using 128 instead of 256.

4. Choose an appropriate method of authentication. Authentication is about ensuring only devices that trust each other can share data. The FEMP recommends good authentication, with possibly the most secure authentication method being use of both a public and private key. The device initiating communication does so using a public key, and the responding device answers with a private key.

5. Safeguard the lighting network. If security is a concern, the network should be protected by a firewall. If the lighting network will touch the corporate network, as an added security measure, FEMP recommends segmenting it using a virtual local area network (VLAN). With a VLAN, a portion of a network is partitioned and run separately as a subnet with its own functionality and security.

6. Advise client on their responsibilities. The client should be advised about delineating administrator permissions (who will have access to the network and what powers they will have inside), the importance of installing vendor software updates (which may include important security enhancements) and changing passwords, and so on.

7. Secure after commissioning. FEMP recommends that any radios used to commission the control system be turned off after use. Or, if the radios are needed for ongoing system operation, they should be secured.

8. Scrutinize products. Look for suppliers that use a strong security methodology, are able to explain it, and can support you when needed. Here, education can go a long way in evaluating products with comparable security features but where the manufacturer implements them very differently.

One resource for evaluating products is the DesignLights Consortium (DLC), which lists networked control systems in a Qualified Products List that utilities in turn use to qualify products for their rebate programs. The Qualified Products List allows manufacturers to report compliance with certain security standards, and will require standards compliance in 2020.

Networked lighting and the IoT are a new world, presenting exciting opportunities for end-users but requiring new skillsets and creating new potential risks. Savvy building professionals will become educated on the basic issues, demand good security methodology from manufacturers, and engage with the right people at the customer to ensure all requirements are satisfied.

Read Part 1 here.

Craig DiLouie, LC, is Education Director for the Lighting Controls Association. Reprinted with permission of the Lighting Controls Association.

Photo by jaydeep_ on Pixabay