Managing Security Risks in Smart Lighting Systems, Part 2

Access Control & Authentication

Dec 11, 2019

This blog post is the second of a 4-part introductory series on managing security risks in smart lighting systems.

The first blog post in this series introduced the concept of a multi-tiered approach to identifying and mitigating Building Automation and Control System (BACS) cybersecurity risks and threats. We highlighted the NIST cybersecurity framework and associated security controls as best practice guidelines. U.S. Federal Information Systems and Organizations have strict security and privacy control requirements and rely heavily on the work of NIST and the guidelines published.

In this blog post, we’ll focus on two key security control families: access control and identification and authentication.

Key Security Control Strategies

Access Control

A minimum security requirement is controlling physical access to the system as well as access between users (or processes acting on behalf of users). An access control strategy enables users to have access to a system function that they have privilege to access based on their role or identity. As examples, some personnel may need remote access to the lighting system for troubleshooting or remote management, while only a select group of privileged users should have access to the server in a server room. Only a system administrator should have the permissions to configure user rights.

Access control policies, procedures and account management

In order to operate a Smart Lighting System, the operating organization has to develop and document access control policies and procedures that define the roles and responsibilities of personnel interacting with the system. It also defines how these roles and responsibilities are managed. These roles include (but are not limited to) the following functions:

• system administrators

• facility managers & operators

• commissioning specialists

• field support and service specialists

All of these roles should be associated with a set of privileges or authorizations following a separation of duties and least privilege principles. Applying these principles allows users only to access and control system functions and information that are necessary to perform a certain task. For facility managers, this could mean that access is controlled to just the building operation functions of a specific asset. For instance, Facility Manager A might only have access to Building A, and Facility Manager B only access to Building B. Neither of them has access to system and security configuration functions such as user management or the configuration of system devices.

System administrators are responsible for identifying and naming authorized users and assigning/revoking users’ group memberships and privileges. It is important that an organization has a management process in place that regularly reviews and updates defined roles and responsibilities.

User authentication and authorization provides the necessary controls to enforce the logical access to system functions and controlled assets based upon the applicable access control policy. User access can be controlled for local, remote and wireless access, with each potentially having their own policies.

Where necessary, the system may control the number of concurrent user sessions and provide mechanisms to lock and terminate sessions after a defined period of inactivity. The latter reduces the risks of providing access to unauthorized users that intend to hijack an authenticated user session.

At the same time, the Building Automation Control System denies access to users that do not have the authorization to access the system and keeps record of unsuccessful logon attempts.

Identification and authentication

For secure operation, a BACS system must provide identification and authentication functions for users, devices and services.

Identification and authentication of system users is commonly known as user management where users either use individual or group credentials. Credentials can be either simple user name password credentials or more sophisticated authenticators such as tokens, Personal Identification Numbers (PINs), challenges or a public key infrastructure with the use of certificates. To increase security, the system may use multi- or two-factor authentication where two or more authenticators are combined, e.g. password and challenge.

Device identification and authentication ensures that only uniquely identified and authenticated devices, such as system controllers, control modules and sensors, gain access to the system. Identification can be based on IP or MAC addresses or other unique identifiers including certificate based identifiers. Similar to devices, the system has to ensure that only trusted services gain access to the system, e.g. by the use of web tokens of identified and authenticated users.

In many cases security guidelines require authenticators to be of a certain strength and to be changed on a periodic basis. When entering authenticators, systems should provide feedback and obscure the feedback. 

Authentications should expire, if connections are closed, after a certain amount of inactivity or when authenticators expire. To re-gain access to the system users, devices and services will have to successfully re-authenticate.

Authentication processes should be secure and should provide record/replay protection, e.g. by the use of Transport Layer Security.

The ENCELIUM® EXTEND Light Management System has been accepted by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.

Source https://info.osram.us/blog/best-practice-security-control-strategies-for-smart-lighting-systems

Related Articles


Latest Articles


Changing Scene

  • Save the Date: Ontario Apprenticeship Summit 2026 – November 4, 2026

    Save the Date: Ontario Apprenticeship Summit 2026 – November 4, 2026

    July 6, 2026 Skilled Trades Ontario (STO) is pleased to announce that the third annual Ontario Apprenticeship Summit will take place during National Skilled Trades and Technology Week. Industry partners, skilled trades professionals, and apprentices are invited to attend the Toronto Congress Centre on Wednesday, November 4, 2026. The Ontario Apprenticeship Summit 2026 is focused… Read More…

  • Fort McMurray Apprentice Electrician to Represent Canada at Skilled Canada National Competition

    Fort McMurray Apprentice Electrician to Represent Canada at Skilled Canada National Competition

    July 6, 2026 In recognition of World Youth Skills Day, which underscores the vital role of skills development among young people, Skills/Compétences Canada (SCC) is proud to officially announce the 31 talented members of WorldSkills Team Canada 2026.These young competitors will begin their training to prepare for the 48th WorldSkills Competition, in Shanghai, China, which will be held… Read More…

  • Westburne Celebrates 100 Years with Brandon Trade Show

    Westburne Celebrates 100 Years with Brandon Trade Show

    July 6, 2026 Recently, Westburne hosted over 200 guests and over 60 partners and suppliers at their Brandon Trade Show to celebrate 100 years of Westburne. “Westburne’s annual Midwest Tradeshow welcomed more than 220 attendees in Brandon this year, including representatives from over 60 partner businesses and suppliers. Taking place annually for over 15 years,… Read More…

  • B.C. Expands Energy Efficiency Program to Provide No-Cost Retrofits to Homeowners, Tenants

    B.C. Expands Energy Efficiency Program to Provide No-Cost Retrofits to Homeowners, Tenants

    July 3, 2026 Together with BC Hydro, FortisBC and Natural Resources Canada, the Province is supporting families with lower incomes to save money on their utility costs through home-energy improvements.  “We are taking action to help people lower their utility bills by expanding our home energy-efficiency programming for lower-income families,” said Adrian Dix, B.C.’s Minister… Read More…