Managing Security Risks in Smart Lighting Systems, Part 4
Apr 16, 2020
In this article, we focus on cyber-attacks and insider threats to the smart lighting system and the countermeasures an organization can take to help minimize these incidents. This is the fourth and final article in a multi-part introductory series on security in smart lighting systems. In this series, learn about best practices, based on NIST standards and guidelines, for identifying and mitigating cybersecurity risks and threats, as well as implementing cybersecurity controls on an organizational level. The first article introduced the concept of a multi-tiered approach to smart lighting system cybersecurity. We then covered key security control strategies. The second article focused on access control/identification and authentication, and the third article focused on system and communications protection and system and information integrity.
Smart lighting system cyber-attacks
Cyber-attacks to a connected lighting system are usually considered malicious attacks from the outside that target the function and operation of the system. A cyber-attack might involve deploying malware or ransomware that exploits sensitive information or demands the administrator pay a certain ransom. Ransomware that targets shutting down the system unless the requested ransom is paid could pose a serious issue for light management systems.
Other examples of external threats could be malicious intrusion of an attacker to gain access to the lighting system to control it. This intrusion could be as simple as a prank to control lighting in schools or public spaces, or as complex as a business or politically motivated attack that targets the operation of an industrial, commercial or public administration facility, such as for example, interrupting the production process in an industrial facility.
Systems need to be protected against cyber-attacks by implementing the controls presented in the previous articles in this series, including:
• encryption of all communication and sensitive information
• firewalls at external interfaces or between system components
• anti-malware to identify and to quarantine malicious code such as a virus, ransomware, etc.
• password protection of user accounts
Insider Threats to Smart Lighting Systems
Insider threats are attacks or security-related events that originate within the organization and the boundaries of the lighting system. They occur more frequently than cyber-attacks. Although some insider attacks are malicious and initiated by disgruntled employees, most occur accidentally and unknowingly due to lack of knowledge or carelessness. Often, they go unnoticed for a long time.
Insider attacks can be as simple as personal control users having privileges, in error, to control areas beyond their private office. Most likely these users were given the additional privileges by mistake, or they weren’t revoked after a user moved to another space within the building.
Access management and training play critical roles in mitigating the risk of insider attacks. When not used, serious attacks could result in the entire lighting system being shut down. This can happen when, for example:
• The lighting control system has full privilege admin accounts shared by all system users (administrators, operators, service techs) instead of individual user accounts that are restricted to the role of a system user.
• Control system administrators are not trained to fully understand the impact of their actions.
• Operators have uncontrolled access to critical system resources such as the system database, user management or encryption keys, that can erase without warning.
Another insider threat risk lies in (unknowingly) sharing protected system information with third parties that should not have access to the information. Modern technology, such as shared network drives, chat groups or other collaboration tools, make it easy to share information without being aware of the audience that has access to the information, especially when these tools are used as part of the daily work outside of the control system. For example, using the control system admin console or main processing unit as a personal workstation could erase the lines between common usage and the protection needed for the control system.
Processes that mitigate threats
For a control system to stay secure, it is essential that the system administrator implements the following processes.
1. Threat modeling and analysis
Identifying key cyber-attacks and insider threats as well as the measures to best protect the system against such threats, is critical. Threat modeling and analysis is a process that identifies vulnerabilities as well as those assets of most value from an attacker’s point of view. It is important for participants (control system operating team, IT, the system integrator and the corporate security team) to perform this process before implementing the control system, as well as on an annual basis.
2. Identification and access management
Before individuals can be granted access to the system, it is important to identify individual role and skills required to operate the control system safely and securely. Using an identification and access management process highlights not only who will have access to the system but also what privileges each role will have when accessing the system.
Individuals need to be selected for each access category carefully and they must receive initial training as well as periodic refreshers on system security functions and the impact their actions have especially when changing critical security and system parameters. A control system that provides identification and access management functions such as secure sign on, user identification and authentication, and role-based authorization can ensure the secure operation of the control system.
It is important that the identification and access management process and the individual privileges get reviewed on a periodic basis throughout the lifetime of the control system.
3. Security information and event management (SIEM)
SIEM defines relevant security events and how security information is gathered, stored, archived and audited. It also outlines how to react when a security event is recognized and how to inform stakeholders in the event of a security breach.
The lighting control system can help support the system administrator in detecting security incidents or identifying other events that impact the secure operation of the system. The system must be periodically audited and monitored for events that are significant and relevant including password changes, failed logons/system access, the use of administrative privileges, or events for any other relevant functions and operations.
It’s the responsibility of the control system to generate these audit records including information on the type of event, when and where it occurred, the source, outcome and the identity of any individuals or subjects associated. The control system also sends alerts on the detection of audible events or processing failures in the system’s audit and security functions.
The control system should timestamp, securely store, and protect the audit events from unauthorized access, and maintain the records according to retention polices for later analysis and audit.
The ENCELIUM EXTEND Light Management System has been accepted as a secure system by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.
This article is the fourth and final article in an introductory series about Managing Security Risks in Smart Lighting Systems.
• Part 1 10:00:00 introduces the concept of a multi-tiered approach to identifying and mitigating cybersecurity risks and threats.
• Part 2 highlights access control/identification and authentication — two key security control families.
• Part 3 highlights several additional security control families — system and communications protection and system and information integrity.