Managing Security Risks in Smart Lighting Systems, Part 4

Lighting

Apr 16, 2020

In this article, we focus on cyber-attacks and insider threats to the smart lighting system and the countermeasures an organization can take to help minimize these incidents. This is the fourth and final article in a multi-part introductory series on security in smart lighting systems. In this series, learn about best practices, based on NIST standards and guidelines, for identifying and mitigating cybersecurity risks and threats, as well as implementing cybersecurity controls on an organizational level. The first article introduced the concept of a multi-tiered approach to smart lighting system cybersecurity. We then covered key security control strategies. The second article focused on access control/identification and authentication, and the third article focused on system and communications protection and system and information integrity.

Smart lighting system cyber-attacks

Cyber-attacks to a connected lighting system are usually considered malicious attacks from the outside that target the function and operation of the system. A cyber-attack might involve deploying malware or ransomware that exploits sensitive information or demands the administrator pay a certain ransom. Ransomware that targets shutting down the system unless the requested ransom is paid could pose a serious issue for light management systems. 

Other examples of external threats could be malicious intrusion of an attacker to gain access to the lighting system to control it. This intrusion could be as simple as a prank to control lighting in schools or public spaces, or as complex as a business or politically motivated attack that targets the operation of an industrial, commercial or public administration facility, such as for example, interrupting the production process in an industrial facility.

Systems need to be protected against cyber-attacks by implementing the controls presented in the previous articles in this series, including:

• encryption of all communication and sensitive information
• firewalls at external interfaces or between system components
• anti-malware to identify and to quarantine malicious code such as a virus, ransomware, etc.
• password protection of user accounts

Insider Threats to Smart Lighting Systems

Insider threats are attacks or security-related events that originate within the organization and the boundaries of the lighting system. They occur more frequently than cyber-attacks. Although some insider attacks are malicious and initiated by disgruntled employees, most occur accidentally and unknowingly due to lack of knowledge or carelessness.  Often, they go unnoticed for a long time.

Insider attacks can be as simple as personal control users having privileges, in error, to control areas beyond their private office. Most likely these users were given the additional privileges by mistake, or they weren’t revoked after a user moved to another space within the building.

Access management and training play critical roles in mitigating the risk of insider attacks. When not used, serious attacks could result in the entire lighting system being shut down. This can happen when, for example:

• The lighting control system has full privilege admin accounts shared by all system users (administrators, operators, service techs) instead of individual user accounts that are restricted to the role of a system user.

• Control system administrators are not trained to fully understand the impact of their actions.

• Operators have uncontrolled access to critical system resources such as the system database, user management or encryption keys, that can erase without warning.

Another insider threat risk lies in (unknowingly) sharing protected system information with third parties that should not have access to the information.  Modern technology, such as shared network drives, chat groups or other collaboration tools, make it easy to share information without being aware of the audience that has access to the information, especially when these tools are used as part of the daily work outside of the control system. For example, using the control system admin console or main processing unit as a personal workstation could erase the lines between common usage and the protection needed for the control system.

Processes that mitigate threats

For a control system to stay secure, it is essential that the system administrator implements the following processes.

1. Threat modeling and analysis

Identifying key cyber-attacks and insider threats as well as the measures to best protect the system against such threats, is critical. Threat modeling and analysis is a process that identifies vulnerabilities as well as those assets of most value from an attacker’s point of view. It is important for participants (control system operating team, IT, the system integrator and the corporate security team) to perform this process before implementing the control system, as well as on an annual basis.

2. Identification and access management

Before individuals can be granted access to the system, it is important to identify individual role and skills required to operate the control system safely and securely. Using an identification and access management process highlights not only who will have access to the system but also what privileges each role will have when accessing the system.

Individuals need to be selected for each access category carefully and they must receive initial training as well as periodic refreshers on system security functions and the impact their actions have especially when changing critical security and system parameters. A control system that provides identification and access management functions such as secure sign on, user identification and authentication, and role-based authorization can ensure the secure operation of the control system.

It is important that the identification and access management process and the individual privileges get reviewed on a periodic basis throughout the lifetime of the control system.

3. Security information and event management (SIEM)

SIEM defines relevant security events and how security information is gathered, stored, archived and audited. It also outlines how to react when a security event is recognized and how to inform stakeholders in the event of a security breach.

The lighting control system can help support the system administrator in detecting security incidents or identifying other events that impact the secure operation of the system. The system must be periodically audited and monitored for events that are significant and relevant including password changes, failed logons/system access, the use of administrative privileges, or events for any other relevant functions and operations.

It’s the responsibility of the control system to generate these audit records including information on the type of event, when and where it occurred, the source, outcome and the identity of any individuals or subjects associated. The control system also sends alerts on the detection of audible events or processing failures in the system’s audit and security functions.

The control system should timestamp, securely store, and protect the audit events from unauthorized access, and maintain the records according to retention polices for later analysis and audit.

The ENCELIUM EXTEND Light Management System has been accepted as a secure system by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.

This article is the fourth and final article in an introductory series about Managing Security Risks in Smart Lighting Systems.

• Part 1 10:00:00 introduces the concept of a multi-tiered approach to identifying and mitigating cybersecurity risks and threats.

• Part 2 highlights access control/identification and authentication — two key security control families.

• Part 3 highlights several additional security control families — system and communications protection and system and information integrity.

Source

Related Articles


Latest Articles

  • Alberta Municipalities EV Charging Installation Rebate

    Alberta Municipalities EV Charging Installation Rebate

    April 4, 2025 Alberta Municipalities are proud to provide financial rebates for applicants to purchase and install electric vehicle charging stations in Alberta as part of the Electric Vehicle Charging Program (EVCP), funded by Natural Resources Canada (NRCan) & Alberta Municipalities.  The funding will cover up to 46% of your total project cost, which can… Read More…

  • Industry Legend Bill Smith Retires

    Industry Legend Bill Smith Retires

    April 4, 2025 By Electro-Federation Canada On March 25, Electrozad, a Sonepar Company, hosted a special retirement reception at Caesars Windsor for industry titan Bill Smith who marked an incredible 50-year career with the company.  The reception was held in the elegant Caesars Ballroom, which featured an array of food stations and elegant decor. In… Read More…

  • Schneider Electric: Your Trusted Partner in Sustainability and Efficiency

    Schneider Electric: Your Trusted Partner in Sustainability and Efficiency

    April 4, 2025 By Krystie Johnston Schneider Electric is on a mission to be the trusted partner in sustainability and efficiency. Since 1836, they have pioneered technological innovation to create a world where life is on. Frederick Morency, Vice President of Sustainability, Strategic Initiatives & Innovation at Schneider Electric Canada, has experienced this joie de… Read More…

  • The Evolving Landscape of Energy Management in Buildings with Trilliant’s Steven Lupo: AMI, EV Charging, DERs & Beyond Metering

    The Evolving Landscape of Energy Management in Buildings with Trilliant’s Steven Lupo: AMI, EV Charging, DERs & Beyond Metering

    March 31, 2025 By Blake Marchand Late last year Trilliant announced partnerships with Oshawa Power and Milton Hydro to enable suite metering and advanced metering technology using their Smart Building Platform. Those partnerships were the jumping off point for my conversation with Steven Lupo, Managing Director, North America at Trilliant, a company with four decades of innovation in Canada… Read More…


Changing Scene

  • NSAA Fee Change Effective April 1, 2025

    NSAA Fee Change Effective April 1, 2025

    As of April 1, 2025, the Nova Scotia Apprenticeship Agency’s fees have changed due to the 1% reduction in HST in Nova Scotia. NSAA noted on their website that due to the number of references across various pages, you may still come across old fee amounts as they work through updating their website. Here is… Read More…

  • Nominations Open for 2024 NETCO Leadership Excellence Award

    Nominations Open for 2024 NETCO Leadership Excellence Award

    Established in 2016, the NETCO Leadership Excellence award honours an industry training professional for his/her role for the success and their outstanding contributions to apprenticeship training and continuing electrical training. Read More…

  • Munded Partners with Kane Test Equipment in Atlantic Canada

    Munded Partners with Kane Test Equipment in Atlantic Canada

    April 4, 2025 Munden Enterprises has announced a partnership with Kane Test Equipment to bring their test and measurement solutions to Atlantic Canada. “We are now excited to announce a new and promising partnership with Kane Test Equipment. Kane Test Equipment brings innovative solutions that align with our dedication to providing the best tools for… Read More…

  • Nedco Announces Western Canadian Wire & Cable Sales Manager

    Nedco Announces Western Canadian Wire & Cable Sales Manager

    April 4, 2025 Don Blake has joined Nedco as their Western Canadian Wire & Cable Sales Manager. “With over 20 years of experience in the Wire & Cable industry, Don brings a wealth of knowledge and expertise to our Nedco West team,” said the company on LinkedIn. “His focus will be on expanding our product… Read More…