Managing Security Risks in Smart Lighting Systems, Part 4

Lighting

Apr 16, 2020

In this article, we focus on cyber-attacks and insider threats to the smart lighting system and the countermeasures an organization can take to help minimize these incidents. This is the fourth and final article in a multi-part introductory series on security in smart lighting systems. In this series, learn about best practices, based on NIST standards and guidelines, for identifying and mitigating cybersecurity risks and threats, as well as implementing cybersecurity controls on an organizational level. The first article introduced the concept of a multi-tiered approach to smart lighting system cybersecurity. We then covered key security control strategies. The second article focused on access control/identification and authentication, and the third article focused on system and communications protection and system and information integrity.

Smart lighting system cyber-attacks

Cyber-attacks to a connected lighting system are usually considered malicious attacks from the outside that target the function and operation of the system. A cyber-attack might involve deploying malware or ransomware that exploits sensitive information or demands the administrator pay a certain ransom. Ransomware that targets shutting down the system unless the requested ransom is paid could pose a serious issue for light management systems. 

Other examples of external threats could be malicious intrusion of an attacker to gain access to the lighting system to control it. This intrusion could be as simple as a prank to control lighting in schools or public spaces, or as complex as a business or politically motivated attack that targets the operation of an industrial, commercial or public administration facility, such as for example, interrupting the production process in an industrial facility.

Systems need to be protected against cyber-attacks by implementing the controls presented in the previous articles in this series, including:

• encryption of all communication and sensitive information
• firewalls at external interfaces or between system components
• anti-malware to identify and to quarantine malicious code such as a virus, ransomware, etc.
• password protection of user accounts

Insider Threats to Smart Lighting Systems

Insider threats are attacks or security-related events that originate within the organization and the boundaries of the lighting system. They occur more frequently than cyber-attacks. Although some insider attacks are malicious and initiated by disgruntled employees, most occur accidentally and unknowingly due to lack of knowledge or carelessness.  Often, they go unnoticed for a long time.

Insider attacks can be as simple as personal control users having privileges, in error, to control areas beyond their private office. Most likely these users were given the additional privileges by mistake, or they weren’t revoked after a user moved to another space within the building.

Access management and training play critical roles in mitigating the risk of insider attacks. When not used, serious attacks could result in the entire lighting system being shut down. This can happen when, for example:

• The lighting control system has full privilege admin accounts shared by all system users (administrators, operators, service techs) instead of individual user accounts that are restricted to the role of a system user.

• Control system administrators are not trained to fully understand the impact of their actions.

• Operators have uncontrolled access to critical system resources such as the system database, user management or encryption keys, that can erase without warning.

Another insider threat risk lies in (unknowingly) sharing protected system information with third parties that should not have access to the information.  Modern technology, such as shared network drives, chat groups or other collaboration tools, make it easy to share information without being aware of the audience that has access to the information, especially when these tools are used as part of the daily work outside of the control system. For example, using the control system admin console or main processing unit as a personal workstation could erase the lines between common usage and the protection needed for the control system.

Processes that mitigate threats

For a control system to stay secure, it is essential that the system administrator implements the following processes.

1. Threat modeling and analysis

Identifying key cyber-attacks and insider threats as well as the measures to best protect the system against such threats, is critical. Threat modeling and analysis is a process that identifies vulnerabilities as well as those assets of most value from an attacker’s point of view. It is important for participants (control system operating team, IT, the system integrator and the corporate security team) to perform this process before implementing the control system, as well as on an annual basis.

2. Identification and access management

Before individuals can be granted access to the system, it is important to identify individual role and skills required to operate the control system safely and securely. Using an identification and access management process highlights not only who will have access to the system but also what privileges each role will have when accessing the system.

Individuals need to be selected for each access category carefully and they must receive initial training as well as periodic refreshers on system security functions and the impact their actions have especially when changing critical security and system parameters. A control system that provides identification and access management functions such as secure sign on, user identification and authentication, and role-based authorization can ensure the secure operation of the control system.

It is important that the identification and access management process and the individual privileges get reviewed on a periodic basis throughout the lifetime of the control system.

3. Security information and event management (SIEM)

SIEM defines relevant security events and how security information is gathered, stored, archived and audited. It also outlines how to react when a security event is recognized and how to inform stakeholders in the event of a security breach.

The lighting control system can help support the system administrator in detecting security incidents or identifying other events that impact the secure operation of the system. The system must be periodically audited and monitored for events that are significant and relevant including password changes, failed logons/system access, the use of administrative privileges, or events for any other relevant functions and operations.

It’s the responsibility of the control system to generate these audit records including information on the type of event, when and where it occurred, the source, outcome and the identity of any individuals or subjects associated. The control system also sends alerts on the detection of audible events or processing failures in the system’s audit and security functions.

The control system should timestamp, securely store, and protect the audit events from unauthorized access, and maintain the records according to retention polices for later analysis and audit.

The ENCELIUM EXTEND Light Management System has been accepted as a secure system by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.

This article is the fourth and final article in an introductory series about Managing Security Risks in Smart Lighting Systems.

• Part 1 10:00:00 introduces the concept of a multi-tiered approach to identifying and mitigating cybersecurity risks and threats.

• Part 2 highlights access control/identification and authentication — two key security control families.

• Part 3 highlights several additional security control families — system and communications protection and system and information integrity.

Source

Related Articles


Latest Articles

  • Investment in Single-Family Homes Continues to Rise for April

    Investment in Single-Family Homes Continues to Rise for April

    June 14, 2024 Month over month, investment in building construction increased 4.5% to $20.4 billion in March. The residential sector was up 5.4% to $14.3 billion, while investment in the non-residential sector increased 2.3% to $6.1 billion. On a constant dollar basis (2017=100), investment in building construction increased 4.1% to $12.5 billion in March. Investment in single-family homes continues to rise Investment in… Read More…

  • Record High Levels in British Columbia’s Multi-Unit Residential Construction Intentions for April

    Record High Levels in British Columbia’s Multi-Unit Residential Construction Intentions for April

    June 14, 2024 Month over month, the total value of building permits in Canada significantly increased 20.5% to $12.8 billion in April. Construction intentions in the residential sector increased 21.0% to $8.0 billion and the non-residential sector rose 19.6% to $4.8 billion, with growth observed in all components. British Columbia posted a record high monthly total value of building permits ($3.1 billion),… Read More…

  • ECAO’s Ontario’s Energy Future Sector Analysis Report

    ECAO’s Ontario’s Energy Future Sector Analysis Report

    June 14, 2024 Driven by economy-wide decarbonization efforts in response to the global climate crisis, Ontario’s electricity sector is rapidly evolving to enable the shift from fossil-based energy sources to clean energy sources. At the same time, with electrification of industry, transportation and more, it is abundantly clear that the demand for electricity supply is… Read More…

  • Planned Shift from Gas to Electric Heat Required to Avoid High Costs and Emissions: Report

    Planned Shift from Gas to Electric Heat Required to Avoid High Costs and Emissions: Report

    June 14, 2024 New research published today by the Canadian Climate Institute finds that a system-wide shift from gas to electric heat is the lowest-cost path through the clean energy transition. The report, Heat Exchange: How today’s policy choices will drive or delay Canada’s transition to clean, reliable heat, concludes that provincial government action will be  necessary to protect reliability and… Read More…


Changing Scene

  • Danielle Mayer – 2024 ECAM Award Recipient

    Danielle Mayer – 2024 ECAM Award Recipient

    June 14, 2024 Danielle Mayer’s journey to receiving the 2024 ECAM Award is one of dedication and determination. Danielle’s interest in the electrical trade sparked when she realized its potential as a hands-on career path, prompted by the suggestion from her friends that they needed an electrician among them. Beginning her exploration of the electrical… Read More…

  • CAF-FCA Unveils Trades Talent – An Innovative Speaker Connection Service at 2024 National Apprenticeship Conference

    CAF-FCA Unveils Trades Talent – An Innovative Speaker Connection Service at 2024 National Apprenticeship Conference

    June 14, 2024 The 2024 National Apprenticeship Conference saw an exciting announcement from the Canadian Apprenticeship Forum (CAF-FCA) with the launch of Trades Talent, an innovative online service designed to connect event planners with expert speakers in the skilled trades sector. This ground-breaking platform promises to be a game-changer for those seeking knowledgeable and engaging… Read More…

  • Atkore Announces Environmental Product Declarations for Steel and PVC Conduit Products

    Atkore Announces Environmental Product Declarations for Steel and PVC Conduit Products

    Atkore Inc. announced it has published Environmental Product Declarations (EPDs) for its Galvanized Steel, Stainless Steel, and PVC Conduit & Fittings portfolios. Verified by an independent third party, each EPD contains a product’s life cycle assessment that measures its environmental impact, such as greenhouse gas emissions, energy use, water consumption, waste generation, and other factors…. Read More…

  • ECAO 2024 Douglas J.B. Wright Award

    ECAO 2024 Douglas J.B. Wright Award

    June 14, 2024 Congratulations to Mr. Allan Kellett, Co-Owner of K-Line Group of Companies, on being named the recipient of the ECAO’s 2024 Douglas J.B. Wright Award! The award was presented earlier this month as part of ECAO’s Annual General Meeting. View the LinkedIn post HERE Read More…