Feb 3, 2020

This is the third article of a four-part introductory series on managing security risks in smart lighting systems. In this series, learn about best practices, based on NIST standards and guidelines, for identifying and mitigating cybersecurity risks and threats, as well as implementing cybersecurity controls on an organizational level. The first article introduced the concept of a multi-tiered approach to smart lighting system cybersecurity. The second article focused on two key security control families: access control/identification and authentication. In this third article, we’ll focus on building automation and control system security control families that relate to system and communication protection, and system and information integrity.

A smart lighting system is a base building control system that can also be an important, integral part of a building automation and control system (BACS). At a fundamental level, every type of BACS facilitates the flow of information as well as automated control through connectivity. This information flow reduces operating costs and provides better and more timely information about a building function or asset. BACS are a form of business information system (BIS) and, like any other BIS, can pose potential security threats and risks to the business.

System and communications protection

System and communications protection security control strategies focus on attacks that target the system configuration, system resources, communications channels and private or classified information.

• System partitioning and application separation — one of the easiest ways to protect a smart lighting system is to partition the system into different network segments that separate user functions from system control and management functions. This creates logical and physical boundaries that can be monitored and protected for added security. One common approach is to have a private control network, only accessible to system administrators, that hosts all lighting controllers and management applications, and have a public network that users can access via personal control, web or mobile applications. Within the lighting control network, wired and wireless field bus technology further separates device control from system management traffic so that basic lighting control will still work should there be a management network failure.

• Secure system communication, session management and boundary protection — secure network connections and encryption of data in transit protects from man-in-the-middle attacks trying to gain access to information, as well as malicious or accidental alteration of information during transmission. Connection and session management ensures that sessions are unique and valid only for the duration of use. For example, session cookies with unique identifiers, timeouts, and password protected locks can be used.

• Cryptography and key management — secure control systems use cryptography to protect information, including personally identifiable data, passwords and certificates, while in transit or at rest. As part of the encryption process, the information protected is scrambled and is made readable only by using the matching keys. Also, it is common for secure connections to change the keys periodically. It is good practice to separate the security functions that generate and manage keys from user functions, and store the encryption keys in protected storage areas.

• System resources, denial of service and boundary protection — in case of attacks, malfunction or failure, the smart lighting system should provide a graceful degradation of services by maintaining limited functionality such as failsafe operations and default configuration sets, to prevent catastrophic failure. Firewalls, resources and traffic management functions can identify targeted or accidental denial of service attacks or monitor resource availability. Segregating services creates boundaries that help protect the operation of essential system functions from external influences.

• Remote access, wireless access and access from mobile devices — the system should protect remote, wireless or mobile access to the system using virtual private networks (VPNs), secure wireless access, and secure mobile interfaces. This allows only trusted users to have access to the system.

System and information integrity

It is essential for a system to operate flawlessly and for the integrity of both the system and information to be guaranteed. The following security controls help the system administrator maintain the integrity of the system:

• Malicious code protection — virus and malware scanners protect the system from viruses, Trojan horses, ransomware, backdoor attacks and many other forms of malicious code and malware. They continuously scan the control system for file transfers via network connections or sharable data mediums, and periodically scan the control system’s file system. When threats are detected, files are either quarantined or protected from opening or execution. To remain effective against evolving threats, malicious code protection tools must be updated on a regular basis and only the latest version must be run.

• System monitoring and system-generated events — to detect attacks or unauthorized use, smart lighting systems should notify the operator of any suspicious activity and provide the operator with a history of system activities. Receiving such information allows an operator to troubleshoot or audit the system and detect current or future problems.

• Software, firmware, and information integrity — it is essential that operators and users trust that the system is running the correct software and firmware, and that neither is accidentally or maliciously altered. The integrity of both can be protected by various integrity checks and functions. For instance, validated digital signatures can be required to execute software and firmware. In the same way, the system needs to check the integrity of critical system and personal information by applying various types of integrity checks.

• Information input validation and error handling — input validation protects the system from accidental or malicious malfunction due to invalid inputs that could result in system or application crashes, system restarts, or system lock ups. It ensures maximum system availability and filters malicious input vectors that could be used to exploit the system. Proper error messages indicate user and system errors. They need to be meaningful enough that a user or system operator can easily understand the error and take proper action to correct the error. However, it is also important that these error messages can’t be used by an attacker to exploit the system.

• Fail-safe procedures — in the case of a system or system component failure, the control system should switch to a known fail-safe state and be able to execute fail-safe procedures. A fail-safe state could be a defined default state, error state, or other state that allows basic system functions to run independently of the failed system components. It is important that these states and procedures protect the safety of the system and its users, as well as the security functions of the system.

• Security function verification — the control system operator needs to trust system security functions. In many cases, control systems provide an integrated verification of these security functions. It is important that the operator or administrator of the system check the critical security functions on a regular basis.

The Encelium Extend Light Management System has been accepted as a secure system by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings. Learn more: www.osram.us/ds/products/light-management-systems/encelium/index.jsp.

Part 4, available shortly, will focus on insider threats and more.
Source https://info.osram.us/blog/smart-lighting-system-security-system-and-communications-protection-strategies