(Issue: December 2019)

10 Tips for Lighting Cybersecurity

By Craig DiLouie, CLCP, LC

Lighting management companies recommending and installing networked lighting controls should be aware of 10 tips regarding cybersecurity.

Connecting lighting systems can maximize energy cost savings, promote maintenance through monitoring, and enable a wide range of data-driven services from optimizing space utilization to tracking critical inventory. This very connectivity, however, poses challenges to keeping the system and data secure.

While the most visible risk is a hacker taking control of a building system such as lighting, the biggest risk is the hacker using a building system network to penetrate the more secure corporate network for data theft, called vectoring.

As the building industry steps up for the Internet of Things (IoT), it is benefiting from numerous established best practices and standards, while also being forced to get up to speed very quickly.

In time, the lighting industry may build cybersecurity tools into their products in such a way they are transparent to practitioners and users. Until then, lighting management companies recommending and installing networked lighting controls should be aware of 10 tips regarding cybersecurity, which were derived from manufacturer interviews and a Federal Energy Management Bulletin, Cyber Security for Lighting Systems (May 2018).

#1. Understand the basics. While lighting management companies may not be required to be experts in cybersecurity, they can benefit from educating themselves about basic concepts, practices and lingo.

#2. Know the application. Achieving perfect security is very difficult, and what makes a system good depends on its design (security features), configuration (how it communicates), and the owner’s tolerance for risk.

#3. IP-based systems may require stronger security. IP-based control systems allow devices to be connected, controlled, and monitored in an internet-based network. This enables remote support, ability to access data, and a stronger role for lighting in the IoT. This connectivity, however, may require stronger security.

#4. Talk to the customer about it. Consider talking to the customer about cybersecurity and doing so early in the project. This may require talking to the IT department. If challenged, the manufacturer should be able to help. After choosing the control system, consider including any security documents in the project documentation.

#5. Encrypt. Encryption is the encoding of data between devices to prevent its interception and manipulation. AES 128-bit encryption is recommended.

#6. Authenticate. This means only devices that trust each other should be able to share data. Good authentication is important, with potentially the most secure method being to use both a public and private key. The device initiating communication offers a public key, and the responding device answers with a private key.

#7. Safeguard the network. Consider a firewall to safeguard the lighting network, if security is a concern. If the lighting network will connect with the corporate network, as an added measure, consider segmenting it using a virtual local area network (VLAN). With a VLAN, a piece of a network is sectioned off and run separately as a subnet with its own security and functionality.

#8. Advise the customer on its responsibilities. Consider advising the owner about good security hygiene practices such as delineating administrator permissions (who can access the network and what they can do when inside it), installing vendor software updates (which may include security improvements), changing passwords regularly, etc.

#9. Secure following commissioning. If radios are used for commissioning, they should be turned Off after use or otherwise secured if they’re needed for ongoing system operation.

#10. Select products carefully. Look for manufacturers that use good security measures, are able to explain them (noting manufacturers may implement the same security measures differently), and can provide support when needed.

Besides the manufacturer, another resource is the DesignLights Consortium’s (DLC) Networked Lighting Controls Qualified Products List (downloadable free at DesignLights.org), which provides a list of networked control systems and identifies various features along with compliance with certain security standards.

Networked lighting controls and the IoT bring extraordinary new opportunities but with them new challenges. Lighting management companies recommending and installing networked lighting control systems should familiarize themselves with the basics of cybersecurity to best support their customers.

Craig DiLouie, CLCP, LC, principal of ZING Communications, Inc., is a consultant, analyst and reporter specializing in the lighting and electrical industries, and a regular contributor to LM&M. You may contact Craig at cdilouie@zinginc.com.