Jasper Hijink of lux-it Lighting Technology asked me what we’ve done to promote security in connected lighting systems . . . er – er – er . . . not enough, clearly. This is what Jasper has to say on the matter.
We hear about Cyber attacks on an almost weekly basis. And this is not restricted to small victims; high profile companies are involved, where you would think security is under control. There have been a few high-profile attacks where companies were held to ransom after a cyber-attack, for example the NHS and Bristol airport. Although there have been several reports of lighting systems being compromised (some examples: Philips Hue, Osram LED bulbs, LIFX LED lamp), no large scale incidents have happened… yet.
Cyber security of lighting systems is, or should be, on the list for large installations. You do not want to end-up in the news as the door-opener to closing down a hospital, bank or airport. That can become very expensive for you. So, what are the considerations? And what to look for to prevent problems?
Cyber Security Threats
The threat can come from various directions. Part of it must be solved within the organisation. In most cases there are people interacting with the systems and, unfortunately, that creates a weak link. We write down passwords, use easy passwords, use freebee USB sticks, etc.
Companies, including governments, are forced to take more and more action. The UK government has set-up a department around this topic, NCSC, and issued a Minimum Cyber Security Standard that all government departments need to adhere to.
While the consequences of a hack of a small system may appear to be manageable, our fast-growing connected world (smart buildings, smart cities, smart industry) makes those consequences grow exponentially. To hack a wired system you would at least need physical access but, with wireless systems, hacks can be performed from several hundred metres away, and with (cloud) connected lighting from anywhere.
As connected systems become more part of our life (and business), the opportunity for criminals is increasing. A higher chance and greater consequence means a far higher risk.
Considerations for a Lighting System
Let’s have a look at a few individual aspects that need to be considered within a Lighting System. We’re looking primarily at wireless systems as this is clearly the trend in the market and poses the greatest risk.
Access to the equipment must be considered for both wired and wireless systems. A conventional wired DALI lighting control system could be hacked by connecting physically to the network. This may not usually be considered as a high risk, as it will not be easy to get physical access (normally the system sits in the ceiling and cabinets) and with 64 devices the consequences are limited. Still, it should still be a security consideration for any system to prevent unauthorised access to devices (be it controllers, gateways, servers), especially if not 100% certain about all the system as a whole.
The devices in a wireless network communicate via each other via radio signals. It is common practice to use 128-bit encryption. This makes sure that only devices with the ‘key’ can take part in the communication. Most, if not all, wireless controls companies use this technology. However, most companies also use this as ‘proof’ to the client that their system is secure. However, it is just one of the elements.
Encryption of the device-to-device communication prevents ‘external’ devices from access. However, devices within the network, obviously, have access. This means that if there is access to one of those devices, security is compromised. This is an area where most systems fail because the devices themselves are not encrypted. This breach would give access to the keys and with that to the communication. It is important to verify that all of the devices have 128-bit encryption as well.
Open protocols, such as Zigbee or Bluetooth, are popular because they provide interoperability between systems. But security flaws have been reported. Widely used protocols make them interesting for hackers as it will give them access to a large market.
Proprietary systems may not be as interoperable (on the communications level), and are less likely to be hacked from a volume perspective.
As soon as the systems get connected to the outside world (Cloud), proper protocols need to be in place. This is a quite well-developed part of the network, with technology standards such as HTTPS and WPA2.
Authentication & authorisation
The last step is authentication. It is of vital importance to make sure that a) the user is who the user says he is, and b) the ‘owner’ of the system has full control over who has access and what ‘rights’ they have. The first point seems obvious. Techniques like 2-step authentication have stepped this up. Nevertheless, there are still systems that only offer minimal functionality. For the second point, some systems do not give any functionality to control (add and remove) access. Once access has been gained (installer, former employee), they cannot be removed from the network (compare this to a bluetooth speaker). Advanced systems give opportunity for the owner to add and remove users, restrict their rights, and require additional restrictions like device IDs or even geo-fencing.
What to do?
Analogy: Online banking
A well-developed application for cyber security is online banking. For online banking, we use encrypted communication, encrypted devices, 2-step verification, HTTPS servers, etc. However, we should expect the same degree of protection for our connected lighting control systems, not only for large installations, but for all types of installations.
There is some standardisation on Cyber Security, but it is still very local and not harmonized. As mentioned, governments are rolling out policies, standards and in some cases certification. Until this is more developed the onus is on the client to verify for themself if enough security is in place.
Things to look for
As a client it makes sense to address each of these considerations when evaluating a system. Make sure that the performance is to your satisfaction. Insist on system documentation that describes the functionality of the system in detail; the marketing brochure is not likely to cover it. Especially for wireless systems, it is important that the system is capable of running ‘over-the-air’ (OTA) updates. Any observed security flaw can quickly be resolved. Not all systems are equipped with this functionality.
Be aware that not all systems can do firmware updates in a system that is in operation (which makes it difficult for 24/7 operations). Last but not least, a client should convince themself that the company developing a system has proof of an acceptable “security strategy”. This will describe their technology, development and supply-chain status (remember, hardware is regularly produced by 3rd party subcontractors). Furthermore, has the system been assessed by third parties and/or tested for hacking (penetration testing) – probably the gold standard for security testing..