Guest post by Steve Mesh
Advanced Persistent Threats … Denial of Service … Access Control and Authentication … Structured Penetration Testing … Fuzz Testing – wait a minute! All of these terms are associated with cyber security. Isn’t this a blog about lighting control systems? Guess what – if you’re installing a lighting control system in 2018, you have to be concerned about cyber security. Why? Very simply – because many current lighting control systems are NETWORKED!
It’s true that some systems are “networked” without any possibility for outside access. For example, certain vendors offer systems that are “autonomous” and make use of pre-programmed behaviors based on input from sensors and switches. Because these systems are essentially closed to the outside world, they can’t receive ADR (Automated Demand Response) signals. Generally, these systems are not connected to and driven by other building systems such as building management systems (BMS), nor do they generate data on energy consumption or occupancy.
Most lighting control systems, however, have the possibility of being open to the outside world. How so? Two main possibilities exist:
1. Server-gateway connections – In networked lighting control systems, the server (typically located in an electrical or IT closet in the building’s core) is connected to one or more gateways (typically located in the occupied space). It’s always possible to make direct connections between these components – for example by using a dedicated Ethernet cable. However, it is probably more expedient to make that connection over a building’s existing network. That would eliminate the need to run a new, dedicated Ethernet cable – saving expense and reducing installation complexity and time. In order for the server to “discover” the gateways, the commissioning agent simply needs to know the IP addresses of the gateways and search for them on the existing network. This requires permission from the owner to piggyback onto an existing IT network. In this scenario, the lighting control system server and gateways are now integral parts of the entire network – even though their function is essentially limited to that of lighting control. What if malicious code has inadvertently been baked into the lighting control system? It’s possible that this could impact anything on the entire network.
2. Remote access – Many current lighting control systems allow access to the server’s software from a remote location. This can be very beneficial in a number of ways. It can allow building engineers or other “sysops” to make changes from anywhere, even if they are not physically at the server itself. Many systems also have functions to e-mail or even text designated people when alerts or alarms go off in the system. Having “remote access” to the system’s software allows for immediate resolution of any problem that might arise. However, these connections are always made through the internet. Just as when you’re making an on-line purchase, there is always a potential vulnerability once your “transactions” are open to the outside.
IoT – Many vendors these days say that they have “IoT” (or at least IoT “compatible”) systems. IoT – Internet of Things – is a giant buzzword that most vendors like to use to indicate that their products are current. But what does IoT really mean? According to Chris Yorgey, Engineering Project Leader at Lutron, their working definition of IoT is … “devices, systems, and services that are CONNECTED, collect and share DATA and information and that are SMART enough to use the information to DELIVER REAL VALUE”. Based on that definition, even a closed legacy system using let’s say DALI protocol could be considered as an IoT product. However, in 2018, the important part of “Internet of Things” is … Internet. The main paradigm shift in the lighting controls industry in recent years has been to systems that are for all intents and purposes computer networks – which just happen to drive light fixtures. So, regardless of whether a given lighting control system uses DALI protocol or 0-10V signals to drive the end-use components (i.e., fixture controllers), some part of the system is truly a computer network, and many are “connected”, often through the internet.
If you think about the connectivity inherent in an IoT system, it’s always a double-edged sword. There are potentially huge benefits to reap from being able to access information from every single fixture, sensor, switch, etc. However, it is exactly this connectivity that makes the system vulnerable. Are there ways to reduce or eliminate 100% of the vulnerabilities inherent in a current state-of-the-art lighting control system? Eliminate 100% – probably not. Reduce to an acceptable level – yes. How so?
ANSI/UL 2900-1 – This is a new standard for testing procedures titled “Software Cybersecurity for Network-Connectable Products”. Why is UL involved in writing a standard for software cybersecurity? UL’s raison d’être is to help manufacturers reduce or eliminate risk from the use of their products. Cybersecurity vulnerabilities represent an enormous risk for any vendor – whether they affect only that particular system or are used as a gateway for much more malicious activity in the owner’s enterprise. UL now has a robust procedure for determining how vulnerable a vendor’s operating software is to potential threats. They look for any and all of the following:
• Malware – viruses, Trojans and worms
• Advanced persistent threats (specific targets)
• Denial of Service attacks
• Other common attacks – Phishing, brute force, back door
There are a variety of techniques that they use to assess the vulnerability of a system’s operating software. For example:
• Fuzz testing – a technique used to discover coding errors and security loopholes in software, operating systems, or networks by inputting massive amounts of random data (called fuzz), in an attempt to make the device operate improperly
• Code and binary analysis
• Evaluation of access control and authentication
• Structured penetration testing
• Known vulnerability testing – verifying that the software is not vulnerable to existing, documented malware (especially when patches already exist)
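To make the fuzz testing idea above concrete, here is an added example (not from UL or any vendor) that throws random bytes at two parsers for a constructed 3-byte "set level" frame. The frame layout, opcode and function names are assumptions made up for illustration.

```python
import random

# Hypothetical frame for a constructed lighting gateway (not a real protocol):
# byte 0 = opcode (0x01 = set level), byte 1 = fixture id, byte 2 = level 0-100.

def parse_naive(frame: bytes) -> tuple:
    """Trusts the sender: no length check, no range check."""
    if frame[0] != 0x01:              # IndexError on an empty frame
        raise ValueError("unknown opcode")
    return frame[1], frame[2]         # IndexError on short frames

def parse_checked(frame: bytes) -> tuple:
    """Validates length, opcode and range before using any field."""
    if len(frame) != 3:
        raise ValueError("bad length")
    if frame[0] != 0x01:
        raise ValueError("unknown opcode")
    if frame[2] > 100:
        raise ValueError("level out of range")
    return frame[1], frame[2]

def fuzz(parser, rounds: int = 5000, seed: int = 2018) -> list:
    """Feed random frames of 0-5 bytes to parser and collect misbehaviour.

    A ValueError is a clean rejection. Any other exception, or an accepted
    level above 100, is recorded as a finding.
    """
    rng = random.Random(seed)         # fixed seed so every finding is reproducible
    findings = []
    for _ in range(rounds):
        frame = bytes(rng.randrange(256) for _ in range(rng.randrange(6)))
        try:
            _fixture, level = parser(frame)
        except ValueError:
            continue
        except Exception as exc:      # the parser crashed instead of rejecting
            findings.append((frame, type(exc).__name__))
            continue
        if level > 100:
            findings.append((frame, "accepted out-of-range level"))
    return findings

if __name__ == "__main__":
    for parser in (parse_naive, parse_checked):
        results = fuzz(parser)
        print(parser.__name__, len(results), "findings", sorted({k for _, k in results}))
```

Each finding keeps the exact input that triggered it, which is what lets a developer reproduce and fix the defect.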
Boy this is getting complicated! As you can tell, you cannot be a lighting control system vendor in 2018 and have no knowledge whatsoever of IT or cybersecurity! Alternately, hire someone who does. It is absolutely essential that any vendor has done what they can to eliminate or at least reduce the risks of using a “connected” system to an acceptable level.
Hardware – So far, we’ve talked a lot about the potential security vulnerabilities inherent on the software side of a system. Are there potential risks based on the specific hardware that a given system uses? For sure. Unless you’ve been living under a rock for the past 5-10 years, then you must know that wireless systems are all the rage. The potential benefits in using a wireless system are enormous:
1. End-use components such as fixture controllers do not have to be physically connected to the lighting control system’s network. This can potentially save enormous amounts of time and money during installation.
2. Wireless fixture controllers (as well as on-board sensors) can be pre-installed in the factory. Once they are on the job site, the electrician simply connects the line-voltage power wires as they would with any other fixture. They don’t have to have any prior knowledge of 0-10V dimming, network connections, etc.
Isn’t there more inherent vulnerability if you install a system that uses wireless signals to connect components? Interestingly, current thinking about this may be changing. Why? Because a wireless system is essentially “air-gapped” from other networks. Before making a purchase decision, you should definitely ask prospective vendors for their opinions on this subject – and most importantly, why they feel the way they do about wired vs. wireless.
Standard methods of protection – There are common techniques of protection that should be standard for any vendor offering a networked lighting control system. These include:
• AES 128-bit encryption
• Distributed security architecture – i.e., each gateway having its own key(s)/password(s)
• NIST-recommended best practices for securing passwords, including salting and use of scrypt
• HTTPS protocol (many systems have software that is accessed as a web page residing on a server or gateway – HTTPS is a secure protocol for making web connections)
• WPA2 technology for making Wi-Fi connections
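As an added illustration of two items in the list above (per-gateway credentials and salted scrypt password storage), the sketch below stores one salted scrypt record per gateway. It is not any vendor's code; the gateway names, sample passwords and cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune them to the hardware doing the check.
N, R, P, KEY_LEN = 2**14, 8, 1, 32

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, dklen=KEY_LEN)

def enroll(password: str) -> dict:
    """Create a stored record: a fresh random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}

def verify(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])

def build_store(credentials: dict) -> dict:
    """One independent record per gateway (the distributed architecture)."""
    return {gateway: enroll(pw) for gateway, pw in credentials.items()}

if __name__ == "__main__":
    # Constructed sample data: hypothetical gateway names and passwords.
    store = build_store({"gw-east": "correct horse 1", "gw-west": "battery staple 2"})
    print(verify(store["gw-east"], "correct horse 1"))   # True
    print(verify(store["gw-west"], "correct horse 1"))   # False
```

Because every record has its own salt, identical passwords produce different hashes, and a password learned for one gateway does not unlock another.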
Lastly, there has been a bit of a tug-of-war concerning system architecture. In Silicon Valley, the mantra is to have systems that are 100% “open and interoperable”. This implies that everything should be readily accessible – even down to the lowest-level end-use components (i.e., fixture controllers, sensors, etc.). In some systems, these devices actually have their own IP addresses and are literally “on the web”. Some lighting controls vendors, however, prefer a different approach to system architecture. For example, some vendors prefer to have a “closed” system – but are okay with the brains of that system (the server) being connected to other building systems (i.e., Building Management System, Automated Demand Response server, etc.). The idea is to allow interoperability, but only when the actual access is constricted to the “head-end” part of the system (the server). This approach substantially limits the vulnerability because it reduces the components that are actually connected to the “outside” to … one.
Cybersecurity is now an integral aspect of most lighting control systems. There’s no getting around it. There may be a steep learning curve for anyone trained in the lighting industry to keep abreast of the latest techniques in eliminating security vulnerabilities. Just remember that there are plenty of people who have been trained in just those subjects outside of the lighting industry. Vendors may also want to contact UL to find out more about the new ANSI/UL 2900-1 certification.