The 2013 Target data breach of 40 million credit and debit card numbers revealed the risks of connecting information technology (IT) and building operational technology (OT) systems. “[I]t introduced the retail industry to a more sophisticated type of cybercrime,” said Target chief information security officer Rich Agostino at the 2020 National Retail Federation Big Show. “It wasn’t just a wake-up call for us, but for retail as a whole.”1
The incident led to perhaps the largest retail effort to reanalyze security parameters and to the establishment of the current gold standard in retail security. The attackers gained initial access via the remote building management and monitoring system. Information was also compromised through rudimentary email phishing. Further investigation found weak credential management for edge devices, inadequate edge-device security policies and capabilities, improper network segmentation, and insufficient employee training regarding supply-chain security2.
Since then, security design has attempted to limit unanticipated interactions by keeping the attack surface small, as network security specialists have learned how far and wide IoT extends that surface. IoT security is complicated. The ecosystem is rapidly changing, and its exponential growth makes IoT a target for future attacks. Professionals responsible for connecting lighting and building systems into a converged network must understand the risks and mitigate security gaps by implementing proven IT security measures.
Identify potential weaknesses in communications systems
Any lighting system in a commercial facility includes a communications network and intelligent system elements, such as sensors, lighting devices, and user interfaces for lighting control. Lighting network technologies are often proprietary, but they commonly interface with the public (or semipublic) networks that are typically connected to the internet. This is done through bridging, or gateways, that translate the proprietary protocol into common digital communications norms — most commonly Ethernet and the TCP/IP stack. The benefit of open connectivity is its innate ability to link with other systems and devices through these norms. Still, that same “standard” communication philosophy effectively widens the attack surface.
This attack surface depends heavily on the medium of communications. Wireless data transfer is typically used for short-range, low-power communications devices integrated into fixtures, or for formerly wired, external control elements such as wall switches, motion sensors, and dimmers. Here, communication has historically been proprietary in nature, though the lighting industry has seen steady uptake of standards such as Zigbee, Wi-Fi, and Bluetooth. Yet these communications are often encoded upstream by a gateway or bridge into Ethernet that enters the aforementioned public, or semipublic, network.
Though a common response is to avoid connecting the lighting system to Ethernet, this is rarely feasible. In our digitized world, building systems’ connectivity — be it in our homes or commercial buildings — has elevated efficiency, convenience, automation, sustainability, and management. Lighting technology can fulfill many roles beyond illumination, but manufacturers must offer simple, secure, and well-built cross-connection methods to other building and IT systems. Separate from legislation, manufacturers are responsible for the security of the solutions they provide, and as such must invest in security that meets IT expectations going forward.
The practical solution is to follow IT security norms and provide edge-based security to limit the size of the exposed security plane. As commonly used in IT, “edge” refers to anything in the field that is interconnected by common IT means, and an “edge device” is anything touching the internet, from a residential thermostat to the light and motion sensors in a commercial facility. In the lighting or HVAC industry, an edge device can be a hardware gateway connecting a trade-specific subsystem to the wider network; that subsystem’s protocol may be proprietary to the industry. In a networked lighting system, or “edge system,” 500 DALI or 0–10V drivers connected to fixtures could live in isolation behind an edge gateway that is the only path between the internet and that subsystem of fixtures. Modern commercial buildings and facilities have a multitude of edge systems that talk to each other and to the outside world through such edge gateways.
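The edge-gateway arrangement just described, in which the driver subsystem is reachable only through the gateway, is what a default-deny segmentation policy enforces. The following Python example is added here and is not code from the article or from any vendor: it models such a policy as a first-match rule list and checks a handful of constructed flows against it, including the direct workstation-to-driver path that improper segmentation would leave open. The addresses, port numbers, and host roles are assumptions chosen for the illustration.

```python
"""Default-deny segmentation policy for an edge gateway that fronts a fixture subnet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this illustration (assumed, not from the article).
BUSINESS_LAN = ipaddress.ip_network("10.10.0.0/16")      # IT / business network
FIXTURE_NET = ipaddress.ip_network("192.168.50.0/24")    # DALI / 0-10V driver controllers
ANY = ipaddress.ip_network("0.0.0.0/0")
BMS_SERVER = ipaddress.ip_network("10.10.20.7/32")       # only host allowed to reach the gateway API
GATEWAY_IT = ipaddress.ip_network("10.10.5.1/32")        # gateway's business-network interface
GATEWAY_OT = ipaddress.ip_network("192.168.50.1/32")     # gateway's fixture-network interface
MGMT_PORT = 443                                          # gateway management API port (assumed)
FIXTURE_PORT = 4242                                      # fixture control protocol port (assumed)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    note: str


# First match wins. Reply traffic is assumed to be handled by connection tracking,
# so only the initiating direction is listed; the catch-all makes it default-deny.
POLICY = [
    Rule(BMS_SERVER, GATEWAY_IT, MGMT_PORT, "allow", "BMS reaches the gateway API only"),
    Rule(GATEWAY_OT, FIXTURE_NET, FIXTURE_PORT, "allow", "gateway drives the fixtures"),
    Rule(ANY, ANY, None, "deny", "default deny"),
]


def evaluate(src: str, dst: str, dport: int, policy=POLICY):
    """Return (action, reason) for one flow, using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.note
    return "deny", "no rule matched"   # unreachable with the catch-all; kept as a safety net


def audit(flows, policy=POLICY):
    """Return log-style lines for every flow the policy rejects."""
    denied = []
    for src, dst, dport in flows:
        action, note = evaluate(src, dst, dport, policy)
        if action == "deny":
            denied.append(f"DENY {src}->{dst}:{dport} ({note})")
    return denied


# Constructed sample flows: what a packet capture on the gateway might contain.
SAMPLE_FLOWS = [
    ("10.10.20.7", "10.10.5.1", 443),        # BMS to gateway API: allowed
    ("10.10.33.9", "192.168.50.20", 4242),   # workstation straight to a driver: the Target-style gap
    ("10.10.33.9", "10.10.5.1", 443),        # workstation to gateway API: not the BMS, denied
    ("192.168.50.1", "192.168.50.20", 4242), # gateway to driver: allowed
    ("192.168.50.20", "8.8.8.8", 443),       # fixture subnet reaching the internet: denied
    ("192.168.50.20", "10.10.20.7", 445),    # fixture subnet reaching the business LAN: denied
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Running the block prints the four rejected flows. The point of the exercise is the last two entries: a compromised fixture or driver should be unable to initiate anything toward the business network or the internet, which is exactly the direction the Target intruders travelled.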
Standards and policy that prioritize security
In 2021, more than 10 billion IoT devices were in operation3, a number that is expected to surpass 25.4 billion by 2030. Technology advances have brought Ethernet to the forefront in commercial building systems. It is no longer practical to silo building operations systems and lighting systems on separate networks. Increased uptake of Power over Ethernet (PoE) lighting and a growing call for unified systems to ease operation and maintenance have created demand for building technology to live on business networks for cost management reasons alone. Protecting these devices and networks is more critical than ever.
Security pain points with IoT-connected devices have been the subject of so-called “ethical hacking” demonstrations. For instance, at London’s 2016 LuxLive event, security consultancy Pen Test Partners showed how easily Wi-Fi passwords and other information can be extracted from unsecured home appliances, smart toys, and other networked products. At the 2017 IEEE Symposium on Security and Privacy, researchers took over and controlled smart lamps to demonstrate a chain reaction that could spread throughout a city4. Their study demonstrated that attackers bridging the gap between the physical IoT network (the lamps) and other targets could infiltrate a home computer, offices, or an entire city.
Regulatory policy will influence the security measures required of both device makers and systems integrators. An example is California Senate Bill SB-327, which went into effect in January 2021 and requires manufacturers of connected devices to eliminate default passwords, which are often left unchanged. It extends the scope into healthcare, automotive, and commercial building systems5. The bill defines an IoT device as “any device, or other physical object which can connect to the internet, directly, or indirectly, and that is assigned an internet protocol address or Bluetooth address”6. Given the structure of lighting systems and their connectivity to the greater world, it is clear the policy applies to them.
This followed the IoT Cybersecurity Improvement Act (HR1668)7, which required the National Institute of Standards and Technology (NIST)8 to publish a set of standards and guidelines on the appropriate use and management of IoT devices controlled by any U.S. government agency. The act prohibits any federal agency from procuring, obtaining, or using IoT devices that don’t meet the new standard. Though NIST hasn’t fulfilled this obligation yet, it will drive purchasing behavior for federal, state, and most likely private sectors alike.
The aforementioned NIST standards could begin requiring building components that cross-connect with IT systems to enter the world of IT standards, such as secure hardware booting and TPM support (Trusted Platform Module — a standard for a secure cryptoprocessor)9. The IT sector has staked a claim on determining what a chip is doing, how it communicates, what it communicates, and so on. These concepts are crossing into the lighting systems world. Understanding their importance and their impact on supply-chain traceability, by walking the well-worn paths of IT developments, is critical.
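To make secure boot and TPM measurement concrete, the following Python example, added here and not taken from the article or from the cited book, simulates a measured boot: each boot stage is hashed and folded into a platform configuration register (PCR) with the TPM extend rule, and a verifier replays the device's event log against vendor-published (“golden”) digests. The firmware images and their digests are constructed stand-ins, and the signed TPM quote that would prove the reported PCR came from a genuine TPM is assumed rather than modelled.

```python
"""Measured boot with TPM-style PCR extend, plus a verifier-side attestation check."""
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR bank reads all zeros at power-on


def extend(pcr: bytes, measurement_digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || digest).
    The chaining means no stage can be altered without changing every later PCR value."""
    return hashlib.sha256(pcr + measurement_digest).digest()


def measured_boot(stages):
    """Device side: hash each boot stage before handing control to it, extend the PCR,
    and append the stage to an event log. Returns (final_pcr, event_log)."""
    pcr = PCR_INIT
    log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def attest(reported_pcr: bytes, event_log, golden_digests):
    """Verifier side: replay the event log and require that it (a) reproduces the
    reported PCR and (b) matches the vendor's golden digest for every stage."""
    replay = PCR_INIT
    for _, digest_hex in event_log:
        replay = extend(replay, bytes.fromhex(digest_hex))
    if replay != reported_pcr:
        return False, "event log does not reproduce the reported PCR"
    if len(event_log) != len(golden_digests):
        return False, "unexpected number of boot stages"
    for (name, digest_hex), golden in zip(event_log, golden_digests):
        if digest_hex != golden:
            return False, f"stage '{name}' does not match its golden measurement"
    return True, "all boot stages match golden measurements"


# Constructed firmware images for a lighting gateway (stand-ins, not real firmware).
GOLDEN_STAGES = [
    ("bootloader", b"constructed bootloader image v1.2"),
    ("kernel", b"constructed kernel image v5.10"),
    ("lighting-app", b"constructed lighting controller application v3.0"),
]
# What the vendor publishes and the verifier stores: one SHA-256 digest per stage.
GOLDEN_DIGESTS = [hashlib.sha256(img).hexdigest() for _, img in GOLDEN_STAGES]

# The same device after its application image has been replaced.
TAMPERED_STAGES = GOLDEN_STAGES[:2] + [("lighting-app", b"constructed modified application")]

if __name__ == "__main__":
    pcr, log = measured_boot(GOLDEN_STAGES)
    print("clean device:", attest(pcr, log, GOLDEN_DIGESTS))
    bad_pcr, bad_log = measured_boot(TAMPERED_STAGES)
    print("tampered device, honest log:", attest(bad_pcr, bad_log, GOLDEN_DIGESTS))
    print("tampered device, forged log:", attest(bad_pcr, log, GOLDEN_DIGESTS))
```

The third case is the one that matters for supply-chain traceability: a device whose application was swapped cannot present the original, clean event log, because replaying that log yields the original PCR, not the one its TPM now holds. In a real deployment the PCR value arrives inside a quote signed by the TPM's attestation key, which is what stops the device from simply reporting the expected number.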
Conclusion
With IoT becoming the driving force in our fully digitized built environment, automated buildings and facilities are propelled by IT technologies. The lighting industry has two choices: Run alone in order to secure its world on its own devised principles; or embrace IT norms and work to integrate transparently with IT solutions. Lighting professionals must accept that new building systems will require integration at this IT level, given the IT space was charged with security by necessity years ago. IoT technology is expanding; manufacturers of devices, from cameras to mousetraps, have adopted and embraced IT standards.
Building systems, including lighting, have changed drastically in recent years. Manufacturer adoption of IT standards does not preclude trade specialties that exist between brands and systems. Instead, it allows the lighting and electrical sectors to leverage the best practices of the IT industry, offering the security and integration that the modern building demands.
References
1. Target Bullseye View, “How Target’s Leading the Way in the Industry Through Cybersecurity Collaboration” (Jan. 20, 2020).
2. Entech, “Anatomy of a data breach – what we learned from Target” (May 1, 2019).
3. B. Jovanovic, “Internet of Things statistics for 2022 – Taking Things Apart,” via DataProt (Mar. 8, 2022).
4. E. Ronen et al., “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” Proc. 2017 IEEE Symposium on Security and Privacy (June 26, 2017).
5. A. Vigderman, “California Passes Nation’s First Cybersecurity Law Addressing Internet of Things,” via security.org (Dec. 2, 2020).
6. California Senate Bill SB-327, Information privacy: connected devices (2017–2018).
7. 116th U.S. Congress, H.R. 1668, IoT Cybersecurity Improvement Act of 2020 (2019–2020).
8. U.S. Congress H.R. 1668, IoT Cybersecurity Improvement Act of 2020 (via trackbill.com).
9. S. Cheruvu et al., Demystifying Internet of Things Security, New York, ApressOpen (2020).
Get to know our expert
MICHAEL C. SKURLA is chief product officer of Radix IoT, LLC, a commercial IoT platform offering monitoring and management of multisite infrastructure ranging from smart buildings to telecommunications. Skurla has more than 26 years of experience in control automation, lighting, and IoT product design with Fortune 500 companies, focusing on the intersection of software and hardware that emphasizes data aggregation and analytics for mission-critical industries. He is a recognized thought leader and a contributor to industry publications such as Critical Facilities, Oilman Magazine, IoT Playbook, IoT News, and Digitalisation World (U.K.), and is a frequent lecturer on the topic of outcome-based analytics and consolidated data methodologies for building and industrial applications to drive efficiency and alternative business outcomes through data. Skurla is a contributing member to industry associations, including ASHRAE, USGBC, CABA, and IES.
An abridged version of this article was published in the April/May 2022 issue of LEDs Magazine.