Managing Security Risks in Smart Lighting Systems

This blog post is the first of a multi-part introductory series on Managing Security Risks in Smart Lighting Systems.  

Building Automation and Control Systems (BACS) monitor and control a range of building systems such as lighting, heating, air conditioning and more. The terms used for BACS are widespread--Building Management System, Building Automation System, Smart Building and more, depending on the scope of the system. A Smart Lighting System is a base building system that is an important, integral part of a BACS.  

At a fundamental level, every type of BACS facilitates the flow of information as well as automated control through connectivity. This flow of information is required to reduce operating costs and provide better and timely information about a building function or asset. BACS are a form of business information system (BIS) and, like any other BIS, can create potential security threats and risks to the business.

Navigant Research recently analyzed the implications of increased connectivity and concluded that building stakeholders, such as facility management professionals, need to take a proactive approach to cybersecurity threats. They need to determine vulnerabilities and educate the enterprise even though security may not be their main focus area.

Let’s get started with some basics on Smart Lighting System security, and identify the needs and risks facility managers and operators should know about.

Multi-Tier Approach to Security

The range of security threats and risks involving BACS is broad with examples including unauthorized access, denial of service to those that should have access, physical destruction of devices and the loss or manipulation of data. BACS security should support a multi-tier approach that includes features implemented at the device, network and software levels within the system as well as implementing cybersecurity controls on an organization level.

Security vulnerabilities will never be eliminated in a BACS. Instead, the risks must be managed.

It’s important to understand how the system supports security and what security tactics and risk mitigation strategies have been implemented within the system. The BACS should be able to limit or contain the impact of a potential cybersecurity event.

The end customer must develop and implement appropriate procedures to identify the occurrence of a cybersecurity event, take action regarding the detected incident, and restore capabilities and services impaired by the event. Security features built into the BACS can help enable the end customer to do these aspects of their job better. End customer procedures and responsibilities will be covered in a later post as part of this multi-part introductory series on Security in Smart Lighting Systems.

Security by Design

When choosing and implementing a secure BACS, facility managers have to ensure that they pick a system that supports their multi-tier cybersecurity approach and that provides the necessary technical security controls for the right level of protection.

Security cannot be an afterthought in system design.

It should be an integral part of design and development, and introduced to both the software and hardware early in the process.  A variety of security management measures such as access control, authentication, system and communication protection, and other best practices should be part of the system design process.

Cybersecurity Framework and Security Standards

To implement a multi-tier cybersecurity system, there are several well-established cybersecurity frameworks and security standards to help organizations manage their cybersecurity risks including:

• NIST Cybersecurity Framework
• NIST SP 800-53
• IEC 62443
• ISO 27000

Leverage NIST Security Controls

U.S. Federal Information Systems and Organizations have strict security and privacy control requirements and rely heavily on the work of NIST, the National Institute of Standards and Technology. NIST is a unique federal agency that advances measurement science, standards and technology.  NIST security controls have a well-defined organization and structure, and aspects include policy, oversight, supervision, manual processes, actions by individuals, and automated mechanisms implemented by information systems/devices.

NIST provides two frameworks--the NIST Cybersecurity Framework and the NIST Special Publication 800-53--that build on each other. Both are widely adopted by US Federal Agencies either as standalone or a combined framework.

NIST Cybersecurity Framework

At a high level, the NIST Cybersecurity Framework is a core tool that can be used to identify, assess and manage cybersecurity risk. Designed to complement existing business and cybersecurity operations, the NIST Cybersecurity Framework Core has five security functions:

• Identify
• Protect
• Detect
• Respond
• Recover

Each of these 5 functions have groups of cybersecurity outcomes tied to them. For example, under the IDENTIFY framework core security function, a smart lighting system would focus, as one example, on Identity Management and Access Control. A specific technical or management outcome of this activity, as an example, would be the definition of organizational roles and responsibilities and their mapping to system access privileges.

NIST SP800-53

NIST SP 800-53 provides guidelines on baseline security controls that fulfill these 5 security functions. The guidelines also meet the minimum security requirements for Federal Information Processing Standards (FIPS 200). NIST FIPS 200 breaks down security requirements into different areas that address the management, operational, and technical aspects of protecting federal information and processing systems including the following:

• Access Control
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• System and Communications Protection
• System and Information Integrity

Additional Standards

IEC 62443 can be used as an alternative set of standards to NIST in non-Federal deployed industrial control systems. The standards define security controls at the organizational, system and device level.

The ENCELIUM® EXTEND Light Management System has been accepted as a secure system by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.

This blog post is the first in a series about Managing Security Risks in Smart Lighting Systems. We will cover best practice security control strategies and managing insider threats in future posts. If you are a subscriber to the Digital Systems Blog, you will automatically receive notification of these posts in your email box.