Lighting Controls Security in the IOT Reality

Lighting Control Security in IOTIn 2015 Lighting Controls Security in the IOT (Internet of Things) world is a major concern for many facility managers, building owners and tenants alike.

System Integrators and Lighting Control Manufacturers typical push back and attempt to deny responsibility stating:

 

“This system’s network security is not my responsibility! This is up to the building owner or facility manger.”

This response doesn’t cut it anymore.

Another typical work around for the alarming security holes in lighting control systems is to install completely separate LAN cabling exclusively for the networked lighting control system – and not connect them to IOT services and devices. This has to been done due to the unsecured nature of existing lighting control systems and because of the known security vulnerabilities, risk and exposure related to these older legacy systems.

But this is an unnecessary cost in both labour and materials and potentially impacts the usefulness of these systems and the benefits of integrating and leveraging their data.

Lighting control manufacturers need to migrate into the 21st century and ensure their systems provide encrypted, authenticated communications to allow these systems to co exist on building’s core LAN infrastructure.

This can result in a significant real dollar savings and cost cutting associated with NOT using this out-dated process of installing exclusive lighting control networks or pushing more burden onto the facility manager’s IT resources.

The Internet of Things is the Next Industrial Evolution

It has been forecasted that there may be up to 50 billion devices connected to each other by 2020. Not all of these will be in commercial buildings or be lighting control systems or lighting devices.

But they will be interconnected, communicating with each other without any human interaction.

And a large number of them will be unsecured.

Image Credit: Patrick/Flickr

Image Credit: Patrick/Flickr

Consider that (IBM) International Business Machines Corp said on Tuesday it will invest $3 billion over the next four years in a new ‘Internet of Things’ unit.

If IBM thinks its worth investing $3billion dollars, the larger consulting, engineering and property development communities should sit up and listen.

If a lighting control system can be easily compromised – as most in common use in Australia can be –  and these are then used as the stepping stone into the larger building network, the potential for harm and risk exposure is severe to those facilities, occupants and welfare of individuals and organisations.

Of course not all buildings have all systems interconnected, yet, so what risk is there?

Is your Lighting Control System a Chink in the Armour of your Facility’s Digital Security?

 

“Why would I care about my lighting control system getting hacked?”

At worst, someone gets information about how often I turn on or off my lights. Maybe an adversary could even annoy me by turning off my lights. How bad is that?” Mr. Harrington asks in this article, ‘Internet of Things a playground for hackers‘.

This asks completely the wrong question and trivialises the problem.

The hacking of “the smart light bulb” in a single room of a single persons house is not a very big deal. But now expand that:

  • Hacking EVERY light in a fully automated house – that’s not just a little inconvenient, it’s a major problem
  • Hacking EVERY light in a fully automated apartment block – that’s probably going to lead to legal action
  • Hacking EVERY light in a commercial office building – that’s going to lead to a building evacuation especially with Australia strict Worplace Safety Laws…

…and sooner or later when a cause is found, heads will roll, damages will be claimed, and its going to be messy!

Looking at a few worst case scenarios helps.

In the world of risk management the question is often asked  “How do you determine the level of damage you might be in for?”

The worst possible case often cited for an airline: Assume a plane crashes, and it is filled with American Lawyer’s wives… now what damages might you be up for?

Back on earth and with commercial buildings we have some different realities.

Credit: FORSCHUNGSZENTRUM JÜLICH/MARC STRUNZ-MICHELS

Credit: FORSCHUNGSZENTRUM JÜLICH/MARC STRUNZ-MICHELS

  • Building evacuations happen down stairs.
  • What happens if someone trips and falls?
  • What if they get trampled?
  • What if there is a panic?
  • How many people are injured or killed during that process?
  • Assuming NONE is the wrong answer.

Anything where automation or lighting control prevents orderly evacuation WILL RESULT IN LEGAL ACTION and WILL SEE THOSE TAKING ACTION hunt for the deep pockets. After all, that’s what lawyers do.

Risk Mitigation Beyond Human Injury

These outcomes listed above are only the physical outcomes to personnel and facility occupants.

It is well known that lighting control systems are often connected to other systems in buildings including:

  1. FIP (Fire Indication Panels)
  2. HVAC (Heating Ventilation Air Conditioning) Systems
  3. Security Access Systems
  4. Room Booking Systems
  5. AV Systems

If the lighting control system is compromised, these connected systems are compromised. Now when asking the question “Why would I care if my lighting control system was hacked”, the answer is complex and dangerous to consider.

Do Not Trivialise the Importance of a Secure Lighting Control System

So the point being made is that trivialising the issue “How bad can that be” is not connected to reality, and misses the point.

Comprising the lighting control system in some manner is of itself a huge problem.

Balance

There are degrees of madness in all this:  If you have physical access you can take out the lighting system by swinging an axe through a wiring cabinet – or attach some clips to the physical wiring and start injecting packets.

But lighting control manufacturers are not in charge of physical site security, that’s out of their hands.

They are only considering access that’s not local:  wireless, or remote through remote networking / internet.

Lighting Control Security in 2015 and beyond will continue to evolve. Today in Australia, the incumbent or legacy systems provide no level of security equivalent to or capable of withstanding a rudimentary system attack or hack – potentially exposing hundreds of facilities nationwide.

Only systems which provide standardised encryption on communications with appropriate authentication schemes should be specified and installed. It is the responsibility of Engineers and Consulting firms involved with the specification of these systems to provide a level of security and peace of mind, not just for today but for what the future holds.