Geoff Archenhold: Will smart buildings be a security risk too far?

Another month and yet another security risk identified with smart lighting systems but what can architects, lighting designers and engineering firms really do to assure their clients their projects are secure and robust? Dr Geoff Archenhold investigates.

Modern smart buildings are embracing technology at a rapid pace and smart lighting is a vanguard for creating a new working environment that embraces the quality of personalised lighting. Indeed, the research firm Gartner predicts that more than 500 million connected devices will be installed in commercial buildings during 2016 to help improve energy efficiency by up to 20 – 50%.

The use of embedded ambient light and occupancy sensors will allow smart buildings to run with optimal conditions using building management systems (BMS) that can be connected to the corporate network and internet. Smart systems can now determine desk, office and building occupancy rates to adjust heating and lighting accordingly in unused areas. However, this increased connectivity also brings about vulnerability to cyber-attacks. With so many entry points to a BMS in a modern smart building, it becomes crucial to build cyber-security into the system architecture from an early stage, in order to reduce the risk of attack. Cyber security has become second nature to IT companies and the same needs to be true for lighting designers, architects and engineering consultants.

In July, security researchers discovered nine vulnerabilities in the Osram Lightify LED light bulbs that could allow attackers access to the local Wi-Fi network to either control the lights without authorisation or to control the network itself.

The vulnerabilities range from poor security management principles such as storing unencrypted Wi-Fi network passwords in the mobile app to more complex Zigbee protocol based issues. The researchers discovered that the lighting systems’ installed management console, which runs on Ethernet ports 80 and 443, was open to a continuous cross-site scripting (XSS) vulnerability that could facilitate the injection of malicious code into the management interface. Third party code could be executed as if it were a command from an authenticated user, which would allow the hacker to alter system configurations, access and modify data, and override the system to launch attacks against other systems.

Although Osram has stated it will attempt to patch the more obvious vulnerabilities with a software release, the real issue is how many of these systems will be updated and will they be secure, especially if the software isn’t pushed to all devices?

Osram isn’t alone as previous security flaws have also been found in LiFX and Philips Hue smart bulb systems.

Unfortunately, the vast majority within the lighting design and engineering consultancy community seem to be ignorant of the importance of system security. Last month I visited two well-known lighting design and engineering consultants in London to discuss security in lighting control systems with significantly different outcomes. The first organisation embraced new technologies and wanted to know more about how to secure control systems whilst the second organisation stated security wasn’t considered or wouldn’t be perceived by them to be an issue for their clients as they believed no one would ever want to hack a lighting control system.

As I tried (and failed) to explain to the latter organisation, security isn’t just about the possibility of the lighting being hacked and controlled, it is also about the corporate risk covering damage to their clients brand and reputation, data protection issues and business continuity.     

There are three types of reasons to disrupt a BMS or smart lighting system:

1. The Thrill Seeker – This encompasses anyone who just wants to access a system to see what they can do.

2. The Goal Seeker – This type of disrupter seeks to accomplish a goal such as infiltrating a corporate network via the BMS, and to get past those controls to accomplish a larger goal or seek a more specific target.

3. The Prankster – They don’t want to access a system at all but want to stop the system from working by causing disruption. This could easily be achieved by blocking RF signals or a Dedicated Denial of Service attack.

The following precautions will ensure that basic cyber security in your BMS and lighting control system can be achieved:

• Invite critical personnel, including the CIO and necessary IT staff to talk about cybersecurity.

• Examine the information networks used by facilities staff. Predict and plan how to safeguard vital information and network access points.

• Include BMS cybersecurity in annual operational expenditure budget.

• Remember the value that staff has for security; encourage vigilance, send facility management staff for periodic education, and conduct security audits on control network use.

• Prepare for the possibility of cyber-attacks and train staff how to respond accurately and methodically.

• Encrypt network traffic and secure wireless network access.

• Choose your suppliers carefully, and be aware of exactly what BMS functions are accessible via online portals.

• Look for easy access points.

• Avoid wireless systems within the BMS.

• Include firewalls to protect the network where possible.

• Make a plan to ensure the operating system can be patched for security flaws and updated to latest supported versions.

• Create a straightforward method for adding, removing and suspending user accounts on the BMS system without the need for users to type in username and passwords.

• Ensure all networked devices are secured by minimizing IP and MAC addresses and changing default passwords.

• Attempt to isolate the BMS system from corporate networks.

Who is liable for cyber-security breaches?

• The lighting designer, architect or consultants – If the BMS or lighting control system is defined by the designers and they haven’t undertaken basic cyber security diligence should they be liable?

• The system manufacturer – If the BMS or control system has security vulnerabilities should the manufacturer be liable?

• The installer – If weaknesses, such as not changing default passwords for routers, are not closed down then should the installer be liable?

• The client – If the client doesn’t specify the need for cyber security within the project, should they be liable for any breaches?

In order to simplify your selection criteria for suppliers of smart lighting and BMS systems, I have compiled a list of questions you can ask to gain additional cyber security assurances:

1) What security principles does your BMS or lighting control system employ?

2) Do you employ encryption rather than usernames and passwords and if so what type and how many bits are used to encrypt the data?

3) How quickly can the system repudiate, generate and transfer encryption key-pairs between devices that are on both the open and secure parts of a control network?

4) How do we ensure the operating system and application software can be patched for security flaws and updated to the latest supported versions?

5) How quickly can one add, remove and suspending user accounts within the system?

6) Is the core system reliant on RF based technologies to operate and how does the system perform if RF jamming systems are deployed?

7) What support do you provide once the system has been commissioned?

8) If a system is compromised how does the system know and what contingency plans do you have to repair the system?

9) Does your system connect to the internet and is it physically separated from any corporate network and how can you prove this?

10) Has the system been tested by third party security experts or test laboratories?

Top 500 global companies are being compromised on a daily basis despite spending billions on cyber security activities, so the lighting sector will need to take the threats to smart lighting seriously.

Geoff Archenhold is an active investor in LED driver and fixture manufacturers and a lighting energy consultant. The views expressed in this article are those of the author and do not necessarily represent the views of mondo*arc.