PNNL Study Targets Authentication Vulnerability of Connected Lighting Systems

Connected Lighting Systems Thumbnail

July 3, 2020

By Craig DiLouie

The U.S. Department of Energy has released the results of a study examining authentication vulnerabilities in connected lighting systems (CLS). Particularly as emerging CLS incorporate distributed intelligence, network interfaces and sensors, they can serve as data-collection platforms that enable a wide range of valuable new capabilities as well as greater energy savings in buildings and cities. However, CLS technology is currently at an early stage of development, and its increased connectivity introduces cybersecurity risks that are new to the lighting industry and must be addressed for successful integration with other systems.

There are numerous existing frameworks and guidelines for evaluating cybersecurity vulnerability, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the NIST 800 series comprising more than 150 resources, the International Electrotechnical Commission (IEC) 62443 series, International Organization for Standardization 27001 and 27002, Unified Facilities Criteria (UFC) 4-010-06, and UL 2900-1. Furthermore, a variety of testing resources are widely available, including the Open Web Application Security Project (OWASP) Testing Guide. While these frameworks, guidelines, and tests may apply to CLS in whole or in part, there is currently no mandatory requirement for cybersecurity testing or certification.

Photo: Conceptual representation of multiple connected lighting systems, showing common system architecture variations and technology implementations:

Lighting SystemThe lighting industry, including technology developers and specification organizations, is currently evaluating the suitability of existing frameworks and guidelines for CLS. To support these efforts, the Pacific Northwest National Laboratory (PNNL) is conducting a series of studies intended to educate lighting-industry stakeholders on specific cybersecurity practices and characterize their implementation in commercially available CLS with varying system architectures, network-communication technologies, and degrees of maturity.

The first study explores authentication practices and their implementation in multiple CLS. A total of 18 tests were developed by UL and implemented in PNNL’s Connected Lighting Test Bed (CLTB). The tests explore the implementation of basic authentication best practices as well as known technology-specific best practices. As a result, not all tests are applicable to all CLS.

A total of 40 out of 72 potential tests (4 CLS, 18 potential tests each) were applicable for 4 evaluated CLS, and the CLS collectively passed 26 of the 40 tests (65%). While pass/fail ratio is a simple way of reporting test results, it is not really a relevant metric. Cybersecurity vulnerability testing is a risk-analysis practice; the relevance of passing or failing a certain test is best evaluated in concert with an understanding of the risk associated with that vulnerability in a specific implementation. Nevertheless, pass/fail ratios give some indication of the range of performance found in market-available CLS.

Based on the limited results of this study, it appears that the CLS being brought to market have varying levels of authentication vulnerability. It is hoped that these evaluations will support and perhaps accelerate industry discussions on the risks of specific security vulnerabilities, what vulnerabilities should be addressed by lighting-specific best practices in development, and whether any such practices should be included in voluntary lighting standards.

PNNL plans to conduct more authentication testing and to work with UL and other cybersecurity experts to explore authorization vulnerabilities. PNNL will bring these results to the ANSI C137 Lighting Systems ad-hoc working group focusing on cybersecurity vulnerability, for consideration in the creation and development of new standards.

Go HERE for the report.

Craig DiLouie, LC, is Education Director for the Lighting Controls Association. Reprinted with permission of the Lighting Controls Association, www.lightingcontrolsassociation.org

Related Articles


Latest Articles

  • Light Efficient Design Introduces TYPE A+B Omni-Directional PL Lamps with FLEXCOLOR Technology

    Light Efficient Design Introduces TYPE A+B Omni-Directional PL Lamps with FLEXCOLOR Technology

    Light Efficient Design has developed TYPE A+B Omni-Directional PL Lamps with FLEXCOLOR technology. Combining the versatility of Type A and Type B compatibility with the ability to adjust color temperature on-site, these lamps provide unparalleled flexibility and efficiency for commercial and industrial applications.  With FLEXCOLOR technology, users can easily switch between 3000K, 4000K, and 5000K… Read More…

  • Government Building Is Illuminated for the First Time in Its 160-Year History

    Government Building Is Illuminated for the First Time in Its 160-Year History

    Lightemotion, a global lighting design consultancy, has completed its innovative lighting scheme for the exterior of the West Block, one of three government buildings forming the core of Canada’s Parliamentary Precinct in Ottawa. Lightemotion was contracted by RMA+SH architects as the prime consultant for this project, with additional collaboration from Stantec for electrical engineering and… Read More…