Connected lighting products can help us improve the energy efficiency of our homes and businesses, but they must be designed with security in mind.
The light bulb has evolved over the last 150 years. During that time innovators have constantly strived to improve efficiency and now, much of the technology that illuminates our homes, businesses, and streets lasts longer and consumes less energy than ever before.
However, the next step forward for the industry is not necessarily changing the efficiency of the bulb, it is connecting it to a network to give us more control over the level and quality of our lighting. This is particularly important in the commercial sector. According to a recent report, lighting accounts for about 12% of the electricity consumed by business and institutional buildings, public streets, and highway schemes in the United States.
For organizations, advances in technology, including the Internet of Things (IoT), could offer significant benefits. For example, according to the DesignLights Consortium® (DLC), a non-profit organization that works with others in the industry to improve the energy efficiency of commercial lighting: “Networked lighting controls (NLC) have vast potential for not only energy efficiency and energy management, but for building optimization and functionality.”
Basic lighting control is a requirement of some building efficiency standards and energy codes, and deploying IoT devices to help maintain compliance is, increasingly, seen as beneficial because it helps organizations save money as well as reduce their impact on the environment. Being able to remotely monitor and control lighting, as well as other building operations, also became more important during the COVID-19 pandemic. Some firms are reported to have saved hundreds of thousands of dollars per month by ensuring the lights were not left on in their buildings when many workers had to stay at home.
While the growth of this sector is good news for the manufacturers of connected lighting products there are regulations, standards, and requirements that must be met to access certain markets or qualify the devices for rebates and incentives. Adequately protecting products from cyberattacks is essential to meeting the criteria.
The Importance of IoT Security for Connected Lighting
Cybersecurity has become a priority for leaders in the lighting industry and for the people buying connected products in recent years. In fact, a report by the Pacific Northwest National Laboratory for the U.S. Department of Energy describes it as a “nearly universal concern”. The document, which outlines the findings of research into people’s attitudes towards the IoT, particularly lighting products, goes on to state: “Cyber security is one of the issues manufacturers frequently commented on as a barrier related to the adoption of IoT devices. Most end users also cited it as a concern because of the potential scale of the effect of failure to a business or to one’s job or reputation.”
Unfortunately, a vulnerability in a single device is all it takes to impact an entire system. Jan Münther, Head of Digital Product Security at ams OSRAM, highlighted the risk in an episode of the #beyondthenow IoT Security Podcast. “… if they are all uniform and you have a vulnerability that affects all of them, you can potentially not just take over a single device, but an entire fleet of devices with the very same vulnerability. So that is something that is attractive to attackers. When you look at our industry specifically, there are applications … that have heightened security requirements. We have lights in the medical sector, for instance. We have public lighting, civil infrastructure, lighting on airport runways. If we have our devices compromised in these settings, it can cause very palpable damage.”
However, hackers may not stop there. A weakness in one product can also give them access to confidential information. As IoT software solutions company, Silvair, explains on its blog: “Connected LEDs with flawed security can potentially be taken over remotely by someone who’s not even inside a given building. Furthermore, such an intruder might get access to much more than lighting controls. The abundance of data that can be generated by sensory networks is one of the biggest benefits of commercial smart lighting systems, but this data might be attractive also for cybercriminals.”
To realize the potential of the IoT in this market, people must have confidence in their connected lighting products and trust device makers to protect their data from cyberattacks. That means security must be designed-in to devices from the outset.
Overcoming IoT Security Challenges For Connected Lighting
The challenge for manufacturers is that IoT security is complex, and they may not have access to the expertise they need to build protection into every layer of a device. Many are concerned about the cost and time involved in securing a connected product, while almost half of respondents (48%) to the PSA Certified 2021 Security Report said navigating regional and industry standards, laws, and regulations was a barrier to implementation.
To help the manufacturers of connected lighting products in North America, the DLC has established both efficiency and cybersecurity requirements that incorporate industry standards. The organization sets performance criteria, maintains a list of products that have been evaluated to meet these criteria, promotes high quality and energy-efficient products for commercial and industrial spaces, and is emphasizing the importance of securing these devices. Beginning 28 February 2022, all products qualified on the DLC NLC Qualified Product List (QPL) will be required to meet NLC5 Technical Requirements which incorporate cybersecurity criteria for listed systems.
The requirements are intended to help decision-makers choose products that are built on a firm foundation of security. The DLC QPLs help build trust in the devices that are being deployed, so that more networked lighting controls will be installed, and the energy efficiency of buildings will improve.
So, where do device makers start? In a webinar earlier this year, Levin Nock, Senior Technical Manager at the DLC explained: “The first crucial step in the ongoing journey of addressing cybersecurity is to create an organizational culture where development processes are aligned with concerns about cybersecurity. From that starting point, it’s more feasible to develop product upgrades and new product components and systems that address ever-evolving cybersecurity concerns at the component and systems levels.”
Simplifying IoT Security for Connected Lighting Products
Here at PSA Certified, we’re delighted that PSA Certified is officially one of the security standards that is recognized by the DLC. Our global partnership provides an easy-to-use framework and independent evaluation program to help manufacturers build protection into their products, starting at the silicon. We’re delighted that our methodology, created by world-leading security experts, is continuing to be recognized by other world-leading organizations as a route to removing barriers to implementation. Ultimately making security simpler, quicker, and more cost-effective to implement.
Levin Nock from the DLC adds: “PSA Certified is one of the cybersecurity standards we’re encouraging our industry partners to build their approach to cybersecurity on. We want to ensure everyone has the information and tools they need to strengthen the security of their systems and build confidence in these technologies.”
For more information on DLC’s emerging requirements visit its website.