Industry expert warns that smart lighting can be the easiest path to a cybersecurity attack.
The bad news? Ponemon Institute’s 2017 “Cost of Data Breach Study” revealed that U.S. companies reported over 2,200 data breaches in 2017, compromising over six billion records. The worse news? Experts estimate that cybercriminals will swipe a whopping 33 billion records by 2023.
Exposing people and corporations to untold damage, cybercrime represents one of the most significant threats to global populations, economies, and businesses in the modern age. Whether attackers aim to infiltrate operations, compromise or corrupt data, steal or misuse it, or simply earn ‘bragging rights,’ the global cost of cybercrime is predicted to reach $6 billion by 2021, double its $3 billion cost in 2015, and rise even further from there.
While the perception is that IT systems are the clear conduit for these potentially devastating incidents, “the reality is that smart lighting may be the new gateway to a cybersecurity attack,” said Joe Dawson, principal security analyst with Intertek-EWA Canada, a premier global provider of information and communications technology security and assurance services, security engineering, and test and evaluation innovation.
In the following Part 1 of a special two-part lightED series, Dawson explains how smart lighting has become one of the newest conduits for cybersecurity attacks and how industry professionals can protect themselves and reduce their own (and their customers’) risk.
lightED: Based on your experience testing security for businesses in a variety of industries over the last 30 years, how do you feel that cybersecurity testing has changed over time?
Dawson: While the concepts behind the testing we do haven’t necessarily changed over 30 years, the devices that we test security for definitely have. Years back, information was primarily shared between one computer communicating with another; since then, we’ve seen the advent of such other diverse communication devices as ATM machines, cell phones, doorbells, medical devices, robotic lawnmowers, lighting, and more. Also, while all communication between two computers years ago was done over some kind of copper wire or cable, today it’s often done wirelessly through Bluetooth, Zigbee, Z-Wave, or some other protocol. There’s also the presence of LiFi, a wireless communication technology that uses the medium of light for high-speed data communication; with LiFi, the super-high-frequency blinking of light transmits data to devices equipped with optical readers, enabling lights to communicate with each other. While this is a newer technology, it represents yet another way for devices to connect.
lightED: In general, what are some of the key tenets of security testing?
Dawson: When it comes to security, the “transport layer” refers to the way we communicate and none of the different approaches are necessarily more secure than another; it’s about what we do to ensure their security that matters. The basic concepts of security are ‘encryption,’ ‘authentication,’ and ‘non-repudiation’ to confirm that you are who you say you are and that systems know who they’re talking to. Also, businesses don’t always need to have the tightest security if the information being shared is very general, such as the weather, sports scores, headline news, etc. It’s about knowing what you’re sending and the purpose for sending it. Medical information is highly sensitive and requires much more security, for instance, than the transmission of something like a tourism brochure.
lightED: How can a smart lighting system be a conduit for hackers?
Dawson: Up until recently, the primary motivation for businesses to pursue lighting upgrades was for energy conservation purposes – e.g., to reduce energy and save money – and the concept of how secure those systems were wasn’t a consideration. However, whether they incorporate LED or another technology, smart lighting solutions are all computer-controlled today and turn lights on and off based on timing and/or available daylight. A lot of the businesses using these systems have no security or passwords embedded in them and the systems are connected to the wireless network of the whole business.
lightED: How might a hacker compromise a company through its smart lighting system?
Dawson: If the system is connected to the WiFi, a hacker (often an insider and/or a disgruntled employee) could turn the lights off and insert a password that prevents others from being able to turn them back on. Regardless of the light source used, smart lighting is automated to go on and off at a certain time and from a central point, and that’s essentially the “weakness” of the system. It can have frightening and far-reaching impacts based on the application or use case – for example, if hackers turn off the lighting in a hospital operating room, a nuclear facility, or on a highway or oil field at night. In some situations, it might not be critical (as mentioned earlier), but in others, it could be a matter of life safety.
lightED: How easy is it to sabotage a business through its smart lighting system?
Dawson: It’s surprisingly easy to wage this kind of attack and you don’t have to be an IT expert to do it. The level of knowledge needed to compromise these systems is that of a high school student, and it can be done through the use of a cell phone.
lightED: Can the smart lighting system be a gateway to hacking other business systems?
Dawson: Yes. People attacking systems generally look for the easiest way in; because the lighting industry hasn’t historically engaged in a lot of cybersecurity, it hasn’t been as secure as other things on the client’s network, so lighting systems can reveal the password for the whole company’s system and end up being the gateway to a more invasive attack.
lightED: In light of this threat, has the lighting industry become more proactive about ensuring the security of its products?
Dawson: Yes. Lighting manufacturers are starting to become more aware of the threat posed by their products and standards like UL 2900 and IEC 62443 are being introduced for controls. At Intertek, we’re definitely being asked to do more security testing on lighting by our clients and we can help make these systems more secure. We’ve helped them understand that they don’t want to be the weakest link on their client’s network and the conduit through which hackers can access sensitive info.
lightED: What advice can you offer manufacturers regarding the security of smart lighting?
Dawson: If a customer buys a smart lighting solution from a manufacturer and their computers get compromised through the lighting system, the manufacturer could be liable for the damage, so a lighting manufacturer offering a solution that’s undergone testing and is more secure has an advantage over a competitor. More and more lighting manufacturers are coming to us for testing on their products, but a lot of others in the industry are still waiting to see what their competitors do. The key thing to realize is that, though security testing through Intertek or any of the market’s testing providers can cost upwards of $20,000, the damage caused by an untested/unsecure system could be in the millions, not to mention the damage to the manufacturer’s reputation. We’re also seeing a lot of big-box retail stores coming to us to help them understand whether the products they’re buying are secure and they’re declining to carry less-secure products based on the liability their store could incur. The overriding message is that the cost of doing security testing is low compared to the impact of a disaster.
lightED: What advice can you offer distributors regarding the security of smart lighting?
Dawson: Distributors should be asking their lighting suppliers what they’re doing to deal with security – e.g., what standards they’re following, what independent testing they’re pursuing, etc. – and opt to carry lighting products that are more secure. Regardless of who does the testing on those products, some security testing is better than none.
In Part 2 of this special two-part lightED series on Monday, April 29, lighting manufacturers share how they’re responding to the security threat posed by smart lighting products.