In Part I of this article series, we talked to industry experts who warn that smart lighting can be the easiest path to a cybersecurity attack.
Manufacturers share how they’re protecting their smart lighting products from being “the weakest link on a company’s network.”
With cybercriminals compromising over six billion customer records held by U.S. companies in 2017 (a number expected to grow to a staggering 33 billion records by 2023), cybercrime represents one of the most significant threats to global populations, economies, and businesses in the modern age. Even more disturbing is the reality that, based on its connection into larger corporate systems and historic absence of safeguards, “smart lighting may be the weakest link on a company’s network and the new gateway to a cybersecurity attack,” according to expert Joe Dawson, principle security analyst with Intertek-EWA Canada.
In this second part of a special two-part lightED series, executives at Hubbell Inc. and Signify discuss the role smart lighting can play in a system breach, how they’ve addressed security assurance in their own product portfolios, and top tips for distributors when it comes to protecting themselves and their customers from the risk of a cyberattack.
An Inherent Risk
According to Pritam Yadav, IoT product cybersecurity lead at Hubbell Inc., connected LED lighting has become an attractive integration point for the Internet of Things (IoT) as well as other assets but, as is the case with all things connected, it brings an inherent risk of cyber exposure.
“While security has always been an area of focus at Hubbell, we’re seeing more and more industry awareness and security inclusion by other manufacturers towards a competitive and reliable offering that possesses the value-added element of cyber assurance,” Yadav confirmed. “Any connected devices and services on the end user network that aren’t secure not only expose these devices to the potential for a cyberattack or unauthorized access on the network, but also expose the network and associated devices, data, and platform.”
For all of those reasons, Heather Milcarek, head of Professional Channel Marketing at Signify, agreed that smart lighting represents both a great opportunity as well as a unique challenge.
“With the shift to connected lighting systems and lighting for the IoT opening the door to so many opportunities for light to deliver value in new ways, there’s never been a more exciting time to be part of the lighting industry,” Milcarek shared. But to realize this potential, Signify has made cybersecurity among its top priorities.
“As you create any product that links into a network – whether it be a connected light point or otherwise – it’s important to understand that you’re creating new potential points of entry into the ecosystem,” Milcarek explained. “The network is only as secure as its weakest link, and all companies building any kind of internet-connected device need to take the process of securing these products extremely seriously and deploy the latest technologies and best practices.”
Based on the cybersecurity threat that smart lighting products pose and the liability they could expose users to, our experts confirmed that their customers – from distributors and OEMs to retailers, consumers, etc. – are increasingly requiring cybersecurity assurance from their suppliers. And this is just one measure that lighting manufacturers are taking to reduce their risk and provide peace of mind to customers.
At Hubbell Lighting, for instance, “our cybersecurity program not only assures the security of the connected devices and services through established best practices, but also extends education and awareness to the end user,” said Yadav, who added that technology security dependencies and awareness by end users are equally important for a secure and reliable product. “Some examples of our efforts include an enterprise-wide Cyber Security Council and framework focused on product cyber assurance in compliance with internationally-recognized cybersecurity standards,” Yadav said. “We also engage in active cyber testing and remediation, a continuous supply chain risk management process, and cyber assurance/compliance phase gates integrated into our new product development process.”
At Signify too, Milcarek said that data privacy and security are essential elements of the company’s product development process and are fundamental to being a responsible innovator. “We work extensively with security researchers and ethical hackers to securely design our systems and to identify any vulnerabilities and patch them before there’s any risk to customers,” she shared. “We also operate a responsible disclosure process where security researchers can submit vulnerabilities they’ve identified in our products before publication; these researchers are then given a secure channel to transfer information on the vulnerability so that Signify can take any necessary action before it becomes public.”
Words to the Wise
To best protect themselves and their customers from products that could expose users to a cybersecurity attack, “distributors should ask manufacturers for cybersecurity certifications as well as evidence of a product cyber assurance process, a supply chain risk management process, and end user education programs,” Hubbell’s Yadav said.
Signify’s Milcarek agreed. “The most effective approach for distributors to consider is to have security embedded throughout the entire ecosystem, which includes everything from products and systems to projects and applications,” she said. “That means not only addressing basic security best practices around authentication, encryption, and secure configuration, but also addressing process requirements.” Ultimately, she said, “distributors need to constantly educate themselves on the evolving cybersecurity landscape to be responsible counselors, both now and in the future.”
When evaluating connected lighting solutions, Milcarek added that it’s also important for distributors to work with reputable manufacturers who’ve incorporated security precautions from the start. She also believes that, while cybersecurity and privacy are emerging aspects within the lighting industry, it’s only a matter of time before they’re absolute requirements. “Several new standards are currently under development and governments around the globe are actively exploring regulatory measures,” Milcarek said. “For our part, Signify conducts extensive research and ongoing testing, which includes independent, third-party verification programs.”
Tagged with cybersecurity