How to enhance the security of commercial lighting systems

March 8, 2021
Insulating commercial and industrial lighting from cyberattacks is an important focus for the Design Lights Consortium (DLC)

It used to be that lighting was just about illumination.  Not anymore. With words and phrases like sensors, controls, connectivity and data mining now peppering marketing materials and design and building conferences, turning on the lights now often means tapping into the Internet of Things (IoT).

Installed throughout the interior and exterior of industrial and commercial buildings, lighting is ubiquitous and, if connected and outfitted with advanced control technology, can collect data useful for a variety of functions. With networked lighting controls (NLC), lighting fixtures can communicate with other building systems and (through a dashboard or phone app) directly with facility managers to improve building environments in ways ranging from energy efficiency and employee comfort to space and resource utilization and emergency response.         

While networked fixtures now comprise less than one percent of all commercial lighting, the US Department of Energy (DOE) estimates just under a third of lighting in commercial buildings will have network connectivity by 2035. Realizing that projected expansion hinges on several factors, however, including overcoming worry over the potential for cyberattacks that haunts all IoT technologies.

An Increase in Networked Lighting Impacts Security

A December 2020 report by McAfee Corp. and the Center for Strategic and International Studies (CSIS)  estimated the annual worldwide cost of cybercrime at more than $1 trillion. That’s just over one percent of global GDP and up more than 50 percent from the nearly $600 billion cost estimate in a 2018 CSIS report that singled out inadequately-protected IoT devices as particularly at risk. This concern extends also to operational technology (OT), such as automated building systems set to control lighting, heating, cooling and ventilating equipment. The smart buildings research firm Memoori reported last year that while the lighting controls market is growing faster than markets for other building automation systems, the growth pace for the sector overall may be affected by factors such as “persistent concerns over data privacy and cybersecurity”.

Increased connectivity presents commercial lighting - and virtually all commercial building sectors - with new risks related to cybersecurity. In a March 2020 report, the DOE noted that the lighting industry must address such risks "in order for successful integration with other systems”. 

Insulating commercial and industrial lighting from cyberattacks is an important focus for the Design Lights Consortium (DLC), a non-profit organization whose work includes developing technical specifications manufacturers of NLC systems must meet to get their products listed on the DLC’s Qualified Products List (QPL). The NLC QPL is an objective, third-party vetted resource designed to help lighting designers, architects and others search for, compare and select the best products for their purposes. Electric utilities also consult the QPL in designing energy efficiency (EE) incentive programs for C & I customers.

First introduced in 2016, the DLC’s Technical Requirements for Networked Lighting Controls are evolving specifications that are updated bi-annually. Aware that making NLCs more resilient to malicious attacks is critical for building the customer trust needed to increase uptake of the technology, the DLC in 2019 established acceptable cybersecurity standards and services for commercial lighting controls. The newest version, which took effect last July, requires manufacturers’ products to certify utilization of one or more of these standards or services to remain on the QPL.

This stronger focus on cybersecurity will continue to develop through the bi-annual updates and a multi-year plan to continually advance specifications related to NLC cybersecurity. We envision one outcome of the policy will be to catalyze more support for NLC technology on the part of utility EE programs - in turn, resulting in networked systems installed in more projects and enabling greater energy savings and increased building intelligence.

Several systems have already complied with the DLC’s enhanced cybersecurity requirements. Among these is Cooper Lighting Solutions, whose CTO, VP Engineering Parth Joshi said: “cybersecurity and data privacy are a core tenet” of the company’s networked and connected lighting solutions.

“A testament to that is the incorporation of these principles throughout our product development lifecycle and obtaining external certifications,” Joshi said. “To cite a few features of our Trellix system, we ensure mobile devices are paired with a digital key from a secure portal for users to access the system and implement AES 128-bit encryption as part of FIPS publication 197, along with HTTPS protocol and WPA2 technology. We are proud to have this system certified to UL 2900-1, compliant to ISA/IEC 62443-4-1 and NIST Cybersecurity Framework.”

Enabling greater building intelligence and demonstrating the potential for significant energy savings, the capabilities of NLCs dovetail with the DLC’s mission to optimize energy use by enabling controllability with a focus on quality, people, and the environment and the organization is committed to removing hurdles to expanded adoption of this transformative technology. The next iteration of the DLC’s Technical Requirements for NLCs is expected out in draft form for comment in Q4 of 2021, with a planned effective date of July 2022. Security technology professionals are valuable stakeholders in this work, and we look forward to engaging with the sector in the months ahead.  To get involved, please contact [email protected].

Strengthening the value proposition of cybersecurity for networked lighting for building owners, managers and end-users by increasing its resilience to cyber mischief is an important step toward realizing the potential of this under-utilized technology capable of driving significant energy savings while opening new pathways to building intelligence.

About the author:Stuart Berjansky is Technical Director at the DesignLights Consortium