Ransomware, malware and other cyberattacks are in the news, and with costs in the neighborhood of $100 billion annually in the US alone, lighting equipment manufacturers and designers are moving cybersecurity and resiliency up their priority lists. Customers’ cyber-fears increasingly turn toward lighting as it continues to expand in connectedness and is considered by some to be the backbone of the IoT. Every day new functions provided by networked sensors and communications are added to lighting systems: measurement; automated operations; productivity, service and inventory optimization; asset and people tracking; big data streams; health and safety management; etc.
There may be 20 billion things in use on the internet by 2020, all connected to the cloud and operating 24/7. Any device with an IP address and connected to the internet is vulnerable to hackers. IoT devices, however, tend to fall outside the purview of vigilant IT staff. IoT devices often have long lifecycles, which means they can become increasingly insecure over time, particularly if the manufacturer no longer supports security updates. IoT devices are found in all sorts of locations, which makes them more subject to tampering. In a 2018 survey by Shared Assessments, 97 percent of respondents said an attack related to unsecured IoT devices could be catastrophic for their organization and 60 percent are concerned the IoT ecosystem is vulnerable to a ransomware attack.
Early iterations of networked lighting operated locally and only reported limited occupancy and energy data to the cloud, so there was low vulnerability. But according to Tanuj Mohan, chief technology officer at Enlighted, today’s networked lighting instruments now include a decision-making “brain” with edge processing capabilities. “An essential feature of these end IoT nodes, I’ll now call them, is the fact that they can be upgraded both for delivering new features as well as patching vulnerabilities.” Counterintuitively, this has made lighting instruments more vulnerable. Spoofing incoming data can cause the lighting to behave in an undesirable way, perhaps endangering security and life safety. Where devices are unsecured or unencrypted, hackers can hijack all these little brains to operate in an undesirable way – perhaps even driving them to dangerous catastrophic failure. Phlashing, or permanent denial of service (PDoS), can brick a device by rewriting firmware or otherwise disabling functions to make the devices irreversibly inoperable.
While too many headlines warn how your lightbulb may turn against you, in my research I did not find instances of lighting instruments, specifically, being bricked or exploded. The Philips Hue demonstration attack of 2016 spread a worm via Zigbee connectivity to allow “unauthorized” remote control of lamps from a drone; Philips has since issued a patch. I did find an IoT spambot report that specifically included lighting.
Ransomware is potentially effective with IoT devices: it threatens hardware and functionality but not loss of data. What would an owner pay to avoid a huge electric bill? To turn the lights back on immediately in a high-rise hotel? To not have to replace 10,000 luminaires?
“So far I don’t know of any ‘in the wild’ attacks on commercial lighting systems,” Colin O’Flynn, cofounder of NewAE Technology, reported in an email. “But based on similar devices, attackers are looking for a quick financial payout – ransomware that shuts down lights in a large merchant, for example. The attacker knows that every hour the lights are out has a considerable cost in lost revenue, so the target may be willing to pay for a quick fix while their IT team sorts out what really happened.” He imagines that hackers might choose to extort specific brands, as some small devices cannot be cost-effectively repaired. “Many of these threats mirror what has happened in other industries.”
Because they are usually not directly overseen by users, IoT devices are also particularly vulnerable to cryptojacking – the devices surreptitiously run cryptocurrency mining software (Bitcoin, Monero, etc.). Random IoT nodes could generate income for a long time, with a few thousand devices earning hundreds of dollars a day for hackers.
Manipulation of demand via IoT (MadIoT) botnets could cause local power outages or widespread blackouts on aging electrical infrastructure. This mode of attack seems hypothetical, to date, but power grids have been a target of Russian hackers overseas (in Ukraine, specifically) and in the US.
The most famous IoT bots (a.k.a., thingbots) co-opt just about any device with an IP address, such as vending machines, household appliances and (ironically) security cameras, to perpetrate distributed denial of service (DDoS) attacks. At nearly zero cost, IoT botnet malware self-propagates virally; a thingbot may slave hundreds of thousands of compromised devices. The objective, usually, is to generate massive amounts of internet traffic to send out spam (which can be a hacker’s phishing attempt) or to disable targeted websites or devices. Mirai and BrickerBot exploited Linux-based devices with open ports and factory-default passwords left unchanged.
“You are trying to bring a simple product to market where it can be adopted by the masses, but security concerns require it to be not that easily deployed,” explained Mohan. “The IoT world is where security and ease-of-use are completely at odds with one another.” Factory passwords must be changed immediately on-site. An integrator-installer may do this as a matter of course, but a maintenance person or homeowner is far less likely to. A software backdoor is a convenience that allows a manufacturer to reset a password if it’s lost or forgotten. “But that is a vulnerability, because if that way exists somebody else can exploit it,” Mohan said. Firmware updates from manufacturers are necessary to secure known vulnerabilities and can enhance a device’s ability to respond to an attack.
Most businesses employ an enterprise IT network, often containing valuable proprietary and customer data, completely separate from the building network. Theoretically, any device added onto the building systems would then not have the keys to the kingdom. Residential systems are different in that they’re commonly run off the household router, through which tons of personal and financial information passes. “The good thing is that the Googles and the other networking companies – Amazon, Apple – they’re all getting into this space and they are forcing practices and standards that will help us all,” said Mohan. (Though he admitted that these tech giants could disrupt the lighting industry in ways we cannot anticipate.)
For some owners building operations is their business, and valuable customer and asset data is gathered and acted on by building sensors and other devices. Medical, industrial and hospitality facilities – along with security systems manufacturers – are among those in the vanguard of building systems cybersecurity. “The impacts of getting connected, you know the benefits are huge, but the risks are equally big. So it is a double-edged sword,” said Mohan. “A lot of people are trying to use the same network for multiple purposes, but that’s not what you want, because then you are exposing yourself to a much larger attack surface.” Occupancy data, temperature measurement and asset tracking are three major data streams currently being gathered and transmitted via lighting systems. “When you start using this data as a true IoT platform, that means it gets extensible not just for lighting, but well beyond lighting,” he added.
Businesses are collaborating through the National Cybersecurity Center of Excellence, a part of the National Institute of Standards and Technology (NIST), on cybersecurity for the hospitality sector. Medical device manufacturers are early adopters of UL’s 2900 series of standards for software-connected products and systems. UL is working to create an Industry Task Force for Lighting specifically. “Our goal is by Q1-Q2 of next year to potentially have one specific [standard] for connected lighting, that the lighting industry has come together to ‘tweak’ the specific requirements for inclusion of an assessment for connected lighting,” explained Ken Modeste, UL’s director of connected technologies, in an email exchange. “The standard is not prescriptive, but risk-based, and its intent is to focus on the risks that can evolve over time.”
This risk-based strategy is a response to the near-inevitability of a determined hacker being able to find a way into a system, eventually. Stuart Madnick, director of cybersecurity at the MIT Sloan School of Management, advised, don’t be the low-hanging fruit: “Make it more of a challenge for someone to get in. It doesn’t mean they won’t get in; it just means it raises their effort level and may make them decide not to bother.” Business owners need a plan for detection, gauging the spread of infiltration, and mitigation. “What serious damage can be done with a lighting system? I should warn you, the bad guys are much more creative than I am.” A strategy as common as segmenting standard lighting systems and controls from emergency lighting might prevent injuries in a blackout. “What is the worst thing that could happen, and how do you make sure that worst thing can’t happen?” Madnick said.
Unhackable is impossible, according to O’Flynn, but it’s crucial to ensure that the overall system not fall victim when a single device is compromised. “Having security at all levels is important for defense in depth – a vulnerability that exists in a lighting controller might be a lot harder to exploit if the end devices also have security that prevents an attacker from easily getting access,” he wrote. End-to-end encryption, programming and long-term support of these devices adds to cost, which remains an important factor in the lighting products market. “Ultimately the product manufacturers are only going to provide as much security as makes commercial sense however – meaning that either they are forced [by] standards, or end customers start asking enough questions.”
UL forecasts that value propositions like human-centric lighting, LiFi and automated vehicle navigation will make lighting increasingly attractive to malicious actors. Baked-in – as opposed to bolted-on – cybersecurity is extremely important. “Baking-in today reduces significantly the cost to address tomorrow,” added Modeste. “If you add in capabilities today, and design for them, then you run less of a risk of having the burden of adding it tomorrow in the event of an incident.” Mohan described devices with defensive programming designed to protect delicate electronics and maintain operational integrity. For instance, devices could reject firmware coming from unfamiliar IP addresses; ignore instructions to operate outside normal parameters; or request a higher level of clearance for abnormal instructions, thus alerting administrators to discover a hack.
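The three defensive rules Mohan describes can be sketched as a small command gate. This is an added example, not code from Enlighted or any vendor; the address range, dimming limits, toggle threshold and command names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Policy values are assumptions for a hypothetical luminaire controller.
TRUSTED_FIRMWARE_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
DIM_RANGE = (0, 100)        # percent output the driver is rated for
MAX_TOGGLES_PER_MIN = 6     # faster switching is treated as abnormal

ACCEPT, REJECT, ESCALATE = "accept", "reject", "escalate"

@dataclass
class Command:
    kind: str                # "firmware", "set_level" or "toggle_rate"
    source_ip: str
    value: int = 0           # dim level, or toggles per minute
    admin_approved: bool = False

def evaluate(cmd, alerts):
    """Return ACCEPT, REJECT or ESCALATE; append a note to alerts when not accepted."""
    try:
        src = ipaddress.ip_address(cmd.source_ip)
    except ValueError:
        alerts.append(f"unparseable source address {cmd.source_ip!r}")
        return REJECT
    if cmd.kind == "firmware":
        # Rule 1: firmware only from familiar addresses.
        if any(src in net for net in TRUSTED_FIRMWARE_SOURCES):
            return ACCEPT
        alerts.append(f"firmware push from unfamiliar address {src}")
        return REJECT
    if cmd.kind == "set_level":
        # Rule 2: ignore instructions outside normal operating parameters.
        if DIM_RANGE[0] <= cmd.value <= DIM_RANGE[1]:
            return ACCEPT
        alerts.append(f"level {cmd.value} outside {DIM_RANGE} from {src}")
        return REJECT
    if cmd.kind == "toggle_rate":
        # Rule 3: abnormal but possibly legitimate requests need higher clearance.
        if cmd.value <= MAX_TOGGLES_PER_MIN or cmd.admin_approved:
            return ACCEPT
        alerts.append(f"{cmd.value} toggles/min from {src} needs admin approval")
        return ESCALATE
    alerts.append(f"unknown command kind {cmd.kind!r} from {src}")
    return REJECT

if __name__ == "__main__":
    alerts = []
    # Constructed sample commands.
    for c in [Command("firmware", "10.20.0.5"), Command("firmware", "203.0.113.9"),
              Command("set_level", "10.20.0.5", 250), Command("toggle_rate", "10.20.0.5", 40)]:
        print(c.kind, c.source_ip, "->", evaluate(c, alerts))
    print(alerts)
```

A source address can be spoofed, so the address check is a first filter only; verifying a signature on the firmware image is a separate control that this sketch does not cover.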
In just about any commercial building, no lights or misbehaving lights means no occupancy; at best, severe curtailment of productivity. The effect of cybercrime on businesses is estimated at $600 billion annually, worldwide. “Ultimately, customers pushing for more security will help reduce their vulnerability,” O’Flynn concluded.
Author’s note: Please share your cybersecurity tips and horror stories in the comments. If you (or your customer) don’t want to publicize a bad experience, email me and we’ll look at posting it anonymously.