If you’re in the business of data, you’ll know that it’s a valuable asset that must be protected. You’ll also be acutely aware that wherever there is data, there is risk, and not just to your data.
Physical security – the protection of people, property and assets – should also be considered for their potential vulnerabilities.
While data centres are famously secure, ‘six layers deep’ in some cases, data theft still occurs. With a number of high-profile cases in the media, questions have been rightly raised over cybersecurity in the Internet of Things (IoT) and unfortunately, lighting and lighting control systems are not immune.
Data centre operators have come to expect that the products installed within their data hall meet certain criteria. Equipment should save energy, be sustainably sourced, but most of all, be safe and secure. However, technology is not without its vulnerabilities; we have all heard ‘that case’ with regards to ‘sub-standard’ data centres, security breaches and spying. As more things become connected, new levels of exposure are being discovered.
Considerations for a connected lighting system
It is important to note that connected (wired) lighting systems without an IP address only communicate within your building. They pose a relatively low-security risk because a person has to be in the facility to attack the system. For example, a conventional wired DALI lighting control system could only be breached if the attacker physically connected to the network.
Lighting and control systems in a wireless network communicate outside of the building. It is common practice to use encryption, which means only devices with the correct ‘key’ can communicate with your system. Correct commissioning is therefore vital.
We know for some businesses, the fear of the unknown makes them reluctant to embrace and invest in new technologies through the fear of being exposed to potential attacks. They instil a culture of ‘if it’s not broken, it doesn’t need to be fixed’, but with cyber-attacks increasing in sophistication, there is every reason to be more vigilant. After all, an ounce of prevention is worth a pound of cure.
As soon as systems get connected to the IoT (Cloud) proper protocols need to be in place. Potential forms of attack on connected lighting systems might include vectoring, Distributed Denial of Service (DDoS) and sniffing.
A Distributed Denial of Service attack is an attempt to make an online service unavailable to its users by temporarily or disrupting services indefinitely.
Occurs when there is a security breach that uses an unsecured system to gain access to other networked systems.
An attacker sees a packet (data) in transmission from one point to other systems that utilise protocols that are not encrypted. Because it’s not encrypted, the information can be modified i.e. to turn off the lights or CCTV.
How to mitigate risk
When it comes to the physical building infrastructure ecosystem, there are many different facets that need to be considered before you can be assured that the product meets your security criteria.
When considering the threats, we recommend starting at the beginning: with a rigorous procurement process, including developing trusted supply chain partnerships.
For example, when a luminaire or control system is specified, are you aware of every component that goes into that product?
Do you know if the manufacturer makes all components themselves? Or, do they rely on third-party suppliers? If so, you’re placing an enormous amount of trust in a potentially unknown supply chain: leaving systems open to security risks and significantly affecting quality control standards
So, what is the answer?
We’d recommend always working with a single-source supplier who can evidence where their components have been sourced and who offer full transparency of their supply chain partners.
As part of the product selection, thorough testing of both hardware and software used in any connected lighting and controls system is highly advisable.
Futureproofing for tomorrow
There is also another advantage of working with fewer trusted supply chain partners.
Not only does consolidating manufacturers into as few as possible make it easier to combat security vulnerabilities, it can also allow for future add-on services to be integrated at a later stage.
For example, it might be a lighting trunking system when installed, but it can also be a flexible infrastructure for future digital services.
A lighting track system can provide a backbone for adding future monitoring services that can grow with the data centre’s needs. It is simply a case of integrating sensors to accurately record the data a facility is interested in monitoring – for example, heat – to ensure the optimum operating temperature within the facility.
Alternatively, if a new sensor is required to measure other variables such as air quality, occupancy and motion, it is easy to remove the original sensor and add on the new one without reconfiguring the entire infrastructure. This naturally saves a significant amount of money in the long term, making it a fully flexible and future proof solution.
New connected lighting and control systems offer exciting improvements in energy and operational efficiencies, but care must be taken to ensure they are secure and not a chink in your data security armour.
We believe that it is crucial to focus on security from the very beginning of your product specification and selection process.
Data centre operators and their design teams should focus on working with supply chain partners who understand system security and who offer safe, strong and secure links to enable campus wide integration.
Mitigate risks by choosing a single source manufacturing partner who is able to offer full traceability and accountability of your lighting ecosystem and offer long term support through a range of services when required.