Is your lighting compromising your data security?

If you’re in the business of data, you’ll know that it’s a valuable asset that must be protected. You’ll also be acutely aware that wherever there is data, there is risk, and not just to your data. Physical security – the protection of people, property and assets should also be considered for their potential vulnerabilities. By Steve Mansell, Divisional Director Critical Facilities, Zumtobel Group

  • Tuesday, 21st December 2021 Posted 2 years ago in by Phil Alsop

While data centres are famously secure, ‘6 layers deep’ in some cases, data theft still occurs. With a number of high-profile cases in the media, questions have been rightly raised over cybersecurity in the Internet of Things (IoT) and unfortunately, lighting and lighting control systems are not immune.

We ask Steve Mansell, Divisional Director of Critical Facilities for Zumtobel Group, how building services, such as lighting and controls, could be increasing your risk.

THE POTENTIAL THREATS

Data centre operators have come to expect that the products installed within their data hall meet certain criteria. Equipment should save energy, be sustainably sourced, but most of all, be safe and secure. However, technology is not without its vulnerabilities; we have all heard ‘that case’ with regards to ‘sub-standard’ data centres, security breaches and spying. As more things become connected, new levels of exposure are being discovered.

CONSIDERATIONS FOR A CONNECTED LIGHTING SYSTEM

Physical security

It is important to note that connected (wired) lighting systems without an IP address only communicate within your building. They post a relatively low-security risk because a person has to be in the facility to attack the system. For example, a conventional wired DALI lighting control system could only be breached if the attacker physically connected to the network.

Device-to-device security

Lighting and control systems in a wireless network communicate outside of the building. It is common practise to use encryption, which means only devices with the correct ‘key’ can communicate with your system. Correct commissioning is therefore vital.

We know for some businesses, the fear of the unknown makes them reluctant to embrace and invest in new technologies through the fear of being exposed to potential attacks. They instil a culture of “if it’s not broken, it doesn't need to be fixed”, but with cyber-attacks increasing in sophistication, there is every reason to be more vigilant. After all, an ounce of prevention is worth a pound of cure.

This paper has therefore been designed to help data centre operators, who work tirelessly to ensure they have the in-house cybersecurity knowledge and expertise to make sound investments, stay a step ahead of attackers.

THE RISKS

As soon as systems get connected to the IoT (Cloud) proper protocols need to be in place. Potential forms of attack on connected lighting systems might include vectoring, Distributed Denial of Service (DDoS) and sniffing.

DDos

A Distributed Denial of Service attack is an attempt to make an online service unavailable to its users by temporarily or disrupting services indefinitely.

Vectoring

Occurs when there is a security breach that uses an unsecured system to gain access to other networked systems.

Sniffing

An attacker sees a packet (data) in transmission from one point to other systems that utilise protocols that are not encrypted. Because it’s not encrypted the information can be modified i.e. to turn off the lights or CCTV.

HOW TO MITIGATE RISK

When it comes to the physical building infrastructure ecosystem, there are many different facets that need to be considered before you can be assured that the product meets your security criteria.

When considering the threats, we recommend starting at the beginning: with a rigorous procurement process, including developing trusted supply chain partnerships.

For example, when a luminaire or control system is specified, are you aware of every component that goes into that product?

Do you know if the manufacturer makes all components themselves? Or, do they rely on third-party suppliers? If so, you’re placing an enormous amount of trust in a potentially unknown supply chain: leaving systems open to security risks and significantly affecting quality control standards

QUALITY ASSURANCE

So, what is the answer?

We’d recommend always working with a single-source supplier who can evidence where their components have been sourced and who offer full transparency of their supply chain partners.

For example, the Zumtobel Group, are in complete control of their entire value chain.

The Group comprises three core brands - Tridonic, Thorn and Zumtobel. Tridonic is a leading manufacturer of components and control gear used by various manufacturers worldwide due to its uncompromising reputation for product quality. Fortunately for Thorn and Zumtobel lighting, having a sister company that specialises in components and control gear certainly has its advantages since there is complete oversight on where their componentry is sourced. Every individual product that makes up a Thorn or Zumtobel luminaire is therefore carefully selected, tested, and secured through the use of intelligent software and hardware protocols. When the manufacturer controls its own supply chain, there is complete end-to-end traceability and accountability, mitigating potential external threats.

As part of the product selection, thorough testing of both hardware and software used in any connected lighting and controls system is highly advisable.

FUTUREPROOFING FOR TOMORROW

There is also another advantage of working with fewer trusted supply chain partners.

Not only does consolidating manufacturers into as few as possible make it easier to combat security vulnerabilities, it can also allow for future add-on services to be integrated at a later stage.

For example, it might be a lighting trunking system when installed, but it can also be a flexible infrastructure for future digital services.

A lighting track system such as TECTON or TECTON IP from Zumtobel can provide a backbone for adding future monitoring services that can grow with the data centre’s needs. It is simply a case of integrating sensors to accurately record the data a facility is interested in monitoring, for example, heat, to ensure the optimum operating temperature within the facility. Instead of having to purchase/install a whole new system for thermal management within a facility, operators and their technical teams can liaise with Zumtobel to plan the required system upgrade then the additional products/sensors can be fitted directly to the TECTON track without the need to power the system down.

Alternatively, if a new sensor is required to measure other variables such as air quality, occupancy and motion, it is easy to remove the original sensor and add on the new one without reconfiguring the entire infrastructure. This naturally saves a significant amount of money in the long term, making it a fully flexible and future proof solution.

IN SUMMARY

New connected lighting and control systems offer exciting improvements in energy and operational efficiencies, but care must be taken to ensure they are secure and not a chink in your data security armour.

We believe that it is crucial to focus on security from the very beginning of your product specification and selection process.

Data centre operators and their design teams should focus on working with supply chain partners who understand system security and who offer safe, strong and secure links to enable campus wide integration.

Mitigate risks by choosing a single source manufacturing partner - like Zumtobel; who are able to offer full traceability and accountability of your lighting ecosystem and offer long term support through a range of services when required.