As the market becomes flooded with smart products, the providers of those products (whether manufacturer, lighting designer, or retailer) need to address cyber-safety concerns or risk losing customer loyalty. Here is what to look for in connected products.
By Wayne Stewart
The Internet of Things (IoT) and connected products are trending in many industries, including lighting. As manufacturers and designers seek to create lighting products, sensors, and controls that tie into networks, there are many concerns that need to be considered — especially cyber-security. Mitigating cyber threats is critical to successful product development and launch.
IoT security is still in its infancy and, like technology, threats evolve rapidly. Few devices on the market today have been designed with cyber-security in mind and even fewer have had independent cyber-security assessments and testing. What should designers and manufacturers consider when developing connected lighting products? What standards exist to help ensure the safety, security, and performance of these products?
Connected Lighting Under Attack
There is a broad IoT threat landscape for all products — from malware, botnets, ransomware, and cryptojacking to denial of service (DoS) attacks, and more. Few connected products have been designed or assessed for cyber-risks like these, making the threats very real for manufacturers, designers, retailers, and consumers. Additionally, few standards exist that address cyber-security, and many of the existing standards look at the device in isolation, even though cloud and mobile application security can be equally important.
Many IoT devices connect to a cloud service, which has privileged access to other devices and sensitive data. The typical scope of an IoT endpoint security evaluation doesn’t consider the back-end servers and services the device is connected to, which often contain sensitive data. This model is deficient because it rests on the underlying assumption that securing the product itself is enough.
Consider as well that security concerns for lighting vary greatly from those for medical devices or conventional computer environments. Security solutions need to fit the device, data, and service provided. To ensure the end-to-end security of products – as well as cloud services – designing for security from the beginning is a critical first step.
Designing for Security
Starting with a secure product provides peace of mind to the end-user that a device is safe, secure, and will perform as intended. It is important to start by identifying and addressing security concerns at the design phase. Adding in security after the fact is almost never effective and always costs more. Instead, the product should be designed to be intrinsically secure.
Designing for security means starting with a safe design and a rigorous development process that includes regular code review, security testing, plus consistent monitoring of threats and ways to mitigate them. It also benefits from a trusted independent third party who can assist with risk assessment, design reviews, code analysis, penetration tests, gap assessments, compliance assessments, and product certification.
To design effectively, it is also important to make sure project teams understand security concerns and best practices as they perform their jobs. Providing regular security-awareness training allows designers, technicians, evaluators, and other staff to better consider risk and mitigation to bring security to the forefront of product design.
This approach offers the consumer connected lighting products that are safe and secure, and it keeps their privacy intact, giving peace of mind when using the product. For manufacturers, this means better brand reputation, lower liability risk, easier regulatory approval, and an easier path to market.
Design considerations alone will not be enough to mitigate cyber-risks; full-scope testing and evaluation will also offer enhanced assurance. This includes testing throughout the design and development process, final testing to industry standards, and fulfilling any certification requirements, covering not only the IoT functions of the product but also the lighting industry requirements.
Testing & Evaluations
Testing must be iterative and must run throughout the product development process. If security testing is spread throughout the early stages and no issues are found, the product and manufacturer will be OK. However, if the product fails testing that was only initiated at the end of the development lifecycle, there could be a fundamental design flaw that requires the project to begin again from scratch. Whenever possible, test for cyber-security early and often to ensure risks are mitigated along the way. This includes testing for software weaknesses, potential backdoors, and interoperability concerns, checking functionality and performance, code analysis, and other evaluations.
As mentioned previously, there are not many standards in place to address cyber-security concerns for connected lighting products. Here are a few options; however, selecting the right one will depend on the objective of your testing and the intended use of your product:
The ISA/IEC 62443 (formerly ISA-99) series of standards. The IEC has published a conformity assessment scheme for an industrial cyber-security program intended to provide a framework for the assessment of industrial automation controls through a series of standards. An assessment under this standard evaluates security capabilities and ensures these capabilities have been applied to either a specific component, system, or operating environment.
ANSI/UL 2900 family of standards. This family of standards for software cyber-security for network-connectable products requires that products be evaluated for vulnerabilities, software weaknesses, and malware. Under this standard, product documentation, risk management, the application of security controls, and the elimination of product weakness and vulnerabilities must be illustrated to show compliance.
Common Criteria. This international set of guidelines and specifications was developed for evaluating information security products to ensure they meet an agreed-upon security standard for government use. It is internationally accepted, provides a methodology for evaluating security features, and can be applied to hardware, software, firmware, or a combination thereof. Common Criteria allows vendors to describe products’ security functionality with proof to support the claims. Today, there are 28 members of the Common Criteria Recognition Arrangement (CCRA): 17 are certificate-authorizing members, who authorize ISO 17025-accredited labs, and 11 are consuming members.
California IoT Bill. Approved in September 2018, this bill takes effect in January 2020 and will require manufacturers of connected products to equip devices with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified. To fulfill these requirements, manufacturers will need to demonstrate reasonable security to protect data contained in the device, in transit, and when stored in back-end services. All copies of client data must be deleted upon termination of device or service, and manufacturers must ensure that access to client data is protected from modification and disclosure.
In addition to product-focused security standards, there are standards and guidelines that exist for the management of risk and information security. These standards generally do not focus on product-specific requirements, rather they focus on organizational processes for information security controls. Some examples are:
NIST Cybersecurity Framework. Published in February 2014 and updated in April 2018, this framework provides voluntary guidance – based on existing industry standards, guidelines, and practices – with the goal of helping organizations manage and reduce cybersecurity risks. Because it functions as guidance, it is not simply a checklist of requirements. It must be customized by each organization based on risks, situations, and needs.
ISO/IEC 27000 family of standards for information security management systems. These standards provide a structure for implementing an information security management system, safeguarding information assets while making the process easier to manage, measure, and improve. They help address three dimensions of information security (Confidentiality, Integrity, and Availability) and are a good fit for organizations wishing to assess security risks at an organizational – not product – level. As such, they require a mature understanding of security at an organizational level, as well as policy and procedure-based security, touching every aspect of a company from software development to human resources. They will not address technical vulnerabilities within a specific product.
As lighting designers and manufacturers look to fulfill consumer demand for connected lighting products, cyber-security remains a critical consideration. The safety of connected lighting products goes beyond electrical safety standards and testing as these products are connected to a network of other devices and data. Ensuring the device is safe – while keeping information and data within a network secure – is important to a product’s success, brand value, and company reputation. Make sure these threats are considered and mitigated throughout the product design cycle to get in-demand products to market more quickly and effectively.
Wayne Stewart is Director of Intertek EWA-Canada (an international assurance, inspection, product testing, and certification company) and is a renowned speaker and expert on cyber-security including intrusion detection, cryptography, vulnerability assessment, penetration testing, static code analysis, payment technologies, and product reviews.