If you’re in the business of data, you’ll know that it’s a valuable asset that must be protected. You’ll also be acutely aware that wherever there is data, there is risk, and not just to your data alone. Physical security – the protection of people, property and assets should also be considered for their potential vulnerabilities.
While data centres are famously secure, ‘six layers deep’ in some cases, data theft still occurs. With a number of high-profile cases in the media, questions have been rightly raised over cybersecurity in the Internet of Things (IoT) and unfortunately, lighting and lighting control systems are not immune.
We ask Steve Mansell, Divisional Director of Critical Facilities for Zumtobel Group, how building services, such as lighting and controls, could be increasing your risk.
The potential threats
Data centre operators have come to expect that the products installed within their data hall meet certain criteria. Equipment should save energy, be sustainably sourced, but most of all, be safe and secure. However, technology is not without its vulnerabilities; we have all heard ‘that case’ with regards to ‘sub-standard’ data centres, security breaches and spying. As more things become connected, new levels of exposure are being discovered.
Considerations for a connected lighting system
It is important to note that connected (wired) lighting systems without an IP address only communicate within your building. They pose a relatively low-security risk because a person has to be in the facility to attack the system. For example, a conventional wired DALI lighting control system could only be breached if the attacker physically connected to the network.
Lighting and control systems in a wireless network communicate outside of the building. It is common practice to use encryption, which means only devices with the correct ‘key’ can communicate with your system. Correct commissioning is therefore vital.
We know for some businesses, the fear of the unknown makes them reluctant to embrace and invest in new technologies through the fear of being exposed to potential attacks. They instil a culture of “if it’s not broken, it doesn’t need to be fixed”, but with cyber-attacks increasing in sophistication, there is every reason to be more vigilant. After all, an ounce of prevention is worth a pound of cure.
This paper has therefore been designed to help data centre operators, who work tirelessly to ensure they have the in-house cybersecurity knowledge and expertise to make sound investments, stay a step ahead of attackers.
As soon as systems get connected to the IoT (cloud) proper protocols need to be in place. Potential forms of attack on connected lighting systems might include vectoring, Distributed Denial of Service (DDoS) or sniffing.
A Distributed Denial of service attack is an attempt to make an online service unavailable to its users by temporarily or indefinitely disrupting services.
Occurs when there is a security breach that uses an unsecured system to gain access to other networked systems.
An attacker sees a packet (data) in transmission from one point to other systems that utilises protocols that are not encrypted. Because it’s not encrypted the information can be modified i.e. to turn off the lights or CCTV.
How to mitigate risks
When it comes to the physical building infrastructure ecosystem, there are many different facets that need to be considered before you can be assured that the product meets your security criteria.
When considering the threats, we recommend starting at the beginning: with a rigorous procurement process, including developing trusted supply chain partnerships.
For example, when a luminaire or control system is specified, are you aware of every component that goes into that product?
Do you know if the manufacturer makes all components themselves? Or, do they rely on third-party suppliers? If so, you’re placing an enormous amount of trust in a potentially unknown supply chain: leaving systems open to security risks and significantly affecting quality control standards.
So, what is the answer?
We’d recommend always working with a single-source supplier who can evidence where their components have been sourced and who offers full transparency of their supply chain partners.
For example, the Zumtobel Group are in complete control of their entire value chain.
The Group comprises three core brands – Tridonic, Thorn and Zumtobel. Tridonic is a manufacturer of components and control gear used by manufacturers worldwide due to its reputation for quality. Fortunately for Thorn and Zumtobel lighting, having a sister company that specialises in components and control gear certainly has its advantages, since there is complete oversight on where their componentry is sourced. Every individual product that makes up a Thorn or Zumtobel luminaire is therefore carefully selected, tested, and secured through the use of intelligent software and hardware protocols. When the manufacturer controls its own supply chain, there is complete end-to-end traceability and accountability, mitigating potential external threats.
As part of the product selection, thorough testing of both hardware and software used in any connected lighting and controls system is highly advisable.
Futureproofing for tomorrow
There is also another advantage of working with fewer trusted supply chain partners.
Not only does consolidating manufacturers make it easier to combat security vulnerabilities, it can also allow for future add-on services to be integrated at a later stage.
For example, it might be a lighting trunking system when installed, but it can also be a flexible infrastructure for future digital services.
A lighting track system such as TECTON or TECTON IP from Zumtobel can provide a backbone for adding future monitoring services that can grow with the data centre’s needs. It is simply a case of integrating sensors to accurately record the data a facility is interested in monitoring. For example, heat, to ensure the optimum operating temperature within the facility. Instead of having to purchase/install a whole new system for thermal management within a facility, operators and their technical teams can liaise with Zumtobel to plan the required system upgrade, then the additional products/sensors can be fitted directly to the TECTON track without the need to power the system down.
Alternatively, if a new sensor is required to measure other variables such as air quality, occupancy and motion, it is easy to remove the original sensor and add on the new one without reconfiguring the entire infrastructure. This naturally saves a significant amount of money in the long term, making it a fully flexible and future proof solution.