Smart Lighting System Security—Access Control and Authentication Strategies
This is the second blog post of a multi-part introductory series on Managing Security Risks in Smart Lighting Systems.
The first blog post in this series introduced the concept of a multi-tiered approach to identifying and mitigating Building Automation and Control System (BACS) cybersecurity risks and threats. We highlighted the NIST cybersecurity framework and associated security controls as best practice guidelines. U.S. Federal Information Systems and Organizations have strict security and privacy control requirements and rely heavily on the work of NIST and the guidelines published.
In this blog post, we’ll focus on two key security control families: access control and identification and authentication.
Key Security Control Strategies
A minimum security requirement is controlling physical access to the system as well as access between users (or processes acting on behalf of users). An access control strategy enables users to have access to a system function that they have privilege to access based on their role or identity. As examples, some personnel may need remote access to the lighting system for troubleshooting or remote management, while only a select group of privileged users should have access to the server in a server room. Only a system administrator should have the permissions to configure user rights.
Access Control Policies, Procedures and Account Management
In order to operate a Smart Lighting System, the operating organization has to develop and document access control policies and procedures that define the roles and responsibilities of personnel interacting with the system. It also defines how these roles and responsibilities are managed. These roles include (but are not limited to) the following functions:
- System Administrators
- Facility Managers & Operators
- Commissioning Specialists
- Field Support and Service Specialists
All of these roles should be associated with a set of privileges or authorizations following a separation of duties and least privilege principles. Applying these principles allows users only to access and control system functions and information that are necessary to perform a certain task. For facility managers, this could mean that access is controlled to just the building operation functions of a specific asset. For instance, Facility Manager A might only have access to Building A, and Facility Manager B only access to Building B. Neither of them has access to system and security configuration functions such as user management or the configuration of system devices.
System Administrators are responsible for identifying and naming authorized users and assigning/revoking users’ group memberships and privileges. It is important that an organization has a management process in place that regularly reviews and updates defined roles and responsibilities.
User authentication and authorization provides the necessary controls to enforce the logical access to system functions and controlled assets based upon the applicable access control policy. User access can be controlled for local, remote and wireless access, with each potentially having their own policies.
Where necessary, the system may control the number of concurrent user sessions and provide mechanisms to lock and terminate sessions after a defined period of inactivity. The latter reduces the risks of providing access to unauthorized users that intend to hijack an authenticated user session.
At the same time, the Building Automation Control System denies access to users that do not have the authorization to access the system and keeps record of unsuccessful logon attempts.
Identification and Authentication
For secure operation, a BACS system must provide identification and authentication functions for users, devices and services.
Identification and authentication of system users is commonly known as user management where users either use individual or group credentials. Credentials can be either simple user name password credentials or more sophisticated authenticators such as tokens, Personal Identification Numbers (PINs), challenges or a public key infrastructure with the use of certificates. To increase security, the system may use multi- or two-factor authentication where two or more authenticators are combined, e.g. password and challenge.
Device identification and authentication ensures that only uniquely identified and authenticated devices, such as system controllers, control modules and sensors, gain access to the system. Identification can be based on IP or MAC addresses or other unique identifiers including certificate based identifiers. Similar to devices, the system has to ensure that only trusted services gain access to the system, e.g. by the use of web tokens of identified and authenticated users.
In many cases security guidelines require authenticators to be of a certain strength and to be changed on a periodic basis. When entering authenticators, systems should provide feedback and obscure the feedback.
Authentications should expire, if connections are closed, after a certain amount of inactivity or when authenticators expire. To re-gain access to the system users, devices and services will have to successfully re-authenticate.
Authentication processes should be secure and should provide record/replay protection, e.g. by the use of Transport Layer Security.
The ENCELIUM® EXTEND Light Management System has been accepted by the GSA (General Services Administration), an independent agency of the United States government, and is currently used for smart lighting in government and commercial buildings.
This blog post is the second in a series about Managing Security Risks in Smart Lighting Systems. We will cover additional best practice security control strategies and managing insider threats in future posts. If you are a subscriber to the Digital Systems Blog, you will automatically receive notification of these blog posts in your email box.