
Navigating the Cybersecurity Standards


Introduction

Building owners and operators are tapping into the power of smart building systems at an accelerating pace. This trend of increasing connectivity is driven by the wealth of new data it unlocks, the improved insight it gives into building operations, and the opportunity it offers to differentiate tenant spaces. These advantages, however, are accompanied by heightened concern about the cybersecurity of the connected systems themselves and the vulnerabilities that connectivity can expose.

To help their customers, OT manufacturers have started to build cybersecurity into their connected products. This white paper gives an overview of the main cybersecurity threats to building control systems and of the standards that address them.
 

Cybersecurity Threats

Commercial building control systems consist of the mechanical and electrical equipment that controls the entire building environment: HVAC, lighting, access control, surveillance, elevators, and more. These systems aim to create a safe, comfortable environment that supports and even enhances the satisfaction and productivity of tenants; at their best, they foster a sense of belonging that contributes to staff retention. In the march toward smarter buildings, standalone systems that used proprietary protocols and had little IT integration have become networked digital systems that take full advantage of IT technologies, often sharing the corporate IT infrastructure. The many advantages of these interconnected systems come at a price: exposure to cyberattacks. A successful attack can have a long-lasting impact on a company's bottom line, well beyond the readily quantified costs of regulatory fines, litigation, public relations, and the direct expenditures that accompany a large-scale personal data breach. There are many intangible costs as well: damage to reputation, operational disruption, loss of proprietary information, and harm to corporate strategy.

The methods attackers use to exploit known vulnerabilities, in both new and legacy installations, are numerous: malware, phishing, man-in-the-middle attacks, denial of service, and SQL injection are but a few of them. The Cybersecurity and Infrastructure Security Agency (CISA) tracks these threats and publishes advisories [1]. A system breach can lead to unauthorized disclosure of personal data, theft of proprietary information and intellectual property, violation of consumer privacy, and even loss of service. Given these dangers, cybersecurity is no longer optional for building owners and operators. A security-oriented mindset and comprehensive security mechanisms, applied to the building and to each of its subsystems, are essential to averting and mitigating risk.

The number of connected devices and systems continues to grow exponentially. Forbes predicts that by the end of 2024 there will be more than 207 billion connected devices worldwide [2]. In such a deeply interconnected world, we must build and maintain a trusted environment that uses advanced technologies to offer the best possible defense against increasingly sophisticated attacks. A cybersecurity incident can cripple an organization in minutes, so building owners need their suppliers to demonstrate, for example through third-party certification, that their products comply with the relevant cybersecurity standard.
 

Cybersecurity Standards

Cybersecurity standards consist of published materials, tools, policies, safeguards, guidelines, best practices, and risk management approaches and processes. In our industry, there are several cybersecurity standards an organization can comply with. The most important of these are described below.


ISA/IEC 62443

The ISA/IEC 62443 series of standards was developed by the ISA (International Society of Automation), a non-profit global organization founded in 1945, and subsequently adopted by the IEC (International Electrotechnical Commission), a non-profit organization founded in 1906. The scope of the series, as stated in IEC 62443-2-1, is "to define the elements necessary to establish a cyber-security management system (CSMS) for industrial automation and control systems (IACS), and to provide guidance on how to develop those elements." [3]

The IEC 62443 standards were originally written to protect industrial control systems against cyber threats at critical facilities such as refineries, conventional power plants, and nuclear power plants, which accounts for their diligence and thoroughness. The series is organized by role: some parts address asset owners (such as 62443-2-1 on the CSMS), some address system integrators and the system as a whole (such as 62443-3-3 on system security requirements), and some address product suppliers (62443-4-1 on the secure product development lifecycle and 62443-4-2 on technical requirements for components). Requirements are graded into security levels (SL 1 to SL 4), so a supplier's certification should state both the part and the level it was assessed against. Because the IEC 62443 standards address issues that are unique to OT systems, they are the preferred choice for smart buildings and connected lighting.
 

ISO/IEC 27001

The ISO/IEC 27001 standard, jointly published by the ISO (International Organization for Standardization) and the IEC, defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS (Information Security Management System). This is a mature standard that works well for classic IT systems but is less suited to defining a cybersecurity system for an ICS (Industrial Control System). Because it does not cover the OT context as comprehensively as IEC 62443, it is not the ideal choice for our industry.
 

NIST

The NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce, and its mission is "To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life." [4] NIST offers a cybersecurity program, built around its Cybersecurity Framework (CSF), that was created to protect critical infrastructure. The program comprises an extensive collection of recommendations and methodologies that cover many aspects of IT and OT systems. Although it provides broad coverage of significant areas of IT and OT, it is a voluntary framework rather than a complete, certifiable standard. As a result, a comprehensive cybersecurity system for OT cannot be established on the NIST recommendations alone. However, the NIST program remains an excellent supporting tool in the quest for improved risk management.
 

UL2900

UL2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. The series presents general software cybersecurity requirements for network-connectable products (UL2900-1), as well as specific requirements for medical and healthcare systems (UL2900-2-1), for industrial control systems (UL2900-2-2), and for security and life safety signaling systems (UL2900-2-3). The ANSI (American National Standards Institute) has adopted UL2900-1 as a national consensus standard, and the FDA has officially recognized the UL2900 standard for connected equipment installed in healthcare facilities.

In the lighting world specifically, organizations such as the DesignLights Consortium (DLC), which maintains a Qualified Products List (QPL) for Networked Lighting Controls (NLC), now require that a lighting control system hold a cybersecurity certification from a qualified agency before it can be listed on the QPL.
 

Conclusion

Standards and requirements are developed by a community of experts working together to find common ground, which sometimes requires compromise. As such, they are never perfect. Additionally, hackers and other bad actors continually try to find new ways to gain unauthorized access to connected and IoT systems. It is therefore important that such connected systems are periodically assessed to identify any vulnerabilities. Cooper Lighting Solutions publishes a cybersecurity statement covering its own connected products.

[1] https://www.cisa.gov/topics/cyber-threats-and-advisories
[2] https://www.forbes.com/sites/bernardmarr/2023/10/19/2024-iot-and-smart-device-trends-what-you-need-to-know-for-the-future/?sh=33ae8727f345
[3] https://webstore.iec.ch/publication/7030
[4] https://www.nist.gov/director/pao/nist-general-information