A poster video from the 2021 DOE Lighting R&D Workshop discussing a PNNL research project with a threat profile on a connected lighting system use case.
Video courtesy of the Department of Energy

Paul Francik, Pacific Northwest National Laboratory: Hi, my name is Paul Francik. I am a cybersecurity analyst at Pacific Northwest National Laboratory, and I will be sharing with you some key findings from a threat profile we did on a connected lighting system use case. Our primary research question was, how can a threat profile be used to identify high risk attack vectors for a CLS maintenance use case?

In anticipation of improved energy performance and cost savings, cities and building owners are increasingly considering the adoption of smart lighting initiatives, converting or replacing once-simple luminaires into intelligent connected lighting systems equipped with sensors. IoT devices, however, have historically been rife with vulnerabilities, sometimes putting security considerations in the backseat to functionality and operability.

In 2020, low patch levels made IoT devices easy targets, 57% of which were vulnerable to medium or high severity attacks. Organizations experienced a 72% increase in IoT endpoint security incidents in the last year and 98% of all IoT device traffic was unencrypted, exposing personal and confidential data. What are the cybersecurity threats that will impact this emerging industry as what some may think of as formerly banal lighting units transition into intelligent IoT devices equipped with sensors that gather data about us and our surrounding environment?

We analyze the results of a threat profile performed on a fault detection use case for streetlights. Systems implementing on-premise, cloud, and hybrid architectures with different authentication mechanisms were modeled and mapped to the Microsoft STRIDE framework.

The STRIDE framework helps to categorize threats by identifying the type of attacks and the application by which it is carried out. A threat profile's main objective is to provide the knowledge to mitigate or accept threats based on the impact those threats have on the system. Not all threats must be mitigated, and not all threats can be addressed in a cost effective way.

Elevation of privilege threats represent the largest high risk attack surface category for all CLS. An attack surface is the entry point into a system. Here, the size of the bubble corresponds with the growing attack surface shown numerically inside of each bubble. Tampering threats represent the largest medium risk attack surface category for all CLS. Some threats have multiple points of entry across many CLS assets as seen in elevation of privilege threats 3, 6, and 7. Some threats are linear and lighting device specific and will scale per connected device as shown when streetlights are scaled by 1,000 and gateways times three.

Some key findings. 57 threats were identified. Most threats were not network or system architecture dependent. 77% were applicable to all six CLS. 65% of threats don't involve the lighting units but other components needed to communicate with and manage them. 63% of the primary controls to mitigate risk would be implemented at the manufacturer level, and 23% of the threats are technology or system architecture dependent.

Cloud-based systems created fewer unique threats than on-premise systems. Seven threats were specific to the interaction of the on-premise technologies and four threats were specific to the interaction of cloud-based technologies. Some final thoughts: technology choice, network configuration, and installation size will impact the total attack surface. The same threat can show up in multiple assets across the system. A threat model should be run early in the development or implementation process and when significant changes are made to a system.

There are many potential entry points into a CLS. If utilizing cloud technologies, there is shared responsibility regarding information security and access to systems. And without the proper controls in place, an organization will remain at risk. The threat profile establishes security requirements, justifies security measures, gives actionable controls, and effectively communicates risk to stakeholders. To that end, it can be effectively used by development teams, software architects, and managers to make cybersecurity a part of their ongoing culture of awareness, training, and prevention.

Contact us. Join myself, Paul Francik, or my colleague Michael Poplawski, in conversation. We both work at PNNL and would love to hear from you. Thanks to our project team. Special thanks to SSC, Chance Younkin, Patrick O'Connell, Ryan Bays, Torri Simmons, and additional thanks to Sri Nikhil Gupta Gourisetti, Garret Seppalla, and Travis Ashley.