Cybersecurity: Are Your Systems Up to Standard?

Lighting, HVAC systems and other building equipment are increasingly connected through the Internet of Things. Such connected systems offer real benefits, but they also expose the facility to the same classes of attack as any other networked device: entry into the building network through an inadequately secured device or interface, which then serves as a pivot (often called side-door entry, or vectoring), distributed denial of service that floods the device or network with traffic, and interception of unencrypted traffic on the wire or in the air (sniffing).

Third-party certification of the cybersecurity of connected energy-using devices is critical, because a buyer rarely has the access or expertise to evaluate a vendor's firmware directly. Several standards are available to support procurement, including the NIST SP 800 series, ANSI/UL 2900, ANSI/ISA-62443 and ISO/IEC 15408 (Common Criteria). The DesignLights Consortium is currently revising its Networked Lighting Control System Technical Requirements to incorporate cybersecurity standards such as ANSI/UL 2900.

Standards survey

Here is a brief review of these standards and how they apply to energy-using equipment in your facility.

The National Institute of Standards and Technology (NIST) has developed several Special Publications (SP) that are useful to both government and commercial facilities. NIST SP 800-82 Rev 2: Guide to Industrial Control Systems (ICS) Security covers the control systems, including building automation and control systems, that run energy end-use equipment such as lighting, HVAC and motors. (Rev 2 was superseded in 2023 by Rev 3, retitled Guide to Operational Technology (OT) Security, which broadens the scope to building automation and other OT.)

Underwriters Laboratories' (UL) Cybersecurity Assurance Program (CAP) gives manufacturers testable, measurable criteria for evaluating connected products that send, receive or store data over a network. The evaluation, which is performed against the UL 2900 series described below, looks for software weaknesses and known vulnerabilities and checks that the product's security risk controls are present and effective.

The American National Standards Institute's ANSI/UL 2900 Standard for Software Cybersecurity for Network-Connectable Products (UL 2900-1 gives the general requirements; the 2900-2 parts add requirements for specific product categories, such as 2900-2-2 for industrial control systems) organizes its requirements along the functions of the NIST Cybersecurity Framework (CSF): identify, protect, detect, respond and recover.

The International Society of Automation (ISA) developed, with ANSI, the ANSI/ISA-62443 series (also published internationally as IEC 62443), which defines requirements and procedures for securing Industrial Automation and Control Systems (IACS). The standards fall into four general categories: General (concepts, terminology and metrics), Policies and Procedures (requirements for asset owners and service providers, such as patch management), System (system security requirements and security levels) and Component (secure product development lifecycle and technical requirements for individual components).

The Common Criteria for Information Technology Security Evaluation (Common Criteria, or CC) is an international standard (ISO/IEC 15408) for evaluating and certifying the security properties of IT products. A product's security functional requirements are evaluated against an assurance scale, the Evaluation Assurance Levels EAL1 through EAL7, that increases confidence that those requirements have been met. A higher EAL indicates a more rigorous evaluation of the claimed functionality, not a stronger set of security functions, so check what the certified security target actually claims.

The Cyber Security Evaluation Tool (CSET) from the U.S. Department of Homeland Security, now maintained by the Cybersecurity and Infrastructure Security Agency (CISA), is a free, questionnaire-based self-assessment that provides a systematic approach to assessing control system and network cybersecurity against recognized standards, including NIST SP 800-82 and ISA/IEC 62443.

Purchasing certified products is just the beginning. A certificate describes the product as it was tested, not as it is configured and maintained in your facility, and cybersecurity depends on how the technology is managed over time as threats continue to evolve: change default credentials, segment control networks from business networks, apply firmware updates as vendors release them, and plan to retire devices the vendor no longer supports. Stay current on the latest standards and upgrade products as needed to keep your energy-using systems secure.