The Schréder lighting and beyond lighting solutions bring meaningful moments to people by enhancing safety, well-being and sustainability in public spaces.
TRUSTED SYSTEMS, SMARTER LIGHTING Let’s get connected
WHITE PAPER
CONTENT
OPEN AND SECURE WHY TRUSTABLE? 3 5 5 6 WHY LIGHTING?
BUILDING CONFIDENCE THROUGHT TRUST
7 7
CLOUD: BIGGER IS BETTER
A NOTES ABOUT NODES
8 9 10 11
CASE STUDY: MARITIME METROPOLIS
DDOS, DENIED
ULTIMATELY, IT’S ABOUT PEOPLE
CONCLUSION
2
At Schréder, we believe every SMART system, no matter which company supplies it, or which customer uses it, should be S imple, M odular, A utomation-driven, R esilient and T rustable. This series of five white papers explores general considerations for any organisation thinking of investing in a smart system for public lighting. WHY TRUSTABLE? Modern cities are driven by data. Network infrastructure touches every device across the city, from street lights to security cameras. From traffic lights to transit hubs, the Internet of Things (IoT) means that systems can be controlled remotely through smart data points for optimal operational efficiency. As cities become smarter, more of this vital technology is connected to the network, and these information flows are key to maintaining that efficiency. However, with opportunity always comes risk. Public infrastructure assets that are connected to the internet are all potential targets for cyber attacks. In 2018, ransomware attacks shut down crucial infrastructure in the city of Baltimore, including 911 services. Cyber attacks shut down Dublin’s light rail tram system and power plants in Johannesburg. Solar Winds struck at the very heart of the US government, while NotPetya hit some of the world’s biggest companies and brought global ports to a standstill.
3
The answer to cybersecurity risks is not to give up on the myriad benefits that smart systems can bring - people worldwide have seen their daily lives improved by connected cities. It is to mitigate risk by following industry best practices and creating trustworthy systems. Governments are well aware of this. At the heart of the EU’s Cybersecurity strategy is the NIS Directive, which was launched in 2016 and ensures countries supervise cybersecurity in critical sectors, such as transport. And in April 2023, the US Cybersecurity and Infrastructure Security Agency and peers worldwide issued new guidance on cybersecurity best practices for smart cities.
The answer to cybersecurity risks is not to give up on the myriad benefits that smart systems can bring - people worldwide have seen their daily lives improved by connected cities.
“Smart cities are an attractive target for criminals and cyber threat actors to exploit vulnerable systems to steal critical infrastructure data and proprietary information, conduct ransomware operations, or launch destructive cyberattacks,” the paper notes. Trusted, secure systems have never been more important.
4
WHY LIGHTING?
BUILDING CONFIDENCE THROUGH TRUST
Smart Lighting provides better driving environments, safer pavements, visibility for first responders, and an infrastructure for sensors that can collect and provide helpful insights for cities. Over the past few decades, it has become best practice to connect these lights. Software controls enable better lighting schedules, energy savings, lighting that adapts to the environment and can help predict service issues. It is clear why lighting controls should be a part of any city - and therefore, its cybersecurity plan, as well. You may ask: why would someone want to hack my lights? In 2007, two men in Los Angeles were charged with hacking the traffic light system in the city. They hacked into the computers at the traffic commission and turned off four traffic lights. They also locked the city out of the system so they couldn’t turn them back on. This resulted in gridlock and traffic problems for days, in a city that already had traffic management issues. Consider the potential impact on your city. What are the risks? Highways that are well lit at night suddenly going dark. Zebra crossings in a busy area without light. Pedestrians hoping the drivers can see them with their headlights. These are the consequences of lights being controlled by the wrong individuals and the accidents that could happen as a result. The dangers are even greater when you consider software security. Let’s examine the vulnerabilities of networks, applications, and specifically lighting control systems and how you can better protect this essential infrastructure in your city.
Your lighting control software is not only responsible for controlling the lights in your city, but is also likely to be connected to and collaborate with other data sources that inform lighting decisions as well, such as weather and traffic monitoring. A secure system will only grant access to relevant people. Permission levels should decide not just access, but capabilities within the software as well. All of this should come as standard with any critical infrastructure software application. Inappropriate access to this system or damage to the data flowing through it could cost your city valuable time and money. Recommissioning lights can take weeks and can be a labour-intensive process. Software that communicates across your entire city should be at the top of your protective priority list.
5
OPEN AND SECURE Cities are open spaces, where people come to live, explore and exchange ideas. As the natural home of innovation, nothing about cities should be locked in. But some infrastructure systems can do just that, shutting down options rather than opening up choices. Look for a system that is interoperable with existing lighting systems and assets . Interoperability is vital for trust and security: assets that do not integrate properly are a weak spot for potential attacks. Smart systems should include the highest levels cybersecurity, and be regularly tested and audited to ensure the data remains private, safe and secure. Firmware needs to be regularly updated, ideally remotely, to minimise risk and maintenance costs. There should be secure policies and rules at every layer of the solution: device, communication, data, and the app used by the customer to control the luminaires. This is called “end-to-end security”. It is also worth checking whether a system is ISO 27001 certified. ISO 27001 is the world’s most wisely recognised standard for Information Security Management Systems (ISMS). It provides organisations with guidance for establishing, implementing, maintaining and continually improving an information security management system.
6
CLOUD: BIGGER IS BETTER Many Central Management Systems (CMS) rely on external clouds such as Microsoft Azure, Google Cloud Platform, IBM Cloud or Amazon Web Services. There is an ongoing debate in the infrastructure sector about what is more secure: on-premises servers, or a cloud-based solution. The common misconception is that lighting providers, such as cities, can better protect an on-premises application than one hosted in the cloud. Ask yourself: who can afford better security? Who can afford an international team of people to maintain servers and update security protocols? Cloud systems sound less secure to the average person, but the reason that cloud infrastructure has grown exponentially over the years is due to the security measures in place. Companies like Microsoft protect their Azure servers with top-of-the-line cybersecurity, ensuring that customers hosting their platforms are in the most secure environment imaginable. Just one example: Azure’s servers analyse 8 trillion threat signals daily. Schréder EXEDRA is based on Microsoft Azure and makes the most of Microsoft’s cloud security. We can accommodate the deployment of our cloud-based platform to comply with specific local requirements/policies aiming to reinforce security and/or data privacy. A NOTE ABOUT NODES The cloud may keep data secure, but it is not the whole system. The edge of the control system is the node. This is your communication device that gives you control over the light and feeds information back to your software to allow you to better manage the asset. The node might be cellular, talking directly to your system, or in a mesh configuration where a group of nodes send information through a cellular node close by. Regardless of the configuration, wireless communication is the first vulnerability to note. “Sniffing” attacks are where the flow of wireless data is intercepted and the hacker can gain access to devices or a network to control part of your lighting system. The industry has countered this by encrypting these devices. The most common encryption is 128-bit, and although 256-bit is possible, the trade-off in power consumption for greater encryption is unnecessary. Similar to other IoT devices, firmware updates are a regular occurrence. This allows the manufacturer to update security protocols as they become aware of vulnerabilities or changes in technology. The Schréder EXEDRA solution safeguards security from one end to the other, applying secure policies and rules on each layer of the solution: device, communication, data, and the app used by the customer to control the CMS.
7
CASE STUDY Smart Solutions for a Maritime Metropolis
Bristol, one of the UK’s biggest and most vibrant cities, is making a £12 million upgrade to its lighting system , including converting around 29,000 street lights to low-energy LED luminiares, and installing the Schréder EXEDRA CMS. Having declared a climate emergency in 2018, the council is upgrading to LEDs to support carbon reduction and achieve cost savings in the longer term. One key consideration is cybersecurity. In the UK, public realm and street lighting is treated as critical infrastructure, and Schréder has built security by design into all our systems. Having Schréder on board means that customers have access to a wealth of cybersecurity experience. For example, in June 2023, a vulnerability was discovered in the MOVEit app , which the council had been using. Thanks to Schréder EXEDRA , we were able to swiftly show that their data hadn’t been compromised. This responsiveness is part of the ongoing customer relationship that makes Schréder different. Schréder EXEDRA has ISO 27001 certification, meaning we continually improve our cybersecurity processes and ensure our staff are up-to-date with the latest best practices in the field. Worldwide, more than 500,000 luminaires and other assets are controlled by Schréder EXEDRA; we learn from every data point and always put cybersecurity first.
8
DDoS, DENIED
Distributed denial of service (DDoS) attacks first came to global attention in 2007, when Estonia was hit by an unprecedented cyber attack that shut down government, financial and media web sites in what Wired magazine called “Web War One.” Bank machines stopped working and crucial internet infrastructure ground to a halt. Over several weeks, the country learnt vital lessons about cybersecurity. DDoS hasn’t gone away as a threat, and lighting software can create vulnerabilities to all connected devices in a city’s network, including mass communication loss. It is vital that software analyses traffic at the edge of the application before it has the chance to infiltrate. The strength of the security in the application should be constantly tested. Hackers are working to refine their methods every day, and it’s vital that your software can stand up to the rigors of external testing on a regular basis by third parties - something Microsoft Azure actively invites.
9
ULTIMATELY, IT’S ABOUT PEOPLE The failure point in smart city systems is rarely the actual servers. Two of the most common failures in cloud security are human error and weak credentials. Cast your mind back to 2001, and the Anna Kournikova virus: people will always be the weakest link in any cybersecurity strategy. There is a data breach every 39 seconds on average. System owners can counteract this by encrypting passwords, changing them frequently, and using firewalls on all devices. Hacking is a very real concern. Lighting controls should be no exception. Let’s look at a few methods to better protect your cloud applications: ● Passwords should be complex and frequently updated; ● Permissions should be controlled by a committee and audited frequently; ● Processes should be put into place when people are added to, or leave, the system; ● Logs should be kept of changes made to the system; ● Develop a back-up plan in the event of an attack so your system can be restored quicker and reduce downtime; ● Educate employees. Phishing emails are the most common entry point, so have a system and training in place to reduce these risks. More than 90% of all cyber attacks begin with phishing. No-one is standing at a terminal trying to hack your system like we see in the movies. They are waiting for someone to click on a bad link or open a file and then they wait. They let the program run in the background, gathering every keystroke and every password. Months later, they have what they need to carry out their attack. Proper training and prevention practices are key to effective cybersecurity.
10
CONCLUSION Being a smart city doesn’t have to mean being a vulnerable city. Urban centres around the world are targets for cybercrime because they house vital data from their citizens. Protecting that data means updating your cybersecurity at every turn. As a city’s IoT device count grows, with new applications to control and analyse the data from these devices, so should network security requirements.
The tender process should take into account the system’s certification, compatibility with existing assets, cloud provider, security of the system’s edges, and include robust training for all those with access. Audit your cybersecurity on a regular basis and choose technology partners that place importance on the security of their applications. When your data is safe, then you can truly grow as a smart city.
Eric Talley Business Development Manager - Smart Cities
11
www.schreder.com
Copyright © Schréder S.A. 2023 - Executive Publisher: Stéphane Halleux - Schréder S.A. - rue de Mons 3 - B-4000 Liège (Belgium) - The information, descriptions and illustrations herein are of only an indicative nature. Due to advanced developments, we may be required to alter the characteristics of our products without notice. As these may present different characteristics according to the requirements of individual countries, we invite you to consult us.
Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12Powered by FlippingBook