
Are you really in control?

Issue 75 October / November 2013

The real innovation in lighting was never about LEDs, it was always about smart and intelligent lighting which is a fusion of lighting and controls. This month Dr Geoff Archenhold takes a look at the rise in lighting network control and its security issues.

LED lighting is everywhere today and after fifteen years in the industry I find it a little amusing that most people have now become full LED converts. There is little or no disputing the right way to go is to implement LEDs in the majority of lighting applications. The revolution has happened and the majority of lighting goliaths are stating that LEDs represent up to 25% of turnover already and on a recent trip to the US, one manufacturer claimed 45% of turnover was already derived from LED revenues with close to 100% of turnover being LEDs before 2020.

Actually, LEDs are not the revolution everyone thought because if you stand back and reflect, LEDs are really only a new light source so there is nothing more than a new set of rules to build LED light fixtures. The real revolution in lighting is yet to come! Most LED light fixtures are simple and don’t include advanced or smart features and this is where the main lighting revolution lies, because LEDs offer a digital alternative that can be easily controlled. In fact, once LED lighting becomes smart there is a need for it to be networked so that fixtures create their own personalities that describe their capabilities or features onto a system that can then utilise those features to the maximum benefit. Indeed, a recent market report by Navigant states that networked lighting controls will grow from $1.7 billion annually in 2013 to more than $5.3 billion by 2020. This rapid growth will be driven by building owners and managers, who are accustomed to the idea of centrally monitoring and managing their heating, ventilation, and air conditioning systems, beginning to expect the same level of control from lighting systems.
You may question this but here are a few examples of how systems can be smart:

1) Integrated control systems: Currently lighting systems utilise separate controllers that are an additional expense both in capital expenditure terms and installation/commissioning terms. The future of smart lighting systems will be to integrate lighting and controls to allow reduced energy consumption through daylight harvesting or occupancy detection without the need to install or commission additional system components.
2) Human health functions: Smarter fixtures will include Real Time Clocks and a range of sensors to allow different types of lighting throughout the day and year automatically, so that human circadian rhythms can be catered for, allowing improved productivity during work and rest times as well as precise colour and intensity control.
3) Information systems: The use of data transfer to devices within our lighting environments adds a new dimension to being in a wirelessly connected world. I have talked about VLC or LI-FI previously but this technology is rapidly moving from laboratory to production!
4) Building management: Smarter fixtures will integrate sensors so that they can be used to provide aggregated building occupancy and provide integration with heating and ventilation by regulating temperatures. For example, fixtures can detect how many people are on a floor within a building and if they include a temperature sensor the fixture can ask the heating control system to switch down or off the heating on a floor if there is no one on it.
5) Simple or no commissioning: Current lighting control solutions usually require experts charged at horrendous rates to go to site to commission schemes, which adds complexity and costs. New lighting systems will require little or no commissioning and will be so easy to work with that an end-user should be able to configure what they want from a simple application on their mobile or tablet.

Of course the aim of technical revolutions is to wipe away traditional practices with new features at a lower price and this is what I think is going to happen very shortly. Over the next couple of years the lighting industry will see advanced integrated control systems being deployed in lighting schemes that, in combination, will reduce the capital expenditure costs of the scheme and provide features and facilities that were usually ignored because of budget constraints. The road to such a future is still undecided because there are different technical routes that could be taken to get there and I have learnt in the past that sometimes revolution needs evolution to take place so there isn’t such a leap in thought processes required by industry.

Figure 1 - Traditional type of lighting network installation.


Today most lighting schemes have numerous types of interfaces and components. Here, individual drivers or ballasts are controlled by lighting interface units/controllers such as DALI/KNX routers which are then controlled by a building lighting controller. There are multiple components, all of which are cost optimised and there are always potential compatibility or wiring issues that can occur during installation.

A recent method being adopted for lighting installations is that of centralised driver solutions pioneered by companies such as Tryka LED, IST and more recently Redwood Systems.

Here, the definition of centralised LED control systems can mean the drivers are placed within rooms or on individual floors of buildings or within a single location for a complete building. There are several advantages for utilising centralised driver solutions:

Installation Cost Reduction
• Reduced number of drivers to install or commission.
• Simple low voltage wiring required between driver and fixtures.
• Quick set-up and commissioning times.

Higher Quality LED Solutions
• Significantly improved functionality compared to single driver solutions.
• Healthier lighting solutions - very low ripple current as better driver components become available.
• Improved protection circuitry including over voltage, over current, over power and over temperature.
• High performance step-less pseudo analogue dimming with 8 and 16 bit resolutions available.
• Significantly higher efficiency and PFC - each output stage can be >98% efficient and maintains efficiency when being dimmed and the summation of output power means that PFC should be on average higher than individual drivers.
• Taking out redundant components from individual drivers means that higher quality components can be used. For example, replacing the AC/DC stages of 24 drivers with just one large AC/DC stage means the components are higher quality with improved performance and potentially longer lifetimes.
• In a similar manner, adding support for multiple dimming protocols in a 24 channel centralised driver means that the cost is divided by 24, thus making it cost effective to add additional protocols where it would be cost prohibitive to add these in a single driver topology.

Maintenance & Lifetime

• Centralised LED drivers are usually located in ambient temperatures of 25ºC, which significantly improves lifetime compared to single driver solutions with electronics that operate between 80º and 110ºC.
• Higher quality components mean no electrolytic capacitors are used on the output stages; only solid-state polymer capacitors, which have lifetimes in the 100,000s of hours, compared to traditional driver solutions that use electrolytic capacitors with lifetimes of 5000 hours.
• Higher quality components are used in the AC/DC conversion process, ensuring longer life solutions.
• Spare output channels within a driver can be easily used to support additional requirements, or back up in the event of a channel failure.
• Centralised drivers are easy to access in the event of changes to the system, unlike traditional drivers located by the fixture often in the ceiling void.
• Centralised drivers can be located up to hundreds of metres away from fixtures, enabling drivers to be placed indoors even if fixtures are outdoors, thus mitigating the need to source IP rated drivers.

Figure 2 - Far right Centralised driver and control system with reduced complexity.

Improved Functionality
• Multiple control protocols in one product removes the need and therefore expense of several intelligent driver products.
• Ability to include Ethernet and WI-FI interfaces to allow Internet based communication.
• Complete monitoring, maintenance and management of project installations.
• The ability to connect occupancy and daylight sensors directly to drivers and enable them to be virtual units.

Centralised drivers offer an excellent bridge between a fully integrated solution and the common standalone driver systems yet a fully integrated solution offers an alternative set of advantages which include:

Integrated sensor systems within the fixture itself
• Sensors can control LED outputs in real-time.
• No need for separate sensor installation or wiring as these are built directly into the fixture, saving material and installation costs.
• Ability to provide active feedback for tuneable white control or ambient light sensing without network traffic.

Integrated DC Driver output stages

• Smaller output stages that contain a microprocessor to allow flexibility at the fixture level such as changing forward currents for constant lumen applications.
• Microprocessor that can handle a dimming control protocol.

Centralised power units
• The units just distribute DC voltage power lines, so they are electrically safe.
• Very easy to configure and move fixtures, as each one just needs to be hooked up to the DC power lines and whatever control bus protocol is in use.
• Similar to constant voltage applications in that units are all powered in parallel, so easy to install.

Clearly LED fixtures still require power to be provided to them but some network topologies are easier to use than others from a control bus perspective. For example, standalone driver solutions require a dimming protocol bus to be connected to each LED driver, which adds a considerable installation burden. However, using a centralised driver solution reduces the amount of control protocol cabling as the driver handles multiple LED fixtures but requires just one control connection per driver.

Indeed, it is possible to connect IP enabled LED drivers to standard WI-FI routers and allow drivers to be connected wirelessly without a great deal of expense. For example, a quality WI-FI, 4 port router can be purchased for £50 (and as low as £9.95 for lower quality versions) that could control four different centralised drivers that in-turn can control up to 144 separate fixtures wirelessly. Therefore, for an extra 35 pence per output an installation can make each fixture wireless enabled, which is not possible if the drivers were standalone as adding wireless would add several pounds to the cost of each driver.

Specify safe control solutions

There are clearly significant advantages to networked control systems. However, a big potential pitfall to their future exploitation is network security. Lighting is critical to physical security, and as smart lighting begins to be installed across current and new residential and corporate constructions, an abuse case such as the ability of a network intruder to remotely shut off lighting in locations such as hospitals and other public venues could result in serious consequences or at least cause significant embarrassment.

There have already been many recent examples of network security being compromised across different applications, including:

• Philips hue system – The system uses Internet and ZigBee protocols to control light bulbs and has been shown to be easily compromised.
• Edward Snowden – Leaked documents highlight that the NSA and GCHQ have been able to successfully decode key online security protocols using PRISM, which renders all internet traffic easy to capture no matter what encryption keys are used.
• Encryption flaws – The US intelligence agency, the NSA, subverted a standards process to be able to break encryption more easily. It had written a mathematical flaw into a random-number generator that would allow the agency to predict the outcome of the algorithm, as reported in the New York Times.
• Barclays hacking attack gang stole £1.3 million – One of the gang posed as an IT engineer fixing the computer to gain access to a Barclays branch in order to fit a device that allowed the hackers to access its network remotely and transfer money into their own accounts.

These brief examples of security flaws prove that no matter what security measures are taken, network-enabled lighting systems will probably never be 100% secure. However, the key aspect to remember is that as long as security is built in from the start, your installation will most likely never be compromised. But if you don’t plan for a secure system, you leave yourself completely open and your system will be vulnerable.

There are several ways in which networked lighting systems can be compromised, but the main three are:

• Network topology – where the intruder is able to take full control of a system and decrypt all data across the lighting network.
• Application security – where smart application software has vulnerabilities contained within it and these vulnerabilities allow intruders to gain partial or full control over your network.
• Denial of Service (DoS) attack – where an intruder cannot control a networked lighting system but can stop the system from operating as it should. It is similar to when you see websites from global brands taken offline for a period because the DoS overloads the system.

I will try to explain each of the issues without becoming too technical and I believe you will be surprised at what gets highlighted.

Figure 3 - A standard network topology with potential security flaws.

Lighting Network Control Topology
A typical lighting network control topology is shown above right where the network consists of a number of LED drivers with fixtures attached to a central hub which could be a switch or WI-FI router that enables a mobile device or PC system to control the drivers. The system can be expanded with other components such as wall switches or indeed control via devices connected to the Internet. This topology may be based upon any type of control protocol but the majority of future systems will utilise standard ethernet technology because it is not only widely available, but low cost and a wide number of IT departments are familiar with configuration and setup because security features are directly built in.

The main security issue with this topology is that the information is transferred across the network using User Datagram Protocol (UDP) packets. UDP uses a simple transmission model with a minimum of protocol mechanisms so it has no handshaking dialogues, and thus exposes any unreliability of the underlying network protocol to a user’s program. Time-sensitive applications such as lighting controls often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system.
The use of unprotected UDP packets allows an attacker to compromise network traffic and hence obtain full access to any of the LED drivers. All that an attacker needs to do to gain control is access the local network, which can be done in a variety of ways, such as:

• Compromise the mobile device software by placing a virus or Trojan on it.
• Join the network or WI-FI router and use standard packet sniffer software to gain usernames and passwords.
• Access the network via the Internet connection externally.

In order to improve security of this type of topology it would be better to split the lighting network control onto its own separate network as shown above left. Here, the advantage is the lighting network is self-contained but obviously another router will be required so additional system costs are incurred.

The local network is not connected to the Internet, so any attacks from the Internet are excluded. As networks 1 and 2 are not connected to each other, a network attacker has no chance of accessing the lighting system through a security breach in the customer’s network, even if network 1 is public and has no security at all. Thus, the only possible flaw in this topology is the physical security of the networking device itself, which has nothing to do with the software.

In order to add further security to a network it is possible to encrypt the UDP data packets across the network and between devices. Fortunately, such encryption and decryption can be achieved using public and private key solutions (although this has supposedly been compromised by the US and UK intelligence community!).

This key-based security solution requires every controller to have a private key. The bigger the key size the better in terms of security, and 2048 bits provides an optimum balance between performance and security. RSA 1024-bit keys are not considered reliable, and 4096-bit keys are so long that a great deal of CPU resources is required to decrypt each message.

Every lighting fixture control request will need to be authenticated. In order to create a secure connection, the controller encrypts the message using its private key, and the LED drivers, which store the public key of the pair, can then decrypt the messages successfully. All this together makes it almost impossible to break into the system even if an attacker is listening to the UDP packets across the network, as they are encrypted using the public/private keys. If messages are not valid then the driver simply ignores or destroys the packets.
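The scheme described above, with the private key at the controller and only the public key in each driver, is in practice a digital signature. The following Go sketch is an added example, not code from the article or from any lighting vendor: the packet layout, the names `SignCommand`, `Driver` and `Handle`, and the choice of RSA-PSS with SHA-256 are all assumptions made for illustration. It goes one step beyond the text by adding a message counter, so that a captured packet cannot simply be sent again.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout: counter(8) | driverID(2) | channel(1) | level(1) | signature(256)
const hdrLen = 12

var (
	ErrLength = errors.New("wrong packet length")
	ErrSig    = errors.New("signature check failed")
	ErrTarget = errors.New("wrong driver or channel")
	ErrReplay = errors.New("counter not newer than last accepted")
)

// NewControllerKey creates the controller's 2048-bit RSA key pair.
func NewControllerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignCommand runs on the controller, the only holder of the private key.
func SignCommand(priv *rsa.PrivateKey, counter uint64, driverID uint16, channel, level uint8) ([]byte, error) {
	pkt := make([]byte, hdrLen)
	binary.BigEndian.PutUint64(pkt[0:8], counter)
	binary.BigEndian.PutUint16(pkt[8:10], driverID)
	pkt[10], pkt[11] = channel, level
	digest := sha256.Sum256(pkt)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return append(pkt, sig...), nil
}

// Driver is the receiving side; it stores only the public key.
type Driver struct {
	ID          uint16
	Pub         *rsa.PublicKey
	Levels      [24]uint8 // one dim level per output channel
	lastCounter uint64
}

// Handle checks one UDP payload; on any error the caller drops the packet.
func (d *Driver) Handle(p []byte) error {
	if len(p) != hdrLen+d.Pub.Size() {
		return ErrLength
	}
	digest := sha256.Sum256(p[:hdrLen])
	if rsa.VerifyPSS(d.Pub, crypto.SHA256, digest[:], p[hdrLen:], nil) != nil {
		return ErrSig
	}
	counter, channel := binary.BigEndian.Uint64(p[0:8]), int(p[10])
	if binary.BigEndian.Uint16(p[8:10]) != d.ID || channel >= len(d.Levels) {
		return ErrTarget
	}
	if counter <= d.lastCounter {
		return ErrReplay
	}
	d.lastCounter, d.Levels[channel] = counter, p[11]
	return nil
}

func main() {
	priv, _ := NewControllerKey()
	d := &Driver{ID: 7, Pub: &priv.PublicKey}
	pkt, _ := SignCommand(priv, 1, 7, 3, 200) // driver 7, channel 3, level 200
	fmt.Println("first delivery:", d.Handle(pkt))
	fmt.Println("replayed copy:", d.Handle(pkt))
}
```

A signature of this kind proves who sent the command and that it was not altered, but the command itself still travels in the clear. In a real driver the last accepted counter would also need to survive a power cycle.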

Figure 4 -  Lighting network control with separation from corporate network.

Application Security   
This is a very common way security systems can get compromised and it is no different from when a virus or Trojan malware installs itself on your PC and captures all your important data such as passwords and ID codes without you knowing. For example, if you can control your lighting network using a PC across the Internet and you need to log in to your control portal, this information can be transmitted to an attacker who could then gain access to your lighting network using your own username and password. This vulnerability isn’t limited to PCs and can also occur in mobile phone and tablet applications.

For example, the biggest smart phone operating system by far is Android, which is an open source system. Android being open source means that it can pose significant security risks to users and one little known fact is that any Android application can be completely reverse engineered without exception, so it’s important that the Android application does not contain any information used to maintain security, e.g. public/private keys hardcoded in software. This is not the same for Apple’s iOS, which has more security features.

Denial of Service 
The DoS attack doesn’t actually need to encrypt or decrypt data across a network as its aim is not to control the network. Instead, the attacker’s main aim is to overrun the lighting network with so many packets that the system cannot cope and will shut down, rendering the system inoperable. Such an attack still causes a significant amount of inconvenience to the user who, for example, may want to switch a fixture on or off but, as the system is shut down, cannot control the fixture at all.

In reality DoS attacks using standard network topologies are exceptionally hard to achieve because significant amounts of UDP traffic have to be generated and directed to the network and this usually requires thousands of devices to be controlled concurrently. However, certain wireless network protocols that are not high speed could easily suffer DoS attacks so it does depend on the infrastructure and technology used to build the lighting network.

Wireless protocols are susceptible to vulnerabilities

An interesting trend that is being seen in the controls market is to use wireless as a control solution which has the added advantage of not having to wire control busses to each driver saving installation time and material costs. The utilisation of wireless technologies for building refits is compelling. However it is important to ensure the right protocol is implemented as certain solutions are inherently insecure.

Penetration testers have been focusing on wireless technologies for over a decade, and various families of wireless protocols are evolving through a roller coaster ride of security issues, half-baked encryption schemes, and mitigation tactics.

While the standard 802.11 wireless protocol used in most wireless hubs is by far the most popular, other wireless protocols have become the focus of security researchers and hackers alike. One protocol that can arguably be placed at the top of the list, and is an area of growing concern, is the 802.15.4 protocol that ZigBee wireless rides on. The ZigBee protocol is becoming popular and is used more and more within lighting controls including within the Philips hue system.

The ZigBee protocol differs from traditional 802.11 wireless in many ways, most notably the simplicity, low cost, and elegant function. ZigBee was designed to provide short-distance wireless solutions in which running wires to transfer data is infeasible or cost prohibitive. ZigBee does not provide the bandwidth and advanced error checking provided by protocols such as 802.11. This stripped-down approach to networking has many advantages including ease of setup, low power consumption, and simple integration into other devices.

ZigBee devices can be used in lots of different ways, but they have built-in protocol support for both mesh and star-based network topologies. Given some very basic configuration settings, a ZigBee device (node) can be joined to an existing mesh network or be assigned as the controlling device to manage the interaction of other ZigBee nodes. As you can imagine, there are lots of security attack potentials here.

ZigBee and the 802.15.4 framework were designed with security in mind, but security is only effective if it’s implemented properly. While there are numerous types of attacks that have been successfully leveraged against ZigBee devices, they generally fall into three categories: physical attacks, key attacks, and replay and injection DoS attacks.

A recent white paper by the leading telecommunications company, Cisco, highlights the security flaws found within ZigBee based solutions, so it’s important to understand which solutions and protocols should be utilised in networked lighting control systems moving forward.

Networked lighting system benefits significantly outweigh the potential disadvantage of network security. However it is clear that a new class of lighting system engineers will be required to allow the lighting community to design highly flexible, safe and easy-to-use lighting solutions in the future. It isn’t just going to be “Well, I will stick with the good old methods of using control systems”, because even these systems will have security flaws if not set up correctly and, as the Barclays bank heist recently showed, someone could quite easily enter a lighting installation posing as a maintenance engineer and then re-programme traditional controllers.

The key aspect is to work with technology companies that understand the new networked controlled environment as well as specific network IT security principles to provide a degree of assurance that two years down the line your high profile lighting installation doesn’t get hijacked because of poor security design.

It is also important not to be fobbed off with technical jargon which makes you feel secure. For example, if someone states that their system is secure because it uses 1024 or 2048-bit network keys, that doesn’t mean the system is secure. As we have seen in relation to the ZigBee protocol, a denial of service (DoS) attack on a ZigBee lighting system doesn’t actually need packets to be encrypted or decrypted, just injected at high frequency into the network!

It looks like the future of lighting is going to require mathematicians, IT support and Network Engineers. “Oh no!”, I hear you cry...

Dr. Geoff Archenhold is an active investor in LED driver and fixture manufacturers and a lighting energy consultant.

The views expressed in this article are those of the author and do not necessarily represent the views of mondo*arc.

