Your internet browser isn't supported.

For security reasons, we no longer support Internet Explorer. Please upgrade to an alternate browser to see all functionality and content on the website.


Navigating the Cybersecurity Standards

Navigating the Cybersecurity Standards


Building owners and operators are tapping into the power of smart building systems at an accelerating pace. This trend of increasing connectivity is driven by the wealth of new data it unlocks, the benefits of improved insight into building operations, and the opportunity to differentiate tenant spaces. These advantages, however, are accompanied by a heightened concern around cybersecurity quality and potential vulnerabilities.

To help their customers, OT manufacturers have started to build cybersecurity into their connected products. This white paper provides an overview of the various cybersecurity threats and the different cybersecurity standards.

Cybersecurity Threats

Commercial building control systems consist of mechanical and electrical equipment that controls the entire building environment. This includes HVAC, lighting, security access, surveillance, elevators, and more. These systems are aimed at creating a safe, comfortable building environment to support and even enhance the satisfaction and productivity of its tenants. At its best, it can facilitate a sense of belonging that contributes to staff retention. In the march toward smarter buildings, standalone systems using proprietary protocols with limited IT have morphed into networked digital systems that take full advantage of IT technologies, often sharing the IT infrastructure. The many advantages of these interconnected systems come at a price: cyberattacks. A successful cyberattack can have a long-lasting impact on a company's bottom line. This goes well beyond the readily quantified costs incurred by regulatory fines, litigation, public relations, and direct expenditures that accompany large-scale personal data breaches. There are many other intangible costs associated with damage to reputation, operational disruption, loss of proprietary information, and corporate strategy.

The methods hackers use to exploit known vulnerabilities, in both new and legacy installations, are numerous: malware, phishing, man-in-the-middle attack, denial-of-service, and SQL injection are but a few of them. The Cybersecurity and Infrastructure Security Agency (CISA) tracks the various cyber threats and provides advisories [1]. A system breach can lead to unauthorized disclosures of personal data, theft of proprietary information and intellectual property, violation of consumer privacy, and even loss of service. Given the dangers, cybersecurity is no longer optional for building owners and operators. A security-oriented mindset and comprehensive security mechanisms—applied to the building and its subsystems—are essential to averting and mitigating risk.

Connected devices and systems continue to grow exponentially. Forbes predicts that by the end of 2024 there will be more than 207 billion connected devices worldwide [2]. In such a deeply interconnected world, we must build and maintain a trusted environment that uses advanced technologies to offer the best possible defense against increasingly sophisticated attacks. A cybersecurity incident can cripple an organization in minutes, and so building owners need suppliers to prove that their products comply with the relevant cybersecurity standard.

Cybersecurity Standards

Cybersecurity standards consist of published materials, tools, policies, safeguards, guidelines, best practices, and risk management approaches and processes. In our industry, there are several cybersecurity standards an organization can comply with. The most important of these are described below.

cybersecurity lock

ISA/IEC 62443

The ISA/IEC 62443 series of standards were developed by the ISA (International Society of Automation), a non-profit global organization founded in 1945. These standards were subsequently adopted by the IEC (International Electro-technical Commission), a non-profit organization founded in 1906. The scope of ISA/IEC 62443 is “to define the elements necessary to establish a cyber-security management system (CSMS) for industrial automation and control systems (IACS), and to provide guidance on how to develop those elements.” [3] IEC 62443-2-1

The original purpose of the IEC 62443 standards, to protect industrial control systems against cyber-threats at critical facilities like refineries, conventional power plants, and nuclear power plants, is a testament to their diligence and thoroughness. Because the IEC 63443 standards address issues that are unique to OT systems, they are preferred for smart buildings and connected lighting.

ISO/IEC 27001

The ISO/IEC 27001 standard, jointly published by the ISO (International Organization for Standardization) and the IEC, defines the requirements for establishing, implementing, maintaining, and continuously improve an ISMS (Information Security Management System). This is a mature standard that works well for classic IT systems but is less suited to defining a cybersecurity system for an ICS (Industrial Control System). Because it does not cover the OT context as comprehensively as IEC 62443, it is not the ideal choice for our industry.


The NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce, and its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”[4] NIST offers a cybersecurity program focused on protecting critical infrastructure. The program comprises an extensive collection of recommendations and methodologies that cover many aspects of IT and OT systems. Although the NIST program provides broad coverage for significant areas of IT and OT systems, it is not a complete standard. As a result, a comprehensive cybersecurity system for OT cannot be established on the NIST recommendations alone. However, the NIST cybersecurity program remains an excellent supporting tool in the quest for improved risk management.


UL2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. The standards present general software cybersecurity requirements for network-connectable products (UL2900-1), as well as specific requirements for medical and healthcare systems (UL2900-2-1), and for security and life safety signaling systems (UL2900-2-3). The ANSI (American National Standards Institute) has adopted UL2900-1 as a national consensus standard, and the FDA has officially recognized the UL2900 standard for connected equipment installed in healthcare facilities.

Specifically, in the lighting world, organizations such as the DesignLights Consortium (DLC) that maintain a Qualified Product List (QPL) for Networked Lighting Controls (NLC) now require that such lighting systems have a cybersecurity certification from a qualified agency to be listed on its QPL.


Standards and requirements are developed by a community of experts working together to find common ground, which sometimes requires compromise. As such, they are never perfect. Additionally, hackers or other bad actors continually try find ways to get unauthorized access to connected or IoT systems. Hence it is important that such connected systems are periodically assessed to identify any vulnerabilities. Here is the Cooper Lighting Solutions cybersecurity statement.