May 19, 2021
Navigating the Cybersecurity Standards
By: Soroush Amidi, Director, Product Management
Building owners/operators and business owners are tapping into the power of smart building systems at a rapidly accelerating pace to improve their buildings’ operations and occupants’ experience. These smart building systems require OT (Operational Technology) devices to share their data, which is achieved by connecting those devices to IT networks. This leads to the integration of IT infrastructures residing in OT environments, which in turn introduces novel security threats across IT and OT. Business leaders have tasked their security and risk management leaders to develop strategies and policies that address the security ramifications of IT/OT convergence.
To help their customers, OT manufacturers have started to build cybersecurity into their connected products. At Cooper Lighting, thanks to our secure by design philosophy, cybersecurity is embedded in every connected product and platform we bring to market. Our secure development approach helps us manage cybersecurity risk throughout the product life cycle, from threat modeling and requirements analysis to verification and ongoing maintenance.
In 2018, we became the first lighting manufacturer to offer UL 2900-1 certified products. In 2020, we adopted the IEC (International Electrotechnical Commission) 62443 standards as an end-to-end framework for developing secure products and systems. With this transition, we became the first and only one in our industry to hold both the rigorous IEC and UL product certifications. While others might be satisfied just to meet these demanding global cybersecurity standards, at Cooper Lighting we see it as a stepping stone to exceeding customer expectations.
This white paper provides an overview of the different cybersecurity standards, the reasoning behind our adoption of the IEC 62443 series of standards, and our approach to applying it.
Commercial building control systems consist of mechanical and electrical equipment that controls the entire building environment. This includes HVAC, lighting, security access, surveillance, elevators, and more. These systems are aimed at creating a safe, comfortable building environment to support and even enhance the satisfaction and productivity of its tenants. At its best, it can facilitate a sense of belonging that contributes to staff retention.
In the march toward smarter buildings, standalone systems using proprietary protocols with limited IT have morphed into networked digital systems that take full advantage of IT technologies, often sharing the IT infrastructure. The many advantages of these interconnected systems come at a price: cyberattacks. A successful cyberattack can have a long-lasting impact on a company's bottom line. This goes well beyond the readily quantified costs incurred by regulatory fines, litigation, public relations, and direct expenditures that accompany large-scale personal data breaches. There are many other intangible costs associated with damage to reputation, operational disruption, loss of proprietary information, and corporate strategy.
The methods hackers use to exploit known vulnerabilities, in both new and legacy installations, are numerous: malware, phishing, man-in-the-middle attack, denial-of-service, and SQL injection are but a few of them. A system breach can lead to unauthorized disclosures of personal data, theft of proprietary information and intellectual property, violation of consumer privacy, and even loss of service. Given the dangers, cybersecurity is no longer optional for building owners and operators. A security-oriented mindset and comprehensive security mechanisms—applied to the building and its subsystems—are essential to averting and mitigating risk.
Connected devices and systems continue to grow exponentially. IDC predicts that by 2025 there will be more than 55 billion connected devices worldwide. In such a deeply interconnected world, we must build and maintain a trusted environment that uses advanced technologies to offer the best possible defense against increasingly sophisticated attacks.
A cybersecurity incident can cripple an organization in minutes, and so building owners need suppliers to prove that their products comply with the relevant cybersecurity standards. That is why, at Cooper Lighting, we are committed to establishing cyber-secure processes and developing secure products.
Cybersecurity standards consist of published materials, tools, policies, safeguards, guidelines, best practices, and risk management approaches and processes. In our industry, there are several cybersecurity standards an organization can comply with. The most important of these are described below.
The ISA/IEC 62443 series of standards was developed by the ISA (International Society of Automation), a non-profit global organization founded in 1945. These standards were subsequently adopted by the IEC (International Electrotechnical Commission), a non-profit organization founded in 1906. The scope of ISA/IEC 62443 is “to define the elements necessary to establish a cyber-security management system (CSMS) for industrial automation and control systems (IACS), and to provide guidance on how to develop those elements” (IEC 62443-2-1).
The original purpose of the IEC 62443 standards, to protect industrial control systems against cyber-threats at critical facilities like refineries, conventional power plants, and nuclear power plants, is a testament to their diligence and thoroughness. Because the IEC 62443 standards address issues that are unique to OT systems, they are preferred for smart buildings and connected lighting.
The ISO/IEC 27001 standard, jointly published by the ISO (International Organization for Standardization) and the IEC, defines the requirements for establishing, implementing, maintaining, and continuously improving an ISMS (Information Security Management System). This is a mature standard that works well for classic IT systems but is less suited to defining a cybersecurity system for an ICS (Industrial Control System). Because it does not cover the OT context as comprehensively as IEC 62443, it is not the ideal choice for our industry.
The NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce, and its mission is “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST offers a cybersecurity program focused on protecting critical infrastructure. The program comprises an extensive collection of recommendations and methodologies that cover many aspects of IT and OT systems. Although the NIST program provides broad coverage for significant areas of IT and OT systems, it is not a complete standard. As a result, a comprehensive cybersecurity system for OT cannot be established on the NIST recommendations alone. However, the NIST cybersecurity program remains an excellent supporting tool in the quest for improved risk management.
UL2900 is a series of standards published by UL (formerly Underwriters Laboratories), a global safety consulting and certification company. The standards present general software cybersecurity requirements for network-connectable products (UL2900-1), as well as specific requirements for medical and healthcare systems (UL2900-2-1), and for security and life safety signaling systems (UL2900-2-3). The ANSI (American National Standards Institute) has adopted UL2900-1 as a national consensus standard, and the FDA has officially recognized the UL2900 standard for connected equipment installed in healthcare facilities.
Cooper Cybersecurity Process
Signify, Cooper Lighting’s parent company, has a CCoE (Cybersecurity Center of Excellence) team that maintains guidelines and requirements for all Signify products and development processes, including its Cooper Lighting division products.
All of our products follow a Secure Software Development Process and are gated by our Cybersecurity Team, which performs independent Penetration Tests. The Cybersecurity Team has the authority to block a product release if any critical security issue is discovered. This reinforces the importance of security and ensures that every one of our products is fully secured against cybersecurity threats. - Jaroslaw Nowak, CTO, VP Engineering
The Signify guidelines and requirements are a collection of the security requirements defined in various industry standards, including: NIST SP 800-53; NIST SP 800-82; FIPS 140-2; NIST SP 800-124; IEC 62443; UL 2900; and local regulations such as California Bill SB-327. These requirements provide a unified way to develop a product that complies with multiple security standards.
The cybersecurity team works with all product development teams to ensure our cybersecurity requirements are met. They conduct product design reviews while the product is in its infancy to make sure the design includes security best practices and recommendations. A product review is used to walk through the concept of the product. Based on this, a data flow diagram is created to depict the overall flow of data in the product, and an architectural analysis is performed to identify the criticality of components. The team also identifies sensitive and personal data, and verifies compliance with applicable data protection regulations, including the GDPR (General Data Protection Regulation) and California Consumer Privacy Act (CCPA).
After these reviews, the team performs threat modeling and a security requirements analysis. Threat modeling allows the team to assess the risks related to components identified in the architectural analysis. These risks are used to prioritize security requirements and additional mitigations for the product. Identifying issues at the design stage lowers the odds of finding flaws in later stages.
Beyond IEC 62443 Self-Certification
As the NIST suggests, operational control systems such as industrial control systems “have many characteristics that differ from traditional IT systems, including different risks and priorities. Some of these include significant risks to human lives' health and safety, serious damage to the environment, and financial issues such as production losses and negative impacts on a nation's economy. ICS systems have different performance and reliability requirements, and also use operating systems and applications that may be considered unconventional in a typical IT network environment. Security protections must be implemented in a way that maintains system integrity during normal operations as well as during times of cyber attack.”
Cooper Lighting’s cybersecurity framework is based on technical requirements from the NIST, IEC, and UL 2900 cybersecurity standards. The products we develop are tested against these requirements by our CCoE, an independent, non-development team.
At Cooper Lighting we believe that trust is paramount in a connected world. We strongly believe that self-certification is not enough to build trust between manufacturers and end users. Therefore, Cooper Lighting Solutions has decided to complement its internal assessment by having all connected products certified by an authorized cybersecurity certification lab. Examples of connected products include the WaveLinx Wireless Area Controller and Trellix Core. - Eric Jerger, VP of Indoor Products and Connected Systems
Knowing that a certified lab has validated our cybersecurity claims gives our customers increased peace of mind. These certifications are typically expensive, and many manufacturers would prefer not to bear that cost. By pursuing such rigorous industry standard certification, particularly in the cost-conscious lighting industry, we demonstrate our resolve not only to take security very seriously but also to deliver the most secure solutions to our customers. Manufacturers, such as Cooper Lighting, that include third-party certification in their development process would certify against one of the many standards.
Having our products tested and certified by an authorized cybersecurity lab gives our customers, and us, the peace of mind that comes from knowing our devices are safe. When a product goes through a third-party certification, the possibility of compromise is eliminated. There is no room for negotiation between the business, development, and cybersecurity teams. The product stands on its own merit; it either passes or fails the test. We believe this is essential to a robust cybersecurity development process. As proof, we are making the extra investment to get our products certified by Dekra, an authorized cybersecurity lab for IEC 62443. - Soroush Amidi, Director of Product Management
There are many cybersecurity certifications in the market, but a survey conducted by Cooper Lighting showed that UL 2900 and IEC 62443 are the most recognized cybersecurity standards in the automation industry. In 2018, based on UL’s recognition for safety in the lighting and electrical community, we opted to certify our products against UL 2900-2. In 2020, two years after launching the world’s first UL 2900-1 lighting control system, we decided to reassess our third-party certification requirements.
The Signify CCoE recently carried out an analysis revealing that a product conforming to IEC 62443-4-1 and IEC 62443-3-3 would be 90% compliant with UL 2900-1 technical requirements. Conversely, a product conforming to UL 2900-1 would be just 50% compliant with IEC 62443-4-1 technical requirements, and only 60% compliant with IEC 62443-3-3 technical requirements. In addition, a Cooper Lighting survey showed that the IT community was unaware of UL 2900-1, relying on the NIST framework and IEC standard instead.
From Product to Process
The IEC 62443 series of standards goes beyond product and system technical security requirements to encompass process security requirements. For example:
- 62443-4-1, Product security development life-cycle requirements – Specifies process requirements for the secure development of products used in IACS and defines a secure development lifecycle (SDL) to develop and maintain secure products.
- 62443-4-2, Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components – Provides cybersecurity technical requirements at the component level, including embedded devices, network components, host components, and software applications.
- 62443-3-3, System security requirements and security levels – Provides detailed technical control System Requirements (SRs) associated with the seven Foundational Requirements (FRs) described in ISA-62443-1-1 (99.01.01), including the requirements for control system capability security levels, SL C (control system).
Based on the coverage provided by the IEC 62443 standards, the acceptance of IEC standards by both OT and IT communities, and the ability to certify processes in addition to products and systems, Cooper Lighting has decided to get its development process and products certified by an IEC 62443 authorized certification lab.
Standards and requirements are developed by a community of experts working together to find common ground, which sometimes requires compromise. As such, they are never perfect. The Cooper Lighting CCoE identified a risk with IEC 62443 certification in that, despite the rapid evolution of cybersecurity threats, a certification was valid for three years. To address this, we have elected to have our certification assessed annually by an independent third-party certified lab.
Third-party certification to IEC 62443, the most recognized international cybersecurity standard, by an authorized cybersecurity lab will provide the accredited and independent proof our customers need for peace of mind. They can rest more easily knowing that when Cooper Lighting products are installed in their facility, those products meet globally recognized security standards.
IEC 62443-2-1, https://webstore.iec.ch/publication/7030
“Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 2,” NIST