PNNL

Abstract

Cities are upgrading their infrastructure and converting traditional indoor and outdoor luminaires to Connected Lighting Systems equipped with sensors in an aggressive effort to reduce energy consumption, increase sustainability, and improve the quality of life. When you take something seemingly benign like a lighting system and connect it to the internet, if improperly secured a potential attack vector for hackers is created. Hackers could then access sensitive information, pivot into other networks, shut down services, or enslave devices to do their bidding. In attempt to close this attack vector and secure these systems, this paper extends previous work that investigated, compared and contrasted authentication vulnerabilities in Connected Lighting Systems that identified the need for additional testing and improved test method documentation. One additional authentication test and four new authorization tests were developed utilizing the Open Web Application Security Project (OWASP) as a test development and documentation guide. The new tests were integrated with the previous work to develop an updated test method with a focus on describing test procedures to make them easy to understand and repeat. In addition, a first Connected Lighting System use case was established to begin developing threat profiles that will aid in the identification of vulnerabilities whose focus areas extend beyond authentication and authorization. This use case describes the generation and flow of CLS data which assists in specifying methods to harden CLSs from outside interference and exploitation that can be implemented immediately on existing CLSs and as new products come to market.