The Fabric of our Society
March 2024
Lighting System Cybersecurity in the Age of AI

Michael Mehl
Director, LightBox Studios
Digitization continues to evolve lighting controls and lighting fixture componentry at a rapid clip. Already, nearly all of today’s lighting systems possess multiple layers of intelligence. As threats from malicious actors escalate, AI-driven decision-making is becoming more deeply embedded in various systems. The risks are evolving rapidly, but old-school methodologies and analog solutions are available now.
At the current apex, building- or campus-wide control systems with cloud-based connections can program, monitor, and diagnose system functions. These lighting systems can auto-optimize energy performance with adaptive analysis of ongoing operations. Even simple, standalone room controls can deliver a personalized experience by sharing sensor data. This can include lighting, HVAC, security, employee ID counting and tracking, and diagnostics. Then for truly responsive lighting, add a layer of information-exchange and actuations among these other building systems. This represents significant interoperability, impacting and accessing multiple systems.
Distributed logic – where devices throughout the system participate in computing or decision-making – can be found in LED drivers, manual wall controls, sensors, shade motors, panels, gateways, servers, or centralized cloud-based connections. Remember when we had simple power-based worries from, say, a brownout impacting control chip function? Now there is significantly greater vulnerability and more avenues of failure. Vulnerability is the price of having such capable technology within lighting systems and componentry.
We’ve been hacked!
I’ll bet we’ve all experienced social media hacks/impersonations, Zoom call intrusions, website hacks or denial of service, personal password theft, or exposure of confidential information through corporate databases. There’s an alarming increase in threats from bad actors who seek access through IT networks, the “front door.”
But these are not the only means of lighting system exposure. Less obvious “back doors” include the IoT (Internet of Things), wired and wireless connectivity, and system interoperability. If left accessible or unchecked, these avenues can and do invite serious harm to a company’s operations. You can imagine.
Once the lighting system is compromised, risks escalate: theft of personal or corporate data, manipulation of lighting system functions, or locking out access to lighting and other building systems – or worse, complete systems crash. An immediate impact on building/space function can turn into lasting effects on a corporation’s reputation and bottom line. Take care to ensure that the corporation is not your client.
Enter AI
Consider the most current AI models, with their significant advancements in logic and “polymath” capabilities, trained on vast amounts of data. AI excels at interpreting user intentions and providing sophisticated answers. Lightning fast!
It’s easy to see how, with access to AI, a system disruptor or cybercriminal can overcome rudimentary barriers of lighting system access. Simultaneously, and more concerning, AI is integrating into system functions. As conditional logic takes over daily operations, it removes reliance on human control, even human access to controls.
This may sound futuristic or alarmist. And some may shrug and say there’s no use shutting the barn door once the horse has bolted. But it’s not alarmist to acknowledge potential threats. Here, especially, an ounce of “analog” prevention may be a valuable first step toward mitigating risk.
Some companies have always maintained a serious cybersecurity posture. “Hardening” leaves no device with an open USB, and no wireless access or off-premises cloud storage (regardless of vendors’ claims about security). Maybe the threats are not as significant as compromised client data, as IT and building systems are usually separated. But consider a hack that simply induces an annoying lighting system flicker; or worse, renders a space unoccupiable. The corporate image is: We’ve been compromised. Now apply that image to your financial institution or healthcare client. There could be lives and livelihoods at stake.
So what’s to be done?
Certainly, doing something is preferable to doing nothing. We need to ensure that systems are hardened. Ask the client how connected their systems need to be. Really, how useful is remote access? And exactly how important is that cloud-based connection?
There are already multiple forms of log-ins with different permissions, along with multiple levels of encryption and authentication. Lighting system manufacturers should be collaborating with cybersecurity experts and participating in security audits. Both lighting system designers and customers need ongoing education. We could also contemplate “unplugging.” Going analog, just for a while, will allow systems to develop more robust and adaptive security. The means and methodologies to secure systems from unsolicited access are evolving quickly.
The point is, there are definitely solutions. It’s a new world out there, and we must be brave, and cautious, in our approach.


