Page 68 - Lighting Magazine March 2019

“There are not many standards in place to address cyber-security concerns for connected lighting products.”
TESTING & EVALUATIONS
Testing is an iterative process that must be undertaken throughout product development. If security testing is spread throughout the early stages and no issues are found, the product and manufacturer will be OK. However, if the product fails testing initiated at the end of the development lifecycle, there could be a fundamental design flaw that requires the project to begin again...from scratch. Whenever possible, test for cyber-security early and often to ensure risks are mitigated along the way, such as by testing for software weaknesses, potential backdoors, interoperability concerns, functionality and performance, code analysis, and other evaluations.
As mentioned previously, there are not many standards in place to address cyber-security concerns for connected lighting products. Here are a few options; however, selecting the right one will depend on the objective of your testing and the intended use of your product:
The ISA/IEC 62443 (formerly ISA-99) series of standards. The IEC has published a conformity assessment scheme for an industrial cyber-security program intended to provide a framework for the assessment of industrial automation controls through a series of standards. An assessment under this standard evaluates security capabilities and ensures these capabilities have been applied to either a specific component, system, or operating environment.
ANSI/UL 2900 family of standards. This family of standards for software cyber-security for network-connectable products requires that products be evaluated for vulnerabilities, software weaknesses, and malware. Under this standard, product documentation, risk management, the application of security controls, and the elimination of product weakness and vulnerabilities must be illustrated to show compliance.
Common Criteria. This international set of guidelines and specifications was developed for evaluating information security products to ensure they meet an agreed-upon security standard for government use. The guidelines are internationally accepted, provide a methodology for evaluating security features, and can be applied to hardware, software, firmware, or a combination thereof. Common Criteria allow vendors to describe products’ security functionality with proof to support the claims. Today, there are 28 members of the Common Criteria Recognition Arrangement (CCRA); 17 are certificate-authorizing members, who authorize ISO 17025-accredited labs, and 11 are consuming members.
California IoT Bill. Approved in September 2018, this bill takes effect in January 2020 and will require manufacturers of connected products to equip devices with reasonable security features or features appropriate to the nature and function of the device; the information it may collect, contain, or transmit; and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified. To fulfill these requirements, manufacturers will need to demonstrate reasonable security to protect data contained in the device, in transit, and when stored in back-end services. All copies of client data must be deleted upon termination of device or service and manufacturers must ensure that access to client data is protected from modification and disclosure.
SMARTER HOMES BIGGER SALES
HOW CAN SMART PRODUCTS BE SAFE IN A CYBER-CRIME WORLD?
64 enLIGHTenment Magazine | March 2019
www.enlightenmentmag.com