What Does Australia’s New Data Breach Notification Legislation mean for Smart Building Systems?

17 January 2018

Electrical Engineers, Engineering Consultants and Lighting Designers are on notice to ensure the lighting control systems they select are secure, to mitigate risk and minimise brand and reputation damage from cyber attacks in 2018.

Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 last year. From 22 February 2018, all Australian entities covered by the Privacy Act 1988 must comply with its notifiable data breach requirements.

In practice this means that businesses with an annual turnover of more than $3,000,000 AUD (and Australian Government agencies, regardless of turnover) must comply, as must some organisations below that turnover threshold that operate in particular industries or collect particular kinds of personal information.

Cyber criminals are relentless and inventive. It is not a matter of if an organisation will be attacked, but when. Mitigating this risk by selecting secure building system solutions, such as secure lighting controls, is one essential practice engineers can adopt to protect themselves and their clients.

Data breaches are not just an IT problem anymore and now pose significant reputational and financial risk to any consumer-facing brands and public companies.

Preparation and response need to be driven from the top of the organisation, ensuring that robust policies and processes are in place and actively followed with respect to selecting and specifying secure systems for clients.

“It was the building management systems that jumped out as the most vulnerable. In all cases, pretty much without fail, these systems had been procured without thought to how to make them secure. I was absolutely shocked.”

Source: Tomorrow’s Buildings: Help! My building has been hacked

Lighting control systems now share integrated communication networks and infrastructure with a range of other services. When they are not secure, they are an open invitation for cybercriminals to reach the IT infrastructure behind them.

Additionally, the lighting control system is integrated with a range of critical building services such as the BMS, security access control, HVAC and more.

Whilst a compromised lighting control system carries very real dangers of its own, including impacts on human safety and productivity, operating costs and physical building security, the greater concern lies with the connected systems and the networks on which they reside, because the lighting system expands the attack surface that reaches them.

Legacy lighting control systems that are more than 10 years old were not designed for the current or future security reality, and they cannot be retrofitted to close this weakness.

Knowingly specifying and installing these old systems is not acting in your client's best security interests, especially given the new notification requirements under the legislation once an attack happens.

The intent of providing a secure lighting control system is to prevent and limit the risk, damage and consequences of unauthorised system access, in particular:

  1. unauthorised control of the system;
  2. prevention of legitimate use of the system;
  3. unauthorised monitoring of the system;
  4. unauthorised modification of the system.

Further, the security protocols of the lighting control system should be capable of preventing and limiting the risks associated with the following attack vectors:

  • Impersonation attacks,
  • Replay attacks,
  • Man-in-the-Middle (MITM) attacks,
  • DoS / DDoS attacks,
  • Site-wide field bus attacks.
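To make the first three attack vectors concrete, the following is an added example (not from the original article, and not the protocol of RAPIX or any other vendor's product). It models a "legacy" dimmer that trusts any frame it receives beside a dimmer that requires a shared-key HMAC and a strictly increasing message counter on every command, then runs a legitimate command, a forged command (impersonation), a re-sent captured command (replay) and a frame altered in transit (MITM) against both. The frame layout, command codes, device id and demo key are all constructed for illustration.

```python
"""Added example: authenticated, replay-protected lighting commands.
Frame layout, command codes, device ids and the key are constructed
for illustration and do not describe any real lighting protocol."""
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment provisions a unique per-device key.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                         "101112131415161718191a1b1c1d1e1f")
TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits

# Constructed frame: device_id(2) | counter(4) | cmd(1) | level(1) | tag(16)
HEADER = struct.Struct(">HIBB")
CMD_SET_LEVEL = 0x01
CMD_OFF = 0x02


def build_command(key, device_id, counter, cmd, level=0):
    """Controller side: encode a command and append its MAC."""
    header = HEADER.pack(device_id, counter, cmd, level)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class InsecureDimmer:
    """A 'legacy' field device: acts on any frame seen on the bus."""

    def __init__(self):
        self.level = 0

    def receive(self, frame):
        _, _, cmd, level = HEADER.unpack(frame[:HEADER.size])
        self.level = level if cmd == CMD_SET_LEVEL else 0
        return "ok"


class SecureDimmer:
    """Verifies the MAC, checks the addressee, and enforces a monotonic counter."""

    def __init__(self, key, device_id):
        self.key = key
        self.device_id = device_id
        self.last_counter = 0
        self.level = 0

    def receive(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return "malformed"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; rejects forgeries and any in-transit tampering.
        if not hmac.compare_digest(tag, expected):
            return "bad_mac"
        device_id, counter, cmd, level = HEADER.unpack(header)
        if device_id != self.device_id:
            return "wrong_device"
        # Replay protection: a captured frame re-sent later carries a stale counter.
        if counter <= self.last_counter:
            return "replay"
        self.last_counter = counter
        self.level = level if cmd == CMD_SET_LEVEL else 0
        return "ok"


def demo():
    """Run the attack vectors against both devices; returns (legacy, secure) outcomes."""
    legacy = InsecureDimmer()
    secure = SecureDimmer(DEMO_KEY, device_id=7)
    results = {}

    # 1. Legitimate command from the controller that holds the key.
    good = build_command(DEMO_KEY, 7, counter=1, cmd=CMD_SET_LEVEL, level=80)
    results["legit"] = (legacy.receive(good), secure.receive(good))

    # 2. Impersonation: an attacker without the key forges an 'off' command.
    forged = HEADER.pack(7, 2, CMD_OFF, 0) + bytes(TAG_LEN)
    results["impersonation"] = (legacy.receive(forged), secure.receive(forged))

    # 3. Replay: the attacker re-sends the captured legitimate frame.
    results["replay"] = (legacy.receive(good), secure.receive(good))

    # 4. MITM: a fresh legitimate frame has its level byte (offset 7) zeroed in transit.
    fresh = build_command(DEMO_KEY, 7, counter=2, cmd=CMD_SET_LEVEL, level=50)
    tampered = bytearray(fresh)
    tampered[7] = 0
    results["mitm"] = (legacy.receive(bytes(tampered)), secure.receive(bytes(tampered)))

    # Final state: the legacy dimmer has been driven to 0 by the attacker;
    # the secure dimmer still holds the last authenticated level.
    results["levels"] = (legacy.level, secure.level)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} legacy={outcome[0]!s:8s} secure={outcome[1]}")
```

A MAC and counter address impersonation, replay and tampering only; they do nothing against the last two vectors in the list. DoS/DDoS and site-wide field bus attacks are handled by network segmentation of the lighting bus from the corporate LAN, rate limiting, and physical protection of the bus, which is why the requirement above covers the system as a whole rather than a single cryptographic mechanism.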

Tools To Protect Yourself and Your Clients

Specifying the lighting control system is only a small part of the work undertaken by electrical engineers, consulting engineering firms and lighting designers, so migrating away from obsolete, unsecured lighting control systems typically ranks low on their 'must-do' lists.

This new legislation moves these reviews and changes to the top of those lists: doing right by clients now also means protecting the engineer's own organisation from the damage that follows an attack through an unsecured system it specified.

Engineers and lighting designers can achieve this protection with minimal effort, simply by adopting a lighting control system that is secure out of the box, such as RAPIX, and updating their lighting control specifications as provided below.

Alternatively, electrical engineers and lighting designers who are reviewing and updating their existing lighting control specifications can do so easily with the Lighting Control Specification Security Addendum, which provides a vendor-agnostic way to require that the lighting control system implements best-practice security.

Standards such as DALI normalise dimming and control performance, especially when the lighting control system is certified as compliant with the DALI standard.

With this new legislation, secure systems are the only viable future for specified lighting control systems in Australia.