What is DLC’s next step in improving building cybersecurity? 

There is more to smart building cybersecurity than you might think. Early adoption of strong cybersecurity standards is key to reducing the risk of compromise, market delays, and reputational damage to your brand.  

While network-connected products can produce extraordinary value, they are also exposed to security and data-privacy risks.

Did you know?
Cyber threats are not going away, and when it comes to security, prevention is better than cure.

DLC (DesignLights Consortium) has identified a number of cybersecurity standards and certification services that satisfy the cybersecurity criteria in its NLC5 (Networked Lighting Controls V5) technical requirements. Each of them provides independent assurance that a connected lighting product, or the organization behind it, has been designed, tested and operated with security in mind, which in turn supports a safe and productive building environment for occupants.  

This article summarizes each of the cybersecurity standards recognized by the DLC. 

Want to know more about DLC’s NLC5? Check out our blog.

Cybersecurity Standards Recognized by the DLC 

  • ANSI/UL 2900-1 
  • ANSI/ISA/IEC 62443 
  • SOC 2 (Service Organization Control 2) 
  • ISO 27001 
  • ISO 27017 (with 27001)  
  • FedRAMP 
  • CSA STAR  
  • ioXt 
  • PSA Certified 
  • UL IoT Security Rating (UL 1376) 
  • Cybersecurity Verification Program (CVP) (CSA Group T200; note that this CSA is the Canadian Standards Association, not the Cloud Security Alliance behind CSA STAR)  
  • Intertek Cyber Assured 

ANSI/UL 2900-1

Addresses vulnerabilities, software weaknesses, and malware attacks for network-connectable products.

This standard covers: 

  • Requirements for the software developer (vendor or other supply-chain member) and for the risk management process applied to their product. 
  • Methods for evaluating and assessing a product for vulnerabilities, software weaknesses, and malware attacks. 
  • Security risk controls that must be present in the architecture and design of the product.

The UL 2900 series presents general software cybersecurity requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).  

IEC 62443

Security for Industrial Automation and Control Systems (IACS)

Includes requirements and practices for: 

  • Product security development life cycle (IEC 62443-4-1) – A set of requirements for a product developer’s secure development lifecycle.  
  • Technical security requirements for IACS components (IEC 62443-4-2) – Describes the requirements for IACS components according to the target security level. IACS components include embedded devices, host devices, network devices, and software applications. The principal audience is suppliers of IACS component products.    
  • System security requirements and security levels (IEC 62443-3-3, with risk assessment for system design in IEC 62443-3-2) – Addresses cybersecurity risk assessment and system design for an IACS as a whole. The intended audience includes control system suppliers, system integrators, and asset owners. 

SOC 2 (Service Organization Control 2)

Helps service organizations establish trust and confidence in their service delivery processes and controls.

SOC 2 reports are unique to each organization (different principles, controls, and tests of controls) and are intended to meet the needs of a broad range of users. Unlike the certifications below, SOC 2 produces an attestation report from an independent auditor rather than a certificate.  

The report gives the auditor’s opinion on whether: 

  • The description of the system is fairly presented in accordance with the description criteria. 
  • The controls are suitably designed and operating effectively against the applicable Trust Services Criteria: security, availability, and processing integrity of the systems used to process users’ data, and the confidentiality and privacy of the information processed by those systems. 

ISO 27001

Systematic and cost-effective information protection through an Information Security Management System.

The ISO/IEC 27001 certification usually involves a three-stage external audit process: 

Stage 1 – a preliminary, informal review of the ISMS for example, checking for the existence and completeness of key documentation, such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage is all about familiarizing the auditors with the organization and vice versa. 

Stage 2 – a more detailed and formal compliance audit that independently tests the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek proof to confirm that the management system has been adequately designed and implemented and is currently in operation.  

Ongoing – involves follow-up reviews or audits to confirm that the organization complies with the standard. Certification maintenance requires periodic reassessment audits to confirm that the ISMS continues to operate as specified and intended. 

You can learn more about ISO 27001 on our product page. 

ISO 27017 (with 27001)

This international standard contains guidelines for information security controls in cloud services. Some of the guidelines are for cloud service customers who implement the controls, while others are for cloud service providers who support the implementation of those controls. ISO/IEC 27017 is a code of practice rather than a certifiable management-system standard on its own, which is why the DLC lists it together with ISO/IEC 27001: a certification body audits the 27017 controls as part of an ISO 27001 ISMS. 

This standard gives guidelines for information security controls applicable to the provision and use of cloud services by providing:  

  • Additional implementation guidance for relevant controls specified in ISO/IEC 27002 
  • Additional controls with implementation guidance that specifically relate to cloud services. 

Lumos Controls is now ISO 27001 certified. Click to learn more.

FedRAMP (Federal Risk and Authorization Management Program)

Standardizes security assessment and authorization for cloud products and services used by the U.S. government. 

The program is mandatory for federal agency cloud deployments and service models at the low, moderate, and high impact levels. 

The objective of FedRAMP is to: 

  • Ensure that cloud systems used by government entities have adequate safeguards 
  • Eliminate duplication of effort and reduce risk management costs, and  
  • Enable rapid and cost-effective government procurement of information systems/services. 

CSA STAR (Cloud Security Alliance Security, Trust, Assurance and Risk)

STAR is the assurance program of the Cloud Security Alliance, which also offers cloud security research, education, certification, events and best practices.

The CSA Cloud Controls Matrix (CCM) program creates a meta-framework of cloud-specific security controls that are mapped to leading standards, best practices, and regulations for cloud computing information security. 

STAR enables organizations to validate their cloud security and offer current and future customers proof of the controls in place. 

ioXt

An IoT industry alliance and cybersecurity certification program aimed at making IoT products secure and safe. 

The ioXt Alliance is comprised of key players in the Internet of Things (IoT) industry looking to build confidence in IoT products through multi-stakeholder, international, harmonized and standardized security and privacy requirements, product compliance programs, and public transparency of those requirements and programs. 

  • The program is based on eight principles, which map back to US and EU regulations.  
  • These principles are further broken into multiple levels per principle, with over 60 test cases covering topics such as security, upgradability, and transparency.  
  • Device profiles are being developed to capture the unique security requirements for specific devices and markets.  
  • Process, components, and systems are covered, and future expansion will cover cloud services. 

PSA Certified

A comprehensive IoT security assurance framework for secure digital transformation. 

PSA Certified puts security at the heart of your IoT product, reduces risk, and helps demonstrate compliance with standards.  

There are three certification scopes: 

  • The Chip – the silicon, providing security features such as immutable storage and protection of debug features.  
  • The RTOS (Real-Time Operating System) – a software-only component for the Non-Secure Processing Environment (NSPE) and any related libraries. 
  • The Device – software components, including applications and libraries developed by an OEM, together with the configuration of the RTOS for the device. 

UL IoT Security Rating

An evaluation process that assesses the critical security aspects of smart products against common threats and vulnerabilities and assigns the product a tiered security rating. 

Intertek Cyber Assured 

Cybersecurity certification, testing, assurance, and inspection services for connected products. 

Key features include: 

  • Real-time vulnerability monitoring 
  • Comprehensive security testing covering the three corners of an IoT product: the device, its companion application, and the cloud service 
  • Consumer reassurance and brand advantage 
  • Help in meeting regulatory requirements 

Why cybersecurity compliance? 

For manufacturers, service providers and utilities, and end users, ensuring that a connected lighting system is verified against cybersecurity best practices is vital. 

Here is why: 

Services and utilities: 

  • Reduce system vulnerability to common cyber risks 
  • Increase the transparency and accessibility of product security for buyers and end users. 
  • Stay ahead of regulatory developments and potential security liability 
  • Specify and incentivize products that are listed on the DLC Lighting Control Qualified Products List (QPL) 

Manufacturers: 

  • Get ahead of attackers before lighting controls become a widespread target. 
  • Have your product’s security capabilities analyzed by an independent third party to gain user confidence and a competitive market edge. 
  • The DLC cybersecurity “mark” on your Lighting Control QPL listing qualifies your product for utility incentives and signals higher quality to buyers. 

End-users 

  • Reduce the chance that your connected lighting devices and systems become an entry point for attackers or malware. 
  • Have confidence that a UL-qualified security expert has checked the product’s security posture against cybersecurity industry best practices. 
  • Verify that your connected lighting system adheres to cybersecurity best practices. 

And finally… 

The integrity and security of your lighting network is not optional; it’s a necessity. DLC’s current technical criteria (NLC5) help protect connected lighting from cyber-attacks and support wider adoption of this greatly under-utilized technology.  

DLC’s latest NLC requirements are its strongest yet, but an updated specification doesn’t make your network secure until it’s adopted and implemented at the site level.  

Why wait? The time for action is now, to ensure better buildings for years to come. 

Want to address the cyber threats that affect your business? We can help!
