Repeated stakeholder feedback highlighted the need for research to examine the risk that arises from the deployment of systems that produce increased amounts of data, and potential exposure of that data to other systems, including the internet in general. Multiple PNNL studies addressed these risks and explored controls and technologies for mitigating them. Research on vulnerability assessments and threat profiles is highlighted below.
- Assessing Cyber Risks in Networked Buildings (Article, November 2023)
Cybersecurity Landscape Assessments. Driven by various data-driven use cases, there is increased interest in networking and integrating lighting and other building systems (e.g., HVAC, security, scheduling) that were previously not internet-facing, and equipping them with sensors that collect information about their environment and the people that inhabit it. This paper explores tools available to system designers and integrators that facilitate a cybersecurity landscape assessment – or more specifically the identification of threats, vulnerabilities, and adversarial behaviors that could be used against these networked systems. These assessments can help stakeholders shift security prioritization proactively toward the beginning of the development process.
- Connecting the Dots: An Assessment of Cyber-risks in Networked Building and Municipal Infrastructure Systems (Proceedings of the 56th Hawaii International Conference on System Sciences article, January 2023)
Vulnerability Assessments. A collaboration with Underwriters Laboratory led to development of a set of tests focused on authentication vulnerabilities and execution of those tests in PNNL’s test bed to evaluate four commercially available lighting systems.
- An Authentication Vulnerability Assessment of Connected Lighting Systems (Report, March 2020)
- Cybersecurity Lessons Emerge from a Recent Study of Connected Lighting (Article, June 2019)
Threat Profiles. PNNL researchers also collaborated with in-house cybersecurity experts to develop threat profiles for multiple connected lighting systems with varying system architectures and technologies.
- A Cybersecurity Threat Profile for a Connected Lighting System (Report, February 2022)
- Assessing the Threat: Weaving cybersecurity into the building development process (Article, June 2022)
- Threat Profile of a Fault Detection Use Case (Video with transcript, February 2021)