Network and IT Guidance Technical Guide
www.eaton.com/lightingsystems
Cloud connectivity is required to support value-added applications and data storage such as the Space application. The lighting control
functionality will always be maintained on premises.
Security
Eaton views security as a cornerstone of a safe, dependable and reliable electrical system. Accordingly, the LumaWatt Pro wireless network
employs current industry best practices to reduce, identify, contain and manage security risks. LumaWatt Pro has been designed and
engineered with wireless security as a key requirement with flexibility to accommodate improvements if new security attack surfaces are
identified. The Eaton Product Cybersecurity Center of Excellence (PCCoE) provided guidance throughout the implementation of LumaWatt
Pro and offers Eaton customers an Internet accessible portal to identify emerging threats, find ways to secure products against them and
help customers deploy and maintain Eaton product solutions in a secure environment. More information on the Eaton PCCoE can be found
at www.eaton.com/cybersecurity.
The LumaWatt Pro System uses a multi-tiered approach to addressing industry best practices for security risk management and utilizes
guidelines promulgated by the Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST) and industry
standards organizations to achieve a secure and adaptable lighting control platform.
Physical security
LumaWatt Pro sensors are a hardened environment; thus, even if removed from the ceiling, they cannot be broken. The key information
stored in a sensor cannot be retrieved by direct inspection of the persistent storage in the sensor or by tracing the execution logic. The
LumaWatt Pro Energy Manager is typically installed in a physically secure location, and the LumaWatt Pro communication network is
physically isolated from IT networks.
Onsite network security
All wired communication in the LumaWatt Pro system utilizes strong encryption techniques. Communication between the Energy Manager
and the Gateway utilizes SSL (TLS) encryption. Communication between the Energy Manager and web clients is HTTPS.
Wireless communication security
To prevent intrusion from external networks and to prevent its use as an intrusion point, the LumaWatt Pro Wireless Network is isolated from all
IT-managed networks. The LumaWatt Pro Energy Manager maintains a strict separation between the wireless network and any external,
IT-managed networks. No LumaWatt Pro Wireless Network traffic is ever routed to the IT networks, and no host on the IT network can
communicate with sensors on the LumaWatt Pro Wireless network.
In addition to isolation from IT networks, the LumaWatt Pro Wireless Network provides security against tampering through the wireless
network itself. All LumaWatt Pro Wireless Network traffic is AES128 encrypted to prevent snooping and tampering. The commissioning
process of the wireless network assigns a network key and network ID. The value of both the network key and network ID must be known
(as well as the wireless 802.15.4 channel) to be able to communicate with commissioned devices in a LumaWatt Pro wireless network.
Thus, it is not possible to take a commissioned sensor from one LumaWatt Pro wireless network where the network ID and key are known
and use it in another LumaWatt Pro wireless network where the network ID and key are not known. Additionally, the likelihood of tampering
with the LumaWatt Pro Wireless Network is low due to the lack of availability of 802.15.4 interfaces for laptops and hand-held devices.
Multi-site security
LumaWatt Pro supports very large campuses consisting of multiple buildings and energy managers. These can be viewed and administered
seamlessly at the campus level via the Global Energy Manager. There are two commonly used architectures. These are listed below
as Options A and B. All communication between nodes uses SSL (TLS) or Secure Shell encryption. Communication between the Global
Energy Manager and web clients is HTTPS. Further, there is an on-premises option for customers who wish to connect their LumaWatt Pro
System to their BMS for monitoring and/or advisory HVAC Control.
Cybersecurity reporting and mitigation plans
The involvement and guidance of Eaton’s Cybersecurity Center of Excellence (COE) is key to all current and future development, ensuring that
our products incorporate industry and governmental network security best practices.
Eaton considers the latest available industry best practices (DHS, NIST, FIPS) to reduce, identify, contain and manage risks: Deter, Protect,
Detect, React, Recover.
The COE also provides a publicly accessible site for information and feedback concerning cybersecurity threats and responses, as well as a
method for you to monitor network breach risks.
See www.eaton.com/cybersecurity for more detail.
Cybersecurity or functionality issues and reporting
Issues found in the field can be reported to the Eaton service and support group, who will attempt to replicate the issue. If the issue can be
replicated, it is reported through internal issue tracking software, which assigns the issue to the engineering team for resolution.
Depending on the severity and priority of the reported issue, this could include standard firmware or software updates published to the
website or a proactive service visit by the Eaton service and support group.