SPECIFICATION SUBMITTAL
Vive Wireless Hub
HMS-0, HMS-1, HMS-2
3691044-04g 03.23.21
Vive Security Statement
Lutron takes the security of the Vive Lighting Control System very seriously.
The Vive Lighting Control System has been designed and engineered with attention to security since its inception.
Lutron has engaged security experts and independent testing firms throughout the entire development of the Vive
Lighting Control System. Lutron is committed to security and continuous improvement throughout the Vive
product lifecycle.
The Vive Lighting Control System uses a multi-tiered approach to security.
The tiers include:
1. An architecture that isolates the wired Ethernet network from the wireless network, which strictly limits the
possibility of the Vive Wi-Fi being used to access the corporate network and gain confidential information
2. A distributed security architecture with each hub having its own unique keys that would limit any potential breach
to only a small area of the system
3. Multiple levels of password protection (Wi-Fi network and the hubs themselves), with built-in rules that force the
user to enter a strong password
4. ISO-recommended best practices including salting and SCrypt for securely storing usernames and passwords
5. AES 128-bit encryption for network communications
6. HTTPS (TLS 1.2) protocol for securing connections to the hub over the wired network
7. WPA2 technology for securing connections to the hub over the Wi-Fi network
8. Azure-provided encryption-at-rest technologies
The Vive hub can be deployed in one of two ways:
• Dedicated Lutron Network
• Connected to the corporate IT network via Ethernet. The Vive hub must be connected via Ethernet to access
certain features such as BACnet® for BMS integration or OpenADR® integration. Lutron advises following best
practices in this instance, including separating the business information network and the building infrastructure
network. Use of a VLAN or physically separated networks is recommended for secure deployment.
Dedicated Lutron Network Deployment
The Vive hub is not connected to the building network. Wi-Fi is used to connect to a smart device such as a
phone, tablet, or PC for commissioning and configuration only. The Vive hub serves web pages for setup and
maintenance via a password-protected connection. The Wi-Fi SSID can be set to not broadcast. The Vive hub
Wi-Fi may be disabled if desired.
Corporate IT Network Deployment
The Vive hub may be deployed with a fixed Ethernet IP address or with an address served over DHCP. Once the IT network is
operational, the Vive hub will serve password-protected web pages for access and maintenance. The Vive hub
Wi-Fi may be disabled if desired. The Vive hub reserves the IP subnet 192.168.3.0/24 for its Wi-Fi, so the hub
cannot be assigned an Ethernet IP address in that range.
The Vive hub acts as a Wi-Fi access point purely for the configuration and commissioning of the Vive system. It is
not a substitute for your building’s normal Wi-Fi access point. The Vive hub does not act as a bridge between
wireless and wired networks.
It is strongly recommended that local IT security professionals be involved with the network configuration and
set-up to ensure the installation meets their security needs.