Bringing Cybersecurity to the Heart of Casambi

Vesa Vainio, Cloud Architect, provides a high-level lowdown on the company’s top priorities. 

Cybersecurity is key to ensuring that the transformative potential of wireless networking can be fully realized and enjoyed by all. The proliferation of IoT devices and the growing interconnectedness of smart building systems are expanding the cyber threat landscape within these environments.  

The primary concern relates to devices with an IP address (Internet Protocol concerns the rules governing the format of data sent over the internet), which communicate outside the building – for example when an embedded controller collects data and sends it up to the cloud either directly or via a gateway. As this data travels from a network to the cloud, the risk of interception and data theft becomes very real.  

Data coming out of smart lighting networks could give an adversary information on, for example, occupancy patterns. But, by and large, cybercriminals might try to target connected products to gain entry to a building management system (BMS) and then attempt to access other systems controlling, for example, operational technology. We interviewed Vesa Vainio, Casambi’s Chief Cloud Architect, for a very high-level lowdown on the company’s top cybersecurity priorities.  

Internet and non-Internet 

Casambi is based on Bluetooth Low Energy, which is a wireless personal area network – meaning that it can function without being connected to the internet. In other words, no perilous journey to the cloud is required to use a Casambi network.   

‘Casambi devices, and the Casambi mesh network they form, are not internet-facing. They don’t have IP addresses. We use a proprietary protocol over which the Casambi nodes can communicate – across Bluetooth bandwidth. But we are working on an IP gateway product. This will become a gateway between the Casambi network (the lighting devices) and our backend systems. So, this, indeed, will be a device with an IP address that can talk over the internet’.  

Should building management personnel, for example, wish to remotely monitor their lighting networks and analyze performance dashboards in real-time, a gateway is deployed to aggregate communication from light controllers and backhaul data via the cloud to a central management platform.  

‘Such a gateway enables the integration between building management systems and our systems – that’s where cybersecurity comes into even sharper focus for us. We already offer a Cloud API (Beta), which allows software developers to integrate with BMS and in doing so, open the doors to remote monitoring of Casambi networks. This includes access to sensor, diagnostics, and usage data. As this is internet-facing, we pay great attention to keeping our security configuration up to date.’ 

Protected credentials 

The most common attack vectors include compromised or weak user credentials, missing encryption, software vulnerabilities, and misconfigured devices. Casambi’s system architecture has been built to maximize resiliency against attack.  When it comes to preventing attacks whereby hackers might wish to use a Casambi network to access third-party BMS, Vesa maintains that it’s about protecting the credentials we issue to our customers.  

With Casambi, it is possible to control access rights to your network and to define who interacts with the lights. When utilizing the API, security essentially boils down to the credentials we issue to customers.  The only way to access the data is if you have the proper credentials’. 

 ‘To manage security and the integrity of data, we provide different levels of access. API credentials are granted on user-specific accounts. However, even though you would have API access, you would still need login credentials for the specific network. Security is about working in layers – it’s about adding additional barriers to entry. We also recommend that our clients protect their credentials according to industry-standard practices.’  

Full encryption 

Full encryption of communications and security measures for authorization means all data that is transmitted is protected and safe. Over-the-air programming allows us to push new security features and software patches out to the entire fleet of installed devices at once.  

‘Encryption helps prevent ‘Man in the Middle’ attacks, whereby a hacker may attempt to modify commands in transmission from app to network. Here, there are two different connections to protect. Firstly, the app – or the gateway device – which is connected to the Casambi network. This is connected to our backend systems. Secondly, the BMS, which is connected to the backend system. Both connections are encrypted and secured.’ 

‘Our approach to encryption starts by considering what exactly we build a device to do, and the communications that we design the device to take into effect. That’s where we design the communication to be encrypted, and all the connections to be properly authenticated’.  

‘A gateway is in essence a computer. We have a Linux operating system running ours, and we primarily use industry-based practices to keep it up to date and secure. It can be remotely updated with security patches’.  

Since Casambi offers a multitude of solutions – from APIs, mobile apps, and different solutions that participate in how we manufacture devices – the company uses various encryption algorithms and techniques for securing data. 

There are lots of different pieces in the puzzle and connections between them. On the one hand, we have an algorithm that the Casambi devices use when they are communicating with each other as nodes within a Casambi network. But when it comes to encryption of backend systems – BMS calling our API – a negotiation happens. When two computers establish communication, they negotiate which algorithm to use (this is how the internet works) by choosing an option that supports both. We have different types of functionality and different methods that we use for different pieces. It’s complex.’ 

Engaging the ethical hacker community  

‘With all the above said, cybersecurity is a complex pursuit. We never stop investigating and innovating to stay ahead of evolving threats. Our engineering team is dedicated to responsible vulnerability management and has a solid reputation for continuously strengthening our security posture against any potential threats’.  

Casambi highly values the work that security researchers and ethical hackers undertake in good faith to secure the cyber world. We have a Vulnerability Disclosure Policy, which provides clear guidelines for conducting vulnerability discovery activities and for the process of reporting potential vulnerabilities in our systems.  

And the company recently launched a collaboration with HackerOne, a leading vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers.  

‘I’m really pleased with our co-operation. HackerOne will ensure the quality of reporting is top-notch. And their setup will ensure that rightful rewards are paid to the researchers who help us. For our customers and partners, they can feel confident that any vulnerability we discover is safely disclosed and dealt with in accordance with global standards and best practices’. 

Alongside the recent receipt of our ioXt Alliance cybersecurity certification, we are validating to customers the importance that cybersecurity is taking in our platform, products, and processes.  

‘The work is never completed, but it’s certainly central to our strategy and mindset.’