Security and privacy statement for connected products

      Security and privacy

       

      At Signify, connected lighting systems are core to our business.

       

      Connected lighting systems combine connected luminaires, sensors, and other lighting system devices with Interact software and services.

       

      Because they embed two-way data communications, connected lighting system devices participate in the Internet of Things (IoT). As such IoT-enabled devices proliferate, and as connected lighting systems become more deeply embedded in core building and street lighting networks, security implementations, processes and responsibilities become more crucial and therefore more valuable.

       

      Security is embedded in all aspects of our innovation, products, systems, and services—from secure system development, to device, network and cloud security, system monitoring, and secure device updates.

       

      Our security processes are built on a strong foundation of industry standards, governance, and procedures. When selecting Signify as a partner, you can trust that we have dedicated abundant attention to security across all of our products, systems, and services, and that Signify will support you throughout the entire lifecycle of a connected lighting system.

      Governance, education, and training

       

      At Signify, the Corporate Security Office manages security governance. The Product Security Leadership Team, which includes members from the Corporate Product Security organization, business groups, and Product Innovation team, coordinates our security efforts. A network of security architects and security champions embedded in the development teams supports security activities related to product development.

       

      Signify policies and processes are aligned with global standards such as ISO/IEC 2700x—Information Security Management Systems (ISMS) and the ISA/IEC 62443 standards suite for product development. Through our Standards and Regulation department, we collaborate with many worldwide standardization organizations, such as IEC, ANSI, and CENELEC, and with industry alliances such as the IoT Security Foundation. Signify business processes are internally and externally audited on a regular basis.

       

      All Signify employees are required to attend regular cybersecurity and privacy awareness trainings. System architects and development engineers must also receive specific additional training and internal security certifications.

       

      Signify security experts hold various industry certifications such as Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA).

      Security by design

       

      All of our internal and external development activities follow the Signify Security Development Lifecycle (SDL), which codifies industry accepted best practices. The major components of the SDL are security risk analysis and threat modeling, code analysis and review, and vulnerability management. We apply the SDL to all of our hardware products, systems, services, software, and cloud solutions.

       

      In accordance with the SDL, Signify takes the following actions during design, development, and testing:

       

      • A security risk analysis, based on Signify security requirements aligned with the ISA/IEC 62443 standards suite, is performed for every new project and for every significant change to an existing project.
      • Automated code analysis and manual code reviews are regularly performed during development. These analyses and reviews are based on, but not limited to, frameworks such as the OWASP IoT Project and the OWASP Top Ten Project.
      • Third-party code, including open source code, is automatically analyzed to identify and mitigate vulnerabilities. 
      • Hardening of the operating system is performed for embedded devices and cloud-based solutions.
      • Appropriate network security and firewall rules are implemented and reviewed regularly. 
      • Encryption of data in transit and at rest is implemented according to generally accepted industry standards as described in the Federal Information Processing Standard Publication 140-2 (FIPS 140-2). 
      • Penetration tests by internal and/or external parties are performed before each customer release, at a minimum.

       

      The Innovation team is responsible for evaluating the latest IoT security technologies, and supports the development team in making the right choices when introducing new security algorithms, solutions, and technology partners.

       

      Signify regularly audits its partners and supply chain to maintain the appropriate level of security in the manufacturing process.

      Operations and maintenance

       

      Signify partners with leading global cloud service providers to deliver a resilient platform for our cloud-based systems. Deployment of those cloud-based services within data centers across various geographical areas, in accordance with data jurisdiction requirements, enables business continuity.

       

      Our cloud-based systems are managed by a specialized global operations team to ensure proper segregation of duties for system administration purposes. Responsibilities of the team include producing operational specifications and performing maintenance, security updates, vulnerability management, backup, logging, monitoring, and management of events and incidents. The team also performs periodic review of network and application security.

       

      Signify has a strict protocol for deploying updates to cloud-based systems, which defines a formal test, development, and acceptance process prior to approving systems for production.

      Incident management

       

      Signify addresses security as an integral part of our quality process. Assigned responsibilities and established procedures ensure an adequate response to suspected security events and incidents. Each suspected security event is assessed against a set of criteria to determine whether it qualifies as a security incident. When security incidents occur, immediate and appropriate mitigation measures are taken.

       

      Lessons-learned activities are conducted periodically, and additionally after major incidents, to improve security measures in general and the incident handling in particular.

      Privacy

       

      At Signify, we take privacy very seriously. Respect for privacy guides our choice of business partners, the way we design products and services, and our approach to dealing with personal data. We ensure that all Signify employees, consumers, customers, and business partners maintain control over how their data is managed, processed, and stored.

      For more information on our commitment to data privacy, visit the Signify Privacy center.

      The customer’s role in product security

       

      Signify recognizes that the security of our products and services is an important part of our customers’ in-depth security strategy. In practice, however, security is a responsibility shared by manufacturers and providers of products and services and their customers.

       

      Appropriate evaluation of risks and proper care in installation, maintenance, and operations are essential to mitigate internal and external threats.

      Coordinated vulnerability disclosure page

       

      Signify supports responsible vulnerability disclosures and encourages researchers and ethical hackers to report identified vulnerabilities.

       

      For more information on Signify responsible disclosure, visit our Product Security page.

      Signify security: selected best practices

       

      Selected best practices for ensuring the security of IoT connected lighting products, systems, and services include (but are not limited to) the following:

      Governance, education and training

      • Dedicated Product Security Office oversight
      • Alignment with standards such as ISO 2700x and IEC 62443, and with the IoT Security Framework
      • Segregation of duties
      • Least privileged access
      • Participation in standardization bodies such as IEC, ANSI, and CENELEC
      • Security certification and training for all employees
      • Specific training and certification for security architects and development engineers
      • Security champions embedded throughout the organization
      • Industry-standard certifications, including CISSP, CISM, CISA, and CSSLP for employees in key roles

       

      Design and development

      • Industry-accepted practices for security development lifecycle processes for all product and service development
      • Threat modeling and security risk assessment
      • Automated and manual code analysis and review
      • Third-party open source code automated vulnerability assessment

       

      Device and physical security

      • Mechanisms designed to ensure only trusted code is executed (secure boot wherever possible)
      • Remove hardware debug interfaces
      • Restricted communications with debug interfaces
      • Authentication to protect firmware updates
      • Resistance to side channel attacks
      • Operating system hardening
      • OWASP and OWASP IoT frameworks applied

       

      Wireless and wired interfaces

      • Latest version of application layer protocols
      • Use WPA2 with AES encryption for Wi-Fi
      • Unique device identity and certificates
      • Latest Bluetooth protocols
      • Zigbee protocol with enhanced security features

       

      Device authentication and authorization

      • Unique device identity and certificates
      • Multi-factor authentication available
      • Authentication using pre-shared keys and passwords
      • Change default password at installation (first login)
      • Role-based access control

       

      Encryption and key management

      • Cryptographically secure random number generation
      • Crypto functions designed for expected product lifetime
      • Secure data at rest and in transit with industry-accepted standards (e.g. FIPS 140-2)
      • Sensitive information in tamper-resistant location
      • Data in transit encrypted with latest technologies (e.g. TLS 1.2)
      • Data at rest encrypted with industry accepted standards when needed (e.g. AES 256)

       

      Mobile applications

      • Android and Apple iOS security guidelines and standards
      • Restricted access to databases and files
      • Data in transit encrypted with latest technologies (e.g. TLS 1.2)
      • Use secure certificates for communications with remote servers
      • Data validation for all inputs

       

      Cloud services

      • Cloud security best practices as recommended by cloud service providers
      • CIS benchmarks and other hardening frameworks
      • Alignment with Cloud Security Alliance best practices
      • Cloud and container security

       

      Business continuity and resilience

      • Deployment in various geographically distinct data centers
      • Distinct test/acceptance/production environments
      • Rigorous approval process for updating production systems

       

      Supply chain and manufacturing

      • Rigorous process for distribution of keys and secrets
      • Controlled distribution of firmware and updates
      • Dedicated supplier security team

       

      Innovation and research

      • Dedicated team to research new IoT security technologies
      • Support to development team in deploying new security algorithms and technologies
      • Rigorous approval process for updating production systems

       

      Device ownership

      • Complete removal of all personal data upon ownership transfer or service termination
      • Secure device de-registration

       

      Privacy

      • Privacy coordinated by Chief Privacy Officer
      • Privacy impact assessment performed for each system
      • Alignment with EU GDPR and applicable privacy regulations

      This information is provided for informational purposes only. It represents the current Signify product development practices as of the date of publication. These are subject to change without notice.

      Customers are responsible for making their own independent assessment of Signify products or services and the use thereof. This information is provided “as is” without warranty of any kind, whether express or implied. This information does not create any warranties, representations, contractual commitments, conditions, or assurances from Signify, its affiliates, suppliers, or licensors. The responsibilities and liabilities of Signify and its customers are defined in the agreements between Signify and its customers. This information is not part of, nor does it modify, any agreement between Signify and its customers.