Technical Guide WaveLinx Network and IT Planning Guide


Post on 23-Jan-2020


Contents

1 – About this Document
  1.1 – Key Terms
  1.2 – Related Documentation
1 – WaveLinx System Overview
  1.1 – Introduction
  1.2 – The WaveLinx Wireless Protocol
2 – System Architecture
  2.1 – Device Types
    2.1.1 – Output Devices
    2.1.2 – Input Devices
    2.1.3 – Wireless Area Controller (Gateway)
    2.1.4 – Insight Manager (Supervisory System)
    2.1.5 – Software and Interfaces
  2.2 – System Topologies
    2.2.1 – Standalone Topology
    2.2.2 – Networked Topology
3 – Software/Firmware Compatibility Matrix
4 – IT Network Information
  4.1 – LAN/WLAN
  4.2 – VLAN
  4.3 – Network Ports and Usage
    4.3.1 – Wireless Area Controller
    4.3.2 – Insight Manager
  4.4 – IP Address Assignment
    4.4.1 – IPv6 Readiness
5 – WaveLinx Wireless Network
  5.1 – Wireless Network Overview
  5.2 – Coexisting with Wi-Fi networks
    5.2.1 – WaveLinx Channel Selection
    5.2.2 – Low Air time Consumption
    5.2.3 – Interference Tolerance
  5.3 – Potential Causes of Signal Disruption
6 – Configuration and Maintenance
  6.1 – Standalone Topology
    6.1.1 – Internal Web Pages
    6.1.2 – Mobile application
  6.2 – Networked Topology
    6.2.1 – Lighting Xpert Insight
  6.3 – SSL Certificates
  6.4 – User management, Roles and Access
    6.4.1 – Standalone Topology
    6.4.2 – Networked Topology
  6.5 – Backup and Restore
    6.5.1 – Standalone Topology
    6.5.2 – Networked Topology
  6.6 – Firmware and Software updates
    6.6.1 – Standalone Topology
    6.6.2 – Networked Topology
  6.7 – Remote support
  6.8 – Firewalls - Packet Filtering, Stateful Inspection, Proxy Gateways
  6.9 – Communication Failure to the WAC
  6.10 – Third Party Integration
    6.10.1 – BACnet/IP
    6.10.2 – Public (REST) API
  6.11 – Demand Response
7 – Security
  7.1 – Introduction
  7.2 – Physical Security
  7.3 – Customer Security
  7.4 – Device Communication Security
  7.5 – Network Communication Security
  7.6 – Network Segmentation Security
  7.7 – OTA Update Security
  7.8 – Eaton Product Cybersecurity Center of Excellence
  7.9 – OSI Model Security
  7.10 – Cybersecurity Reporting and Mitigation Plans
  7.11 – Cybersecurity or Functionality Issues and Reporting

www.eaton.com/lightingsystems

1 – About this Document

This document is intended for Lighting Control Systems and IT professionals. It describes the planning and security considerations for a WaveLinx system.

IMPORTANT
Appropriate network security professionals must be engaged to ensure that the WaveLinx lighting control system is secure.

1.1 – Key Terms

The following terminology is used in this document:

API – Application Programming Interface
DHS – Department of Homeland Security
FIPS – Federal Information Processing Standards
HTTPS – Hypertext Transfer Protocol
IEEE – Institute of Electrical and Electronics Engineers
IM – Insight Manager
IoT – Internet of Things
LAN – Local Area Network
LCS – Lighting Control System. A computer-based control system installed in a building to control and monitor lighting equipment such as controllers, ballasts, drivers, keypads, and sensors. An LCS consists of hardware and software.
LXI – Lighting Xpert Insight
NIST – National Institute of Standards and Technology
OTA – Over the Air
OSI – Open Systems Interconnection
OT – Operational Technology
PCCoE – Product Cybersecurity Center of Excellence
REST – Representational State Transfer
SSL – Secure Sockets Layer
TLS – Transport Layer Security
VLAN – Virtual LAN
WAC – Wireless Area Controller
WLAN – Wireless LAN

1.2 – Related Documentation

Document: Cybersecurity Considerations for Electrical Distribution Systems, Eaton White Paper, Nov 2016
Description: The document provides more detail on the cybersecurity implications for networked systems. It is available on the www.eaton.com/cybersecurity Web site.

1 – WaveLinx System Overview

1.1 – Introduction

WaveLinx is a wireless lighting control system that is easy to install, enables energy code compliance, and provides a platform for future smart building features. A WaveLinx system can scale from one Wireless Area Controller (WAC) that controls the lighting of a single floor, to several interconnected WACs that manage the lighting across several buildings.

The WaveLinx system offers the following advantages:

Reduce commissioning time – WaveLinx features, such as the construction group and the auto-creation of dimming and receptacle zones when an area is created, reduce commissioning time by 40% or more compared to other addressable lighting systems. The WaveLinx Mobile App offers an intuitive user interface that lets an installer program the lighting system from their smartphone.

Improve data collection for better decision making – Fixtures with the WaveLinx integrated sensor let you gather more granular data on how a space is being used, which can be used to make more informed decisions around space and energy use.

Monitor the health of your system – The Alarms console with Smart Tips allows facility managers to monitor the health of their WaveLinx system and quickly address issues using troubleshooting tips aggregated from Eaton’s insight of its lighting systems. Alarms can also be sent to facility managers as emails.

Easily connect your lighting system to other systems – The BACnet/IP interface and Public (REST) API allow system integrators to easily integrate networked WaveLinx area controllers with a Building Automation System (BAS). The BAS can read and write to the WaveLinx areas, zones and devices.

1.2 – The WaveLinx Wireless Protocol

The WaveLinx wireless network uses the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard and follows strict IEEE guidelines for sustainable and reliable operation. This standard is used to exchange data between Eaton’s WaveLinx input and output devices – such as sensors, receptacles, wallstations – and the WACs. The wireless network is used to control the light fixtures and receptacles, as well as to gather energy and occupancy data.

2 – System Architecture

The architecture of a WaveLinx system is described in the topics that follow.

2.1 – Device Types

The following device types are found in a WaveLinx system:

Output devices – A device that directly controls the voltage of the lighting load. This is typically a driver, ballast, relay, or another load control device such as a receptacle.

Input devices – A device that signals an output device, either directly or via a WAC, to control a lighting load. This may be an occupancy sensor mounted in a ceiling or within the fixture, a wallstation, or a contact closure.

Programmable Controller – A device that communicates wirelessly with input and output devices to control one or more spaces using code-compliant control strategies.

Software Application – A user software application for configuring and managing standalone or networked programmable controllers. The application aggregates data from the various controllers and exposes it to other systems through various interfaces.

The diagram below shows a typical WaveLinx system:

2.1.1 – Output Devices

The WaveLinx output devices are described below.

Wireless Relay Switchpack with 0-10V (Relay zone control) – This device offers 120-277 VAC, 20A zero-crossing relay control and continuous 0-10V dimming control of LED and non-LED loads. It is powered by the 120-277 VAC circuit it is controlling and can also be used to control 20 A plug loads. The Switchpack communicates wirelessly with the WaveLinx WAC. The Wireless Relay Switchpack participates in the WaveLinx network according to the IEEE 802.15.4 standard.

Wireless Receptacle (Wall-mounted power outlet) – The wireless receptacle provides simplified wireless plug load control. Plug load control is required now in many building codes as part of an energy saving control strategy. The wallbox mounted wireless duplex receptacle provides a constantly powered bottom outlet and a wirelessly controlled top outlet. The NEMA wireless receptacle includes the NEMA symbol for identifying a controlled receptacle as well as tamper resistant outlets for safety. The Wireless Receptacle operates on the WaveLinx network based on IEEE 802.15.4 standards.

Wireless Integrated Sensor (Fixture Integrated Occupancy Sensor, Ambient Light Sensor and Control) – The integrated sensor adds control features to a light fixture, reducing the time to design and install a system while still meeting energy codes. The small integrated sensor combines Passive Infrared (PIR) technology for occupancy control with photocell technology for daylight harvesting. The Integrated Sensor operates on an IEEE 802.15.4 wireless mesh network and directly controls the light fixture that houses it.

2.1.2 – Input Devices

The WaveLinx input devices are described below.

Wireless Wallstation (Manual Lighting and Scene control) – The Eaton WaveLinx wallstation is a multi-scene, single area dimming wireless wallstation that provides customized light levels for each area. The wallstation provides a default set of operations including 50% light level, 100% light level, scene light levels between 30-70%, and fully off. Many wallstation configurations also feature scene raise/lower buttons. Each button is configurable using the Eaton WaveLinx Mobile Application to provide local and multi-level control in each area. The Wallstation is line-voltage powered and operates on an IEEE 802.15.4 wireless mesh network.

Wireless Tile-Mount Daylight Sensor (Fixture with Remote Ambient Light Sensor and Control) – The WaveLinx Tile-Mount Daylight Sensor offers a 120-277 VAC, 3 A zero-crossing relay control and continuous 0-10V dimming control for LED and non-LED loads. It is intended to provide daylight dimming and control for connected downlight luminaires, or other luminaires that do not support the WaveLinx Integrated Sensor. The WaveLinx Tile-Mount Daylight Sensor operates on an IEEE 802.15.4 wireless mesh network.

Wireless Ceiling Sensor – The Wireless Ceiling Sensor offers Passive Infrared (PIR) occupancy sensing with a coverage pattern of up to 1500 square feet. The sensor is battery powered and is one of the smallest ceiling-mounted room-based wireless occupancy sensors on the market. The sensor operates on the WaveLinx network based on the IEEE 802.15.4 standard.

2.1.3 – Wireless Area Controller (Gateway)

The Wireless Area Controller hosts the Wireless Network Manager, Wireless Network Security Manager, Wireless Network Gateway and Area Controller applications. The WAC coordinates the communication between the wireless input and output devices. The user configures the control strategy for the areas and zones covered by the WAC using the WaveLinx Mobile App. A single WAC can coordinate up to 16 areas. It provides centralized coordination of multiple areas for partial ON/partial OFF scheduling, demand response, lighting, occupancy and daylight settings, and scene control. Multiple WACs can reside on a single network and scale to hundreds of areas – each one accessible for setup, configuration and control through the WaveLinx Mobile App.

2.1.4 – Insight Manager (Supervisory System)

The Insight Manager is an on-premise hardware platform that hosts the Lighting Xpert Insight (LXI) software. LXI is used to manage the lighting system as well as the BACnet/IP and Public (REST) API integration interfaces. Eaton offers the following Insight Manager platforms to optimize the return on investment of a connected lighting system:

Lighting Insight Manager Pro will handle WaveLinx systems with up to 20 WACs.
Insight Manager Enterprise is designed for systems with as many as 500 WACs.
Virtual Insight Manager Enterprise is aimed at customers who want to host their building automation systems on a VMWare vSphere environment.

2.1.5 – Software and Interfaces

WaveLinx Mobile App – The WaveLinx Mobile App lets users set up, configure and maintain a WaveLinx system from a smartphone. They can easily define Areas, Zones, Occupancy Sets and Daylight Sets, and associate devices to them. Users can define the time-based control strategies for the spaces controlled by the WAC and actions for WaveLinx Wallstation buttons.

Lighting Xpert Insight – The LXI application offers enterprise-level functionality to WaveLinx system users. It is possible to centralize data from up to 500 networked WACs and expose that data using BACnet and Public API (REST). LXI provides system-wide user management, security management, alarm and event management, and system backup functions.

BACnet/IP Interface – The LXI BACnet/IP Interface integrates a WaveLinx system with any BACnet/IP-compatible Building Automation System (BAS). BACnet is a data communication protocol for Building Automation and Control Networks developed by the American Society of Heating Refrigeration and Air Conditioning Engineers (ASHRAE).

Public REST API – The LXI Public API enables third-party Internet of Things (IoT) platforms to take control of Eaton connected devices such as integrated sensors to create a tailored customer experience. The Public REST API allows third-party developers to send control commands to areas, zones and devices, and to read lighting information from the areas, zones, devices and the lighting building hierarchy.

2.2 – System Topologies

The WaveLinx system can be installed either with a standalone area controller or as a distributed lighting control system, i.e., networked area controllers with a supervisory system. The section below explains the Dedicated and Network installation methods.

2.2.1 – Standalone Topology

The standalone topology shown below is recommended for facilities and spaces where there is no need for a supervisory system, typically small to medium size buildings.

In a standalone topology, the WACs installed in the building are not connected to a wired or wireless LAN. Each Wireless Area Controller communicates with up to 200 wireless input/output devices [1] in a star-mesh topology. The WACs are centrally located above the ceiling in the spaces they control. Power can be provided via a PoE switch or the PoE Injector shipped with each WAC, as shown in the above illustration.

In a standalone topology, the WAC acts as a network coordinator, security manager, area controller and gateway. Each of these roles is described below.

Network Coordinator

The WAC is responsible for overall 802.15.4 network management. Each WAC only supports one 802.15.4 network. As a network coordinator, the Wireless Area Controller performs the following functions:

Selects the channel to be used by the network
Starts the network
Manages device addresses
Permits other devices to join the network
Holds a list of neighbors and routers
Transfers application packets

[1] Eaton best practices recommend designing with 100 wireless input/output devices per Wireless Area Controller.

Security Manager

The WAC provides security management, security key distribution, and device authentication for the 802.15.4 wireless network.

Area Controller

The WAC manages the control algorithm for the devices connected to it. It sends the control commands to the output devices based on received data from the input devices (e.g., occupancy sets, daylight sets, wallstations). The WAC acts as the master system clock, coordinating time-based actions while occupancy and daylight-based actions are executed by the ceiling or integrated sensor. The WAC also monitors the health of connected devices.

Gateway

The WAC connects the wireless network to other networks, i.e., LAN and WLAN. It also acts as the Wi-Fi access point for a system installer to configure and monitor the areas covered by the connected devices. The installer can configure the system using a smartphone with the WaveLinx Mobile Application, using WPA2 wireless encryption and a secure network username and password. The system installer also uses the WAC’s secure HTTPS (TLS 1.2) Web pages to set up its network settings.

2.2.2 – Networked Topology

The networked topology shown below is recommended for facilities or spaces where

Users want to manage the WaveLinx system from a central location, and/or
The WaveLinx system needs to exchange data with other building systems such as the Building Automation System, security system, Audio Visual (AV) system, and shades system.

The networked topology is commonly required for medium-to-large size buildings.

In a networked topology, the WACs and Insight Manager are connected to a LAN. The Insight Manager only supports wired Ethernet connections, while the WAC supports both wired and wireless connections [2]. The LAN may be dedicated to the lighting control system or shared with the other building automation systems. Like the standalone topology, each WAC acts as the device network coordinator, security manager, zone controller and gateway for the up-to-200 devices connected to the wireless network. A networked topology also includes the Insight Manager, a supervisory computer that hosts the LXI application.

The Insight Manager in a networked topology acts as a supervisory software host, system repository, system manager and gateway. Each of these roles is described below.

Supervisory Software Host

The Insight Manager hosts the LXI application, Eaton’s supervisory software for its connected lighting systems. LXI includes a Web-based interface enabling users to configure and manage the lighting system.

System Repository

The Insight Manager gathers and stores device data, limited to system faults, from the WACs.

[2] Eaton recommends using the LAN to connect the WACs to the Insight Manager.

System Management

The Insight Manager governs the lighting system and all connected devices from one location. It monitors the health of the system components and alerts users if any issues arise.

Gateway

The Insight Manager acts as the IoT hub for the WaveLinx system. It hosts the BACnet/IP and Public (REST) API interfaces used by third-party systems to read from and write to the WaveLinx system.

Security Manager

The Insight Manager restricts data access to authorized users, making the WAC data available to third-party systems over BACnet and Public API (REST). It also provides backup and user management features.

The Insight Manager is connected to the LAN by a hardwired Ethernet port. Unlike the WAC, the Insight Manager does not offer a wireless Ethernet interface. The Insight Manager is typically installed in the server/IT room. If the network switch provided by the customer is PoE-enabled (Power over Ethernet), that is an additional incentive to use the PoE ports to power and connect the WACs. If there are no PoE ports available or the distance between the switch and the WAC exceeds the 300-foot limit for PoE, the PoE Injector shipped with each WAC can power the WAC (refer to standalone topology to learn more about the PoE injector).

In a networked topology, the WACs will obtain the IP addresses for their wired Ethernet interfaces automatically via DHCP. Alternatively, the IT administrator can assign a static IP address to any WAC. For the Insight Manager, the IT administrator needs to assign a static IP address to use for Insight Manager configuration. At the discretion of the building IT staff, the WaveLinx system may be set up on a dedicated lighting network LAN/VLAN (Virtual LAN) or be part of the building automation network LAN/VLAN.

Once connected to the LAN, users can integrate their WaveLinx system via the Insight Manager with third-party systems such as Building Automation Systems, shades control, and AV control. Please refer to the third-party system integration section to learn more about network considerations.

In a networked topology, the user will program the WACs using the WaveLinx Mobile App while monitoring the system using LXI. If the WaveLinx system is connected to a WLAN, the user can connect their smartphone to the WLAN to program the WACs. They could also connect their smartphone to an individual WAC Wi-Fi access point to program the areas it controls.

IMPORTANT
The networked topology does not support peer-to-peer control nor virtual areas/zones spanning multiple WACs.

3 – Software/Firmware Compatibility Matrix

To ensure that the WaveLinx system is operating efficiently, the user shall ensure that all the Insight Managers and Wireless Area Controllers have compatible software/firmware. Please refer to the software/firmware compatibility matrix included in the software release notes.

4 – IT Network Information

4.1 – LAN/WLAN

A LAN or WLAN is only required in the case of a networked topology where third party systems need to exchange data with the WaveLinx system and users need to monitor the system from a central location using the Lighting Xpert Insight application hosted on the Insight Manager. Eaton recommends using the LAN to connect the WACs to the Insight Manager. If a WLAN is used, Eaton recommends a dedicated WLAN.

4.2 – VLAN

The WaveLinx system supports a multiple-VLAN topology, i.e., one where the Wireless Area Controllers and Insight Manager are located on different VLANs. When implementing in a multiple-VLAN environment, you must ensure that all the IP-based WaveLinx devices, i.e., Insight Manager, Wireless Area Controllers, computing devices (laptop, smart mobile), can exchange data across the VLANs. Please refer to the network ports section to ensure that the network switches/firewalls are properly configured to allow the data flow between these devices.

4.3 – Network Ports and Usage

4.3.1 – Wireless Area Controller

To ensure proper system operation, the following network ports and protocols must be available to allow users to interact with the Wireless Area Controllers via the LAN.

| Protocol | Port | WaveLinx Device | Use | Status | Security |
|---|---|---|---|---|---|
| TCP | 80 | WAC | Redirects to Configuration Webpages | Always Open | TLS 1.2 |
| TCP | 443 | WAC | Configuration webpages | Always Open | TLS 1.2 |
| TCP | 52725 | WAC | SSL secured Common API (CAPI) web services | Always Open | |
| TCP | 52425 | WAC | SSL secured CAPI web socket | Always Open | TLS 1.2 |
| UDP | 67 | WAC | DHCP Server | Only open in Standalone Topology. Closed when in Connected Topology. | |
| UDP | 68 | WAC | DHCP Server | | |
| UDP | 546 | WAC | DHCPv6 | | |
| UDP | 547 | WAC | DHCPv6 | | |
| UDP | 5353 | WAC | mDNS (Avahi) | Always Open | |
| TCP | 22 | WAC | SSH | Closed by default. Admin may webservice request | TLS 1.2 |
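The following Python check is an added example, not part of the Eaton guide: it compares a list of allow rules toward the WAC VLAN with the WAC port table above and reports listed ports that are not permitted, rules wider than the listed ports, and rules that open SSH or the DHCP server ports. The `Rule` format, rule names and sample rules are constructed; treating the always-open TCP ports as the required set, and the DHCP status note as covering both UDP 67 and 68, are assumptions of this example.

```python
"""Audit allow rules toward the WAC VLAN against the WAC port table (section 4.3.1)."""
from dataclasses import dataclass

# (protocol, port) -> (use, status), transcribed from the WAC table.
# status: "always" = Always Open, "standalone" = open only in standalone topology,
# "on_request" = closed by default, "unspecified" = no status given in the table.
WAC_PORTS = {
    ("tcp", 80): ("Redirect to configuration web pages", "always"),
    ("tcp", 443): ("Configuration web pages", "always"),
    ("tcp", 52725): ("CAPI web services", "always"),
    ("tcp", 52425): ("CAPI web socket", "always"),
    ("udp", 67): ("DHCP server", "standalone"),
    ("udp", 68): ("DHCP server", "standalone"),  # assumption: status note spans 67 and 68
    ("udp", 546): ("DHCPv6", "unspecified"),
    ("udp", 547): ("DHCPv6", "unspecified"),
    ("udp", 5353): ("mDNS (Avahi)", "always"),
    ("tcp", 22): ("SSH", "on_request"),
}


@dataclass(frozen=True)
class Rule:
    """One allow rule whose destination is the WAC VLAN (hypothetical format)."""
    name: str
    proto: str  # "tcp" or "udp"
    lo: int     # first destination port in the range
    hi: int     # last destination port in the range


def audit(rules, topology="networked"):
    """Return (missing, excess, review) for the given allow rules.

    missing: always-open TCP ports from the table that no rule permits
    excess:  names of rules whose range includes ports not in the table
    review:  (rule name, (proto, port), reason) for ports the table marks as closed
    """
    covered = set()
    excess, review = [], []
    for r in rules:
        listed = [(p, port) for (p, port) in WAC_PORTS
                  if p == r.proto and r.lo <= port <= r.hi]
        covered.update(listed)
        # A range wider than the listed ports inside it also admits unlisted ports.
        if (r.hi - r.lo + 1) > len(listed):
            excess.append(r.name)
        for key in listed:
            status = WAC_PORTS[key][1]
            if status == "on_request":
                review.append((r.name, key, "SSH is closed by default on the WAC"))
            elif status == "standalone" and topology == "networked":
                review.append((r.name, key,
                               "DHCP server port is closed outside standalone topology"))
    required = {k for k, (_, status) in WAC_PORTS.items()
                if status == "always" and k[0] == "tcp"}
    return sorted(required - covered), excess, review


# Constructed sample rule set for a networked (multi-VLAN) installation.
SAMPLE_RULES = [
    Rule("mgmt-https", "tcp", 443, 443),
    Rule("capi-websocket", "tcp", 52425, 52425),
    Rule("legacy-admin", "tcp", 20, 25),
    Rule("dhcp", "udp", 67, 68),
]

if __name__ == "__main__":
    missing, excess, review = audit(SAMPLE_RULES)
    print("listed but not permitted:", missing)
    print("wider than the table:", excess)
    for name, (proto, port), reason in review:
        print(f"review {name}: {proto}/{port}: {reason}")
```
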

4.3.2 – Insight Manager

The following inbound and outbound ports are used by the Insight Manager in a networked topology.

| Protocol | Port | Usage | Status |
|---|---|---|---|
| TCP | 443 | Web Application | HTTPS. Always Open |
| TCP | 443 | Public API | HTTPS. Always Open |
| UDP – Broadcast | 47808 | BACnet | BACnet. Open when BACnet is enabled. Same subnet or a BACnet router is needed. |
| UDP – Multicast | 5353 | Discovery (mDNS) of the Wireless Area Controllers (optional) | Always open. Same subnet otherwise enable multicast over subnets using L3 switch by bridging/forwarding. |
| TCP | 8761 | Web Eureka Access | HTTPS. Always open for troubleshooting. |
| TCP | 52425 | Connection to WAC | Secure WebSocket to WAC |
| TCP | 25 or 465 or 587 or any other port | SMTP Access | Depends on the SMTP server used |
| UDP | 123 | NTP | Client if configured |
| TCP/UDP | 53 | DNS | If configured. |

4.4 – IP Address Assignment

The following table identifies how the various WaveLinx components obtain their TCP/IP address.

| Device | Interface | Dynamic Addressing | Static Addressing | Notes |
|---|---|---|---|---|
| Wireless Area Controller | LAN Interface | Supported (default) | Supported (default is 192.168.1.XXX) | The WAC is the controller and gateway to the WaveLinx devices. The WAC separates the IT and OT networks. The WAC is centrally located in the space above the ceiling (preferred) to wirelessly communicate to the OT WaveLinx devices via IEEE 802.15.4. 192.168.100.XXX subnet is reserved for the Wi-Fi AP interface |
| | WLAN Interface | Supported | Supported (default is 192.168.1.XXX) | The 192.168.100.XXX subnet cannot be used as it is reserved for the Wi-Fi AP. |
| | Wi-Fi Access Point | Not Supported | 192.168.100.1 | |
| Smart Device (phone or tablet) | | Supported | Not Supported | DHCP address provided by WAC when installed as a dedicated WaveLinx installation. DHCP address provided by building IT wireless access point when installed as a network WaveLinx installation |
| Insight Manager | | Not Supported | Supported (default, address is 192.168.2.100) | DHCP server can be used to reserve an IP address for the Insight Manager. |

4.4.1 – IPv6 Readiness

The WAC and Insight Manager hardware are IPv6 capable. The input and output devices, currently using IEEE 802.15.4 MAC/PHY, are Thread and IPv6 capable.

5 – WaveLinx Wireless Network

5.1 – Wireless Network OverviewThe WAC communicates wirelessly with the lighting control devices, such as wallstations and receptacles. WaveLinx wireless ecosystem uses the IEEE) 802.15.4 standard and follows strict IEEE guidelines for sustained, reliable operation. The IEEE, a non-profit organization, is the world’s leading professional association for the advancement of technology. IEEE is a globally respected standards development group whose members are volunteers working in an open and collaborative manner. Other well-known technologies like Bluetooth® (802.15.1) and Wi-Fi® (802.11) are also part of the IEEE 802 standards family. The IEEE 802 group continually evaluates its standards to identify areas of ambiguity or concern, and works to improve its standards to ensure robustness and long-term success. To be approved as an IEEE 802 standard, IEEE 802 wireless standards must develop a Coexistence Assurance Document and implement a plan as part of the standard that ensures that all 802 wireless standards can operate and coexist in the same space.The 802.15.4 standard is a low duty cycle, narrow‐band standard that operates in the 2.4GHz ISM band with 16 channels for the 2.4GHz band. Each WAC and associated wireless devices can be configured to use a specific channel to avoid co‐channel interference with other installed devices communicating over the 2.4 GHz ISM band. Channels 11‐25, corresponding with 5 MHz‐wide frequency bands from 2.405 GHz to 2.480 GHz, may be assigned to specific wireless mesh networks. The wireless communication is secured and encrypted using AES 128‐bit encryption. Other wireless specifications:

Radio: 2.4GHz
Standard: IEEE 802.15.4
Transmitter Power: +7dBm
Range: 50m (150ft) LOS
Number of Walls: 2 interior walls standard construction

Please contact Eaton if you plan to use Zigbee HA-based devices that are from another vendor, to ensure compatibility.

www.eaton.com/lightingsystems

5.2 – Coexisting with Wi-Fi networks

The 2.4GHz ISM band has become sufficiently popular such that households, and virtually all commercial buildings, are likely to have equipment that operates in this band. In today’s commercial buildings, one will find many of the following users within the 2.4GHz spectrum that are potential sources of interference:

802.11b networks
802.11g networks
802.11n networks
Bluetooth
802.15.4-based Personal Area Network (PAN)
Wireless headsets

IEEE policies require each standard to include a coexistence statement. A standard is not approved until this coexistence statement has been deemed satisfactory. The IEEE 802.15.4-2003 specification provides support for coexistence at both the physical (PHY) layer and the MAC sub-layer. With so many 2.4 GHz devices, however, it remains possible for crowding to pose a problem in the 2.4 GHz band.

The WaveLinx system employs three techniques to co-exist with the IEEE 802.11 (Wi-Fi) networks in the 2.4 GHz frequency spectrum within the building:

Channel Selection: Identifying the IEEE 802.15.4 communication channels that do not overlap the IEEE 802.11a/b/g (Wi-Fi) deployment.

Low Airtime Consumption: Decreasing wireless communications during steady state operation, greatly reducing the probability of collision with Wi-Fi traffic.

Interference Tolerance: Working reliably despite interference by detecting and retransmitting lost communication packets.

5.2.1 – WaveLinx Channel Selection

WaveLinx devices have access to 16 separate 5 MHz channels in the 2.4 GHz band, several of which do not overlap US or European versions of Wi-Fi. As illustrated below, channels 15, 20 and 25 fall within the gaps between the commonly used Wi-Fi channels. When a wireless network is formed, the WAC is required to scan through the list of available channels using the features provided by 802.15.4, and automatically select the best channel with the least interference. In most instances, the WAC selects channels that do not overlap the IEEE 802.11b/g/n channels. This means that IEEE 802.11 Wi-Fi and IEEE 802.15.4 wireless devices can co-exist without interference if they use the correct channels.
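The following planning sketch is an added example, not code from Eaton or from the WaveLinx product. It computes which IEEE 802.15.4 channels stay clear of a site's Wi-Fi channel plan and audits the channels assigned to each WAC. It assumes the standard IEEE channel numbering (802.15.4 channels 11 to 26, so channel 26 is also evaluated) and a 22 MHz Wi-Fi channel mask; the WAC names are hypothetical.

```python
# Added planning example (not from the Eaton guide): find the IEEE 802.15.4
# channels that stay clear of a site's Wi-Fi channel plan.
#
# Assumptions taken from the IEEE channel plans, not from this guide:
#   802.15.4 (2.4 GHz): channels 11-26, centre = 2405 + 5 * (ch - 11) MHz,
#                       about 2 MHz of occupied bandwidth per channel
#   802.11b/g/n 20 MHz: channels 1-13, centre = 2407 + 5 * ch MHz,
#                       22 MHz-wide spectral mask
ZB_CHANNELS = range(11, 27)
ZB_HALF_WIDTH_MHZ = 1
WIFI_HALF_WIDTH_MHZ = 11


def zb_centre_mhz(ch):
    """Centre frequency of an 802.15.4 channel in MHz."""
    if ch not in ZB_CHANNELS:
        raise ValueError(f"802.15.4 channel {ch} is outside 11-26")
    return 2405 + 5 * (ch - 11)


def wifi_centre_mhz(ch):
    """Centre frequency of a 2.4 GHz Wi-Fi channel in MHz."""
    if not 1 <= ch <= 13:
        raise ValueError(f"Wi-Fi channel {ch} is outside 1-13")
    return 2407 + 5 * ch


def overlap_mhz(zb_ch, wifi_ch):
    """Width in MHz shared by one 802.15.4 channel and one Wi-Fi channel."""
    zb, wf = zb_centre_mhz(zb_ch), wifi_centre_mhz(wifi_ch)
    low = max(zb - ZB_HALF_WIDTH_MHZ, wf - WIFI_HALF_WIDTH_MHZ)
    high = min(zb + ZB_HALF_WIDTH_MHZ, wf + WIFI_HALF_WIDTH_MHZ)
    return max(0, high - low)


def clear_channels(wifi_plan):
    """802.15.4 channels that overlap none of the Wi-Fi channels in use."""
    return [ch for ch in ZB_CHANNELS
            if all(overlap_mhz(ch, w) == 0 for w in wifi_plan)]


def audit(assigned, wifi_plan):
    """Map each WAC name to the Wi-Fi channels its 802.15.4 channel overlaps."""
    return {name: [w for w in wifi_plan if overlap_mhz(ch, w) > 0]
            for name, ch in assigned.items()}


if __name__ == "__main__":
    us_plan = [1, 6, 11]   # common US access point plan
    eu_plan = [1, 7, 13]   # common European access point plan
    print("Clear of US plan:", clear_channels(us_plan))
    print("Clear of EU plan:", clear_channels(eu_plan))
    # Hypothetical WAC names and channel assignments, constructed for the example
    print(audit({"WAC-A": 15, "WAC-B": 18}, us_plan))
```

A WAC whose audit entry is non-empty shares spectrum with the listed Wi-Fi channels and relies on the low airtime and retransmission techniques rather than on channel separation.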


5.2.2 – Low Airtime Consumption

WaveLinx recognizes that it is not always possible to select non-overlapping channels. Many Wi-Fi access points aggressively use all available spectrum to maximize performance. To coexist, WaveLinx sends two messages every five minutes per sensor. The WaveLinx airtime consumption per minute can be calculated as follows:

SensorCount * MessagesPerSensor * AirtimePerMessage = AirtimeMillisecondsPer5Minutes
AirtimeMillisecondsPer5Minutes / 5 = AirtimeMillisecondsPerMinute
AirtimeMillisecondsPerMinute / 1000 = AirtimeSecondsPerMinute
(AirtimeSecondsPerMinute / 60) * 100 = % Airtime Consumption

Example

A 50,000 square foot installation has 500 sensors sending 2 messages every 5 minutes, each with 1.5 milliseconds of airtime. The airtime consumption would be calculated as follows:

500 sensors x 2 messages x 1.5 milliseconds = 1500 AirtimeMillisecondsPer5Minutes
1500 / 5 = 300 AirtimeMillisecondsPerMinute
300 / 1000 = 0.3 AirtimeSecondsPerMinute
(0.3 / 60) * 100 = 0.5% Airtime Consumption

The duty cycle of the WaveLinx network is therefore extremely low. This means that relatively few data packets are transmitted, which reduces the likelihood of an unsuccessful transmission. With such low airtime consumption, a WaveLinx system can easily coexist with other Wi-Fi networks, with or without overlapping channels.

5.2.3 – Interference Tolerance

The WaveLinx system must not only be tolerant of interference by other Wi-Fi and IEEE 802.15.4 networks, but also avoid any impact on Wi-Fi installations. The selection of non-overlapping channels mitigates this potential problem. WaveLinx is loss tolerant and increases communication reliability by using packet acknowledgment and retransmission. Lost packets are detected and corrected with retransmission. Finally, the WaveLinx system is designed to perform lighting control without requiring network communication at all. Lighting control will continue to operate in the event of a complete wireless failure.

5.3 – Potential Causes of Signal Disruption

The WaveLinx system will normally be able to coexist with Wi-Fi installations. However, there are many potential causes of interference and degradation that go beyond the scope of this document. Some steps that can be taken during the design phase to minimize these challenges are outlined below.

Distance

Review the network range and the distance between the devices. The greater the distance between wireless devices, the lower the signal strength. Both IEEE 802.15.4 wireless and IEEE 802.11 Wi-Fi have a maximum unobstructed “line of sight” range of 150 ft (50 meters).

Obstacles

It is important to consider obstacles that are prevalent in indoor spaces. A common consideration is the number of walls between the transmitting and receiving devices, and the construction materials in each wall. Wireless signals can have trouble communicating through these and other solid objects, which reduces the effective wireless range.

Placement

The placement of transmitting and receiving devices should be planned carefully as location is critical to optimizing the coverage range and device function. Review all device manufacturer information for specific range recommendations.


If transmitters are placed too close together in one space, even if they are on different frequencies and channels, interference can occur. Each one could increase its signal to “shout” over the other transmitters, which may impair the ability of devices to listen or respond. Wireless products typically need an air gap of 5 to 10 feet between wireless transmitters to prevent this type of interference.

Quantity

The number of devices on the network can also be a factor in signal degradation. Different network types may support different device counts and the quantity may slow or degrade the signal. Review the manufacturer documentation for any device quantity limitations and incorporate these into the design.

6 – Configuration and Maintenance

6.1 – Standalone Topology

In a standalone topology, the user configures the WAC through the WaveLinx internal web pages and programs the WAC control logic with the WaveLinx Mobile App.

6.1.1 – Internal Web Pages

The WaveLinx Web interface offers the following WAC configuration features to the user:

Network settings for all three IP interfaces (Wi-Fi AP, WLAN and LAN):
  o WLAN/LAN DHCP/Static
  o Wi-Fi AP SSID, Password
Time setting
  o Manual or NTP
User setting
  o Administrator – user name and password
  o User – user name and password
Certificate management
Backup and restore
Firmware update for WAC and all connected devices
End User License Agreement (EULA)

6.1.2 – Mobile application

The WaveLinx mobile application permits the following configuration settings:

Create and modify Areas
Create and modify Zones
Add and identify discovered devices
Create and modify Occupancy Sets
Configure Occupancy sensors attributes
Create and modify Daylight Sets
Create and modify schedules
Configure Demand Response %
Configure wallstations and program their buttons

6.2 – Networked Topology

The WACs are connected to the Insight Manager, which hosts the LXI application, in a network topology. Users continue to configure the WAC using its Web interface and program the WAC using the WaveLinx Mobile App.


6.2.1 – Lighting Xpert Insight

The LXI application supervises the WaveLinx system, and offers the following features:

Network settings for the Insight Manager
System settings for the Insight Manager (discover WACs, import system information such as devices)
Time settings for the Insight Manager (static IP address)
User access settings for the Insight Manager
BACnet/IP interface configuration
Public (REST) interface configuration
WaveLinx alarms and events display

6.3 – SSL Certificates

WaveLinx uses Eaton-provided SSL certificates to secure the communication between the WAC and the Mobile App, and between the WACs and the Insight Manager. These certificates are installed at the Eaton factory.

Customers can create their own SSL certificates to allow the secure communication between the mobile devices, WACs and the Insight Manager.

6.4 – User management, Roles and Access

6.4.1 – Standalone Topology

User authentication is required for a user to configure the WAC using its Web interface, and to program the control logic using the WaveLinx Mobile application. The WAC currently supports two roles:

Administrator
User

Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) access are not supported.

6.4.2 – Networked Topology

User authentication is required for a user to configure the WAC using its Web interface, to program the control logic using the WaveLinx Mobile application, and to configure the Insight Manager using the Lighting Xpert Insight. The Insight Manager currently supports the following roles:

System Administrator IT Administrator Facility Manager Tenant Viewer Third Party Integration Demand Response

Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) access are not supported on the building network. The WAC users and roles are different than the Insight Manager users and roles.

6.5 – Backup and Restore

The system allows users to back up WAC and Insight Manager data, and to restore from those backups. A temporary backup is recommended prior to a firmware update to the system. Once a successful firmware update is complete, a permanent backup should be made and stored per standard building IT processes.


6.5.1 – Standalone Topology

In a standalone topology, the user must back up each WAC manually using the WAC’s Web interface. Each WAC performs its own backup of all programming and network data. The restore function is available in the event of a WAC failure and replacement, or to revert to a previous version of the programming.

6.5.2 – Networked Topology

In a networked topology, the user must back up each WAC manually using the WAC’s Web interface, and back up the Insight Manager using the LXI application. The Insight Manager and each WAC perform their own backup of all programming and network data. The Insight Manager and the WAC both support the restore function in the event of an Insight Manager or WAC failure and replacement, or to revert to a previous version of the programming.

6.6 – Firmware and Software updates

Users can update WaveLinx device software and firmware. For wireless devices, the firmware is updated Over-The-Air (OTA). Firmware and software updates are typically semi-annual, and software patches are handled as needed.

If the user has registered at mycb.eaton.com, they will get an automatic notification of firmware and software updates. Additional information will be provided through the Web site.

6.6.1 – Standalone Topology

In a standalone configuration, the user updates the software and firmware of the WAC and all devices connected to the WAC using its Web interface. The device files are encrypted for each product, for example wireless wallstations and switchpacks.

Firmware updates for the WAC and its connected wireless devices are handled using the WAC internal web pages. The firmware update package is uploaded to each WAC, which manages the update distribution and installation to all connected wireless devices, such as integrated sensors and wallstations.

Mobile application updates are handled through standard application updates through Android and iOS stores.

6.6.2 – Networked Topology

In a networked setup, the user updates the Insight Manager software with the LXI application. The firmware update package is uploaded to the Insight Manager and the update process is then initiated by the user.

6.7 – Remote support

For some configuration and diagnostics purposes our technical services staff may offer remote access services. This may be accomplished in several ways depending on the customer's network configuration and IT requirements. Most often temporary access is provided by the facility’s IT department via VPN access to the building automation network. In some facilities, Eaton has installed a 4G modem that allows its technical support team to access the system’s programming. Please contact Eaton to learn more about Eaton’s technical support and after-market services.

6.8 – Firewalls - Packet Filtering, Stateful Inspection, Proxy Gateways

Firewall components should be managed by the local building IT department. The implementation of security features is the responsibility of the IT network administrator and should not interfere with the lighting system communication.


The WaveLinx WAC/Gateway includes its own firewall that isolates the IEEE 802.15.4-based device communication from the IEEE 802.3/IEEE 802.11-based LAN/WAN network.

6.9 – Communication Failure to the WAC

If communication between the WAC and its associated devices is lost, the light fixtures will remain at their current light level for at least 1 hour. After 1 hour without communication, the wireless devices will operate in out-of-the-box mode, with individual luminaire occupancy being the primary control method.

The WaveLinx system is compliant with UL924 emergency lighting standards provided the appropriate devices are included in the system design.

6.10 – Third Party Integration

The Insight Manager hosts the BACnet/IP interfaces and Public (REST) API that enable third-party systems to integrate with the WaveLinx system using read and write operations.

6.10.1 – BACnet/IP

The BACnet/IP Interface hosted by the Insight Manager enables the integration between WaveLinx and BACnet-compatible systems such as Building Automation Systems (BAS). BACnet is a data communication protocol for Building Automation and Control Networks developed by the American Society of Heating Refrigeration and Air Conditioning Engineers (ASHRAE). Using BACnet/IP, users can change the light levels for individual devices, zones and areas. From their BAS console, the user can also read the value of the individual devices such as occupancy sensors, drivers, ballasts and daylight sensors, as well as individual space outputs such as zone light levels and area scenes.

6.10.2 – Public (REST) API

The Public (REST) API hosted by Insight Manager enables third-party applications to communicate with the LXI. The API does not provide the ability to change system programming; it is used for status and override of the current state.

6.11 – Demand Response

Demand Response is supported through an IP connection to each WAC from the building management or other third-party system. See the WaveLinx Demand Response application note for more information.

7 – Security

7.1 – Introduction

Eaton views security as the cornerstone of a safe, dependable and reliable electrical system. The WaveLinx system therefore employs industry best practices to reduce, identify, contain and manage security risks. WaveLinx has been designed and engineered with wireless security as a key requirement, including the flexibility to accommodate improvements if new security attack surfaces are identified.

The WaveLinx system uses a multi-tiered approach to incorporating industry best practices for security risk management, following guidelines from the Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST) and other industry standards organizations to deliver a secure and adaptable lighting control platform.

7.2 – Physical Security

Physical security requires an architecture that isolates the wired Ethernet network from the wireless network, which strictly limits the possibility of the WaveLinx wireless being used as an access point to the corporate network.


Physical access also involves the customer location. This includes not allowing unauthorized personnel in areas where they do not belong, or access to devices for which they are not authorized.

7.3 – Customer Security

Customer security is a partnership between Eaton and the customer and involves multiple levels of password and network access protection. Beyond physical access, the customer provides an additional layer of security with strong authentication to access their corporate wired or wireless networks, and limiting the devices that can access those networks. Eaton provides additional protection with unique username and password requirements for each WAC that are securely stored per NIST-recommended best practices.

7.4 – Device Communication Security

Encryption is key to secure device-to-device communications, reducing the potential of unauthorized read access to network data. All WaveLinx communications use AES 128-bit encryption, recommended by NIST as part of FIPS publication 197.

7.5 – Network Communication Security

WaveLinx uses secure HTTPS (TLS 1.2) protocols to protect connections to the WAC over the wired network. It also employs secure WPA2 Enterprise technology to protect connections to the WAC over the Wi-Fi network when acting as an access point. This is disabled if the WAC is connected to a wired network.

The WaveLinx Mobile application uses HTTPS (TLS 1.2) as part of its communications to the WAC regardless of connection method, meaning that only our mobile application can send data to a WaveLinx system.

7.6 – Network Segmentation Security

Each WAC has its own unique keys to limit any potential breach to a small area of the system. The WaveLinx WAC provides segmentation between the lighting Operational Technology (OT) network and the enterprise Information Technology (IT) network.

The IT/OT network segmentation is a barrier to any potential IT network attack surface exposure. Even if an attack within the lighting (OT) network and its devices is successful, the WAC isolates the enterprise IT network from potential attack.

7.7 – OTA Update Security

WaveLinx provides a method for digitally signed/encrypted firmware update files to be sent to the devices Over-The-Air (OTA). It is imperative that OTA updates are digitally signed firmware images from their manufacturer, so devices can recognize valid updates from that manufacturer and not malicious ones.

7.8 – Eaton Product Cybersecurity Center of Excellence

The Eaton Product Cybersecurity Center of Excellence (PCCoE) provided guidance throughout WaveLinx development and offers Eaton customers a Web portal to identify emerging threats, find ways to secure products against them, and help customers to securely deploy and maintain Eaton product solutions. Visit www.eaton.com/cybersecurity for more information on the Eaton PCCoE.

7.9 – OSI Model Security

WaveLinx supports a seven-layer approach to security. The diagram below illustrates how WaveLinx supports security through the entire seven layers of the OSI model and not just the WaveLinx application.


7.10 – Cybersecurity Reporting and Mitigation Plans

Eaton considers the latest available industry best practices (DHS, NIST, FIPS) to reduce, identify, contain and manage risks: Deter, Protect, Detect, React, Recover.

The PCCoE public Web site contains information and feedback concerning cybersecurity threats and responses, as well as a method to monitor network breach risks. See www.eaton.com/cybersecurity for more information.

7.11 – Cybersecurity or Functionality Issues and Reporting

Issues found in the field can be reported to the Eaton service and support group, which will attempt to replicate the issue. If the issue can be replicated, an internal issue tracking application assigns the issue to the engineering team for resolution.

Depending on the severity and priority of the reported issue, a resolution could include standard firmware or software updates published to the Web site or a proactive service visit by the Eaton service and support group.


OSI Layers: Security Mitigation

Application: User Authentication
Presentation: SSL Certificate
Session: TLS 1.2, SSH, SSL
Transport: TLS 1.2, SSH, SSL
Network: Building IT ACLs
Data Link: WPA2, AES 128, WAC Segmentation & VLAN
Physical: IT physical access policy

Eaton 1000 Eaton Boulevard Cleveland, OH 44122 United States Eaton.com

Eaton Lighting Solutions
1121 Highway 74 South
Peachtree City, GA 30269
www.eaton.com/lightingsystems

© 2018 Eaton

All Rights Reserved
Printed in USA
Publication No. AP503024EN16-May-23 D4

Eaton is a registered trademark.

All trademarks are property of their respective owners.