WLC-4150 Lighting Control Unit
LCU CYBERSEC
Considerations for Customers
User Manual
WLC-4150 Lighting Control Unit
LCU Cybersec
The Dialog Network Lighting Control system is a digitally addressable lighting control system that runs on its own proprietary protocol for day-to-day lighting controls operation and communications. For remote override and configuration changes via a computer, there may be a desire to connect the system to a facility network or LAN.
The Dialog Networked Lighting Control system is designed to run without requiring a connection to the internet or building LAN. However certain features may require such connections.
- Remote access
- View and Control of outputs
- Add/Edit Groups and Presets
- Schedule Changes
- Daylighting Adjustments
- BACnet IP Integration
- Remote Support and Diagnostics downloads
- CheckLight™
- Cloud Access
- Energy Management
- OpenADR
Basic Security Considerations
- Physical Security
In all cases Lighting Control Units (LCU) such as the WLC-4150, Global Webservers (GWS), and any network switches connecting them should have a layer of physical security protecting them. They should be in locked cabinets inside access controlled electrical/telecom closets. - Digital Security: Firewalls
The Lighting Control Ethernet Network (LCEN) and GWS ‘internet’ port must be protected by a firewall. The LCU and GWS must never be connected directly to the internet.
When connecting the LCEN to a corporate LAN, a Layer 7 firewall is required. This firewall is available as a feature of many managed routers, or as an separate appliance placed in between the LCEN and the corporate LAN. Care should be taken to only expose the necessary ports used in the day-to-day operation of the lighting control system. See Table 1 and Table 2 for more details on each individual TCP/UDP port.
Typical Network Security Configurations
There are 5 basic configurations:
- Single WLC-4150 to a corporate LAN
- CheckLight™ – Cloud Connection
- Global Web Server to LAN, with a lighting controls sub-network
- Global Web Server to LAN, with a lighting controls VLAN
- Global Web Server to LAN, with BACnet IP connectivity
*BACnet functionality can be paired with any of these, but requires special considerations. See WLC-4150 BACnet Connection instructions for more details.
Single WLC-4150 to a corporate LAN
The LCU should not be exposed directly to the corporate LAN, a firewall is required. Care should be taken to only expose the necessary ports. See Table 1.
CheckLight™ Cloud Managed LCUs
This configuration is suitable for CheckLight™ energy monitoring, OpenADR and BMS Integration through the cloud API. A GWS is not used, and the LCEN must not be connected to any other devices.
The LTE modem performs IP filtering which allows connections with the CheckLight™ cloud only.
Lighting Control Ethernet Network
Corporate LAN
BACnet Network
Internet Connection or Public LAN
Note:
- CAT5e or higher wiring is required for all Ethernet connections.
- Ethernet switches may be provided by others.
- LCUs only support static IPv4 address assignments.
- LCUs and GWS (“internet”) must be on the same subnet. The GWS ‘internet’ port can be on a different subnet.
- Typical only. See project information for system specific diagrams.
Global Web Server to LAN, with isolated lighting control network
The GWS has 2 ports, one for the LCEN, and one for the Corporate LAN. Communication on the LCEN is not secure and must be isolated from the corporate LAN.
The GWS ‘internet’ port does not provide an encrypted web interface and must not be connected to an untrusted network directly. It must be protected by a Layer 7 firewall.
Global Web Server to LAN, with a lighting controls VLAN
The GWS has 2 ports, one for the LCEN, and one for the Corporate LAN (labelled ‘internet’). Communication on the LCEN is not encrypted and must be isolated from the corporate LAN. If it is not possible to run dedicated cabling for the LCEN, this can be accomplished by using a VLAN enabled switch.
The GWS ‘internet’ port does not provide an encrypted web interface and must not be connected to an untrusted network directly. It must be protected by a Layer 7 firewall.
Global Web Server to LAN, with BACnet IP connectivity
The LCU has 2 Ethernet ports, but they are internally connected with a built-in layer 2 switch to allow a daisy-chained topology.
The BACnet IP protocol does not have any security or encryption. To separate a BACnet network from the LCEN, a small layer 3 router is installed for each LCU. The routers perform address translation and filtering so that the LCUs can effectively be on two subnets at once. BACnet traffic is separated out from the LCEN, improving security.
Note:
- CAT5e or higher wiring is required for all Ethernet connections.
- Ethernet switches may be provided by others.
- LCUs only support static IPv4 address assignments.
- LCUs and GWS (LCEN) PHY must be on the same subnet. The GWS ‘internet’ port can be on a different subnet.
- Typical only. See project information for system specific diagrams.
Lighting Control Ethernet Network
Corporate LAN
BACnet Network
Internet Connection or Public LAN
WLC-4150 Lighting Control Unit (LCU) Networking Specifics
- The WLC-4150 LCU does not support DHCP.
- BACnet communication is switched off by default for security reasons.
Table 1: WLC-4150 LCU TCP/UDP Ports
| Protocol (TCP/UDP) | Encrypted? | Inbound Port | Description |
| TCP | no | 80 | LCU web interface and Checklight™ power monitoring data uploaded from LCU |
| TCP | TLS 1.1 | 443 | LCU web interface encrypted and Checklight™ Connection. |
| TCP | no | 5000 | GWS communication to the LCU |
| TCP | no | 5655 | Debug |
| TCP | no | 7070 | LCU remote update |
| UDP | no | 137 | NetBIOS name service |
The WLC-4150 must be protected by a Layer 7 firewall to achieve a secured connection to a corporate LAN.
Global Webserver (GWS) Network Specifics
The GWS is based on Windows Server 2016, but must remain static in its configuration to ensure product stability. Windows Update, Firewalls, and Auto Back-ups must remain disabled. As this poses a security risk, the GWS must be isolated from the corporate LAN using a Layer 7 firewall.
There are 2 Ethernet ports on the GWS:
- Lighting Control Ethernet Network (LCEN)
- Internet” (Not to be connected directly to an unsecured network)
Table 2: Global Webserver TCP/UDP Ports
| Protocol (TCP/ UDP) | Encrypted? | Inbound port (LCEN) | Inbound port (“Internet”) |
Description |
| TCP | no | 80 | 80 | GWS web interface |
| TCP | no | 6000 | LCU communication to GWS | |
| TCP | no | 13000 | Main traffic between LCU and GWS |
The GWS must be protected by a Layer 7 firewall to achieve a secured connection to a corporate LAN.
This product is designed to be connected to and to communicate information and data via a network interface. It is Customer’s sole responsibility to provide and continuously ensure a secure connection between the product and Customer network or any other network (as the case may be). Customer shall establish and maintain any appropriate measures (such as but not limited to the installation of firewalls, application of authentication measures, encryption of data, installation of antivirus programs, etc) to protect the product, the network, its system and the interface against any kind of security breaches, unauthorized access, interference, intrusion, leakage and/or theft of data or information. Douglas Lighting Controls and its affiliates are not liable for damages and/or losses related to such security breaches, any unauthorized access, interference, intrusion, leakage and/or theft of data or information.
Learn More at www.universaldouglas.com
It’s EASY to REACH US
universaldouglas.com
UniversalDouglasSupport
Douglas Lighting Controls
877-873-2797
techsupport@universaldouglas.com
Universal Lighting Technologies
800-225-5278
tes@universaldouglas.com
universaldouglas.com
Documents / Resources
 |
universal douglas WLC-4150 Lighting Control Unit [pdf] User Manual WLC-4150 Lighting Control Unit, WLC-4150, Lighting Control Unit, Control Unit, Unit |
