Managing cybersecurity for smart lighting infrastructures

Smart lighting is often positioned as a straightforward efficiency upgrade – a way for cities to reduce energy consumption while modernising an essential public service such as street illumination. That’s absolutely true, but there’s a very specific element to be considered: once streetlights are connected to a city’s IoT network, they become one of the most widely distributed and physically exposed digital systems a municipality operates. This fundamentally changes how cybersecurity risk should be understood and treated.

“Unlike systems installed in controlled environments, streetlights are physically accessible in public space. Even if devices are mounted several meters above ground, they remain exposed to physical inspection, tampering attempts, and environmental stress. Also, being connected to the city’s digital infrastructure, they are potential entry points for cyber attackers. From a governance perspective, physical and digital exposure cannot be separated,” says Fabio Mauri, Head of Technology Operations and Cybersecurity at Paradox Engineering.

One of the most immediate risks concerns the core function of public lighting itself. If an attacker gains control over lighting operations, they could cause partial or widespread outages. Even short disruptions can have consequences for road safety, public security and emergency response, and directly impact trust in city administrations.

There is also a second, less visible but increasingly important risk. If compromised, lighting nodes can be misused beyond their intended purpose: they can be enrolled into botnets, used as pivot points to access other municipal systems, or form a powerful platform for coordinated cyberattacks. In this scenario, the risk extends well beyond lighting operations to the broader urban digital environment.

“It is important for city leaders to be realistic about cybersecurity expectations. Absolute security is not achievable, in smart cities or anywhere else. The objective is risk reduction and impact limitation,” adds Mauri. “From our experience, effective protection for smart lighting requires a combination of technology, processes and people.”

On the technology side, protection means secure-by-design IoT devices, strong identity and authentication mechanisms, encrypted communications, and monitoring architectures suited to large, distributed environments. Our latest Hybrid Zhaga and Cellular Zhaga nodes were developed with cybersecurity in mind and support deployment models that minimise exposure by avoiding unnecessary interfaces on the public internet, reducing the overall attack surface.

Processes are equally critical. Secure deployment procedures, controlled maintenance workflows, and continuous network and security monitoring are essential to maintaining protection over the full lifecycle of a lighting system.

People remain a decisive factor. As technical controls improve, many security incidents stem from human error. Configuration mistakes, procedural shortcuts, social engineering or simple inadvertent behaviour can all lead to system exposure. In urban IoT deployments, this risk is amplified by the number of stakeholders involved, including city departments, system integrators, operators and maintenance teams. Awareness and training programmes help reduce this exposure by ensuring that security is understood and consistently applied in day-to-day operations.

For city leaders, the message is clear. Smart lighting can deliver long-term value only if cybersecurity is treated as a foundational requirement, not a secondary consideration. Treating connected lighting as low-risk infrastructure is no longer compatible with the realities of digital cities.

Read more on Cities Today, and contact our experts for a deep dive into cybersecurity for smart lighting infrastructures.

 
