Athena Commercial Lighting Control System
IT Implementation Guide
Revision C, 16 June 2021
Lutron Security Statement
Lutron takes cybersecurity very seriously. We vigorously monitor the threat landscape and take a proactive approach to security and privacy, continuously working to update and enhance our systems and processes. At Lutron, we call our approach to cybersecurity “Secure Lifecycle,” and we would like to present the following steps we take to protect your security and privacy:
- Security by Design. When building a new system, Lutron utilizes a dedicated security team to ensure best practices are implemented. Security is built in; it is not an afterthought or add-on.
- Third-Party Validation. Security is complicated. Lutron has a dedicated team of internal experts, but we also leverage external experts to double- and triple-check our work, and to make security recommendations.
- Continuous Monitoring and Improvements. Security is a constantly moving target. Lutron uses a dedicated security team to continuously monitor the market for potential threats and, when needed, send out security patches to update installed systems.
- Ongoing Support. Lutron has the resources you need to answer questions about security when they arise.

We incorporate a variety of security features into our product designs. These features include recommendations from the National Institute of Standards and Technology (NIST), among others, and they are aimed at meeting our Secure Lifecycle protections. While we do not publish a comprehensive list of our security features, the following list is a small example of some of the techniques employed in our system design for Lutron Athena processors and associated services (such as mobile applications and cloud resources):
- Secure and authenticated remote access with unique keys for every system’s processor
- A secure hardware element (“chip”) on every processor to guard the keys used for secure communication and authentication
- Enforcement of industry-standard encrypted communication and techniques for our integration protocols
- Secure commissioning: all communication between the system programming software tool/app and the processors is encrypted and authenticated. Programming a system requires permission to access that system.
- Security updates pushed out automatically to the processors for urgent security patches
- Use of industry-standard techniques for integrations, such as OAuth 2.0
- Signed processor firmware to ensure a firmware update is authentically from Lutron

If you have additional questions, feel free to reach out via our 24/7 Technical Support line at 1 844 LUTRON1 or email [email protected]
Glossary and Abbreviations
Athena Edge Processor – This is the basic Athena controller, supporting an embedded Linux operating system, and will be the main Athena component connected to any network. Each Athena processor has two RJ45 female connectors: one for the Athena LAN/VLAN connection and the other for serviceability. The two ports in the processor are connected via an unmanaged switch.

Athena Hub – Metal enclosure containing the Athena Edge processors. Wall-mounted vertically, predominantly located in electrical closets. The QP5 enclosure houses up to two Athena processors and may also house a Lutron-provided 8-port unmanaged layer 2 network switch with PoE (Power over Ethernet) for connectivity. PoE is provided to power devices such as Clear Connect Gateways – Type X and Athena touchscreens.

Athena Touchscreen – This is a wall-mounted digital control that manages Athena-connected lights and shades through the wired Athena Edge processor. This device is required to be on the same network as the Athena Edge processor, but may be on a different subnet if desired. It is Ethernet connected and utilizes Power over Ethernet for power and communication. These touchscreens are powered by PoE switches included in the Athena hub or may be powered by customer-provided Ethernet PoE switches.

Clear Connect Gateway – Type X (Q-RF) – This is an optional controller that supports communication between the Athena system and 2.4 GHz Clear Connect – Type X devices such as Ketra wireless fixtures and lamps. This controller is required to be on the same network as the Edge processor. This controller is Ethernet connected and utilizes PoE for power. These gateways are powered by PoE switches included in the Athena hub or may be powered by customer-provided Ethernet switches.

Field Service Engineer (FSE) – A Lutron Services Company representative who is tasked with programming and commissioning a system.
Networking Overview
System Startup and Commissioning
For new system startup, electricians will typically interconnect the various Athena hubs and gateways to create a standalone network that is used by Field Service Engineers (FSE) to start up and commission an Athena system without the need for a building network. These interconnections utilize unmanaged PoE Ethernet switches, such as those contained in QP5 hubs. In typical applications, Lutron processors and hubs are placed on their own LAN/VLAN. FSEs can work with IT to configure DHCP-provided custom IP addresses on each processor. Information on IP address requirements can be obtained from the FSE. In certain instances, some system features require the processors to have Internet access.

For customers who do not wish to have unmanaged Ethernet switches on their network, customer-provided managed Ethernet switches may be used. Each processor and gateway shall have a single connection from the processor to the Ethernet switch. For Q-RF gateways and Athena touchscreens in a system, an Ethernet switch supporting IEEE 802.3af or 802.3at is required to power them.
In a QP5 hub there may be two processors enclosed. While the Athena Edge Processor has two Ethernet ports, the second port may not be used for daisy chaining to other processors. Edge processors with a single Ethernet port may also be present depending on the specification of your system. The Ethernet port should be used to connect the processor to the network, and every processor must have a dedicated Ethernet cable home run back to the switch.

When the customer-provided network becomes available for use with the lighting system, a transition from the network used for commissioning to the customer network can be scheduled and carried out; see “Commissioning Internet Connection” below for details. Because of this anticipated network transition, IP addresses set via DHCP are recommended. Refer to the firewall and routing table in this document for information on ports required for communication between the Athena processors and cloud connectivity.

Network Architecture Overview

The typical Athena system network architecture contains Athena Edge processors, optional Clear Connect Gateways – Type X (Q-RF), Athena touchscreens, and client devices (e.g., PC, laptop, tablet, mobile device, etc.).

The Athena network architecture does NOT include the lighting actuators, sensors, and load controllers. This includes keypads, wired and wireless daylight sensors, wired and wireless occupancy sensors, load controllers, dimmers, switches, lighting panels, fluorescent lamp ballasts, and LED drivers. These devices communicate on a Lutron proprietary wired or wireless communication network.
RF Considerations
While Lutron’s Radio Powr Savr RF occupancy sensors, daylight sensors and Pico controls operate on a frequency outside of Wi-Fi, Clear Connect Gateway – Type X and Ketra fixtures and lamps operate in the 2.4 GHz band. 2.4 GHz Wi-Fi networks deployed on standard channels (1, 6, 11), or that operate in the 5 GHz band, will not interfere with communication between Clear Connect gateways – Type X and other Clear Connect – Type X devices. There are five Clear Connect – Type X channels that are preferred for Athena system deployment because they avoid or minimize interference from standard Wi-Fi channels; these will be used by default unless other requirements are communicated to the FSE:
- Channel 25 (2475 MHz)
- Channel 11 (2405 MHz)
- Channel 24 (2470 MHz)
- Channel 20 (2450 MHz)
- Channel 26 (2480 MHz)

Clear Connect gateways – Type X should be kept at least 5 ft (1.5 m) away from 2.4 GHz Wi-Fi access points, routers, hotspots, or other devices communicating via 2.4 GHz Wi-Fi. Other Clear Connect – Type X devices should be kept at least 3 ft (1.0 m) away from 2.4 GHz Wi-Fi access points, routers, hotspots, or other devices communicating via 2.4 GHz Wi-Fi. myLutron users can access Lutron App Note #745 (P/N 048745) at www.lutron.com for further details.

Physical Medium

IEEE 802.3 Ethernet – The physical medium standard for the network between Athena processors.

CAT5e – The minimum network wire specification of the Athena LAN/VLAN.

IP Addressing

IPv4/IPv6 – The Athena system supports communications and IP addressing over IPv4/IPv6. Either static IP or DHCP can be used; DHCP is the enabled default setting. Link-local IP addresses are not permitted to be used as static IP addresses. If a DHCP server is not present on the network, the processors will self-assign link-local IP addresses.

Class D Addressing

Multicast communication is required and is used to share events between Athena processors. This communication is based on UDP multicast groups.
- Each group of Athena processors that need to share events will need a unique and common class D address. The class D multicast address can be field set by the FSE and specified by the customer.
- Any-source multicast is used because any Athena processor may be enacting the event.
- Multicast communication in the Athena system is primarily event based (e.g., system trigger or change in state for monitoring). Polling is not a basis of communications in an Athena system.

Note: Multicast communication is always required for communication among the processors within an Athena system.

Latency Requirements for Managed Networks

Note that for managed networks, the maximum latency between any two Athena processors should be less than 10 ms.

Communication Speed and Bandwidth

100BASE-T full duplex – The maximum link speed supported by the Athena processor communications.

1.88 Mbps – Worst-case bandwidth in a fully loaded system. Most systems include only 1 to 4 processors.
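The addressing and latency rules above are easy to get wrong when a plan is assembled by hand, so the following Python script is an added example (not Lutron's code and not from this guide) that checks a proposed plan against them: static addresses must not be link-local, the shared event group must be an IPv4 class D address (the 239.0.38.0/24 range is the one this guide's runtime firewall table documents for the system), and the round trip between any two processors on a managed network must stay under 10 ms. The sample plan, its addresses and the RTT figure are constructed for illustration.

```python
from __future__ import annotations
import ipaddress

# Limits taken from the guide; the 239.0.38.0/24 group range comes from its runtime firewall table.
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")  # reserved link-local multicast (mDNS uses 224.0.0.251)
DOCUMENTED_GROUPS = ipaddress.ip_network("239.0.38.0/24")   # 239.0.38.1 - 239.0.38.m
MAX_LATENCY_MS = 10.0                                       # processor-to-processor limit on managed networks


def check_static_ip(addr: str) -> list[str]:
    """Findings for one proposed static processor address (empty list means acceptable)."""
    ip = ipaddress.ip_address(addr)
    findings = []
    if ip.is_link_local:  # 169.254.0.0/16 or fe80::/10: the guide forbids these as static addresses
        findings.append(f"{addr}: link-local addresses may not be used as static addresses")
    if ip.is_multicast or ip.is_loopback or ip.is_unspecified:
        findings.append(f"{addr}: not a usable unicast host address")
    return findings


def check_multicast_group(group: str) -> list[str]:
    """Findings for the class D address the processors will share events on."""
    ip = ipaddress.ip_address(group)
    if ip.version != 4 or not ip.is_multicast:
        return [f"{group}: event group must be an IPv4 class D address (224.0.0.0/4)"]
    findings = []
    if ip in LOCAL_CONTROL_BLOCK:
        findings.append(f"{group}: 224.0.0.0/24 is reserved for link-local control traffic such as mDNS")
    if ip not in DOCUMENTED_GROUPS:
        findings.append(f"{group}: outside the 239.0.38.0/24 range documented for Athena systems")
    return findings


def check_latency(rtt_ms: dict[tuple[str, str], float]) -> list[str]:
    """Flag any processor pair whose measured round trip is not under the 10 ms limit."""
    return [f"{a} <-> {b}: {rtt:.1f} ms is not under {MAX_LATENCY_MS:g} ms"
            for (a, b), rtt in rtt_ms.items() if rtt >= MAX_LATENCY_MS]


def check_plan(plan: dict) -> list[str]:
    """Run all checks over a plan: {'processors': [ip, ...], 'group': ip, 'rtt_ms': {(a, b): ms}}."""
    findings = []
    for addr in plan["processors"]:
        findings += check_static_ip(addr)
    if len(set(plan["processors"])) != len(plan["processors"]):
        findings.append("duplicate static address in plan")
    findings += check_multicast_group(plan["group"])
    findings += check_latency(plan.get("rtt_ms", {}))
    return findings


# Constructed example plan (not from the guide): two processors on a managed VLAN plus one
# link-local entry, the kind pasted in from a processor that never received a DHCP lease.
EXAMPLE_PLAN = {
    "processors": ["10.20.38.11", "10.20.38.12", "169.254.7.9"],
    "group": "239.0.38.1",
    "rtt_ms": {("10.20.38.11", "10.20.38.12"): 1.8},
}

if __name__ == "__main__":
    for finding in check_plan(EXAMPLE_PLAN):
        print(finding)
```

Run as-is it reports only the link-local entry; swapping the group for 224.0.0.251 shows why the mDNS address must not be reused as the event group (it is both inside the reserved block and outside the documented range).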
Other Protocols Supported
IGMP – Athena supports IGMP versions 1, 2, and 3 for multicast communication between the Athena processors. Any possible flooding of multicast traffic can be constrained to a set of interested ports by using IGMP snooping.

mDNS – Multicast DNS is used by the Athena design software or Athena touchscreen and the Lutron mobile app to discover the processor and gateway devices. The processors and gateways will respond to any mDNS discovery requests sent by any compatible device. These responses are used to discover the IP address, version and other information required to allow the design software and mobile app to operate with the lighting system. For proper system operation, mDNS must be routed through the entire subnet, both wired and wireless networks.

SSH/SCP – Secure Shell is used by both the Athena design software and the Lutron mobile app. The Athena design software utilizes this protocol for database transfer and diagnostic log download from the processors and gateways. The mobile app utilizes this protocol for diagnostic log download only. Connections using this protocol can only be made by an authorized/paired device using the mobile app, or a computer with the design software and the current system configuration database.

TLS – Transport Layer Security is used specifically for external integration with the Athena system. This is used by the Lutron mobile app to allow control of lights. In addition, this is used by AV integration systems to make a connection to the processor/gateway device to allow control. Access to this is either certificate-based with approved vendors, or with custom username/passphrase logins. Custom logins may be configured by the FSE during system commissioning. Lutron’s Athena system supports TLS 1.2.

Telnet – A Lutron QSE-CI-NWK-E can be added to the system for Telnet AV integration. This device provides an RS232 or Telnet connection for system integration. For Telnet integration, the QSE-CI-NWK-E is not required to be connected to the same network/VLAN as the Athena processors. For limitations, see the QSE-CI-NWK-E specification submittal (P/N 369373) at www.lutron.com.

System Internet Connectivity

The Lutron Athena system is enhanced when coupled with Internet connectivity. This connectivity provides the following enhancements:
- Lutron App connectivity to the system for control and monitoring
- Automatic firmware updates of the Athena processors
- Remote factory service options provided by Lutron

A permanent network connection provided by the customer is recommended for Athena systems to provide the processor with Internet connectivity. If there is no Internet connection provided to the Athena system, the following is true:
- Local physical controls of the system will continue to operate as expected, and existing timeclock events will continue as scheduled
- The Athena processor will not receive firmware updates
- There will be no control or reprogramming of the system via the Lutron App

Commissioning Internet Connection

During the startup of an Athena system, an LTE modem may be provided by Lutron to facilitate ease of commissioning by Lutron Field Service Engineers (FSE). This device may be installed by the electrical contractor as part of the system. The modem will not be used to connect any non-Lutron components to the Internet. This LTE modem will be removed or deactivated by the Lutron FSE within 30 days of the end of jobsite startup. If the customer network is already up and running when a Lutron FSE is scheduled for startup, the temporary LTE modem will not be used.
Internet/Cloud Services and Mobile App Connectivity
- DNS Resolution
  – The processor will use the IT-specified DNS server to resolve IP addresses to access Internet-connected services. The DNS server’s IP address can be set either manually by the Lutron FSE or via DHCP.
- Internet connectivity test
  – The processor will ping public DNS servers to verify Internet connectivity: 8.8.4.4, 8.8.8.8, 208.67.220.220, 208.67.222.222, 209.244.0.3, 209.244.0.4
  – The processor will also attempt to make an HTTP connection to www.google.com
- Time Sync
  – The processor will reach out to the below list of Internet time servers. NTP is used to allow accurate execution of automatic timeclock and other scheduled events. In the event that a time server is not available, the clock on the processor is set during system programming and is retained during power outages. When Internet connectivity is available, the processors will reach out to time.iot.lutron.io, which may resolve to one or more of the following NTP servers: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org, 0.north-america.pool.ntp.org
- Automatic Firmware Updates
  – The processor will attempt automatic firmware upgrades by establishing an HTTPS connection to firmwareupdates.lutron.com, which may resolve to one or more s3.amazonaws.com addresses.
  – This feature is enabled by default.
- Cloud App Connectivity
  – The optional Lutron mobile app is available on iOS and Android mobile device platforms. This app is typically used by facility managers to allow control of lighting loads, including Ketra color selection and window shade position. The app will also allow creation and editing of timeclock events, as well as scene editing. In the mobile app, Floors and Rooms are presented to users in a tree format, allowing access to control all of the lighting and shade zones in each area. Use of the mobile app also requires that a myLutron cloud-based account be created, which is then paired to the lighting processors. If more than one user is to utilize the mobile app, the single myLutron cloud account which was created will need to be logged into the app on each device. Note: If the password on the shared cloud account is changed, devices which were already logged in with an old password will retain access to the system.
  – Initial setup of the app requires the mobile device to be on the same subnet as the Athena processors so that discovery and secure authentication can be performed. Following initial setup of the mobile app, the mobile device will no longer be required to be on the same network as the Athena processors as long as the processors have an Internet connection.
  – If the mobile app is on the same subnet as the processors, direct communication is used. If the subnet is different, mobile app to processor communication routes through Lutron’s cloud services.
  – device-login.lutron.com and *.iot.*.amazonaws.com are used for cloud connectivity.
  – All cloud connectivity functions utilize outbound connections only. Both the processor hardware and the mobile app originate connections to the cloud servers to exchange messages. No inbound connections are made from the cloud server to the processor.
Firewall/Routing Requirements
Required for System Startup and Programming

These ports are used for system startup and database transfer to processors and gateways. After the system has been started up, these ports may be closed if desired. If changes to the system need to be made, these ports will need to be re-opened to allow upload of programming changes to the system.
Source | Destination | Port | Protocol | Description |
Athena Commissioning Device (1) | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for processor discovery and initial configuration |
All Athena Edge Wired Processors and Clear Connect – Type X Wireless Gateways | 224.0.0.251 | 5353 | UDP IPv4 Multicast | This is the mDNS discovery response sent from the processor/gateway back to the Athena configuration software |
Athena Commissioning Device (1) | All Athena Edge Processors and Type X Gateways | 8083, 8081 | TCP IPv4/IPv6 | These ports are used to configure processors |
Athena Commissioning Device (1) | All Athena Edge Processors and Type X Gateways | 22 | TCP IPv4 | Used for database transfer, support file generation and diagnostics |
Athena Commissioning Device (1) | Sqltofb.lutron.com, firmwareupdates.lutron.com | 443 | TCP IPv4/IPv6 | Allows Lutron software to obtain the latest processor firmware |
Athena Commissioning Device (1) | All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | 51023 | TCP IPv4/IPv6 | Unicast communication between design software and processors |
Athena Commissioning Device (1) | Athena Touchscreens | 8080 | TCP IPv4 | Touchscreen diagnostics |
Required for System Runtime

These ports are required for system runtime and must remain open for system functionality.
Source | Destination | Port | Protocol | Description |
All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | Multicast address of the Athena system (239.0.38.1 – 239.0.38.m) (2) | 2056-3055 | UDP IPv4 Multicast | Used to share events and status of lights between Athena processors and gateways |
All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | All Athena Edge Processors and Clear Connect – Type X Wireless Gateways | 443 | TCP IPv4/IPv6 | Used to share events and status of lights between Athena processors and gateways |
Athena Touchscreen | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for Athena Edge processor discovery by the Athena touchscreen |
Athena Touchscreen | All Athena Edge Processors | 8083, 8081 | TCP IPv4 | These ports are used to communicate between the Athena Edge processors and Athena touchscreens |
(1) The Athena Commissioning Device is the IP address of the computer used to commission the Athena system. This is typically a laptop operated by the Lutron FSE during system startup.
(2) Multicast addresses used by the system will be configured by the FSE during system startup.
Optional Features and Functions

These are optional feature ports used for integration and are outbound from the Lutron processor only.
Source | Destination | Port | Protocol | Description |
AV Integration System IP | IP address of the QSE-CI-NWK-E | 23 | TCP IPv4 | For integration systems which utilize Telnet, an NWK is the only means for Telnet integration to Athena |
AV Integration System IP | IP address of the Athena Edge Processor | 8081 | TCP IPv4/IPv6 | For third-party external integration with a processor via TLS |
Mobile App, Internet and Cloud Connectivity Features

These ports are used for various cloud, app, and Internet connectivity functions. All are optional, but not permitting them may result in limited or no use of the Lutron mobile app for system monitoring or adjustment.
Source | Destination | Port | Protocol | Description |
Mobile Device on Local Processor Network | 224.0.0.251 | 5353 | UDP IPv4 Multicast | mDNS is utilized for processor discovery during setup and system pairing |
Mobile Device on Local Processor Network | All Athena Edge Processors and Type X Gateways | | TCP IPv4/IPv6 | Lutron mobile app authentication and configuration and local connection on same network |
Mobile Device on Local Processor Network | All Athena Edge Processors and Type X Gateways | 22 | TCP IPv4 | SSH is used for support file generation and diagnostics |
All Athena Edge Processors and Type X Gateways | *.iot.*.amazonaws.com | 8883 | TCP IPv4/IPv6 | Lutron cloud connectivity for mobile app runtime on a network other than the processor network. The destination address can be dynamic based on region; for example, it could look like a32jcyk7azp7b5-ats.iot.us-east-1.amazonaws.com |
All Athena Edge Processors and Type X Gateways | firmwareupdates.lutron.com | 443 | TCP IPv4/IPv6 | Used for automatic firmware upgrades; may resolve to one or more s3.amazonaws.com addresses |
All Athena Edge Processors and Type X Gateways | device-login.lutron.com | 443 | TCP IPv4/IPv6 | Device registration and secure processor remote access |
All Athena Edge Processors and Type X Gateways | 8.8.4.4, 8.8.8.8, 208.67.220.220, 208.67.222.222, 209.244.0.3, 209.244.0.4 | n/a | ICMP | Processor Internet connectivity check |
All Athena Edge Processors and Type X Gateways | google.com | 80 | TCP IPv4/IPv6 | Processor Internet connectivity check |
All Athena Edge Processors and Type X Gateways | Customer-specified DNS server | 53 | UDP IPv4/IPv6 | DNS resolution is required for cloud connectivity and NTP time sync |
All Athena Edge Processors and Type X Gateways | 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org, 0.north-america.pool.ntp.org, time.iot.lutron.io | 123 | UDP IPv4 | NTP is used for automatic time sync, which allows time-based events to trigger accurately |
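Taken together, the startup, runtime and cloud tables, the earlier statement that the startup ports may be closed once commissioning is done, and the statement that cloud connectivity is outbound only describe an allowlist that a network team can check observed traffic against. The following Python script is an added example (not Lutron's code and not part of this guide) that encodes a condensed version of the tables and classifies flows from a constructed log; the lab subnet, host addresses, the `commissioning_open` switch and the log line format are assumptions made for the example.

```python
from __future__ import annotations
import fnmatch
import ipaddress
from typing import NamedTuple, Optional

# Constructed lab addressing (not from the guide); the destination sets mirror the guide's tables.
PROCESSOR_NET = ipaddress.ip_network("10.10.38.0/24")
PROCESSORS = {"10.10.38.11", "10.10.38.12"}  # Athena Edge processors and Type X gateways
TOUCHSCREENS = {"10.10.38.50"}
COMMISSIONING_DEVICE = "10.10.38.200"        # FSE laptop, the "Athena Commissioning Device"
DNS_SERVER = "10.10.1.53"                    # customer-specified DNS server
EVENT_GROUPS = ipaddress.ip_network("239.0.38.0/24")  # system multicast, 239.0.38.1 - 239.0.38.m
MDNS_GROUP = "224.0.0.251"
CONNECTIVITY_IPS = {"8.8.4.4", "8.8.8.8", "208.67.220.220", "208.67.222.222", "209.244.0.3", "209.244.0.4"}
NTP_HOSTS = {f"{i}.pool.ntp.org" for i in range(4)} | {"0.north-america.pool.ntp.org", "time.iot.lutron.io"}

# Rule: (phase, source role, destination spec, protocol, allowed destination ports)
Rule = NamedTuple("Rule", [("phase", str), ("src", str), ("dst", str), ("proto", str), ("ports", set)])
RULES = [  # condensed from the startup, runtime and cloud tables; phase decides when a match is normal
    Rule("commissioning", "commissioning", MDNS_GROUP, "UDP", {5353}),
    Rule("commissioning", "processor", MDNS_GROUP, "UDP", {5353}),            # discovery response
    Rule("commissioning", "commissioning", "processor", "TCP", {8081, 8083, 22, 51023}),
    Rule("commissioning", "commissioning", "touchscreen", "TCP", {8080}),
    Rule("runtime", "processor", "event_group", "UDP", set(range(2056, 3056))),
    Rule("runtime", "processor", "processor", "TCP", {443}),
    Rule("runtime", "touchscreen", MDNS_GROUP, "UDP", {5353}),
    Rule("runtime", "touchscreen", "processor", "TCP", {8081, 8083}),
    Rule("cloud", "processor", "*.iot.*.amazonaws.com", "TCP", {8883}),
    Rule("cloud", "processor", "firmwareupdates.lutron.com", "TCP", {443}),
    Rule("cloud", "processor", "device-login.lutron.com", "TCP", {443}),
    Rule("cloud", "processor", "connectivity_ip", "ICMP", set()),
    Rule("cloud", "processor", "*google.com", "TCP", {80}),                    # HTTP reachability check
    Rule("cloud", "processor", "dns", "UDP", {53}),
    Rule("cloud", "processor", "ntp", "UDP", {123}),
]
Flow = NamedTuple("Flow", [("proto", str), ("src", str), ("dst", str), ("dport", int), ("hostname", Optional[str])])

def parse_flow(line: str) -> Flow:
    """Parse 'PROTO src[:sport] dst[:dport] [resolved-hostname]' (the constructed log format)."""
    parts = line.split()
    hostname = parts[3] if len(parts) > 3 else None
    if parts[0] == "ICMP":
        return Flow("ICMP", parts[1], parts[2], 0, hostname)
    dst_ip, dport = parts[2].rsplit(":", 1)
    return Flow(parts[0], parts[1].rsplit(":", 1)[0], dst_ip, int(dport), hostname)

def role_of(ip: str) -> str:
    roles = {COMMISSIONING_DEVICE: "commissioning", **dict.fromkeys(PROCESSORS, "processor"),
             **dict.fromkeys(TOUCHSCREENS, "touchscreen")}
    return roles.get(ip) or ("local" if ipaddress.ip_address(ip) in PROCESSOR_NET else "external")

def dst_matches(spec: str, dst_ip: str, hostname: Optional[str]) -> bool:
    named = {  # destination specs that are roles or address sets rather than hostname globs
        "processor": role_of(dst_ip) == "processor",
        "touchscreen": role_of(dst_ip) == "touchscreen",
        "event_group": ipaddress.ip_address(dst_ip) in EVENT_GROUPS,
        "connectivity_ip": dst_ip in CONNECTIVITY_IPS,
        "dns": dst_ip == DNS_SERVER,
        "ntp": hostname in NTP_HOSTS,
        MDNS_GROUP: dst_ip == MDNS_GROUP,
    }
    if spec in named:
        return named[spec]
    return hostname is not None and fnmatch.fnmatchcase(hostname, spec)

def classify(flow: Flow, commissioning_open: bool = False) -> str:
    """Return 'allow: <phase>' or 'flag: <reason>' for one observed flow."""
    src_role = role_of(flow.src)
    for r in RULES:
        if (r.src == src_role and r.proto == flow.proto
                and dst_matches(r.dst, flow.dst, flow.hostname)
                and (flow.proto == "ICMP" or flow.dport in r.ports)):
            if r.phase == "commissioning" and not commissioning_open:
                return "flag: commissioning port used outside a commissioning window"
            return f"allow: {r.phase}"
    if src_role == "external" and role_of(flow.dst) in ("processor", "touchscreen"):
        return "flag: inbound connection to a processor; cloud connectivity is outbound only"
    return "flag: no matching rule"

def audit(log_text: str, commissioning_open: bool = False) -> list[tuple[str, str]]:
    return [(line, classify(parse_flow(line), commissioning_open))
            for line in log_text.splitlines() if line.strip()]

# Constructed flow log: six expected flows, then three that deserve a look.
SAMPLE_FLOWS = """\
UDP 10.10.38.11:40001 239.0.38.1:2100
TCP 10.10.38.11:51000 10.10.38.12:443
UDP 10.10.38.50:5353 224.0.0.251:5353
TCP 10.10.38.11:51001 52.94.1.10:8883 a32jcyk7azp7b5-ats.iot.us-east-1.amazonaws.com
UDP 10.10.38.12:123 162.159.200.1:123 0.pool.ntp.org
ICMP 10.10.38.11 8.8.8.8
TCP 10.10.38.200:50000 10.10.38.11:22
TCP 203.0.113.7:41000 10.10.38.11:22
TCP 10.10.38.77:40500 10.10.38.11:23
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:72} {line}")
```

With the default `commissioning_open=False`, the FSE laptop's SSH session is flagged even though port 22 is a documented startup port, which is the behaviour wanted once startup is over and the table says those ports may be closed; pass `commissioning_open=True` during a scheduled programming window. The other two flags cover the two cases the guide's text rules out: a connection arriving from outside the processor network, and a local host reaching a processor on a port none of the tables list.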
Configuration Examples
The following diagrams depict some of the various configurations of an Athena system.

System Deployment Utilizing Built-in Unmanaged Ethernet Switches

This diagram shows Ethernet interconnections between Lutron panels using built-in unmanaged Ethernet switches, which may be included in QP5 hubs. The interconnected panels are then connected to the building’s IT network, allowing the Athena Edge processors, Clear Connect gateways – Type X and Athena touchscreens to communicate with the Internet and the Lutron mobile app. Each wired processor may contain two RJ-45 Ethernet jacks, which should not be used for daisy-chaining (the second port is used for FSE diagnostics). Each processor shall have a single connection to an Ethernet switch.
System Deployment Utilizing Customer-Provided PoE Ethernet Switches
Customer Assistance

If you have questions concerning the installation or operation of this product, call Lutron Customer Assistance. Please provide the exact model number when calling. The model number can be found on the product packaging. Example: SZ-CI-PRG.

U.S.A., Canada, and the Caribbean: 1 844 LUTRON1
Other countries call: +1 610 282 3800
Fax: +1 610 282 1243
Visit us on the web at www.lutron.com

Lutron, Clear Connect, Pico, Radio Powr Savr and Athena are trademarks or registered trademarks of Lutron Electronics Co., Inc. in the US and/or other countries. Ketra is a trademark or registered trademark of Lutron Ketra, LLC, in the US and/or other countries. All other product names, logos, and brands are property of their respective owners.

Lutron Electronics Co., Inc.
7200 Suter Road
Coopersburg, PA 18036 USA
© 2020-2021 Lutron Electronics Co., Inc.
P/N 040453 Rev C 06/2021