I don’t know about you, but every time I hear “cybersecurity” I start to nod off. However, sometimes a headline grabs my attention and reminds me of its importance, such as a recent one from my area: “Cyberattackers Release Rhode Island Data [to the dark web!], affecting 650,000 people.”

Keep cybersecurity top of mind

Cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal use and the practice of ensuring information confidentiality, integrity and availability. Think of cybersecurity as guarding against virtual theft.

It seems everything relies on computers and the internet now—from communication, shopping and entertainment, to more practical systems such as navigation, healthcare and, of course, fire alarm systems. 

Cybersecurity is defined in NFPA 72-2025, Section 3.3.72 as, “The protection of systems from theft or damage of data, or damage to hardware or software, as well as from unauthorized command or control or access to any information of any services the systems provide.” 

This definition parallels the Department of Homeland Security’s and is used in the code for consistency. 

In the code

Cybersecurity was first addressed in Chapter 11 of the 2022 edition, which contained no requirements users had to follow, but directed them to relevant material in Annex J.

The 2025 edition has now moved much of the material to the chapter as requirements or added guidance information in Annex A.

Cybersecurity measures are only required for network-connectible equipment using shared pathways. Requirements include all data connections to external networks, specifically any data connection made from the system to an external network. When this type of connection is encountered, it must be protected by a gateway or firewall that ensures only trusted traffic can pass.

“Cybersecurity is not required for every system or application; it is only required when other sections of the Code, authorities, or regulations mandate that cybersecurity be incorporated into the systems. Generally, there are greater cybersecurity concerns when systems are connected to external networks,” according to Annex A for Section 11.1.1.

As with any safety issue, you must always practice situational awareness. Make sure you are aware of the owner’s intentions regarding system integration and whether the fire alarm, two-way communication enhancement or mass notification system (MNS) will be connected to an external network.

A hacker could disable a fire alarm system for malicious purposes. For example, someone could hinder communication in a voice fire alarm, two-way radio enhancement system or MNS by either disabling communication or sending misleading messages to building occupants. Additionally, information transmission to first responders could be compromised. A hacker could disrupt or manipulate the HVAC controls to intensify a fire in the building or potentially increase the smoke transmission to nonfire areas.

Obviously, a breach to these life safety systems compromises the systems’ integrity and poses severe risks to occupants. Be sure to ask questions of the fire alarm and MNS designers as to whether they have included cybersecurity as an integral component of the systems’ designs. This includes providing safeguards such as software encryption, ensuring regular software updates are made and including other security measures to mitigate potential cyberattacks, such as installing the systems control units in a protected, secure space.

There is a new strategy evolving in risk management called cyber threat modeling. You may not believe you need to know anything about risk management, but it is a growing necessity and could lead to additional business. 

You will already need to coordinate with the owner’s IT team to ensure you are aware of your system’s cybersecurity issues. 

You should discuss with the building owner how you and your team can support their risk management strategies above and beyond the fire alarm, MNS or two-way communication systems’ cybersecurity measures.

For more information, review the white paper, “Grand Challenges in Digitalization, Artificial Intelligence, & Cybersecurity,” by the Society of Fire Protection Engineers at SFPE.org, as well as Intertek’s “Guide to Cyber Threat Modeling” at Intertek.com.

There is no question that cybersecurity will be a growing concern in the future. Stay aware of the effect it poses on the fire alarm and MNS systems you design, work on and install.

Siasart Stock / stock.adobe.com