Advertisement

Advertisement

Cybersecurity and Fire Alarms: New requirements in the 2025 edition of NFPA 72

By Thomas P. Hammerberg | Jan 15, 2025
Cybersecurity and Fire Alarms: New requirements in the 2025 edition of NFPA 72

It’s a crazy world we live in with all the data hacking, scam messages and service disruptions. You would think that having a fire alarm and emergency communications system in a building would not be a threat, but anything that connects to the outside world can become of point of entry to access other information in the facility.

Advertisement

Advertisement

Advertisement

Advertisement

It’s a crazy world we live in with all the data hacking, scam messages and service disruptions. You would think that having a fire alarm and emergency communications system in a building would not be a threat, but anything that connects to the outside world can become of point of entry to access other information in the facility.

I remember when Class N was added to NFPA 72 in 2016. I was on the Protected Premises chapter technical committee at the time, and I initially saw this as a way for IT to become more involved with fire alarms. The world revolves around computers, and it would be naive to think fire alarm systems would stay separate from the building management networks as time moves forward. I don’t claim to be an expert in cybersecurity by any means, and this article is meant to serve as an introduction to the new Chapter 11, “Cybersecurity,” in the 2025 edition of NFPA 72.

NFPA began considering this addition about 10 years ago, and Chapter 11 was new in the 2022 edition. This was more or less a placeholder and a way to add information in Annex A on the subject. In the 2025 edition, much of the Annex A information for Chapter 11 was modified to make this language enforceable and moved to Chapter 11. This will all be applicable when the 2025 edition is adopted in a jurisdiction. It not only applies to manufacturers and how they design and build their equipment, it will apply to installation and testing companies and facility management operations.

The definition of cybersecurity in 3.3.72 is “The protection of systems from theft or damage of data, or damage to hardware or software, as well as from unauthorized command or control or access to any information of any services the systems provide.”

Key requirements

Here is some key information from Chapter 11. No minimum cybersecurity level is required for systems with no network connectable equipment and no uploadable software configuration. All interfaces used to communicate with network-connectable equipment shall be protected using one of three security levels. 

A.11.3 provides good information to better explain each security level: “An example of a Security Level 1 (SL1) system consists of a fire alarm system with notification appliances and initiating devices that are connected using a proprietary protocol two-wire interface and that is not connected to the internet. An example of a Security Level 2 (SL2) system consists of a signaling system with devices connected to a control unit using internet protocol communications on a dedicated network that do not connect to the internet. An example of a Security Level 3 (SL3) system consists of internet gateway module for off-premises transmission of signals from a fire alarm system with notification appliances and initiating devices that are connected using a proprietary protocol two-wire interface. In this case the gateway is SL3, and the remainder of the system is SL1.”

Interconnecting conductors, cables or other physical pathways for use in Security Level 2 or higher applications in locations accessible to the public shall be protected by metal raceways or metal armored cables.

Requirements for shared pathways

We have had requirements for shared pathways in NFPA 72 for a few years now. This is the next step. Shared pathways have four levels described in 12.5: 

  • Level 0 pathways are not required to separate or prioritize life safety data from non-life-safety data. 
  • Level 1 pathways are not required to segregate life safety data from non-life-safety data, but shall prioritize all life safety data over non-life-safety data. 
  • Level 2 pathways must segregate all life safety data from non-life-safety data. 
  • Level 3 pathways must use equipment that is dedicated to the life safety system. When any data connection is made from the system to an external network, the connection has to be protected by a gateway or firewall that ensures that only trusted traffic is allowed to pass.

Although it seems that most of the requirements fall on the manufacturers, there are still risks of intrusion when signals are transmitted off-site or if a technician uses a laptop to update the system software. Everyone involved with the fire alarm or mass notification system needs to be trained to help ensure proper procedures are followed.

This is just a sample of the new information in the 2025 NFPA 72, but it is important to be aware of what is coming. My interest on this subject was piqued when I recently attended a webinar on cybersecurity hosted by the Automatic Fire Alarm Association (AFAA) and presented by Michael Pallett, an expert in this field. I’m sure AFAA and NFPA will be hosting many other similar webinars in the future since a lot of this is new to many of us. I recommend you find the time to attend one.

stock.adobe.com / LOMOSONIC / darsi

About The Author

HAMMERBERG, SET, CFPS, is an independent fire alarm presenter and consultant currently residing in The Villages, Fla. Tom represented the Automatic Fire Alarm Association on multiple NFPA technical committees as well as actively participating in the ICC code making process for many years. He is NICET Level IV certified in fire alarm systems and a Certified Fire Protection Specialist. He can be reached at [email protected]

 

Advertisement

Advertisement

Advertisement

Advertisement

featured Video

;

Advantages of Advertising with ELECTRICAL CONTRACTOR in 2025

Learn about the benefits of advertising with Electrical Contractor Media Group in 2025. 

Advertisement

Related Articles

Advertisement