Advertisement

Advertisement

Preparing for Digital Threats: Fire alarm systems and cybersecurity

By Wayne D. Moore | Aug 14, 2024
Preparing for Digital Threats
We are on the road to systems integration. Although this provides many benefits for collaborative building, there are potholes along the way. A major one is cybersecurity.

Advertisement

Advertisement

Advertisement

We are on the road to systems integration. Although this provides many benefits for collaborative building, there are potholes along the way. A major one is cybersecurity.

Hearing news about cyberattacks, with the knowledge that fire alarm equipment is computer-based, we have the responsibility to protect customers from such a threat.

The SFPE Foundation’s Grand Challenges Initiative characterizes this time as a “transformative shift in how we operate” in its white paper, “Digitization, Artificial Intelligence, and Cybersecurity.” 

The National Fire Protection Association Journal is reporting on artificial intelligence (A.I.) operating on camera systems. It can detect minute visual changes from up to 110 miles away at night, and could be used to suggest a forest fire has started.

“Cloud connectivity and remote access are driving significant changes in the development of life-safety systems,” said Rodger Reiswig, vice president of industry relations for Johnson Controls, Milwaukee. “With the adoption of National Fire Protection Association (NFPA) Code 72 updates implemented in 2022, manufacturers are now able to integrate enhanced technologies that enable installers, technicians and facilities teams to remotely log in to their systems and conduct testing, programming and maintenance.”

NFPA 72 requirements

NFPA 72 contains requirements for fire alarm and emergency communications systems that can be affected by cyberthreats. Coordinating cybersecurity frameworks to protect these functions is necessary. The code states that when the system needs to interface with the internet or other systems, it makes sense to provide a secure firewall or gateway. 

The recommendations for cybersecurity are included in Chapter 11 and Annex J of the 2022 edition of NFPA 72. The technical committee decided that, in lieu of establishing specific cybersecurity requirements, it would be best to provide guidance. Annex J was created to provide this framework for cybersecurity in fire alarm and signaling systems.

In his article “Cybersecurity: Beyond the Manufacturers” in the Q2 edition of the SFPE’s Fire Protection Engineering magazine, Michael Pallet states that “There are three fundamental pillars of NFPA 72 Chapter 11:

  • Cybersecurity is enforceable only where it is required by other governing laws, codes, standards, or other parts of NFPA 72.
  • Chapter 11 is for the most part manufacturer-centric.
  • Chapter 11 arguably is not overly prescriptive because it relies heavily on other cybersecurity standards that are fundamentally risk-based in nature.”

Risk analysis

In fire alarm and mass notification systems requirements, there is a move toward risk analysis to determine a system’s needs. In reviewing a facility’s risk, you also need to discuss the owner’s cybersecurity needs. The more options that use Bluetooth, the intranet or internet for access to the fire alarm system operation or its information, the more important cybersecurity becomes.

NFPA 72 suggests that where cybersecurity provisions are required by other codes or specifications, those involved should provide security measures as outlined in Annex J.

Annex J states that “systems should be designed, installed, and maintained in accordance with one or more of the following cybersecurity standards:

  1. ANSI/ISA IEC-62443-4-2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for ACS Components
  2. NISTIR 8259, Foundational Cybersecurity Activities for loT Device Manufacturers
  3. NIST Framework for Improving Critical Infrastructure Cybersecurity
  4. UL 2900-2-3, Software Cybersecurity for Network-Connectable Products Part 2-3: Particular Requirements for Security and Life Signaling Systems
  5. Other standard(s) or published documents acceptable to the authority having jurisdiction.”

Annex J also suggests that evidence of cybersecurity compliance should include one or more of the following: “(1) Certification of compliance by a nationally recognized test laboratory, (2) Manufacturer certification for the specific type and brand of system provided, [or] (3) An assessment or certification program acceptable to the authority having jurisdiction.”

“To achieve and maintain compliance, manufacturers face significant challenges,” Pallet said. “One challenge is how fast cybersecurity threats can emerge. A good example is artificial intelligence. A year ago, most of us weren’t using large language model-based generative A.I. in our daily routines. Now threat actors and cybersecurity companies are investing heavily in A.I.”

Not every system you install requires a cybersecurity review, but you should be aware of the issues presented with the new equipment and potential code requirements as they appear on the market.

The code will never be able to keep up with the changes in the threat environment, so you have the responsibility of ensuring the systems you install meet the most current cybersecurity standards.

stock.adobe.com / Siam / CarryLove

About The Author

MOORE, a licensed fire protection engineer, was a principal member and chair of NFPA 72, Chapter 24, NFPA 909 and NFPA 914. He is president of the Fire Protection Alliance in Jamestown, R.I. Reach him at [email protected]

Advertisement

Advertisement

Advertisement

Advertisement

featured Video

;

New from Lutron: Lumaris tape light

Want an easier way to do tunable white tape light?

Advertisement

Related Articles

Advertisement