Cybersecurity for Fire Alarm Systems
Active
fire protection typically requires some sort of input, such as a person
triggering a fire alarm. Where it is automatic, such as with sprinklers or
alarms which detect smoke and fire, these systems are usually localised,
operating only within a certain vicinity. To turn them off, you usually have to
access a valve or control panel and make the change manually.
From cell
phones to refrigerators, we live in an interconnected world. The Internet of
Things (IoT) is the network of physical objects — such
as cars, thermostats and watches — that have the ability to exchange data
and interoperate with existing network infrastructure. They transmit data to
manufacturers, owners or other devices, and can be sensed and controlled
remotely. It provides us with real-time control and information from
IoT-enabled products and systems.
Networked
fire Alarm systems have a number of advantages over these traditional ones. If
an alarm goes off, for instance, a networked system can tell you exactly where
it is and when it was activated, giving you more information that you can use
to take action. It can also allow you to link different parts of a building or
site without running cables between them, and can allow you to operate it
remotely, either to turn it off or for testing.
Today’s IoT smart buildings include two types of connected
technologies: information technology (IT) and operational technology (OT).
Fire alarm control units, intrusion detection systems, mass notification systems and access control systems reside on the OT side usually managed by facilities operations. Both systems have vulnerabilities that commonly include equipment tampering as well as inside and outside threats. Firewalls and other cyber protection processes and devices can help mitigate the potential for a widespread attack and protect the individual components of the IT or OT systems.
Cyber vulnerabilities can have a dramatic consequence if these products and systems are not properly protected. Building sensors can provide early detection of unwanted events such as intrusion or fire. Cameras are used for monitoring and remote surveillance that may communicate with alarm control units that can in turn provide information to end users and monitoring stations. Historically these products were hardwired, but technology has enabled us to communicate either wirelessly or wired through an IT infrastructure that is also linked to the internet. Electronic life safety and physical security infrastructures include emergency communications systems, fire alarm systems, alarm receiving systems, automated teller machine systems, access control systems, surveillance cameras, DVRs, NVRs and the like.
There are
a variety of codes, standards and best practice guidelines that can help guide
creation of a cybersecurity program. Fire alarm control units may include
two types of software: executive software and site-specific software. These
applications are covered by UL 864, the Standard for Safety of Control
Units and Accessories for Fire Alarm Systems, and NFPA 72. Under part
of UL 864, third-party certifiers execute and test the equipment’s software for
integrity of normal operation. UL 5500, the & Standard for Safety for
Remote Software Updates, covers best practices for software patches and
updates. UL 5500 offers guidance on technical attributes necessary for the
remote connection to smart devices and safe functionalities and securely
executing remote software downloads. Most smart systems rely on the ability to
update software remotely or onsite. UL 5500 applies to these applications in
conjunction with the product’s end standard. To evaluate through
tests, the cybersecurity of critically connected life safety and
electronic physical security systems, Underwriters Laboratories
has published UL 2900-2-3, the Standard for Software Cybersecurity for
Network-Connectable Products, Part 2-3: Particular Requirements for Security
and Life Safety Signaling Systems. This newest addition to the UL 2900 series
of cybersecurity Standards was developed as a bi-national (U.S. and
Canada) consensus Standard and with industry input. It provides a
foundational set of cybersecurity performance and evaluation requirements that
manufacturers of network connectable products can use to establish a baseline
of cyber protection against known vulnerabilities, weaknesses and malware. UL
2900-2-3 was developed specifically for security and
life safety equipment and systems. It is a testable standard (not
limited to audit-based investigations) applicable to IoT connected equipment
such as fire alarm control units, mass notification systems, access control
equipment and smoke alarms. For UL 2900-2-3, a three-tiered security approach
was developed with an increasing level of security requirements for each tier.
The
National Fire Protection Association (NPFA) Code 72 (National Fire Alarm and
Signaling Code) describes reacceptance testing of equipment and systems when
site-specific or executive software changes have been made and the equipment is
commissioned and already in use. Site specific software update requires a 100%
test of all functions known to be affected by the change. Currently, 10% of
initiating devices that are not directly affected by the change (up to 50
devices) must be tested to verify correct system operation and a record of
completion must be kept. These commonsense requirements help ensure full
integrity of software changes. However, it would be challenging for any end
user or code authority to directly verify that the software changes did not
affect the integrity or operation of the system or equipment without additional
testing or investigation. Third-party validation, reconfirmation and field
testing is crucial. The work on the 2022 edition of NFPA 72, National Fire
Alarm and Signaling Code is at the halfway point. The work on the first draft
has been completed. In NFPA 72 2022 edition cybersecurity has been added.
This is in addition to requirements to be added to 72 addressing cybersecurity
that will be included in a new Chapter 11 and references the associated Annex J
to address cybersecurity guidance. The Technical Committee on Fundamentals has
been tasked with the development of the new chapter on cybersecurity. This
chapter is still in development and will not be finalized until the second
draft meeting to be held later this year. There is a task group made up of
members from a number of the technical committees that are working on the
requirements for cybersecurity.
At the
time of the first draft this was still located in Chapter 10. At the close of
the first draft, the following text was added:
This is not the final version.
I
recommend the use of the EST4, which is an industrial or commercial life safety
system with a firewall solution from EDWARDS. The EST4 Life Safety System is a
state-of-the-art system with a firewall built to add several layers of
protection to your systems. The EST4 comes with a 4-FWAL firewall, which blocks
all traffic not needed for EST4 operation. It also features impenetrable 256
bit AES encryption securing the traffic through the EST4, including emails and
communication with fire operation centres.
At SSA Integrate are ready for migration from EST3 to EST4 without
changes of field component, with minimising financial impact.
Conclusion
In today’s connected world, the variety of available devices offers numerous points of entry for cyberattacks. Now is the time for software developers and manufacturers to understand a system's vulnerabilities and to harden their product against cyberattacks. Verifying that alarm systems meet appropriate standards can help ensure the performance and reliability of a product’s software to decrease downtime and mitigate cyber risks. A safety system with a firewall is the most viable solution for this problem. A firewall is a comprehensive cybersecurity solution able to protect a fire alarm system and its IT infrastructure from unauthorized access.
If your
Fire Alarm connect with IoT devices / Internet, then only your FACP is get
entry for cyberattacks. If your FACP use as standalone basis or not connected
with Internet any more than your FACP is completely safe for cyberattacks. In
India most of FACP not connect with Internet so it’s safe from cyberattacks. Lots
of customer having Control remotely Like: Two EST3 panel are in Kolkata, One
EST3x in Bangalore & one EST3 in Delhi, Customer control via FireWorks all
panel from Kolkata, in this case you must consider cyber security part for your
estimate organization. Responsible System Integrator or OEM can’t offer you
cyber vulnerable product.