Thursday, July 15, 2021

Cybersecurity for Fire Alarm Systems

Active fire protection typically requires some sort of input, such as a person triggering a fire alarm. Where it is automatic, such as with sprinklers or alarms which detect smoke and fire, these systems are usually localised, operating only within a certain vicinity. To turn them off, you usually have to access a valve or control panel and make the change manually.

From cell phones to refrigerators, we live in an interconnected world. The Internet of Things (IoT) is the network of physical objects — such as cars, thermostats and watches — that have the ability to exchange data and interoperate with existing network infrastructure. They transmit data to manufacturers, owners or other devices, and can be sensed and controlled remotely. It provides us with real-time control and information from IoT-enabled products and systems.

Networked fire alarm systems have a number of advantages over these traditional ones. If an alarm goes off, for instance, a networked system can tell you exactly where it is and when it was activated, giving you more information that you can use to take action. It can also allow you to link different parts of a building or site without running cables between them, and to operate the system remotely, either to turn it off or for testing. Today’s IoT smart buildings include two types of connected technologies: information technology (IT) and operational technology (OT).

Fire alarm control units, intrusion detection systems, mass notification systems and access control systems reside on the OT side, which is usually managed by facilities operations. Both IT and OT systems have vulnerabilities that commonly include equipment tampering as well as inside and outside threats. Firewalls and other cyber protection processes and devices can help mitigate the potential for a widespread attack and protect the individual components of the IT or OT systems.

Cyber vulnerabilities can have dramatic consequences if these products and systems are not properly protected. Building sensors can provide early detection of unwanted events such as intrusion or fire. Cameras used for monitoring and remote surveillance may communicate with alarm control units, which can in turn provide information to end users and monitoring stations. Historically these products were hardwired, but technology now lets them communicate, wirelessly or wired, through an IT infrastructure that is also linked to the internet. Electronic life safety and physical security infrastructures include emergency communications systems, fire alarm systems, alarm receiving systems, automated teller machine systems, access control systems, surveillance cameras, DVRs, NVRs and the like.

There are a variety of codes, standards and best practice guidelines that can help guide the creation of a cybersecurity program. Fire alarm control units may include two types of software: executive software and site-specific software. These applications are covered by UL 864, the Standard for Safety of Control Units and Accessories for Fire Alarm Systems, and NFPA 72. Under part of UL 864, third-party certifiers execute and test the equipment’s software for integrity of normal operation.

UL 5500, the Standard for Safety for Remote Software Updates, covers best practices for software patches and updates. It offers guidance on the technical attributes necessary for remote connection to smart devices, safe functionality and the secure execution of remote software downloads. Most smart systems rely on the ability to update software remotely or onsite. UL 5500 applies to these applications in conjunction with the product’s end standard.

To evaluate, through tests, the cybersecurity of critically connected life safety and electronic physical security systems, Underwriters Laboratories has published UL 2900-2-3, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems. This newest addition to the UL 2900 series of cybersecurity Standards was developed as a bi-national (U.S. and Canada) consensus Standard with industry input. It provides a foundational set of cybersecurity performance and evaluation requirements that manufacturers of network-connectable products can use to establish a baseline of cyber protection against known vulnerabilities, weaknesses and malware. UL 2900-2-3 was developed specifically for security and life safety equipment and systems. It is a testable standard (not limited to audit-based investigations) applicable to IoT-connected equipment such as fire alarm control units, mass notification systems, access control equipment and smoke alarms. For UL 2900-2-3, a three-tiered security approach was developed, with an increasing level of security requirements for each tier.

The National Fire Protection Association (NFPA) Code 72 (National Fire Alarm and Signaling Code) describes reacceptance testing of equipment and systems when site-specific or executive software changes have been made and the equipment is commissioned and already in use. A site-specific software update requires a 100% test of all functions known to be affected by the change. Currently, 10% of initiating devices that are not directly affected by the change (up to 50 devices) must also be tested to verify correct system operation, and a record of completion must be kept. These commonsense requirements help ensure full integrity of software changes. However, it would be challenging for any end user or code authority to directly verify that the software changes did not affect the integrity or operation of the system or equipment without additional testing or investigation. Third-party validation, reconfirmation and field testing are crucial.

Work on the 2022 edition of NFPA 72, National Fire Alarm and Signaling Code, is at the halfway point: the first draft has been completed. Cybersecurity has been added in the 2022 edition. This is in addition to requirements addressing cybersecurity that will be added to NFPA 72 in a new Chapter 11, which references the associated Annex J for cybersecurity guidance. The Technical Committee on Fundamentals has been tasked with the development of the new chapter on cybersecurity. This chapter is still in development and will not be finalized until the second draft meeting, to be held later this year. A task group made up of members from a number of the technical committees is working on the requirements for cybersecurity.

At the time of the first draft this was still located in Chapter 10. At the close of the first draft, the following text was added:

Systems shall be designed and installed in accordance with one or more of the following cybersecurity standards:
(1) ANSI/ISA-62443 Series
(2) NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1
(3) UL 2900 Series
(4) or other standards accepted by the authority having jurisdiction.

This is not the final version.

I recommend the use of the EST4, which is an industrial or commercial life safety system with a firewall solution from EDWARDS. The EST4 Life Safety System is a state-of-the-art system with a firewall built to add several layers of protection to your systems. The EST4 comes with a 4-FWAL firewall, which blocks all traffic not needed for EST4 operation. It also features impenetrable 256-bit AES encryption securing the traffic through the EST4, including emails and communication with fire operation centres. At SSA Integrate, we are ready for migration from EST3 to EST4 without changes to field components, minimising financial impact.

 

Conclusion 

In today’s connected world, the variety of available devices offers numerous points of entry for cyberattacks. Now is the time for software developers and manufacturers to understand a system's vulnerabilities and to harden their product against cyberattacks. Verifying that alarm systems meet appropriate standards can help ensure the performance and reliability of a product’s software to decrease downtime and mitigate cyber risks. A safety system with a firewall is the most viable solution for this problem. A firewall is a comprehensive cybersecurity solution able to protect a fire alarm system and its IT infrastructure from unauthorized access.

Your FACP becomes an entry point for cyberattacks only if your fire alarm system connects to IoT devices or the Internet. If your FACP is used on a standalone basis or is not connected to the Internet, it is completely safe from cyberattacks. In India most FACPs are not connected to the Internet, so they are safe from cyberattacks. Many customers, however, control their panels remotely. For example, with two EST3 panels in Kolkata, one EST3x in Bangalore and one EST3 in Delhi, the customer controls all panels via FireWorks from Kolkata. In this case you must consider cybersecurity for your esteemed organization. A responsible system integrator or OEM can’t offer you a cyber-vulnerable product.


2 comments:

  1. Nice information! We are leading fire alarm system manufacturers and sellers. If anyone needs, just visit our website.


  2. Thank you for sharing the valuable content

    Foamtech Antifire Company is a leading Fire Fighting Foam Manufacturers Company. ISO 9001:2015, 14001:2015 & ISO 45001:2018 certified, the company deals in a wide range of products, meeting national and international standards. Also avail Dry Chemical Powder at the best price, backed by high-class engineering technology and superior quality of work based on our customers' needs.
