Cybersecurity for Fire Alarm Systems

 Cybersecurity for Fire Alarm Systems

Active fire protection typically requires some sort of input, such as a person triggering a fire alarm. Where it is automatic, such as with sprinklers or alarms which detect smoke and fire, these systems are usually localised, operating only within a certain vicinity. To turn them off, you usually have to access a valve or control panel and make the change manually.

From cell phones to refrigerators, we live in an interconnected world. The Internet of Things (IoT) is the network of physical objects — such as cars, thermostats and watches — that have the ability to exchange data and interoperate with existing network infrastructure. They transmit data to manufacturers, owners or other devices, and can be sensed and controlled remotely. It provides us with real-time control and information from IoT-enabled products and systems.

Networked fire Alarm systems have a number of advantages over these traditional ones. If an alarm goes off, for instance, a networked system can tell you exactly where it is and when it was activated, giving you more information that you can use to take action. It can also allow you to link different parts of a building or site without running cables between them, and can allow you to operate it remotely, either to turn it off or for testing.  Today’s IoT smart buildings include two types of connected technologies: information technology (IT) and operational technology (OT).

Fire alarm control units, intrusion detection systems, mass notification systems and access control systems reside on the OT side usually managed by facilities operations. Both systems have vulnerabilities that commonly include equipment tampering as well as inside and outside threats. Firewalls and other cyber protection processes and devices can help mitigate the potential for a widespread attack and protect the individual components of the IT or OT systems. 

Cyber vulnerabilities can have a dramatic consequence if these products and systems are not properly protected. Building sensors can provide early detection of unwanted events such as intrusion or fire. Cameras are used for monitoring and remote surveillance that may communicate with alarm control units that can in turn provide information to end users and monitoring stations. Historically these products were hardwired, but technology has enabled us to communicate either wirelessly or wired through an IT infrastructure that is also linked to the internet. Electronic life safety and physical security infrastructures include emergency communications systems, fire alarm systems, alarm receiving systems, automated teller machine systems, access control systems, surveillance cameras, DVRs, NVRs and the like.

There are a variety of codes, standards and best practice guidelines that can help guide creation of a cybersecurity program. Fire alarm control units may include two types of software: executive software and site-specific software. These applications are covered by UL 864, the Standard for Safety of Control Units and Accessories for Fire Alarm Systems, and NFPA 72. Under part of UL 864, third-party certifiers execute and test the equipment’s software for integrity of normal operation. UL 5500, the & Standard for Safety for Remote Software Updates, covers best practices for software patches and updates. UL 5500 offers guidance on technical attributes necessary for the remote connection to smart devices and safe functionalities and securely executing remote software downloads. Most smart systems rely on the ability to update software remotely or onsite. UL 5500 applies to these applications in conjunction with the product’s end standard. To evaluate through tests, the cybersecurity of critically connected life safety and electronic physical security systems, Underwriters Laboratories has published UL 2900-2-3, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems. This newest addition to the UL 2900 series of cybersecurity Standards was developed as a bi-national (U.S. and Canada) consensus Standard and with industry input. It provides a foundational set of cybersecurity performance and evaluation requirements that manufacturers of network connectable products can use to establish a baseline of cyber protection against known vulnerabilities, weaknesses and malware. UL 2900-2-3 was developed specifically for security and life safety equipment and systems. It is a testable standard (not limited to audit-based investigations) applicable to IoT connected equipment such as fire alarm control units, mass notification systems, access control equipment and smoke alarms. For UL 2900-2-3, a three-tiered security approach was developed with an increasing level of security requirements for each tier.

The National Fire Protection Association (NPFA) Code 72 (National Fire Alarm and Signaling Code) describes reacceptance testing of equipment and systems when site-specific or executive software changes have been made and the equipment is commissioned and already in use. Site specific software update requires a 100% test of all functions known to be affected by the change. Currently, 10% of initiating devices that are not directly affected by the change (up to 50 devices) must be tested to verify correct system operation and a record of completion must be kept. These commonsense requirements help ensure full integrity of software changes. However, it would be challenging for any end user or code authority to directly verify that the software changes did not affect the integrity or operation of the system or equipment without additional testing or investigation. Third-party validation, reconfirmation and field testing is crucial. The work on the 2022 edition of NFPA 72, National Fire Alarm and Signaling Code is at the halfway point. The work on the first draft has been completed. In NFPA 72 2022 edition cybersecurity has been added. This is in addition to requirements to be added to 72 addressing cybersecurity that will be included in a new Chapter 11 and references the associated Annex J to address cybersecurity guidance. The Technical Committee on Fundamentals has been tasked with the development of the new chapter on cybersecurity. This chapter is still in development and will not be finalized until the second draft meeting to be held later this year. There is a task group made up of members from a number of the technical committees that are working on the requirements for cybersecurity.

At the time of the first draft this was still located in Chapter 10. At the close of the first draft, the following text was added:

Systems shall be designed and installed in accordance with one or more of the following cybersecurity standards:

(1) ANSI/ISA-62443 Series

(2) NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.1

(3) UL 2900 Series

(4) or other standards accepted by the authority having jurisdiction.

This is not the final version.

I recommend the use of the EST4, which is an industrial or commercial life safety system with a firewall solution from EDWARDS. The EST4 Life Safety System is a state-of-the-art system with a firewall built to add several layers of protection to your systems. The EST4 comes with a 4-FWAL firewall, which blocks all traffic not needed for EST4 operation. It also features impenetrable 256 bit AES encryption securing the traffic through the EST4, including emails and communication with fire operation centres.  At SSA Integrate are ready for migration from EST3 to EST4 without changes of field component, with minimising financial impact.

 

Conclusion 

In today’s connected world, the variety of available devices offers numerous points of entry for cyberattacks. Now is the time for software developers and manufacturers to understand a system's vulnerabilities and to harden their product against cyberattacks. Verifying that alarm systems meet appropriate standards can help ensure the performance and reliability of a product’s software to decrease downtime and mitigate cyber risks. A safety system with a firewall is the most viable solution for this problem. A firewall is a comprehensive cybersecurity solution able to protect a fire alarm system and its IT infrastructure from unauthorized access.

If your Fire Alarm connect with IoT devices / Internet, then only your FACP is get entry for cyberattacks. If your FACP use as standalone basis or not connected with Internet any more than your FACP is completely safe for cyberattacks. In India most of FACP not connect with Internet so it’s safe from cyberattacks. Lots of customer having Control remotely Like: Two EST3 panel are in Kolkata, One EST3x in Bangalore & one EST3 in Delhi, Customer control via FireWorks all panel from Kolkata, in this case you must consider cyber security part for your estimate organization. Responsible System Integrator or OEM can’t offer you cyber vulnerable product.

Future smart plugs to be Fire Risk

Future smart plugs to be ‘fire risk’ 

Whether it’s an internet-connected thermostat, lighting that responds to voice commands or a refrigerator that can control the rest of the kitchen appliances, chances are that most of your customers have at least one smart product in their homes.

Many of these devices use intelligence algorithms to do their jobs—for instance, a robot vacuum is programmed to avoid chair legs, or a smart doorbell camera automatically begins filming when someone steps onto the porch.

Utilities can play a role in helping customers design smart homes that fit their needs, simply by letting customers know how many smart-home technologies are available and how easy they can be to use.

For instance, if a customer has a smart phone or smart speaker like Alexa or Google, they can operate the following smart home technologies:
• Wireless thermostats
• Smart lighting programs that turn lights on and off or dim them on command
• Smart security systems, including indoor and outdoor cameras
• Security lights that turn on and off at dusk and dawn
• Automatic door locks and garage door openers
• Smoke alarms and carbon dioxide detectors that are connected to a single hub
• Smart outlets that can automatically turn appliances on and off
• Smart water monitors that can detect leaks and automatically shut off the water supply.

Utilities should work with trade allies that can install all or some of these smart home devices in customers’ homes and interconnect them so they can be operated by a single smart-phone app.

picture copyright Hictkon

A sensible plug on the market on Amazon poses a hearth threat and other people ought to instantly cease utilizing it, an investigation by client watchdog Which? suggests.

Amazon stated it had eliminated the Hictkon sensible plug with twin USB ports from sale, pending investigation.

Its dwell connection was too near an energy-monitoring chip, Which? discovered.
And this might trigger {an electrical} discharge between two electrodes, posing a hearth threat significantly in properties with older wiring.

AN INVESTIGATION by consumer watchdog Which? found that a smart plug available for purchase on Amazon ‘poses a fire risk and people should immediately stop using it’.

BBC News reported on the investigation of the Hictkon smart plug with dual USB ports, with Which? establishing that the plug’s live connection ‘was too close to an energy-monitoring chip’, which could ‘cause an electrical discharge between two electrodes’, posing a fire risk ‘particularly in homes with older wiring’. As a result, customers who have bought the plugs ‘should immediately stop using’ them, Which? warned.

Additionally, the product’s CE mark ‘normally associated with having passed rigorous European safety standards’ was ‘misleading’, as some Chinese companies use a similar CE mark to designate that the product is a “China export”, while others ‘simply fake the safety mark’ as there is no ‘central database to check whether it has been verified and it can be self-declared by companies’.

In response, Amazon said it had removed the plug from sale ‘pending investigation’, and that customers concerned about purchases should contact customer service. It added: ‘We monitor the products sold in our stores for product-safety concerns. When appropriate, we remove a product from the store, reach out to sellers, manufacturers and government agencies for additional information or take other actions.’

Clever Compliance chief executive Max Stralin said that many companies ‘get away with it until they don’t, adding that ‘the same issue arose with the burning hoverboards back in 2015’. Which? Computing editor Kate Bevan commented: ‘Too often we’ve seen dangerous products being sold on online marketplaces from unknown brands - in many cases originating from China’s electronics capital, Shenzhen - that appear to have little accountability and are virtually impossible to contact.

‘This raises big concerns around safety checks and monitoring carried out by online marketplaces like Amazon. Currently, consumers face a lottery regarding the safety of the products they buy from online marketplaces and whether they meet required safety standards in the UK. That’s why it’s vitally important that the government gives online marketplaces more legal responsibility for preventing unsafe products from being sold on their sites.’

She called in turn for both government legislation and an ‘enforcement body with teeth’ to help ‘crack down on rogue devices’.

REF:
https://www.businessinsider.com/ces-top-smart-home-trends-2019-1
https://www.homeadvisor.com/r/smart-home-trends-from-ces/
https://www.independent.co.uk/life-style/smart-plugs-amazon-fire-risk-consumer-watchdog-which-b739044.html