December 4, 2020
Authored by: Lou Chavez
From cell phones to refrigerators, we live in an interconnected world. The Internet of Things (IoT) is the network of physical objects (such as cars, thermostats and watches) that have the ability to exchange data and interoperate with existing network infrastructure. These objects transmit data to manufacturers, owners or other devices, and can be sensed and controlled remotely. The IoT provides us with real-time control and information from IoT-enabled products and systems. According to research firm Gartner, 21 billion things are connected to the IoT in 2020.
The convenience of IoT is accompanied by cyber risks and weaknesses that must be adequately addressed. Cyber threats can range from small-scale personal attacks to large sophisticated attacks affecting society and critical infrastructures.
Today’s IoT smart buildings include two types of connected technologies: information technology (IT) and operational technology (OT). The backbone for all systems, IT protects sensitive corporate data, connects critical IT infrastructures and is normally managed by IT experts. OT includes the connection of smart devices and other critical building functions that rely on the IT, and provides information through connected devices. Typically, fire alarm control units, intrusion detection systems, mass notification systems and access control systems reside on the OT side, which is usually managed by facilities operations. Both systems have vulnerabilities that commonly include equipment tampering as well as inside and outside threats. Firewalls and other cyber protection processes and devices can help mitigate the potential for a widespread attack and protect the individual components of the IT or OT systems.
The cyber protection of connected building components and systems is an important part of a resilience strategy. A building resiliency plan should include initial and ongoing technical assessments of components and systems to mitigate known risks. Most smart buildings and smart systems rely on a building’s IT infrastructure for communication. Today’s resilient buildings include sensors and systems that continually share information about the overall status of the environment and other monitored aspects. Fire alarm systems may communicate with HVAC systems, or security systems may interconnect with fire alarm equipment. Doors and windows can also be a part of the overall smart system. With everything so connected, the individual parts of a smart system must incorporate compatible communication protocols and an ongoing cybersecurity program to mitigate risks of cyber threats. Smart devices must be designed so that any remote software upgrades or downloads are executed properly and securely, the functionality does not change and IoT connections are secured.
Cybersecurity for life safety systems
In the security and life safety space, the security of connected devices and systems is especially important. Cyber vulnerabilities can have dramatic consequences if these products and systems are not properly protected. Building sensors can provide early detection of unwanted events such as intrusion or fire. Cameras used for monitoring and remote surveillance may communicate with alarm control units, which can in turn provide information to end users and monitoring stations. Historically these products were hardwired, but technology has enabled us to communicate either wirelessly or wired through an IT infrastructure that is also linked to the internet. Electronic life safety and physical security infrastructures include emergency communications systems, fire alarm systems, alarm receiving systems, automated teller machine systems, access control systems, surveillance cameras, DVRs, NVRs and the like.
This interconnectedness can also be a tremendous cybersecurity risk. Each connected device can be an open doorway. Stolen personal information, intellectual property and trade secrets are a major concern, but there is also a real risk to life and limb, especially in the life safety and security space. A hack could impair or disable alarm systems, leading to a malfunction in the event of a real emergency. A distributed denial of service (DDoS) attack could overwhelm a server, service or network and take down the entire alarm system or affect other infrastructure. These attacks could be malicious, directed or simply the result of poor cybersecurity implementation. While most breaches target personal or commercial outlets, any hack that affects a life safety system can be a real hazard. For example, in 2017, hackers accessed the early warning system in Dallas, setting off more than 150 emergency sirens in the middle of the night. While no one was injured, the disruption was significant and the potential for harm was clear. In another example, electronic thermostats connected with smoke alarms have been used to launch a massive DDoS attack.
How to address the challenge
Cyber risk must be addressed through an ongoing security vulnerability assessment (SVA). Not all cases are the same, and some SVAs can take on reasonable risks while others require increased attention to mitigate calculated or known risks. Architects, engineers, code authorities, manufacturers and end users should consider all risks and ensure that reasonable actions are taken.
Incorporating cybersecurity is best accomplished at the product development stage, rather than attempting to add it on with a software patch later in the process. This may help reduce cost and improve overall system performance, compatibility and reliability. Manufacturers should plan and design for it, and end users should be aware that cybersecurity is part of a good secure product development life cycle.
Codes and standards
There are a variety of codes, standards and best practice guidelines that can help guide creation of a cybersecurity program. Codes and standards may require validation of software integrity through functional system testing to determine that the software is functioning as intended without any software glitches that can affect the intended operation of the equipment.
The National Fire Protection Association (NFPA) Code 72 (National Fire Alarm and Signaling Code) describes reacceptance testing of equipment and systems when site-specific or executive software changes have been made and the equipment is commissioned and already in use. A site-specific software update requires a 100% test of all functions known to be affected by the change. Currently, 10% of initiating devices that are not directly affected by the change (up to 50 devices) must be tested to verify correct system operation, and a record of completion must be kept. These commonsense requirements help ensure full integrity of software changes. However, it would be challenging for any end user or code authority to directly verify that the software changes did not affect the integrity or operation of the system or equipment without additional testing or investigation. Third-party validation, reconfirmation and field testing are crucial. NFPA 72 is currently undergoing a public revision process for its 2022 edition. Topics of interest may include adding a new cybersecurity section and retesting of existing equipment upon software updates that may relate to cybersecurity functionalities.
To help evaluate, through tests, the cybersecurity of critically connected life safety and electronic physical security systems, Underwriters Laboratories has published UL 2900-2-3, the Standard for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems. This newest addition to the UL 2900 series of cybersecurity Standards was developed as a bi-national (U.S. and Canada) consensus Standard with industry input. It provides a foundational set of cybersecurity performance and evaluation requirements that manufacturers of network-connectable products can use to establish a baseline of cyber protection against known vulnerabilities, weaknesses and malware. UL 2900-2-3 was developed specifically for security and life safety equipment and systems. It is a testable standard (not limited to audit-based investigations) applicable to IoT-connected equipment such as fire alarm control units, mass notification systems, access control equipment and smoke alarms. For UL 2900-2-3, a three-tiered security approach was developed with an increasing level of security requirements for each tier. Tests include fuzz testing, known vulnerability detection, code and binary analysis, risk control analysis, structured penetration testing and security risk controls assessment. UL 2900-2-3 is one of several UL cybersecurity standards. Others include cybersecurity documents for medical equipment and industrial control systems.
Fire alarm control units may include two types of software: executive software and site-specific software. These applications are covered by UL 864, the Standard for Safety of Control Units and Accessories for Fire Alarm Systems, and NFPA 72. Under part of UL 864, third-party certifiers execute and test the equipment’s software for integrity of normal operation. UL 5500, the Standard for Safety for Remote Software Updates, covers best practices for software patches and updates. UL 5500 offers guidance on the technical attributes necessary for remote connection to smart devices, safe functionality and secure execution of remote software downloads. Most smart systems rely on the ability to update software remotely or onsite. UL 5500 applies to these applications in conjunction with the product’s end standard.
On the international side, the International Electrotechnical Commission (IEC) has written a series of cybersecurity standards. IEC 62443-4-2 applies to industrial automation and control systems. This document applies to many of the IT and OT systems that should be considered for building cyber resiliency of smart buildings and systems.
The National Institute of Standards and Technology (NIST) has published several documents and frameworks that advise on best practices for interconnected industrial equipment and critical infrastructures.
In today’s connected world, the variety of available devices offers numerous points of entry for cyberattacks. Now is the time for software developers and manufacturers to understand a system's vulnerabilities and to harden their product against cyberattacks. Verifying that alarm systems meet appropriate standards can help ensure the performance and reliability of a product’s software to decrease downtime and mitigate cyber risks.
We live in a connected world, and the IoT will continue to accelerate innovation of security and life safety products that support smart cities, commercial building automation systems and smart homes, and that help protect our critical infrastructure. In the digital age, no company is completely safe from hackers with prying eyes. Companies must do all that they can to be properly trained on the risks and design products that are resilient to threats that exist in the cyber world.
To learn more about how you can minimize your cyber risks with standardized testing criteria for finding software vulnerabilities, visit us at UL Cybersecurity Assurance Program (UL CAP) and Cybersecurity Assurance and Compliance.