Cybersecurity for Fire Protection Systems

What does cybersecurity have to do with fire protection? Plenty, finds a new webinar from the NFPA Research Foundation.

In “Cybersecurity for Fire Protection Systems: A Panel Discussion,” panelists report hackers investigate, enumerate and exploit weak fire protection systems continually. Ken Donaldson, principal of Nevada Cyber Solutions, stressed, “Cybersecurity has become a paramount need and topic of discussion. It’s up to us to look at how we can protect our systems from cyber threats.”

Donaldson notes this is a paradigm shift from the past. Traditionally, fire protection and life safety systems were standalone and comprised simple electronics and a control panel. Hard wiring externally connected these systems to other building systems. And companies once integrated and designed systems “without security in mind,” Donaldson says. “Because at that time [late 1970s and early 1980s], there wasn’t any type of cyber threat.”

Now standard fire alarms communicate with other building systems wirelessly, presenting heightened cybersecurity risk. “We need to be asking what kinds of risks and vulnerabilities integration brings to the table?” he says. “Should fire alarm traffic be on the same network as your email or Voice Over IP communications? You need to look at the vulnerability that exists when you connect fire and safety alarms to other things in a smart building.”

All connections must be secure. Consider and comply with existing standards as you integrate technologies, he says. Ask:

• How do you know if everything is secure?
• What security levels meet compliance standards?
• What standards exist for fire protection and life safety systems?

Hackers can wreak havoc on critical infrastructure when cyber vulnerabilities exist. Consider a healthcare facility. If hacker gains entry to a hospital network through fire alarms and life safety systems, they can shut down elevators, HVAC systems, and computer technology to interfere with hospital operations. The same scenario can happen in a manufacturing plant, where hackers can stop production by shutting down manufacturing systems, HVAC systems, and more.

“We are at a precipice where there are hackers who do not care about life and safety,” says Tyler Robinson, founder of Dark Element, a company that provides cybersecurity services for organizations. “They will go against anyone to get that ransom, even hospitals.”

How to Consider Cyber Risk

“Manufactures have a unique perspective,” says Alan Manche, vice president of external affairs for Schneider Electric. “We design, develop, evaluate and put products on the market that have cybersecurity in place. But we also use these systems to protect our own facilities.”

As facilities integrate fire protection and building controls, all systems must be considered in cybersecurity assessments. This helps companies identify weaknesses hackers might exploit.

Manufacturers and end-users also must consider product life cycle and updates to fire protection systems. “We think about design, installation, and maintenance with regard to cybersecurity,” Manche says. “But codes and standards also will play a significant role in securing our infrastructure.”

Mindsets must change across the board. “It’s about changing the culture from manufacturers to integrators to building operators. Cybersecurity must be at the forefront of everything we do,” Manche says.

Know Who Accesses the System

Companies must consider everyone who accesses fire protection systems and make sure they practice good cybersecurity hygiene.

Consider the integrators who maintain fire protection systems. Many of them will plug into a facility’s network to maintain or upgrade the fire protection system. These professionals often bring in laptops to perform the work and it’s an opportunity for hackers to infiltrate the system. Some locations, Manche says, are very secure and have policies in place to protect their systems. “But that’s not the norm,” he says.

Joshua Brackett of Banner Health says he’s seen this play out on the job. A hospital he works with added a new fire protection system. Leadership, he says, put a lot of thought into making the system secure. Everyone had new passwords and specific authorizations for access. “One day I saw a technician access a panel, plug in with his own laptop, and bypass the security in place,” he says. “We also have a hospital with an incredibly old fire alarm system. There is only one computer that works with that system, and the hospital has not updated it in eight years. I am waiting for the day when a bug [in that computer] corrupts the entire system. It definitely doesn’t have the latest security protocol.”

Identify What’s Connected to the Internet

A search engine known as https://www.shodan.io/ shows all embedded devices connected directly to the Internet. A search for fire alarms will show which systems are connected to the Internet at any given time. This knowledge can help keep a system secure.

“We have developed systems that use this site and other Internet-wide scans,” Robinson says. “We have some that scan the Internet regularly, looking for a misconfiguration or someone adding something to the network. We once watched someone plug in the wrong cable to a power grid and the entire power grid appeared on the Internet!”

Knowing when fire safety systems are connected to the Internet can help companies protect them. Robinson explains, ransomware groups start scans by looking for vulnerabilities in technology, such as fire protection systems, connected to the Internet. “If it’s exposed to the Internet, they can bang away to access it,” he says. “These are entry points for attackers.

If you are connecting things to the Internet, that can provide direct access for a hacker to get in and compromise the rest of the organization.”

There also needs to be a good system of checks and balances, he adds. Someone needs to look at credentials of maintenance technicians and others to make sure they are authorized to access specific areas. Escort these individuals to secure areas and even to the HVAC system. “The HVAC systems are sometimes the oldest and easiest ways to gain access,” Robinson explains.

Consider the Standards

Quite a few codes and standards exist for connected fire protection and life safety systems. NVPA 72 or 70, IEC 62443, UL 2900 or ISO 27001, and NERC, the power grid cybersecurity standard, are just some of them. The Department of Defense and other agencies also have standards for facility control systems or embedded control systems.

“I’m a huge advocate for using industry standards and codes in the cyber security space,” says Manche. “Codes say we need to be cyber secure and drive activities that require secure components, systems and policies.”

Robinson says codes drive the motivation to improve cybersecurity. “Without regulation and without codes, there can be no real advantage for companies to push and do better,” says Robinson. “Codes enforce a lot of what we have to do. We have seen this with PCI regulations. But we need to understand this is just a baseline. We need to do better. We need to drive a cybersecurity mindset and cultural shift so that people want their systems to be secure.”

Training and Education Matters

Facility operators, integrators and manufacturers must work together to build a cyber secure fire protection system. Then, organizations must backup these safety protocols with sound policies and procedures.

“I don’t know that there is a CFO out there who says, ‘Let’s spend a million dollars on a fire safety system,’” says Brackett. “We need to educate them on why we need to adopt new codes. How do we progress the industry, change codes, and make it so that it’s not a burden for facilities to get the things they need?”

Enforcement that’s driven through code can quicken the pace toward better cybersecurity. But it must begin with education, Brackett adds. “We have a long way to go. A large chunk of our industry doesn’t understand [connected] fire alarm systems and how they work,” he says. “We need to evolve and educate people on complex systems in a way that everyone understands.”

Robinson advises using cyber awareness training developed for IT (information technology) for OT (operational technology). “A lot of the fundamentals are already available and well thought out,” he says. “We don’t have to tell people cybersecurity is important. It’s in the news everywhere. This is something people realize they must spend money on. We also need to get IT and OT to work together. Establishing those partnerships early on gives them someone to lean on.”

Trade organizations for installers, integrators, designers and engineers already recognize the need to enhance cybersecurity. “These organizations are ready to step up and provide education,” Manche adds.

Cybersecurity awareness already exists. Users know not to give out their passwords or to use common passwords. They know what phishing is and are aware of common threats. All this information must transfer to the OT side of the house to protect integrated systems, like fire alarms, from hackers bent on doing harm.

Click here to access the entire NFPA webinar and learn more about how to enhance cybersecurity in your facility’s fire protection and life safety systems.