In Compliance | NFPA 72
Fire alarms, mass notification, and cybersecurity
BY WAYNE D. MOORE
In recent years, the NFPA 72 Technical Committee has focused increasingly on cybersecurity. There have been plenty of reasons for this attention, among them the major data breach experienced by Target stores in 2013. Cyber criminals were able to exploit a previously unknown flaw in the retailer’s point-of-sale encryption and gained access to Target’s network to siphon off consumer credit card data. The activity went undetected for almost a month. More than 41 million of the company’s customer payment card accounts were affected.
The connection between cybersecurity and NFPA 72®, National Fire Alarm and Signaling Code®, exists because all new fire alarm and mass notification systems (MNS) rely on computer technology. As a result, these systems may present similar vulnerabilities to a cyberattack. That’s why the NFPA 72 Technical Committee has initiated a proposal for a new Chapter 11, Cybersecurity, for the 2022 edition of the code. The chapter states that “where cybersecurity is required by a risk analysis by federal, state, or local regulation, or by the authority having jurisdiction, systems shall be in accordance with this chapter.”
Although many other fields have utilized the risk analysis concept, it remains relatively new to those involved in the design, installation, and approval of an MNS. In the 2019 edition of the code, the risk analysis section in Chapter 24 expanded specifically to include the planning of an MNS design and installation. The code defines risk analysis as a process to “characterize the likelihood, vulnerability, and magnitude of incidents associated with natural, technological, and manmade disasters and other emergencies that address scenarios of concern, their probability, and their potential consequences.”
Additionally, the code helps with this process by providing a risk analysis checklist in the form of Annex A.7.3.6. Although the code does not mandate the use of the checklist, stakeholders can use it to initiate the thought process for identifying hazards in a facility. One item on the checklist, for example, covers “human-caused intentional events.” This category breaks down further to “terrorism (explosive, chemical, biological, radiological, nuclear, cyber).”
It may be last on that list, but cybersecurity has grown exponentially in importance over the past few years. Today, cybersecurity issues happen so fast that the Department of Homeland Security publishes the Certified Information Systems Auditor Weekly Vulnerability Summary Bulletin, which is created using information from the NIST National Vulnerability Database. The Internal Revenue Service recently launched its “Identity Theft Central” webpage to provide 24/7 access to online information regarding tax-related identity theft and data security protection. Tax-related identity theft occurs when someone steals personal information to commit tax fraud.
These problems continue to grow in their scope and complexity, and cybersecurity will likely be an active part of the code for many editions to come. The proposed new chapter for NFPA 72 includes sections on standards, compliance, documentation, and operations and maintenance. At the moment, it is a short chapter. But its intent is to make anyone associated with fire alarms, emergency communications, and mass notification systems aware of the threat of a cyberattack, and to ensure that hackers or any other bad actors cannot use these systems as entry points to building network systems.
Wayne D. Moore is vice president at Jensen Hughes. NFPA members and AHJs can use the Technical Questions tab to post queries on NFPA 72 at nfpa.org/72.