Published on October 19, 2021.

In Compliance | NFPA 72

Cyber Safe

A past NFPA Journal column asked whether fire protection systems are the ‘soft underbelly’ of cybersecurity. Now, the 2022 edition of NFPA 72 is expected to feature enhanced cybersecurity requirements.


In May, we saw how vulnerable companies can be to cyber threats when hackers gained access to the computer networks of Colonial Pipeline Co. and demanded it pay a multimillion-dollar ransom. The attack prompted the company to shut down its 5,500-mile pipeline, halting the delivery of refined petroleum products along much of the East Coast of the United States.

RELATED COLUMN: Are built-in, interconnected fire protection systems the soft underbelly of the cyber safety infrastructure?

According to Bloomberg, Colonial paid the hackers, identified as an affiliate of a Russian-linked cybercrime group known as DarkSide, a $4.4 million ransom using cryptocurrency, much of which has since been recovered by federal agents. Bloomberg reported that the hackers were able to launch the successful cyber assault on Colonial using a single compromised password.

As cyberattacks on Colonial and other companies demonstrate, the more technology advances the more integrated it becomes. It is common for multiple systems within a building or organization to be integrated over the internet or an intranet. A building’s fire alarm and signaling systems can be integrated with many other systems and therefore exposed to the same type of cyber threats as other computers or networks.

That’s why the 2022 edition of NFPA 72®, National Fire Alarm and Signaling Code®, will provide guidance on cybersecurity. Chapter 11 will require that cybersecurity be provided for equipment, software, firmware, tools, installation methods, physical security of and access to equipment, data pathways, testing, and maintenance when other sections of NFPA 72, or other governing laws, codes, or standards, require it. While NFPA 72 will not include any mandatory requirements related to cybersecurity, a new Annex J will provide guidance on how cybersecurity can be increased for fire alarm and signaling systems. It is important to note that, as with all NFPA codes and standards, the annexes provide additional information and do not constitute specific requirements.

The 2022 edition of NFPA 72 will be issued this fall.

All fire alarm and signaling systems are not created equal. Because of that, there is no one-size-fits-all approach to providing cybersecurity measures for these systems. In the new Annex J, for example, there is no specific guidance on exactly what needs to be done to provide acceptable cybersecurity for a system. Instead, the annex provides guidance and a framework for what should be considered.

The annex outlines some existing cybersecurity standards that should be used when designing, installing, or maintaining fire alarm and signaling systems. Additionally, it calls for evidence of cybersecurity compliance for the system provided, evidence that can come from a nationally recognized test laboratory, a manufacturer, or a certification program. Evidence of compliance should be checked annually.

The annex also recommends that all system-related documentation associated with cybersecurity be included with the documentation that is required for the system in Chapter 7 of NFPA 72. The annex also outlines cases in which functional testing of a system is not required for changes made to that system’s software for cybersecurity as long as specific criteria are met. Finally, the annex adds that software changes to a system or system component that are related to cybersecurity are permitted to be completed via remote access.

This cybersecurity information within the annex is provided to give manufacturers, users, installers and maintainers, enforcing authorities, and insurance groups the ability to review the requirements. It is unknown if the annex will be brought into the body of future editions of NFPA 72 as requirements, or if it could become its own standalone NFPA standard. What we know for now is that the threat of cyberattacks is not going away anytime soon. We must protect all of our systems, including our fire alarm and life safety systems.

SHAWN MAHONEY, PE, is a technical services engineer at NFPA. NFPA members and AHJs can use the Technical Questions tab to post queries on NFPA 72 at Top photograph: Getty Images