Making Sense of NFPA 72’s New Cybersecurity Chapter

At the August 2021 NFPA Standards Council meeting, the 2022 edition of NFPA 72 was approved for publication. Copies may now be obtained through the association. There are several changes I will be reviewing in the next couple of columns. This month I shall cover one of the more controversial additions to the standard: cybersecurity.

This is a hot topic within a number of technical committees, not only for NFPA 72, but others as well.  Depending on some possible decisions by the Standards Council, there may be a project and technical committee that is dedicated to cybersecurity that other technical committees could then reference. At the time of this writing, I am aware of no decision being made.

There also may be a new technical committee formed within the 72 project that is dedicated to this subject that will be responsible for the new Chapter 11 that is in the 2022 edition, Cybersecurity. For the 2022 edition, two primary technical committees took on the bulk of this topic.

They were Fundamentals of Fire Alarm and Signaling Systems (SIG-FUN) and Single- and Multiple-Station Alarms and Household Signaling Systems (SIG-HOU). The two committees went in different directions.

SIG-FUN took a more conservative approach for the first reference of cybersecurity and placed all the requirements within the Annex to a new Chapter 11, Cybersecurity. There is a single paragraph within this chapter:

11.1*  Cybersecurity.

Where required by governing laws, codes, or standards, or other parts of this Code, cybersecurity shall be provided for equipment, software, firmware, tools, installation methods, physical security of and access to equipment, data pathways, testing, and maintenance.

There is however an indication that there is annex material to paragraph.

A.11.1 

Cybersecurity is not required for every system or application; it is only required when other sections of this Code, authorities, or regulations mandate that cybersecurity be incorporated into the system(s). Generally, there are greater cybersecurity concerns when systems are connected to external networks.

Cybersecurity recommendations are contained in Annex J.

The annex is clear that not every system may require cybersecurity measures to be taken. The requirements may come into play where an AHJ may require such measures, or when the system is connected to an outside network. It is the latter that is of the greatest concern. Once a system is connected to a network, it is open to attack.

Most if not all fire alarm systems that are being installed today do have some sort of connection to the outside world. While this is typically through either the public switched telephone network or cellular transmitters, it may also be through the Internet. This is the most troubling source of a possible attack.

Within this paragraph, there is reference to a new Annex J, Guidelines for Cybersecurity. This was originally to be within the main body of the standard, with the “should” being “shall.” The committee, after discussions and task group work between the First Draft Meetings and Second Draft Meetings, made the decision to place the requirements into an annex for at least one cycle of the standard.

The reason for this is found within Section J.1:

The Technical Committee has determined that, in lieu of establishing requirements in Chapter 11 on cybersecurity at this time, it is appropriate to provide such guidance and framework in this annex. This allows the industry and the public the ability to gain experience with cybersecurity measures and provide constructive feedback for future editions of this Code.

While in most jurisdictions the 2022 edition will not be adopted for a while, I would recommend that all who install fire alarm systems take a look at Annex J, that can be found at no cost on the NFPA website and then go to the Codes and Standards tab.

While the fundamentals committee went the route just described, the household committee made a determination to place cybersecurity requirements within the main body of the standard. The requirements are found within the new Section 29.10.10 Cybersecurity:

 29.10.10 Cybersecurity.

29.10.10.1 * 

All control units shall be designed for cybersecurity as determined by the manufacturer.

29.10.10.2 

All devices that are connected wirelessly to a control unit and rely on the control unit for occupant notification activation shall not diminish the cybersecurity of the control unit.

29.10.10.3 

All system or software updates required or initiated by the manufacturer shall not diminish the cybersecurity of the control unit.

29.10.10.4 * 

All alarms that use IP or cellular communication shall be designed for cybersecurity as determined by the manufacturer.

Within this section, the requirements for cybersecurity are placed with the manufacturer. There is no general timeline as to when these requirements may be determined by the manufacturer as the provisions for this are rather open.

The work on the 2025 edition of NFPA 72 has already started. Public inputs are due by June 1. Now is the time to send in any proposals to the standard, not only on the topic of cybersecurity,  but other areas within 72 that you may feel need to be amended.

Comments are closed.