Cybersecurity for Fire Protection Systems
By: Victoria Hutchison, Fire Protection Research Foundation
Globally, cybercriminals are having great success. During the coronavirus pandemic alone, cybercrime rose by approximately 600% across diverse industries. In 2020 alone, Trend Micro reported identifying and blocking 62.6 billion cyber threats, which equates to approximately 119,000 threats introduced every minute. According to a 2021 Cyberwarfare report by Cybersecurity Ventures, the financial implications are keeping pace as well. The average cost of a data breach is around $3.86 million, which has steadily increased by approximately 15% each year [1, 2]. If current trends continue, it is estimated that cybercrime could collectively cost businesses $10.5 trillion annually.
Many of the world’s most critical industries have been targets of devastating cyber-attacks in recent years. For example, many shipping and global trade conglomerates, such as Maersk, MSC, and others, have suffered ransomware attacks that shut down global operations and communication, leaving billions in damages. Meanwhile, healthcare facilities have become one of the top cyber targets, with a 45% rise in attacks since 2020. Restricted access to patient files, lab results and other crippling interruptions are just a few of the impacts the healthcare industry is facing. But the attacks do not stop there. Cybercriminals are now targeting public safety organizations, such as fire and police departments, by holding data for ransom and even intercepting public safety calls to prevent response. Two recent incidents in the US – the attack on the Colonial Pipeline and the attempted attack on Florida’s water system – show that public health, safety and the delivery of essential services are increasingly becoming targets of cybercriminals. Thus, public safety is now at risk as well.
These incidents emphasize that cybersecurity can no longer just be a checkbox. It must be at the forefront during all stages of design and use by the manufacturer, facility, and workforce. While the objective of every hacker is different, any weak point in a building’s IT infrastructure, building systems, IoT devices or other systems can be exploited and used as a pathway for attack.
While fire and life safety systems used to be standalone systems, today Building Control Systems (BCS) and others are commonly connected to them. This can include systems like clean agent or special hazard systems, smoke control, bi-directional amplification, access control, building automation, security systems, and other internet-connected devices. Fire protection systems are being exposed to more cyber risks as they continue to be networked to systems and devices that are exposed to the public-facing internet, whether by design or oversight. A quick search for two popular internet protocols on the most popular ports uncovered over 43,000 BCS exposed to the open internet, leaving the BCS and connected fire systems vulnerable to cyber-attacks. These vulnerabilities expose holes or weaknesses in applications, hardware components, or networks that allow attackers to cause harm or command a system or component to act in an unauthorized manner. These attacks have the potential to compromise safety.
Attack Surfaces for Fire, Life Safety, and other connected systems
To help navigate the emerging landscape of cyber threats impacting facilities’ fire protection equipment, the Fire Protection Research Foundation, the research affiliate of the NFPA, began a research program on cybersecurity for fire protection systems in the summer of 2020 to better understand the vulnerabilities, severity of consequences, and the awareness issues within the fire protection community.
The preliminary results identified a number of threat surfaces – facets of a system which are vulnerable to an attacker – on fire protection and related systems. While integration has distinct benefits, it is not without issues. The threat surface increases as fire and life safety systems are interconnected with outside networks. System components which are exposed to both IT (Information Technology) and OT (Operational Technology) networks, such as servers, are typically the most vulnerable.
For fire alarm systems, the points where the system touches IP pathways, has any external access ports, connects to other networks, or shares data with other systems are known as the network perimeter. These connection points are common targets of cybercriminals due to their high vulnerability. If these connection points are not properly secured with appropriate and updated hardware, firmware, software and physical access controls, the opportunity for a bad actor to access the system and cause harm is increased.
The attack methods described below are a few of the strategies cyber criminals use to exploit software, hardware, connectivity, security or human vulnerabilities in fire safety systems. They include, but are not limited to:
- Radio frequency jamming is a type of denial of service (DoS) attack in which an adversary introduces a powerful radio frequency signal to overwhelm the system and block the wireless communication between different components, interfering with data transmission. In the case of fire, this attack could leave the sensor unable to communicate the detection of the fire.
- Remote code execution (RCE) is when an adversary is able to gain access to a computing device remotely, execute malicious code, make changes, and take control with administrative privileges.
- Theft is when an adversary performs a theft operation, digital or physical, to gain access to a building system.
- Man-in-the-middle attack is when an adversary intercepts the exchange between systems, pretends to be the original sender and implements an attack while tricking the recipient into believing they are still receiving a legitimate message from the original sender.
- Physical Infestation is when an adversary physically accesses the building (e.g., by tailgating another person into the building). Once inside, they can execute the attack.
- Social Engineering is when an attacker utilizes human interaction or social skills to obtain confidential information about an organization or its systems. By pretending to be someone else and asking the right questions, the attacker can often obtain enough information to infiltrate the organization’s networks.
Regardless of the method, cyber-attacks directly on fire safety systems or indirectly through connected systems can result in serious consequences. These attacks can cause a loss of communication, preventing the alarm system from communicating the detection of the fire to the occupants or other systems. Conversely, cyber-attacks can also create false alarms, with the purpose of encouraging egress to perhaps draw occupants to another hazard or to create a lack of trust in safety systems. Other motives include denial of service to cause systems to not operate as intended, or to prevent sensors from detecting fires or recognizing ignition. Further, cyber criminals are hacking into equipment or systems to make the system unstable and present fire or explosion hazards. In summary, these attacks can compromise life safety or cause a distrust of fire protection systems.
The underpinning objective of fire protection has always been to ensure the fire and explosion hazards are appropriately protected and the safety systems operate as intended, when needed. However, the cyber threat landscape for fire protection systems has the potential to compromise these goals.
In the presence of these threats, it is important to implement security controls and mitigation strategies to reduce the attack surface. Ten actions that can be taken to reduce the probability and consequence of cyber-attacks are provided below:
- Network segmentation. Segmenting computer networks divides the network into smaller parts, which not only improves performance, but it also restricts how far a cyber-attack can spread.
- Update Malware/virus protection. Software security, virus, and malware protection are items that often fall through the cracks for fire protection systems, due to the division of responsibility between the fire protection profession and IT and the technical expertise of those responsible for the systems. However, keeping technology up to date with appropriate protection against malware and viruses is critical for reducing cyber risks.
- Training – Having a trained workforce that is aware of the vulnerabilities introduced with interconnectivity and of their role in reducing the threats is crucial for protecting critical systems. Many threats, such as phishing, piggybacking, and data theft, exploit human behaviors. But a well-trained workforce can implement and execute common cybersecurity best practices.
- Disabling insecure and unused protocols reduces the attack surface and in turn improves cybersecurity.
- Change Default Passwords – Passwords are a common way for cyber criminals to prey on weaknesses. Changing the admin password and increasing its strength can slow or deter cyber-attacks on fire alarm systems.
- Manage Permissions
  - Manage permissions and disable guest accounts – The attack surface can be reduced by managing permissions. Disabling guest accounts and updating passwords are two simple ways to do this. Doing so increases system security, forces technicians to request permission for programming changes to a fire alarm system, and ensures all programming requests and functions impacted by the changes are tested, verified, and documented through a change management process.
  - Manage access – Beyond remote access, another way to reduce cyber risks in a facility is through proactive physical access management. If there is turnover with employees or vendors, terminate their access to systems, both physically and remotely.
- Firewalls – Firewalls are an available means of providing enhanced IT security to protect systems from attack, blocking unauthorized access while still allowing valid users access to the systems and functions necessary to perform their jobs.
- Baselining – To be able to identify abnormal behavior, it is important to understand the baseline behavior on particular networks or systems. Establishing a baseline can help improve the security stance of an organization or network.
- The principle of least privilege – This strategy reduces the attack surface by only permitting users, systems, or processes access to the resources necessary to perform their job.
- Threat, Vulnerability and Risk Assessments (TVRA) – One of the best strategies for reducing the risk of cyber-attacks is to be aware of the present threats, system vulnerabilities and the organization’s overall risk, which can be achieved through a threat, vulnerability, and risk assessment. TVRAs can be conducted to assess an organization’s need to protect its assets and minimize cybercrime and security breaches. The risk of the identified threats can then be classified by a combined assessment of the facility’s vulnerability and the impact of the potential loss. This information can be used to inform a customized cybersecurity strategy.
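The network segmentation and baselining actions above can be combined into one monitoring check, sketched here as an added example that is not part of the original article or the Foundation's report. It learns the flows seen during a known-good window and then reports any new flow that touches the fire/life-safety segment; the subnet, addresses, ports and record format are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumption: fire/life-safety devices sit in their own network segment.
# The subnet and every address below are constructed for this example.
FIRE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
Flow = namedtuple("Flow", "src dst proto port")

# Constructed flow records: "src dst proto dst_port", one per line.
BASELINE_LINES = """
10.20.0.10 10.20.0.5 tcp 443
10.20.0.20 10.20.0.10 tcp 443
"""
OBSERVED_LINES = """
10.20.0.10 10.20.0.5 tcp 443
192.168.1.77 10.20.0.10 tcp 23
10.20.0.10 10.20.0.30 udp 47808
192.168.1.77 192.168.1.1 udp 53
"""

def parse_flows(text):
    """Parse flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(port)))
    return flows

def find_deviations(baseline_text, observed_text):
    """Return (flow, reason) for fire-segment flows absent from the baseline."""
    baseline = set(parse_flows(baseline_text))
    findings = []
    for f in parse_flows(observed_text):
        src_in, dst_in = f.src in FIRE_SEGMENT, f.dst in FIRE_SEGMENT
        if not (src_in or dst_in) or f in baseline:
            continue  # outside the fire segment, or known-good behavior
        if src_in != dst_in:
            reason = "crosses the segment boundary"
        else:
            reason = "new flow inside the fire segment"
        findings.append((f, reason))
    return findings

if __name__ == "__main__":
    for flow, reason in find_deviations(BASELINE_LINES, OBSERVED_LINES):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

A boundary-crossing finding points at a segmentation or firewall gap, while a new flow inside the segment is a baseline deviation to investigate before it is accepted as normal.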
While cyber-attacks pose one of the greatest challenges to organizations today, the threats can be reduced through active management. By analyzing the systems in place, soliciting help from technical experts, implementing risk reduction strategies, and educating respective workforces, the threat of cyber-attacks on fire safety can be minimized.
- Security Experts. (2021, March 17). Cybercrime to cost over $10 trillion by 2025. Security Boulevard. Retrieved from https://securityboulevard.com/2021/03/cybercrime-to-cost-over-10-trillion-by-2025/
- Chevreaux, J., Owen, P., Donaldson, K., Bright, K., Largen, A., Meiselman, D., . . . Uribe, A. (2021). Cybersecurity for Fire Protection Systems. Quincy: Fire Protection Research Foundation.
- Chivers, K. (2020, March 26). What is a man-in-the-middle attack?
- Cybersecurity and Infrastructure Security Agency (CISA). (2020, August 25). Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks. Washington, DC, United States.
- Driz, S. E. (2018, June 16). What is Remote Code Execution Attack and How to Prevent this Type of Cyberattack.
- Kalluri, B., Kivac, A., & Rosenqvist, H. (2020). A Taxonomy for Cross-Domain Fire Hazards in Buildings. Singapore: Research Publishing.
- Scarfone, K., Tibbs, C., & Sexton, M. (2010). NIST Special Publication 800-127: Guide to Securing WiMAX Wireless Communication. Gaithersburg: National Institute of Standards and Technology.
- Ponemon Institute. (2020). Cost of a Data Breach Report 2020. Armonk: IBM Security.