In November 2013, computer hackers found their way into the computer systems of a major retailer and made off with information on more than 40 million credit cards and other critical personal data of customers. The resulting financial losses for the retailer soared into the millions of dollars, while the lost time and dollars for consumers affected by the breach were significant.
It is noteworthy that the hackers did not directly attack the retailer’s financial or personal data systems. Instead, they broke into the networks of a Pennsylvania-based HVAC contractor with direct links to the retailer’s system in order to remotely monitor and control the retailer’s building systems. This is not uncommon in today’s age of the Internet of Things (IoT), where everything is ‘smart’ and interconnected.
Today, built-in fire-protection systems are everywhere, including fire-alarm systems, sprinkler systems, special suppression systems and so on. To improve their capabilities, these systems are becoming more and more interconnected – the ability of these systems to actively communicate with other systems is critical to their functionality and effectiveness. But this interconnectedness also raises a great concern: are fire-protection systems being exposed as the soft underbelly of the cyber-safety infrastructure?
We go to great lengths to harden today’s fire-protection systems to make sure they’ll always function as intended under any scenario of duress, including the worst natural disasters. But how well are we watching the many back doors into these supposedly secure cyber kingdoms? What’s more, is it possible for cyber hackers to incapacitate many or all of these systems remotely? Can false alarms be sent at random times simply to tax resources? Can multiple systems be activated to serve as a distraction to allow another nefarious act to proceed unchecked? We need to be doing more to understand and to protect today’s modern fire-protection systems from these threats.
We are not starting from zero. Most emergency response agencies have already increased their focus on cyber threats to their systems, with law enforcement, the fire service and EMS all recognising that they are direct targets. This general topic isn’t entirely new in fire protection, either, which has historically played an active role in protecting critical elements of our civilized world. Perhaps most symbolic in this regard is the disastrous 1959 Pentagon fire that wiped out a US Department of Defense central computer centre, and which directly led to the creation of NFPA 75, Standard for the Fire Protection of Information Technology Equipment.
But more is needed before we are caught off guard. At this time, research projects to address this topic are in their conceptual stage. Later this year, the Fire Protection Research Foundation, the research affiliate of the NFPA, hopes to have a new research project underway to quantify the magnitude of the cyber threat, understand the trends, expose the vulnerabilities and establish recommendations for designers, installers, users and others responsible for reliable built-in fire-protection systems.
Interestingly, we are learning more about the importance of this issue as we strive to address new concepts like Power over Ethernet, where Ethernet cabling is being viewed as a viable alternative to conventional wiring. While Ethernet-savvy companies are learning essential parameters such as system reliability and physical resiliency from fire-protection and electrical professionals, the fire-protection community is likewise learning the critical importance of cybersecurity.
The Internet of Things and the interconnectedness of fire-protection systems are bright lights on tomorrow’s horizon and hold enormous promise. But just as we do for other perceived threats and hazards, we must prepare for the worst and make sure our built-in fire-protection measures are never intentionally compromised.
This column/article originally appeared in the NFPA Journal. For more information go to www.nfpa.org/journal