7 December 2021

Cybersecurity for Fire Protection Systems: a compliance and risk based approach

SFPE Europe recently released a publication on cybersecurity for fire protection systems. The article, based on recent research by the Fire Protection Research Foundation, gives sound and accurate reasons why cybersecurity is important for fire protection systems. At Kiwa we are convinced that appropriate cybersecurity is essential to ensure the correct functioning, safety and security of fire protection systems. It must be addressed properly for fire protection systems to be deemed qualified for use and deployment.

As stated, fire protection systems can be part of a larger structure known as the building control systems (BCS). This means that fire protection systems are interconnected, in one way or another, with other systems such as HVAC systems and alarm and security systems. Moreover, the BCS are connected to the internet in one form or another. Remote access and operation, and notification of occupants or other systems, are both examples of functionality made possible by the internet. In essence, the complexity of the environment that fire protection systems are part of means that a lot can go wrong when cybersecurity is compromised.

Ransomware

Successful cyberattacks can leave fire protection systems unable to fully guarantee life safety, or can result in distrust in the effectiveness of these systems. These outcomes can have grave consequences in themselves and should be avoided as much as possible. Even more worrisome, an improperly secured fire protection system can be used as a pivot or doorway to the rest of the systems it is (indirectly) connected to. This can be just as harmful, if not more so. The aforementioned building control systems consist of several other systems which work closely together. In general terms, this means that improper cybersecurity of fire protection systems could lead to other (vital) systems being compromised, with adverse consequences that may cause additional harm or damage. For example, at a manufacturing plant adversaries could gain access to sensitive information or systems by means of an insecure fire protection system. If sensitive information or a system is compromised, this could be used as leverage in ransomware attacks, causing, among other things, disruption of daily operations.

A mix of risk based measures

There are several cyberthreats which could harm fire protection systems and the other systems and assets that are directly or indirectly connected to them. The daily news reports of cyberattacks in all forms and varieties emphasize that this is a prevalent issue and that it is essential to arrange the cybersecurity of systems properly. The approach to good cybersecurity that we advocate at Kiwa is one with a good mix of compliance-based and risk-based measures. It is equally important to check the status of your cybersecurity periodically or regularly, to see whether the measures taken are still effective.

Quality standards

Looking more closely at the compliance-based approach, we see that it concerns topics such as legislation and standardization for the arrangement of cybersecurity. There are several standards, guidelines and relevant legislative texts which suggest cybersecurity measures depending on the area of application. The international standards IEC 62443 and ISO 27001 are two concrete examples of the compliance approach. These two standards provide guidelines for a compliance-based approach to cybersecurity in OT (operational technology) and IT systems respectively. Since a fire protection system is a building control system (BCS), the IEC 62443 standard on cybersecurity for Industrial Automation & Control Systems (IACS) is a very helpful standard.

Risk-based approach

In a risk-based approach, on the other hand, the risks that threaten cybersecurity are taken into account. This is done on the basis of tests and/or assessments which check how well the cybersecurity of organizations or companies can cope with possible cyber threats. Penetration tests and bug bounty hunting are two good examples of risk-based approaches to cybersecurity, and both are offered as services by Kiwa.

  • A penetration test, also known as a pen test or ethical hacking, is a simulated cyberattack on a system or organization, conducted to assess the system's cybersecurity and detect cybersecurity threats. By finding these threats, an organization or business can take specific measures to mitigate the risks found.
  • Bug bounty programs give individuals (who could be ethical hackers or security researchers) the opportunity to report bugs or vulnerabilities, particularly those which could compromise the security of organizations or businesses, in return for monetary rewards (also called bounties). At Kiwa the bug bounty program of an organization is put up on a platform with reliable and adept security researchers who look for bugs and vulnerabilities in an ethical way.

Ample grip

It is easy to see that the combination of a compliance-based approach and a risk-based approach offers ample grip on the cybersecurity of systems and organizations. The solid guidelines found in a compliance-based approach offer good support in arranging the cybersecurity of systems and organizations, which can be quite a challenge due to its complexity. The risk-based approach makes it possible to address the dynamic and ever-evolving nature of cybersecurity.

Ecosystem

The same approach applies to the cybersecurity of fire protection systems. These systems used to be standalone systems with one goal to fulfill: protecting against fire and raising the alarm in the event of one. However, as explained above, this is no longer the case. Fire protection systems are part of a complex, integrated ecosystem of several interworking and interconnected systems. The duality here is that each system has its own targets, goals and purpose while at the same time being part of a larger whole. On top of that, these systems are all fueled by digitalization, which in itself is dynamic and constantly advancing.

Though digitalization offers a lot of possibilities, cybersecurity is an essential part of digital systems. It needs to be addressed in such a way that systems and organizations are well protected while making use of the possibilities of digitalization. A combination of the compliance-based and risk-based approaches is a fitting way to address the different challenges regarding the cybersecurity of fire protection systems.

Reference: SFPE Europe issue 21: Cybersecurity for Fire Protection Systems by Victoria Hutchison, Fire Protection Research Foundation