How to Understand NEC 2023 Cybersecurity Requirements
Recent cyberattacks highlight the growing importance of integrating cybersecurity into organizational maintenance strategies, especially when emergency power systems have the potential to be compromised.
Secure emergency power systems should be a top priority because these systems are designed to support critical life safety systems such as exit lighting, fire alarms, ventilation and security when an unexpected outage occurs.
As these life safety systems become increasingly connected to building control systems and the Internet of Things (IoT), it is possible to expose vulnerabilities that could have significant consequences. That means it’s time to make sure any possible attack surface is properly secured and any new equipment added to the system meets measurable cybersecurity criteria.
But where and how do you start securing emergency power systems? The 2023 update of the National Electric Code (NEC) now provides guidance. Let’s examine the code’s scope, highlight the practical applications and explore ways to extend its impact to ensure secure connections for your critical life safety systems.
NEC 2023 Addresses Cybersecurity for Connected Life Safety Systems
The concept of cybersecurity has been added to NEC 2023 Sections 110.3(A), 240.6(D), 708.7 and 708.8(A), which includes a list of considerations electrical system inspectors use to evaluate the overall safety of an electrical system.
The eighth and newest consideration notes that inspectors should assess equipment for its resilience to a potentially malicious cyberattack. This guidance is applicable for network-connected life safety equipment, which could include generator controls, automatic transfer switches or intelligent relays.
This update was made because cyberattacks are now a threat to network-connected building life safety equipment and other critical systems and could negatively affect their ability to carry out essential life safety functions.
Now, when evaluating an emergency power system installation, inspectors and plan examiners will begin to ask for evidence that connected electrical equipment has been assessed and complies with industry cybersecurity requirements.
How Can You Build More Cyber Secure Life Safety Systems?
An informational note in NEC Section 110.3 points toward widely recognized product standards that provide a framework to mitigate current and future cybersecurity vulnerabilities. These standards, which include the UL 2900 series for cybersecurity, establish what is called “measurable cybersecurity criteria.”
When choosing components to secure emergency systems, these standards allow you to look for products that are secure by design and also have the ability to detect malicious firmware updates. Vendors should also be able to show they maintain a secure development lifecycle (SDLC) for their products and have that SDLC validated by an independent organization.
Another important consideration is that any components added to the system should have the ability to restrict access and support multifactor authentication. The use of a separate OT-specific active directory server can make managing these accounts easier. You can set specific accounts for personnel who need access and disable accounts once access is no longer needed. The fewer open accounts, the fewer opportunities attackers have to enter the system.
Other items to think about when selecting equipment include:
- Are the devices capable of using secure encrypted communication?
- Can the product transmit activity logs to a central log aggregation server (like a System Incident and Event Manager, or SIEM)? If this isn’t possible, ensure the device can be installed in an environment where network monitoring is possible.
- Can the device’s configuration be backed up? This ensures full functionality can be recovered quickly.
Consider the Full Cybersecurity Lifecycle
A robust cybersecurity lifecycle program requires much more than simply buying a product certified for cybersecurity. To prevent operational vulnerabilities, life safety networks must be constantly monitored and capable of adapting to changes.
Ensuring the functionality of a system is one thing, but true security goes beyond mere operation. It involves a meticulous approach to enhance security measures. Picture this: You've set up your protection relay to functionally work seamlessly, but have you considered the cybersecurity factors? Have you reviewed and optimized protection relay and cybersecurity configurations, ports, services and passwords? This additional layer of attention to security details is what sets apart a well-installed system from one that is functional and fortified against potential risks.
Safeguarding emergency systems is an ongoing process, not a one-time task. Regular monitoring and updates are essential to address evolving threats. Continual assessments of people, processes and technology throughout their lifecycle ensures they remain aligned with the latest security standards. Proactively training and making individuals aware of emerging threats further enhances a system's resilience, actively adapting to the dynamic landscape of potential risks.
At Eaton, we recommend creating a specific plan for monitoring and evaluating your cybersecurity posture:
Yearly
- Asset inventory and baseline generation
- Network topology and drawing review
- Vulnerability assessment
- Cybersecurity training and response readiness evaluation
Monthly
- Configuration baseline (baselines should also be done before and after any changes are made to a device)
- Backup system assets
- Vulnerability review (vendor and public)
- Deploy patches and firmware updates
- Deploy “security” updates (e.g. AV definitions)
- Review access control lists
- Review user accounts and controls
- Cybersecurity awareness and communication
Biweekly
- Logging review and analysis
- Time synchronization verification
- Redundancy, resilience and failure modes
- Overall system health check
Building a Safer, More Secure Future
The NEC 2023 cybersecurity requirements are a great step forward to standardize cybersecurity and safety across the entire electric industry. However, cybersecurity is not a one-size-fits-all endeavor; it's a journey—and organizations are at various stages in that journey. Factors such as industry, region and unique company-specific situations can influence the approach to cybersecurity.
In this dynamic environment, it is important to recognize when you should comply with and go beyond the NEC’s new codes. I believe it's crucial to consider the full cybersecurity lifecycle to ensure the security of life safety systems. In addition to selecting secure products and configuring them properly, cybersecurity involves building a program that proactively identifies and responds to cyber threats, contributing to a holistic improvement in an organization's security posture.
At Eaton, we advocate for the development of a cybersecurity lifecycle framework tailored to your organization's unique needs. Whether you're just getting started or seeking to enhance existing measures, your cybersecurity program should align with industry standards, including the NIST Cybersecurity Framework, NIST SP800-82, IEC 62443, SANS and the Center for Internet Security (CIS) Critical Security Controls (CSCs).