NFPA Journal - Spring 2021 - 29

attacks in the United States alone cost an estimated $7.5
billion in 2019, according to a report by the cybersecurity
company Emsisoft, and are expected to grow.
Experts are concerned that cybercriminals could use fire- and life-safety protection systems as means of attack, either
as backdoors into larger corporate networks or as targets to
disable or manipulate. Triggering a fire alarm, for instance,
could unlock external emergency doors, giving bad actors
physical access to a building in order to steal data or to disable systems.
Even more alarming, it's possible that hackers could gain
control of systems with the intent of hurting people or
destroying property. Researchers have shown, for instance,
that it might be possible to hack a large energy storage
system and intentionally cause it to become unstable and
perhaps even explode. These worries aren't all hypothetical:
in 2014, hackers infiltrated the controls of a German steel
mill and disabled the shutdown of a blast furnace, causing
widespread damage to the plant.
While brazen physical attacks are uncommon, the breadth
of attacks against building systems appears to be on the rise
[see "Knowledge Race," page 31]. That has given officials in
the fire protection industry pause, and led to action. Last
year, NFPA's research arm, the Fire Protection Research
Foundation (FPRF), launched a project called "Cybersecurity
for Fire Protection Systems" to begin discussions on preparing the industry to defend against such attacks. The project
is spearheaded by Donaldson's employer, M.C. Dean, which
specializes in intelligent building systems and security. A
literature review of past research and the standards that
address the topic will be published in early 2021, followed by
a workshop where experts in related fields will meet to map
out the actions that should come next.
"Cybersecurity is such a broad topic that we really needed
a starting point, and I look at this project as a great start,"
said Jens Alkemper, research area director for equipment,
cyber, and materials science at the insurance company FM
Global and an advisor to the FPRF project. "We are hoping
that the project will influence thinking and bring much more
awareness to the issue. In my mind, education and awareness are the two biggest issues we have right now. Everything
else flows from them."

System vulnerabilities
For seasoned hackers like Tyler Robinson, breaking into
building systems can sometimes be embarrassingly easy.
Robinson is known in industry parlance as a white hat
or ethical hacker. Companies hire him to try to infiltrate
their systems and report back on the vulnerabilities he
finds. "I get paid to break into stuff, and I don't have to
go to jail," he told me, grinning. What he finds is often his
clients' worst cybersecurity nightmares. Robinson claims
that, during his more than two decades in the business, he's
never failed to take down a mark, whether by physically
entering a building to steal data or hacking it remotely. He's
broken into power grids, data centers, factories, and car
manufacturers, among other targets.

BIG TARGETS
MOST ORGANIZATIONS that fall victim to cyberattacks aren't keen on advertising it to the world
because such events can hurt stock prices, brand
perception, and customer security, and are simply
embarrassing. "The attacks reported in the media are
the ones that are really big, that a lot of people know
about, and that can't be contained," said Phil Owen,
a cybersecurity expert with the firm M.C. Dean. Here
are a few of the largest.

Target targeted

In May 2013, hackers stole the log-in credentials of a
third-party HVAC vendor and used them to infiltrate
the customer database of retailer Target. An estimated 40 million payment card records were stolen,
along with 70 million other records with customer
information including addresses and telephone
numbers.

Nuclear sabotage

A sophisticated computer worm called Stuxnet was
deployed on an Iranian uranium enrichment plant
in 2007. A first-of-its-kind "digital weapon," the program secretly collected information on the plant's
control systems and caused widespread damage to
its centrifuges until it was finally discovered in 2010.
The governments of Israel and the United States
are widely believed to have carried out the attack,
though neither has acknowledged or confirmed it.

Industrial attack

Cyberattackers used an email phishing scheme to
infiltrate and seize control of "a multitude" of systems
at an undisclosed German steel mill, according to a
2014 report from Germany's Federal Office for Information Security. As a result, the plant was "unable
to shut down a blast furnace in a regulated manner,"
resulting in "massive damage to the system."

Hospital hacks

A historic wave of ransomware attacks in September and October 2020 impacted more than 200
US hospitals, crippling facilities in the midst of the
coronavirus crisis. Doctors from New York to California told news outlets that they were forced to
resort to pen and paper, that patient files couldn't
be accessed, and that many critical systems such
as x-ray machines, CT scanners, and telemetry
monitors were dark. Wait times at emergency rooms
ballooned to more than six hours in some hospitals. Although details of breaches in hospitals are
rarely disclosed, experts have said that hackers are
increasingly targeting medical devices and building
systems as a means to gain entry.

Utility power grid

In 2015, a cyberattack on a utility company in Ukraine
cut power to nearly a quarter million people for up to
six hours. The hackers infiltrated the utility's system
through an email phishing attack and were able to cut
power to about 30 substations and disable the company's automated systems, forcing workers to fix the
systems manually. It was the first known successful
attack on a power grid. A year later, a similar attack cut
power to more than 200,000 people near Kiev. -J.R.
