Life safety availability is non-negotiable. Cybersecurity measures must protect systems without creating new single points of failure or obscuring alarms.


Cybersecurity and Network Resilience for Fire and Security

Hardening Life Safety Systems Without Compromising Function

Why IT Security Models Fail for Fire & Security

Availability trumps confidentiality in life safety systems.

Traditional IT cybersecurity prioritizes data confidentiality and integrity, often at the expense of system availability through reboots, patches, or aggressive port blocking. For fire and security networks, this model is inverted. An alarm that is delayed, blocked, or obscured by a security control is a direct threat to life and property. Security must be implemented with a deep understanding of operational protocols, timing constraints, and failure modes unique to life safety.

The challenge is to contain threats - whether malicious or accidental - within defined zones while guaranteeing that safety-critical communication paths remain open, deterministic, and observable at all times.

Strategic Segmentation as the First Control

Physical and logical segmentation prevents fault and threat propagation.

A flat network where fire panels, security cameras, access control, and building management systems all communicate freely is indefensible. A malfunction, misconfiguration, or breach in any one system can cascade, affecting the availability of others. Strategic segmentation creates bounded zones - for example, separating fire alarm loops, security surveillance, and corporate IT onto distinct network segments.

Effective segmentation uses managed industrial switches with VLANs and access control lists (ACLs) to enforce communication policies. Crucially, the firewall or router controlling traffic between these segments must be configured to understand and prioritize life safety protocols, not treat them as generic data. Every rule change on that device should be tested against the panels' supervision timing: a poll that is dropped or delayed by an over-eager rule shows up as a communication trouble on the panel, not as a quiet security improvement.

Defining and Protecting the Safety Enclave

Segmented network architecture for life safety systems

A well-defined safety enclave isolates critical control from enterprise IT noise and threat surfaces.

The most critical assets must reside in a dedicated, hardened enclave.

The safety enclave contains the core components whose failure would directly impact life safety: fire alarm control panels, critical notification appliances, and security system controllers. This enclave has the highest level of protection and the simplest possible ruleset: allow only essential, authorized traffic in and out. All other access is denied by default.

Protecting this enclave involves both network controls and physical security. Unauthorized devices must not be able to join this segment: unused switch ports are disabled, and active ports are bound to the known device (port security, or 802.1X where the equipment supports it). Management access is strictly controlled and logged. Communication with less-trusted zones (such as a BMS or monitoring workstation network) passes through an inspection point that validates traffic content and rate.
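The inspection point described above is, in policy terms, a short allow list with a default deny, plus a content and rate check on each permitted flow. The following is an added example written for this article, not code from the original page or from any firewall product: the zone addressing, the rule set, the port numbers (5000 for panel status, 443 for the maintenance broker), the BACnet service names and the sample traffic are all constructed for illustration and would come from the panel vendor's documentation and the site's zone plan in a real deployment.

```python
"""Default-deny inspection point between a life safety enclave and less-trusted zones.

Added example for this article, not code from the page or any product. Zone
ranges, rules, ports, service names and sample traffic are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Zone plan (hypothetical addressing). Anything not listed is "untrusted".
ZONES = {
    "enclave": ipaddress.ip_network("10.10.1.0/24"),     # fire panels, controllers
    "monitoring": ipaddress.ip_network("10.10.2.0/24"),  # supervising workstations
    "bms": ipaddress.ip_network("10.20.0.0/16"),         # building management
    "jump_host": ipaddress.ip_network("10.30.0.5/32"),   # remote-access broker
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    max_per_window: int                    # packets permitted per WINDOW_SECONDS
    services: Optional[frozenset] = None   # content check: permitted application services


WINDOW_SECONDS = 1.0

# The complete allow list. Every flow not matched here is denied.
RULES = [
    Rule("enclave", "monitoring", "tcp", 5000, max_per_window=50),   # panel status to workstation
    Rule("bms", "enclave", "udp", 47808, max_per_window=5,            # BMS may read over BACnet/IP,
         services=frozenset({"readProperty"})),                       # but never write
    Rule("jump_host", "enclave", "tcp", 443, max_per_window=20),      # brokered maintenance only
]


class EnclaveInspector:
    def __init__(self, rules=RULES, window=WINDOW_SECONDS):
        self.rules = rules
        self.window = window
        self.history = defaultdict(deque)   # rule index -> timestamps of permitted packets
        self.log = []                       # every denial is an operational event, so all are logged

    def decide(self, ts, src_ip, dst_ip, proto, dst_port, service=None):
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        for i, r in enumerate(self.rules):
            if (src, dst, proto, dst_port) != (r.src_zone, r.dst_zone, r.proto, r.dst_port):
                continue
            if r.services is not None and service not in r.services:
                self._log(ts, "DENY-CONTENT", src_ip, dst_ip, proto, dst_port, f"service {service!r}")
                return "deny-content"
            q = self.history[i]
            while q and ts - q[0] >= self.window:   # slide the rate window forward
                q.popleft()
            if len(q) >= r.max_per_window:
                self._log(ts, "DENY-RATE", src_ip, dst_ip, proto, dst_port,
                          f"over {r.max_per_window} per {self.window}s")
                return "deny-rate"
            q.append(ts)
            return "allow"
        self._log(ts, "DENY-POLICY", src_ip, dst_ip, proto, dst_port, f"{src} -> {dst}: no rule")
        return "deny-policy"

    def _log(self, ts, verdict, src_ip, dst_ip, proto, dst_port, why):
        self.log.append(f"{ts:05.1f} {verdict:<12} {src_ip} -> {dst_ip} {proto}/{dst_port} ({why})")


# Constructed traffic: (ts, src, dst, proto, dst_port, service)
SAMPLE_TRAFFIC = [
    (0.0, "10.10.1.10", "10.10.2.20", "tcp", 5000, None),             # panel -> monitoring: allow
    (0.1, "10.20.3.4", "10.10.1.10", "udp", 47808, "readProperty"),   # BMS read: allow
    (0.2, "10.50.9.9", "10.10.1.10", "tcp", 22, None),                # corporate host probing SSH: deny
    (0.3, "10.10.1.10", "10.50.9.9", "tcp", 445, None),               # panel reaching into corporate: deny
    (0.4, "10.20.3.4", "10.10.1.10", "udp", 47808, "writeProperty"),  # BMS write attempt: deny-content
] + [
    (0.5 + 0.1 * k, "10.20.3.4", "10.10.1.10", "udp", 47808, "readProperty") for k in range(5)
]   # five more reads inside one second: the last one exceeds the 5/s ceiling


def run_sample():
    inspector = EnclaveInspector()
    decisions = [inspector.decide(*pkt) for pkt in SAMPLE_TRAFFIC]
    return decisions, inspector.log


if __name__ == "__main__":
    decisions, log = run_sample()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{pkt[0]:.1f} {pkt[1]} -> {pkt[2]} {pkt[3]}/{pkt[4]}: {verdict}")
    print("\n".join(log))
```

Two design points carry over to real equipment: the rule set is small enough to review by hand, and a denial is logged as an event rather than silently dropped, because a panel that suddenly starts talking to a corporate host is exactly the signal the operations room needs.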

Secure Remote Access Without Backdoors

Remote maintenance is necessary, but traditional VPNs are a liability.

Technicians require remote access for diagnostics and updates, but standard VPNs grant broad network access, creating a large attack surface. A compromised technician's laptop could provide a direct path into the safety enclave. The solution is a zero-trust, application-layer remote access system.

This modern approach does not place the remote user on the network. Instead, it brokers a secure, encrypted session to a single, authorized device or service for a limited time. The technician sees only the specific HMI or configuration tool they need, so lateral movement from that session is not possible. All sessions are recorded and require multi-factor authentication. The broker itself becomes a high-value target and must be hardened, patched and monitored like any other device that can reach the enclave.

Device Hardening and Patch Management Reality

Many life safety devices cannot be patched like IT servers.

Fire panels, PLCs, and legacy security controllers often run on proprietary, closed operating systems with infrequent firmware updates. Applying IT-style patch management cycles is usually impossible, and where a firmware update does exist it has to be scheduled and tested like any other change to a life safety system. Security, therefore, must focus on containment and monitoring.

Network controls must assume these devices are vulnerable. They are placed in segments with strictly limited communication paths. Traffic to and from these segments is monitored for anomalies - sudden changes in flow, unexpected connection attempts, or protocol violations - that might indicate compromise, rather than relying on the device's own defenses.

Resilience Through Redundant, Diverse Paths

True resilience requires multiple independent paths for critical signals.

Cybersecurity is not just about preventing attacks; it's about ensuring function during and after an incident. A single network cable cut by construction or a switch disabled by a malware outbreak should not silence all alarms. Resilience is designed through redundancy.

For highest-criticality links, this means diverse physical paths and redundant, autonomously switching network devices. Protocols like PRP (Parallel Redundancy Protocol) or HSR (High-availability Seamless Redundancy), both defined in IEC 62439-3, provide hitless failover for Ethernet networks by sending every frame over two independent paths and discarding the duplicate at the receiver, ensuring that alarm and control traffic always has a path, even during a hardware failure or targeted attack on network infrastructure. Both require doubly attached nodes: a legacy panel with a single Ethernet port joins the redundant network through a redundancy box (RedBox) that duplicates its frames, and that RedBox then needs to be protected as a critical device in its own right.
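To make the "hitless" claim concrete, here is an added example (written for this article, not code from the page or from any PRP implementation) that models the PRP mechanism: a sender emits each frame on LAN A and LAN B with the same sequence number in the Redundancy Control Trailer, and the receiver delivers the first copy and discards the second. The simulation cuts LAN A part-way through and loses a couple of frames on LAN B while A is still up; the frame count, the failure point and the host name are constructed. Real PRP runs in the link layer of doubly attached nodes or RedBoxes and uses a duplicate discard table with ageing rather than the bounded set used here.

```python
"""Simplified PRP (IEC 62439-3) duplicate discard, simulated over two LANs.

Added example for this article, not code from the page or any product.
Frame counts, failure points and host names are constructed.
"""
import struct
from collections import deque
from dataclasses import dataclass

PRP_SUFFIX = 0x88FB                 # trailing marker identifying a PRP frame
LAN_ID = {"A": 0xA, "B": 0xB}       # 4-bit LAN identifier carried in the trailer


def build_rct(seq: int, lan: str, lsdu_size: int) -> bytes:
    """Redundancy Control Trailer: 16-bit SeqNr, 4-bit LanId + 12-bit LSDU size, PRP suffix."""
    return struct.pack(">HHH", seq & 0xFFFF, (LAN_ID[lan] << 12) | (lsdu_size & 0x0FFF), PRP_SUFFIX)


def parse_rct(lsdu: bytes):
    """Return (seq, lan, lsdu_size) from the last six bytes of a PRP LSDU."""
    seq, mid, suffix = struct.unpack(">HHH", lsdu[-6:])
    if suffix != PRP_SUFFIX:
        raise ValueError("not a PRP frame")
    lan = "A" if (mid >> 12) == LAN_ID["A"] else "B"
    return seq, lan, mid & 0x0FFF


@dataclass(frozen=True)
class Frame:
    src: str
    lan: str
    lsdu: bytes   # payload followed by the 6-byte RCT


class DoublyAttachedSender:
    def __init__(self, src: str):
        self.src, self.seq = src, 0

    def send(self, payload: bytes):
        """Emit the same payload and sequence number on both LANs."""
        size = len(payload) + 6
        frames = tuple(Frame(self.src, lan, payload + build_rct(self.seq, lan, size)) for lan in "AB")
        self.seq = (self.seq + 1) & 0xFFFF
        return frames


class DoublyAttachedReceiver:
    def __init__(self, window: int = 256):
        self.recent = {}          # src -> recently accepted sequence numbers
        self.window = window
        self.delivered = []
        self.discarded = 0

    def receive(self, frame: Frame) -> bool:
        seq, _lan, _size = parse_rct(frame.lsdu)
        seen = self.recent.setdefault(frame.src, deque(maxlen=self.window))
        if seq in seen:           # second copy of a frame already passed up: drop it
            self.discarded += 1
            return False
        seen.append(seq)
        self.delivered.append(frame.lsdu[:-6])
        return True


def simulate(n_frames=20, lan_a_cut_at=8, lan_b_drops=frozenset({3, 5})):
    """LAN A carries nothing from frame index lan_a_cut_at on; LAN B loses the listed frames."""
    tx, rx = DoublyAttachedSender("panel-1"), DoublyAttachedReceiver()
    single_path_lost = 0
    for i in range(n_frames):
        fa, fb = tx.send(f"alarm-status {i}".encode())
        a_ok, b_ok = i < lan_a_cut_at, i not in lan_b_drops
        if a_ok:
            rx.receive(fa)
        if b_ok:
            rx.receive(fb)
        if not a_ok:
            single_path_lost += 1   # what a single-path link over LAN A alone would have lost
    return {
        "sent": n_frames,
        "delivered": len(rx.delivered),
        "duplicates_discarded": rx.discarded,
        "lost": n_frames - len(rx.delivered),
        "single_path_lost": single_path_lost,
    }


if __name__ == "__main__":
    print(simulate())
```

The receiver never has to detect the cable cut or reconverge anything; the redundant copy was already in flight, which is why recovery time is zero. The flip side is that a fault on both LANs at the same moment does lose frames, so the two paths must be physically diverse and monitored individually: a PRP network running on one LAN for weeks because nobody noticed the other fail is a single path with extra cost.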

Monitoring for Anomalies, Not Just Outages

Network monitoring dashboard for OT security

Continuous traffic analysis detects subtle anomalies that indicate probing or compromise long before an outage occurs.

Life safety networks have predictable traffic patterns - deviations are clues.

Unlike enterprise IT with highly variable traffic, fire and security control networks are deterministic. A fire panel polls its detectors at fixed intervals; an access control system sends door events in a specific format. An industrial network monitoring tool can establish this "baseline of normal."

Monitoring then focuses on deviations: unexpected new connections, unusual traffic volume, protocol violations, or communications occurring outside of maintenance windows. These anomalies can indicate malware propagation, unauthorized access attempts, or device malfunction, allowing intervention before a safety function is impacted.
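The baseline-then-deviation approach described in the two paragraphs above can be shown end to end. The following is an added example written for this article, not code from the page or from any monitoring product: it learns, from a constructed set of "known good" flow records, which flows exist, how regular each one's timing is, and how large its frames are, then flags new flows, a polling burst, a frame of the wrong size, and management traffic outside a maintenance window. The hosts, ports, the 02:00-04:00 maintenance window and every flow record are constructed; a real tool learns its baseline from switch mirror ports or flow exports over days, not from a hand-written list.

```python
"""Baseline-and-deviation monitor for a deterministic life safety network.

Added example for this article, not code from the page or any product.
Hosts, ports, the maintenance window and all flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since midnight
    src: str
    dst: str
    port: int
    nbytes: int


MAINT_WINDOW = (2 * 3600, 4 * 3600)   # 02:00-04:00: the only time management traffic is expected
MGMT_PORTS = {22, 23, 80, 443}         # management protocols (assumed for this site)


class Baseline:
    """Per-flow profile: polling interval (only if the flow is regular) and frame-size statistics."""

    def __init__(self, learning):
        by_key = defaultdict(list)
        for f in learning:
            by_key[(f.src, f.dst, f.port)].append(f)
        self.profiles = {}
        for key, recs in by_key.items():
            recs.sort(key=lambda r: r.ts)
            gaps = [b.ts - a.ts for a, b in zip(recs, recs[1:])]
            regular = len(gaps) >= 2 and pstdev(gaps) <= 0.1 * mean(gaps)   # event-driven flows get no timing check
            sizes = [r.nbytes for r in recs]
            self.profiles[key] = {
                "interval": mean(gaps) if regular else None,
                "size_mean": mean(sizes),
                "size_sd": pstdev(sizes),
            }


def detect(baseline, window, interval_tol=0.5, size_sigmas=3.0):
    """Return (kind, flow) alerts for records that deviate from the learned baseline."""
    alerts, last_seen = [], {}
    for f in sorted(window, key=lambda r: r.ts):
        key = (f.src, f.dst, f.port)
        prof = baseline.profiles.get(key)
        if prof is None:
            alerts.append(("new-flow", f))            # never seen during learning
        else:
            if prof["interval"] and key in last_seen:
                gap = f.ts - last_seen[key]
                if abs(gap - prof["interval"]) > interval_tol * prof["interval"]:
                    alerts.append(("interval", f))    # poll arrived far too early or too late
            last_seen[key] = f.ts
            mu, sd = prof["size_mean"], prof["size_sd"]
            if (sd == 0 and f.nbytes != mu) or (sd > 0 and abs(f.nbytes - mu) > size_sigmas * sd):
                alerts.append(("size", f))            # fixed-format poll with a different length
        if f.port in MGMT_PORTS and not (MAINT_WINDOW[0] <= f.ts < MAINT_WINDOW[1]):
            alerts.append(("out-of-window-mgmt", f))  # management traffic outside the agreed window
    return alerts


def learning_records():
    """Constructed 'known good' traffic: 10:00 panel polls, irregular door events, 02:30 maintenance SSH."""
    recs = [Flow(36000 + 5.0 * i, "10.10.1.10", "10.10.1.20", 5000, 64) for i in range(13)]
    recs += [Flow(t, "10.10.1.30", "10.10.2.20", 6000, n)
             for t, n in [(36003.0, 120), (36017.5, 136), (36021.0, 128), (36044.0, 124)]]
    recs += [Flow(t, "10.30.0.5", "10.10.1.10", 22, n)
             for t, n in [(9000.0, 900), (9002.0, 1500), (9010.0, 700)]]
    return recs


def observed_records():
    """Constructed 14:00 traffic containing four kinds of deviation."""
    recs = [Flow(50400 + 5.0 * i, "10.10.1.10", "10.10.1.20", 5000, 64) for i in range(7)]  # normal polls
    recs += [Flow(t, "10.10.1.10", "10.10.1.20", 5000, 64) for t in (50430.5, 50431.0, 50431.5)]  # poll burst
    recs.append(Flow(50435.0, "10.10.1.10", "10.10.1.20", 5000, 1400))  # poll-shaped flow, wrong size
    recs.append(Flow(50412.0, "10.10.1.30", "10.10.2.20", 6000, 130))   # ordinary door event
    recs.append(Flow(50418.0, "10.10.1.10", "10.50.9.9", 445, 300))     # panel talking to a corporate host
    recs.append(Flow(50420.0, "10.30.0.5", "10.10.1.10", 22, 800))      # SSH at 14:00, outside the window
    return recs


def run_sample():
    return detect(Baseline(learning_records()), observed_records())


if __name__ == "__main__":
    for kind, f in run_sample():
        print(f"{kind:<18} {f.ts:8.1f} {f.src} -> {f.dst}:{f.port} {f.nbytes}B")
```

Two choices are worth keeping whatever tool is actually used: only flows whose timing was regular during learning get a timing check, so event-driven traffic such as door events does not generate noise, and a known flow appearing at the wrong time of day is an alert in its own right, because a legitimate maintenance protocol used outside the maintenance window is the most common shape of unauthorized access on these networks.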

Physical Security of Network Infrastructure

A network switch in an unlocked closet is a physical backdoor into the safety system.

Cybersecurity begins with physical access control. Network switches, routers, and gateways that form the backbone of the life safety network must be housed in secured cabinets or rooms. This prevents unauthorized connection of devices, tampering with cables, or hard resets that could cause outages.

For distributed field networks, this means using ruggedized, lockable enclosures for edge switches and ensuring fiber or conduit runs are not easily accessible. Physical and logical security are layers of the same defense-in-depth strategy.

Secure Lifecycle Management and Decommissioning

Security extends from commissioning through to system replacement.

Default passwords left on devices, undocumented configuration changes, and forgotten test accounts are common weaknesses. A secure lifecycle management process enforces password policies, maintains a secure configuration baseline, and rigorously removes access for departed personnel or decommissioned systems.

When devices are retired, they must be securely wiped of configuration data that could reveal network topology or access credentials. A disciplined, documented process for every change reduces the "configuration drift" that slowly erodes security over a system's decades-long lifespan.

Integrating Cybersecurity into Operational Response

Security events must trigger operational procedures, not just IT tickets.

A detected intrusion attempt on the fire alarm network is not just an IT incident; it is a potential threat to life safety. Security monitoring must be integrated with operational response. Alerts should go to security operators *and* the life safety control room, with clear procedures on how to assess potential impact on system availability.

Drills should include scenarios where a cybersecurity event (e.g., a malware outbreak on the corporate network) coincides with a physical incident, testing the resilience of communication paths and the clarity of joint response protocols between IT, security, and facilities teams.

Security must be built in, not bolted on.

Throughput Technologies advises on cybersecurity architectures that protect fire and security systems without introducing new risks to availability.

Talk with a Solutions Specialist to conduct a resilience review of your life safety network.


Answered – Some Frequently Asked Questions


Doesn't segmentation make troubleshooting harder?

It introduces initial complexity but dramatically simplifies fault isolation in the long run. In a flat network, a fault can originate anywhere. In a segmented network, problems are contained to a single zone. Well-documented segmentation with clear zone purposes actually speeds up diagnostics, as technicians know exactly where to look based on the symptoms. The key is maintaining accurate network diagrams and access control lists as part of the operational documentation.

Can fire alarm systems be connected to the internet for remote monitoring?

They often are, but the connection must be architected with extreme caution. The fire system itself must never carry a publicly routable address or accept inbound connections from the internet. The correct method is a dedicated, hardened firewall or a secure cellular gateway at the site that establishes an outbound-only, encrypted tunnel to the monitoring center; everything the monitoring center sends, including any session it initiates, travels inside that tunnel. This "dial-out" model, rather than "listen-in," removes the public attack surface from the life safety enclave. The tunnel is itself a supervised path: its loss must raise a communication trouble rather than go unnoticed.

How do you protect legacy devices that cannot be patched?

You contain them. Legacy devices are placed in the most restrictive network segment possible. Communication to and from that segment is tightly controlled by a firewall or industrial protocol-aware gateway that only allows the specific, necessary traffic flows. The network around the device is then monitored for any unusual activity targeting it. The strategy is to create a "secure bubble" around the vulnerable asset, compensating for its weaknesses with strong network-level controls.

What is the single most important cybersecurity control for a life safety network?

Strategic network segmentation, rigorously enforced. It is the foundational control that limits the "blast radius" of any incident, whether caused by malware, misconfiguration, or hardware failure. By creating a dedicated, simple, and well-defended enclave for critical safety functions, you isolate them from the inherent noise and risk of enterprise IT and other building systems. All other security measures (monitoring, access control, hardening) are more effective and easier to manage within this segmented architecture.

How often should the security of a life safety network be reviewed?

Annually as a formal audit, and continuously through change management. Any change to the network, whether adding a device, modifying a firewall rule, or updating software, must be evaluated for security impact. An annual review should reassess the network topology against current threats, verify that all controls are functioning as intended, and review access logs for anomalies. Because these systems often remain unchanged for years, it is critical that reviews also consider new vulnerabilities that may have been discovered in the installed equipment and assess the compensating controls around it.

