Historically, the National Electrical Code (NEC) laid out standards and regulations exclusively for “electrical installations” and “safety” in the United States. Things are changing. Cybersecurity has gained traction and is being incorporated into NFPA 70, the 2023 National Electrical Code; Section 110.3(8) in the most recent version reads in part:
“Cybersecurity for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality.”
As the tactics and strategies of bad actors advance, protection against cyber threats and vulnerabilities is becoming an essential aspect of all modern critical infrastructure systems and installations in the United States. This latest NEC update brings attention to safety equipment and the requirement that it perform as intended even in the midst of a cyberattack.
As the threat landscape continues to evolve for OT/ICS environments, we will see more and more systems incorporating these baseline cybersecurity elements and policy into the very core of every industrial design and installation moving forward. This is no longer a ‘nice to have’ but rather a ‘must have’.
Actions and/or Recommendations
While the actions taken with existing and new environments may vary, the anticipated results must remain the same. Consequently, the following actions are recommended:
- Perform a vulnerability assessment of your existing safety systems and business continuity objectives to ensure viability and resilience even in the midst of a cyberattack.
- Review current and planned projects for compliance with the most recent facility requirements as well as safety, regulatory, and standards adherence.
- Develop and implement a risk mitigation strategy that meets the intent of the NEC 2023, Section 110.3(8).
- Comply with NEC 2023 Section 708.7 to assess the Critically Operated Power System (COPS) cybersecurity network at intervals of not more than five years.
- Develop, implement, and regularly test a disaster recovery program that incorporates electrical safety as well as current standards and regulations.
About REAL Matters and Mangan Inc.
REAL Matters advisories are published to communicate cybersecurity threats and risks within the Operational Technology (OT) environment and where Critical Infrastructure vulnerabilities are identified. The purpose of this newsletter is to inform, to propose approaches to mitigate the risk, and to provide feedback on how Mangan Cybersecurity is approaching the issue(s) addressed.
Mangan Inc. is a nationally recognized Specialty Engineering, Automation, and Integration company, providing a full range of services to the Oil & Gas, Refining, Pipeline, Chemicals, and Life Sciences Industries. Established in Long Beach, California in 1990, Mangan’s multiple office locations include sites in California, Georgia, New Hampshire, North Carolina, Texas, and Louisiana. Mangan’s 350+ employee-owners bring expertise, innovation, and safety as their core mission to some of the largest companies in the world.