110.3(A)(8) Cybersecurity.

Cybersecurity is critical for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality.
Click to Enlarge
Cybersecurity is critical for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality.

Code Change Summary: The concept of Cybersecurity has been added to Section 110.3(A).

During the 2023 code cycle, a public input to add cybersecurity to the laundry list of items in Section 110.3(A) was initially denied at the first revision stage, but then accepted during the second revision process.

Section 110.3(A) provides a 9-item list of considerations for those examining electrical equipment. This section is heavily used by electrical inspection authorities.

Previous item 8 (now item 9) suggests considering “other factors that contribute to the practical safeguarding of persons using or likely to come in contact with the equipment”. “Other factors” is way too broad of a phrase to try and spin it to apply to threats caused by cyberattacks. Now, item 8 applies to judging equipment for its suitability when there is potential for malicious cyberattacks.

Newer technologies such as Power Over Ethernet (POE) emergency lighting that uses data cables to power and control emergency systems in a building has many benefits but can also bring vulnerabilities since these systems have provisions to be accessed, monitored, and tested from a computer.

Cyberattacks are now a threat to network connected building life-safety equipment and other critical systems which can negatively affect their ability to operate in their essential roles.

At the first draft stage of the 2023 NEC®, 19 out of 22 eligible voters on the code panel accepted a public input to add new Section 700.9 to address cybersecurity vulnerabilities for emergency systems that are connected to a communication network and have the capability to permit control of any portion of the premises emergency electrical system. During the public comment stage, the code panel voted to remove the new section on cybersecurity. The committee statement supporting the deletion of the new code section noted that Panel 13 agrees that cybersecurity is an important aspect of overall system reliability, but the requirements are better suited in Article 110 where they would apply generally.

When considering accepting an installation that is vulnerable to cyberattacks, inspectors and plans examiners will likely begin to ask for assurance that the electrical equipment has some sort of framework to mitigate current and future cybersecurity vulnerabilities and address the integrity of the software that will be used for the installation.

The new informational note references product standards available for software cybersecurity pertaining to network-connectable products.

Below is a preview of the NEC®. See the actual NEC® text at NFPA.ORG for the complete code section. Once there, click on their link to free access to the 2023 NEC® edition of NFPA 70.

2020 Code Language:

Cybersecurity was not mentioned in the NEC®.

2023 Code Language:

110.3 Examination, Identification, Installation, Use, and Listing (Product Certification) of Equipment.

(A) Examination. In judging equipment, considerations such as the following shall be evaluated:

(1) Suitability for installation and use in conformity with this Code

(2) Mechanical strength and durability, including, for parts designed to enclose and protect other equipment, the adequacy of the protection thus provided

(3) Wire-bending and connection space

(4) Electrical insulation

(5) Heating effects under normal conditions of use and also under abnormal conditions likely to arise in service

(6) Arcing effects

(7) Classification by type, size, voltage, current capacity, and specific use

(8) Cybersecurity for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality

Informational Note No. 3: See the ANSI/ISA 62443 series of standards for industrial automation and control systems, the UL 2900 series of standards for software cybersecurity for network-connectable products, and UL 5500, Standard for Remote Software Updates, which are standards that provide frameworks to mitigate current and future security cybersecurity vulnerabilities and address software integrity in systems of electrical equipment.

(9) Other factors that contribute to the practical safeguarding of persons using or likely to come in contact with the equipment

Did You Like This? Let Us Know With A Like! Thanks!

110.3(A)(8) Cybersecurity.

Below is a Real Question from our Electrical Continuing Education Courses for Electrical License Renewal:

Based on the 2023 NEC, which of the following is true when judging equipment for its suitability?

A: Cybersecurity is important for line voltage electrical equipment that is NOT connected to the internet.
B: Cybersecurity is important for network-connected life safety equipment.
C: Cybersecurity should NOT be considered for network-connected life safety equipment.
D: Cybersecurity is important for line voltage wiring methods that is NOT connected to the internet.
Please register or sign in for electrical continuing education courses.

If you were already signed in, your session probably expired, please sign back in.