In Compliance | NEC
NEC, connectivity, and the problem of cybersecurity
BY DEREK VIGSTOL
As our lives become increasingly connected and complex, cybersecurity has become a major concern. It can be difficult to carry out even the simplest tasks, like checking emails or using the Internet, without having cybersecurity at the forefront of our thoughts. Ransomware, malware, and other forms of cyberattacks lurk around every corner of our electronic worlds. As the electrical infrastructure grows in connectivity, these attacks become a very real threat to the electrical grid and businesses everywhere—imagine hackers gaining access to our service equipment and holding it hostage until we pay a ransom. It seems like something to drive the plot of a science-fiction novel, but it’s happening as we speak.
Recently, the code-making panels for NFPA 70®, National Electrical Code® (NEC®), convened for the first-draft meetings for the 2023 edition of the code. Many of the panels had to review multiple public inputs involving the idea of assessing the cyberattack vulnerability of systems that have a connection to the network, and providing certification that these systems have been designed to handle any attack. This generated a great deal of discussion during the meeting. It also raises the question whether the NEC is the right place for requiring these types of cybersecurity measures. While we won’t know the results until later next year when the revision cycle is complete, we can look at what this might mean for installing and inspecting electrical equipment connected to a network.
The NEC exists to protect people and property from the hazards that arise from the use of electricity. We have long heard how the NEC is an installation code and therefore must only contain requirements for the installation and removal of electrical equipment. But that raises a number of questions. Does that scope leave room for cybersecurity, which is something that happens after the installation of electrical equipment? If the goal of the NEC is to provide requirements that result in an installation that is essentially free from hazards, what are the adverse effects of a cyberattack on electrical infrastructure—and do they constitute a hazard that the NEC aims to protect us from?
Take the example of a hospital, where inadvertent interruption of power can be life threatening. In fact, many hospitals have traditionally pushed for energized work due to the additional hazards that de-energization might create. If the electrical system in a hospital connects to the building automation network and can be controlled by this network, this opens the door for hackers to shut the system down and hold the hospital hostage. In this instance, the ability to keep the hackers out of the system and prevent them from controlling the electrical equipment in a hazardous manner certainly seems as though it is protecting the people in the hospital from the hazards that arise from the use of network-connected electrical equipment. Requiring cybersecurity measures here wouldn’t be too far off from requiring the essential electrical system to have a capacity large enough to supply the connected equipment. It can be argued that hazards such as these that stem from cybersecurity threats are part of the scope of the NEC.
Protecting electrical equipment from cyberattacks is a necessity when the equipment is connected to the network with the ability to be controlled remotely. What has yet to be determined is the extent to which cybersecurity will find its way into the NEC. Like it or not, more and more of our electrical systems will fall into this category in coming years as the very real threats posed by cyberattacks continue to grow. Equipment will need protection, whether it’s in the form of listing requirements or through requirements mandating assessment and certification. Either way, the issue is here, it’s substantial, and it isn’t going away. Stay tuned.
DEREK VIGSTOL is an NFPA technical lead, Electrical Tech Services. NFPA members and AHJs can use the Technical Questions tab to post queries on NFPA 70 at nfpa.org/70next. Top photograph: Getty Images