Cybersecurity Manual

Product Security

Document LS10217-000NF-E Rev: B

05/15/2019 ECN: 19-0712
 Fire Alarm & Emergency Communication System Limitations
While a life safety system may lower insurance rates, it is not a substitute for life and property insurance!
An automatic fire alarm system—typically made up of smoke Heat detectors do not sense particles of combustion and alarm
detectors, heat detectors, manual pull stations, audible warning only when heat on their sensors increases at a predetermined rate
devices, and a fire alarm control panel (FACP) with remote notifica- or reaches a predetermined level. Rate-of-rise heat detectors may
tion capability—can provide early warning of a developing fire. Such be subject to reduced sensitivity over time. For this reason, the rate-
a system, however, does not assure protection against property of-rise feature of each detector should be tested at least once per
damage or loss of life resulting from a fire. year by a qualified fire protection specialist. Heat detectors are
An emergency communication system—typically made up of an designed to protect property, not life.
automatic fire alarm system (as described above) and a life safety IMPORTANT! Smoke detectors must be installed in the same
communication system that may include an autonomous control room as the control panel and in rooms used by the system for the
unit (ACU), local operating console (LOC), voice communication, connection of alarm transmission wiring, communications, signal-
and other various interoperable communication methods—can ing, and/or power. If detectors are not so located, a developing fire
broadcast a mass notification message. Such a system, however, may damage the alarm system, compromising its ability to report a
does not assure protection against property damage or loss of life fire.
resulting from a fire or life safety event. Audible warning devices such as bells, horns, strobes, speak-
The Manufacturer recommends that smoke and/or heat detectors ers and displays may not alert people if these devices are located
be located throughout a protected premises following the on the other side of closed or partly open doors or are located on
recommendations of the current edition of the National Fire another floor of a building. Any warning device may fail to alert peo-
Protection Association Standard 72 (NFPA 72), manufacturer's ple with a disability or those who have recently consumed drugs,
recommendations, State and local codes, and the alcohol, or medication. Please note that:
recommendations contained in the Guide for Proper Use of System • An emergency communication system may take priority over a
Smoke Detectors, which is made available at no charge to all fire alarm system in the event of a life safety emergency.
installing dealers. This document can be found at http:// • Voice messaging systems must be designed to meet intelligibility
www.systemsensor.com/appguides/. A study by the Federal requirements as defined by NFPA, local codes, and Authorities
Emergency Management Agency (an agency of the United States Having Jurisdiction (AHJ).
government) indicated that smoke detectors may not go off in as
many as 35% of all fires. While fire alarm systems are designed to • Language and instructional requirements must be clearly dis-
provide early warning against fire, they do not guarantee warning or seminated on any local displays.
protection against fire. A fire alarm system may not provide timely or • Strobes can, under certain circumstances, cause seizures in
adequate warning, or simply may not function, for a variety of people with conditions such as epilepsy.
reasons: • Studies have shown that certain people, even when they hear a
Smoke detectors may not sense fire where smoke cannot reach fire alarm signal, do not respond to or comprehend the meaning
the detectors such as in chimneys, in or behind walls, on roofs, or of the signal. Audible devices, such as horns and bells, can have
on the other side of closed doors. Smoke detectors also may not different tonal patterns and frequencies. It is the property
sense a fire on another level or floor of a building. A second-floor owner's responsibility to conduct fire drills and other training
detector, for example, may not sense a first-floor or basement fire. exercises to make people aware of fire alarm signals and
Particles of combustion or “smoke” from a developing fire may instruct them on the proper reaction to alarm signals.
not reach the sensing chambers of smoke detectors because: • In rare instances, the sounding of a warning device can cause
• Barriers such as closed or partially closed doors, walls, chim- temporary or permanent hearing loss.
neys, even wet or humid areas may inhibit particle or smoke A life safety system will not operate without any electrical power. If
flow. AC power fails, the system will operate from standby batteries only
• Smoke particles may become “cold,” stratify, and not reach the for a specified time and only if the batteries have been properly
ceiling or upper walls where detectors are located. maintained and replaced regularly.
• Smoke particles may be blown away from detectors by air out- Equipment used in the system may not be technically compatible
lets, such as air conditioning vents. with the control panel. It is essential to use only equipment listed for
service with your control panel.
• Smoke particles may be drawn into air returns before reaching
the detector. Telephone lines needed to transmit alarm signals from a premises
to a central monitoring station may be out of service or temporarily
The amount of “smoke” present may be insufficient to alarm smoke disabled. For added protection against telephone line failure,
detectors. Smoke detectors are designed to alarm at various levels backup radio transmission systems are recommended.
of smoke density. If such density levels are not created by a devel-
oping fire at the location of detectors, the detectors will not go into The most common cause of life safety system malfunction is inad-
alarm. equate maintenance. To keep the entire life safety system in excel-
lent working order, ongoing maintenance is required per the
Smoke detectors, even when working properly, have sensing limita- manufacturer's recommendations, and UL and NFPA standards. At
tions. Detectors that have photoelectronic sensing chambers tend a minimum, the requirements of NFPA 72 shall be followed. Envi-
to detect smoldering fires better than flaming fires, which have little ronments with large amounts of dust, dirt, or high air velocity require
visible smoke. Detectors that have ionizing-type sensing chambers more frequent maintenance. A maintenance agreement should be
tend to detect fast-flaming fires better than smoldering fires. arranged through the local manufacturer's representative. Mainte-
Because fires develop in different ways and are often unpredictable nance should be scheduled as required by National and/or local fire
in their growth, neither type of detector is necessarily best and a codes and should be performed by authorized professional life
given type of detector may not provide adequate warning of a fire. safety system installers only. Adequate written records of all inspec-
Smoke detectors cannot be expected to provide adequate warning tions should be kept.
of fires caused by arson, children playing with matches (especially Limit-D2-2016
in bedrooms), smoking in bed, and violent explosions (caused by
escaping gas, improper storage of flammable materials, etc.).

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 2

Installation Precautions
Adherence to the following will aid in problem-free installation with long-term reliability:
WARNING - Several different sources of power can be con- Like all solid state electronic devices, this system may operate
nected to the fire alarm control panel. Disconnect all sources of erratically or can be damaged when subjected to lightning induced
power before servicing. Control unit and associated equipment may transients. Although no system is completely immune from lightning
be damaged by removing and/or inserting cards, modules, or inter- transients and interference, proper grounding will reduce suscepti-
connecting cables while the unit is energized. Do not attempt to bility. Overhead or outside aerial wiring is not recommended, due to
install, service, or operate this unit until manuals are read and an increased susceptibility to nearby lightning strikes. Consult with
understood. the Technical Services Department if any problems are anticipated
CAUTION - System Re-acceptance Test after Software or encountered.
Changes: To ensure proper system operation, this product must be Disconnect AC power and batteries prior to removing or inserting
tested in accordance with NFPA 72 after any programming opera- circuit boards. Failure to do so can damage circuits.
tion or change in site-specific software. Re-acceptance testing is Remove all electronic assemblies prior to any drilling, filing,
required after any change, addition or deletion of system compo- reaming, or punching of the enclosure. When possible, make all
nents, or after any modification, repair or adjustment to system cable entries from the sides or rear. Before making modifications,
hardware or wiring. All components, circuits, system operations, or verify that they will not interfere with battery, transformer, or printed
software functions known to be affected by a change must be 100% circuit board location.
tested. In addition, to ensure that other operations are not inadver-
tently affected, at least 10% of initiating devices that are not directly Do not tighten screw terminals more than 9 in-lbs. Over-tighten-
affected by the change, up to a maximum of 50 devices, must also ing may damage threads, resulting in reduced terminal contact
be tested and proper system operation verified. pressure and difficulty with screw terminal removal.

This system meets NFPA requirements for operation at 0-49º C/ This system contains static-sensitive components. Always
32-120º F and at a relative humidity 93% ± 2% RH (non-condens- ground yourself with a proper wrist strap before handling any cir-
ing) at 32°C ± 2°C (90°F ± 3°F). However, the useful life of the sys- cuits so that static charges are removed from the body. Use static
tem's standby batteries and the electronic components may be suppressive packaging to protect electronic assemblies removed
adversely affected by extreme temperature ranges and humidity. from the unit.
Therefore, it is recommended that this system and its peripherals Units with a touchscreen display should be cleaned with a dry,
be installed in an environment with a normal room temperature of clean, lint free/microfiber cloth. If additional cleaning is required,
15-27º C/60-80º F. apply a small amount of Isopropyl alcohol to the cloth and wipe
Verify that wire sizes are adequate for all initiating and indicating clean. Do not use detergents, solvents, or water for cleaning. Do
device loops. Most devices cannot tolerate more than a 10% I.R. not spray liquid directly onto the display.
drop from the specified device voltage. Follow the instructions in the installation, operating, and pro-
gramming manuals. These instructions must be followed to avoid
damage to the control panel and associated equipment. FACP
operation and reliability depend upon proper installation.
Precau-D2-11-2017

FCC Warning
WARNING: This equipment generates, uses, and can radi- Canadian Requirements
ate radio frequency energy and if not installed and used in This digital apparatus does not exceed the Class A limits for
accordance with the instruction manual may cause interfer- radiation noise emissions from digital apparatus set out in
ence to radio communications. It has been tested and found the Radio Interference Regulations of the Canadian Depart-
to comply with the limits for class A computing devices pur- ment of Communications.
suant to Subpart B of Part 15 of FCC Rules, which is
designed to provide reasonable protection against such Le present appareil numerique n'emet pas de bruits radio-
interference when devices are operated in a commercial electriques depassant les limites applicables aux appareils
environment. Operation of this equipment in a residential numeriques de la classe A prescrites dans le Reglement sur
area is likely to cause interference, in which case the user le brouillage radioelectrique edicte par le ministere des
will be required to correct the interference at his or her own Communications du Canada.
expense.

HARSH™, NIS™, and NOTI•FIRE•NET™ are all trademarks; and Acclimate® Plus™, eVance®, FlashScan®, FAAST Fire Alarm Aspiration Sensing Technology®,
Honeywell®, Intelligent FAAST®, NOTIFIER®, ONYX®, ONYXWorks®, SWIFT®, VeriFire®, and VIEW® are all registered trademarks of Honeywell International Inc.
Microsoft® and Windows® are registered trademarks of the Microsoft Corporation. Chrome™ and Google™ are trademarks of Google Inc. Firefox® is a registered
trademark of The Mozilla Foundation.
©2019 by Honeywell International Inc. All rights reserved. Unauthorized use of this document is strictly prohibited.

3 Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019

Software Downloads
In order to supply the latest features and functionality in fire alarm and life safety technology to our customers, we make frequent
upgrades to the embedded software in our products. To ensure that you are installing and programming the latest features, we
strongly recommend that you download the most current version of software for each product prior to commissioning any system.
Contact Technical Support with any questions about software and the appropriate version for a specific application.

Documentation Feedback
Your feedback helps us keep our documentation up-to-date and accurate. If you have any comments or suggestions about our online
Help or printed manuals, you can email us.
Please include the following information:
• Product name and version number (if applicable)
• Printed manual or online Help
• Topic Title (for online Help)
• Page number (for printed manual)
• Brief description of content you think should be improved or corrected
• Your suggestion for how to correct/improve documentation
Send email messages to:
[email protected]
Please note this email address is for documentation feedback only. If you have any technical issues, please contact Technical
Services.

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 4

 LEGAL NOTICES

Disclaimer

In no event shall Honeywell be liable for any damages or injury of any nature or kind, no matter how caused, that arise from the use of
the equipment referred to in this manual.

Strict compliance with the safety procedures set out and referred to in this manual, and extreme care in the use of the equipment, are
essential to avoid or minimize the chance of personal injury or damage to the equipment.

The information, figures, illustrations, tables, and specifications contained in this manual are believed to be correct and accurate as of the
date of publication or revision. However, no representation or warranty with respect to such correctness or accuracy is given or implied
and Honeywell will not, under any circumstances, be liable to any person or corporation for any loss or damages incurred in connection
with the use of this manual.

The information, figures, illustrations, tables, and specifications contained in this manual are subject to change without notice.

In no event shall Honeywell be liable for any equipment malfunction or damages whatsoever, including (without limitation) incidental,
direct, indirect, special, and consequential damages, damages for loss of business profits, business interruption, loss of business informa-
tion, or other pecuniary loss, resulting from any violation of the above prohibitions.

Copyright Notice

Microsoft, MS and Windows are registered trademarks of Microsoft Corp.

Other brand and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and
are the sole property of their respective holders.
NOTIFIER is a registered trademark of Honeywell International Inc.

Find out more at www.notifier.com

5 Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019

 Table of Contents
Section 1: Introduction ..................................................................................................................................................... 7
1.1: Assumptions and Pre-requisites .........................................................................................................................................................................7
1.2: Applicable NOTIFIER Products........................................................................................................................................................................7
1.3: Applicable Physical Connections ......................................................................................................................................................................7
Section 2: General ............................................................................................................................................................. 8
2.1: Threats ...............................................................................................................................................................................................................8
2.2: Unauthorized Access .........................................................................................................................................................................................8
2.3: Viruses and Other Malicious Software Agents ..................................................................................................................................................8
2.4: User Access and Passwords ...............................................................................................................................................................................8
2.5: Memory Media ..................................................................................................................................................................................................8
2.6: Software and Firmware Updates .......................................................................................................................................................................8
2.7: Computers and Access.......................................................................................................................................................................................8
2.8: Networks, Firewalls & VPN Connections.........................................................................................................................................................9
2.9: VPN Setup .......................................................................................................................................................................................................10
2.9.1: Digital Signing:.....................................................................................................................................................................................11
Section 3: Product Information ...................................................................................................................................... 13
3.1: NCD .................................................................................................................................................................................................................13
3.2: PC NFN Gateways...........................................................................................................................................................................................13
3.3: ONYXWORKS-WS ........................................................................................................................................................................................13
3.4: Embedded Gateways .......................................................................................................................................................................................13
3.5: N-WEBPORTAL ............................................................................................................................................................................................13
3.6: NFC-50/100 .....................................................................................................................................................................................................14
3.7: SWIFT .............................................................................................................................................................................................................14

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 6

 Section 1: Introduction
This guide is intended to provide information on security risks and solutions associated with day to day use of NOTIFIER products.

1.1 Assumptions and Pre-requisites

This guide assumes a high degree of technical knowledge and familiarity with:
• PC administration and operations systems
• Networking systems and concepts
• Security issues and concepts

1.2 Applicable NOTIFIER Products

• NCA-2
• NCD
• NFS-320/SYS
• NFS2-640
• NFS2-3030
• DVC
• ONYXWORKS-WS
• NFN-GW-PC-W
• NFN-GW-PC-F
• NFN-GW-PC-HNSF
• NFN-GW-PC-HNW
• BACNET-GW
• MODBUS-GW
• NWS-3
• NFN-GW-EM-3
• N-WEBPORTAL
• LEDSIGN-GW
• CAP-GW
• VESDA-HLI-GW
• NFC-50/100
• SWIFT

1.3 Applicable Physical Connections

Physical connections referred to in this manual include:
• Touch Screen/Front Panel
• USB Ports
• RS-232 Port
• RS-485 Port

7 Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019

 Section 2: General
2.1 Threats
Security threats applicable to networked systems include unauthorized access, communication snooping, viruses and other malicious
software agents.

2.2 Unauthorized Access

This threat includes physical access to the controller and intrusion into the network to which NOTIFIER equipment is connected. Unau-
thorized external access can result in the following:
• Loss of system availability
• Incorrect execution of controls causing damage to the equipment
• Incorrect operation and/or spurious alarms
• Theft or damage to the contents of the system
• The capture and modification, or deletion of data causing possible liability to the install site and Honeywell
Unauthorized access can result from lack of security of user name and password information. Uncontrolled access to the equipment, and
uncontrolled, unsecured access to the network.

2.3 Viruses and Other Malicious Software Agents

Malicious Software includes the following:
• Viruses
• Spy ware
• Worms
• Trojans
These may be present on a computer which is used for PC configuration software, such as VeriFire Tools or on a USB stick that is used
to upload/download on an FACP.
The intrusion of malicious software agents can result in performance degradation, loss of system availability, and the capture, modifica-
tion, or deletion of data, including configuration, and device logs. Viruses can be transferred by USB devices from other infected sys-
tems on the network or malicious Internet sites.

2.4 User Access and Passwords

Good password security practices should be followed. This includes ensuring the physical security of passwords and keeping passwords
secure. For password protected products, observe the following good practice:
• Ensure physical security of passwords. Avoid writing user names and passwords where they can be seen by unauthorized
personnel
• Make sure passwords contain characters, numbers, and a mix of lower and uppercase letters
• Passwords should be complex enough as to not be easily guessed, and should not contain phrases used in common speech
• Do not use personally identifiable information as a password, such as social security numbers, addresses, birth dates etc.
• Set the minimum level of access for each user. Do not provide users with privileges they do not need
• Ensure that users only use their credentials when accessing the programming level of the FACP
• Periodically audit user accounts and remove any that are no longer required

2.5 Memory Media

Use only authorized removable media that has been scanned and checked for viruses and malware using up to date anti-virus software.
Ensure that memory media is not used for other purposes to avoid risk of infection. Control access to media containing backups to avoid
risk of tampering.

2.6 Software and Firmware Updates

System software and firmware updates may be offered from time to time. Ensure that your local representative has up to date contact
details and periodically visit the NOTIFIER web site for up to date product information.

2.7 Computers and Access

Good security practice should be observed on any PC connecting to NOTIFIER equipment. Operating systems and software should be
kept up to date by installing the manufacturers updates, as well as maintaining up to date anti-virus software on all computers which may
be directly connected or via a network. Ensure that the computers are regularly scanned for viruses. Only allow files and software from
trusted sources to be installed and used on associated computers to avoid malicious software installs. Use only authorized removable
media, e.g. CD, DVD, external hard drives, USB memory sticks that have been scanned using up to date anti-virus software.

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 8

General Networks, Firewalls & VPN Connections

2.8 Networks, Firewalls & VPN Connections

Physical access to network nodes and infrastructure should be limited to authorized personnel to prevent tampering. Where access from
untrusted networks is required, such as Internet access, NOTIFIER strongly recommends the use of a VPN to ensure the security of the
connection.

Protected Premises Control Unit

NFN Network NFN Network

Embedded
Gateway

VPN Router

VPN Connection
Internet

Tunnel

Workstation acting as a Proprietary

Receiving Unit
VPN Client running
Proprietary Receiving Unit is VPN software
UL-listed for monitoring only

Figure 2.1 VPN Type 1

9 Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019

VPN Setup General

Embedded Gateway
VPN connection VPN Router
NFN Network

Tunnel
Internet
VPN Router PRU

Workstation

Secure Network 2
Secure Network 1
PRU NFN Network

Workstation/PC
Gateway

NOTE: VPN SOFTWARE MUST BE RUNNING ON THE WORKSTATION PC

Figure 2.2 VPN Type 3

2.9 VPN Setup

A Virtual Private Network (VPN) must be set up for any external (i.e. outside the site’s intranet) communications including those for all
gateways and remote workstations. A VPN protects the data from being seen or tampered with by bad actors via a secure connection
across an insecure network such as the Internet. Set up a VPN as follows:
1. Use the VPN infrastructure provided by the IT department at your site.
2. Get the VPN services and respective credentials configured on the PCs with the help of the IT department.
3. Ensure that the VPN is turned-on (enabled) and running before starting or using any applications.
4. The end user or the commissioning engineer who configures the system should provide the following information to the IT
department, so that these things are properly managed in the Firewall and/or VPN routers for external communications.
• All the IP addresses and port information that are set up in the system such as the IP address of workstation(s), gateway-cards(s)
and any other IPs like time sync server etc.
• The following workstation IP Port Settings
The workstation IP Port settings are in the following table:
Table 2.1 IP Port Settings:

Port Type Direction Purpose

25 TCP Out SMTP
123 UDP In and Out SMTP
2004 TCP N/A (Internal) Workstation Plug-in Access
2014 TCP Out Connection to DACR Gateway
2017 TCP Out Connection to NFN Gateway
2029 TCP Out Workstation Output Appliances (Signs)
4016 TCP In Database Import/Export

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 10

General VPN Setup

2.9.1 Digital Signing:

The application setup package is digitally signed using a certificate. A digital signature certificate is used to authenticate the identity of
the sender/signer of a document/file and ensure that the original content of the document/file that has been sent is unchanged in transit.
The certification authority used for signing the product installer package is DigiCert® (DigiCert, Inc.).
Website URL: www.digicert.com
If an installer package is digitally signed, perform the following steps:
1. Right click the setup file and select Properties. Go to the Digital Signatures tab in the properties window. If you see signatures
listed on the tab, you know that the file has been signed digitally.

2. Under Signature list, select the signature, and click Details.

11 Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019

VPN Setup General

3. You will see information regarding the Code Signing certificate that was used to sign the executable. On the next tab under
Countersignatures, it will list an entry for a timestamping. If this field is blank, no timestamp exists on this code.

4. You may click on View Certificate to display the signature or click on the Advanced tab to display signature details as well.

Windows installer verifies the Digital Signatures of the installer packages before installing. To verify the signature manually, use the
SignTool that comes with Windows SDK or the utility provided by DigiCert available for download at
https://www.digicert.com/util/DigiCertUtil.exe

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 12

 Section 3: Product Information
CAUTION: CYBERSECURITY RISK
! FAILURE TO COMPLY WITH THE RECOMMENDED SECURITY PRACTICES MAY PLACE YOUR SYSTEM AT RISK.

3.1 NCD
The following Cybersecurity practices are highly recommended for the NCD:
• When connecting VeriFire Tools to the NCD, or connecting the NCD to the NCM, visually inspect the USB and/or RS-232 port
and cables to ensure it has not been tampered with as sensitive information is transmitted over these wires.

3.2 PC NFN Gateways

The following Cybersecurity practices are recommended for the PC NFN Gateways
NFN-GW-PC-W, NFN-GW-PC-F, NFN-GW-PC-HNMF, NFN-GW-PC-HNSF, and NFN-GW-PC-HNW
• The operating system should be set to download Windows updates, but not install them. This ensures that the update installation
does not interfere with fire protection. A site-specific plan should be created that allows for the installation of the updates while
minimizing impact to fire protection.
• Software updates should be installed as they become available. A site-specific plan should be created that allows for the
installation of the updated software while minimizing impact to fire protection.
• Installation of any additional software is not recommended by Honeywell and requires the approval of the AHJ. If additional
software is installed, a site-specific risk assessment should be performed to ensure the additional software does not compromise
fire protection. If the additional software can restart the system, a plan must be developed to ensure fire protection is maintained.
• The IT infrastructure utilized for life safety communication should be physically or logically isolated from non-life safety
infrastructure. Examples of such isolation could include a VLAN, VPN, or dedicated network. Refer to Figure 2.1, “VPN Type
1” on page 9 and Figure 2.2, “VPN Type 3” on page 10.

3.3 ONYXWORKS-WS
The following Cybersecurity practices are highly recommended for ONYXWORKS-WS
• The operating system should be set to download Windows updates, but not install them. This ensures that the update installation
does not interfere with fire protection. A site-specific plan should be created that allows for the installation of the updates while
minimizing impact to fire protection.
• Workstation software updates should be installed as they become available. A site-specific plan should be created that allows for
the installation of the updated software while minimizing impact to fire protection.
• An anti-virus program should be utilized with this system.
• Installation of any additional software is not recommended by Honeywell and requires the approval of the AHJ. If additional
software is installed, a site-specific risk assessment should be performed to ensure the additional software does not compromise
fire protection. If the additional software can restart the system, a plan must be developed to ensure fire protection is maintained.
• The IT infrastructure utilized for life safety communication should be physically or logically isolated from non-life safety
infrastructure. Examples of such isolation could include a VLAN, VPN, or dedicated network. See Figure 2.1, “VPN Type 1” on
page 9 and Figure 2.2, “VPN Type 3” on page 10.
• Each user of the workstation software should have their own user account so that actions taken by a user can be audited.
• The user accounts should be periodically reviewed to verify that users have the minimum access level required to perform their
duties.
• The workstation database should be backed-up at regular intervals.

3.4 Embedded Gateways

The following Cybersecurity practices are highly recommended for Embedded Gateways
BACNET-GW, MODBUS-GW, NWS-3, NFN-GW-EM-3, N-WEBPORTAL, LEDSIGN-GW, CAP-GW, and VESDA-HLI-GW
• Gateway application software updates should be installed as they become available. A site-specific plan should be created that
allows for the installation of the updated software while minimizing impact to fire protection.
• The IT infrastructure utilized for life safety communication should be physically or logically isolated from non-life safety
infrastructure. Examples of such isolation could include a VLAN, VPN, or dedicated network. See Figure 2.1, “VPN Type 1” on
page 9 and Figure 2.2, “VPN Type 3” on page 10.

3.5 N-WEBPORTAL
The following Cybersecurity practices are highly recommended for the N-WEBPORTAL
• Web portal application software updates should be installed as they become available. A site-specific plan should be created that
allows for the installation of the updated software while minimizing impact to fire protection.
• The IT infrastructure utilized for life safety communication should be physically or logically isolated from non-life safety
infrastructure. Examples of such isolation could include a VLAN, VPN, or dedicated network. See Figure 2.1, “VPN Type 1” on
page 9 and Figure 2.2, “VPN Type 3” on page 10.

13 Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019

NFC-50/100 Product Information

3.6 NFC-50/100
The following Cybersecurity practices are highly recommend for the NFC-50/100:
• Install the NFC-50/100 panel in a secure location considering both software and hardware vulnerabilities.
• Change the default password to a unique password.
• Securely configure networks and firewalls.
• Develop a Disaster and Recovery Plan.
• Develop a Backup and Recovery Strategy.
• Install, configure, and maintain anti-virus software on all computers which access the panel.
• Keep the operating system updated and maintain version compatibility with the panel.
• Deliver all required system information upon delivery to the system owner.
• Train end-users on security maintenance tasks upon system delivery.
• For decommissioning, dispose of data securely.
• Ensure the Ethernet cable is removed from the NFC-50/100 when not being utilized for configuration.

3.7 SWIFT
The following Cybersecurity practices are highly recommended when using SWIFT Tools
• When using SWIFT Tools to update the firmware of the gateway or gateway devices, ensure updates are preformed on a
secure/encrypted Wi-Fi Network.
• Ensure the PC running SWIFT Tools has full disk encryption. Full encryption of any backed-up data is also recommended.
• The wireless gateway should be secured in a location which is only accessible to authorized personnel.
• When any SWIFT gateway or device is decommissioned from service, return the equipment to the factory default state.

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 14

 Manufacturer Warranties and Limitation of Liability
Manufacturer Warranties. Subject to the limitations set forth herein, Manufacturer
warrants that the Products manufactured by it in its Northford, Connecticut facility
and sold by it to its authorized Distributors shall be free, under normal use and
service, from defects in material and workmanship for a period of thirty six months
(36) months from the date of manufacture (effective Jan. 1, 2009). The Products
manufactured and sold by Manufacturer are date stamped at the time of production.
Manufacturer does not warrant Products that are not manufactured by it in its
Northford, Connecticut facility but assigns to its Distributor, to the extent possible,
any warranty offered by the manufacturer of such product. This warranty shall be
void if a Product is altered, serviced or repaired by anyone other than Manufacturer
or its authorized Distributors. This warranty shall also be void if there is a failure to
maintain the Products and the systems in which they operate in proper working
conditions.
MANUFACTURER MAKES NO FURTHER WARRANTIES, AND DISCLAIMS ANY
AND ALL OTHER WARRANTIES, EITHER EXPRESSED OR IMPLIED, WITH
RESPECT TO THE PRODUCTS, TRADEMARKS, PROGRAMS AND SERVICES
RENDERED BY MANUFACTURER INCLUDING WITHOUT LIMITATION,
INFRINGEMENT, TITLE, MERCHANTABILITY, OR FITNESS FOR ANY
PARTICULAR PURPOSE. MANUFACTURER SHALL NOT BE LIABLE FOR ANY
PERSONAL INJURY OR DEATH WHICH MAY ARISE IN THE COURSE OF, OR AS
A RESULT OF, PERSONAL, COMMERCIAL OR INDUSTRIAL USES OF ITS
PRODUCTS.
This document constitutes the only warranty made by Manufacturer with respect to
its products and replaces all previous warranties and is the only warranty made by
Manufacturer. No increase or alteration, written or verbal, of the obligation of this
warranty is authorized. Manufacturer does not represent that its products will
prevent any loss by fire or otherwise.
Warranty Claims. Manufacturer shall replace or repair, at Manufacturer's discretion,
each part returned by its authorized Distributor and acknowledged by Manufacturer
to be defective, provided that such part shall have been returned to Manufacturer
with all charges prepaid and the authorized Distributor has completed Manufacturer's
Return Material Authorization form. The replacement part shall come from
Manufacturer's stock and may be new or refurbished. THE FOREGOING IS
DISTRIBUTOR'S SOLE AND EXCLUSIVE REMEDY IN THE EVENT OF A
WARRANTY CLAIM.

Warn-HL-08-2009.fm

Cybersecurity Manual P/N LS10217-000NF-E:B 05/15/2019 15

NOTIFIER
12 Clintonville Road
Northford, CT 06472-1610 USA
203-484-7161
www.notifier.com