NEC requirement
The first requirement for cybersecurity can be found in 110.3(A), Examination. List item number 8 was added in the 2023 Code cycle, requiring that cybersecurity for network-connected life-safety equipment be evaluated to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety function. This is a general requirement found in Article 110, which is titled General Requirements for Electrical Installations. Section 110.3 is titled Examination, Identification, Installation, Use and Listing of Equipment. The requirements found in this section are for evaluating equipment when installed. Adding cybersecurity in this location makes it a general requirement that applies to all electrical installations.
The next location that you’ll find a reference to cybersecurity requirements is in Article 240, which focuses on overcurrent protection. Section 240.6, Standard Ampere Ratings, has a new first level subdivision D titled Remotely Accessible Adjustable Trip Circuit Breakers. It is here that we find requirements such that a circuit breaker that can be adjusted remotely or have its settings modified remotely can have an ampere rating that is equal to the adjusted current setting. This is the long-time pickup setting of the device and is a setpoint that may be modified remotely. An additional requirement in this section states that remote access can only be achieved by two basic methods. First, the circuit breaker can be connected directly through a local non-networked interface. A good example of this is the electronic trip unit that may be on the circuit breaker. Second is when the device is connected through a networked interface that complies with one of two methods:
1. The circuit breaker and associated software for adjusting the settings are listed and identified as being evaluated for cybersecurity. An informational note points to the UL 2900 standard, titled Cybersecurity Standards Series.
2. When a cybersecurity assessment of the network is completed, documentation of the assessment and certification must be made available to those authorized to inspect, operate, and maintain the system.
Informational note 2 provides examples of commissioning certification that demonstrate the system has been investigated for cybersecurity vulnerabilities. These include:
• The ISA Security Compliance Institute conformity assessment program
• Certification of compliance by a nationally recognized test laboratory
• Manufacturer certification for the specific type and brand of system provided
The next location for cybersecurity requirements is found in Article 708, Critical Operations Power Systems. In Section 708.7, critical operation power systems that are connected to a communication network and have the capability to permit control of any portion of the premises’ critical operation power system must comply with one of the following two requirements:
1. The ability to control the system is limited to a direct connection through a local non-networked interface.
2. If there is a connection through a network interface, it must comply with one of two methods:
a. The system and associated software are identified as being evaluated for cybersecurity. This is a listing requirement. The standard that is referenced again is UL 2900.
b. A cybersecurity assessment must be conducted on the connected system to determine vulnerabilities to cyberattacks. This is not a requirement from a performance perspective; it simply identifies vulnerabilities to cyberattacks. The assessment must be conducted when the system configuration changes and at intervals of no more than five years. Documentation of the evaluation, assessment, and certification must be made available to those who are authorized to inspect, operate, and maintain the system.
Section 708.8 of this same article includes commissioning requirements and requires that a commissioning plan be developed and documented. In addition, there is an informational note referencing 708.7, which implies that the commissioning plan must include a cybersecurity assessment.
NEC 2023 code change/intention
The 2023 edition of the NEC added new requirements focused on cybersecurity to the following sections:
110.3(A): Requires that when examining the installation and judging equipment installation, cybersecurity must be considered for network-connected life safety equipment to address its ability to withstand unauthorized updates and malicious attacks while continuing to perform its intended safety functionality.
240.6(D): This new section places requirements to protect against cyberattacks on those devices that can have their settings adjusted over a network.
708.7: This new section for critical operation power systems includes requirements to address cybersecurity concerns for those systems that are connected to a communication network and that have the capability to permit control of any portion of the premises' COPS.
708.8(A): Now includes an informational note reminding us that we must consider cybersecurity during commissioning of a system.
Rationale for change
Cybersecurity is a real threat to power distribution systems. This threat has grown dramatically over the years in many areas, including your home. Cybercrime statistics indicate:
• One in three homes with computers are infected with malicious software
• 65% of Americans who went online received at least one online scam offer
• Worldwide, consumers lost $358 and 21 hours on average per year dealing with online crime
• 47% of American adults have had their personal information exposed by cyber criminals
• 600,000 Facebook accounts have been hacked or are attacked every single day
Cybersecurity is a threat to the electrical power distribution systems that provide life-saving power. The National Electrical Code has begun its work on researching, developing, and implementing requirements for this important topic.
There are other NFPA documents such as NFPA 72, National Fire Alarm and Signaling Code, and NFPA 1225, Standard For Emergency Services Communications, that have cybersecurity requirements. The National Electrical Code is not the only document, code, or standard that includes cybersecurity requirements.