There has been no shortage of cyber breaches, if you’re keeping track. Recent targets include CNA Financial Corp., a municipal water treatment site in Florida, the Molson Coors Beverage Co. and a host of high-profile customers, including Tesla, hit by a surveillance takeover involving IP camera maker Verkada. Experts agree that this type of risk from new threat vectors will continue to rise.
So how do access control systems stack up when it comes to secure transmissions? Manufacturers continue to take steps to reduce potential points of vulnerability between credentials, readers, control panels and the cloud. However, once access control systems become linked with other smart systems in the internet of things (IoT), the cloud and big data, systems integrators will face new security challenges.
“The world of IoT is much like a two-headed snake,” said Scott Lindley, vice president and general manager, Farpointe Data Inc., San Jose, Calif. “While one head promises and delivers greater productivity, the other opens the system to greater risk of attack. Every sensor added to the system is another gate to a hacker with bad intentions.”
Since networking appliances and other objects is a relatively novel practice, product design has not yet fully incorporated security, he said. “IoT products are often sold with inadequate operating systems and software. Furthermore, systems integrators don’t change the default passwords on smart devices, segment their networks or have network access restricted,” Lindley said.
Users are increasingly concerned about the potential for system compromise.
“We know that by implementing a rigorous access control system as part of our physical security we will be able to help secure our properties from unauthorized access, keep our assets and employees safe and prevent damage or loss,” said Brian Gyorkos, corporate safety and security leader at Rubrik, a cloud data management company in Palo Alto, Calif.
Rubrik, a customer of Brivo, Bethesda, Md., said its safety and security team faces ever-changing challenges, which necessitates constant monitoring and assessment.
The Verkada incident underscores the relevance of the topic, as hackers continue to see they can have an effect on the physical security world, said Steve Van Till, Brivo’s president and CEO. Brivo pioneered the delivery of cloud-hosted access control and security management services some 20 years ago, creating its own hardware products with firmware customized for more secure communications.
Systems integrators, he said, need to verify that vendors have cybersecurity processes in place to protect data and information.
“The Open Supervised Device Protocol (OSDP), a Security Industry Association standard designed to improve interoperability between access control and security products, supports encrypted communications between the panel and the reader. But that’s only one leg of the stool—encryption during data transmission from point A to point B, or data in motion. Once the data has been received and becomes data at rest, what’s being done to protect it? Data at rest is more of a challenge and also needs to be encrypted,” he said.
Van Till said control panels should not have open ports, an architecture principle important for any IoT device.
“The control panel is not listening and accepting incoming requests, which eliminates risk. Control panels should initiate the conversation to the cloud, using local data to approve/deny access,” he said.
Access control panels should continually monitor their connections and connect only to specific white-listed IP addresses over defined service protocols. If redirected to a server that is not on the list, the panel should refuse the connection and issue an alert. This prevents a process (bot) planted on a panel from launching a cyberattack such as a denial-of-service. Public key infrastructure (PKI) also helps guard against invalid connection attempts: digital certificates as described by the ANSI X.509 specification for PKI systems are deployed to ensure mutual authentication between the control panel and the cloud.
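The panel-side behavior described above, as an added example that is not code from the article or from any vendor's product: an outbound-only connection policy that checks every resolved address (including redirect targets) against an allow-list, records an alert on a mismatch, and a TLS client context configured for mutual authentication. The endpoint names, addresses and file paths are constructed placeholders.

```python
import ipaddress
import ssl
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class OutboundPolicy:
    """Panel-side rule: the panel initiates every connection, and only to allow-listed addresses."""
    allowed: list                      # ipaddress networks the cloud service is known to use
    alerts: list = field(default_factory=list)   # alert records the panel would report upstream

    def check(self, url, resolved_ips):
        """Return True only if every address the hostname resolved to is on the allow-list.

        `resolved_ips` is passed in (rather than resolved here) so the decision logic can be
        exercised offline; a real panel would resolve the hostname just before connecting.
        """
        host = urlparse(url).hostname
        for ip in resolved_ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in self.allowed):
                # Refuse and alert instead of silently following the connection elsewhere.
                self.alerts.append(f"DENY {host} -> {ip}: address not on allow-list")
                return False
        return True

    def follow_redirect(self, location, resolver):
        """A redirect is just another outbound target: re-run the same check on it."""
        host = urlparse(location).hostname
        return self.check(location, resolver(host))


def build_mtls_context(cafile=None, certfile=None, keyfile=None):
    """TLS client context for the panel: verify the cloud's certificate and present its own.

    Paths are assumed inputs; when omitted the context is built but no material is loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # enables hostname checks and CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)           # trust anchor for the cloud service's cert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)      # panel's own X.509 identity for mutual auth
    return ctx
```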
Lindley advised that when transmitting data, integrators should consider OSDP instead.
Other tips to bolster security protocols:
Use a higher-security handshake, or code, between the proximity card, smart card or tag and the reader, so that the reader only accepts information from coded credentials.
Deploy smart credentials with valid ID, letting smart card readers verify that sensitive access control data programmed to a card or tag is genuine, not counterfeit.
When installing readers on the exterior, unsecured side, use tamper-proof screws and epoxy-based potting that encapsulates the reader’s internal electronics, protecting them from weather, hackers and vandals.