Protecting an organisation’s physical access control system from cyber threats requires close internal collaboration, writes HID Director, Head of Consultants and Regulations for ANZ, Europe and North APAC, Steven Commander.
Identifying and treating vulnerabilities
Cybersecurity and physical security often operate in silos within organisations, and it’s rightly so since physical access control systems have been traditionally known for simply controlling who enters and leaves the building. Yet, the data the access control systems process is crucial to protect, and more so in the current era as physical and logical access converge, driven by digitalisation and hybrid working model.
The threats – from physical employee ID card cloning to network attacks — jeopardise not just people and buildings but entire corporate networks. Therefore, recognising physical security as an essential component of corporate cyber strategy is crucial. According to Gartner[1], 41 percent of enterprises plan to converge parts of cyber and physical security by 2025, up from 10 percent in 2020.
“While organisations in New Zealand and Australia have tended to be slow to take a converged approach to managing their security risk, there are signs this is changing.”
Converged Security: Cybersecurity and Access Control
Physical access control involves the transmission of sensitive data through several components, from credentials to readers, controllers, servers, software clients and more. Unless this entire chain is protected, it is vulnerable to attacks and data breaches.
Although we tend to become a little desensitised to the alarming cyberattack cost statistics that circulate each year, these cyber-physical threats do have real-world consequences. Once your access control systems are compromised, an intruder can access restricted areas, disable alarms, alter permissions and steal proprietary corporate information.
Protecting access data means ensuring its confidentiality, integrity and availability. Yet because most organisations treat physical and cybersecurity as separate domains, they don’t have a comprehensive view of their threat-scapes. The threats literally fall through the cracks.
While organisations in New Zealand and Australia have tended to be slow to take a converged approach to managing their security risk, there are signs this is changing.
In our part of the world, the Australian government, has taken the lead in connecting the cyber-physical dots with recent changes to the Security of Critical Infrastructure Act 2018. The new regulations now require critical infrastructure organisations – including hospitals, utilities, broadcasters, data centres, energy suppliers, freight infrastructure, grocery supply chains and others – to maintain risk management plans that include the threat of unauthorised physical access alongside a range of cyber and information security threats.
The New Zealand government also has some guidance on the matter. Its Protective Security Requirements (PSR) urges organisations to keep their access control system software and hardware up to date. “Ensure your software is updated to address known vulnerabilities,” it says. “Consider updating EACS cards and readers as they age and become vulnerable to new threats.”
What’s Challenging About Securing Access Systems
While awareness may be growing, there remains confusion about what it means to strengthen the cybersecurity of access control systems. Certifications such as NIST 800-53 or TÜVIT have emerged, albeit a welcoming development, aren’t enough to address the extent of the issue.
That’s because securing access systems requires ‘systems thinking’ and examining how information travels from component to component. How is sensitive information about employee identities and authorisation privileges provisioned onto credentials? How is it stored and managed?
Evaluating these risks requires knowledge across domains like operating systems, active directories and databases, as well as knowledge about encryption protocols and algorithms. This requires close collaboration amongst different teams and internal experts – no siloes!
Making Cybersecurity a Priority
How best to ensure the cybersecurity of your access control systems? HID recommends a “good, better, best” type of framework that starts by establishing a baseline before making further upgrades and improvements.
Here’s what that might look like for different parts of an access control system.
Area of Vulnerability: Credentials
- Purpose: Securely store access control data
- Set a baseline with 13,56MHz technology cards. Data stored on the card should be protected with encryption (AES 128 is best practice). So should data that’s communicated from card to reader during the authentication process.
- Improve security by deploying key management policies. Also, look for solutions that have been penetration tested and certified by a third party
Area of Vulnerability: Readers
- Purpose: Process credentials and send them to a controller
- Set a baseline with readers that support 13,56MHz and are equipped with a secure element to store encryption keys
- Improve security by selecting a solution that offers a secure communication channel between reader and controller Manage updates and upgrades via authorised maintenance applications, not configuration cards
Area of Vulnerability: Controllers
- Purpose: Interface with readers and cards to determine whether user permissions are sufficient to grant access to an area
- Set a baseline installing controllers in a secure, tamper-proof enclosure. Connect them to a secure, dedicated VLAN and deactivate all other interfaces (like USB and SD). Remove all default configurations and ensure that firmware and patches are always up-to-date.
- Improve security by allowing only approved IP addresses to connect to the controller — and ensure that encryption is used to protect data at rest and in transit
Area of Vulnerability: Access control servers and clients
- Purpose: Serve as the system’s main database and management console, recording activity and enabling organisations to make changes and adjust settings
- Set a baseline by hosting servers and clients on a secure, dedicated VLAN. Select a solution that offers transparent Common Vulnerabilities and Exposures (CVE) reporting and complies with Secure Software Development Lifecycle (SDLC) standards like ISA/IEC 62443-4-1— and make sure to keep software and operating system patches up-to-date
- Improve security by encrypting data at rest and in transit and deploying custom TLS certificates
Ultimately, access control architecture must fit seamlessly into your broader network and IT architecture. That makes securing access systems an opportunity to increase operational efficiency and streamline broader IT strategies, as well as to decrease risk. Access control systems are the modern-day keys to the castle. Protect them by removing your organisation’s age-old security siloes and addressing each cyber-physical threat your system faces and each area of vulnerability that resides within your system.
[1] Emerging Trend: Convergence of Cyber and Physical Security — Harnessing the Disruption Opportunity. 22 February 2022
