The use of IP-based access control solutions to manage employee comings and goings has dramatically increased in recent years. The Internet of Things (IoT) has added connectivity to an abundance of devices that better facilitate access which has users – and potential users – rightfully concerned about the security of these newer technologies.
Electronic access control, mobile and cloud solutions—as well as the variety of hardware devices added to a network to facilitate access control (such as readers, controllers and electronic locks)—can make a solution vulnerable to cyber threats and cyberattacks, and potentially compromise an organization’s entire network. It’s essential when choosing an access control provider and solution, that the manufacturer and installer emphasize cybersecurity for the whole architecture, from the server down to the reader, above all else.
How Secure is Your Communication Protocol?
Many of the traditional access control systems use the Wiegand protocol for communication between the reader and controller. Because it is unsecure and unencrypted, Weigand leaves many systems vulnerable to attack. Despite using secured credentials, the sensitive info that is passed onto the controller can be tapped into over the Wiegand wire. A more cyber secure option is the Open Supervised Device Protocol (OSDP) which is the golden standard in the industry. OSDP is highly secured and encrypted making it harder for cyberattacks. It is also trusted by organizations needing the highest level of security. In fact, it meets the requirements of the Federal Identity, Credential and Access Management (FICAM) guidelines that guides how the access control industry does business with the federal government.
Using smartphones on a network-based access control solution might – and should – raise concerns about cybersecurity. Rumors continue to swirl that newer technologies like Bluetooth or Near Field Communication (NFC) are not secure. However, when properly set up and maintained, they are. Bluetooth and NFC are simply channels over which information is transmitted. Believing that Bluetooth is not secure would be like suggesting that the internet is not secure. In both cases, the security of your communication depends on the technology, protocols and safeguards put in place.
Smart Cards are Secure – If You Choose the Right Card and Take the Right Precautions
As access control has progressed, we’ve learned that certain older technologies (like magstripe and proximity cards) can be inherently insecure. When choosing smart cards for your access control solution, always pick the latest generation with the most up-to-date technology.
As alluded to earlier, your network is only as secure as the devices you attach to it. For access control, one of the most vulnerable cyberattack targets are traditional readers and controllers that facilitate your access control solution. Ensure they, too, are equipped with the latest in secure technology and that that technology is compatible with any smartcard you choose (because oftentimes they aren’t).
The Same Goes for Electronic Locks
Today, there are electronic locks that need no wiring and little more than an internet connection to facilitate access control. Sounds like the perfect storm for a cyberattack – and it can be – but reputable electronic lock manufacturers have been hard at work engineering important security protocols like encryption and authentication into these locks to help prevent malicious cyberattacks (and unauthorized access). When choosing hardware for your access control solution, only select those manufacturers that have committed to extending protection against cyberthreats all the way to the door.
Make Cybersecurity a Priority When Choosing an Access Control Solution
Use these tips when evaluating access control providers to ensure you are choosing a product that offers the best in cybersecurity protection:
- Choose a vendor that takes cybersecurity seriously. Protection against cyberthreats includes end-to-end encrypted communications for software and hardware, secure claims-based authentication, and digital certificates. They should also conduct regular penetration tests to try and catch vulnerabilities on their own before they become a threat to end users, and ensure that the entire infrastructure is secure, from the server to the reader.
- Privacy is important, too. Because access control credentials can contain private end user and confidential company data, a vendor that’s committed to privacy as well as cybersecurity should also commit to earning industry certifications (such as ISO 27001) and comply with legislations that are designed to protect privacy (such as GDPR, and the California Consumer Privacy Act).
- Unification can result in total physical security system protection. A unified physical security platform is a comprehensive software solution that manages access control, intercom, intrusion, video, ALPR and analytics through a centralized open architecture built to provide complete access to all data in a single interface. With unified solutions, cybersecurity protections for all systems are monitored and maintained on a continuous basis. Health monitoring systems within unified solutions can catch and address issues before they become fully-fledged problems.
- Choosing the right systems integrator is the best start. Systems integrators can recommend, design and install all components of a physical security solution. If you’ve chosen to deploy an access control system, be sure to ask about cybersecurity and how the system is protected against ongoing cyberthreats. There are even insurance policies offered to protect against the potentially devastating cost of a cyberattack offered through systems integrators who have demonstrated a commitment to protecting against cyberthreats and attacks.
Cyberattacks on businesses cost billions each year. One poorly secured access credential can give cybercriminals the keys to your business – literally. The best way to protect your business is to make cybersecurity a priority when choosing an access control system and remaining vigilant, and never become complacent about the security of your security.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.