ACCESS CONTROL AND IDENTITY MANAGEMENT, IT INFRASTRUCTURE
By Andrew Seldon.
Technology has done wonders for improving the security of people, organisations and assets, and it has also done wonders for criminals looking to inflict damage to the same. The problem with electronics is that those devices that communicate with a server or a control room were designed to secure people and assets, but until recently weren’t designed to be secure. And let’s be honest, even today there are many devices that pay lip service to security while offering very little in reality.
In the world of access and identity management, some may ask why it would be a big deal if something as simple as a card reader on a door gets hacked? Or if we go further afield, why would it matter if a security camera gets hacked and bad guys see your parking lot or the reception to your offices?
Apart from the inconvenience, those are not sensitive areas so it may not seem like a big deal. A common belief is that, at worst, the criminals can break a reader so people can’t log in.
But what if a criminal uses the hacked reader to gain access to your building after hours? If your reader is online and offline, that means everyone with access is stored on the reader and the database can be stolen. What if a criminal gang is monitoring your parking area and other parts of your business premises to find out the guard tour schedule or how many guards are onsite after hours? That’s a bit more serious.
The real danger in these scenarios is the connectivity. Once a device is hacked, the criminal is on your network and the possibility exists that, with a bit of patience and assistance from the thousands of hacking tools available on the Internet, they can gain access to servers and other digital areas of the business. If they gain access to payroll and the relevant logins, they also have access to your bank accounts.
In addition, with so many devices being connected to the Internet today, your hacked device may be infected with malware and become part of a botnet – a global network of infected machines that can be used to launch online attacks against anyone. So your infected reader now becomes more than an inconvenience.
Cybersecurity has become a reality for the physical security industry over the past year or two, and will become even more of an issue as the Internet of Things (IoT) grows. We will soon have billions of small devices with supposedly limited functionality vulnerable to attack. The original intent of these devices is not important, their ability to communicate unhindered over networks and the Internet is.
If one looks at the bad press Hikvision has received over supposed backdoors into its surveillance equipment you can easily see the brand damage being cyber insecure can cause. Hikvision seems to be a target for bad cybersecurity press these days, but the fact is there are no surveillance vendors that have not had vulnerabilities in their equipment – no matter which country they are manufactured in.
But what about the access control industry? Have we seen companies providing hardware, software and services related to access and identity adopting a stronger cybersecurity posture? Moreover, is it really necessary if your access control systems are all located within your building?
It’s all connected
HID Global’s Jaroslav Barton says that modern access control systems are not discrete products any longer. “They can be interconnected with other security systems, they can use and share data from IT systems, and access control data is increasingly moving to the cloud.
“RFID technology used with access cards and tokens is increasingly vulnerable to possible attacks if adequate security measures are not implemented. All this results in the need to provide robust protection against possible cyber attacks.”
“The current deployment of access control is still predominantly within a secured physical building, which is isolated on private networks,” says Impro’s Vikki Vink. “This reduces the risk of a cyber attack, but naturally relies heavily on the IT systems and governance procedures. For some access control systems, this suffices, however others, including Impro, provide additional security measures that further benefit from a well-defined security architecture typically found on enterprise networks.”
Tim Timmins from G4S Secure Solutions (SA) states quite simply, “All systems are under fire in this age of cyber attacks and there are various ways that solutions are trying to combat these attacks. One of our main approaches is edge encryption and decryption.
“This means we encode our message before sending it to the recipient and the recipient has the capability to decode and understand the message. Intercepted messages would thus not mean anything to the application or person that intercepted that message and it would be useless information.
“This is obviously an ongoing process as one has to safeguard many aspects of the system, one of them, and probably the most important one is the database.”
Leveraging proven IT security
From the HID perspective, Barton says the most vulnerable part of any access control system is the RFID identification. RFID has been used in access control for more than 25 years. “With the development of electronic and computer technologies, the early RFID technologies that used to be very secure decades ago cannot provide sufficient security today. Contactless smartcards introduced later with secured data storage and encrypted communication was a massive step forward.
“However, many smartcards were based on proprietary encryption algorithms which can be potentially dangerous. Not surprisingly, hackers have been able to crack many popular smartcards. Therefore the security trend today is using multi-layer security, open security standards for data protection and data transfer, and moving the security to a level similar to the one used in the IT industry.”
Vink adds that for those systems relying on an organisation’s back-end IT infrastructure should leverage global IT standards in protecting their access control systems as well. For example, changing default passwords, ensuring that there are no network points outside the physical building, making sure the server is suitably protected with the necessary firewalls and virus protection, and so on.
“This greatly reduces risk and should be considered standard practice, unfortunately, in our experience many sites leave themselves open to problems by not adhering to the basics. You should look at your security as an onion with multiple layers. The more layers, the greater the security. So start with the basics outlined above, and then add additional layers (either as the end-user, or from the manufacturer).”
In the case of Impro, she says the company uses global IT protocols as standard, and adds additional layers. The management software operates on HTTPS and there is a directory-based authentication model for the software, which is coupled with an additional layer of operator security. In addition, Impro is launching new encrypted solutions using TLS (Transport Layer Security), which further enhances network security.
Timmins echoes this advice, adding, “Always ensure that any network connectivity exists within a controlled and managed LAN or WAN and a secured APN into that network for mobile devices. All devices with access to the network should be controlled by company IT policies which will greatly reduce risk. Needles to say, well managed DMZs (demilitarised zones), firewalls, VPNs and antivirus are essential to keep the threats out.”
The current trend to using smartphones for access control by including a credential on the device has proven a success. However, mobile devices are not restricted to only access control and are carried with the owner wherever they go, adding another potential security headache.
Depending on how mobile phones are used for mobile access, Barton says this technology can be very secure or quite insecure. Some solutions use simple card serial number (UID) emulation on a smartphone which obviously doesn’t meet basic security requirements. UID is unencrypted and can be copied and the credential cloned as easy as it can be done with cards that use UID as an identifier.
“If the mobile solution is based on highly secure technologies, like Seos from HID, the credential is stored in a secure application sandbox of the phone’s operating system and transferred in a secure encrypted manner. For mobile access solutions, it is also essential to evaluate the security of the process for provisioning mobile credentials. Modern, secure systems enable over-the-air provisioning and they do not allow transfer of credentials from one phone to another.”
“On the mobile side, the newest innovation that we’ve adopted is the ability to use your mobile phone as a secure credential in your access control system,” says Vink. “Naturally, security has to be extremely robust to ensure the protection of the site and this has been achieved through AES-128 encryption. In addition, these credentials can be revoked in an instant, thus ensuring that should someone lose their mobile phone, their credential is quickly and easily revoked and can no longer access the site.”
Cloudy access control
Another one of the growth areas in access control is supplying the access control functionality as a service – Access Control as a Service (ACaaS). In these scenarios, one’s access control system is managed by another company and you could even have the databases and applications residing in the cloud, which brings its own cybersecurity issues.
Timmons notes that even though it is in the cloud, that only means it is ultimately on a server sitting somewhere else, whether it is a physical or virtual instance of it, so in essence all the same rules apply. “Protect your data up and downstream by strong encryption when passing through unsecured networks like the Internet, and ensure that your endpoints are well protected against attacks in all forms.”
While many people still see cloud services as insecure, Barton explains that using the cloud in the right manner is more secure than storing data on-site. “Many people that are afraid of the cloud don’t realise that we rely on cloud solutions on a daily basis. Using the best practices of cloud storage is essential of course: data should be hosted in a secure server environment and industry standard advanced security technologies implemented to prevent interference or unauthorised access. To minimise vulnerability threats, two-factor authentication for data access should be used.”
Vink expands on this, noting there are a number of standards to follow depending on the cloud model. Many access control vendors simply move their system into a hosted environment, with a secure gateway device managing the communication between the premises and the cloud. This does provide acceptable levels of security for installations where IT governance is not a business priority, but can be a costly solution.
“The Internet of Trusted Things (IoTT) aims to promote secure communication standards for devices that were previously only connected on local private networks. This means adopting industry standards and accepted, secure communications which are built into the most basic components of hardware. However, this is a challenge faced by many industries, not just access control.”
What’s happening in the real world?
In theory there are many ways to ensure your access control systems are cyber secure, but are vendors making the effort to implement these theories in the real world? While we can’t speak for everyone offering access control products and services, we can ask our interviewees what their companies are doing in this area.
“At HID Global, we apply an holistic approach to information security by considering all threat vectors and aspects,” explains Barton. “We use industry best practice guidelines, frameworks, and standards. All our solutions consist of multiple layers of security and are based on Seos credential technology.
“Seos is standards-based for secure messaging, strong authentication and data confidentiality, including NIST-approved security and NSA Suite B Cryptography, AES-128 and SHA-256. Besides security, the Seos protocol supports strong privacy, meaning that it is not possible to track the identity of a device.”
G4S, as noted above, offers ongoing encryption enhancements and changes with regards to up and downstream data, while ensuring it makes use of the latest versions of IDE technologies. Timmins adds, “We also offer monthly system health status checks to our clients to ensure that they are on the latest versions and that they do have solid disaster recovery and backup plans in place and ready to deploy.”
Impro provides consultation services to assist its customers in specifying and designing sites, which includes IT considerations. “We also advise customers to ensure the physical hardware for their access control system is within a secured environment,” explains Vink. “For example, don’t use readers that include a relay on the outside of your door as this immediately is a risk. Easy access to the relay means that if someone shorts-out the relay, the door opens. We’d also recommend for medium to large sites that their IT personnel are part of the group managing the access control system.”
Finally, Vink adds that Impro promotes global best practices from the IT sector, since these are without a doubt at the forefront of cybersecurity.
For more information contact: