How to Ensure the Cybersecurity of Your Access Control Systems
Understanding and Addressing Vulnerabilities
Cybersecurity: it’s not the first thing that comes to mind when most people think about the access control systems that prevent unauthorized entrance to buildings and other physical spaces.
Yet the data that access control systems process is crucial to protect. Threats range from card cloning to all-out network attacks, putting not just people and buildings but the entire corporate network at risk.
No wonder many organizations are looking to address these security gaps and eliminate the silos between their physical and network security operations. According to Gartner (1), 41% of enterprises plan to converge parts of their cyber and physical security by 2025, up from 10% in 2020.
Why Cybersecurity is Important in Access Control
The process of determining whether to grant someone access to an area requires sensitive data to travel through a variety of different components, from credentials to readers, controllers, servers, software clients and more. Unless this entire chain is protected, it is vulnerable to attacks and data breaches.
What’s more, attacks can come with serious real-world consequences. These go beyond the eye-popping cost estimates that circulate each year. Once they’ve compromised your access control systems, intruders can access restricted areas, disable alarms, alter permissions and steal proprietary corporate information.
Protecting access data means ensuring its confidentiality, integrity and availability. Yet because many organizations treat physical and cybersecurity as separate domains, they don’t have a comprehensive view of the information system as a whole. That makes it harder to spot vulnerabilities, much less remediate them.
What’s Challenging About Securing Access Systems
Awareness may be growing, but there’s still a lot of confusion about what it means to strengthen the cybersecurity of access control systems. Standards have emerged. So have certifications like NIST 800-53 or TÜVIT. These are a welcome development, but they aren’t enough to address the full scope of the problem.
That’s because securing access systems means doing more than just evaluating the integrity of individual components. Instead, it means examining how information travels from component to component — and where that might introduce risks. How is sensitive information about employee identities and authorization privileges provisioned onto credentials? How is it stored and managed?
Evaluating these types of risks requires in-depth knowledge across domains like operating systems, Active Directory and databases, along with basic knowledge of encryption protocols and algorithms. That means it requires close collaboration among different teams and internal experts.
Making Cybersecurity a Priority
How, then, to ensure the cybersecurity of your access control systems? We have an on-demand webinar where we explore this in detail, but in short, the journey depends on your environment and is usually undertaken in stages. At HID, we recommend a “good, better, best” type of framework that starts by establishing a baseline before making further upgrades and improvements.
Here’s what that might look like for different parts of an access control system.
Area of Vulnerability: Credentials
- Purpose: Securely store access control data
- Set a baseline with 13.56 MHz technology cards. Data stored on the card should be protected with encryption (AES-128 is best practice), and so should the data communicated from card to reader during authentication.
- Improve security by deploying key management policies. Also, look for solutions that have been penetration tested and certified by a third party.
Area of Vulnerability: Readers
- Purpose: Process credentials and send them to a controller
- Set a baseline with readers that support 13.56 MHz and are equipped with a secure element to store encryption keys.
- Improve security by selecting a solution that offers a secure communication channel between reader and controller. Manage updates and upgrades via authorized maintenance applications, not configuration cards.
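The credential and reader points above (encrypted card data, an encrypted card-to-reader exchange, and a key management policy) come together in key diversification: the reader holds a master key in its secure element and derives a different AES-128 key for every card from the card's unique ID, so copying one card's data onto another card, or reading one card's key, gains nothing. The following Go program is an added example and not HID's code or any vendor's protocol; the master key, the card UIDs and the payload are constructed, and the HMAC-based derivation stands in for whatever KDF a real credential platform specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// masterKey is a constructed 128-bit key for this example. In a deployment it
// is issued under the key management policy and held in the reader's secure
// element, never in reader firmware or on configuration cards.
var masterKey = []byte{
	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
}

// Card models the data a 13.56 MHz credential carries.
type Card struct {
	UID    []byte // factory-programmed, read-only identifier
	Nonce  []byte // AES-GCM nonce stored beside the ciphertext
	Sealed []byte // AES-128-GCM ciphertext and tag of the access payload
}

// diversifyKey derives a per-card AES-128 key from the master key and the
// card UID, so no single card ever holds the master key.
// Assumption: HMAC-SHA256 truncated to 16 bytes stands in for the KDF the
// credential platform actually specifies.
func diversifyKey(master, uid []byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("card-data-key|"))
	mac.Write(uid)
	return mac.Sum(nil)[:16]
}

// cardCipher builds the AES-128-GCM instance for one card's diversified key.
func cardCipher(uid []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(diversifyKey(masterKey, uid))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueCard encrypts the access payload under the card's diversified key and
// binds the UID as additional authenticated data, so the sealed blob only
// verifies on the UID it was issued for.
func IssueCard(uid, payload []byte) (Card, error) {
	gcm, err := cardCipher(uid)
	if err != nil {
		return Card{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Card{}, err
	}
	return Card{UID: uid, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, payload, uid)}, nil
}

// ReadCard is the reader side: derive the key from the presented UID, then
// authenticate and decrypt. Data copied onto a card with a different UID, or
// modified in place, fails the GCM tag check and is rejected.
func ReadCard(c Card) ([]byte, error) {
	gcm, err := cardCipher(c.UID)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, c.Nonce, c.Sealed, c.UID)
	if err != nil {
		return nil, errors.New("credential rejected: authentication failed")
	}
	return payload, nil
}

func main() {
	uid := []byte{0x04, 0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6} // constructed UID
	card, err := IssueCard(uid, []byte("badge=1042;zone=lab;exp=2025-12-31"))
	if err != nil {
		panic(err)
	}
	if p, err := ReadCard(card); err == nil {
		fmt.Printf("genuine card accepted: %s\n", p)
	}
	// The same sealed data written to a blank card that has a different UID.
	copied := Card{UID: []byte{0x04, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, Nonce: card.Nonce, Sealed: card.Sealed}
	if _, err := ReadCard(copied); err != nil {
		fmt.Println("copied data on another UID:", err)
	}
}
```

Two design points are worth noting. Binding the UID as GCM additional data is belt-and-braces: the diversified key already differs per UID, but the AAD makes the rejection explicit even if a weak KDF produced a key collision. And because only the reader's secure element ever sees the master key, rotating it under the key management policy is a reader-side operation plus reissuing cards, not a change to every card's secret individually.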
Area of Vulnerability: Controllers
- Purpose: Interface with readers and cards to determine whether user permissions are sufficient to grant access to an area
- Set a baseline by installing controllers in a secure, tamper-proof enclosure. Connect them to a secure, dedicated VLAN and deactivate all other interfaces (like USB and SD). Remove all default configurations and ensure that firmware and patches are always up-to-date.
- Improve security by allowing only approved IP addresses to connect to the controller — and ensure that encryption is used to protect data at rest and in transit.
Area of Vulnerability: Access control servers and clients
- Purpose: Serve as the system’s main database and management console, recording activity and enabling organizations to make changes and adjust settings
- Set a baseline by hosting servers and clients on a secure, dedicated VLAN. Select a solution that offers transparent Common Vulnerabilities and Exposures (CVE) reporting and complies with Secure Software Development Lifecycle (SDLC) standards like ISA/IEC 62443-4-1 — and make sure to keep software and operating system patches up-to-date.
- Improve security by encrypting data at rest and in transit and deploying custom TLS certificates.
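The controller and server recommendations above are checkable settings, and the "good, better, best" framing maps naturally onto an audit with tiers. The Go program below is an added example, not HID's code or any vendor's configuration format: it models a controller's settings in a constructed struct, runs the baseline checks (dedicated VLAN, USB/SD disabled, defaults removed, firmware current) and the "improve security" checks (client allowlist, encryption in transit and at rest, a site-issued TLS certificate), and reports which tier the device reaches. The VLAN number, firmware version and address ranges are constructed policy values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed site policy values for this example.
const (
	AccessVLAN      = 210     // the dedicated access control VLAN
	CurrentFirmware = "2.3.1" // latest vendor release approved for deployment
)

// ControllerConfig is a constructed model of the settings a controller or
// access control server exposes; the field names are this example's own.
type ControllerConfig struct {
	Name             string
	VLAN             int
	EnabledPorts     []string // physical interfaces still active
	DefaultCredsSet  bool     // factory default configuration still present
	FirmwareVersion  string
	AllowedClients   []string // CIDR ranges permitted to connect
	TLSEnabled       bool     // data in transit encrypted
	CustomCert       bool     // vendor certificate replaced by the site's own
	StorageEncrypted bool     // data at rest encrypted
}

// Finding is one failed check and the tier ("baseline" or "improved") it
// belongs to.
type Finding struct{ Tier, Message string }

// Audit evaluates a config against the baseline and "improve security"
// recommendations for controllers and servers.
func Audit(c ControllerConfig) []Finding {
	var out []Finding
	fail := func(tier, msg string) { out = append(out, Finding{tier, msg}) }

	if c.VLAN != AccessVLAN {
		fail("baseline", fmt.Sprintf("on VLAN %d, not the dedicated VLAN %d", c.VLAN, AccessVLAN))
	}
	for _, p := range c.EnabledPorts {
		if l := strings.ToLower(p); l == "usb" || l == "sd" {
			fail("baseline", "unneeded interface enabled: "+p)
		}
	}
	if c.DefaultCredsSet {
		fail("baseline", "factory default configuration still present")
	}
	if c.FirmwareVersion != CurrentFirmware {
		fail("baseline", fmt.Sprintf("firmware %s behind current %s", c.FirmwareVersion, CurrentFirmware))
	}
	if len(c.AllowedClients) == 0 {
		fail("improved", "no client allowlist: any address may connect")
	}
	for _, cidr := range c.AllowedClients {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			fail("improved", "invalid allowlist entry: "+cidr)
			continue
		}
		if ones, _ := n.Mask.Size(); ones == 0 { // e.g. 0.0.0.0/0
			fail("improved", "allowlist entry "+cidr+" admits every address")
		}
	}
	if !c.TLSEnabled {
		fail("improved", "data in transit is not encrypted")
	} else if !c.CustomCert {
		fail("improved", "still using the vendor-supplied TLS certificate")
	}
	if !c.StorageEncrypted {
		fail("improved", "data at rest is not encrypted")
	}
	return out
}

// Tier maps the findings onto the ladder: any baseline failure means the
// device is below baseline; only improved-tier failures means baseline met.
func Tier(findings []Finding) string {
	for _, f := range findings {
		if f.Tier == "baseline" {
			return "below baseline"
		}
	}
	if len(findings) > 0 {
		return "baseline"
	}
	return "improved"
}

// WeakExample is a constructed out-of-the-box controller on the office VLAN.
func WeakExample() ControllerConfig {
	return ControllerConfig{Name: "door-ctl-01", VLAN: 1, EnabledPorts: []string{"eth0", "usb"},
		DefaultCredsSet: true, FirmwareVersion: "2.1.0", AllowedClients: []string{"0.0.0.0/0"}}
}

// HardenedExample is the same device after both tiers have been applied.
func HardenedExample() ControllerConfig {
	return ControllerConfig{Name: "door-ctl-01", VLAN: AccessVLAN, EnabledPorts: []string{"eth0"},
		FirmwareVersion: CurrentFirmware, AllowedClients: []string{"10.20.30.0/24"},
		TLSEnabled: true, CustomCert: true, StorageEncrypted: true}
}

func main() {
	for _, c := range []ControllerConfig{WeakExample(), HardenedExample()} {
		findings := Audit(c)
		fmt.Printf("%s: %s\n", c.Name, Tier(findings))
		for _, f := range findings {
			fmt.Printf("  [%s] %s\n", f.Tier, f.Message)
		}
	}
}
```

Running it prints the weak device as "below baseline" with seven findings and the hardened one as "improved" with none. The allowlist check is the one most often missed in practice: an allowlist that exists but contains 0.0.0.0/0 (or an equivalent catch-all) is indistinguishable from no allowlist at all, which is why the example inspects the mask length rather than only whether the list is non-empty.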
Even with established protocols, it’s important to check best practices and manufacturer-recommended specifications, because small missteps during implementation can have big consequences. Ultimately, access control architecture must fit seamlessly into your broader network and IT architecture. That makes securing access systems an opportunity to increase operational efficiency and streamline broader IT strategies, as well as to decrease risk.
Access control security is challenging, but you don’t have to do it alone! Tune in to our webinar for actionable insights on bolstering your cybersecurity strategies to safeguard your organization against evolving threats.
1. Emerging Trend: Convergence of Cyber and Physical Security — Harnessing the Disruption Opportunity. 22 February 2022