A&S International: Heightened Threat Landscape Makes Access Control Security More Important Than Ever

January 15, 2021

By William Pao Article originally posted via A&S International. Laptop with overlaid digital security lock and abstract circles and lines Cybersecurity and identity management will be two key access control trends in 2021. This note examines both in detail.  It goes without saying that access control has increasingly migrated to IP. Devices such as access control readers and controllers are in essence networked endpoints on the Internet. This offers several benefits, including giving operators more remote management capabilities and offering them more insights into the overall status of the end user entity.  Yet this also introduces new risks. As with other networked devices, IP access control systems are as vulnerable to cyberattacks and intrusion as other endpoints on the network. There were cases, for example, where hackers planted malware into networked access control devices, which then launched denial-of-service attacks against other systems. This then underscores the importance and urgency of access control security, which has become and will continue to be a dominant trend in access control. "All stakeholders in our industry have finally received and are acting on the cyber-secure message. Cyber threats can cause considerable harm to businesses, and end users know they need to invest in ensuring their deployed products, systems, and processes are not vulnerable to cyberattack," said John Davies, MD of TDSi. 
"Cybersecurity should be a core consideration for all, because all access control systems are connected these days, unless they're specifically set up as isolated, non-connected systems (SCIFs) which is rare.  Since everything/every place is connected, lack of cybersecurity means lack of physical security, period," said Steve Humphreys, CEO of Identiv.
"Cybersecurity will absolutely be one of the top concerns for buyers and users when selecting an access control system. There won't be a conversation with any new technology in an organization, whether it's access control or otherwise, that won't now engage or have info security and IT as a significant stakeholder," said Jason Hart, CEO of Safetrust.

Access control security/IAM best practices

That said, solutions providers have added various access control security features to their systems, hardening them against cyberattacks. Then, as end users place a stronger focus on data protection, especially amid COVID, identity and access management (IAM) has also become a major topic. Below we look at some of the access control cybersecurity and IAM best practices that are set to continue in the short term.

Device/system hardening

Given the heightened threat landscape, access control solutions providers are hardening products and devices to make sure they are cyber-secure. Examples including following robust credential standards for example MIFARE DESFire EV2 and the FIDO Alliance specifications. Mechanisms are in place to encrypt data communicated between the card, reader, controller and server, and the cryptographic keys are securely stored in the devices. Patches are offered to the user in the event of a detected vulnerability. The key is, whoever provides access control solutions that meet the user’s more stringent security requirements, they will have a better chance winning in the market. "Cybersecurity remains at the top of the list when it comes to selecting access control systems, and the manufacturers that commit to designing cyber-secure platforms, with a focus on continued testing and updating will see the most success and higher demand than those that don’t emphasize these practices," said Lynn Wood, Product Portfolio Manager at Vanderbilt. "Cybersecurity is becoming absolutely essential so ACS manufacturers need to make sure that all data stored and managed by the system is secure. Our recent acquisition of ISO 27001 and ISO 27701 on our access control software and rigorous penetration tests performed on our products across the board is just an example of the measures we are taking to enforce cybersecurity. These activities will continue to be enforced and strengthened as one of our top priority initiatives," said Hanchul Kim, VP of Suprema.

Physical/logical integration

The physical presence of a user inside an entity serves as a good starting point for him to access company assets/resources. That said, physical and logical access control convergence, which is already a major trend, will only see stronger demand down the road.

"Though convergence has already begun to occur in many industries, the integration of physical and IT security will only become more critical in the years ahead," Humphreys said. "One of the promises of access control is to use it as an irrefutable complement to cybersecurity. If someone is physically in a building – confirmed by tapping a badge, also possibly confirmed with a biometric like a face recognition of the person in the building – then it should be safe to let them access their cyber content. If they aren’t physically there, it isn't (as) safe, so there should be heightened cybersecurity. Integrating physical access and cyber security is a frictionless way to increase cybersecurity."

Meanwhile, the physical-logical convergence trend will be further accelerated by the ubiquity of the mobile device, which can be used both for physical and logical access. "The convergence of physical and logical/digital access control has been underway for some time. That said, the pace of convergence will no doubt increase due to widespread adoption of mobile credentials and, more importantly, multi-factor authentication (MFA)," said Vince Wenos, SVP and CTO of Allegion. "We have no doubt that the convergence of logical and physical access control will take place as these two systems are on a common IP network backbone. The direction is quite clear. However, investment for combining these systems is quite significant which deterred many from moving forward. We now live in a world where we are pretty must driven by a common personal device, a smartphone. We strongly believe mobile will play a significant role in how the convergence will occur," Kim said.

Multifactor authentication

Multifactor authentication or MFA refers to using more than one of the three major authentication factors, namely "what you have" (cards and tokens), "what you know" (pins and passwords) and "what you are" (biometrics). More and more, physical access control uses MFA, which for example may entail a two-factor authentication method using the user’s passcode and his fingerprint. Yet MFA can be applied to logical access as well to make sure the person accessing company information is really who he claims to be. Examples include logging in by way of the user’s login information, followed by entering a verification code sent to his cellphone.

Work from home

With teleworking emerging as a more and more dominant form for working, knowing who accesses what information at what time has become more important than ever. While end user entities have drafted related teleworking policies, there are certain best practices that teleworkers can follow. According to the US National Institute of Standards and Technology, these include:
  • Protect computer communications from eavesdropping – if Wi-Fi is used, make sure it is set up securely.
  • VPN – if the organization has a VPN, use that on the telework device for stronger protection.
  • If the user’s own computer or mobile device is used for telework, make sure the basic security features are enabled.
  • Keep the teleworking computers and mobile devices patched and updated.
  • If unusual or suspicious activities on the teleworking device are detected, ask for help.