While businesses continue to struggle with issues related to the lingering coronavirus pandemic, cyber criminals keep doing their thing — and these days, more of them are trying to get through the door by hacking into access control systems.

Access control was once the sleepy backwater of the electronic security industry — the last systems to be updated because of cost and complexity. Then came technological advances like the cloud, Internet of Things, mobile credentials, and integrated systems. But these same advances have also made access control more vulnerable to cyberattacks.

“Before, you almost had to have physical access to the site to break into the system,” says Francois Brouillet, product line manager for Genetec, Montreal. “This isn’t true anymore. Even if you try to isolate a system through different layers of network, there’s always an entry point someone will forget about or find a way in. That’s why you must have a 360-degree view of your cybersecurity posture and maintain it.”

In the past, an access control breach meant a criminal was literally getting through the door to steal property, says Richard Goldsobel, vice president of Continental Access, the enterprise control division of NAPCO Security Technologies, Amityville, N.Y. These days, bad actors are more likely to exploit access control to infiltrate, hack, and install malware on end-user networks — where they can help themselves to the sensitive financial or personal information housed there.

“Gone are the days of an access control system being deployed onto its own separate network, using proprietary, serial communications which cannot be accessed by anyone outside of the access control system itself,” says Jonathan Moore, vice president of product management for AMAG Technology Inc., Hawthorne, Calif. “While this type of architecture had its own share of problems, the one advantage was that it was very difficult to hack.”

While the electronic security industry has focused on improving cybersecurity for years, the coronavirus pandemic has brought it to the forefront. Remote work went from an option to a must, with even IT departments clocking in from home, opening up new vulnerabilities that change by the day.

“COVID-19 has profoundly impacted the way we live, work, and operate — especially where cybersecurity is concerned,” says Sheeladitya Karmakar, global offering leader at Honeywell Commercial Security, Melville, N.Y. “Since transitioning to work from home, employees are using more networks to access facilities. It’s important to have secure remote access wherever employees are signing into your system.”

With COVID-19, everyone started working from home immediately, with no advance notice to physical security or IT. “Suddenly the security department needed access to the security systems from home, which most IT departments didn’t predict, and may have been caught off guard a little bit,” Moore says. “COVID forced IT and physical security to find a way to let people access systems from anywhere, while at the same time keeping the organization secure. Not only is this driving cybersecurity, but it’s also driving cloud adoption.”

But while access control may be a fresh target for cyber criminals, the threats themselves are not particularly new. Cryptomining, phishing, ransomware, and trojans topped the list of security threats last year, according to Cisco’s 2021 “Cyber Security Threat Trends” report. Threat prevalence varies by industry: financial services are more vulnerable to phishing, trojans are the biggest cyber threat in healthcare, while cryptomining — malware that targets computing resources to mine cryptocurrencies like Bitcoin — is the No. 1 threat to manufacturing, the study finds.

And when hackers succeed, businesses stand to lose much more than money. “The cost of any breach is far more than just financial,” says Henry Hoyne, chief technology officer at Northland Controls, Fremont, Calif. “Brand damage, increased insurance premiums, and just the crippling effect of not being operational are enough to close many businesses.”

The “Zero Trust” Concept

Many integrators encourage customers to adopt the “zero trust” concept, where each person or device must individually prove their identity and access rights rather than simply having access to a network, says Sheeladitya Karmakar of Honeywell Commercial Security, Melville, N.Y.

“This is being driven by industry experience with how threat actors gain access to trusted networks, by increased customer awareness and sophistication, and by new technical capabilities in our products.”

A big part of zero trust is tracking and logging all decisions to know who has access, where, why, and who has authorized it, says Donald Campbell of Quantum Secure. “Also, if it wasn’t clear, track and log everything you can and then audit once these are in place,” he says. “A third-party audit ensures you apply procedures and policies consistently, update policies regularly, and that you train and comply with your internal processes.”

Henry Hoyne of Northland Controls says that integrators and businesses are increasingly focused on zero trust and getting away from believing that all threats are external. “This is much more difficult to tackle because in most instances, it may require an overhaul of network design,” he says. “So the focus has been on 2FA (two-factor authentication) when applicable, encryption in transit and rest, changing passwords and permissions, shutting off features and ports.”

The Manufacturers’ Role

Businesses of all kinds need a strong cybersecurity strategy to fend off cyber risk — and that begins with manufacturers developing products with security and privacy in mind, Karmakar says. “From a product development perspective, you must understand an attacker’s motive and potential cyber-risk scenarios,” he says. “We know that threat actors are creative and are continually innovating, so it is important to have a defense in place that also dynamically evolves.” Best practices for manufacturers include conducting product security, threat modeling, and privacy impact assessments, then using risk management to identify, track, and mitigate potential vulnerabilities as they arise throughout the product lifecycle.

One key method that is becoming the new normal in access control is multi-factor authentication, with manufacturers often integrating tools like facial or biometric authentications, Karmakar adds. “This also enables frictionless access with enhanced access control, thus making facilities more productive in a secure way.”

The current trend of access control hardware and software being part of the customer’s network increases the opportunities for a cyberattack, Moore says. That’s why manufacturers must ensure that all data “in transit” (being communicated between two devices) in their access control systems is encrypted, typically using transport layer security (TLS). Stored data that’s “at rest,” such as in a database, may also need encryption, he adds.

The access control system’s architecture must also support internet-facing servers that can be isolated from the back-end servers and database, creating a potentially more secure system. Finally, customers need to conduct independent “penetration” tests on the overall security of the manufacturer’s solution, Moore says.

“It is important to understand internal, organizational constructs are often all that separate physical and cyber security,” says Donald Campbell, vice president of products, Quantum Secure, part of HID Global and based in San Jose, Calif. “This is increasingly true as more intelligence makes its way into hardware. … Both groups need to be present at the security table and work together on improving the overall posture of the company.”

Many businesses deploy card readers and panels that don’t support newer technology like the open supervised device protocol (OSDP) developed by the Security Industry Association (SIA), says Brouillet of Genetec. Couple that with the fact that many businesses also don’t have the budget to provide employees with new badges, and there’s a big opening for cyber risk. “It’s a big overlook because if you consider the risk, it’s not just how someone can get access to a facility, but what they can do once they get in,” he says. This may be less of an issue now because of the large number of COVID-19-related remote workers, but as employees return to offices, it could have an impact on the company. “Denial of service, a common thing on the IT side, is also true on the credential and reader side,” he adds.

advanced technology

The increased use of technological advances in access control, such as mobile credentials, improves accessibility and convenience, but also increases the risk of a cyber breach. // ZEPHYR18/ISTOCK / GETTY IMAGES PLUS VIA GETTY IMAGES

The good news is, cloud technology makes it easier for manufacturers to plug security gaps that crop up in access control systems, while tech advances mean more businesses are upgrading outdated systems. “Before, you’d deploy a panel and expect it to work for 20 years,” Brouillet says. “Now, it’s worth questioning even if the board is working to determine if it’s still suitable, does it provide the right level of cybersecurity, does it support encryption? That would be a way for an integrator to show their expertise, and create added value.”

Customer education is key, and manufacturers typically provide cyber-hardening guides on how to deploy their products, says Michael S. Ruddo, chief strategy officer at Integrated Security Technologies Inc., Herndon, Va. Many also offer cyber-specific training related to their solutions with optimized cyber hygiene. Educational material can include a dedicated website with pertinent information on various hack methods and associated staff resources with the necessary expertise, he says.

However, Hoyne says, “The old saying, ‘Your mileage may vary’ applies here. I’ve seen many manufacturers do a much better job at this, while others simply put the onus on the integrator and client.” Hardening guides are a minimum, as are bulletins and email blasts updating the user on developing cyber risks, he says. However, Hoyne concedes that excessive hardening has its risks, too: “If a product is hardened out of the box and so locked down that it’s too difficult to install or get fully operational, an integrator is less likely to sell or deploy properly; thus, everyone loses.”

Something else for integrators and customers to consider is that the “latest and greatest” tech device add-ons may not be the best choice for every customer. “Access control for a long time seemed like a slow-moving dinosaur, but we also need to be cautious about new tech; not necessarily jumping into it, but first examining how is it implemented,” Brouillet says. For instance, every manufacturer has its own flavor of mobile credential. While this is a great innovation, users should investigate these methods for effectiveness and manufacturer reliability before adding to their systems rather than simply adding another gadget.

Integrators as Cyber Risk Troubleshooters

Because they sit between manufacturers and the end user, integrators are often the first to spot the unique vulnerabilities in a customer’s access control system, Goldsobel says. These include unsecured channels between readers and controllers; security gaps that arise when integrating access control hardware and software to the customer’s network; and unsecured cards and credentials. Integrators need to provide customers with education and training on cyber risk — and work closely with manufacturers for the latest software updates and patches.

In fact, this should be the first step in troubleshooting for integrators, says Karmakar of Honeywell. “Integrators may have customers who install access control and then forget about it, leaving them with older and potentially vulnerable legacy systems,” he says. “Our role is to make user-friendly upgrades that are affordable and easy to deploy.”

Ruddo adds, “Integrators should ensure that they are adhering to the manufacturer’s guidance and, in general, prioritizing cyber hygiene is paramount.” This starts with making sure that the client’s network environments and attached devices are updated with the latest firmware and software revisions.

“Performing a regular cyber-risk assessment as related to cyber hygiene of a client’s system/environment will ensure their security systems are not vulnerable,” Ruddo says. “This is an ongoing process that is not only performed at the initial deployment or takeover phase, but something that should be revisited over the life of the system.”

Because new integrated systems make access control part of an organization’s overall tech strategy, integrators should work closely with a company’s IT department to ensure cyber safety. “Access control solutions must be looked at as IT solutions, not just physical security,” Brouillet says.

However, this increased IT focus can initially be challenging for integrators to grasp, says Moore. “As IT departments get more involved with the customer’s access control system, they are starting to apply the same processes and control measures from the IT industry to access control,” he says. “While this is an excellent way to drive security within the access control systems, it creates a challenge for the integrator, who needs to quickly learn about the processes and expectations coming from IT. My first recommendation would be to keep it simple and don’t be afraid to ask questions of the IT department. Cybersecurity can be an intimidating topic with a lot of complex buzzwords, but most of the requirements are pretty simple.”

In examining a customer’s access control system, Hoyne of Northland Controls recommends starting with a complete audit — including all devices in the security ecosystem — and creating a comprehensive inventory matrix detailing each device’s make, model, and version. Once this is in place, he recommends first updating operating systems, then moving on to applications. “Update all device firmware and keep note of those that are end-of-life and no longer receiving firmware updates,” he adds. “You may need to put together a plan to have those devices removed and replaced.”

Integrators should also recommend that their customers create multiple layers of firewalls between anything internet-facing and the systems behind it. “This goes beyond putting a firewall between the internet and your product,” Karmakar says. “Integrators need to work with customers to segment networks to create multiple layers of defense.”

Businesses can achieve this with the help of integrators thoroughly reviewing product manuals, checking to make sure that unnecessary ports are closed and system communications are secure wherever possible, he adds.

The final piece of the puzzle lies in understanding that not all cyber threats come from outside the company. Many businesses have experienced large staff turnover during the pandemic, while others have removed contractors from payrolls to reduce costs during the pandemic. Still others have seen employees leave as part of the “Great Resignation,” and many of these former employees may still have access cards that let them into the company’s building, Karmakar says. “Most security breaches are perpetrated by insiders — people who have had a prior association with the organization,” he says. “If you trigger a workflow that says a person is no longer working for your company, it needs to flow down to physical security systems — including access control — so that whenever that individual is detected, it alerts security personnel or simply blocks access.”

Moore of AMAG agrees. “A customer can implement the best encryption with the most secure network and servers, but none of it can prevent an authorized user with ill-intent,” he says. “However, organizations can mitigate this threat in a variety of ways, such as automatically importing users from a trusted source, such as the company’s human resources database; this saves time and prevents someone who should not be in the system from being added manually. “Steps like these are not perfect solutions, but within security, nothing is 100 percent effective,” he says. “Adding as many layers of protection as possible, while also monitoring user activity, is the best way to mitigate the risk of a negative outcome.”