Cybersecurity is an integral part of today's security solutions. It is a multilayered effort that requires manufacturers, dealers and integrators, and end users to contribute to the protection of the system.

Additionally, access control consists of multiple components — the credential, the reader, the panel — that each need to be cybersecure.

Ahead, access control experts share insights on navigating industry standards, hardware and software updates, and educating end users on the importance of cybersecurity.

Multilayered Vulnerabilities

Security dealers and integrators need to consider each aspect of the access control system when evaluating the cybersecurity of a solution. Each piece of the whole presents vulnerabilities that need to be addressed.

“For me, it starts at the credential,” says Josh Cummings, executive vice president, technology, Paladin Technologies, New York. “As an industry, we’ve got a lot of legacy technology out there — proximity being the primary one — and it is unsecure. We’ve got too many end users that are still using prox.

“We need these users to move to an encrypted card,” he continues. “Credentials are constantly evolving — the technology keeps advancing; the standards keep getting updated; and older technology keeps getting hacked.”

Some organizations could have thousands of credentials out there in the pockets of their employees and other associates, which — in the event of a cybersecurity breach — can seriously complicate a replacement of the access control system. “When it comes to cards and readers, we’re still using symmetrical keys, which have the potential for being hacked,” Cummings says. “We can’t address it once they’ve been hacked. That’s historically been our problem with credentials and readers — once the technology is hacked, we have to abandon it and move on to another technology.”

Bad actors are constantly after the access granted by users’ credentials, and educating users on the latest in phishing and other social threats is integral to cybersecurity. “Phishing schemes targeting credentials are a primary threat,” says Justin Stearns, vice president, Chimera Integrations, Syracuse, N.Y. “We address these through employee training that emphasizes spotting phishing tactics and secure credential handling.”

Even data at rest needs to be encrypted and protected. Image courtesy of ASSA ABLOY
Phishing attacks are among the most threatening vulnerabilities in access control. Image courtesy of AXIS Communications

Justin Stearns Dishes on Devices

Justin Stearns, vice president, Chimera Integrations, offers the following insight into the devices used by bad actors to undermine the cybersecurity of an access control solution:

In recent years, small but powerful tools like the Flipper Zero, USB Rubber Ducky, ChameleonMini, Wi-Fi Pineapple, Raspberry Pi, smartphones with NFC capabilities, and the OMG Cable have gained popularity for testing and potentially compromising access control systems. Here’s a breakdown of each, along with best practices to mitigate the risks they present:

  • Flipper Zero: This versatile device can clone access badges, simulate RFID and NFC signals, and even open certain types of wireless barriers, making it a tool of choice for penetration testers — and unfortunately, attackers. Mitigation: Implement advanced encryption for RFID and NFC systems and regularly update security protocols to limit cloning risks.
  • USB Rubber Ducky: This USB device acts like a keyboard and can inject malicious code into computers within seconds. In access control environments, it could disable security protocols or access system credentials. Mitigation: Disable USB ports on sensitive systems or implement USB security solutions that restrict unauthorized devices.
  • ChameleonMini: A compact NFC emulator, it can replicate NFC-enabled access cards, potentially giving unauthorized users access. Mitigation: Use multifactor authentication (MFA) with NFC systems and ensure regular auditing of access logs for anomalies.
  • Wi-Fi Pineapple: This device can create fake Wi-Fi networks, capturing credentials or injecting harmful software into access control devices connected to Wi-Fi. Mitigation: Use dedicated, encrypted networks for access control systems and disable Wi-Fi access on critical infrastructure where possible.
  • Raspberry Pi: Often used to set up custom NFC readers or perform targeted attacks, a Raspberry Pi is small and can be easily disguised. Mitigation: Restrict access to areas with critical hardware and regularly inspect network-connected devices for unauthorized access points.
  • OMG Cable: An unassuming USB cable that allows remote access to a connected device, executing malicious commands without detection. This is particularly risky if connected to access control hardware or admin systems. Mitigation: Implement strict device authentication for connected hardware and conduct routine physical audits to ensure no unauthorized USB devices are attached.
  • Smartphones with NFC capabilities: Common smartphones can now clone or read certain types of NFC access cards, presenting a significant risk. Mitigation: Use encrypted NFC standards and educate end users on restricting NFC usage to company-sanctioned devices only.
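The "regular auditing of access logs for anomalies" mitigation above can be automated. The following is an added example, not part of the original article or any vendor's product: it scans a constructed badge log for two signals that often accompany a cloned credential, one card granted at two sites faster than a person could travel between them, and a burst of denied reads at one door. The log format, site names and thresholds are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events: time, card, site, door, result
SAMPLE_LOG = """\
2024-05-01T08:00:05,1001,HQ,Lobby,granted
2024-05-01T08:03:40,1001,Warehouse,Dock-2,granted
2024-05-01T08:10:00,2002,HQ,Lobby,granted
2024-05-01T12:30:00,2002,Warehouse,Dock-1,granted
2024-05-01T09:00:00,3003,HQ,ServerRoom,denied
2024-05-01T09:00:20,3003,HQ,ServerRoom,denied
2024-05-01T09:00:41,3003,HQ,ServerRoom,denied
"""

MIN_TRAVEL = timedelta(minutes=30)   # assumed minimum travel time between sites
DENIED_BURST = 3                     # assumed number of denials that is suspicious
BURST_WINDOW = timedelta(minutes=2)  # assumed window for counting denials

def parse(log_text):
    """Parse CSV log text into events sorted by time."""
    rows = (row for row in csv.reader(StringIO(log_text)) if row)
    events = [
        {"time": datetime.fromisoformat(t), "card": c, "site": s, "door": d, "result": r}
        for t, c, s, d, r in rows
    ]
    return sorted(events, key=lambda e: e["time"])

def find_anomalies(events):
    """Return (kind, card, ...) tuples for impossible travel and denied bursts."""
    findings = []
    last_grant = {}  # card -> most recent granted event
    denied = {}      # (card, door) -> recent denied timestamps
    for e in events:
        if e["result"] == "granted":
            prev = last_grant.get(e["card"])
            if prev and prev["site"] != e["site"] and e["time"] - prev["time"] < MIN_TRAVEL:
                findings.append(("impossible_travel", e["card"], prev["site"], e["site"]))
            last_grant[e["card"]] = e
        else:
            key = (e["card"], e["door"])
            recent = [t for t in denied.get(key, []) if e["time"] - t <= BURST_WINDOW]
            recent.append(e["time"])
            denied[key] = recent
            if len(recent) == DENIED_BURST:
                findings.append(("denied_burst", e["card"], e["site"], e["door"]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse(SAMPLE_LOG)):
        print(finding)
```

Card 2002 also appears at both sites but more than four hours apart, so it is not flagged.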

Adding in the reader and the panel, all three pieces of technology communicate with one another, so the most important thing to consider is that this communication is encrypted.

“The next piece is securing the communication from the reader to the panel,” Cummings says. “That involves making sure that we’re using an encrypted protocol. An Open Supervised Device Protocol (OSDP) secure channel is a mainstream ‘go-to,’ but there are other protocols that we can use based on the platform.”

How to Cybersecure the System

What measures can security integrators and dealers take to ensure the cybersecurity of the access control solutions they are installing?

A powerful first step is to conduct a risk assessment. This is a practice that involves multiple considerations. One of the earliest may be system compatibility. “Ensuring that existing infrastructure can support new or upgraded access control systems without introducing vulnerabilities or operational risks is essential for a secure deployment,” Stearns says.

Another early consideration is the specific circumstance of the user — what industry are they operating in? Does that industry have its own set of standards and regulations? “Maintaining compliance with cybersecurity standards like National Institute of Standards and Technology (NIST), Health Insurance Portability and Accountability Act (HIPAA), and SOC 2 is crucial, especially for sectors such as healthcare, government, and finance,” Stearns explains.

Felipe Betances, vice president, operations, Security 101 - Phoenix, stresses, “When assessing a client system for vulnerabilities, one thing to consider is open network ports that could expose the access control system.”

Open ports are an integral part of communication, but can allow bad actors to bypass firewalls.

Stearns says these early risk assessments can help identify open ports and other risks before installation. “A pre-installation scan identifies potential vulnerabilities within the existing network and infrastructure,” he says. “This establishes a baseline and highlights areas that need immediate attention.”

The experts also agree that network isolation is paramount in access control cybersecurity.

“We start by encouraging firewalls and network segmentation, ensuring that the access control system is isolated from other critical business networks,” says Brock Larson, information security manager, Stone Security, Salt Lake City, Utah.

Once the system is installed, some of the chief concerns involve the users, namely protecting passwords and keeping software up to date. As for passwords, “Insufficient password protocols create vulnerabilities,” Stearns says. “To counter this, we enforce complex password policies, multi-factor authentication, and periodic credential updates.”

One of the primary concerns here is again phishing, and integrators need to work with end users to stress the importance of remaining vigilant with their passwords and other personal identification.

“The most frequent cyber threats we encounter include phishing attacks, and credential stuffing attacks that target weak passwords,” Larson says. “To mitigate these, we encourage multi-factor authentication, strong password policies, and end-user cybersecurity training.”

Integrators also need to work with users to establish things like software update schedules. Outdated software leaves the system vulnerable to unauthorized access and needs to be kept up to date without exception. “Outdated software can introduce weak spots,” Stearns says. “A standardized update schedule, along with prompt response to new vulnerabilities, minimizes the risk.”

Cummings agrees: “The other piece is really updating the firmware and keeping the OS current on the system. There’s firmware on almost all these devices: the panels have firmware; the card readers have firmware; the servers have operating system applications that need to be updated. We need to be making sure that all those updates are happening on a regular cadence, so that the system is being protected.”

Educating the End User

Keeping the end users informed of cybersecurity risks, best practices, hardware and software updates, and protocols can be a challenge. But it is a challenge that integrators are constantly working towards overcoming.

“It can be difficult,” Cummings says. “It needs to be apparent to them how it’s going to impact them. I can have a conversation with an end user about why they should replace their card technology. I can tell them it’s because someone can hack into it. Well, they need to understand more about that.”


Genetec’s Cybersecurity Checklist

Manufacturers also offer guidelines and training on cybersecurity.

To improve the cybersecurity of access control systems, Genetec recommends the following steps:

  • Upgrade the system. Older systems were not built to address today’s threats. When evaluating a new access control system or upgrading an existing system, make sure that cybersecurity is a key component of the vendor selection criteria.
  • Use advanced secure credentials and the latest communications protocols to secure data transmission since older credentials are easy to clone using readily available tools.
  • Educate employees and partners about cybersecurity best practices and ensure they are prompted to change passwords often.
  • Regularly check for firmware and software updates and install once available.
  • Use a centralized identity access management system to ensure virtual and physical authentication and authorization of employees for better control and more effective maintenance of your systems.
  • Create a dedicated network for access control systems so that there is clear segregation of networks based on their purpose.
  • Choose a security provider who can demonstrate compliance with established security certifications.
  • Ensure that the access control system uses proven data encryption standards as well as multi-factor authentication.
  • Work with a partner that has strong supply chain risk management, a dedicated team to monitor cyber threats, and ensures software is updated frequently and patched as needed.

Additionally, Genetec recently published a blog on the risks of operating a legacy access control system.

Cummings continues, “They want to talk to somebody that’s had that happen to them before, and they want to hear first-hand about the impact of that. We’ve not been very forthcoming with information in the industry when we’ve been hacked or we’ve been breached. So it can be difficult, from an end user perspective, to get feedback from their peers about when something has happened.”

Cummings often participates on panels stressing the importance of encrypted information in access control. “I do some cybersecurity presentations and classes, and I show off these little devices that you can buy for $50,” he says. “You can clip it onto the wires, and I can then wirelessly capture all of the card reads that are coming across the wire. Then I can just replay it for my iPad and unlock a door without ever having to be physically touching the door.”
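Why an authenticated link defeats the capture-and-replay problem described above, as an added example that is not from the original article: a panel that trusts static card bytes accepts any copy of them, while a panel that requires a keyed MAC over a rising counter rejects a recorded frame. This is a simplified illustration of replay protection only; it is not the OSDP wire format, it does not encrypt the card data, and the frame layout and the pre-shared session key are assumptions.

```python
import hashlib
import hmac
import os
import struct

def make_frame(session_key, counter, card_data):
    """Reader side: counter || card_data || HMAC-SHA256 tag over both."""
    body = struct.pack(">I", counter) + card_data
    return body + hmac.new(session_key, body, hashlib.sha256).digest()

class Panel:
    """Panel side: accept a frame only if the tag verifies and the counter is new."""
    def __init__(self, session_key):
        self.session_key = session_key
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) < 4 + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.session_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return False  # recorded frame sent again
        self.last_counter = counter
        return True

def legacy_panel_accept(frame, authorized):
    """Unauthenticated link: any copy of the same static bytes is accepted."""
    return frame in authorized

def demo():
    card = b"\x00\x12\x34\x56"  # constructed card number
    key = os.urandom(32)        # per-session key, assumed already agreed
    panel = Panel(key)
    first = make_frame(key, 1, card)
    bad = make_frame(key, 3, card)
    bad = bad[:-1] + bytes([bad[-1] ^ 1])  # flip one bit of the tag
    return {
        "legacy_first": legacy_panel_accept(card, {card}),
        "legacy_replay": legacy_panel_accept(card, {card}),
        "secure_first": panel.accept(first),
        "secure_replay": panel.accept(first),
        "secure_next": panel.accept(make_frame(key, 2, card)),
        "tampered": panel.accept(bad),
    }

if __name__ == "__main__":
    print(demo())
```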

Many integrators offer direct training to the end user. “We offer structured, recurring training that covers secure practices, such as proper password management, recognizing phishing attempts, and the importance of software updates,” Stearns says. “These sessions can be held quarterly and adjusted as new cyberthreats emerge.”

Larson says, “We provide comprehensive training sessions that cover password hygiene, recognizing phishing attempts, and the importance of timely software updates. We emphasize the role of user awareness in maintaining system security and provide easy-to-follow resources to reinforce these practices. Ongoing refresher courses help end users stay vigilant and minimize the risk of human errors introducing vulnerabilities.”

Stearns also emphasizes the importance of an ongoing relationship with the end user. “Security integrators should encourage clients to stay engaged, reminding them about updates and offering support for technical questions,” he says. “This promotes a proactive rather than reactive approach to system maintenance. By investing in consistent, accessible user education, security integrators help clients foster a culture of security awareness that extends to all who interact with access control systems.”

Concluding on Cybersecurity

Genetec draws attention to the layered nature of both access control and cybersecurity and the importance of considering each layer equally. “Since cybersecurity is all layers, sometimes the customer will think that by changing one piece of their ecosystem, that now they’re very much cybersecure,” says Marie-Jeanne Sauvé, product marketing manager, access control, Genetec, Montreal. “But we see that they really need to update everything — from the credential to the server to the software — to make sure that everything is cybersecure.”

Sauvé continues, “It’s always good to change one piece, but it’s also always better to change your entire system. Also, more and more threats are coming from the inside of users’ organizations. Often there they have really old systems — 15 to 20 years old — and people think, ‘It’s opening and closing my door, so it’s all good.’ There are more and more threats and they’re costing more and more money.”

Ultimately, cybersecurity is everyone’s responsibility — the manufacturers, the integrators and dealers, and the end users.

“The responsibility of securing access control systems extends beyond installation,” Stearns says. “It involves continuous assessment, compliance adherence, and user education, all of which contribute to the safety and resilience of a client’s infrastructure. By implementing best practices and aligning with industry standards, integrators can confidently provide secure, reliable access control solutions that meet today’s cybersecurity demands.”