Even if the most state-of-the-art access control systems are installed in a building, it is not invincible to cyber security threats.
Even if the most state-of-the-art access control systems are installed in a building, it is not invincible to cyber security threats. For this reason, it is extremely important that organizations never underestimate the security of access control systems.
In fact, according to Daryn Flynn, Client Manager at Nedap Security Management, by underestimating the security of access control systems, it is compromised. One of the likely scenarios that could occur is that someone clones or hacks a credential, giving him or her authorized access to the building. This means that the person has unlimited access to any access controlled entrance.
“In case of a more sophisticated hack, someone could actually swap a controller and deploy one with malware that could compromise the entire system by sending false events to the server,” Flynn said. “Without knowing the device is not genuine on the network, its managers do not notice the exchange. A third option can be that the web-browser interface is not protected and by hacking a user account, someone could gain access to the system and give him- or herself unlimited rights. Any of these three options could make the most valuable assets in an organization physically vulnerable, but what is potentially worse is that the ability to deploy a cyber vulnerability is increased if the attacker can get open access to servers, PC’s, passwords, etc.”
That brings us to the question, what measures can be taken to prevent an access control system from being hacked. Flynn said that, first of all one should have a clear understanding of the weak links of a system and wherever possible, design these out of otherwise manage the risks.
“This should be followed by an implementation method that ensures that new system components are not only cyber secure, but can also be updated when required to do so,” Flynn said. “After all, what is secure today may not be secure tomorrow. One of the challenges for legacy access control solutions is that these are slow moving in terms of updates. A system is expected to last ten years, apart from an occasional software upgrade to remain up to date with operating systems. However, oftentimes little thought has been given to how each component can remain cyber secure if compromised during its life-time of use. Worse still, many legacy systems are based on systems, technologies and a design approach much the same as it was twenty years ago.”
However, while protecting access control systems from cyberattacks is critical, it is important to note that these systems control the first line of defense when it comes to cyber security. In other words, access control systems protect the locations where IT system are located.
“Most people focus on the dangers of a remote and ‘faceless’ attack delivered via network connections, but consider what additional damage can be done if an attacker has physical access to PC’s and servers,” Flynn said. “The access control system can ensure that only authorized people can enter server rooms, data-centers, operation centers and that there is an audit trail of activity. Furthermore, the access control system can have rules and features to strengthen the physical access policies to secure environments.”