printer friendly version

Secure access control installations

Installing an access control system of any type is a matter of security, controlling who comes and goes. Access systems have also been tailored over time to address other business needs, like T&A and workforce management.

But what are the key aspects to consider when installing a new access control system or upgrading to newer technology? Convenience? Touchless? T&A? People tracing? Cybersecurity? What about the security of the installation itself?

Hi-Tech Security Solutions asked two people with experience in various forms of access control installations to tell our readers what the critical components of an access control system are to ensure the system and its data are secure. Of course, any installation must also deliver the service required for an extended period of time.

It shouldn’t happen in this day and age (especially in crime-infested South Africa), but we still hear about installations where someone outside can fiddle with cables and force the door locks open, or basically bypass the access system by some means without much effort. So what are the primary security processes to follow when installing access control?

“From an installation perspective, securing your cables has to be one of the most important factors. For an experienced technician, a system can be bypassed with ease if the communications are not properly secured,” says Frazer Matchett from Enkulu Technology. “Depending on the product, it may have a configurable function to resort to a fail-secure or fail-safe mode.”

He adds that the value of the asset the installation is protecting should determine the failover functionality. Installers should always be mindful of how the system could potentially fail if a worst-case scenario should present itself. Additionally, thought should be taken on how to recover from a potential failure.

To this end, hardware and cables should always be labelled in a manner that would allow quick diagnosis should something go wrong. “This doesn’t mean that a cable should be labelled ‘FRONT DOOR MAIN SUPPLY’, making it really easy to sabotage/manipulate, but a system could be created with a set of references to the cable layout and included in the handover booklet for the end user.

“I’ve been called to sites where the product has been blamed by the installer, only to find the cable management under the surface is poorly executed (see image: What not to do).”

Saul Mabata, JHB technician at Powell Tronics, adds to this, “We advise all our clients to ensure that the installation methodology that they adopt when installing physical access control equipment and peripherals is one of ensuring that the actual relays that release or activate the locking devices are installed on the secure side of the door.

“There are also very important procedures and protocols when installing physical locks and the like, to ensure they are not able to be bypassed or tampered with. Best practice when procuring physical locks and access control is to ensure that the actual lock is being monitored by the system, thereby alerting security that the lock was released or opened via the system.”

What not to do.

Keeping sensitive data secure

Many installations keep the credentials of users on the readers, whether card, biometric or anything else. This ensures that the system works in case of a network failure and you won’t have masses of people trying to get in or out. This is, naturally, a security issue if the proper protocols are not followed.

Mabata notes that Powell Tronics recommends all systems where data is kept on the reader are encrypted in a way that only allows it to be extracted and used to authenticate the user. The process of decrypting an authentication should also be secured to ensure the whole process is safe.

Matchett has been asked this question on a number of occasions and he states that the hardware out in the field is usually populated with the credential data stored in the manufacturer’s proprietary protocol. In addition, the communication is usually encrypted and devices that authenticate a person’s information typically do not allow retrieval of credential information; if they do, they are protected by a password. They typically only send a request of an identifier to its host, which triggers the activation of the relevant checkpoint.

“Reverse engineering the data on the field devices does not yield any usable information as you’d need the relevant seed keys and the data on the host to make any sense of it. There are devices that can ‘sniff’ communications between readers and controllers on common communication protocols, however prominent manufacturers have stepped up their game and added a layer of encryption between reader and controller to negate this method of cyber access.”

Additionally, installers should always change the default manufacturer password as soon as the devices go live to prevent any unwanted tampering.

Cloud services and security

As cloud services become more popular in the access market, one needs to include these services and the connectivity associated with them in your security plans. While a cloud service may promise all the bells and whistles and security, reading your contract will more often than not absolve the service provider of any responsibility for breaches or failures. This means the customer must still make sure all security protocols are in place if they want to avoid any nasty PoPIA or GDPR surprises as well as to mitigate their cyber risks.

Cloud services are definitely becoming more popular, acknowledges Matchett.

“There unfortunately is no proven guarantee that all public domains are 100% protected, so the customer must ensure they research the industry standards of data protection. Two-factor authentication is one of the must-haves to ensure top-notch security. Make sure that you question your supplier on their disaster recovery plans should you have a data breach.”

Mabata echoes this, advising users to ensure encryption is used as well as the use of cybersecurity software to protect servers from attack.

Not forgetting physical threats

It’s not only cyber threats that access control installations need to cater for. Physical threats such as vandalism or sabotage are also on the list of issues to prepare for when installing these systems. This is not as simple as it seems since every system will require maintenance or upgrades at some stage, which will require access to the physical devices.

When installing an access control system, one needs to consider the accessibility of the equipment when doing maintenance at a later stage, advises Mabata. “Planning for this will assist in discovering the best position to place your access control point, especially with regard to the wiring to the readers. For access control hardware and in particular biometric/thermal terminals, we supply a full range of stainless steel housings to combat the threat of damage by vehicles/users and vandalism, with the added advantage of protecting these terminals from the natural elements. These bespoke housings have also proven to add many years to the longevity of the systems installed in our region, especially coastal areas.”

Matchett goes further, saying that when planning an installation, one should always prepare a short-term, medium-term and long-term plan. “Your short term plan needs to solve the ‘now problem’. Is your system limited to RFID only? Would you be able to exchange an RFID reader with a biometric reader easily? Can you install a cheap system now and easily upgrade to a better variant that supports more features later?

“Medium-term planning involves ensuring your installation is properly protected for surge and/or lightning. Are load shedding or power failures issues for you? COVID-19 was a great example of people needing to adapt extremely quickly as traditional biometric readers lost favour to face recognition readers and ingenious mobile QR code solutions with geolocation tie-ins.”

Cyber and physically secure

Summing up, Matchett and Mabata advise on what they would recommend to ensure access installations are both cyber as well as physically secure.

“You need to ensure all standard procedures are followed when doing an installation, from the cable used for wiring, the distance between the access points and their respective controllers, and in terms of the virtual server side, make sure there is an anti-malware in place to flag any unauthorised connection to the server,” says Mabata. “Additionally, one must secure external site connections via proven SSL certification as a standard procedure when deploying web-based solutions.”

“You’d be alarmed at how many systems I’ve worked on that still have the default factory password in place,” says Matchett. “Devices on a network that still have their default IP addresses/default passwords and port numbers are very easily compromised by a simple Internet search. Data security, unfortunately, is not taken seriously in South Africa, until it’s too late.”

He advises:

Ensure that all default passwords are changed.

If the devices installed on your network support any form of encryption, enable it.

If you have the ability to run a separate network and/or VLAN, do it.

Ensure only the bare minimum of ports are open on your firewall. Every open port is a potential vulnerability on your system and/or network.

Ensure that all cables are correctly protected. If someone insists on installing an armoured cable or steel piping over standard PVC, listen to the reason why, as it may save you headaches later on if the failure came from an exposed cable.

Pest control: ants, geckos, bees and rats all love the warmth of any installation, protect your equipment from all pests.

Lightning protection is necessary in any potential copper cable run. Ensure adequate surge protection is installed.

Power failure protection: do you have a backup power system in place?

Do you allow remote support via common remote desktop applications? Do you have a procedure in place that allows access? Are these remote sessions recorded to protect both parties?

For more information contact:

• Enkulu Technology, +27 87 551 3005, sales@enkulutech.co.za, www.enkulutech.co.za

• Powell Tronics, 0861 784 357, marketing@powelltronics.com, www.p-tron.com

Share this article:

Further reading: