printer friendly version

Securing your access hardware and software

As access control expands and technology advances, the attack surface for these systems also grows. Every interaction between readers, controllers, and host systems creates a potential attack point that, if exploited, could give attackers a foothold in the corporate network. For example, access control systems are often integrated with payroll for T&A, which could leave the financial system exposed.

SMART Security Solutions asked RBH Access Technologies’ regional manager, Teboho Rakhale, for insights into the risks and mitigation strategies for securing access control systems.

From a high-level perspective, Rakhale advises that the following measures are a starting point to mitigate cyber breaches:

• Reader security and encryption.

• Data encryption between the reader and the controller.

• Data encryption between the access control controller and the server.

He adds that the client must have a robust cybersecurity policy and strategy in place. Adhering to and complying with industry standards such as ISO27001 could help implement such a policy and strategy. It is not all about access hardware and software security, though. Network vulnerabilities and IT hardware and software protection must also be addressed by the client. The following are some of the related cyber risk mitigation requirements.

Network security:

• Firewalls,

• VPNs,

• Network segmentation,

• Zero Trust (continuously network access verification),

• Secure wireless settings,

• Disable remote access management.

Software and data protection:

• Regular updates on operation system, application software,

• Strong password policies and multifactor authentication,

• Encryption of software and data,

• Antivirus and EDR installation and updates on all devices.

Hardware protection:

• Ensure that Secure Servers and devices are in locked areas,

• Implement a robust backup and disaster recovery plan,

• Enforce a regular username and password change policy.

People management:

• Employee awareness training and regular cyber bulletins,

• Implement a robust backup and disaster recovery plan,

• Conduct regular audits and vulnerability assessments

Multiple authentication modalities are also recommended. Rakhale says RBH Access card readers and biometric readers offer multilayer authentication, for example:

• Card,

• Bluetooth/NFC,

• Card+PIN,

• Bluetooth/NFC+PIN,

• Card+PIN+fingerprint,

• Card+PIN+fingerprint+face,

• Card+Bluetooth/NFC+PIN+fingerprint+face,

• And other combinations. .

The physical risks

Rakhale says RBH Access’s biometric readers use 256-bit encryption and include multiple parameters for mobile app credentials. Since the mobile app generates an automatic credential number based on several parameters, such as the phone’s unique information and timestamp, RBH mobile credentials can not be cloned. Every time you delete the mobile app and install a new one, new credentials are generated.

Even if the phone is backed up and restored later, a new number is generated. The feature is called Ultra High Security Credential (UHSC). Due to this technology, RBH Access Technologies won an SIA award.

“RBH Access Readers use DESFire EV3 cards with protection such as AES, 3DES encryption. This is currently the most secure card in the world. RBH also uses Credit Security Number (CSN) card encryption. This technology allows an encryption handshake between the reader and the card. The reader will not detect a foreign card.”

Location is also a risk. Readers and controllers are usually positioned so they can be monitored or at least seen by passersby; however, the risk of tampering remains. Risk mitigation measures must include making these devices more secure against tampering (which includes changing the default passwords at the very start of an installation).

“Always implement a solution that includes controllers,” Rakhale advises. “Managing access reader via onboard relays poses a major security threat. Once the reader has been removed/ripped off the wall by the perpetrator, it is ‘open sesame’, the doors release. The controller must also always be in a secure, access-controlled area, under lock and key, so that it is not accessible for tampering.”

Communications between the reader and controller must use 128-bit encryption via RS485 Open Supervised Device Protocol (OSDP) v2. The controller has a feature that can be turned off for network device scanning. This prevents the controller from being detected/sniffed.

The RBH Access approach.

To ensure its users implement basic cybersecurity processes when using RBH equipment, Rakhale says it is standard for passwords to be changed and for communication between the controller and the server to use AES 256 encryption. Furthermore, communication between the controller and the reader is secured using AES-128 encryption. The company also advises that cybersecurity policies, as mentioned above, should be adhered to.

Share this article:

Further reading: