Managing who, what and why
November 2018, This Week's Editor's Pick, Cyber Security
The access and identity market is no stranger to cybersecurity and all the implications of losing control over your physical and logical assets. However, in the past the physical side of this industry has been a laggard in protecting its customers and products from cyber risks.
This lag has become more of a problem over the past few years as physical access and time and attendance products have moved to IP communications and are being integrated with other business systems. Today, allowing strangers to access and control a physical access point can also give them a foot in the door of your organisation’s complete identity management system and, if not properly protected, other sensitive corporate systems.
It is therefore critical for physical security decision-makers to make sure their systems are protected from cyber attack, no matter how unlikely it may seem that something like a simple reader on the door could be used to compromise the company.
Marco della Peruta from Sensor Security, explains that the most vulnerable information in an access installation is the organisation’s database of people, and following that, the time and attendance logs and the payroll information. “Too often we keep payroll information highly confidential, but the path from database to payroll could often be intercepted or investigated by the software installation team, for example.
“The key here would be to ensure that this database, and the ensuing path, are protected and managed correctly. Even the pulling of reports from the system is a possible danger to the access of information.”
Protection can be achieved by ensuring the database is on an independent computer. This should also not have attachments to the existing network infrastructure or Internet. If there is a need for connections, he says encryption of data as well as the connection should be ensured. Additionally, all information, apart from the temporary cache, should exist on a central machine and not on individual devices that are easily accessible.
He adds that people and access permissions are also extremely important as this is where breaches happen in most cases. Limiting access to very few key personnel should, therefore, be standard practice.
Elvey’s Chris Lelicanin adds that at each exposure point there should be technology-driven solutions in place that protect the organisation, users and their data. In a scenario where the user badges on a secure access control device, we should use encrypted secure card credentials, which can take the form of a wearable, smart device, physical access card or similar. The user’s fingerprint can also be used as a secure credential. There are also physical means along the lines of anti-tamper features which erase secure data on edge devices and door controllers.
When looking at the transaction point between device and controller, he says OSDP is a secure protocol to prevent any tapping of information between the device and door controller, as well as to the central server where TCP/IP communication is protected through encryption technologies such as TLS. On the server side, you want a system that has strong user permissions, and from which you can view comprehensive audit logs and easily manage expiration of personal data.
He adds that these technologies also struggle to stand alone, “there is no point in locking the doors of your car but you leave the windows open, a comprehensive system needs to be employed.”
Securing the database
David Corder from Saflec Systems says a good start is to ensure that the permissions on the database are set up sufficiently in order to limit access to only the people who should have access. You then limit the personal data that is captured to what is strictly necessary for the business processes used within the access control setup. This is necessary for parts of the PoPI act anyway, so it is becoming a necessity for database administrators to keep in mind.
SQL Server databases use TDE (Transparent Data Encryption) on the actual data files which protects the data on the hard drive or external backups. In any event, all communications between the database and any software package that reads from or writes to the database needs to be configured to use the highest level of encryption available – this is currently Transport Layer Security (TLS) 1.2 with 256-bit AES encryption. This protects the data in transit between data reader and database, however what is typically done is that there is an additional business layer that ensures that the person looking at the data is only seeing the information that has been made available to them on a user-rights basis.
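The "business layer" Corder describes, which shows each person only the fields their rights allow, can be made concrete. The following is an added example and is not code from Saflec Systems, Sensor Security or Elvey: it puts a deny-by-default, role-to-column filter between the people database and any report or integration that reads it, and records every report pull in an audit trail (the exposure Della Peruta raises about report pulling and the payroll path). The role names, column names and sample records are constructed for the example.

```python
"""Role-based field filtering for an access-control people database.

Added example (not code from any vendor quoted on this page). The database may
hold names, card numbers, time-and-attendance and payroll data side by side;
each user is shown only the columns their role is entitled to, and every report
pull is logged. Role names, column names and sample rows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Which columns each role may read. Anything not listed is withheld, and a role
# that is not listed at all is granted nothing (deny by default).
ROLE_COLUMNS = {
    "receptionist":   {"person_id", "name", "card_number"},
    "hr":             {"person_id", "name", "employee_no", "attendance"},
    "payroll":        {"person_id", "employee_no", "attendance", "salary"},
    "security_admin": {"person_id", "name", "card_number", "access_groups"},
}

# Constructed sample rows: what an unfiltered dump of the people table exposes.
PEOPLE = [
    {"person_id": 1, "name": "A. Mokoena", "employee_no": "E1001",
     "card_number": "1A2B3C", "access_groups": ["lobby", "server-room"],
     "attendance": "2018-11-05 07:58", "salary": 48000},
    {"person_id": 2, "name": "B. van Wyk", "employee_no": "E1002",
     "card_number": "4D5E6F", "access_groups": ["lobby"],
     "attendance": "2018-11-05 08:31", "salary": 31500},
]


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    granted: tuple
    denied: tuple
    rows: int


class PeopleDataService:
    """Sits between the database and any report or integration that reads it."""

    def __init__(self, records, roles=ROLE_COLUMNS):
        self._records = records
        self._roles = roles
        self.audit_log = []

    def report(self, user, role, columns=None):
        """Return (rows, denied_columns) for a report pulled by `user` acting as `role`.

        `columns` is the set the caller asked for; None means "everything this
        role may see". Requested columns outside the entitlement are dropped
        from the rows and returned in `denied`, so the caller and the audit
        trail both see that the request over-reached.
        """
        allowed = self._roles.get(role, set())
        requested = set(columns) if columns is not None else set(allowed)
        granted = requested & allowed
        denied = requested - allowed
        rows = [] if not granted else [
            {col: rec[col] for col in rec if col in granted} for rec in self._records
        ]
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role,
            granted=tuple(sorted(granted)), denied=tuple(sorted(denied)),
            rows=len(rows),
        ))
        return rows, sorted(denied)


if __name__ == "__main__":
    svc = PeopleDataService(PEOPLE)
    rows, denied = svc.report("thandi", "payroll")
    print(rows[0])                      # payroll pull: no name, no card number
    rows, denied = svc.report("installer", "receptionist", {"name", "salary"})
    print(denied)                       # ['salary']
    rows, denied = svc.report("ext-support", "contractor")
    print(rows, denied)                 # [] []  (unknown role gets nothing)
    for entry in svc.audit_log:
        print(entry)
```

The filter is deliberately applied per column rather than per table: the same record feeds reception, HR and payroll, so a table-level grant would hand the receptionist the salary field. Pairing this with TDE at rest and TLS on the connection covers the three places Corder lists (disk, wire, screen).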
Making it reality
As can be seen above, effectively securing your access systems is not a simple task, although there are products that make securing the full access control chain simpler and more automated. As with all security issues, complexity is the enemy of security: faced with a complex system, most people opt for ease of use and convenience to get the job done as fast as possible.
If personal data protection wasn’t a relevant issue for users, we wouldn’t be hearing of class action suits and settlements against major tech companies for user data breaches, says Lelicanin, and regulations and acts such as GDPR and PoPI would be non-existent. One of the big challenges is that so many organisations are of the mindset that we’re ‘not in the firing line’ or ‘it won’t happen to us’, but the reality is that all of us are at risk from cyber threats. It’s a serious issue and there are huge ramifications for organisations willing to play footloose with user data.
Della Peruta says most people will talk the correct language about security, but the implementation does not always exist. “We are sometimes called to do a recovery on a database and find it is often far too easy to get access to it, such as with a TeamViewer link.
“I hear about ransomware that still hits systems, which is indicative of a lack of security and easy access from the Internet, LAN or even a USB. There are a few customers that really do in-depth protection, but many do not. Education about technology and what is happening in the real world, such as IoT and security breaches, should be a key component of the system integrator’s service.”
Corder’s experience is that traditionally the people in charge of the access control have been more worried about ensuring that people have access to the building than locking down the areas where people are given access. It tends to be when there is an issue of theft that they then start trying to work out who has been given access where and by whom.
“This trend is starting to change and as time goes by people are more concerned with ensuring that the data is accurate and security auditors are starting to push for proof that the system is secure (only authorised people are being given access to certain areas),” Corder notes. “As for cyber risks like hacking, I think that the industry is starting to care more, but it’s considered an ‘outside risk’.”
Should we all OSDP?
While it is easy to dismiss physical access control products and their installers/integrators as unaware of cybersecurity, that is not really true. One of the solutions devised to improve the security of data transferred in access control transactions is Open Supervised Device Protocol (OSDP), an access control communications standard developed by the Security Industry Association (SIA) to improve interoperability among access control and security products (see more at www.securityindustry.org/industry-standards/open-supervised-device-protocol). OSDP is touted as a Wiegand replacement because of the additional security built into the protocol, in particular its Secure Channel option, which adds AES-128 encryption and message authentication to the reader-to-controller link.
Adding to the conversation, Lelicanin states, “Wiegand has been around for close on 35 years and is a standard in the industry; the problem is it hasn’t kept up with user and organisational data security needs. Wiegand is unmonitored, easy to hack and suffers from interference, and cable length is limited, to name a few disadvantages. OSDP is an open standard so there is interoperability between hardware of different manufacturers. It also has greater support for biometrics due to the increased bandwidth and supports bi-directional communication.”
Corder explains that OSDP has several advantages over Wiegand: “generally fewer wiring cores, longer run distances, multi-drop rather than star, multiple different devices on one network line, less hard-coded ways of interpreting the data and bi-directional communications immediately come to mind”. (See more in the article: The advantages of OSDP, www.securitysa.com/60145n).
However, he says the greatest advantage is the Secure Channel, which is the encryption between third-party devices and controllers. Unfortunately, even some of the big players out there have only basic implementations of OSDP and don’t support Secure Channel yet. “We are working with various companies to try and increase the up-take of the protocol, especially the optional cybersecurity.”
The benefits of OSDP are installation and security related, says Della Peruta. “Cybersecurity is not always espionage over the Internet, but any stage where electronic information is intercepted and understood. OSDP becomes important here as the communication medium might still be accessible, but the high levels of data encryption remove the risk of listening or talking down the line.”
Lelicanin adds that the good news is that forward-thinking manufacturers have incorporated and integrated both technologies into their products, which lets legacy sites stagger their security requirements and balance them with their existing upgrade budgets.
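Two of the points made above are easy to verify on the wire: why Wiegand is "easy to hack", and Corder's warning that some OSDP implementations do not use Secure Channel. The following is an added example, not code from SIA, from any vendor quoted here or from an OSDP library. It decodes a Wiegand 26-bit frame as a tap on the D0/D1 lines would see it, then builds and parses OSDP frames and flags any card-read reply sent without a Security Control Block, which is what a site that has "OSDP" but not Secure Channel looks like in a capture. The frame layout and constants follow my reading of the OSDP v2 specification and should be treated as assumptions to check against it; all frames are constructed, and the Secure Channel sample carries stand-in bytes rather than real ciphertext.

```python
"""Wiegand-26 versus OSDP framing. Added example, not vendor or SIA code.

(1) Wiegand 26-bit: bit 0 even parity over bits 1-12, bits 1-8 facility code,
    bits 9-24 card number, bit 25 odd parity over bits 13-24. No authentication,
    no encryption: whoever taps D0/D1 gets the card.
(2) OSDP frame: SOM 0x53, ADDR (bit 7 set on PD replies), LEN (LSB, MSB, whole
    frame), CTRL (bits 0-1 sequence, bit 2 CRC-16 trailer, bit 3 SCB present),
    optional SCB [len, type, ...], CMD/REPLY, DATA, then CRC-16 or checksum.
    Constants below are assumptions from my reading of OSDP v2.
"""

def wiegand26_encode(facility: int, card: int) -> str:
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    body = f"{facility:08b}{card:016b}"
    even = str(body[:12].count("1") % 2)        # bits 0-12 end up with even weight
    odd = str((body[12:].count("1") + 1) % 2)   # bits 13-25 end up with odd weight
    return even + body + odd

def wiegand26_decode(bits: str) -> tuple:
    """Recover (facility, card) from 26 captured bits; raises on a parity error."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits")
    if bits[:13].count("1") % 2 or bits[13:].count("1") % 2 == 0:
        raise ValueError("parity error")
    return int(bits[1:9], 2), int(bits[9:25], 2)

OSDP_SOM, OSDP_RAW = 0x53, 0x50      # start of message; reply carrying raw card bits
CTRL_CRC, CTRL_SCB = 0x04, 0x08      # control byte flags (assumed bit positions)
SCB_TYPES = {0x11: "CHLNG", 0x12: "CCRYPT", 0x13: "SCRYPT", 0x14: "RMAC_I",
             0x15: "cmd+MAC", 0x16: "reply+MAC", 0x17: "cmd enc+MAC", 0x18: "reply enc+MAC"}

def osdp_crc16(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0x1D0F, no reflection (assumed OSDP parameters)."""
    crc = 0x1D0F
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def osdp_build(addr: int, sqn: int, cmd: int, data: bytes = b"", scb: bytes = b"",
               use_crc: bool = True) -> bytes:
    ctrl = (sqn & 0x03) | (CTRL_CRC if use_crc else 0) | (CTRL_SCB if scb else 0)
    length = 5 + len(scb) + 1 + len(data) + (2 if use_crc else 1)   # whole frame, trailer included
    frame = bytes([OSDP_SOM, addr, length & 0xFF, length >> 8, ctrl]) + scb + bytes([cmd]) + data
    if use_crc:
        return frame + osdp_crc16(frame).to_bytes(2, "little")
    return frame + bytes([(-sum(frame)) & 0xFF])     # 8-bit checksum: frame sums to 0 mod 256

def osdp_parse(frame: bytes) -> dict:
    if len(frame) < 7 or frame[0] != OSDP_SOM:
        raise ValueError("not an OSDP frame")
    if (frame[2] | (frame[3] << 8)) != len(frame):
        raise ValueError("length field mismatch")
    ctrl = frame[4]
    if ctrl & CTRL_CRC:
        if osdp_crc16(frame[:-2]) != int.from_bytes(frame[-2:], "little"):
            raise ValueError("CRC mismatch")
        body = frame[:-2]
    else:
        if sum(frame) & 0xFF:
            raise ValueError("checksum mismatch")
        body = frame[:-1]
    pos, scb_type = 5, None
    if ctrl & CTRL_SCB:                  # SCB = [scb_len, scb_type, ...]
        scb_type = body[6]
        pos += body[5]
    return {"addr": frame[1] & 0x7F, "from_pd": bool(frame[1] & 0x80),
            "secure_channel": scb_type is not None, "scb": SCB_TYPES.get(scb_type, scb_type),
            "cmd": body[pos], "data": body[pos + 1:]}

def plaintext_card_reads(frames) -> list:
    """(addr, facility, card) for every osdp_RAW reply sent outside Secure Channel.
    osdp_RAW data: reader number, format, bit count (LSB, MSB), then the bits MSB-first.
    Anything returned here is card data an eavesdropper on the RS-485 line can read."""
    found = []
    for f in frames:
        p = osdp_parse(f)
        if p["from_pd"] and p["cmd"] == OSDP_RAW and not p["secure_channel"]:
            nbits = p["data"][2] | (p["data"][3] << 8)
            bits = "".join(f"{b:08b}" for b in p["data"][4:])[:nbits]
            found.append((p["addr"],) + wiegand26_decode(bits))
    return found

def raw_reply(addr: int, bits: str) -> bytes:
    """Constructed plaintext osdp_RAW reply from PD `addr` carrying `bits` (format 1 = Wiegand)."""
    packed = int(bits.ljust(32, "0"), 2).to_bytes(4, "big")
    data = bytes([0, 1, len(bits) & 0xFF, len(bits) >> 8]) + packed
    return osdp_build(addr | 0x80, 1, OSDP_RAW, data)

if __name__ == "__main__":
    bits = wiegand26_encode(123, 45678)
    capture = [raw_reply(0, bits),                                   # reader 0: no Secure Channel
               osdp_build(0x81, 1, OSDP_RAW, bytes(16), scb=bytes([0x02, 0x18]))]  # stand-in SCS_18
    print(plaintext_card_reads(capture))                             # [(0, 123, 45678)]
```

Run against a real capture, a non-empty result from `plaintext_card_reads` means the controller has accepted a reader in non-secure mode: the wiring is OSDP, but the card data is as exposed as on Wiegand. The CRC only catches line noise and tampering by accident; integrity against a deliberate attacker comes from the MAC inside Secure Channel, which this parser only detects, not verifies.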
Integrating to everything?
Controlling who or what has access to who or what is what access control is all about, whether in the physical or logical world. As we move into the age of the Internet of Things (IoT), the question of controlling access between millions or even billions of devices will become something the access industry needs to take note of and prepare for. In this scenario, the question of why also becomes an issue. There may be acceptable access to or from a device or server, but we need to know why the access is happening, is it a legitimate exchange of data or has someone hijacked a device and is trying to install malware on a server? Is the access control industry ready and are the management capabilities for such dispersed systems available?
There is no question that we are moving towards a more inclusive, integrated environment, according to Della Peruta. The days of discrete packages, where access, intrusion, video and building management are different brands and disconnected, are over.
“I believe there are a few directions on this the industry needs to become comfortable with, such as threat management, business efficiency management and marketing analysis. We are not just using the individual components anymore, but collectively for much greater functionality. We no longer purchase devices for a simple function, but the devices exist as a means to a greater solution.”
Some examples he provides include:
• Monitoring water usage and linking that with access control and video.
• Having a more accurate understanding of hotel guests to cater better and improve on food and maintenance costs while simultaneously making the venue more appealing.
• Collecting security information to understand whether a high security site could have a vulnerability through a perimeter system fault.
“Naturally, such a level of integration does become dangerous in terms of all the equipment that needs to interact with a common platform. Who operates and configures such a platform? Are they experienced in the type of industry and technology? Are they an ethical moral group? The realm of integration such as this goes beyond ONVIF, and more the direction of PSIM software systems.”
Accessing the IoT
Access control can already be considered part of the IoT, most systems already connect to the Internet and many are pioneers in IoT, says Corder. IT networks themselves are becoming more secure and are starting to require authentication to the network itself, using something like 802.1X. Access control products will soon have to support this in order to be allowed on the networks themselves – and this is a good thing in that it provides an extra layer of security.
“I think the way the industry is heading will be that all access control devices will be Internet-enabled devices that are configured using IT systems like Active Directory. Personal mobile devices are also increasingly being used as the access token using Bluetooth Low Energy, NFC or similar technologies with the ability to report back or do biometric authentication using Internet or LAN services.”
Similarly, Lelicanin also believes we are there already. “Personally, I think the most successful platforms will be ones that offer cloud services, are modular and scale to address the client’s specific needs, have integrated and complete solutions that incorporate your access, CCTV, fire and intrusion and take the hassle out of security.”
So, while we still focus on securing readers, devices, data and servers within our organisations, the future security concerns of the access industry will have to include far more ‘things’ that are requesting and sending access or data. Most of these will be simple sensors exchanging small amounts of data that are needed for analysis and pose no threat in themselves, but the data pathways they use will be a tempting target for those intent on getting into your network. Access administrators will therefore need to make sure they secure their networks from direct and indirect attack. If it is not already, cybersecurity will soon be a core component of the access control industry.
For more information contact:
Elvey, +27 11 401 6700, www.elvey.co.za
Saflec Systems, +27 11 477 4760, www.safsys.co.za
Sensor Security, +27 11 314 9419, www.sensorsecurity.co.za