Access control systems unprotected against modern threats
- 04 September, 2016
- Amsterdam Security
Strangely though, modern physical access control systems, which are themselves IT systems connected to a company’s network, haven’t been through the same development. This can leave the security system with weaknesses and therefore vulnerable to cyber threats.
European guidelines limited to physical threats only
In particular, organisations providing critical infrastructure are increasingly dealing with digital threats. While IT departments have improved the security of their systems, physical security systems, such as access control, are lagging behind when it comes to ensuring the security of the system itself. This creates a real risk for organisations, especially because it’s often necessary to access an organisation physically in order to do harm digitally.
Based on this insight, various European countries have developed guidelines requiring that card keys for access control systems are stored on the safe side of the door. This prevents outsiders from reading card keys via card readers on the outside of the building, and then gaining unauthorised access.
Security of the entire system is missing
An access control solution that stores card keys by using a secure access module (SAM) in the door controller is the safest way of implementing these European guidelines. With this solution, card readers mounted on the outside of the building become ‘transparent’ and are no longer equipped with card keys, meaning threats from the outside are significantly reduced.
What should you do, though, when the card keys in the SAMs need updating? You can only update keys centrally when encryption is applied to the entire system. This requires strong authentication of door controllers using certificates, which can be stored in the same SAM. Current guidelines don’t focus on the security of the entire access control solution, however. So they don’t cover how to update keys securely.
Inside threats not prevented
Without strong authentication, door controllers can’t be fully trusted as devices connected to a company’s network. Door controllers can then be replaced by prepared copies without this being detected, so access can be provided to people outside the company without it being noticed. Moreover, when the principles of strong authentication are not applied, alien devices can be connected to the network and send commands to door controllers without leaving a trace.
IT principles increase security
Strong authentication is applied in IT, for example, by using smart cards to allow access to a company’s network and systems. This guarantees reliable communication with the right person. When a trusted system is used to issue and manage digital certificates (PKI), the integrity and authenticity of each certificate, and therefore the identity of its owner, are guaranteed.
When this principle is applied to access control, and door controllers are equipped with certificates, secure communication between door controller and server is achieved. When card keys are stored in the same SAM, card data is decrypted in the most secure place of the system. Card keys can be sent through the system securely, enabling secure centralised key updates.
Time to react
Organisations can only meet modern security requirements when they implement solutions that are designed based on the IT principles described above. However, taking appropriate measures is often a challenge as physical security and IT are two separate worlds in most organisations. These silos need to cooperate to enable physical security solutions to be implemented that meet modern security standards for IT systems.
Please contact Daryn Flynn to find out more about the digital risks to physical security in your company.
Kim te Kaat
Security Business Manager
+ 31 (0) 544 471 111
Nedap is official sponsor of Amsterdam Security Conference 2016.