Cyber Security in an access control world

09 April 2019

The Security Event 2019: Cyber security in an access control world. In a new age of network-connected access control systems, manufacturers need to continually evolve their products by interacting with cyber security experts – or risk a potentially disastrous cyber attack. 

That’s according to Richard Huison, Regional Manager at Gallagher Security, who was speaking at The Security Event 2019 at the NEC Birmingham.

Huison hosted a seminar which looked at how security manufacturers can protect against cyber attacks carried out through an access control system – an issue of increasing importance as most new access systems are connected to the internet via user networks.

Huison used the example of the WannaCry attack of May 2017, which saw a quarter of a million computers attacked in one day. The NHS was the most high-profile victim in that case, but a host of other businesses were impacted as well. Tellingly, only 81% of businesses affected reported an issue – the other 19% were unaware they had been breached.

Huison said the new reality is that access control systems, for so long a solution against outside encroachment, are now part of the problem.

“Access systems are now part of the network, and networks are vulnerable because disparate systems can be attached, there’s the chance of third-party access, and hackers can exploit them,” he explained.

“The cyber risk is increasing. The theft of data and subsequent disruption to business continuity is seen as the biggest issue. But in the past, access control manufacturers have not embedded security in the heart of the system. That has to change, and those physical access systems also have to be cyber resilient.”

Huison said there were important policies that manufacturers can put in place to address the threat of cyber incursion. This includes data minimisation: only keeping data which needs to be there.

“Access control systems should have no back doors in,” he said. “They should not be able to be accessed remotely. That’s surely a vulnerability.”

Companies which use access control systems should have their own strong IT policy in place, with tight controls over privileges and regularly maintained software. Passwords should not be changed regularly – instead, they should be longer and more complex to prevent hacking.

Short-term visitors should be pre-registered, and their data erased when they leave. Inactive card holders should be removed from the system, and any data which does not need to be kept should be discarded. All firms should ensure they comply with GDPR rules.

The latest and safest standard in access control card technology, Huison said, is Mifare DESFire EV2.

“Mifare Classic and iClass have both been compromised by hackers,” he said. “And 125kHz cards are simple and easy to clone, and should be avoided at all costs.”