
Brian Sims
Editor
Cyber Security in an access control world
09 April 2019
The Security Event 2019: Cyber security in an access control world. In a new age of network-connected access control systems, manufacturers need to continually evolve their products by interacting with cyber security experts – or risk a potentially disastrous cyber attack.
That’s according to Richard Huison, Regional Manager at Gallagher Security, who was speaking at The Security Event 2019 at the NEC Birmingham.
Huison hosted a seminar which looked at how security manufacturers can protect against cyber attacks through an access control system – an issue of increasing importance as most new access systems are connected to the internet via user networks.
Huison used the example of the WannaCry attack of May 2017, which saw a quarter of a million computers attacked in one day. The NHS was the most high-profile victim in that case, but a host of other businesses were impacted as well. Tellingly, only 81% of businesses affected reported an issue – the other 19% were unaware they had been breached.
Huison said the new reality is that access control systems, for so long a solution against outside encroachment, were now part of the problem.
“Access systems are now part of the network, and networks are vulnerable because disparate systems can be attached, there’s the chance of third-party access, and hackers can exploit them,” he explained.
“The cyber risk is increasing. The theft of data and subsequent disruption to business continuity is seen as the biggest issue. But in the past, access control manufacturers have not embedded security in the heart of the system. That has to change, and those physical access systems also have to be cyber resilient.”
Huison said there were important policies that manufacturers can put in place to address the threat of cyber incursion. This includes data minimisation: only keeping data which needs to be there.
“Access control systems should have no back doors in,” he said. “They should not be able to be accessed remotely. That’s surely a vulnerability.”
Companies which use access control systems should have their own strong IT policy in place, with tight controls over privileges and regularly maintained software. Passwords should not be changed regularly – instead, they should be longer and more complex to prevent hacking.
Short-term visitors should be pre-registered, and their data erased when they leave. Inactive card holders should be removed from the system, and any data which does not need to be kept should be discarded. All firms should ensure they comply with GDPR rules.
The latest and safest standard in access control card technology, Huison said, is Mifare DESFire EV2.
“Mifare Classic and iClass have both been compromised by hackers,” he said. “And 125kHz cards are simple and easy to clone, and should be avoided at all costs.”