31 May 2023
Securing Access Control and Video Surveillance Systems from Cyber Intrusions
We all know that securing access control and video surveillance systems from potential cyber intrusions is of paramount importance. They may be state sponsored or simply the efforts of criminal gangs. Either way, cyber-attacks pose a significant threat to the electronic security industry, which is why all of us involved in the product supply chain need to ensure that data captured by the solutions we provide to end-users, as well as the access they could potentially provide to their networks, is protected from hackers.
In a tough economic climate, with end-users looking to achieve a high return on investment (ROI) from their electronic security, installers and integrators are understandably striving to provide solutions which deliver the benefits of integrating network based access control with other products and systems. This can inevitably introduce cyber-security vulnerabilities which could prove to be costly. Just imagine the consequences of a hacker being able to remotely take control of an access control system. Apart from a major loss of confidential personnel information, a hacker could potentially remotely provide an intruder with easy access to a high security area or simply unlock all the doors of a building. They could also use security vulnerabilities in the access control system to gain access to anything stored on or connected to a company’s IT network.
The threat is greater if an access control system was installed more than say 10 years ago. Chris Morin, Vice President of Product Engineering at Genetec, the market leading security management software provider, was recently quoted in Detector International magazine as saying: “Whilst these older systems will still allow employees to badge in and out, there’s a very high likelihood that these systems employ technologies that are extremely vulnerable to modern cyber threats”.
However, even the latest generation of access control systems can be vulnerable to cyber-attacks. It is therefore advisable that system designers, specifiers and system integrators, (unless they employ inhouse cyber security experts,) should always seek guidance and assurances from the manufacturer or a specialist distributor such as Smart R, that the specified system has the ability to keep hackers at bay. For example:
- OSDP/SSCP Compliance: Look for systems which meet the Open Supervised Device Protocol (OSDP) access control communications standard developed by the Security Industry Association (SIA) in the USA. This supports high-end AES-128 encryption, constantly monitors wiring against attacks and is more secure than the older Wiegand protocols. In addition, look to see if a system complies with the Smart & Secure Communication Protocol (SSCP®) European Standard from SPAC®, which provides for interoperability among access control and other security products.
- Key Management: For high security and mission critical applications, always specify Smart cards and readers which have the manufacturer’s proprietary card and reader programming.
This will enhance the level of security, as will the fact that the cards will be supplied with custom keys.
- Dual Authentication: It is widely accepted that for building security purposes, it is advisable to use a second factor of authentication, e.g. a PIN or some form of biometric identification. In addition to being the best way to combat the threat of card cloning, it negates the potential consequences of lost or stolen card.
The cyber security threat is considered so great by some security managers operating within high security environments such as banking, that they are installing what many would regard as old fashioned analogue based CCTV (i.e. closed circuit) systems, rather than IP network video surveillance systems.
Whilst analogue CCTV systems might be sufficient for some end-users, there is no doubt that the mass market now wishes to take advantage of the benefits offered by video over IP, not the least of which is the ability to monitor live or recorded video from any PC on the network or from a smartphone or tablet. The technology does though create cyber security risks, even if they just come from opportunistic hackers who may endeavour to gain access to confidential data via a camera’s ‘back door’.
Some manufacturers have addressed the cyber security problem head on by taking it into consideration at the design stage of its cameras. Hanwha Vision, for example, has adopted what is considered to be cyber security best practice and has obtained official certifications from globally recognised safety standard and certification organisations, such as UL and Secure by Default. It also has a dedicated team, S-CERT (Security-Computer Emergency Response Team), who respond promptly to any possible security vulnerabilities and issues patches as soon as possible.
Hanwha Vision also supports NDAA compliance across its whole product line, which is one of the reasons why the company has enjoyed increased sales, perhaps at the expense of manufacturers who are unable to comply at a time when there are clear signs of European governments hardening their stance and thinking of adopting similar legislation.
There are other manufacturers who have gone to the same efforts as Hanwha Vision to combat the threat from hackers and who can verify their cameras are future proof in terms of being upgraded if and when new cyber security threats emerge. To avoid embarrassing and perhaps costly consequences of a data breach, it is obviously advisable to choose to work with these manufacturers, rather than those that have not yet designed cyber security into their products.
Going Phishing (Or Should We Say Fishing) For Data
If you are inclined to believe the threat from hackers is overstated, perhaps bear in mind the embarrassment of the network manager at a casino which had its data hacked via a fish tank. According to an article in Forbes, the high-tech fish tank had Internet connectivity for remote monitoring, automatic feedings and temperature control. The resourceful hackers had already helped themselves to confidential data before Darktrace’s software began monitoring activity and the tank’s unusual activity was spotted.