The Converged Security Risk Between Physical and Cyber Networks

Sept. 1, 2021
The evolving network-centric access control landscape is filled with potential security land mines.

As the physical security industry has undergone a steady migration to a network-centric environment over the last decade, no issue is more confounding than who is responsible for securing the network. The days when electronic access control (EAC) systems rode a parallel network and fell under the primary purview of the physical security side of the house are no longer the norm. However, such an arrangement still might be preferable in some instances. Advanced edge devices, cloud solutions and the ever-expanding IoT universe have, in many cases, converged network platforms into a seamless solution. End users and systems integrators share the responsibility for establishing cybersecurity policy when that system is installed and configured.

Whether it’s an EAC system or a video surveillance network driven by artificial intelligence (AI), physical security policy now rides on the backbone of the organization’s IT framework. From the initial software configuration, through daily monitoring and, most important, the required security updates, mitigating potential network attacks is a critical element to maintaining cyber- and physical security hygiene.

The editors of Endeavor Business Media’s Security Group, which includes Locksmith Ledger, Security Business and Security Technology Executive magazines and the website, recently sat with Rick Focke, director of product management-enterprise access control for Johnson Controls, and Christine Lanning, who leads an elite team of security system integrators as president of Integrated Security Technologies (IST), a woman-owned electrical contractor headquartered in Hawaii. Here are their insights.

Locksmith Ledger: The expanding IoT universe and network-centric nature of advanced access control systems open all sorts of cybersecurity challenges. What are the key vulnerabilities system users should be aware of, and how can they begin to mitigate risk? 

Rick Focke: Embedded edge devices, such as access controllers, are particularly vulnerable to advanced cyberattacks. These small devices are historically underpowered for the types of events they have to defend against. Denial-of-service attacks can render a device inoperable, and exploit attacks can allow a bad actor to take control of a device for nefarious purposes. A compromised device also could serve as an entry point to the rest of the network. That’s why it’s important to maintain a rigorous practice of timely firmware updates for each device on your network and conduct cyber-audits and penetration testing to gauge the cyber-readiness of your system.

Christine Lanning: Networked legacy access control system [ACS] hardware should be the first concern. Much of this hardware lacks the basic network security protocol capabilities that exist in newer hardware platforms. Alongside the legacy hardware issue is a legacy architecture issue. From a risk-management perspective, ACS hardware simply doesn’t belong on the business network, so flat networks are a no-no. Total isolation is best where possible, and segmentation schemes should be tested thoroughly for penetration vulnerabilities.

LL: What are some ways in which a networked access control device can or should be “hardened” against cyberattacks? 

Focke: Ask your vendor for their hardening guide. If they don’t have one, choose a different vendor. Make sure that each device supports TLS 1.2 secure communications as a minimum — TLS 1.3 is even better — and deploy custom certificates on each device. If the device has a local webpage for configuration, make sure that it’s turned off after commissioning. Or, if left on, make sure it also supports TLS 1.2 or higher and can alert the main system if invalid login attempts are seen. And change that webpage’s password frequently.
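Focke's point about a device that "can alert the main system if invalid login attempts are seen" is easy to operationalize on the monitoring side. The following is an added example, not code from the interview or from any vendor: a small detector that reads controller web-page login events and raises an alert when repeated failures from one source hit one device inside a short window. The log format, device names and addresses are constructed for the demo and are not any product's real output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape that a controller's local web
# page might forward to a SIEM. The format is an assumption for this example.
SAMPLE_LOG = """\
2021-09-01T08:00:01Z ctrl-01 webui: login failed user=admin src=10.20.5.14
2021-09-01T08:00:04Z ctrl-01 webui: login failed user=admin src=10.20.5.14
2021-09-01T08:00:09Z ctrl-01 webui: login failed user=root src=10.20.5.14
2021-09-01T08:00:15Z ctrl-01 webui: login failed user=admin src=10.20.5.14
2021-09-01T08:00:20Z ctrl-01 webui: login failed user=admin src=10.20.5.14
2021-09-01T08:01:30Z ctrl-02 webui: login ok user=operator src=10.20.5.7
2021-09-01T08:02:00Z ctrl-02 webui: login failed user=operator src=10.20.5.7
2021-09-01T09:30:00Z ctrl-02 webui: login failed user=operator src=10.20.5.7
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) webui: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one event line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (device, source) pair that accumulates `threshold`
    failed logins within `window`. Successful logins are not counted, so the
    two widely spaced failures against ctrl-02 never trip the rule."""
    recent = defaultdict(deque)   # (device, src) -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "failed":
            continue
        key = (ev["device"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerts.append({
                "device": ev["device"],
                "src": ev["src"],
                "count": len(q),
                "first": q[0],
                "last": q[-1],
            })
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in find_brute_force(SAMPLE_LOG):
        print(f"ALERT {a['device']}: {a['count']} failed logins from {a['src']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The threshold and window are the tuning knobs; a controller web page that is only used during commissioning should see almost no failed logins at all, so the threshold can be far lower than the one used for a general-purpose server.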

The newer access control devices feature what’s known as a “Trusted Execution Environment,” or TEE. This is a hardware-based trusted environment within the device’s processor that guarantees confidentiality and integrity of code and data loaded onto the device, with an established chain of trust, and it provides for secure storage of keys and other cryptographic material. With a TEE on board, the device authenticates each command that the firmware on the device sends to its own hardware, which prevents a bad actor from taking over the device.
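Focke's two themes of timely firmware updates and an established chain of trust come together at the moment a controller decides whether to accept an update image. The block below is an added illustration and not code from the interview, Johnson Controls or any vendor: a device-side verifier that authenticates an update manifest before trusting anything in it, then checks model, anti-rollback version and image digest. The manifest layout is an assumption, and an HMAC with a constructed key stands in for the vendor signature that a real device would verify with a public key held in its TEE.

```python
import hashlib
import hmac
import json

# Constructed verification key for the demo. In a real design this would be a
# public key (or a key sealed in the TEE), never a shared secret in source code.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def _encode(body):
    # Canonical encoding so vendor and device tag exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image, version, model):
    """Vendor side (assumption: HMAC stands in for an asymmetric signature)."""
    body = {"model": model, "version": version,
            "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(DEVICE_KEY, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(manifest, image, current_version, device_model):
    """Device side. Returns (accepted, reason). Authenticates the manifest
    first so that no untrusted field is interpreted before the tag is checked."""
    body = manifest.get("body", {})
    expected = hmac.new(DEVICE_KEY, _encode(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "manifest tag invalid"
    if body.get("model") != device_model:
        return False, "manifest is for a different model"
    version = body.get("version")
    if not isinstance(version, int) or version <= current_version:
        return False, "rollback or replay rejected"
    if hashlib.sha256(image).hexdigest() != body.get("sha256"):
        return False, "image digest mismatch"
    return True, "ok"


# Constructed images and versions for the demo.
GOOD_IMAGE = b"\x7fELF-demo-firmware-v7"
OLD_IMAGE = b"\x7fELF-demo-firmware-v5"


def demo():
    """Run the four cases a practitioner cares about; returns their reasons."""
    results = {}
    m = build_manifest(GOOD_IMAGE, 7, "ctrl-x100")
    results["genuine"] = verify_update(m, GOOD_IMAGE, 6, "ctrl-x100")
    # Image replaced after signing: digest no longer matches.
    results["tampered_image"] = verify_update(m, GOOD_IMAGE + b"!", 6, "ctrl-x100")
    # Manifest field edited after signing: tag check fails before anything else.
    edited = {"body": dict(m["body"], version=99), "tag": m["tag"]}
    results["edited_manifest"] = verify_update(edited, GOOD_IMAGE, 6, "ctrl-x100")
    # Genuine but older release replayed against a device already on v6.
    old = build_manifest(OLD_IMAGE, 5, "ctrl-x100")
    results["rollback"] = verify_update(old, OLD_IMAGE, 6, "ctrl-x100")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} accepted={ok} reason={why}")
```

The check order matters: the tag is verified with a constant-time comparison before the model or version fields are read, so an attacker who can alter the manifest in transit gains nothing from editing fields the device has not yet authenticated.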

Lanning: A lost, stolen or copied credential is the simplest way into an organization, presuming they already have strong anti-tailgating measures in place, so user education and management is a key hardening element against human negligence. Implementing “secure” Open Supervised Device Protocol [OSDP] at the end points reduces the risk from an attack at the reader and should be considered a standard hardening step these days. Closing all unused device network ports, encrypted hardware communications, communication traffic monitoring and, obviously, updated software maintenance are some of the additional hardening steps that should be mandatory in an organization.
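Lanning's two answers above describe an audit posture: ACS hardware off the flat business network, unused device ports closed and OSDP secure channel at the readers. As an added example (not code from the interview or from IST), the script below turns those three rules into an inventory check. The subnets, device names, addresses and the single allowed management port are constructed assumptions for the demo; the point is the shape of the check, which a team would feed from its real asset list and scan results.

```python
import ipaddress

# Constructed network plan for the demo: business hosts and ACS gear are meant
# to live on separate segments. Real values come from the organisation's asset list.
BUSINESS_SUBNETS = [ipaddress.ip_network("10.0.0.0/16")]
ACS_SUBNETS = [ipaddress.ip_network("10.200.0.0/24")]
# Hardening baseline assumption: only the TLS management port stays open.
BASELINE_PORTS = {443}

# Constructed inventory, e.g. merged from the asset list and a port-scan export.
INVENTORY = [
    {"name": "ctrl-01", "ip": "10.200.0.10", "open_ports": {443},
     "readers": [{"id": "R1", "osdp_secure": True}]},
    {"name": "ctrl-02", "ip": "10.0.3.44", "open_ports": {80, 443, 23},
     "readers": [{"id": "R2", "osdp_secure": False},
                 {"id": "R3", "osdp_secure": True}]},
    {"name": "ctrl-03", "ip": "192.168.7.2", "open_ports": {443},
     "readers": []},
]


def audit_device(dev):
    """Return the list of hardening findings for one controller (empty = clean)."""
    findings = []
    ip = ipaddress.ip_address(dev["ip"])
    if any(ip in net for net in BUSINESS_SUBNETS):
        findings.append("sits on the business network (flat network)")
    elif not any(ip in net for net in ACS_SUBNETS):
        findings.append("outside the designated ACS segment")
    extra = set(dev["open_ports"]) - BASELINE_PORTS
    if extra:
        findings.append("unused ports open: " + ", ".join(str(p) for p in sorted(extra)))
    for reader in dev["readers"]:
        if not reader["osdp_secure"]:
            findings.append(f"reader {reader['id']} not using OSDP secure channel")
    return findings


def audit(inventory):
    """Map device name -> findings across the whole inventory."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        status = "OK" if not findings else "FINDINGS"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed inventory, ctrl-01 comes back clean, ctrl-02 collects a flat-network finding, two open legacy ports and an insecure reader, and ctrl-03 is flagged for living outside the planned ACS segment. The same structure extends naturally to the other items Lanning lists, such as encrypted hardware communications or firmware currency, by adding a field to the inventory record and a rule to `audit_device`.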

LL: How involved is the IT or information security department in the running and auditing of the ACS? What’s the expected level of cooperation and response time? 

Focke: We have seen increased involvement from the IT department and also from separate cybersecurity departments over the past few years, and we welcome that cooperation. Given the current cyber environment, a close level of cooperation and involvement is required to help to reduce risk. Your access control vendor should be keen to review and help with cyber-audit and pen-test mitigations and should be able to provide detailed advice on hardening and overall system design.

Lanning: No security system ever should be on-boarded within an organization without the express consent, and lifetime management support, of the organization’s IT department. The system’s departmental users aren’t generally capable of this type of management, nor do they understand the risks to the organization that are implicit to the compromise of networked devices. The broader organization can’t leave this level of vulnerability management to others, period. The organization must obtain outsourced support where internal support is unavailable.

LL: As the convergence of physical ACS and cyber-related platforms continues to expand, what are some of the emerging trends you see in access control over the next 3–5 years? 

Focke: Here are some of the key trends I see: I suspect we will see closer systems integration with cyber-management platforms as larger customers want to manage all their network devices from one platform so they can get a comprehensive view of device status, certs, passwords and firmware. I also anticipate a closer integration with identity-management systems for two-factor authentication access and operator authentication.

There might be a more aggressive move towards “high assurance” credentials to mitigate the card-cloning and shared-key vulnerabilities seen in today’s credentials and a migration towards more occupant-based apps for access control users. We’ll see privacy controls take on a larger role and higher cyber-standards for every edge device, with an expectation of direct data sharing to a third-party data lake. And, of course, AI will gain more traction and be used in the analysis of incoming cyber-threats.

Lanning: All of the tasking that occurs within an IT cyber-assurance program applies to the ACS equally: asset lists, access lists, trusted platform modules, protocol scanning, port scanning, communication encryption, multifactor authentication, continuous monitoring, etc. Future supply-chain risk-management requirements should be expected to include transparency in the software and hardware bill of materials if the product wants to be considered for use among DoD [Department of Defense] and the rest of the critical infrastructure sectors.

That’s basically all businesses, including commercial facilities. The major trend the industry should be preparing for is one that focuses on security first. It already is showing up at a level the industry never contemplated, much less worked toward. The strongest security adopters will remain relevant; others likely will exit the industry and even the technology space more broadly. It’s become too risky to keep poor security players and practices around already.