The level of risk mitigation gained from an Access Control System (ACS) implementation depends upon the features and monitoring tools used, e.g., multi-factor authentication, anti-passback, turnstiles, man-traps, etc. Staff challenging tailgaters plays a part too.
Let’s say you’ve added your supporting technologies (visitor mgmt, intercom, video, etc.), and you’ve properly specified, implemented, and monitored your ACS. What assurance do you have that you’ve done all you can do to mitigate the risk of perimeter breach by an unauthorized person?
Access control system hacks have been demonstrated that change user data, open all the doors, or emulate a valid card read; so there are other vulnerabilities to consider.
Unauthorized administrative rights to many access control systems may be gained via well-publicized, well-documented man-in-the-middle attacks against weakly secured network communication ports. Because these vulnerabilities are present, never expose your ACS management console directly to the internet. Use a VPN with strong encryption for remote access if you must have it. You should protect against these vulnerabilities inside your network too. Close all unnecessary ports. Verify certificates and encryption on all network-connected physical security equipment.
Test your ACS administration console with this free tool from Qualys SSL Labs. Don’t forget to test the NIC (Network Interface Controller) web interface on the hardware control panels too. Save the Qualys report, share it with your integrator and their manufacturers, and ask them for updated firmware or bug-fix timelines.
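One way to act on the advice above (verify certificates and encryption on every network-connected console and panel NIC, not just the one you can reach from the internet), as an added example that is not part of the original post: a standard-library Python checker that records what each device negotiates and turns it into findings. The host names are placeholders, and the thresholds (TLS 1.2 minimum, 128-bit ciphers, 30-day expiry warning) are my assumptions.

```python
# Added example (not from the original post): TLS posture check for an
# ACS administration console or a control panel's NIC web interface.
import socket
import ssl
import time
from typing import List, Optional

# Assumed thresholds: anything older than TLS 1.2 and any legacy cipher is a finding.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TAGS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def assess(version: str, cipher: str, bits: int, verified: bool,
           not_after: Optional[float], now: Optional[float] = None) -> List[str]:
    """Turn one observed TLS session into human-readable findings.

    not_after is the certificate expiry as a POSIX timestamp, or None when the
    peer certificate could not be verified (Python then exposes no cert fields).
    """
    now = time.time() if now is None else now
    findings = []
    if version in WEAK_VERSIONS:
        findings.append(f"protocol {version} negotiated; require TLS 1.2 or later")
    if bits < 128 or any(tag in cipher for tag in WEAK_CIPHER_TAGS):
        findings.append(f"weak cipher suite {cipher} ({bits}-bit)")
    if not verified:
        findings.append("certificate not trusted (self-signed, expired, or name mismatch)")
    elif not_after is not None and not_after - now < 30 * 86400:
        findings.append(f"certificate expires in {(not_after - now) / 86400:.0f} days")
    return findings


def _handshake(ctx: ssl.SSLContext, host: str, port: int, timeout: float) -> ssl.SSLSocket:
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                           server_hostname=host)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect to a console or panel NIC and assess what it negotiates.

    A verifying context is tried first; if the certificate is rejected the
    handshake is repeated without verification so protocol and cipher can still
    be inspected, and the rejection itself becomes a finding.
    """
    verified, not_after = True, None
    ctx = ssl.create_default_context()
    try:
        ssock = _handshake(ctx, host, port, timeout)
    except ssl.SSLCertVerificationError:
        verified = False
        ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        ssock = _handshake(ctx, host, port, timeout)
    with ssock:
        version, (cipher, _, bits) = ssock.version(), ssock.cipher()
        cert = ssock.getpeercert()
        if verified and cert:
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return assess(version, cipher, bits, verified, not_after)


if __name__ == "__main__":
    # Placeholder targets: substitute your own console and panel NIC addresses.
    for target in ("acs-console.example.internal", "panel-01.example.internal"):
        try:
            print(target, probe(target) or ["no findings"])
        except OSError as exc:   # a handshake the default context refuses is itself a finding
            print(target, f"no TLS 1.2+ handshake possible: {exc}")
```

A device that cannot complete a handshake with Python's default context (which already refuses anything below TLS 1.2) is reported as such rather than silently skipped, which is the case most worth raising with your integrator.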
Another ACS problem is that the Wiegand protocol communicating between reader and panel simply cannot be secured. Card read data can be captured from the reader or the wiring, recorded, and played back to allow a faked “authorized” entry through a door.
Good News: This past week the Security Industry Association (SIA) demonstrated Open Supervised Device Protocol (OSDP) communicating with Transport Layer Security (TLS) version 1.2 between the reader and the ACS control panel. TLS 1.2 is the most secure data communications protocol currently available. Manufacturers are preparing ACS control panels and readers using OSDP end-to-end encrypted communications for commercial availability soon. At-risk companies will want this, and if you’re in a regulated industry you’re likely going to require this level of protection.
The bottom line is that if your business requires sound network security as a component of its risk mitigation strategy, you’re going to want to upgrade your ACS controllers, readers, and possibly some cabling to support OSDP. Road-map this effort to assess the organizational impact.
If you’re at Tier Zero (lost or just beginning) with your cyber security journey, join our PSA Cyber Security Committee presentation this May 12th at PSA Tec and get started down the road to better cyber hygiene. You can get there, we can help.