Is your physical access control system cybersecure?
Today, physical security is about so much more than locks and bolts. Many modern physical access control systems are IP-based, powered by smart software and able to process large quantities of data. This provides more functionality, flexibility, scalability and opportunities for integration. It also means they’re part of your IT network, so it’s essential they’re protected and upgraded – just like your other IT systems.
We talked to Wesley Keegstra, Nedap Security Management’s integration manager, about cybersecurity and why it provides crucial, but often overlooked, protection for physical access control systems.
Many companies still aren’t cybersecuring their IP-based physical access control systems – why do you think that is?
I think a lack of awareness plays a part. Physical security is something we can see and touch and so is easy to understand and justify. Cybersecurity is less tangible, but it’s just as vital. After all, investing time and money in physically securing your building is useless if you leave the back door open. And having no cybersecurity to protect an IP-based system such as physical access control is a door left wide open.
How can cybercriminals compromise physical access control systems?
Cybercrime comes in various guises. It could, for example, involve retrieving or manipulating data sent between devices to reveal who has access where and when. Or it might involve access card data being collected and then copied or cloned.
Taking a step further, cybercriminals may steal someone’s credentials to enable them to log into your access control system’s software. Once they’re logged in, they can enable unwanted access to all kinds of doors and locations. And by gaining access to your database, they can manipulate or even remove events that show, for example, what they or others did.
Many different components tend to be connected to IP-based access control systems, so it’s important every one of them is protected against cyberattacks too – from cards to cameras, readers, controllers and more.
What might be the repercussions of a cyberattack?
The effects can be wide ranging. The obvious result is that unauthorised people can gain access to your property and carry out physical theft or even terrorism.
Alternatively, a cybercriminal may be looking for data and may steal it remotely or by gaining access to your premises. This data could, for example, be classified product data which could give your competitors an advantage if it’s leaked. Or it could be personal or financial data, which could result in significant fines, depending on your industry and the countries involved. There may be costs involved to fix the results of a cyberattack and get your systems up and running again. And there may be other costs if your business can’t run properly while your IT system is down.
Cyberattacks can also result in damage to your business’s reputation, which could lead to financial losses and affect your growth and stability. All in all, it’s better to be cybersafe than very sorry.
How can businesses protect their physical access control system from cybercrime?
Nobody can say that something is 100% cybersecure, but prevention is definitely better than cure. Key measures are to cybersecure your access control hardware and software, as well as your data storage and the way data is accessed and transferred – not just within one building, but nationally and internationally.
It’s also really important to have clear security policies for using and managing your physical access control system. These should include cybersecurity elements and enforce the use of strong passwords that are changed after a set period of days. Security policies should also be established for other IP-based hardware such as cameras, because the weakest link determines the strength of the chain.
Employees also need to be educated in cybersecurity, so their lack of awareness and behaviour doesn’t sabotage the protection you put in place.
Does every organisation need the same level of cybersecurity?
Cybersecurity requirements vary according to the industry and the individual business or organisation. It demands resources and investment, so it’s important to get the balance right for your business.
That’s why our AEOS access control system puts you in control of cybersecurity, so you can determine what you secure and at what level. You can choose to cybersecure your cards, card readers, access control devices and databases, for example. You can also secure access to the AEOS user interface and communication between every component of your system – you name it, you can cybersecure it. And as cybersecurity becomes more important for your organisation, you can dial up the level of protection for your AEOS system.