Who (or What) is Your Physical Access Control System Letting in?

The ongoing tensions between China and liberal democracies show no sign of abating. They result in real-world consequences and prompt important questions about the companies and partners we choose to work with and the technologies we deploy.

In particular, we must be proactive when it comes to evaluating the risks of deploying technologies associated with suppliers who are vulnerable to foreign interference. There is no clearer example of this than technology companies that are owned or controlled by foreign strategic rivals like the government of China.

National security concerns have already resulted in the removal of Huawei infrastructure from 5G networks. In the video surveillance industry, the dangers of deploying high-risk or poorly designed IP cameras are also proven and clear. However, the issue has not received the attention it should within the realm of physical access control systems (PACS). We’re at a crossroads and the next few months could be critical.

Recently, Chinese government-controlled technology companies have struck up partnerships with European-based companies – a worrying trend that raises several questions. Most importantly, why have these technology companies, who remain banned in the United States, taken such a proactive and high-profile role in marketing their products in the UK and the EU? Why have they made partnering with European-based access control companies a part of their commercial strategy? And what will be the financial implication for integrators and end-users who install this type of technology if these companies are similarly subjected to restrictions in the European market?

Access Control Systems Are Under Threat

Doors say a lot about a business or an organization. Who is coming and going, when, where and how often, are powerful tools for managing and understanding the physical dimensions of a corporation or government. 

Typically, access control system attacks have focused on the outside of the perimeter (i.e. cloning cards and attacking readers) to gain unlawful entrance to facilities. As modern IP-based access control systems are placed on IT networks and become more connected to the cloud, steps must be taken to ensure they do not provide the entry point malicious operatives need to gain access to vital information and, most importantly, to the very real-world operation of your doors.

The problem is, there is a tendency among some in the security industry to forget about the risks associated with poor cyber hygiene, and a desire to focus on attractive cost savings from vendors that may not have your, or your country’s, best interests at heart. Responsible security practitioners and smart end users must demand better and must ask the tough questions.  

Don’t Risk Your Reputation

It is necessary to consider not only the strengths of a particular company’s hardware but also the motives and track record of the businesses involved in supplying them. Yet, it is relatively common for organizations to install a digital access control system without considering who may, through error, omission, or poor design, have access to this vital infrastructure.

We need to think practically about the costs of including high-risk vendors in our access control supply chains and their products in our system deployments. Given the lifecycle of an access control system, and the growing concerns from policymakers, it is entirely plausible that new regulations could require systems installed today to be ripped out and replaced well before they reach end-of-life. Nobody should in good faith be recommending an approach that knowingly puts end users at risk, be that of a costly rip and replace of kit, or a more serious cybersecurity incident.

Don’t Risk National Security

Some companies may be protecting their IP, whereas others could be protecting critical infrastructure or highly classified information. We’ve seen the devastation hackers can cause, and state-sponsored attacks are becoming increasingly common, with Microsoft finding that activity from Russia, China, Iran and North Korea is on the rise.

Access control therefore can’t be overlooked as part of your network cybersecurity plans. With the proliferation of IoT, and its integration with networks, any access control system must have a strong cyber-defense as otherwise companies are opening themselves up to increased cyber-risk and more worryingly to actual physical threats of doors being opened or locked without their permission.

Across all industries, from financial services to casinos, data centres to hospitals, the installation and connections of your PACS vendor must be taken seriously. Modern access control can provide a lot of value, so invest in it and choose your partners wisely.

What’s Hot on Infosecurity Magazine?