We’ve heard a lot about back doors in IP cameras – practically every manufacturer has had issues over the past few years. But what about IP access controllers? How would you secure these network-connected systems when they must be exposed to public networks?
A: We’d be limiting IP addresses that have access through the firewall using a white list comprising the fewest possible users. Ensure the IDS reports attempts to breach protected ports. Minimise or eliminate wireless network communications unless encrypted. Consider whether there’s a need for the security workstation to be exposed to local data networks. It’s possible to build dedicated links to minimise touch points.
The best access control solutions will have app-based management of security functionality allowing administrators a considerable measure of remote control when it comes to event reporting, alarm management and driving of doors. The app will need to run on a secure smartphone with biometric authentication. This device will also need secure passage through the firewall. Getting this right is going to take the input of the IT team.
Another consideration is the nature of the database and the network on which its server(s) are installed. This aspect would be simpler if the access control solution lived on a secure subnet and it might be more complex if the database is managed in virtual servers in a fully networked environment. If it’s the latter, you’ll likely already be on first name terms with the relevant IT engineers.
Other things we’d be doing would be cyber security 101 – no default passwords, ensuring adjacent automation devices linked to the access control system are also secure, implementing a process of vulnerability testing and reporting. Train staff so they are aware of the risks posed by operator error – opening attachments, using third-party thumb drives, etc.
It also helps to get across the software that is controlling boards and devices across the entire solution. If it’s just an access control system, that’s easier, but if there are oddments of automation, that means devices run by who-knows-what code with who-knows-what vulnerabilities. A lot of automation code is free or open source and can’t be trusted in secure ecosystems.
Finally, ensure physical security of the control panels with tamper switches and secure the workstation, card printer and camera used to support the access control system.
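As an added example (not from the original column), one way to act on the firewall allowlist and IDS reporting points in the answer above: a small Python audit over firewall drop logs that counts attempts on the controller's protected ports from hosts outside the management allowlist, and separately flags allowlisted hosts that are being dropped, which usually means a firewall rule error. The allowlist range, the protected ports, the log prefix and the log lines are all constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed management allowlist through the firewall (constructed, not from the column).
ALLOWED_SOURCES = [ip_network("10.20.30.0/29")]
# Assumed protected controller ports and the prefix the firewall LOG rule emits.
PROTECTED_PORTS = {22, 443}
LOG_PREFIX = "ACS-DROP"
FIELD_RE = re.compile(r"SRC=(?P<src>[\da-fA-F.:]+).*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src_ip, dst_port) for a firewall drop line, else None."""
    if LOG_PREFIX not in line:
        return None
    m = FIELD_RE.search(line)
    if not m:
        return None
    try:
        return ip_address(m.group("src")), int(m.group("dpt"))
    except ValueError:
        return None

def audit(lines):
    """Count drops on protected ports per non-allowlisted source, and flag
    allowlisted hosts that were dropped (likely a firewall rule error)."""
    unauthorised = Counter()
    misconfigured = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in PROTECTED_PORTS:
            continue
        src, dpt = parsed
        if any(src in net for net in ALLOWED_SOURCES):
            misconfigured.append((str(src), dpt))
        else:
            unauthorised[str(src)] += 1
    return unauthorised, misconfigured

# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = [
    "Oct 12 03:14:01 fw kernel: ACS-DROP IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 SYN",
    "Oct 12 03:14:03 fw kernel: ACS-DROP IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN",
    "Oct 12 03:14:09 fw kernel: ACS-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=8080 SYN",
    "Oct 12 03:15:00 fw kernel: ACS-DROP IN=eth0 OUT= SRC=10.20.30.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 SYN",
]
if __name__ == "__main__":
    hits, misconf = audit(SAMPLE_LOG)
    print("alerts:", dict(hits), "check rules for:", misconf)
```

The same parser can be pointed at a syslog feed from the firewall so that repeated hits from one source become an IDS alert rather than a buried log line.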