The news that the Department of Homeland Security (DHS) in the US has been rapped on the knuckles for failing to address the cyber risks to access control systems will raise concerns globally about the security of these ubiquitous systems.
In a report by the General Accounting Office (GAO), the DHS was critiqued for failing to assess or address cyber risk to building and access control systems in a timely manner, particularly in the 9000 federal facilities protected by the Federal Protective Service (FPS).
The report is called “Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems” and can be downloaded from www.gao.gov/assets/670/667512.pdf.
The report said that threats against these systems were relatively new and that no one at the DHS had ownership of the problem. As a consequence, the DHS lacks a strategy that “defines the problem, identifies roles and responsibilities… and identifies a methodology for assessing this cyber risk.”
Also coming in for criticism was the General Services Administration (GSA) for failing to carry out sufficiently rigorous assessments of the elements of risk to their buildings’ systems.
The report cites a number of infamous hacking incidents to highlight the risk and then notes that cyber security experts are particularly concerned about the security of access control systems.
“Cybersecurity experts that we interviewed also generally said that building and access control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cybersecurity in mind,” the report stated.
The GAO makes a number of recommendations:
- That the Secretary of Homeland Security develop and implement a strategy to address cyber risk to access control systems, to define the problem, identify roles and responsibilities, analyse required resources and identify a methodology for assessing the risk;
- That the Secretary direct DHS’s Interagency Security Committee (ISC) to include the cyber threat in its “Design-Basis Threat” report;
- That FPS-protected facilities’ access control systems are assessed against guidelines.
The lack of a strategy has contributed to the lack of action by the DHS on this vital issue.
According to an official within the DHS’s National Protection and Programs Directorate (NPPD), the DHS has “not developed a strategy, in part, because cyber threats involving these systems are an emerging issue. By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, NPPD have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting”, the report says.
It also states: “Because federal facilities are a part of the nation’s critical infrastructure and include some highly symbolic federal and commercial office buildings, laboratories, and warehouses—some of which are used to store high risk items such as weapons and drugs—determining the extent to which building and access control systems within them are vulnerable to cyber attacks is critical to providing security. However, DHS faces challenges in determining the extent to which building and access control systems in federal facilities are vulnerable to cyber attacks because it lacks a strategy that defines the problem, identifies the roles and responsibilities for securing these systems, analyzes the resources needed to assess cyber risk to the systems, and a methodology for assessing cyber risk to building and access control systems.”
No doubt, an assessment with which many organisations can identify.
The threat is broad
The threat to access control systems is part of the broader vulnerability of industrial control systems (ICS) and operational technology (OT).
According to the Whole Building Design Guide (www.wbdg.org), ICS are physical equipment oriented technologies and systems that deal with the actual running of plants and equipment, include devices that ensure physical system integrity and meet technical constraints, and are event-driven and frequently real-time software applications or devices with embedded software. These types of specialised systems are pervasive throughout the infrastructure and are required to meet numerous and often conflicting safety, performance, security, reliability, and operational requirements.
The Electronic Security System (ESS) is critical for providing a secure environment and protecting the safety of tenants. Elements include: anti-theft security and alarm system, electronic control system, physical access control system, closed-circuit tv surveillance system. The ESS is typically monitored by security personnel in the SOC.
ICS systems are often integrated with mainstream organisational information systems to promote connectivity, efficiency, and remote access capabilities, the WBDG says. The “front end” portions of these ICSs resemble traditional information systems in that they use the same commercially available hardware and software components. While the majority of an ICS system still does not resemble a traditional information system (IS), the integration of the ICS’s “front end” with IS introduces some of the same vulnerabilities that exist in current networked information systems.
As these systems and components became digital and IP enabled, the interconnects to the organisation network and business systems began to expose the organisation to exploits and significant vulnerabilities. Typically, there was not a clear line of demarcation where one system started and one ended.
That lack of separation between one system and another is the key to understanding the cyberthreat to the access control system. The system can either be hacked via your corporate network, enabling someone to gain physical access to your building or an access control device such as a card reader can be compromised and used as a gateway to the company IT system.
The US government is actively dealing with the threat to these new hybrid systems through its Computer Emergency Readiness Team (CERT). The ICS-CERT team works to reduce risks in critical infrastructure by working with law enforcement, the intelligence community and system owners, operators and vendors.
It monitors attacks nationally and says that the number of incidents is rising exponentially. You can learn more at www.wbdg.org/resources/cybersecurity.php.
Separate no more
Senstar is one company that has been thinking about the cyber threat to physical security systems for some time.
In a report published last year, entitled “Cyber Threats in Physical Security: Understanding and Mitigating the Risks”, the company observed that security systems which ten years ago would have been physically separated from other electronic devices are now increasingly linked through IP.
Excluding intruders from the site was considered sufficient protection against the compromise of the system. As we have seen, even banks employing the most sophisticated cybersecurity are vulnerable to hacking, so what chance your physical security system against a determined attacker?
Almost all new security equipment is IP-based, but unlike the banking system, they may actually be more vulnerable to attack because of how they are deployed, according to Senstar’s VP for Cybersecurity Products, Iftah Bratspiess.
Bratspiess points out that many systems include components which are installed outdoors, close to perimeters, leaving them physically accessible. Furthermore, some security managers may mistakenly believe that their systems are separated from the internet which, combined with a lack of skills in IT security, could make for a dangerous mix.
In its whitepaper, Senstar further warns about the fragmented approach being taken to security both by end-users and manufacturers. In many organisations, physical security and IT security are separate departments, so there is limited cooperation between the two. In the security industry itself, the market is fragmented into many small companies, therefore there is no one taking overall responsibility for ruggedizing systems.
So what would an attack look like? Having gained access to your network via a compromised device, one could neutralise alerts by blocking or saturating alarms, streaming false data including fake CCTV images, grabbing access control credentials to create fake access cards and even reaching beyond the security system to compromise building management systems or damage production systems.
However, theirs is not a counsel of despair – security systems have some qualities that make them easier to secure than most IT systems. This starts with the fact that the configuration of security systems tends to be more stable than corporate networks. Adding new authorised devices is an unusual occurrence and when it happens it’s almost always planned in advance.
Senstar makes two products for securing security networks which it believes are unique in the market –an industrial Ethernet switch called Tungsten and a monitoring system called Rubidium.
Tungsten monitors the flow of information across the network as well as the physical configuration of the system. Given the predictable structure of the network, it will generate an alarm in the event of unauthorised changes, says Bratspiess. In addition, it will monitor the flow of information and issue an alarm if there are any deviations from the norm.
Rubidium provides the management layer and can manage multiple Tungsten units.
As Mark Novak, the Managing Director of Senstar says, awareness of the threat to IP-based security systems is still relatively low. It’s only in the past three to four years that it has started to become an issue with consultants and customers, since when it has started to appear on the radar for security system integrators as well.
Novak said he welcomes the release of the GAO report on access control vulnerabilities as it may help to stimulate a debate as to how best to secure the security devices themselves.
Traditional risks to access control devices and systems
While cyber is the new attack vector against IP-enabled security systems, that’s not to say that they don’t remain vulnerable to traditional attacks.
Sarah Phillips, Product & Marketing Manager at TDSi, told us that there are a number of threats to systems both cyber and otherwise.
“Access control will always chiefly be under threat from anyone trying to gain entry to restricted areas, be that protecting physical assets (such as a warehouse or retail outlet), logical assets (such as a data centre or public records building) or vulnerable people (such as a hospital or school),” she said in an email. “Cyberattacks are certainly a possibility, with integrated IT and security systems seemingly presenting an appealing target. It is worth remembering that security systems have evolved alongside the threats and modern solutions anticipate and block many of these attacks.”
So what can end-users do to protect themselves?
“As well as straight-forward head-on attacks by potential intruders (literally trying to force entry) there is equally a danger of authorised people unwittingly granting access to intruders (or being forced to do so in a hostage or intimidation scenario). All security systems are only as good as their weakest point, so organisations and users need to be fully aware of this and to ensure good basic practice,” she said. “Authorised end users need to be aware of the trust placed in them and if they use security tokens/cards these need to be treated with the respect they deserve. Equally, users need to understand the dangers or granting ‘friendly’ access to visitors in restricted areas and to ensure protocols are maintained, even if this seems awkward or unhelpful.”
What are the potential consequences of a successful cyberattack against an access control system? Apart from the risk of unauthorised physical access to a building, are there related threats to other security systems?
“Potentially a successful cyber-attack could compromise an access control system if the security solution lacks effective fail-safe procedures. This would be especially acute in a situation where the physical access guards access to logical assets, such as sensitive medical records in a data centre for example. Potentially integrated systems could also raise a question mark over whether they open up greater vulnerability by combining previously separate systems. However, being able to cross reference a situation through different integrated security systems could actually make it harder for an attack to be successful. An attacker would have to outwit a number of different systems, which would be much tougher as long as the security team and operators have the right procedures in place to deal with this.”
Access control systems have traditionally been subject to physical attacks. These include shoulder surfing to spy on the access code. Alex Zarrabi, CEO at TBS, tells us: “Any means of access that can be copied is a potential risk. Thanks to digital keypads, we can scramble a PIN to avoid others from memorising the sequence you type on the keypad.”
He also highlights the security advantages of RFID badges and the biometric tokens. However, he warns that for every advance in security, new loopholes are found such as faking people’s fingerprints – a problem TBS believes they have overcome with the TBS 3D touchless finger scanner.