Around lock sat in the front of Joseph Bramah’s shop in London with a challenge displayed on the window: whoever could pick the Bramah Precision lock would win 200 guineas (roughly $30,000 today). That challenge would remain for 67 years until A.C. Hobbs—an American locksmith—took up the gauntlet.

Hobbs brought a great deal of experience to the table. He had gained recognition in America for demonstrating to bank managers that their locks could be picked, so they should be replaced with locks of his own invention.

At the Great Exhibition hosted in London in 1851, Hobbs announced after successfully picking a Chubb “Detector” lock that he would open Bramah’s creation. Bramah’s sons set Hobbs up with a workspace above their shop. For 52 hours, Hobbs worked at the lock until he successfully picked it.

Hobbs’ success became known as The Great Lock Controversy, striking fear into the hearts of everyone who had previously used the Bramah lock—including the Bank of England—because they believed it could not be picked. Their sense of security was shattered.

Since then, methods for locking doors and controlling access have changed with the times and technology advancements. Now, instead of having a guard monitor and log when a door is unlocked and opened in a facility, and then verify that that individual is allowed to do so, most organizations rely on access control systems. And often, these systems are connected to the Internet—making them vulnerable to cyber intrusions.

“Older access control systems were not meant to be tied to the building network or the organization’s network,” says Coleman Wolf, CPP, CISSP, senior security consultant for Environmental Systems Design, Inc., (ESD) and a member of the ASIS International IT Security Council. “There are adapters that can be used to put those on the network. They function just fine. I can access the control panel from my desk, but the security isn’t always the best.”

The access control system is “meant to provide a function, but either the device was not built to have password protection or the person who installed it wanted to get it up and running, so they didn’t put in the effort to install the security with it,” Wolf adds.

The Basics

By connecting an access control system to the Internet, the system becomes part of the Internet of Things (IoT). Typical IoT devices include thermostats, electrical outlets, light switches, refrigerators, smart speakers, and doorbells. They also now include—in the security arena—cameras, alarm systems, smoke detectors, locks, and other access control devices, says David Feeney, CPP, PMP (Project Management Professional), and advisory manager of cyber and physical security risk services at Deloitte.

“Before IoT, everything that was connected to a network was a network device in the traditional sense,” explains Feeney, who is past chair of the ASIS Physical Security Council. “Now, almost anything can be a network device. And while the computer industry has had decades to incorporate security into its products, services, and overall DNA, IoT is essentially a toddler—growing rapidly but with most of its maturation still ahead.”

All of these IoT devices face a “gauntlet of cyber threats,” Feeney says, including malware, man-in-the-middle attacks, brute force attacks, dictionary attacks, IP spoofing, denial of service and distributed denial of service (DDoS) attacks, session hijacks, and more.

“The difference that IoT brings is that the attack surface—the aggregation of all points at which an attacker can gain access—is now exponentially larger once access control and other IoT devices are added to the network,” Feeney adds.

It might seem obvious why someone would want to compromise an access control system: to unlock the doors to a building to gain entry.

“The first thing that people think about is that once they’re inside the system, they have control over the system so they can unlock doors or disable sensors—things that are part of the actual mission of the access control system itself,” Wolf says.

For instance, in a worst-case scenario at a highly controlled environment like a hospital, a compromised access control system could be used to lock surgeons out of an operating room or open doors to the pharmacy.

But there’s another equally concerning reason someone might want to hack an access control system, Feeney adds.

“Your natural first thought might be that access control systems are attacked because attackers want to gain access to an area, and the system is standing in their way,” explains Feeney. “That is one reason. But the reason is often that an attacker simply wants access to the network, and an access control system is as good an entry point as any other.”

Regardless of the method of infiltrating an organization, attackers are often looking to infiltrate the network and then move within it to gain access to more sensitive or valuable information.

Hackers used this method during the infamous Target breach in 2013. They compromised a third-party vendor, obtained valid credentials from an unknowing authorized user, and connected to Target’s network using its vendor-portal process. The malicious actors then leveraged this access to obtain payment card data and personally identifying information about Target customers.

“Maybe there are employee databases where they could steal information,” Wolf says. “Or they could use that access to spread ransomware, where files and systems could be encrypted and held hostage—forcing the organization to pay to free up that information.”

Leveraging an intrusion into the access control system to the organization’s building system could also pose safety risks to employees—such as setting off a fire alarm—or equipment.

“If you’re able to control the HVAC system, you could prevent cooling of data center space, so servers start to overheat and fail,” Wolf says. “And that can cause interruption of business or operations.”

Mitigating Existing Risk

Despite the numerous vulnerabilities that exist, there are myriad ways to mitigate the risk of compromise to an access control system.

“I work with a lot of clients who don’t have any drawings of where their devices are—they are flying blind,” Wolf says. “They don’t know, if something goes wrong, where to go and what component to look at.”

The first step for security pro­fessionals with an existing access control system that is connected to the network is to fully understand the system—where the readers are, how it works, how it is connected to the network, who has access to the system, and who has administrative privileges over it. Then, all that information should be documented.

“Identify where everything is and, probably most importantly, how those devices intercommunicate with each other and the outside world,” Wolf adds. “An Internet connection is one thing, but with older systems we’ll see a DSL line or dial-up modem connections to systems so a contractor can log in and make changes to the system.”

These systems may have been installed decades ago. People often forget about those connections, which could be used by malicious actors to infiltrate access.

Wolf also recommends security professionals working with an existing access control system connected to the network assess if it meets the organization’s current security requirements.

Starting from Scratch

For those in the fortunate position of installing a new access control system, the process should start with a “soul-searching discussion” on the risks and benefits of connecting that system to the Internet, Feeney says.

“If there isn’t a significantly com­pelling benefit to essentially adding a door to your network, it is arguably not worth doing,” he explains. “In the case of access control, there may be a strong case for doing this—especially if the desired end goal is moving to the cloud. In this case, be sure to leverage best practices to incorporate security into your new network architecture.”

The organization should consider if the access control system should be on a network separated from other assets. Doing this will help mitigate the risk that an intruder will use the access control network to obtain corporate information.

“If the ultimate goal is to move your access control system to the cloud, this network separation can still be done at the organization level,” Feeney says. “The separate access control or IoT network will connect to the cloud infrastructure. The original corporate network will separately protect all other assets. So, if the access control network’s connectivity is compromised, the attacker will not get access to the corporate network.”

Once a decision is made about what network the system should reside on, the organization should designate who is responsible for that network and the day-to-day management of it. This is critical because the system will require regular patching and updates to mitigate new security threats.

“Often an organization’s IT department is better equipped to maintain the system because—if they’re a good IT organization—they will have a patch management process in place to make sure that the network switches and all the network servers are up to date,” Wolf says.

When purchasing the actual access control system, the individual responsible—such as the physical or IT security representative—should ask vendors how data from the reader to the master console is protected, says Darrell Brown, CISSP, information security program manager at La-Z-Boy Incorporated and member of the IT Security Council.

“Is that data in transit encrypted? At what level? And what is the right fit for my company?” Brown adds.

Organizations should also ask how often the vendor itself issues patches to its products, and what the process for issuing those patches is.

“Proactively query your providers about patches and security updates to your hardware,” Feeney recommends. “Many access control devices traditionally get patches because customers request a feature or report an error that requires the patch. Instead, patch these devices like you do your computer—proactively as part of a comprehensive security strategy.”

Organizations should also have a robust master service agreement that outlines expectations and the responsibilities the vendor has to the organization.

“Have clear lines that delineate who owns what part of the system,” Brown adds. “Who’s responsible? Where’s the backup? Is there a backup? How do we ensure failover to it?”

And while the system is being installed and implemented, security professionals should ensure that the process follows best practices for maintaining good cyber hygiene. This starts with disabling default passwords to create strong, unique passwords for the system, and limiting administrative privileges.

ESD frequently encounters operating systems set up to automatically give administrator privileges to any users.

“Most people don’t need that, and by restricting that, you’re ensuring that if a bad guy were to gain access using one person’s credentials, they wouldn’t have the ability to have administrative rights over the whole operating sys­tem,” Wolf says.

Access control systems, like all locks, can be compromised by motivated actors given the right circumstances. Security practitioners should not assume that the system itself is secure.

“Security is ideally a shared responsibility between consumer and provider,” Feeney says. “You’ll find this to typically be the case. But where the separations of responsibilities lie can differ greatly. For that reason, always check your service level agreement to understand what security responsibilities your provider has and what is left to you as the consumer.”

Megan Gates is senior editor at Security Management. Contact her at [email protected]. Follow her on Twitter @mgngates.