At the end of August 2017, 352 poorly secured Australian CCTV cameras were discovered to have been hacked, and were actively broadcasting footage of the inside of people’s homes and local businesses. Whilst the thought of being watched by someone malicious is a terrifying prospect, it is arguable that organisations, public and private, have more to lose if their access control system, rather than CCTV, is compromised. Access control has the crucial duty of protecting people, assets and data. If a criminal hacked into and by-passed an access control system, they could get their hands on all manner of sensitive data, much of it even more sensitive than a live video feed.
An area particularly at risk is the town centre where many organisations – public and private – each control their own small systems, with little or no central co-ordination and management. In any town centre in the UK you’ll see many different access control applications. For example, your library card may also act as access control to the library building. Access control also manages bollards and barriers that limit access to pedestrianised areas. Certain vehicles such as rubbish trucks and emergency services still need to access these areas, so physical barriers must be retractable via a key, smart card or automatic number plate recognition system (ANPR). Due to budget constraints, however, many town centres are using legacy access control devices or are relying on non-unified systems which leave physical security technology vulnerable to attack and cloning.
Legacy access control systems are a risk. Say a council locked their data centre behind doors controlled by a system that used unsecure 125Khz proximity access cards – these cards can be copied for a couple of pounds, and readers to controller data can be hacked via their cabling. Cyber-criminals can also infiltrate weak, or poorly strengthened systems, by hacking into un-secured ports, or infiltrating the network via infected USB devices. As well as this, if a user clicks on a malicious link in a phishing email, an attack could spread and compromise the entire system.
It is the security product vendor’s responsibility to provide both their trained channel partners and customers with high quality, secure hardware and regular security updates. However, it is the duty of internal staff to ensure that such security updates are applied, that all PCs within a network remain secured and that all unnecessary ports are locked down.
Upgrading to a unified system can be highly beneficial for public sector organisations operating within a town centre environment. There are many reasons behind this, but from a cyber-security perspective the foremost is that IT security measures can be centrally managed and deployed. Users should also take advantage of the cloud. Secure cloud environments that criminals can’t physically access are a much safer choice than relying on a vulnerable, on-premise, out of date machines and software. Unified systems that combine CCTV and access control not only provide a better record of events but can also be used by remote monitoring services, maybe outside of normal hours, to authenticate users against a stored photo. Finally, using the most trusted and electronically certified hardware and latest protocols such as TLS 1.2 (Transport Layer Security) ensures that your network devices only communicate with the authorised servers either on site or in the cloud.
Manchester City Council (MCC) is a great example of a public sector organisation within a town centre that successfully balances protection and accessibility. Overseeing the UK’s second most populated urban area, MCC provides services to residents from three buildings. In addition to being open to the public, these buildings house government staff and officials as well as sensitive information and historical documents. As a result, the buildings have some restricted areas.
Rather than have multiple reception areas that block the public, MCC uses its physical security system to grant access to different areas. With a solution made up of access controlled doors and visitor ID cards, they can pre-establish where individuals are allowed to go based on factors including need and authorisation. All publicly available machines and devices have no open ports, all systems are hardened and the security infrastructure continues to grow towards full unification.
Ultimately, the end goal of any access control system is to protect people, assets and data; the town centre is a hub of all these things so should ensure that the best physical and cyber security measures are in place.