Securing Access Control Installations Tutorial

By Brian Rhodes, Published Oct 17, 2019, 10:25am EDT

The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be circumvented or shut down by an adversary.

** **** *****, ** done *********, ****** ****** of ******** *** ********** access ********** **** ********** cost. **** *** ****'* 5 *********** ***** *** options:

  • ******* *********** ** ****** Side ** ********
  • **** ***** ******* & Server ***** ******
  • **** ********** & ******
  • *** ****** ******* & Alarms
  • ********* ************ *******

*******, *** **** ** the *** **** **** your *********.

Install *********** ** ****** **** ** ********

*** '****** **********' **** of *** ******* ** typically *** ****** **** unless ******* **** ******* or ***** ************ ***** one ** ****** ** lock ****** **.

**** * **** ** access **********, *** ****** is ** **** ***** unapproved ** ***** ** the '********* ****' ** occupants *** ****, **** called *** '*******' ****. While *** ***** ***** of ***** ***** *******, most ************ *** '****** the ****** ****' ** be *** ******* ****.

*** ***** **** ******* ***** ***************** *** ********** ** Secure ** ******* **** of *****:

******** ********* ******* ********* on *** ********* **** leaves ** * ****** to ***** ********** ** force *****.

******* *** ********* **** is *** **********, ***** should ** ***** ** mitigate *** **** ** exploiting ** ******** ****** control *******. * *********** step ** ** ******* as **** ** *** access ******* ******** (***********, power ********, *******) ** the **** ** ******* side.

***** **** *** **** to ** * *** of ****** *****, ** is ******** **********. **** this *******:

**** ***** ***** *** 'unsecured' **** ** *** door, **** *** ****** reader *** ******* **** facing ******* *** ****** door. *******, *** ********** has ******* *** ******** door ********** ** ***** sight ***** *** ******* on *** ****** ****.

*******, ******* ******** *** tampering ** ****** ********* by ******** ****** ******** on *** ******* **** of *** *******. ********* the ******** ** *** same **** *** **** expensive *** *********** ********** devices ** * ***** area.

**** ***** ***** ******* on *** ******* ****, mounting ******** ** * discrete ******** ** *******. Simply ******** ******* ** the **** ***** *** opening ***** ******* ***** puts ****** ******* ********* out ** *****, *** of *****,*** *** ** **** for ********* *******:

**** ** ***** ** access *******, *** **** of *** ******* *****/******* cabling ****** ** ******* during ******.

**** **** **** *********** or ********* ******* *** at ****. **** *** example ***** *****, ** a ******* ******** ** outside ******** ****:

** ***** ** ****** the ******* ********, **** the ******* ***** ***** to ** ***. ** note *** ****** ****** to *** ***** ***** in ********** ********* *****,***** ********** **** ******** need ** ******** *******.

Keep ***** ******* & ****** ***** ******

*********** ****** ******* ******* use ******* ***** ** servers ** ********** ********, and **** '****' ***** of ******* ********* *** centralized ******* *******.

** ** ******** ******** policy ********* ******** ***** locations ** **** ****** and ****** ** ****** few, ** *********, ***** doors *** ******** ********** by *** **** ****** system **** *** **********:

*** ***** *****, *** server *****, ***** ******* or ******* ** ************, despite ***** ******. **** and ***** *** ** shared, *** ******** ***, over **** ******* ***** areas ************ ** **** loosely *********.

********, ******* ***************** ******* ****** *** Schedules*** ***** ******* & Server ***** ***** ************ employees **** ******** ********* areas **** ****** ***** if **** ***** ******* a ****.

***** **** ***** ** not ********* *** **** of ****** **** ******* closets ** *** ******** access ******* ******, ******** that **** '*****' ******* should ** ****** ** well. **** *** **** or **** ** ****** access ******* ** **** to *******, * ****-******* system ** ********** ***** and ****, ** **** a '*****-*****' ********** **** keeps *** **** ** bay.

Lock *** ****** & **********

**** **** **** ****** locked *******, ***** ***** often *** ****** **** other ***** ** ********** systems **** ********, *******, or **** ********** *****. While ********** ** ****** may ** ****** **** for *** ******* ******, there *** ***** ** the **** ** ************ individuals ********* **** *******.

**** ********** ****** ******* include ******** **********, **** the **** ***** *****:

***** ********* '***' ******** a ***** **** ** kept ****** ** *** times. **** ***** **** ensures **** *********** ********* is *******, *** ****** keeping *********** ****** **** and ******* ******** *** keys ** * *******, low-cost ****.

Use ****** ******* & ******

**** ******* *** ****** include * '****** ******' that *********** ******* **** a ****** *** **** knocked *** * ******** point ** * ***** has **** ******. *************, these ******** *** ***** left *********** ** ************ to **** ******, ***** they ** *** ********* a **** ******* ** the ******.

*******, *********** *** ******* locks *** ** ******* or *********** ******* *** the ****, ******* *****. Properly ********** ****** ******** can ****** *********** ** seconds **** ********* ******, rather **** ***** ********** hours ***** *** ****.

**** ******* ******* ******** tamper ******* ** ********, and *********** **** *** use ***** ******* - another ***********, *** ******** method ** ********** ****** integrity:

Integrate ************ *******

*******, ******* *** **** expensive ****** *** **** provide ******* ********** *** immediate ********: *********** ***** and ****** ********. **** cameras *** ******* **** access-controlled ********, ********* ********* or ************ ***** ******** are ****** ** ******.

********** **** *** ********'* surveillance ****** ** ******** monitored, ***** ******** *** stop ****** ** ********* before ** ******.

*******, ***** **** *********, the **** ** *********** the *** ******* ******** can ** ********** ********* (several ******* ******* *** door) *** ******* ********** cameras ** *** ******* installed. ** **** *****, the *********** ******* *** two ******* **** ** used *** **** **** just ********** ********* ** threats, *** ********* *** the ************ ** ***** passing ******* *** *****:

Use ****

***** *** * ******** security ************* **** ******* enclosures ** ****** ********, OSDP ******** *** ****** bus ** *********** *** connection ******* *** ********** and ********** ******.

****** *******, ***** ** unidirectional *** ****** **** from ****** ** ********** only, **** ** ************* and *** ***** ****** users ** ******* ********** separates *** ****** **** the ******.

*** **** ** ****, catch ******* ****** ******* *****.

Quiz ********

**** *********** ****** ******* *******.

Comments (13)

I would add to the panel tamper recommendation and have them go to a UL listed central station. Panel tamper alarms that only go to the access control UI can be easily overlooked. If they go to a central station you will get a better notification and response procedure.

If your hardware cannot send signals directly you can use global I/Os to monitor the enclosure tamper switch to trigger an intrusion alarm zone.

I recommend global I/Os because you can use the closest access control panel to the alarm panel for the trigger. Also you can group the tampers and use one alarm zone. To get details you would use the access control UI. This will save hardware costs and as you add enclosures all you have to do is add the tamper to the group and you are done.

(caveat....not all global I/Os are created equal....check with manufacturer...)


I agree except not all tamper switches are created equal. In my experience too often the tamper alarm will send a false signal either due to a poorly manufactured tamper switch or a cabinet lid that gets warped over time.


I know IPVM has done articles on it, but do not sell/spec prox readers and credentials. That is 90s technology that can be hacked, duplicated, and cloned easily. Use at least iClass.


You can state it until you’re blue in the face, and they will still be used and installed because there are so many companies living in the dark.

Windows 7 will be in the sunset soon. Perhaps manufacturers sunset 125kHz and be responsible by not contributing to the insecurities. They should have stopped selling it a while ago or at least suggested moving and staying after a certain date it will no longer be sold/supported.

To actually be a part of surprising a hospital and a large company claiming to have knowledge in access control by proving how insecure the system was was very amusing to me considering I have still yet to enter the access control market. I don’t claim to be an expert in the access control field. I just happen to be able to read and can purchase a duplicator on eBay.


I thought the same thing about manufacturers no longer making the old prox credentials and sure you can get the big boys to stop but I don't think you could ever get the cheap cards made in China and sold on Amazon to ever go away.

You are right though at some point it has to stop.

If the major access control companies would have programmed into their system if a cloned card was used then this might help to convince customers to start switching away quicker. When a card is cloned there is extra information put onto the card. I know ICT does this but not sure if others do or not. Of course there may also be a way for this to be overcome with the closer as well.


Well said.


Great article Brian. One note for those reading if you must put the controllers above the ceiling, which I don't like to do but sometimes you don't have a choice, make sure the mounting location is somewhere you will be able to service the equipment at a later date. Directly above the door will always allow for service but often makes it a pain as people will ALWAYS want to walk through the opening even if there is a door two feet away.

What usually happens is the equipment is mounted above the ceiling and that location looks as though nothing will ever be put under your equipment but Murphy's law says otherwise and they will put in some 1000 lb bookcase you can't move or extend the cubicle over and then you can't reach your equipment as the desk extends so far out.

As I always say to the installers, just imagine that you have to come back and service this some day. You will want servicing this equipment to be as trouble free as possible.


I might mention not installing gear that isn’t listed for plenum use in a plenum ceiling above the tiles. Even though it’s metal, some inspectors get a little picky.


Good stuff!

I always quote alarm panels with locks and tampers, and I always quote enclosures, locks, and tampers when selling more expansion modules than can easily fit into a panel enclosure. I'm always surprised by how many people forget about them.


When it comes to access control, the risk of any exposed power/control cabling should be avoided during design.

This is not only true at the door but also in the data closet. So many times I've seen cans plugged in to a nearby outlet rather than having the power hard-line piped into the enclosure. A locking outlet cover might help in this case but the wires can still be cut (might tingle a bit).


Good article.


Great knowledge in the installation of controller.


Tamper switches should be considered more, I agree. There are a variety of them for different applications. Also, I've seen EAC systems where the installer has left the key in the lock or on top of the controller. That's the customer's decision as to where the key is stored in my opinion.
