Increasing Security for Legacy Access Control Systems
Exploring how companies can utilize legacy equipment to raise their level of security
By Jeff Smith
Jeff Smith, CPP, CDT, is Principal, Vice President at TEECOM in Oakland, California
Google the phrase “hack access control card” and you’ll be treated to countless stories, how-tos and warnings about vulnerabilities in today’s legacy 125 KHz proximity access cards and readers. Despite few documented incidents of someone cloning an access card and entering a facility to perform nefarious deeds, owners and security managers should be concerned.
Why Is It Important To Update Legacy Access Control Systems?
Why? Because it’s easy to take a card reader off the wall and attach a small circuit board that transmits cardholder data to someone nearby as each person enters the door. The copied data can be used to create access cards and gain entry to the building. You could even take your proximity card to your local home goods retailer and have it copied in order to keep one in your desk, one in your car and one in your bag. Does this sound like a secure credential? So how do companies utilizing legacy equipment raise the level of their organization’s security?
The answer is to acquire technology that is both secure and forward compatible as well as develop a comprehensive implementation plan. The basic approach is to implement smart 13.56 MHz encrypted cards, smart 13.56 MHz multiformat card readers, Open Supervised Device Protocol (OSDP) enabled products and work with manufacturers that support the encrypted data chain from access card to access control panel. These basics should also include your cybersecurity practices and be implemented in conjunction with your IT team’s best practices (changing default passwords, creating and implementing firewalls and educating users on phishing attacks).
What To Do With An Insecure Legacy Access Control System?
If you’re using a legacy system that you know is no longer secure, you don’t have to forklift the entire thing out tomorrow. Take an incremental approach. If you already utilize Prox access cards, you might start by adopting dual-form-factor cards with 125 KHz Prox and 13.56 Smart formats on the same card as a bridge to your upgrade strategy. The next step would be implementation of OSDP multi-format card readers, ensuring secure communication between card and reader. Lastly, upgrade to card reader panels utilizing OSDP data format. These are typically located in the building’s MDF and IDF rooms. These incremental steps will provide a secure data communication chain from access card to card reader to access control panel.
The point is that your security system upgrade can be done incrementally and as allowed by a limited budget. Our goal is to magnify your limited security dollars and ensure they are stacked on top of each other instead of being expended on disparate, ancillary efforts. Use an experienced security consultant and the access control system manufacturer’s professional services team to help you devise a solid plan, map out the implementation strategy and clean up the existing card holder database as part of the project.
Updating Legacy Systems with OSDP Access Control?
When choosing an access control system manufacturer, look for those that use open-sourced OSDP access control hardware boards as well as industry standard OSDP multi-format card readers. Commoditize as many of the security system components as possible so that you as the owner can migrate onto a new software platform with virtually no changes to your currently installed field hardware if desired in the future.
Supporting Legacy Access Control Systems
Your facility’s physical and cybersecurity is only as strong as its weakest point, and unfortunately in many cases that weak link is the access card’s data transmission chain. By modernizing your system, you raise the level of protection for your company, ensuring the safety of your employees and the protection of your company’s assets, including intellectual property. Manufacturer-agnostic physical security consultants can help clients select systems and components that meet their specific security requirements.