Knock knock: cyber resilience and building access controls

25 May 2020 (Last Updated December 15th, 2020 11:59)

Connected building access systems have introduced a range of features to make access control more secure and convenient for users. But as with any IoT installation, cybersecurity is a key concern. 2N chief product officer Tomáš Vystavěl lends his insights on making modern buildings cyber-resilient as well as physically secure.

2N has evolved into a solution provider in its own right, introducing a portfolio of intercoms, answering units and access control systems based on its Helios software platform. Credit: 2N

The rise of connected, IP-enabled cameras and access systems is transforming physical security and access control in offices and homes. Commercial installations came first, with offices and production facilities taking advantage of the benefits that networked systems can bring, from updating and customising staff security credentials to accessing areas with no more than the tap of a phone.

Physical security can be greatly enhanced when reception staff can see as well as hear guests via intercom before granting entry, or by the ability of connected CCTV cameras to alert off-site responders to unauthorised entrants. IP access control systems can also be customised with a range of integrated software bringing new features or security measures.

And in 2020, it’s not just offices and factories that can access these advanced IP functions. Modern residential building projects are increasingly baking IP security systems into the design and construction phases, or retrofitting them into existing developments. For tenants and homeowners, the ability to respond to their doorbell remotely or even grant access to pre-agreed visitors while they’re out is an upgrade in both security and lifestyle.

But making use of these internet-enabled features doesn’t come risk-free. As is the case with any IoT device, connectivity opens the possibility of cyberattacks from the outside. In this sense, a building’s cyber-resilience has become just as important as its physical security, and both must be guarded in tandem.

Tomáš Vystavěl is the chief product officer at 2N, a global provider of IP intercom and access control systems. When Vystavěl joined the company more than ten years ago, it provided intercom units and other boxed systems, but has since evolved into a solution provider in its own right, introducing a portfolio of intercoms, answering units and access control systems based on its Helios software platform. The most recent addition to the range is a cloud-based service, My2N, which provides another option for users to configure access settings.

Below, Vystavěl discusses the best ways to mitigate cyber-risk in building access systems, the challenges of integrating third-party software securely and the potential benefits of connected access controls amid the Covid-19 pandemic.

2N chief product officer Tomáš Vystavěl. Credit: 2N

Chris Lo: Amid the current outbreak of Covid-19, do you think IP access technologies can improve a business’ ability to maintain social distancing rules or safely re-open earlier, once lockdowns have been eased?

Tomáš Vystavěl: Yes, definitely. There’s one big advantage of the IP access control system, or any IP-based system in general – the flexibility. For example at 2N, we have some corridors in our production facilities that we have split up for different shifts so [staff] don’t meet each other. You can tape an area off, but anybody can walk behind the tape. So it’s more effective to simply change the [access] rules more dynamically. This is, I believe, much easier with an IP-based access control system.

We also have requirements from hospitals. I met a few people from one of the biggest hospitals [in the Czech Republic], and what they are challenged by is if there is a Covid-positive patient. For example they had a woman who was pregnant and when she got there she tested positive for Covid, but they don’t have a quarantine for the team responsible for childbirth. So they had to create a quarantine in the surgical area for childbirth, and they need to be flexible in that.

So they needed to install an intercom to be able to talk to the patient, because anytime they enter the quarantine they have to cover themselves with a special suit, which is costly because it is then disposed of, and at the same time it’s time-consuming. They also told me that most of the infected doctors were infected because they didn’t know how to properly take the clothes off, because it’s covered by the virus and they need to be very careful when changing. These challenges are better addressed by the IP systems because of the flexibility.

CL: What kinds of cybersecurity risks can be introduced with a connected access system like this?

TV: It would be very similar to the attacks you could expect on an IP camera, or even on your home router. So there are port scan attempts, for example, that are on the internet very commonly. We’re not trying to scare people that there is some dangerous world behind the IP door that they should be scared of, because at the end of the day there are certain rules – we have seven rules on how to be safe – and if you follow them, you will not threaten the company or expose the whole installation to hackers.

Starting from the port scan attack, for example, when somebody is scanning for open ports, what you should do is secure your router so you are not using it for remote-configuration port forwarding. So you are forwarding some ports to your device behind the firewall, but you might be using a cloud-based service like My2N that is able to establish an encrypted VPN tunnel from our cloud, where we can ensure the connection with your computer is secured behind the firewall without having to expose open ports to the internet.

CL: What cybersecurity measures are built into your products to make them more resilient?

TV: Taking tamper resistance as an example, all of our new products are equipped with a tamper switch. This gives two possibilities on how to use it.

The first is that it could be connected by a simple switch to some alarm system, which in some installations is pretty common. The second is that we are able to sense [tampering] within the software, and we can react, generating a call to guards to warn them about tampering on a specific device. At the same time, we could trigger the video surveillance system to start recording. This is the usual scenario that we see.

There are some special protocols that we have implemented, starting with secured SIP and secured RTPs [real-time transport protocols], so all communication signalisation and voice can be encrypted and nobody is able to listen in or break into the signalisation to, for example, get your username and password that you use for registering.

We do regular firmware updates – every four months, we release new firmware for all of our devices. It contains, of course, new features and improvements, but also bug-fixes and security patches.

CL: How does integration of third-party tech in an access system complicate the cybersecurity picture, and how can the risks be minimised?

TV: The approach we have is that if we’re not able to tell that a third-party device is coming from a company with the same standards on device design and approach to intellectual property, or if we’re unable to test it, we don’t recommend it to be used with our devices. We don’t want to make it like a blacklist of devices, but that was the reason we started with the integration portal, where we want to have all of our third-party partners.

It’s not like we don’t want to be integrated – it’s the opposite, because 2N is building everything around integration, we want to be as open as possible. But we want to recommend devices that we’ve tested and we have some relationship with the manufacturer, and we can be sure – not 100%, because you can’t make a flawless device – that we can make the whole installation secure.

CL: How important is it to educate individual users about mitigating the risk of cyberattacks?

TV: Actually I think it’s more important than the whole development process we have at 2N. You can make a secure device, but if somebody sets it up the wrong way, you can really throw out all the development efforts we made to make the device secure enough.

For those in the office environment, these companies know how to make the whole system secure, because they’ve been installing it for a long time. But on the other end of the market, where we’re talking about residential, there are a lot of installing companies that were doing a great job with the two-wire systems, but after moving to IP they don’t have these habits, this experience of installing such systems.

So for us education is not only about the cybersecurity page [on the 2N website] – that’s just a teaser to attract these people to the topic. The most important thing is that we’re doing regular free training with these people, and that’s where we talk about cybersecurity, how to set up the device, what to avoid, what to use, how to configure everything to make it secure.

CL: How do you expect the technology to evolve in the next decade?

TV: There are several hyped areas that we can see, even related to the Covid-19 lockdown these days. I don’t see face recognition as a big general trend. Everybody’s asking about facial recognition, but in general it’s mostly popular in Asian countries – China, Korea and so on. That’s because they’re used to it – from the government, it’s a very advanced society in South Korea, for example, which uses such technologies.

In Europe we’re seeing more of a decline in these technologies, because of GDPR, and because people don’t want to share their biometric credentials that much. So what we see as a better trend for 2N is mobile credentials. Biometrics like facial recognition, we see as something that will not be adopted that much by European society. Biometrics like fingerprints, because of the hygiene factor, will not be adopted at all, I don’t think.

But mobile credentials, in terms of convenience of use, is the very same as a biometric credential because you have your phone with you all the time. You don’t have to give somebody something that is unchangeable – once I have your picture, I can deal with it and you’re not able to revoke your consent and delete.

Whereas if you have an application where you create a credential that you use for access control, you can simply delete the credential or turn off the application, and you’re not trackable. So mobile credentials – whether it’s through Bluetooth or some ultra-wideband applications that we’re seeing now – are something we’re investing in, and for the next year we’re preparing some really nice changes in our portfolio regarding Bluetooth technology.