The vulnerabilities of 125 kHz prox cards are now beginning to become public knowledge. Organisations unaware of the vulnerabilities of using proximity or handsfree cards or tokens in medium security applications are advised to contact their security advisors.
Advice and guidance are available to end-users on planning, designing, specifying, tendering, implementing and maintaining access control systems.
System design and project management services are available to installers of networked access control projects.
Access Control Systems
Access Control Systems can have a major impact on the security and daily functioning of an organization. This article outlines fundamental issues to be taken into consideration by system purchasers.
There is a well-known process that most people go through on the loss of a loved one: anger, denial, bargaining, depression and finally acceptance. Similar reactions arise when a large organization embarks on installing a comprehensive access control system. However, once acceptance is reached, which often takes one to three months, a reversal of attitudes is frequently seen. Instead of the standard curse heard before acceptance whenever a cardholder approaches a door operated by an access control card reader, a sense of protection is acquired.
Access control systems are complex and they need to be carefully planned to ensure effective integration into the business operation.
As always in large technical projects, the technical problems can be difficult to overcome, but not always the human ones.
When thinking of introducing an access control system, one needs to bear in mind several key points. These card access systems can cost a lot of money and take up a large amount of company time, and 95% of access control systems are not security systems per se; they only restrict access to persons exhibiting normal acceptable social behaviour. If you are looking for security you need to think of full-time monitoring and effective responses to system alerts. This means labour, in-house or contract, which, if it is not already present in some form or another, can cost more than the system.
The hardware is only part of any solution. With large installations the purchaser needs to put in a lot of man-hours during the installation to set up the system in a way that best suits his or her organization. There is also the production and issue of each individual's credentials (keys/identity cards/tokens/mobile telephones/PIN numbers) and the on-going operational maintenance. Access control systems can provide many benefits apart from the obvious: good installations have been shown to produce significant changes to the working culture in the workplace, as they tend to make (or force) employees to be more accountable and protective of their employer's property.
The Right Approach
There is typically a choice of three routes to installing an access control system. You could approach several suppliers for proposals, use an in-house engineer to project manage the whole project or use an external consultant. However, serious consideration should be given to using an experienced independent access control consultant to produce the necessary advice and documentation and to guide you through the steps. As in most industries, the response to detailed professional documentation that is clear in its objectives and reduces risk for both purchaser and its suppliers is met with very competitive prices, and a strong desire by the contractor to win the contract. The penalty to the purchaser for not getting the right person on-board at the start of a large installation can be high. The impact the system may have on the operation of an organization should always be fully analysed and understood.
The best approach involves consideration of the following:
- appointment of an in-house project manager/co-ordinator,
- appointment of an external independent access control consultant,
- a security review and risk assessment of assets and their locations (this will help with developing the strategy and identify if security zone layering is required),
- where required, a formal strategy and security scoping proposals including high level system and equipment designs, detailed recommendations and budget estimates (the high level design should identify what is necessary for a balanced system, i.e. there is little point controlling the front door if a side door is left open),
- board approval,
- designs, specifications, contract conditions, tender lists and documentation,
- job descriptions for on-going in-house operations,
- tender appraisal (short term & long term),
- negotiations and award of contract,
- regular project meetings and site supervision,
- ensuring the factory, on-site acceptance tests (Handover) and tests at the end of the defects liability period are thorough,
- negotiating a fair and reasonable maintenance contract.
During the tender appraisal stage of a contract for a new integrated system, it is worthwhile visiting other organisations who have had similar access systems installed whenever possible. In one case, an installation, presumably considered a show site by one of the favoured tenderers, was visited by the potential client organization. After the visit the client reported that, technically, the installation looked really professional, but that for all the money spent on it, the site users admitted the access control system was only being used at night when there was nobody about.
Was the above system planned thoroughly in advance of the installation and was it introduced correctly to meet the organisation's objectives?
Unfortunately, where there has been no considered thought at the design stage and for the operational aspects, a few access systems have needed to be switched off for good after a few weeks!
Security Management Systems
Access control systems are often part of an integrated system. Integrated systems can reduce the diversity and complexity of a possible multitude of different building functions down into a single manageable system. Where there are building critical functions, auditing becomes very important. If this is structured correctly in an integrated system, management functions can be greatly streamlined. Secure auditing of key building services' alarms can be great added value to facility managers.
The software of many of the available systems includes features that allow the printout of lists of people within an area or building at a particular time. This can be important during emergency evacuations. Some software packages have fully developed roster or mustering features. Guard tour packages are also common, allowing guards to be tracked while patrolling a pre-arranged route.
Reports should always be readily available. From the mass of system activity, data managers should be able to request reports on just about anything they want; in many cases that may be reports on just exception incidents. Large integrated systems are therefore management systems first and foremost and are often referred to as security management systems. A well-planned system will not only monitor and control inputs from various systems; it will also monitor the performance and activities of the operators or guards. This introduces the key issue of "accountability", which is of course essential to high security installations.
Purchasers should be advised not to show off their contractual purchasing power by demanding unrealistic timescales from suppliers, as it will cost more in the end - possibly a lot more. To get your Total Cost of Ownership (TCO) over a number of years, your budget should include not only the tender price for the equipment installation, but civil works (especially for inter-building ducting, turnstiles and car parking units), electrics, alterations to rooms (e.g. control rooms), doors, gates etc., security consultancy costs, in-house project team, training and operational costs, increased number of contract operators and on-going maintenance costs.
Control Rooms and the System Interface
If an organization introduces 24-hour manned guarding or security monitoring where the guards are expected to respond efficiently to security, fire, access and prime building function alarms, the alarms need to be presented in a manner that allows them to do so, and in an environment that encourages it. Where alarm panels are wall mounted around a tiny room and the guard bombarded with alarms in an unstructured way, he/she may miss a critical battery low alarm or worse. Discrimination against security personnel is still widespread, and security staff with low morale do not, in general, perform well under any circumstances.
I have witnessed an (apparently) trained guard at the main data processing site of a large UK bank panic and fail to respond correctly to a (deliberately operated) security alarm because the circumstances were different from normal - he was being watched by visitors.
Give the security personnel appropriate working conditions and effective equipment to use and they become pro-active, gain a higher profile within the organization and try to continually improve site security. Remember that the security control room is a good indicator of your security. The most important part of any access control or integrated system is the user interface. Training of users is essential, but access control security systems still have to be designed in such a manner that they more or less instruct the user what to do.
Equipment and Suppliers
The majority of complex access control systems software is written in North America and is supplied and installed by large or specialist security companies. Don't expect them to tell you what you need. In many cases I have found sales representatives do not really know what they are selling and what impact the system may have on the operation of an organisation. Your business is unique and the pressures applied to system sales forces these days do not give them time to fully analyse or understand your needs. Insufficient training, new products and system upgrades coming too fast are all too common problems for system integrators.
Unless you insist, the supplier's personnel who most understand their company's products will not normally have much contact with the client until after the sale is made. Demand for engineering time for commissioning or rectification of badly sold or poorly specified access card control systems is high for many suppliers.
Door Entry Technology
There are many terms for the various types of technology used for gaining entry; these include hands free, proximity, card swipe, card scan, biometric and keypad. The ones attracting most interest at present are near field communication (NFC) from smart-phones, biometric and smart card proximity types. Door holding/locking mechanisms come in all shapes and sizes; however, certain types can be overcome quite easily if the design is not thorough. During a security audit at one large organization, the Departmental Manager was shown just how easy it would be to come back later that evening, pass through the doors and clear out the entire department without the need of force or a valid card and without raising an alarm - and the doors had good quality electric locks fitted!
Biometric access control verifies a person seeking access through an access portal by identifying a part or physical characteristic of that person.
Biometric access control has largely been developed to overcome the problem with card reader access control systems whereby when a card is presented to a card reader, the card reader verifies that the card is the right card; it does not verify that the holder of the valid card is the valid cardholder.
None of the current biometric access control systems on the market have reached their goal of achieving 100% reading accuracy. However, development has now reached a stage where practical uses for biometric reader systems are justifiable for particular applications.
Fingerprint biometric identification systems are the current market leaders of biometric access control systems. The two main types of sensors available are optical and semiconductor. Both types have their positive and negative attributes. New biometric readers using a light-emitting sensor are coming on to the market claiming to give higher security at a much more competitive price. The major drawback today with fingerprint biometric access control systems is the time required to verify fingerprints in large databases. This is typically dealt with by giving users an access card as well, so the biometric reader system only needs to check the fingerprint against one record.
The technology currently receiving most attention in the aviation industry is facial recognition with its functionality being non-intrusive and passive.
Iris recognition technology is also growing fast with good accuracy of readings.
Retina recognition still suffers from people's apprehension of putting their eye up to an electronic device.
Signature verification is still around, mainly being used by governments and the military.
Hand geometry biometric access control remains a good seller, but appears to be losing its market position.
Voice verification biometric access control still has some way to go to catch up with the other technologies, but in the future it is likely to become very important in telecommunications.
Smart access control cards are typically plastic ISO standard cards with an embedded chip and aerial. Certain smart cards have exposed surface contacts; these are currently preferred by banks but are not popular for access control readers, where throughput is important.
There is a multitude of chips being offered all capable of doing different things. Some are straight memory cards while others have processors on-board.
Many manufacturers would like their chips to become an industry standard, but so far NXP Semiconductors seem to have stolen the show with their 'MIFARE' standards.
The original MIFARE Standard Chip has an 8Kbit EEPROM memory organised into 16 sectors, each sector having 4 memory blocks of 16 bytes (8 bits per byte). This means it is structured in a way that enables it to be easily set up for 16 different independent applications. Therefore with one access control card you could: use it for access to your office; access your computer; record the number of cups of coffee you've taken from the coffee machine; be restricted to a certain number of photocopies from the colour copier; have purses for vending, lunches, parking etc. and maybe even getting the bus home.
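The memory organisation described above, worked through as an added example (not code from this article or from NXP). The block roles, a read-only manufacturer block at block 0 and a trailer block holding each sector's own keys and access bits, follow the published layout of this 1K chip and are not stated in the article; the application names are constructed.

```python
SECTORS = 16
BLOCKS_PER_SECTOR = 4
BLOCK_SIZE = 16  # bytes per block


def block_address(sector: int, block: int) -> int:
    """Absolute block number (0-63) of a block inside a sector."""
    if not (0 <= sector < SECTORS and 0 <= block < BLOCKS_PER_SECTOR):
        raise ValueError("sector must be 0-15 and block 0-3")
    return sector * BLOCKS_PER_SECTOR + block


def block_role(address: int) -> str:
    """Classify an absolute block as manufacturer, trailer or data."""
    if not 0 <= address < SECTORS * BLOCKS_PER_SECTOR:
        raise ValueError("address must be 0-63")
    if address == 0:
        return "manufacturer"  # read-only serial number and maker data
    if address % BLOCKS_PER_SECTOR == BLOCKS_PER_SECTOR - 1:
        return "trailer"       # this sector's Key A, access bits and Key B
    return "data"


def data_blocks(sector: int) -> list:
    """Absolute addresses of the blocks an application can store data in."""
    addresses = [block_address(sector, b) for b in range(BLOCKS_PER_SECTOR)]
    return [a for a in addresses if block_role(a) == "data"]


def allocate(applications: list) -> dict:
    """Give each application its own sector, in order, starting at sector 0."""
    if len(applications) > SECTORS:
        raise ValueError("a 1K card has only 16 sectors")
    plan = {}
    for sector, name in enumerate(applications):
        blocks = data_blocks(sector)
        plan[name] = {"sector": sector, "data_blocks": blocks,
                      "trailer": block_address(sector, BLOCKS_PER_SECTOR - 1),
                      "usable_bytes": len(blocks) * BLOCK_SIZE}
    return plan


def usable_bytes_total() -> int:
    """Bytes left for application data once fixed and key blocks are excluded."""
    return sum(len(data_blocks(s)) for s in range(SECTORS)) * BLOCK_SIZE


if __name__ == "__main__":
    for name, entry in allocate(["door access", "vending purse"]).items():
        print(name, entry)
    print("usable bytes on card:", usable_bytes_total())
```

The applications are independent because each sector is guarded by the keys in its own trailer block, which is also why only 752 of the 1024 bytes hold application data.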
Today the MIFARE family covers many variants including: MIFARE Ultralight, MIFARE Ultralight C, MIFARE Plus, MIFARE DESFire, MIFARE ProX SmartMX and MIFARE DESFire EV1. A general description of each can be found at Wikipedia.org.
However, for access control all you really need is a number held securely, one that cannot be changed easily or erased and can only be read correctly by the intended card readers. This latter requirement brings in the need for authentication and encryption.
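Why a securely held number needs authentication, shown as an added example that is not code from this article or from any card vendor. It is a simplified one-way model (the card proves itself to the reader; encryption of the number is not modelled), and HMAC-SHA256, the key derivation and every name and value in it are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for illustration; not taken from any real system.
SITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_NUMBER = b"0004217"
ENROLLED = {CARD_NUMBER}


def card_key(site_key: bytes, number: bytes) -> bytes:
    """Derive a per-card key from the site key, so cards do not share one secret."""
    return hmac.new(site_key, number, hashlib.sha256).digest()


def card_response(key: bytes, number: bytes, challenge: bytes) -> bytes:
    """Card side: prove possession of the key, bound to this one challenge."""
    return hmac.new(key, challenge + number, hashlib.sha256).digest()


def reader_accepts(site_key: bytes, number: bytes, challenge: bytes, response: bytes) -> bool:
    """Reader side: recompute the expected response and compare in constant time."""
    if number not in ENROLLED:
        return False
    expected = card_response(card_key(site_key, number), number, challenge)
    return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    genuine_key = card_key(SITE_KEY, CARD_NUMBER)
    first = secrets.token_bytes(16)    # reader's fresh challenge, transaction 1
    second = secrets.token_bytes(16)   # reader's fresh challenge, transaction 2
    recorded = card_response(genuine_key, CARD_NUMBER, first)
    copy_key = card_key(b"\x00" * 16, CARD_NUMBER)  # copy holding the number, not the key
    return {
        # Number-only scheme: knowing the number is enough, every time.
        "number_only_replay": CARD_NUMBER in ENROLLED,
        "genuine_card": reader_accepts(SITE_KEY, CARD_NUMBER, first, recorded),
        # The response recorded in transaction 1 does not answer challenge 2.
        "recorded_response_replay": reader_accepts(SITE_KEY, CARD_NUMBER, second, recorded),
        "copy_without_key": reader_accepts(
            SITE_KEY, CARD_NUMBER, second, card_response(copy_key, CARD_NUMBER, second)),
    }


if __name__ == "__main__":
    for check, accepted in run_demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

When specifying readers and cards, the property to ask for is the one the last two checks exercise: a response is only valid for the challenge it answered, and only a card holding the key can produce it.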
Many of the system structures being adopted today by system designers are following the fashionable trends of modern networks using anonymous clouds for data storage, which is not always desirable for security access control systems with life-critical or business-critical functions that require built-in redundancy.
Care also has to be taken if the system is to sit on an existing network. The requirements to ensure the integrity of the system can often fly in the face of existing IT policy. Also, if you start sending large numbers of photograph images or database restorations around a network or linking it with CCTV, there are bandwidth considerations.
Acceptance testing should be very thorough against the requirement specification as very few (if any) integrated systems are independently tested. In-house design staff normally carry out the majority of testing with the usual pressures for fast market returns. I'm sure most suppliers would welcome independent testing, as it would solve a lot of their installation problems. Again it's the speed at which new releases and upgrades are brought to the market that makes it difficult and expensive. Until there is user demand across the industry, it is unlikely suppliers will consider it as giving their products a commercial advantage.
Standards and Legal Requirements
There are British and European standards covering security management systems: access control (BS EN/IEC 60839), integrated systems (BS EN 50398), fire (ISO 7240), intruder alarms (BS EN 50131), closed circuit TV - CCTV (BS EN 62676, BS 8418 and BS 7958), lighting & control rooms (ISO 11064). Legal requirements concerning installations are usually limited to fire, electrical and Health & Safety (including CDM) regulations.
Life-critical security systems like fire detection are often integrated for monitoring and control purposes, but integrated systems never replace the fire control panels in the UK. Overseas in North America integrated systems can be certified to control fire detection inputs. Always communicate with your local fire officer when considering moving or modifying doors or fire equipment or altering the fire procedures.
The decision to install a large access control system can have far reaching consequences and any implementation should be carried through in the same professional manner as any other major business-critical system.
* Need content? You may use this article at your website, or in your newsletter. The only requirement is inclusion of the following sentence with hyperlink: Article by Gordon Herrald of Gordon Herrald Associates, www.herrald.co.uk, independent and international security engineering consultancy.