What is the relationship between access control and state-sponsored cybercrime?


George Moawad, Country Manager for Genetec, ANZ

While China has productive relationships with many western-style liberal democracies, none can ignore the fact that Chinese businesses are closely intertwined with the Chinese Government. These ties can prove problematic particularly when it comes to access and vulnerability. In the security industry, for example, it has become apparent that deploying high-risk or poorly designed IP cameras can result in clear and proven violations.

Recent data breaches conducted via these cameras have caused many around the world to start asking important questions about the technology companies they work with and the equipment they choose to deploy. Some, like the Australian Government, are taking more proactive steps through legislation and other initiatives.

In 2020, Australia launched Cyber Security Strategy 2020 aimed at creating a more secure online world for Australians. The Strategy has 10 years and a $1.67 billion investment to meet its vision. Australia also introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020. This Bill updates the earlier Security of Critical Infrastructure Act of 2018 by recognizing the increasingly interconnected nature of our infrastructures and how our interdependence has the potential to increase vulnerability.

To date, the tendency has been to focus on understanding and addressing the potentially devastating cyber security and privacy risks associated with installing untrustworthy cameras. But, the recent moves by Chinese government-owned technology companies to penetrate the access control market should be raising similar and serious questions.

The access control threat

A robust access control system is essential for organisations looking to secure their facilities and understand the movement of people through their spaces. Being able to collect and analyse data about who is coming and going – as well as when, where, and how often – is becoming increasingly important for managing and understanding the physical dimensions of a business or government.  If a bad actor were able to get their hands on this type of information, they could cause a significant privacy breach or, in the case of critical infrastructure, endanger public safety.

It is critical for organisations to perform due diligence on access control manufacturers with regards to their ownership, partners, supply chain, and cyber security track record. In the past, access control was simply about securing the perimeter and opening and closing doors. However, modern IP-based access control systems are now being used to implement complex access rules, analyse building usage, monitor for atypical behavior, and manage time-sensitive access requests within their facilities. And all of this data flowing into an IP-based access control system represents a gold mine of information for hackers.

The problem is that some in the security industry tend to overlook the risks associated with potentially malicious access control hardware in the drive to save money. For commercial enterprises, this can have serious consequences. A data breach could damage a company’s reputation and result in large fines if it is determined that the company jeopardised its safety and security capacity. This is also a serious issue for governments since hackers could uses malicious hardware as a vector for cyber-attacks that could threaten national security.

The importance of due diligence

Access control systems have a long life-cycle. They take time to procure and implement and cannot be replaced quickly. This means that organisations could ultimately be opening themselves up to significant long-term financial and operational risks if they do not perform their due diligence from the outset.

Current examples of the upheaval caused by such decisions include the mandated removal and replacement of Huawei from UK networks and the scrutiny around the Australian Defense Department’s decision to extend a contract with a Chinese-owned company to store data in its Sydney facility.  Given the scope of the potential threat, it’s becoming increasingly likely that new regulations will be implemented in the near future that will require companies to replace their access control systems at considerable expense well before their planned end-of-life.

Protect the life-cycle of your access control system

To ensure the security of your access control system, you need to consider not only the strengths of a particular vendor’s hardware but also the motives and track record of the businesses involved in supplying them. For example, when purchasing a high-quality physical lock, you would expect to take ownership of all of the keys and would exercise caution when deciding who to trust with your keys. Yet, it is relatively common for organisations to install an IP-based access control system without considering who may, through error, omission, or poor design, have access to this vital infrastructure.

Cyber security issues, in addition to vendor reputation, track record, and supply chain, should also be considered as part of the due diligence and selection process. Unlike other security systems, access control systems are not replaced on a regular basis. In fact, the product lifecycle can be up to 20 years, so it’s not surprising that some systems are presently lagging behind when it comes to cyber security. In this case, it is important to first future-proof your systems before upgrading any hardware.

The increased threat to national security

Whether you are responsible for IP, critical infrastructure, or highly classified information, it’s vital to ensure that you’re protected against the devastation hackers can cause, especially since state-sponsored cyberattacks are on the rise. At the time of writing, the ramifications of last year’s Solar Winds hack, perpetrated by a group with ties to Russian intelligence, continue to be felt around the world. Here in Australia, China launched a bold and broad cyberattack in June of last year targeting several organisations, including governments, educational institutions, and health and essential service providers.

Since hackers can use access control hardware as attack vectors, access control systems can’t be overlooked as part of your network cyber security plans. With the proliferation of the IoT and its integration with networks, an access control system must have a strong cyber defense. Otherwise, organisations can increase their vulnerability to unauthorised physical access and cybercrime.

Across all industries, from financial services and casinos to data centers and hospitals, the ownership, supply chain, and cyber security track record of your access control vendor must be taken seriously. Modern access control can provide a lot of value. It is imperative that organizations choose their partners carefully and invest wisely.