Physical Access Control Confronts a New World

Aug. 10, 2018
How the emergence and expansion of IoT devices is impacting, and will continue to impact, conventional physical access control

Physical access control is similar to other infrastructure solutions in use today.  There is a great deal of data flowing between devices connected to networks and yet the primary focus is something very real-world – unlocking a door.  As public internet services have become pervasive, network-attached “smart” (i.e. computer/software based) devices are being incorporated into more and more areas including access control.  Physical security solutions have used devices containing computers for some time now.  These devices were typically used in closed systems and only provided the minimal functionality needed to support their specific purpose.  In earlier times these might have been referred to as “embedded systems,” meaning a computer was embedded within a device.

As the public internet evolved into what we now call “cloud services” there also has been an evolution of embedded systems.  Previous devices contained small processors with limited hardware and software.  Now we can get significantly more powerful processors, hardware, and software resources including high bandwidth network connections to powerful “back-end” (i.e. cloud-based) services.  These devices are what are being referred to as IoT devices; IoT meaning Internet of Things.  The “thing” part means there is some sort of embedded system.  The “Internet” part means it is purpose-built to connect to some sort of data network, typically cloud-based.

The ongoing introduction of IoT devices into physical security has several forms of impact. It impacts the marketplace, it delivers new and more effective solutions, and it impacts the risk of operating the infrastructure, in both positive and negative ways.

IoT in the Physical Security Marketplace

The IoT landscape includes all sorts of devices that sense inputs and perform actions far outside the physical security world.  This means there are large organizations (like Google) exploring the use of IoT devices.  What this means for physical security is that players can enter, and in fact have entered, the marketplace from backgrounds other than locks and construction and guard services.  So the first impact is that the marketplace has more players here today and an ongoing influx of new players.

IoT Benefits for Physical Security

The introduction of the IoT concept to physical security provides several benefits.  Generally, these are based on scale, availability of data, and new applications.

More processor horsepower: IoT introduces newer and more powerful hardware.  This includes processors, memory, and sensors.  Many of these devices are based on chips being produced on a large scale and so the devices themselves are less expensive.  These processors also have modern features like memory management and application containment, so it is possible to deliver more complex, more secure software in the devices.

More Telemetry: IoT devices, being attached to the cloud and having inexpensive sensing components, can provide new or simply cheaper sources of information that can be used in physical security applications.  Cameras are cheaper so we can now have dedicated cameras for all sorts of things. The monitoring camera on the internet-attached cat food bowl is quite feasible and probably available today.  In general, you can get more “telemetry” and that can be used to provide better and better situational awareness for a physical security deployment.

Data Aggregation: IoT devices, being designed for use with cloud services, can start to provide data aggregation services not previously available.  A cloud-based service can use aggregated data to benefit all their customers.  The cloud offers both computer resources and storage so you can start to do things you could not do earlier simply because you didn’t have the information.  Imagine an IoT thermostat attached to your VMS that gave you at least 12 months of temperature history that you could use in managing the deployment and use of heated camera housings.

New Use Cases for Computing: IoT devices can deliver complex capabilities in new places.  More secure communications can be delivered because the devices have the horsepower to deliver strong cryptography.  New peripherals can deliver beneficial information you could not access before.  Want LIDAR (a surveying method that measures the distance to a target by illuminating the target with pulsed laser light and measuring the reflected pulses with a sensor) attached to your security cameras?  That can be done.  Want TLS network encryption on the web user interface for your mag lock?  That could be done.  And yes, having a web-based user interface on a mag lock is not inconceivable.  After all, there are Bluetooth-connected chainsaws now.

IoT Risks for Physical Security

All these new devices are a change in the physical security environment.  The typical physical security infrastructure today probably has network equipment, likely using on-site servers and networking components.  That environment carried certain risks which one had to manage.  Since much of this was done on a closed network with no exposure to the outside world, an air-gap risk management scheme was used, either explicitly (you consciously kept the networks separate) or implicitly (because there are no network connections in public areas of the building).  The continued introduction of new (IoT) devices will impact the risks to the infrastructure from the use of networking.  Some risks will be diminished while other risks will increase.

Changed maintenance paradigm: Previously, physical security systems were deployed and remained in that state for the life of the system.   Now we often see devices that are intended to be updated, possibly at a high frequency.  If the devices are all connected to the cloud this is easy to do.  This scenario can provide a risk reduction in that it’s a lot easier to update software in an automated manner.  On the other hand, you still have the operational risk that if you let the door locks update and the update fails you might end up with doors that don’t open when they are supposed to.

Changed network security paradigm: You’d previously never have your access control data leave the site.  Now, with attractive cloud solutions, there are lots of reasons to use IoT devices and leverage the cloud, which means your door-lock data is in someone else’s system.  This requires some careful thought.  It has been observed that centralized dedicated services can, in fact, provide good security; possibly better than the site operator can do themselves.  On the other hand, there are all these IoT devices out there accessing the cloud and each one of them has some inherent risk of being compromised over the network.  This can be managed.  Buy reliable IoT devices from reputable sources that perform known, sound product validation on the solutions they deliver.

IoT Business Practices: IoT devices often provide services that are based on a subscription model where you pay little or nothing for the device and a recurring fee for the cloud service behind it.  Note that while this may look strange to a vendor supply chain used to selling hardware and living on the margin from that, it looks completely reasonable to someone from the alarm business where recurring revenue models are how you normally do things.  The IoT marketplace is quite active, which means there are startups and new services showing up all the time.  The downside is that the service you purchase may or may not be there next week.  What if the vendor shuts down the service?  That would then mean any associated IoT devices you have deployed suddenly become useless.  The IoT world is still working out how this gets handled and there have been incidents where service users have suddenly found their IoT devices have been abandoned by the cloud and are rendered useless.  Service agreements, use of protocol standards, and business continuity tools (like source code escrow) can mitigate this.  Vendors also pivot more frequently and the solution you chose for its physical security benefit might one day deprecate a critical feature.

So What is the Impact?

IoT devices can provide great benefits by accessing more information and facilitating that information’s use.  This can be used to benefit physical security solutions.  There are risks.  Many of the risks are IoT-specific and can be managed like other IoT device environments.  Some things are in fact easier to update.  Updating a door lock system is likely easier than updating a sensor inside an earth mover that’s out in the field building a highway.  IoT devices are getting more and more powerful and can leverage the cloud computing solutions behind them.  Done right this means you can benefit from new information and actions while operating a secure infrastructure.

With care, you can choose IoT solutions that provide benefit while managing the risk.  It requires keeping track of both the benefits and the risk and it probably requires new ways of identifying whether vendor solutions have a positive benefit/risk profile.  But there’s an IoT revolution happening out there and physical security is not alone in addressing the new challenges.

About the Author: Rodney Thayer is a Convergence Engineer with Smithee Solutions LLC and a veteran network-centric security industry expert. He is a subject matter expert in networking use in physical security and infrastructure deployments. Specialties include cybersecurity, cryptography, and networking protocols. Thayer is a member of the ASIS IT Security Council.