Using Biometrics to Protect Mission Critical Infrastructure

Sept. 9, 2022
Commercial properties should consider beginning with biometrics in an access control strategy

The Texas statewide power grid collapse and the ransomware shutdown of the Colonial gas pipeline are two of many recent highly publicized critical infrastructure failures that impacted millions of Americans. Although less talked about, the critical infrastructure systems that keep our nation’s commercial buildings operational are similarly vulnerable.

When tenants sign a lease, they trust that building management will provide resources like electricity, heat, ventilation, data communications, and clean water without interruption. These systems are mission-critical. Their malfunction can temporarily shut down a facility, causing inconveniences and financial losses for occupying tenants. In some instances, the impact can be catastrophic.

Protecting essential systems from tampering or outright attack requires the highest levels of security. Physical access to equipment must be tightly regulated and monitored. So, too, must network access to facility and system management software.

With growing frequency, developers and property management teams are turning to biometrics to secure these assets. By layering biometric identity systems on top of technology already in place, building managers can implement multi-factor authentication solutions that are increasingly difficult to penetrate.

Who Holds the Data?

Today's best-in-class biometric identity solutions use digitized, encrypted signatures of unique physical characteristics like facial architecture, iris patterns, palm vein patterns, or fingerprint whorls. Represented as random-looking strings of digits, these "hashes" cannot be used to reverse engineer a facsimile of the recorded feature. Because public concern over the storage of Personally Identifiable Information (PII) has become a hot-button issue, some building management teams prefer not to be responsible for storing the biometric data of enrolled users. Biometric identity solutions remain an option for them: in a decentralized data model, biometrics are stored exclusively on each user's access control card. Today's 13.56 MHz smart cards feature programmable memory designed for such applications. When users pass through an entry checkpoint, the live biometric sample they present must match what's on their card. The card won't work for anyone other than its rightful owner, rendering stolen, lost, or borrowed cards useless.

The EU's new biometric identity cards use this type of system. The cards feature an embedded chip with encrypted biometric data, including two fingerprints. However, there is no centralized EU database in which all fingerprints reside. This policy has helped build public trust in the system and dampened concerns of citizens who might perceive mandatory submission of fingerprints as an invasion of privacy. Individuals retain exclusive possession of their data.
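The decentralized check described above, written out as an added example that is not part of the original article and not code from any Princeton Identity product: the enrollment station writes a record onto the card carrying the template, a site scope and an expiry, and protects it with a keyed MAC under an issuer key that the door readers also hold; the reader rejects forged or edited records, expired ones, and any presenter whose live sample does not match the template on the card. The 64-bit templates, the Hamming-distance matcher, `ISSUER_KEY`, the 8-bit threshold and every function name are constructed stand-ins for a real template format and matching engine.

```python
import hashlib
import hmac
import json

# Constructed issuer key shared by the enrollment station and the door readers
# (in a real deployment it would live in a secure element on each reader; assumption).
ISSUER_KEY = b"demo-issuer-key-not-for-production"

# A template is modelled as a 64-bit string; a live capture of the same person differs
# from the enrolled template in a few bits, another person differs in many (assumption).
MATCH_THRESHOLD = 8  # largest Hamming distance still accepted as the same person


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def issue_card(holder_uid: str, template: int, site: str, valid_days: int, now: int) -> dict:
    """Enrollment station writes a MAC-protected record into the card's programmable memory.
    The template lives only on the card; the issuer keeps no copy (decentralized model)."""
    record = {
        "uid": holder_uid,
        "template": template,
        "site": site,
        "not_after": now + valid_days * 86400,
    }
    payload = json.dumps(record, sort_keys=True).encode()
    record["sig"] = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return record


def verify_at_door(card: dict, live_capture: int, site: str, now: int) -> tuple:
    """Reader-side check: the record is authentic and unmodified, still valid, scoped to
    this site, and the person presenting it matches the template stored on the card."""
    body = {k: v for k, v in card.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, card.get("sig", "")):
        return False, "card record signature invalid"
    if now > body["not_after"]:
        return False, "credential expired"
    if body["site"] != site:
        return False, "credential not valid for this site"
    distance = hamming(body["template"], live_capture)
    if distance > MATCH_THRESHOLD:
        return False, f"biometric mismatch (distance {distance})"
    return True, "access granted"


def demo() -> dict:
    """Four constructed presentations of one card: the owner, a thief holding the stolen
    card, the owner after expiry, and a copy whose site field was edited after issuance."""
    now = 1_700_000_000
    owner_enrolled = 0x5A5A3C3C0F0FF0F0
    owner_live = owner_enrolled ^ 0b101         # 2 bits of sensor noise
    thief_live = 0xA5A5C3C3F0F00F0F             # every bit differs
    card = issue_card("u-1042", owner_enrolled, "HQ-boiler-room", valid_days=30, now=now)
    edited = dict(card, site="HQ-data-center")  # tampered copy; the MAC no longer covers it
    return {
        "owner": verify_at_door(card, owner_live, "HQ-boiler-room", now + 3600),
        "stolen_card": verify_at_door(card, thief_live, "HQ-boiler-room", now + 3600),
        "expired": verify_at_door(card, owner_live, "HQ-boiler-room", now + 31 * 86400),
        "tampered": verify_at_door(edited, owner_live, "HQ-data-center", now + 3600),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The point of the MAC is that the card's memory is writable: without it, anyone who could rewrite the card could swap in their own template, and the "card won't work for anyone else" property would evaporate. Real deployments put the template match and the key inside the card or reader hardware rather than in application code as here.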

By contrast, some facility management teams of commercial properties choose to store users' biometric data, as doing so extends conveniences to users and system administrators. Stored biometric data allows users to go card-free, eliminating the need to carry any physical or mobile credential. Their bodies become their access card. Biometric readers mounted at access points identify each user, communicate with the access control solution, and permit or deny entry based on the person's permissions. Of course, if they're not in the database, entry is denied. For enhanced security, dual authentication can leverage two biometric modalities. For example, the system might require a match of both the iris and face or the face and palm. Depending on the solution, a single reader may be able to process more than one modality.

For administrators, a stored database offers the advantage of a one-and-done enrollment process. Once registered in the system, users never need to enroll again. Except for the face – which changes gradually with age – biometric signatures, especially iris, remain constant over time. By contrast, in a decentralized model, if an employee loses their access card, they must submit new biometric data for inclusion on the replacement card.

When implemented according to best practices, biometric databases do not store individual names associated with each biometric signature – just a user ID code. This provides an additional layer of security to an already highly secure solution. If the database were compromised, bad actors could not associate biometrics with specific individuals. For building management to make practical use of the data, the biometric database links to other systems, like access control, through Active Directory. The result is seamless and accurate automated identity verification.
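An added example, not the article's and not any vendor's code, of the pseudonymous database layout described above: the biometric tier keys each template only by an opaque user ID code, derived here with a keyed hash from the directory principal, and the directory (a stand-in for Active Directory in this example) is the only component that can turn a code back into a person and their door permissions. `DIRECTORY_KEY`, the `BiometricStore` and `Directory` classes, the principals, the 64-bit templates and the 1:N threshold are all constructed.

```python
import hashlib
import hmac

# Constructed pepper held by the access-control/directory tier only, so a copy of the
# biometric table alone cannot be mapped back to people by hashing guessed names (assumption).
DIRECTORY_KEY = b"demo-directory-pepper-not-for-production"
MATCH_THRESHOLD = 8  # assumed 1:N decision threshold on a 64-bit template


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def user_id_code(directory_principal: str) -> str:
    """Opaque user ID code stored beside each template instead of a name."""
    mac = hmac.new(DIRECTORY_KEY, directory_principal.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


class BiometricStore:
    """The biometric tier: holds only {user ID code: template}, nothing that names a person."""

    def __init__(self):
        self._templates = {}

    def enroll(self, uid: str, template: int) -> None:
        self._templates[uid] = template

    def identify(self, live_capture: int):
        """1:N search; returns the closest enrolled ID code within threshold, else None."""
        best_uid, best_distance = None, MATCH_THRESHOLD + 1
        for uid, template in self._templates.items():
            distance = hamming(template, live_capture)
            if distance < best_distance:
                best_uid, best_distance = uid, distance
        return best_uid

    def dump(self) -> dict:
        """What an attacker would obtain from the biometric database alone."""
        return dict(self._templates)


class Directory:
    """Stand-in for Active Directory: maps ID codes back to principals and door permissions."""

    def __init__(self, principals: dict):
        self._by_uid = {user_id_code(p): (p, set(doors)) for p, doors in principals.items()}

    def resolve(self, uid: str):
        return self._by_uid.get(uid)


def door_decision(store, directory, live_capture: int, door: str) -> tuple:
    """Reader flow: the biometric tier returns an ID code, the directory turns it into a decision."""
    uid = store.identify(live_capture)
    if uid is None:
        return False, "not enrolled"
    entry = directory.resolve(uid)
    if entry is None:
        return False, "no directory account for this ID code"
    principal, doors = entry
    if door not in doors:
        return False, f"{principal} not authorized for {door}"
    return True, f"{principal} granted {door}"


def demo() -> dict:
    directory = Directory({
        "alice@corp.example": ["boiler-room", "telecom-closet"],
        "bob@corp.example": ["telecom-closet"],
    })
    store = BiometricStore()
    alice_t, bob_t = 0x123456789ABCDEF0, 0x0FEDCBA987654321   # constructed templates
    store.enroll(user_id_code("alice@corp.example"), alice_t)
    store.enroll(user_id_code("bob@corp.example"), bob_t)
    return {
        "alice_boiler": door_decision(store, directory, alice_t ^ 0b11, "boiler-room"),
        "bob_boiler": door_decision(store, directory, bob_t ^ 0b1, "boiler-room"),
        "stranger": door_decision(store, directory, 0xFFFF0000FFFF0000, "boiler-room"),
        # the leaked table carries no names, e-mail addresses or directory attributes
        "dump_reveals_names": any("@" in uid for uid in store.dump()),
    }
```

The separation only holds if the pepper and the directory are not reachable from the biometric tier; if both tables sit in the same database under the same credentials, a single compromise joins them. Disabling a principal in the directory also revokes door access without touching the biometric store, which keeps deprovisioning in the system administrators already manage.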

Where Should Biometrics Be Deployed?

Biometric identity solutions are so effective that Homeland Security recommends they be part of any multi-factor authentication system for access to Federal government locations.[1] While no such requirements exist for non-government buildings, there are areas within all buildings that deserve a similar level of security. These include boiler rooms, system head-ends, telecommunication centers, utility closets, data centers, and other areas that provide access to critical infrastructure. These locations are often already secured by electronic access control systems. There may also be surveillance cameras in place. If so, these cameras may serve the secondary function of performing facial recognition (FR). Many leading camera manufacturers integrate with third-party FR software or offer facial analytics as an edge solution. For other modalities, specialized readers can be mounted at any doorway, in addition to or in place of a card reader.

The repair and maintenance technicians who access these secure areas are often not onsite employees. Today's biometric identity solutions offer visitor management tools that make it easy to issue temporary biometric credentials to such workers through a pre-registration, self-enrollment process. A worker assigned to a specific job site can use their phone to provide an image of their face, a photo ID like a driver's license, and complete an online questionnaire. Administrators at the site review and approve the worker and issue a temporary credential to their phone. Upon arrival at the building, the worker must present the mobile pass and a facial match to gain access to critical infrastructure systems. Dual authentication combined with biometrics prevents an imposter from arriving on the scene and posing as the approved, vetted technician.

Of course, any conversation about securing infrastructure would be incomplete without addressing network security. Controlling physical access to data centers can be accomplished with biometrics; IT departments can apply the same technology to control logical access to the network.

Traditionally, the most sensitive network management permissions were granted only to employees working physically within a data center. The pandemic introduced the need for some of these employees to work remotely, along with fail-safe methods to authenticate and verify their identity. Combining biometrics with passwords allows networks to validate each user's identity as they sit at their computer, regardless of location. Leveraging a computer's embedded camera or attaching an encrypted biometric reader to verify the user's face or iris, the user's identity can be repeatedly matched against their enrolled biometric data. If someone replaces or joins them in front of the monitor, the application or the computer will immediately shut down.
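The continuous verification loop described above, as an added example that is not from the article or any product: each webcam frame yields zero or more face templates (constructed 64-bit strings here), and the session policy tolerates a couple of empty frames for a look-away or occlusion but locks immediately when a second face appears or the single face in view stops matching the enrolled user. The threshold, the empty-frame tolerance, the `Session` class and the scenario names are assumptions.

```python
from dataclasses import dataclass

MATCH_THRESHOLD = 8      # assumed 1:1 threshold on a 64-bit face template
MAX_EMPTY_FRAMES = 2     # assumed tolerance for a momentary look-away or occlusion


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


@dataclass
class Session:
    enrolled_template: int
    locked: bool = False
    reason: str = ""
    empty_frames: int = 0
    frames_seen: int = 0


def check_frame(session: Session, faces_in_frame: list) -> bool:
    """Apply one webcam frame to the session. faces_in_frame holds the template extracted
    from every face detected (constructed). Returns True while the session stays unlocked."""
    if session.locked:
        return False
    session.frames_seen += 1
    if len(faces_in_frame) > 1:
        session.locked, session.reason = True, "second person in view"
    elif not faces_in_frame:
        session.empty_frames += 1
        if session.empty_frames > MAX_EMPTY_FRAMES:
            session.locked, session.reason = True, "enrolled user no longer present"
    else:
        distance = hamming(session.enrolled_template, faces_in_frame[0])
        if distance > MATCH_THRESHOLD:
            session.locked = True
            session.reason = f"face does not match enrolled user (distance {distance})"
        else:
            session.empty_frames = 0   # a good match clears the look-away counter
    return not session.locked


def run_session(enrolled_template: int, frames: list) -> Session:
    """Feed frames until the policy locks the session or the capture ends."""
    session = Session(enrolled_template)
    for faces in frames:
        if not check_frame(session, faces):
            break
    return session


def demo() -> dict:
    user = 0x5A5A3C3C0F0FF0F0     # enrolled face template (constructed)
    other = 0xA5A5C3C3F0F00F0F    # a different person: every bit differs

    def seen(noise: int) -> list:
        """The enrolled user in view, with a little capture noise."""
        return [user ^ noise]

    scenarios = {
        "look_away":    [seen(0b1), [], [], seen(0b100), seen(0)],     # tolerated
        "walked_off":   [seen(0b1), [], [], []],                        # lock
        "swapped_user": [seen(0b1), [], [other], seen(0)],              # lock
        "second_face":  [seen(0b1), seen(0b10), [user ^ 0b1, other]],  # lock
    }
    results = {}
    for name, frames in scenarios.items():
        s = run_session(user, frames)
        results[name] = (s.locked, s.reason, s.frames_seen)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

Two design choices matter here: the "second person" rule fires on the frame it is observed, because a shoulder-surfer does not need the session to be unattended to read the screen, while the absence rule is deliberately lenient so that the lock does not trigger on every glance away from the camera. The right tolerance is a deployment decision, not something the code can know.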

In addition to enhancing security, this solution can deliver economies of scale for management firms with multiple, disparate holdings. A centralized critical IT support team can provide remote maintenance and system updates to a portfolio of properties. Biometric identity solutions, combined with zero trust architecture and other technology like computer privacy screens, remove any distinction between the security implications of working onsite versus remotely.

A Critical First Step Toward Wider Adoption

Commercial real estate is on the verge of adopting biometrics on a wide scale. Its use requires buy-in from everyone who will use the system – a challenge in multi-tenant properties with many different stakeholders. However, the installation and start-up cost challenges of biometrics are far outweighed by the long-term benefits of secure critical infrastructure. Building management has the power and responsibility to do whatever it takes to keep its assets safe. Implementing biometric identity solutions is the place to start.

[1] https://csrc.nist.gov/publications/detail/sp/800-76/2/final

About the author: Bobby Varma, CEO/Founder of Princeton Identity. She is an accomplished senior manager with a strong affinity for technology and a keen business sense for the application of emerging products to add value, expand markets and develop strategic partnerships. She has a solid knowledge of scientific concepts and a proven ability to translate those into significant business opportunities. She has previously worked with SRI International and Sarnoff Corporation as Business Development Director. Bobby has completed her master's in Biomedical Science/Engineering from Drexel University.