IP based Physical Access Control -- Security Today

IP based Physical Access Control

Five reasons to adopt this technology now

By Dan O’Malley
Oct 01, 2011

Organizations of all sizes are migrating from analog to IP-based physical access control solutions, drawn by increased security, increased operational efficiency and better availability. The shift to IP reflects what’s already happened in voice communications and, more recently, in video surveillance.

Shifting physical access control from analog proprietary serial communications to IP provides five main benefits:

Protecting access control data;
Accelerating response to alarms;
Helping to ensure business continuance;
Streamlining operations; and
Lowering door cable costs.

Protecting access control data. Analog physical access control systems make it relatively easy for someone with a little knowledge and widely available tools to create a working card to impersonate an employee. Most card data is not encrypted, neither over the air nor from the reader to door-control panels. Someone who taps the link can read badge data.

A related issue is that most analog door controllers use the Wiegand protocol, which is one-way only from reader to door-control panel. That means the card reader can’t tell whether it’s connecting to a legitimate door-control panel or a snooping device.

IP physical access control systems use digital encryption technologies to help protect identity information, making physical access control systems less vulnerable to attacks.

For example, new IP-based controllers support a challenge-response function, a secure way to protect card data sent over the link. When you present your card for access, the card does not immediately turn over its data. Instead, it first authenticates to the system by sending a public key and listening for a signed response from the system. The system signs the credential and sends it back to the card. Only after receiving verification that the system at the other end of the connection is legitimate, not an imposter, does the card transmit its encrypted data to the reader.

New standards in access control interoperability will increase security and interoperability while driving down system costs. One is the Federal Information Processing Standards (FIPS) 201 for personal identity verification (PIV). FIPS 201 defines a back-end public key infrastructure (PKI) system to manage public keys and user identities through a certificate authority. Other standards include Physical Security Interoperability Alliance (PSIA) and the Open Network Video Interface Forum (ONVIF). Card-reader vendors, in turn, are moving toward adopting an encryption standard to protect data traveling over the wireless and wired interface.

Accelerating response to alarms by integrating with video surveillance and incident response systems. Traditionally, a security officer who received a forced-door alarm on door 47 would have had to turn to another console to view video feed, look up which camera monitored that door, and then spend valuable time finding the relevant alarm video. Meanwhile, an intruder could cause harm or flee the property.

The process is more efficient when the physical access control and video surveillance systems are tied together. Integrating physical security systems with IP video is far simpler than it is with analog systems because all servers and endpoints connect to the same network.

For example, suppose someone kicks in an exterior door. An IPbased access control system can transmit the forced-door alarm to the IP-based incident response system. Receipt of the alarm invokes predefined policies, such as sending an alert to a security officer’s preferred device—say, an iPhone—along with real-time video or video associated with the alarm. This saves valuable minutes compared with the old situation, where the guard had to weed through alarm screens and search for the right video cameras. In addition, instead of being tethered to the desk, security officers can receive alerts on mobile devices while patrolling the property, helping prevent crime or fear of crime.

The benefits multiply if you add an IP dispatch system. Multiple agencies or teams—physical safety, local police, human resources and others—can join a virtual talk group on any device, including desk phone, mobile phone or any type of radio.

Helping business keep going if the network goes down. If physical access control is essential to business continuity, the traditional physical access control system might be the weak link: If the proprietary network goes down, so does the ability to let authorized people in and keep others out. Business continuity is especially urgent for governments and critical infrastructure organizations such as energy plants.

IP physical access controls give you options to increase availability. For example, instead of placing the intelligence in a central server that connects to all of your doors over the WAN, you can place intelligence at the network edge. This helps the business keep going even if the WAN goes down because of hurricane, tsunami, power outage or another disaster.

This approach is used today by a gasoline distribution company in the Midwest. Truckers present their Transportation Worker Identification Credential (TWIC) to the badge reader, which sends a message to a local system that Chris Johnson is at Gate 2, for example. Then the local gateway sends a URL action to the local system, which sends a work order to the card reader display, such as “Chris Johnson—Fill up on Pump 47.” The benefit to the company is faster truck dispatching, plus increased worker productivity because workers don’t need to wait around for orders.

In general, URL actions are a simple, effective way to integrate disparate systems because they do not require complex programming.

For even higher availability, implement redundant physical access control management servers, either one of which can take over if the other fails. The servers share a common IP address and are continuously synchronized. This practice is much cleaner than implementing tiered databases—for example, at the local, regional and national levels.

Streamlining operations by integrating with the IT or HR database. Many organizations separately maintain databases for network access, HR records and physical access control. The drawbacks are data duplication and redundant processes. Separately maintaining the database used for employee access control also can create an unsafe situation if terminated employees or vendors with limited-time access are not promptly removed from the system.

With an IP-based physical access control system, changes made to your central Microsoft Active Directory or SQL databases can be automatically propagated to the access control system.

Here, too, IP gives you choices. One option is to implement oneway communication between the central database and door gateways. The other is using a Web Services API. A public university in the South uses a Web Services API to allow building administrators to set their own lock schedules on a webpage. The API also is useful for organizations that give out large numbers of one-day visitor badges.

Lowering door costs. Traditional physical access control systems require bringing power to each door reader and lock. Some IP gateway readers, door locks and readers can receive PoE from network switches over standard Cat-5 or Cat-6 cabling. This can reduce installation costs by up to several hundred dollars per door.

A single unified physical infrastructure and managed cabling system can also increase availability, because you can use commercially available uninterruptible power supplies for backup power. The central UPS eliminates the need to install batteries by each door.

The right IP-based physical access control system can reduce risk and help the business continue to operate in the event of a disaster. Look for a solution that:

Encrypts credentials and identity in the server, over the air and over the wire;
Unifies your security system with IP video surveillance and IP incident response systems;
Provides high availability, both at the edge and on the network;
Integrates the network edge with local systems, using URL actions;
Takes advantage of your existing IP network with networked controllers and a common database;
Reduces door cabling costs by connecting to Cat-5/Cat-6 cabling; and
Supports network power such as PoE.

This article originally appeared in the October 2011 issue of Security Today.

Featured

Perimeter Security Standards for Multi-Site Businesses

When you run or own a business that has multiple locations, it is important to set clear perimeter security standards. By doing this, it allows you to assess and mitigate any potential threats or risks at each site or location efficiently and effectively. Read Now
New Research Shows a Continuing Increase in Ransomware Victims

GuidePoint Security recently announced the release of GuidePoint Research and Intelligence Team’s (GRIT) Q1 2024 Ransomware Report. In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. Read Now
- Cybersecurity
OpenAI's GPT-4 Is Capable of Autonomously Exploiting Zero-Day Vulnerabilities

According to a new study from four computer scientists at the University of Illinois Urbana-Champaign, OpenAI’s paid chatbot, GPT-4, is capable of autonomously exploiting zero-day vulnerabilities without any human assistance. Read Now
- Cybersecurity
Getting in Someone’s Face

There was a time, not so long ago, when the tradeshow industry must have thought COVID-19 might wipe out face-to-face meetings. It sure seemed that way about three years ago. Read Now
- Industry Events
- ISC West

Webinars

Hanwha Vision (formerly Hanwha Techwin), Salient Systems, Eagle Eye Networks Inc, Evolv Technology, Arcules, ZeroEyes

Shooter Detection: The First Line of Defense
Hanwha Vision (formerly Hanwha Techwin), Salient Systems, Arcules

Embracing AI-driven Access Control
HID Global

Unlock the Potential: Why Make the Shift to Mobile Credentials

Whitepapers

Genetec

How to Modernize Your Existing Security Systems Using Hybrid-Cloud
Eagle Eye Networks Inc

Are you ready for an on-site emergency? A practical checklist
Winsted Corporation

Top Considerations Designing an Ergonomic Control Room

New Products

Unified VMS

AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3
EasyGate SPT SPD

Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3
QCS7230 System-on-Chip (SoC)

The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3