Chinese tech: Who really has the keys to your access control system?

Despina Stamatelos at Genetec discusses tensions between China and western liberal democracies, illustrating how this impacts cyber security – do you know who has the keys to your access control system?

The fact that China requires successful Chinese companies to be intertwined with the Communist Party, the government and military has caused many Western democracies and businesses to re-evaluate their relationship with Chinese technology vendors. This is particularly true when it comes to physical security. And while the potentially devastating cyber security and privacy risks of installing untrustworthy security cameras are starting to be better understood, access control has largely remained under the radar. The recent moves by Chinese government-owned organisations to penetrate this market should be raising some serious questions.

The long-standing tensions between China and western-style liberal democracies have wide ranging ramifications. Aside from the sound and fury of global trade disputes, governments and businesses around the world are starting to ask important questions about the technology companies they work with and the equipment they chose deploy to protect their critical infrastructure, cities and businesses. Many countries are beginning to take proactive steps to mitigate the risks of deploying technologies associated with suppliers who are owned or controlled by foreign strategic rivals.

The John McCain National Defense Authorization Act

In 2018, the US Congress passed the John McCain National Defense Authorization Act (NDAA), which bans federal agencies from trying to “procure or obtain or extend or renew a contract” to buy “any equipment, system, or service” that uses certain Chinese-made telecommunications and video surveillance services or equipment. The procurement ban, that took effect in August of 2019 saw a near immediate, example-setting application with the indictment of executives from US camera vendor Aventura for conspiring with the Chinese government to fraudulently label their OEMed Hikvision products as “Made in the USA”.

In Europe, serious national security concerns have resulted in the removal of Huawei infrastructure from 5G networks – with the UK, Denmark, France and the Czech Republic to name but a few all taking the step of banning the equipment.

While the dangers of deploying high-risk or poorly designed IP cameras are proven and clear and have made headline news in recent months, another crucial element of a physical security system has largely remained ignored: access control.

Recently, Chinese government-controlled technology organisations have made partnerships with Western access control companies a core element of their commercial strategy – a worrying trend that raises several questions. Most importantly, why have these technology companies, who were recently banned in the United States taken such a proactive and high-profile role in marketing their products? And what will be the financial implication for integrators and end-users who install this type of technology when these companies ultimately get banned there as well?

The Dutch parliament has already recognised this issue, with politicians proposing a motion asking the government to investigate the use of products from Hikvision and Dahua and there are increasingly vocal concerns being raised in other national parliaments. We’re at a crossroads and the next few months could be critical.

Access control systems are under threat

Doors say a lot about a business or an organisation. Who is coming and going, when, where and how often, are powerful tools for managing and understanding the physical dimensions of a corporation or government. This information in the wrong hands, or under the control of a malicious actor would be a significant breach of privacy at best, catastrophic at worst. That is why it is important to closely scrutinise access control manufacturers and ask tough questions about their ownership, their partners, their supply chain and their cyber security track record.

Typically, access control system attacks have focused on the outside of the perimeter (i.e. cloning cards and attacking readers) to gain unlawful entrance to facilities. As modern IP-based access control systems are placed on IT networks and become more connected to the cloud, steps must be taken to ensure they do not provide the entry points malicious operatives need to gain access to your network and edge devices.

Cost reduction means malicious hardware risks can be ignored

The problem is, there is a tendency among some in the security industry to overlook the risks associated with potentially malicious hardware in the desire to reduce costs. Where corner cutting in any safety or security capacity is increasingly a matter of criminal liability, the scale and sophistication of the threat is also truly a threat to national security. The unscrupulous executives at Aventura, many of them still behind bars, provide a perfect example of this. Responsible security practitioners and smart end users must demand better and must ask the tough questions of their access control providers.

Physical Access Control Systems represent powerful elements of our infrastructure that have flown below the radar for many years. In the past it existed primarily to open and close doors, but IP technology has provided a host of valuable capabilities for this once purely electro-mechanical system. Businesses and governments can use modern physical access control to implement complex access rules, analyse building usage, monitor for aberrant behavior and manage time-sensitive access requests within their facilities and much more. Thus, physical access control systems (PACS) have started to come more into the spotlight as an important IoT technology, but also as a potential vector for cyber-attack.

Certainly, a close look is warranted as these systems control the very doors of your business. Placing a critical emphasis on the expertise, credibility and motivations of the manufacturers of these powerful systems is today a essential requirement for ensuring proper access control defence and security

Don’t risk your reputation for cost reduction

We need to think practically about the costs of including high-risk vendors in our access control supply chains and their products in our system deployments. We’ve seen the chaos caused by the mandated removal and replacement of Huawei from UK networks, and other high-risk vendors like Hikvision and Dahua from US security systems. Given the typically long lifecycle of an access control system and the growing concerns from policymakers worldwide, it is entirely possible that new regulations could require systems installed today to be ripped out and replaced well before they reach end-of-life.

Nobody should in good faith be recommending an approach that may cut costs in the short run only to incur potentially much larger ones down the road and all the while knowingly put end users at risk.

You protect your building for a reason

It is necessary to consider not only the strengths of a particular company’s hardware but also the motives and track record of the businesses involved in supplying them. For example, when purchasing a high-quality physical lock, we would expect to take ownership of all of the keys to unlock it and we would exercise caution with who we entrusted these to. Yet, it is relatively common for organisations to install a digital access control system without considering who may, through error, omission, or poor design have access to this vital infrastructure.

Access Control systems are also not like other security systems which are replaced more regularly – the product lifecycle can be up to 20 years, so it’s no surprise that some systems are presently lagging behind. It is for this reason that buyers must future-proof their systems before upgrading their hardware; cyber security issues including manufacturer reputation and track record, and vendor supply chain should be considered as part of the selection process.

There’s also a national security risk

Some companies may be protecting their IP, whereas others could be protecting critical infrastructure or highly classified information. We’ve seen the devastation hackers can cause, and state-sponsored attacks are becoming increasingly common, with Microsoft finding that activity from Russia, China, Iran and North Korea is on the rise. We’ve seen sanctions imposed upon individuals accused, for example, of instigating the WannaCry attack, showing how it is trying to crack-down on malicious behavior; although asset freezes and travel bans perhaps don’t go far enough considering the gravity of the information accessed and stolen.

Access control therefore can’t be overlooked as part of your network cyber security plans. With the proliferation of IoT, and its integration with networks, any access control system must have a strong cyber defence or run the risk of exposing the organisation to increased cyber-risk and even more worryingly, to actual physical threats of doors being opened or locked without their permission. Across all industries, from financial services to casinos, data centres to hospitals, the installation and connections of your PACS vendor must be taken seriously. Modern access control can provide a lot of value, so invest in it and choose your partners wisely.