idcube systems
Making PACS Unbreachable

The security of an organization commonly comprises three critical systems – Physical Access Control System (PACS), Video Surveillance, and Logical Access Control. Physical access control is the first line of defense against security breaches, whereas video surveillance is required more for post-incident root cause analysis. Moreover, intrusion into information systems generally occurs from within the facility. Therefore, one must ensure that PACS is implemented in the most effective way to stop potential security breaches.

In this blog, we discuss several pointers for building a more secure PACS, one that is unbreachable in the real sense, in response to the threats and vulnerabilities discussed in “How to hack Physical access control system (PACS)”.

1. Securing all the Storage Locations

To ensure better security, install all the controller devices and the corresponding cabling in an area, and in a manner, that keeps them invisible and inaccessible to the public.

User identities, better known as credentials, are the cornerstone of PACS. Limit the storage of credential data to fewer components, such as controllers and server databases. Then, even if smart cards or readers get hacked, it becomes impossible for the intruder to gain sensitive information.

Here are some of the most effective ways to secure storage components of PACS credentials:

a. Server Database Security
– Use of standard RDBMS products offering secure authentication protocols

b. Controller Memory Security
– Crypto memory chip
– Biometric credential storage on the controller itself (publicly exposed devices such as readers should not carry any confidential credential data)

c. Reader Memory Security
– A secure element for the protection of keys and cryptographic operations

d. Smart Card User Memory Security
– Key-based secure user memory access (instead of just referring to card CSN)

2. Securing all the Communication Channels

The physical access control system architecture is such that if any one of the communication channels (server, controller, reader, cards) gets compromised, all the sensitive credential information becomes vulnerable.

Here are some of the most effective ways to secure the respective communication channels:

a. Secure Communication between Card & Reader
– Symmetric Key Encrypted data transmission (instead of just referring to card CSN)

b. Secure Communication between Reader & Controller
– Use of a communication protocol that supports encryption, such as OSDP SC (instead of the ubiquitous Wiegand protocol)

c. Secure Communication between Controller & Server
– TLS encryption or AES 128/256-bit
– Cryptographic module, like OpenSSL FIPS Object Module RE, for a certified implementation of TLS
– IPv6, ensuring greater connection integrity and security

d. Secure Communication between Server & Clients
– SSL (HTTPS)
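
The difference between a CSN-only check and key-based access (points 1d and 2a above) can be seen in a short simulation. This is an added example, not IDCUBE code: the class and function names, the sample key and the CSN are constructed, and HMAC-SHA256 stands in for the symmetric cipher a real smart card would use.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In a real reader this would sit in a secure element.
SITE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def card_key(csn: bytes, master: bytes = SITE_MASTER_KEY) -> bytes:
    """Diversified per-card key: one extracted card key does not expose others."""
    return hmac.new(master, b"pacs-card-key|" + csn, hashlib.sha256).digest()

class Card:
    """Simulated card: the CSN is readable by anyone, the key never leaves the card."""
    def __init__(self, csn: bytes, key: bytes):
        self.csn = csn
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def csn_only_check(card: Card, enrolled: set) -> bool:
    """Weak check: trusts a static, unauthenticated identifier."""
    return card.csn in enrolled

def keyed_check(card: Card, enrolled: set) -> bool:
    """Challenge-response: the card must prove possession of its key."""
    if card.csn not in enrolled:
        return False
    challenge = secrets.token_bytes(16)  # fresh per read, so old responses are useless
    expected = hmac.new(card_key(card.csn), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))

# Constructed sample data.
CSN = bytes.fromhex("04a1b2c3d4e5f6")
ENROLLED = {CSN}
GENUINE = Card(CSN, card_key(CSN))
SAME_CSN_NO_KEY = Card(CSN, secrets.token_bytes(32))  # right CSN, wrong key

if __name__ == "__main__":
    for name, card in (("genuine", GENUINE), ("same CSN, no key", SAME_CSN_NO_KEY)):
        print(f"{name:18} csn_only={csn_only_check(card, ENROLLED)} "
              f"keyed={keyed_check(card, ENROLLED)}")
```

The CSN-only check accepts both cards because it never tests anything secret, while the keyed check accepts only the card that holds the diversified key.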

3. Device/Application Access Management

Threats to PACS security continue at the application access management level, where hackers obtain a privileged user’s credentials and use them for unauthorized access.

Here are some of the most effective ways to secure against unauthorized application access:

a. Robust Password Policy Implementation, such as:
– Enforcing strong passwords
– Password expiry
– Portal lockout (multiple incorrect login attempts)
– Audit trails
– CAPTCHA

b. Ensure Server Application Security with:
– VAPT certification
– ISO 27001:2013 (ISMS) certified processes
