PCSC Access Control Cards, Tags & Fobs

Today’s security industry technology standards create a common framework for achieving predictable performance. Systems are made more secure and easier to install, use and integrate with other devices. Standards are also intended to be living documents, open to continual refinements to benefit manufacturers, integrators and end users. An excellent example is the Open Supervised Data Protocol (OSDP), which is now the industry’s gold standard for physical access control installations. It was designed to offer a higher level of security with more flexible options than the aging defacto Weigand wiring standard. Updating OSDP-readers simultaneously One recent addition enables end users to push firmware and software updates to thousands of OSDP-enabled card readers simultaneouslyOSDP, first introduced in 2011 by the Security Industry Association (SIA), continues to evolve with significant manufacturer input. One recent addition enables end users to push firmware and/or software updates to a few or thousands of OSDP-enabled card readers simultaneously. Weigand technology requires updates to be made one at a time at each reader. Regularly changing reader encryption keys is an excellent way to enhance facility security. It’s easy using the OSDP file transfer capability and the latest DESFire EV2 credentials containing multiple encryption keys. You can transfer the next code on the card to all readers and the job is done. And there’s no need to create a new card for each user or reprogram each individual reader. AES-128 encryption ensures cybersecurity It’s time to migrate entirely away from Weigand technology. If greater security, convenience and reduced labour from the latest OSDP updates isn’t reason enough, here are a few more things to consider. The 40-year-old Weigand protocol provides no signal encryption, making it easy for hackers to capture the raw data transmitted between cards and readers. OSDP readers support AES-128 encryption while providing continuous monitoring of wires to guard against cybercriminals. Weigand reader installations require homerun cable pulls from the control panel to each peripheral device. OSDP readers can be daisy chained, providing additional savings on cabling and installation time. Weigand technology is simply too slow to work with today’s most versatile and secure card technologies. OSDP readers work with virtually all modern access control cards. The OSDP standard also works with biometric devices; Weigand does not. Meeting requirements of FICAM guidelines SIA is pushing to make the latest OSDP version a standard recognised by the ANSI, a move to enhance the global competitiveness of U.S. security businessesAlso, OSDP is becoming a must-have standard for organisations demanding the highest security levels. The standard meets requirements of the Federal Identity, Credential and Access Management (FICAM) guidelines that affect how the access control industry does business with the federal government. SIA is pushing to make the latest OSDP version a standard recognised by the American National Standard Institute (ANSI), a move to enhance the global competitiveness of U.S. security businesses. There’s still a large worldwide reader installation base that works solely with the Weigand protocol. Admittedly, changing them all at one time may be prohibitively expensive; however, standards should be viewed as a journey, not a destination. That’s why a measured migration is the right choice for many organisations. Begin by securing the perimeter. Replace only the outside-facing Weigand readers. As long as the walls are secured, the inside can remain a softer target until OSDP-compatible readers can be added indoors. The case for moving to OSDP as a standard is compelling. It offers our industry the opportunity to design access control software and products that provide what end users want most – greater security, flexibility and convenience.

It’s not surprising that people are nervous about the security of newer technologies, many of which are part of the Internet of Things (IoT). While they offer greater efficiency and connectivity, some people still hesitate. After all, there seems to be a constant stream of news stories about multinational corporations being breached or hackers taking control of smart home devices. Both of these scenarios can feel personal. No one likes the idea of their data falling into criminal hands. And we especially don’t like the thought that someone can, even virtually, come into our private spaces. The reality, though, is that, when you choose the right technology and undertake the proper procedures, IoT devices are incredibly secure. That said, one of the spaces where we see continued confusion is around access control systems (ACS) that are deployed over networks, particularly in relation to mobile access, smartcards, and electronic locks. These technologies are often perceived as being less secure and therefore more vulnerable to attacks than older ACS systems or devices. In the interest of clearing up any confusion, it is important to provide good, reliable information. With this in mind, there are some myths out there about the security of ACS that need to be debunked. The fact that these devices communicate with an ACS via Bluetooth or Near Field Communication (NFC) leads to one of the main myths we encounter Myth #1: Mobile credentials are not secure The first myth we have to look at exists around mobile credentials. Mobile credentials allow cardholders to access secured doors and areas with their mobile devices. The fact that these devices communicate with an ACS via Bluetooth or Near Field Communication (NFC) leads to one of the main myths we encounter about the security of credentialed information. There is a persistent belief that Bluetooth is not secure. In particular, people seem to be concerned that using mobile credentials makes your organisation more vulnerable to skimming attacks. While focusing on the medium of communication is an important consideration when an organisation deploys a mobile credentialing system, the concerns about Bluetooth miss the mark. Bluetooth and NFC are simply channels over which information is transmitted. Believing that Bluetooth is not secure would be the same as suggesting that the internet is not secure. In both cases, the security of your communication depends on the technology, protocols, and safeguards we all have in place. So, instead of wondering about Bluetooth or NFC, users should be focused on the security of the devices themselves. Before deploying mobile credentials, ask your vendor (1) how the credential is generated, stored, and secured on the device, (2) how the device communicates with the reader, and (3) how the reader securely accesses the credential information. When you deploy smartcard technology as part of your ACS, you should choose the latest generation, such as MiFARE DesFIRE EV1 or EV2 and HID iCLASS SEOS Myth #2: All smartcards are equally secure The question “how secure are my smartcards?” is a serious one. And the answer can depend on the generation of the cards themselves. For example, while older smartcards like MiFARE CLASSIC and HID iCLASS Classic offer better encryption than proxy cards and magstripe credentials, they have been compromised. Using these older technologies can make your organisation vulnerable. As a result, when you deploy smartcard technology as part of your ACS, you should choose the latest generation, such as MiFARE DesFIRE EV1 or EV2 and HID iCLASS SEOS. In this way, you will be protecting your system as well as your buildings or facilities. Some traditional readers and controllers can also pose a serious risk to your organisation if they use the Wiegand protocol, which offers no security. While you can upgrade to a more secure protocol like OSDP version 2, electronic locks are a very secure alternative worth considering. It is also important to understand that not all smartcard readers are compatible with all smartcard types. When they are not compatible, the built-in security designed to keep your system safe will not match up and you will essentially forego security as your smartcard-reader will not read the credentials at all. Instead, it will simply read the non-secure portion—the Card Serial Number (CSN) —of the smartcard that is accessible to everyone. While some manufacturers suggest that this is an advantage because their readers can work with any smartcard, the truth is that they are not reading from the secure part of the card, which can put your system and premises at risk. Using electronic locks can help protect facilities and networks through various security protocols, including encryption and authentication Myth #3: Electronic locks are more vulnerable These days, there are still many who believe that electronic locks, especially wireless locks, are more vulnerable to cybercriminal activity as compared to traditional readers and controllers. The concern here is that electronic locks can allow cybercriminals to both access your network to get data and intercept commands from the gateway or nodes over the air that would allow them access to your buildings or facilities. The reality is that using electronic locks can help protect facilities and networks through various security protocols, including encryption and authentication. Additionally, because many of these locks remain operational regardless of network status, they provide real-time door monitoring. This means that many electronic locks not only prevent unauthorised access but also keep operators informed about their status at all times, even if a network goes down. Outdated technology and old analogue systems are more vulnerable to attacks When it comes to deploying electronic locks, it is important to remember that, like any device on your network, they must have built-in security features that will allow you to keep your information, people, and facilities safe. Be prepared to unlock future benefits Ultimately, the information in your IP-based ACS is at no greater risk than any other information being transmitted over the network. We just have to be smart about how we connect, transmit, and store our data. In the end, maintaining the status quo and refusing to move away from old technology is not a viable option. Outdated technology and old analogue systems are more vulnerable to attacks. The reason it is so important to debunk myths around ACS and, at the same time, get people thinking about network security in the right way is that network-based systems can offer an ever-increasing number of benefits. When we deploy new technology using industry best practices and purchase devices from trusted vendors, we put ourselves and our networks in the best possible position to take full advantage of all that our increasingly connected world has to offer.

The basic principles of access control are well established: only authorised people should have access to secure areas, only at times that can be defined in advance, and only within a system that can identify exactly who went where, and when. Traditional mechanical lock-and-key systems cannot accomplish this — at least, not without loading a huge admin burden onto security staff. But modern, electronic wireless access control has the flexibility to achieve it. What criteria determine the right sort of access control for your organisation? It makes sense to assess what is desirable against what is affordable or available in the electronic access control market today. Asking yourself these 5 questions will lead to a wise investment in the right technology: Wireless locks like Aperio work seamlessly with existing systems from over 100 different access control providersDo you want to extend your existing system, or begin from scratch? You are not stuck with locks chosen by a previous management team. Security needs change. Wireless locks like Aperio, for example, work seamlessly with existing systems from over 100 different access control providers, integrated online or offline. You will save time and money extending your current system with a technology like Aperio and users can continue with their existing credentials. Going forward, it makes sense to choose locks built using open architecture, for added flexibility and to future-proof your next investment. Who are the site users and what kind of credentials suit their needs? In many industries, access to premises is required by permanent staff and short-term contractors: your access system needs to be flexible. Different systems offer credentials stored on cards and fobs, or on programmable, battery-powered keys. For example, the new Openow app for SMARTair wireless locking converts a user’s smartphone into a virtual key. You issue and revoke user keys using the intuitive software, an efficient, flexible mobile management solution. What is the structure of the site (or sites) you protect? You will need different locks for high-traffic and low-traffic doors, indoor and outdoor use. Almost everywhere, wireless locks are much easier to install and to maintain than traditional wired magnetic locks — and more cost-effective to run. Certified wireless security locks provide extra protection for sensitive areas needing stringent standards. If you have a mobile workforce or manage dispersed sites, consider the credential management practicalities. For example, programmable keys that are easy to update with a Bluetooth-enabled smartphone app — like ASSA ABLOY’s CLIQ Connect solution — will save your staff time and money. For outdoor access points, you will need gate locks or padlocks certified for operation in extreme conditions Do you want to secure more than just doors? Some wireless systems have locks for cabinets, machines, windows and even server racks (handy if you want an extra layer of control over co-located servers). There will be workflow advantages in monitoring these ‘non-doors’ — medicine stores, for example, or car parks or lifts — from the same admin interface as your doors. Site users will appreciate the convenience of carrying one credential for every access need. For outdoor access points, you will need gate locks or padlocks certified for operation in extreme conditions. For example, CLIQ mechatronic padlocks are currently deployed outdoors at utility sites in Scandinavia and supermarkets in East Africa. Do you need real-time capabilities? Choose an Online system and you can manage and amend access control doors at any time and from anywhere, using the admin software. You can monitor sensitive areas like medicine stores remotely and in real time, and can revoke access rights if a user credential gets lost. In an emergency, remote locking or unlocking of an entrance could be critical. Aperio wireless locks, for example, are integrated with online electronic access and real-time monitoring systems in hospitals, manufacturing plants and student halls of residence. With some systems, including SMARTair, you can combine ‘Update on Card’ and Online updating for different doors within the same installation. The CLIQ Connect app and programmable keys make real-time control over remote sites or teams possible. Wireless access control offers a compelling mix of audit compliance, easy installation, cost efficiency, and seamless integration. It makes life easier for security managers, and is deployed in premises as diverse as power plants and co-working spaces; museums and care homes; banks, schools and skyscrapers.

PCSC, a designer and manufacturer of access control solutions and Coolfire Solutions, a St. Louis based software company known for creating Military-Grade situational awareness platforms, collaborate to deliver top-level capabilities for access and security. Coolfire Solutions created its innovative Ronin Platform to deliver software that sits on top of existing systems and infrastructure to transform data into actionable intelligence. Originally developed for the U.S. military, the Ronin Platform is being widely adopted by industry leaders and organisations who recognise the importance of placing the right data, in the right hands, in real-time, so that intelligent decisions can be made. LiNC-NXG PSIM system Stacking the Ronin Platform on top of the data provided by PCSC’s LiNC-NXG PSIM system provides a robust, real-time common operational pictureStacking the Ronin Platform on top of the data provided by PCSC’s LiNC-NXG physical security information management system provides a robust, real-time common operational picture, visually representing physical security events, and enabling a coordinated security response. For instance, urgent security related event details are pushed to mobile devices of nearby security officials for immediate action. An additional benefit, in the case of an on-premises environment, the underlying access management system is not exposed, only the top-level data is managed. Extend the capabilities of access solutions “An extremely impressive GUI for our industry and an actionable set of features extend the capabilities of PCSC’s access solutions for real-time response,” said Mas Kosaka, President and CEO of PCSC. “The expansion possibilities are virtually limitless too. We’re excited to debut the capabilities of Ronin to our Business Partners during the PCSC Symposium in conjunction with ISC West, the largest security industry trade show in the U.S.” Coolfire Solutions and PCSC have the experience and capabilities to transform the way security professionals do their job every day" “Coolfire Solutions and PCSC have the experience and capabilities to transform the way security professionals do their job every day. We can maximise the value of existing technology investments by combining data from any source and making it actionable," said Don Sharp, CEO at Coolfire Solutions. "Security professionals have an incredibly challenging job and it’s only getting tougher. By bringing all of their critical data onto a single pane of glass we can increase the level of security while driving significant operational efficiencies.”

The BioConnect Identity Platform provides an integration of Suprema's biometric solutions with the majority of leading access control systems BioConnect and Suprema have announced Suprema's launch of the BioConnect Identity Platform. Developed by BioConnect, Suprema's long-standing strategic partner in North America, the BioConnect Identity Platform provides an integration of Suprema's biometric solutions with majority of the leading access control systems in the global security market. Under the appointment, Suprema will provide and support the BioConnect Identity Platform globally from June 1st, 2016 onward. Powerful integration featuresWith the BioConnect Identity Platform's powerful integration features and BioConnect's and Suprema's partner eco-systems, enterprises benefit from the ability to take advantage of deploying biometrics with their existing (or their choice of) access control vendor, standards, devices and way of operating. The BioConnect Identity Platform enables the seamless integration of Suprema's biometric terminals with access control systems, ERP and time and attendance systems, supporting biometric and multi-factor authentication, biometric enrollments and user ID management. One central system The solution enables greater security, identity assurance and convenience from one central system and has ultimately changed the way that the physical access control market can consume biometrics as an authentication strategy. No other manufacturer around the world has been able to offer this level and quality of integrations - with the BioConnect Identity Platform boasting over 20. "With the BioConnect Identity Platform, BioConnect complements our goal of providing industry-leading biometric security solutions to the global market. The product is a ready-made bridge solution that provides easier integration of cutting-edge Suprema biometric technology together with a customer's choice of leading access control systems," said Young Moon, VP of Suprema. "We are looking forward to providing the BioConnect Identity Platform to a more global security market and are excited to offer our customers a seamless and cost-effective way of adopting Suprema's biometric security solutions," Moon added. Innovative technologies From the perspective of the access control provider, the BioConnect Identity Platform opens up the option to provide a Suprema biometric solution and continue to benefit from the complete product line as Suprema brings new and innovative technologies to market. "As a Suprema partner we have experienced a lot of growth in the North American and UK markets due to its leadership and continued emphasis on producing biometric products of superior quality, versatility and range," said Steve Greb, Strategic Director of Business Development at BioConnect. "We're very excited to draw on Suprema's impressive partner network and continue to build out our Quest for Rightful Identity on a global scale." Integration with leading systems The BioConnect Identity Platform integrates the following leading access control systems with the Suprema biometric terminals; ACT ACTManage, AMAG Symmetry, Axis A1001, Brivo OnAir/OnSite, Genetec Security Center, IMRON IS2000, Lenel OnGuard, Open Options dnaFusion, Paxton Net2, Honeywell ProWatch, Honeywell WINPAK, RS2 AccessIT!, S2 Netbox, Software House CCURE 9000, Stanley SecureNET, Gallagher Command Centre and now PCSC LiNC-PLUS. Suprema and BioConnect will team together to showcase the BioConnect Identity Platform at IFSEC 2016 in London on June 21st-23rd at Stand E1400.

Systems may be reliable and performing as originally intended, but can also beoutdated in comparison to current technology offerings Let’s start by defining what a legacy system is in the context of a security control system. Legacy refers to an installed and operating security control system made up of numerous components, both hardware and software, that have been eclipsed by newer technologies. A shortage of parts and pieces may be creeping in, and it’s also likely the older stuff has a service tech scratching his head when faced with a configuration setting or data entry protocol. The newer technologies, however, may still be providing much of the desired functionality required by the legacy system user. Legacy in this context then is not necessarily a pejorative term. The system may be both reliable and performing as originally intended but is outdated in comparison to current technology offerings both from a communications standpoint and as it relates to applications and data mining. So what to do? For openers, as my dad would day, do a Ben Franklin list of do’s and don’ts. Naturally you’d love to move to a new, bigger or smaller, better and faster system. But, first, what does that list look like? I for one think is might begin to look like this: Things to do when managing legacy systems Do you have a handle on your current technology capabilities? Many legacy systems are underutilised and have features that are not used. Revisit your systems capabilities: You are likely to make some pleasant discoveries. Do you have a handle on your current technology capabilities? Many legacy systems are underutilised and have features that are not used Do you currently know how all of the pieces and parts in your system are currently communicating? A great start for planning the next steps is to understand the “plumbing.” Associated with that is the location of communication; specifically, how are things wired and where are they terminated, recorded and catalogued? What does your power distribution for the system components look like? Do you have backup and other means of maintaining operations during a loss of power, and where is that stuff? If not done recently, this step provides an opportunity to ensure you are ready for things that don’t happen and also to revisit codes. It’s always worthwhile if a maintenance provider is available to a system test in this area, or it can be self-conducted. What is the state of your record management, and when was the last time you did some basic housekeeping, such as backup and the like? If you don’t remember when you did it last, stop reading and go do some housekeeping — it’s clearly due now! What works for you and your organisation, and what have you developed a work-around for? If your “super users” have found ways to manage desired system outcomes by some clever workaround, are there other desired features?  Do you have a relationship with an authorised service provider or an on-staff trained first responder? Do you have attic stock (stuff you own) to support those older components? I like to think of it like making a road trip with a spare tire and basics in the trunk in case an extended unplanned stop on the side of the road interrupts your trip. Have you developed a plan for an eventual upgrade? What’s first, what does it cost and whom will I let provide pricing to do so?  Rip-and-replace isn't your only option. There are many products and servicesavailable to migrate from a legacy to next steps utilising embedded infrastructure Planning and management What are my/your basic functional requirements, and where are the gaps now you must fill for enterprise sustainability? That legacy system likely has paid its way and now needs to be retired; I’m not ready either. Do you have a business case for this refresh – applications, data mining, new and reporting and risk mitigation strategies? If not, you are missing this first step of legacy migration planning and management. Managing the age includes a system exit strategy. Getting C suite, namely your CFO’s, attention is key; sustainability of your enterprise is 101, so functionality as it relates to risk mitigation is essential to keeping your entity flourishing. So what are the DON’T’s? Don’t trivialise the migration or response to the Do’s or you’ll end up in a big To Do. Don’t minimise the relationship with existing integration resources you have worked with, old and new. Organisations evolve, some for the best, some not so. Refresh these relationships as well; resources are like bridges – you never know when a crossing is needed. Don’t rush into the latest and greatest; be wary of who’s definition you subscribe to. There’s a reason they call it the “cutting” edge. Don’t believe that rip-and-replace is your only option. There are many legacy systems in our industry, and many well-made and well-thought-out products and services are available to migrate from a legacy to next steps utilising embedded infrastructure. The bottom line: Define your parameters, select your partners and engage companies with a history of legacy migration and thought leadership. If your legacy includes some products with forward-thinking engineering thought leadership, you may be able to manage your needs with security control board-level replacements or the flashing of new firmware and upgrades to software. I‘m aware of several companies whose products elegantly move through time, adding new applications and functionality without wholesale rip-and-replace. These legacies carry on. The market has responded to you and others eager to know their options. There are many ingenious and clever ways to upgrade communications and transport of data, reliable mainstream products designed to meet this challenge head-on. There are solutions aimed at allowing you to use current IT and Internet of Things (IoT) apps and functionality. However, there are also quite a number of technology partners able help make the leap from analogue to digital using existing pathways. The bottom line: Define your parameters, select your partners and engage companies with a history of legacy migration and thought leadership. They are most likely to produce the best results and allow you to leave behind the legacy you want to be associated with.