Physical access monitoring and control systems have been around for quiet some time, but things are changing. These systems and devices have been moving away from their CCTV roots and making their way onto IP networks. There are certainly benefits to networking this equipment. Monitoring of these systems becomes easier as does their administration. The primary motivator for moving to IP based systems, however, is the cost and ease of deployment. Most buildings, new and old, have ethernet runs everywhere. With IP based access control systems, you no longer need to run dedicated cables (most commonly RS485), saving money in both time and materials and and it allows for easier modification in the future.
With added benefits comes added risk. Obviously, any device on the network adds to the networks attack surface, but I believe the largest danger presented by networked access control stems from the fact that, in most organizations, Facilities (ie: Physical Security) and Information Security fall under two very different groups. Facilities is no longer deploying RS485 door controllers, they are deploying networked computers that control and monitor access to their building (in turn their data), often with little to no input from the information security group within the organization. As most people are aware, an attacker with physical access to a location is almost guaranteed access to sensitive data. Physical Security is Information Security, and Information Security is Physical Security. Read More …