Customer Logins

Obtain the data you need to make the most informed decisions by accessing our extensive portfolio of information, analytics, and expertise. Sign in to the product or service center of your choice.

Customer Logins

Electronic physical access control: Monetizing the combat in the fight against cyber threats

23 February 2018 Jim Dearing

Manufacturers should develop solutions that offer customers flexibility to adapt and scale to their needs

In the fight to secure networks from malignant attacks, electronic access control has historically been the first line of defense in cyber security. Designed to regulate access to a network, the electronic access control system denies potential hackers access to the physical location of IT hardware, in the process protecting assets from a number of potential cyber vulnerabilities.

However, in recent years increasing numbers of security systems are being integrated with IT systems and networks, resulting in physical security systems also becoming susceptible to remote cyber attacks. Shipments in 2015 of IP-enabled controllers and edge-based devices accounted for 39% of the total global market for access control door controllers, but both devices combined will account for a majority of the global market by 2021, IHS Markit forecasts.

Manufacturers today of electronic access control systems currently have many methods to help safeguard their systems from virtual attack. Some of the most common methods used at present by manufacturers include adopting more secure physical credentials, encrypting reader and panel communication, and educating end-users and installers on cyber-security best practices. But in many cases these actions are not enough or are too expensive, or the methods are implemented incorrectly by the either the installer or end-user.

The result is a constant search by manufacturers in the battle against cyber threats to develop and deploy new tools to aid end-users of electronic control access systems. Unfortunately for manufacturers, developing software patches that can be applied across the entirety of their product portfolio is expensive.

So, how can they offset this cost without damaging profits? Increasing equipment prices is undesirable, as a significant portion of potential customers are unwilling to pay more for systems even if they are marketed as “more cyber secure.” Another option for manufacturers would be to develop a wider range of products that cater to the large variance in appetite for cyber secure systems, but this likewise would be costly for makers.

IHS Markit believes that the solution cannot be found by using the same pricing and business models of the past 20 years. Instead, manufacturers should look toward developing “software as a service”—or even “cyber security as a service”—solutions that offer end-users the flexibility to adapt and scale access control systems to suit their own needs and cyber security risk tolerance. Manufacturers can also offer a tiered service solution, slowly transitioning end-users to higher, more expensive levels of the service as they educate customers on the many dangers posed by cyber-security threats and attacks.

In return for recurring payments, manufacturers could provide software and services that include the examples below:

  • Penetration testing toolkits: software provided to the end-user, or run by the manufacturer on the system remotely, to test for common easy points of access to the system via the network
  • Workshops and seminars for end-users: events, conferences, or even webinars for system owners to become educated on cyber-security best practices
  • Cyber-security reporting: annual or quarterly reports, as well as action plans and recommendations on how to help protect systems
  • Access control software add-ons: software that incorporates data analysis or dynamic-risk-score modelling to require additional authentication, following periods of irregular activity or commands and requests—applicable at credential-holder level to check access requests, as well as at admin level to protect against unauthorized users attempting to communicate with equipment via the network
  • Software/firmware updates and patches: could be increased in frequency following a paid subscription, even though in many cases already provided to end-users for free
  • Cyber-security monitoring: full-time supervision of access control systems to monitor irregularities and threats, as well as being on hand to respond to attacks; manufacturers can even outsource most of this service to an alarm-monitoring company

Jim Dearing, Senior Analyst, Security Technology, within the IHS Technology Group at IHS Markit

Posted 23 February 2018


Filter Sort