ISJ Exclusive: At the forefront of critical infrastructure protection

Access Solution for critical infrastructure - ABLOY BEAT


Demonstrating the possibilities of keyless protection, an innovative solution has been developed which is ideal for securing critical infrastructure: The ABLOY BEAT.

Cybersecurity concerns devices, people and practices. At the centre of it all is trust: Devices must be safe, best practices must be complied with and users must know how to use locking devices safely. Keyless access solutions can make buildings and infrastructure smarter, more connected and safer when cybersecurity is included and prioritised throughout all access points and actions.

Technology is always evolving and new solutions are introduced to streamline operations. For example, people nowadays use their smartphones as true multifunctional work devices. With a smartphone, a person can make and receive calls, locate appointments and even authenticate their identity and pay bills. To add to the smartphone’s many uses, it can also easily be used as a secure digital key to access different sites and premises.

Access locations and assets with ease and intelligence

Digital locking solutions provide exceptional security and privacy protection for critical infrastructure. There are wired solutions, like locks with physical keys, and then there are wireless solutions that utilise NFC technology or Bluetooth.

Wireless locking solutions commonly utilise digital credentials that can open locks to access buildings and other important assets – just like a physical key. If a digital credential is used with a smartphone, it is called a mobile credential. They can efficiently replace physical keys, cards and fobs. A mobile credential is easy and intuitive to use and offers multiple layers of cybersecurity, which increases physical security.

How do mobile credentials offer layers of security?

First, let’s examine device safety. Both the smartphone manufacturer and the mobile network provider offer quality products and services that are secured with multiple layers of cybersecurity. For example, smartphones commonly utilise fingerprint, face ID and other biometrics to authenticate the user within a managed smartphone.

Secondly, the mobile credential can be examined. A mobile credential is housed in a smartphone and secured with advanced cryptography and privacy protection. Because it is encrypted, it is incomprehensible to any person or device that does not need it – if they were even able to access the data in the first place.

And thirdly, there is behavioural protection. People make use of their smartphones throughout the day. For this reason, people will notice if their phone has gone missing, and they will likely notice it a lot sooner than they would notice a lost key. The missing device can then be disabled remotely. All of this creates multi-layer protection for keyless solutions. Next, let’s take a closer look at the solutions’ built-in security procedure layers.

Implementing three essential cybersecurity procedures

Keyless solutions provide exceptional security and privacy protection for critical infrastructure. With all keyless solutions, three important cybersecurity procedures should be layered: Encryption, authentication and authorisation:

  • Encryption – information can be concealed with encryption. Encryption protects all data that travels between devices by encoding information or scrambling readable text to hide and protect it from unauthorised users
  • Authentication – authentication identifies both the user and the access management system. Once the other end of the line can be trusted, access rights can be granted and used. Authentication for the user of a mobile credential can include a mobile app’s identification measures as well as their phone’s biometrics. Similarly, all information is also authenticated by the access management system. If any invalid data is received, the management system will not read the data
  • Authorisation – authorisation determines what each user is allowed to do within an application or with received data; for example, if a user is allowed to first receive access rights and then share them forward. With access rights, users can be limited to only receive and use their personal access rights and never share them. This tightens physical security as well

Encryption scrambles readable data to appear random

What exactly is encryption? To keep things simple, let’s examine it this way: There are two popular methods to encrypt data. In symmetric encryption, all devices use the same secret key for encryption and decryption. In asymmetric encryption, each device has its own unique encryption key. Asymmetric encryption is more complex to crack and therefore it offers more protection against hacking attempts.

“For example, hackers can try to use brute force to crack a security system open,” explains Simo Pikkarainen, Product & Software Director, ABLOY Critical Infrastructure, ASSA ABLOY Global Solutions.

“Brute force means they guess multiple different combinations until they guess the correct login information to gain unauthorised access. This type of cyber-attack can be efficiently stopped with encrypted credentials. In theory, an encrypted system can be hacked with brute force, but in practice it would take some 10,000 years to decrypt all the data and break through.”

That is why the keyless ABLOY BEAT solution utilises asymmetric encryption with elliptic curve cryptography, which means that access right data is always uniquely encrypted from point-to-point. In an end-to-end encrypted security channel, data that travels from the management system to the lock and the smartphone will also be encrypted during transport.

A keyless solution made for critical infrastructure protection

All ABLOY BEAT locks have a unique identity. Also, every smartphone with the BEAT application installed has a unique identity. Public key infrastructure (PKI) encryption, with a certificate created by a certificate authority, binds the identity to the lock.

A unique lock’s data cannot be decrypted with another lock’s decryption keys. If someone decrypts one lock in a security system, all the other locks still have their unique keys and remain protected. A single compromised lock will neither break the system nor affect any other devices within the system.

The keyless ABLOY BEAT is designed for safe wireless access management. To make sure that BEAT is safe now and in the future, we implement multiple cybersecurity layers and procedures:

  • Encryption protects all data that travels between devices by encoding information or scrambling readable text to hide and protect it from unauthorised users. We use advanced, next-generation Seos encryption technology with improved IoT capabilities as well as industry-standard security protocols and practices
  • Authentication identifies the user and the access management system. All locks and clients in the system have an individual verified and trusted identity and only authorised clients can get access to BEAT locks. We authenticate all user traffic and follow a ‘trust no one’ policy, meaning that there is not a single device or user that can bypass our authentication process
  • Authorisations are securely delivered from BEAT’s backend system to locks. Each authorisation in a mobile device is valid for a limited period. All data sent from the locks is end-to-end encrypted, so even the authorised mobile clients cannot read the contents. Compromised and stolen devices can be mitigated and invalidated through the backend

Keyless ABLOY BEAT products are operated with a mobile application over a Bluetooth connection. The ABLOY BEAT app for mobile access control allows flexible entry and activation of user rights from wherever you are. These keyless, mobile access control solutions are especially useful in remote areas, amidst busy schedules and in emergency situations. BEAT can be integrated with third party systems or added to your existing workflow with API and SDK architecture.

With the ABLOY BEAT keyless solution, you can:

  • Gain improved situational awareness with mobile access control, tracking the flow of contractors and employees
  • Manage keys, locks and access rights from wherever you are
  • Integrate access control to the system of your choice, including third party systems
  • Stay at the forefront of critical infrastructure protection. Our ever-evolving digital portfolio, complete with its futureproof products, offers security combined with effortless connectivity
  • Save travel time and costs while also reducing emissions thanks to simplified logistics

This article was originally published in the February 2023 edition of International Security Journal.