Interview with Michael Nicholson, 2N’s Business Development Manager for the UK & Ireland.
- Given that we have European Cybersecurity Month – how big an issue is cybersecurity in the intercom business?
Back in 2021, Hiscox published its Cyber Readiness Report 2021, which was based on a survey of more than 6,000 companies based in the US, the UK, Spain, the Netherlands, Germany, France, Belgium and Ireland. The report assessed firms’ maturity across six different areas, which together comprise the elements required to install, run, manage and govern an effective security system. One of those six areas was ‘Identity and access management’, and, across all the companies surveyed, it came second from bottom of the list, with an average score of 2.97.
A couple of weeks ago, the 2023 Cyber Readiness Report came out, and the average score for ‘Identity and access management’ had actually dropped slightly, to 2.87. We’ve been saying for a while that cybersecurity is rarely front of mind when it comes to access control, and Hiscox’s latest report seems to confirm that.
Some people continue to downplay the importance of access control when it comes to cybersecurity, suggesting that intercoms, being purely edge devices, are not a very interesting target for hackers. The truth is that any device can be vulnerable – including IP intercoms. If these devices are not sufficiently secured, then in the event of a cyber-attack they can represent a security hole in the entire corporate network, putting at risk the daily operations of the building – and, consequently, its residents. In addition, if the access control system is hacked, the intruder can gain unauthorised access to the building. This is why it is more important than ever that users are aware of any potential vulnerabilities that may exist, so that they can ensure appropriate security measures are in place.
- What is your approach towards cybersecurity?
We take a company-wide approach to cybersecurity. All of our products are designed and developed following the cybersecurity best practice defined in ISO 27001, SOC 2, AWS Hardening and Axis ASDM model. We also have a dedicated team which works closely with industry bodies and customers to stay aligned with the most up-to-date practices. Additionally, in every part of the business, we prioritise the protection of personal data, whether it be employees’, partners’ or customers’.
But in access control, social engineering – deceiving a victim in order to gain control over the system – is still the biggest risk. This requires integrators and installers to be doing the right things as well, which is why support and education are so important. We have published seven pieces of cybersecurity best practice which integrators and installers should bear in mind when working on all projects, and a Hardening Guide which explains how to configure 2N products in a truly secure way. We will continue to prioritise this part of our work to ensure that customers can enjoy all of the security and convenience benefits of IP intercoms without any risk from cyberattacks.
- How secure are your IP intercom systems?
We believe that we are leading the way on cybersecurity in the access control industry.
The first step towards cybersecurity is the physical security of our products. Our IP intercoms and access readers are “Secured by Design” certified and are available in robust materials, such as aluminium or zinc alloy. Some of them are designed for very demanding environments and therefore boast IP69K and IK10 certification. A mechanical or optical tamper switch, which helps to prevent unauthorised entry into the device, is already standard on 2N devices.
We also have security certificates which are unique to each device, as well as intelligent password systems, protection against dictionary attacks and communication using state-of-the-art encryption principles. By applying these and many other principles in the development process, 2N products meet the very highest security criteria for personal data protection, product security and network infrastructure security.
Regular testing is also an integral part of product safety. Testing is done on several levels in the form of unit tests, smoke tests, integration and regression tests, and, of course, penetration tests which are designed to eliminate security weaknesses.
To make sure we stay ahead of the curve, we also release new firmware for all of our devices every four months. It contains new features and improvements, as well as bug-fixes and security patches for any vulnerabilities discovered.
- How do you protect customer data?
As a European company, we operate in full compliance with the rules established in the General Data Protection Regulation (GDPR). We only use data that is essential to door communications and access, and only work with personal data where we have the customer’s consent to do so. Sensitive personal data from our cloud and software services is saved and encrypted in secure, backed-up data repositories, and we never share data about users with any third party or for marketing purposes. Personal data saved directly in our IP intercoms is hashed and thereby protected against unauthorised access.
More specifically, HTTPS data encryption is used for the connection between web browsers and servers. Port hijacking is then prevented by a point-to-point connection using the 802.1X protocol. This makes unauthorised access to the LAN port very difficult to obtain. We use the SIPS protocol to encrypt the communication, thus preventing man-in-the-middle attacks or identity theft, and voice data is encrypted using the SRTP protocol, preventing unauthorised people from listening in to any communication.