For the better part of history, building security relied primarily on physical barriers – gates, doors, manual locks, etc. – and on-site personnel to control authorized access. Though these physical barriers obviously remain critical to building security and are often the first layer of defense, access control now extends well beyond the physical and into the world of both electrical autonomy and connected technology. Access control systems, including single door control units, help streamline access and increase security through the use of technology, and these advancements require additional evaluation to ensure safety, performance and security are maintained.
To further complicate modern access control systems, many are now also considered “connected” devices, meaning they have become part of the Internet of Things (IoT). This connectivity offers great potential and enhanced system capabilities while also increasing the need for security and for a better understanding of industry cybersecurity requirements for both hardware and software.
To help ensure success in the market, it is important for all manufacturers of access control systems to understand the basic requirements of the primary North American standard, ANSI/UL 294, Standard for Access Control System Units. For those manufacturing single door control units, it is especially important to understand the criteria within this standard that relate specifically to these autonomous systems. Additionally, when internet connectivity is used with the device, manufacturers should remain aware of testing and certification options that can help ensure cybersecurity.
The UL 294 Standard is ANSI approved and covers the construction, performance, and operation of access control systems. The standard’s code references first appeared in the National Fire Protection Association’s 2009 edition of NFPA 101: The Life Safety Code, and the 2012 edition of the International Business Code (IBC). The application of UL 294 has expanded under both codes since its first appearance, but its application is not the same in both codes. Today there are additional references to the application of UL 294 in the latest versions of the International Fire Code (IFC), NFPA 1, 101, 730, 731 and 5000. Ultimately code adoption is dependent on the authority having jurisdiction (AHJ) of the project and application in question.
The standard evaluates the electronic components – including control units, accessories, card readers, delayed egress locks, and single point locking devices – necessary for the proper operation of the access control system to help ensure they will operate without creating a hazard and perform to industry consensus norms. A dedicated version of this standard was also created for the United Kingdom at the request of Secured By Design, an initiative of the UK Police Department, to more specifically address the localized needs of that region.
Focus on Single Point Locks
Contained within UL 294 (6th edition) is section 33.2.1, which specifically covers single point locks. This section applies to both residential type locks (keypad, mobile device, Bluetooth, WiFi) and those typically found in, for example, hotels (key card, etc.). For single point systems where the access control solution resides locally to the access point, all credentialing, decision making, and information storage is contained within the autonomous lock. As this single device grants or denies access to a single door without requiring the assistance of additional system components, the devices offer convenience and simplicity.
Performance is assessed in several areas with numerous different tests (as applicable), including:
Attack Resistance: This test assesses the system’s ability to withstand a physical attack without granting access to the attacker, even if the system is disabled. Attack testing is performed in a tiered manner ranging from no attack (Level 1) to maximum attack (Level 4) depending on need. See the previewed Table 8.1 (below), from the upcoming 7th edition of the standard, for reference.
Line Security: Though single point systems operate completely autonomously, they can still be designed to send signals to a central monitoring system or off-premises receiver. Line security is rated in a tiered manner to help ensure this signal can be sent and will transmit with encryption. Connectivity with regard to communication protocol and remote software updates is not specifically addressed within UL 294, but the collateral standard, UL 2900-2-3, provides applicable guidance.
Endurance: These tests, also provided in a tiered manner, assess the system’s usability following a specified number of operational cycles. See Table 8.1, from the upcoming revision of the standard, for reference.
Standby Power: To ensure continued operation in the event of loss of primary power, the unit’s standby power supply must also be tested.
Additional tests related to the operation of the unit include Input and Output Transient, Electrical Supervision, Standby Power, Undervoltage and Overvoltage Operation, Variable Ambient, Humidity, Jarring, Dielectric Voltage-Withstand, Temperature, Abnormal Operation, Electrical Transient, Polymeric Materials, Battery Replacement, Strain Relief, and Special Terminal Assemblies tests. If the single point system also contains a key lock, it may be subject to the applicable requirements of UL 437, Standard for Key Locks.
Remember, state and/or local requirements may differ from the NFPA 101 and IBC and the local AHJ will ultimately determine the necessity of compliance with UL 294. Always refer to the published codes and the requirements of the Local Authority Having Jurisdiction (AHJ). However, bear in mind that it is also possible for the end user, architect, and/or security consultant to specify the standard as a way of helping to guarantee the quality of the product.
Security Beyond the Device Itself
Many manufacturers are now taking advantage of the convenience offered through the enhanced connectivity available in today’s markets by connecting single point systems to the Internet via Bluetooth, cellular wireless, personal WiFi, or business WiFi. Gartner, Inc. forecast that 8.4 billion connected devices would be used around the world in 2017, totaling nearly $1.7 trillion in hardware spend.1 This is an exciting trend for the industry and one that will only continue to grow as wireless connections become more commonplace, but with this shift comes the need for additional security. For example, Symantec, in its 2017 Internet Security Threat Report based on 2016 data, reported that 357 million new malware variants were introduced last year and IoT devices were attacked on average once every two minutes.2
Though UL 294 provides a full assessment of the physical single point locking unit and even the signals sent to a central monitoring system (if applicable), the standard does not address communication protocols, IoT interoperability or software based cybersecurity. Additional testing pertaining to cybersecurity can help provide added peace of mind for units offering such connectivity. The UL 2900 series of standards was created to help manufacturers understand and assess software security as it relates to connectivity. General requirements are contained within UL 2900-1, but more specific guidelines can be found in UL 2900-2-3, Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems.
This set of standards, developed with industry input, provides a set of cybersecurity performance and evaluation requirements that can help establish a baseline of cyber protection against known vulnerabilities, weaknesses and malware. UL’s Cybersecurity Assurance Program (UL CAP) relies on UL 2900 to test, evaluate and certify a product’s software architecture and design to the specifications enumerated in the Outline of Investigation. This includes the system’s ability to accept updates and/or patches to address the changing needs of this technology.
To further illustrate the importance of cybersecurity in access control products, it is worth recounting the events at the Romantik Seehotel Jaegerwirt, an Austrian hotel that was attacked early in 2017. The bad actor in this scenario used software known as ‘ransomware’ to take over the electronic key system at the hotel, locking all rooms and, as a result, locking all guests out of their rooms. The hotel was at maximum capacity and, to avoid further inconvenience to guests, had to pay a ransom (in this case, the demand was in Bitcoins) to regain access to the system.3
Securing the Road Ahead
Access control systems with or without the convenience of wireless connectivity will only continue to become more prevalent due to the promise of convenience and, in many cases, improved security. With this in mind, the organizations, tests and standards that work to help guarantee the performance and safety of these systems will continue to evolve to ensure that changes in technology are properly addressed.
Table 8.1
Summarized levels of access control components

| Feature | Level I | Level II | Level III | Level IV |
|---|---|---|---|---|
| Destructive Attack | No attack test | Withstand attack test for 2 minutes | Withstand attack test for 5 minutes or generate an alarm event in 2 minutes | Withstand attack test for 5 minutes, generate an alarm in 2 minutes which cannot be silenced for 2 minutes |
| Line security | No line security | Standard line security | Encrypted line security 128 bit | Encrypted line security 256 bit |
| Endurance | 1000 cycles | 25,000 cycles | 50,000 cycles | 100,000 cycles |
| Standby power | No secondary power source | Can maintain normal operations for minimum 30 minutes | Can maintain normal operation for minimum 2 hours | Can maintain normal operation for minimum 4 hours |
| Single-Point Locking Device with Key Locks | No attack test on key lock | Picking, lock bumping and impression tests for key locks from Table 11.1 of the Standard for Key Locks, UL 437 | All key lock resistance tests from Table 11.1 of the Standard for Key Locks, UL 437 | All key lock resistance tests from Table 11.1 of the Standard for Key Locks, UL 437 |