The collapse of the Texas statewide power grid and the shutdown of the Colonial Gas Pipeline ransomware are two of many recent high-profile critical infrastructure failures that have affected millions of Americans. Although less talked about, the critical infrastructure systems that keep our nation’s commercial buildings operational are just as vulnerable.
When tenants sign a lease, they are confident that building management will provide resources such as electricity, heating, ventilation, data communications, and potable water without interruption. These systems are critical. Their malfunction can cause the temporary shutdown of an installation, causing inconvenience and financial loss to the occupying tenants. In some cases, the impact can be catastrophic.
Protecting critical systems from tampering or direct attack requires the highest levels of security. Physical access to equipment must be strictly regulated and monitored. The same is true for network access to facilities and systems management software.
With increasing frequency, developers and property management teams are turning to biometrics to secure these assets. By layering biometric identity systems on top of the technology already in place, building managers can implement increasingly difficult-to-penetrate multi-factor authentication solutions.
Who owns the data?
Today’s best biometric identity solutions use digitized and encrypted signatures of unique physical characteristics such as facial architecture, iris patterns, palm vein patterns or fingerprint whorls . Represented as strings of random digits, these “hashes” cannot be used to reverse engineer a facsimile of the recorded item. However, since public concern over the storage of personally identifiable information (PII) has become a hot issue, some building management teams prefer not to be responsible for storing biometric data of registered users. However, biometric identity solutions remain an option. In a decentralized data model, biometrics are stored exclusively on each user’s access control card. Today’s 13.56 MHz smart cards feature programmable memory designed for such applications. When users pass through an entry checkpoint, their biometric signature must match what is on their card. The card will not work for anyone other than its rightful owner, rendering stolen, lost or borrowed cards useless.
New EU biometric ID cards use this type of system. The cards feature an embedded chip with encrypted biometric data, including two fingerprints. However, there is no centralized EU database in which all fingerprints reside. This policy has helped build public confidence in the system and alleviated concerns from citizens who might perceive the mandatory submission of fingerprints as an invasion of privacy. Individuals retain exclusive possession of their data.
In contrast, some commercial property facility management teams choose to store users’ biometric data because it extends convenience to users and system administrators. Stored biometric data allows users to go card-free, eliminating the need to carry physical or mobile credentials. Their bodies become their access card. Biometric readers installed at access points identify each user, communicate with the access control solution and allow or deny entry based on the person’s permissions. Of course, if they are not in the database, entry is refused. For enhanced security, two-factor authentication can take advantage of two biometric modalities. For example, the system may require a match of both iris and face or face and palm. Depending on the solution, a single reader may be able to process more than one modality.
For administrators, a stored database offers the advantage of a one-time sign-up process. Once registered in the system, users do not need to register again. With the exception of the face – which gradually changes with age – the biometric signatures, notably the iris, remain constant over time. In contrast, in a decentralized model, if an employee loses their access card, they must submit new biometric data to be included on the replacement card.
When implemented according to best practices, biometric databases do not store the individual names associated with each biometric signature – just a user identification code. This provides an additional layer of security to an already highly secure solution. If the database were compromised, malicious actors would not be able to associate the biometrics with specific individuals. In order for building management to use the data conveniently, the biometric database is linked to other systems, such as access control, via Active Directory. The result is seamless and accurate automated identity verification.
Where should biometrics be deployed?
Biometric identity solutions are so effective that Homeland Security recommends that they be part of any multi-factor authentication system for accessing federal government locations. Although no such requirement exists for non-government buildings, there are areas in all buildings that deserve a similar level of security. These include boiler rooms, headends, telecom centers, utility closets, data centers, and other areas that provide access to critical infrastructure. These locations are often already secured by electronic access control systems. Surveillance cameras can also be installed. If so, these cameras can perform the secondary function of performing facial recognition (FR). Many leading camera manufacturers integrate with third-party FR software or offer facial analysis as a cutting-edge solution. For other modalities, specialized readers can be mounted at any door, in addition to or instead of a card reader.
The repair and maintenance technicians who access these secure areas are often not on-site employees. Today’s biometric identity solutions offer visitor management tools that facilitate the issuance of temporary biometric identifiers to these workers through a pre-registration and self-registration process. A worker assigned to a specific job site can use their phone to provide an image of their face, photo ID like a driver’s license, and complete an online questionnaire. Site administrators review and approve the worker and issue a temporary ID to their phone. Upon arrival at the building, the worker must present the mobile pass and face match to access critical infrastructure systems. Dual authentication combined with biometrics prevents an impostor from arriving on the scene and impersonating the approved and vetted technician.
Of course, any conversation about securing infrastructure would be incomplete without addressing network security. Physical access control to data centers can be achieved with biometrics; IT departments can apply the same technology to control logical access to the network.
Traditionally, the most sensitive network management permissions were granted only to employees physically working in a data center. The pandemic has introduced the need for some of these employees to work remotely, as well as fail-safe methods to authenticate and verify their identities. The combination of biometrics and passwords allows networks to validate each user’s identity while sitting at their computer, regardless of location. By leveraging a computer’s built-in camera or connecting an encrypted biometric reader to verify the user’s face or iris, the user’s identity can be repeatedly compared to their stored biometric data. If someone replaces or joins them in front of the screen, the application or the computer will shut down immediately.
In addition to improving security, this solution can generate economies of scale for management companies with multiple and disparate holdings. A centralized critical IT support team can provide remote maintenance and system updates to a portfolio of properties. Biometric identity solutions, combined with Zero Trust architecture and other technologies such as computer privacy screens, remove any distinction between the security implications of onsite and remote working.
A crucial first step towards wider adoption
Commercial real estate is poised to embrace biometrics at scale. Its use requires buy-in from everyone who will use the system – a challenge in multi-tenant properties with many different stakeholders. However, the installation and start-up cost challenges of biometrics are far outweighed by the long-term benefits of secure critical infrastructure. Building management has the power and responsibility to do whatever it takes to ensure the security of its assets. Implementing biometric identity solutions is the starting point. https://csrc.nist.gov/publications/detail/sp/800-76/2/final
About the Author: Bobby Varma, CEO/Founder of Princeton Identity. She is an accomplished senior executive with a strong affinity for technology and a keen business acumen for applying emerging products to add value, expand markets and develop strategic partnerships. She has a solid understanding of scientific concepts and a proven ability to translate them into meaningful business opportunities. She previously worked with SRI International and Sarnoff Corporation as Director of Business Development. Bobby completed his Masters in Biomedical Science/Engineering from Drexel University.