The State of Michigan recently faced a daunting security breach. Someone copied an employee’s credentials to a government building using a software program that clones access cards to grant the individual unauthorized access.
“I’ve always known that with the normal proximity cards there are vulnerabilities,” says Chris Christensen, director of cybersecurity and infrastructure protection for the State of Michigan. “On YouTube, you can figure out how to clone and copy those proximity cards quite quickly and efficiently and be able to get to places where you’re not supposed to.”
Thankfully, in the case of this security breach, it was a paid vulnerability test, in which a penetration testing team was tasked with finding ways to infiltrate the building’s security.
The test exposed a problem with the state’s physical security, which is important, according to Christensen, because of the growing emphasis on cybersecurity over the past decade. “We have a lot of firewall rules, we’re making sure applications are secure, but what about when somebody takes a key and copies it and walks into a building, a secure site, and then has access—what are we doing about that?” Christensen asks. “So, I think that’s a big thing that we’re missing in security. We’re trying to protect the castle from the inside, and we’ve just opened the front door for people to walk in.”
Tasked with access control for approximately 40 government buildings, including facilities in the capital city of Lansing and on Mackinac Island where the governor’s residence is located, Christensen notes that physical security can’t fall by the wayside as departments focus more on digital threats.
After the penetration test, he wanted to find a more-secure, cutting-edge solution to access control. “Once that happened, I knew that we needed to do something that was more safe and secure, and that had a little bit more of the ‘wow’ factor,” he says.
About two years ago, the state turned to the Vector Occupant app from Honeywell, a Bluetooth-enabled access control system that stores user credentials on individuals’ smart devices. Users download the Vector app from any smartphone application store and enter a code sent by the state of Michigan. Since the beginning of 2018, all new card readers installed at government buildings are equipped with Vector.
Having access via one’s phone is preferable to carrying around a traditional proximity card for several reasons, Christensen notes, including higher reliability and usability for the end user.
“When you go to work in the morning, if you’re at the first stop sign, and you look down and your phone’s not there, you turn around and go home and get your phone,” he says. “If you don’t have your card, you go all the way to the office and then go try to get a loaner card or have somebody else sign you into the building.”
He adds that the potential for sharing and swapping access control devices is essentially a nonissue, because people would be less likely to share their phones than a plastic card.
So far, Vector has been installed at about 20 government buildings. “We’re utilizing Vector in the high-security areas,” Christensen says. “Places like gun rooms, evidence rooms, where we’re housing money with the medical marijuana areas.” He adds that it’s being used for the governor’s detail areas that require higher security. “It’s easier, it’s faster, and it’s more secure so we can keep our executive leadership better secured.”
The Honeywell Vector Occupant App generates reports on who is accessing what doors and when, telling the infrastructure team whether someone was accessing a certain area an unusual amount of times.
“If someone is using Vector, and the report shows someone scanned at the same place three times, obviously something wasn’t working at that point,” Christensen says. “So we would investigate it and whether it was just a user error issue.” Most often he says these reports show that the user wasn’t holding his or her phone close enough to the reader, and not cases where unauthorized individuals were attempting to enter a secure area.
Alarms from door access panels also alert security when a person has entered a secure room at unusual hours. “We had an alarm go off on one of our Vector doors at 2:00 a.m., but it was actually the detective sergeant going back in and putting some more evidence in after a long day of protests,” he says. “So, it was valid, but we did look into that.”
Authorizing access for users is quick and simple, as is provisioning conditional, temporary access for contractors and employees who don’t normally have access to a certain building. “We’ve done that on various employees when they’ve needed access. So, let’s say the data server room at Michigan State Police headquarters had to be updated,” Christensen explains. “I’ll get the access for the individuals for a 24-hour time period, and after that time they don’t have access.”
As the person provisioning access, he says Vector offers added peace of mind that no one walks away with a card that they shouldn’t have. “It made it really easy for me, because by the time the week was done I forgot he was in the system,” says Christensen. “So, for the credentials to expire and him to not have access, I didn’t have to worry about it again.”
Eventually the state also hopes to take advantage of the building intelligence function of Vector—via the app, users can report their comfort level within buildings—if they’re too hot or cold; whether a conference room needs more chairs; and more. “At our agency, we’re all about trying to do customer service,” Christensen says. He adds there’s a cost-saving benefit to the building intelligence. “Knowing where people have come or gone, or where they’re moving with their Bluetooth being activated—it will help us save and use the power when we need to.”