A lock is a part of a locking system, usually used to secure a door, container or other opening.
Locks and locking hardware need to provide security against forcible and/or surreptitious attack. For high security applications, the resistance against forcible attack is primarily provided not by the lock itself, but by other elements of the locking hardware and doorset etc it is housed upon, such as the multi point locking, dog bolts, keeps, cylinder guards etc. Therefore, although strength is a consideration, the main purpose of a high security lock is to resist manipulation, picking and other forms of surreptitious attack.
Types of lock
There are many types of locks available on the market and these can be broadly separated into five main types.
Currently the most commonly used lock within the UK which comes in many forms such as:
- Pin tumbler: The most recognisable lock commonly available in euro profile, euro oval and rim cylinder forms.
- Wafer tumbler: Commonly used in applications such as cabinets, desk drawers and lockers.
- Mortice locks: Traditionally used on domestic wooden doors but used less commonly since the introduction of UPVC doors.
- Disc tumbler: First produced by Abloy in 1918 typically seen in padlocks but available in euro profile, euro oval and rim cylinder forms.
All of the above are operated by the insertion of the correct mechanical key.
Mechanical combination locks are operated by the user mechanically entering the correct opening code. This this can be done in a multitude of ways, including for example by simply rotating a numbered dial face or by the pressing of buttons to enter the opening code.
Electronic locks are available in all the same forms as their mechanical cousins and the operation of electronic locks is achieved by introducing an electronic token to the lock, much in the way a token and reader operate, with the lock being the reader.
E-locks are typically standalone systems that replace mechanical locks on a single door. They are a way of upgrading your standard mechanical lock to an access control system, and give you additional functionality. The main advantages of an E-lock are that they can record the details of who opened the lock, and importantly, when. E-locks allow access to be predetermined. Only those with keys can open the lock, and access can also be restricted to certain times.
This could be, within a chosen time frame per 24 hours. For example, keys only work during working hours. A set period of time. For example, keys work for one week only, and then access is revoked. Or simply a key could be set for a single use only. E-locks can be separated into two main variants: mechatronic locks and fully electronic locks.
Mechatronic locks are a combination of an existing mechanical lock, with the addition of an electronic component. As with the mechanical lock, your key has a physical pattern of cuts cut into it. If the incorrect key or pattern is inserted into the lock, it will not fit or turn the barrel to unlock the door. But a mechatronic lock has the added electrical components: a motor or cam that drives the final pin, up and down.
Most mechatronic locks are suitable for retrofitting into existing doors, as they don't require extensive wiring or complex installation. And the keys are powered by nothing more than a standard coin cell battery. However, due to lowering the number of mechanical components, less pins in the barrel, to make room for the electrical component, a mechatronic lock may be physically weaker than the traditional mechanical lock it is replacing, and could be forced open more easily.
Fully electronic locks are locks that have no physical key to interact with. Instead, the lock is disabled by other means. These are typically, what you KNOW - knowledge based system, such as a pin code or password. What you HAVE - a physical item that can be contact based, like an eye button, or contactless, such as an RFID tag.
Who you ARE - Biometric verification such as fingerprint, iris, or facial recognition. WHAT YOU KNOW - Knowledge based, electronic locks rely on a user knowing secret information, such as a PIN code, and entering the code into a physical keypad on the lock. They tend to be lower security as they are susceptible to very basic attacks, such as overlooking. PIN-only systems have a fundamental weakness.
Either the PIN has to be the same for everyone, resulting in it eventually becoming common knowledge, or each person has a different pin for the lock. This can result in there being numerous correct options, so that the pin can be more easily guessed by an attacker. WHAT YOU HAVE - Contact technologies require a physical contact between the lock and a token.
For example, an eye button, and are therefore harder for an attacker to capture the data. The security of these locks depends on the strength of the encryption protecting the FOB, but can be compromised if a FOB is lost or stolen. Radio based technologies uses a device such as an RFID card to hold an electronic key. This is transmitted via a radio signal to the lock.
RFID cards should always be protected against copying. WHO YOU ARE - Biometric locks read an individual's unique bio information to grant access, and are therefore very difficult to compromise, copy, or steal. All E-locks require a power source to operate, as a mechatronic locks are designed to be an easy replacement for the traditional lock. The power source is normally located within the key itself, but it can also be located within the lock. As the power source is usually in the key, it requires each user to be aware of its battery level, and either charge the key or replace the battery regularly. Fully electronic locks almost always require power to the locking mechanism. This allows for battery-less keys, but also requires either a battery in the lock with the potential for this to run down, or power cables to the doors, which can incur additional installation costs. With both mechatronic and fully electronic locks, you must check that even at low and no voltage, the lock remains secure.
Some locks may have a mechanical override for power loss situations, which can be a vulnerability to some systems. As an electronic system, E-locks require configuration rules to run. These decide who can go where, and when, and will require periodic updates. Updates can be distributed in different ways. Manually updated by a member of security staff - each lock has to be visited individually, to ensure all locks are updated.
This is a thorough but slow and expensive option. Updated over a network - this requires the additional expense of installing a network, and ensuring the network itself is secure. However, if affordable, this is the fastest method to ensure all locks are updated. Updated by staff - an updated key when used by staff on any lock can spread the updated information over to the system.
Whilst this is the cheapest option, this process does not guarantee that all locks will be updated, as infrequently used locks and doors may not receive the update for some time. Most E-locks will have some form of administration application, which is used to update and manage your locks. Whether this application is within your premises or is cloud based, good cyber security processes and mitigations should always be applied, in order to protect it, and the information contained on it.
If not protected correctly, this could become a vulnerability in your site security. E-locks are a relatively easy and quick way of adding a standalone security measure to your site, but they are just that, one type of security measure, and should be deployed alongside other security systems to keep your site safe from attack. For more information on E-locks and other security measures, please visit the NPSA website.
Electronic combination locks work much in the same way as their mechanical counterparts, but have much fewer mechanical moving parts and require a power source of some description to operate.
Mechatronic locks are a combination of both the mechanical lock and an electronic lock. They consist of a mechanical key part which is inserted into the lock and a token which is incorporated into the mechanical key, which communicates with a reader within the lock, such as in the electronic lock. The mechatronic style lock operates much as a modern car key does, with a mechanical key and transponder (token and reader) part.
Higher Security Applications
Currently there are two main variants for high security applications, namely mechanical key operated and both mechanical and electronic combination locks.
Key operated locks are very common and typically come in cylinder form including euro profile, euro oval (commonly referred to as Scandinavian oval) and rim cylinder but all have vulnerabilities which need to be considered:
- A keyway which can be exploited
- Keys can be stolen, copied or lost
- Unauthorised removal of keys from site
- Master key systems can be convenient but are inherently insecure. Note: that loss of the master key will compromise all keys on that mastered suite.
Combination locks are available in mechanical and electronic formats and provide protection against surreptitious attack, against which they are graded. When developing procedures for using combination locks it is important to ensure that the following operational issues are covered:
- Fully closing the door or container and scrambling the lock after use
- Combinations should not be written down or shared by end users
- The regular changing of combinations (six monthly recommended) and/or when staff change position or leave the location
- Combination locks are subject to specific requirements with regard to their supply, fitment and disposal, details are available from the CSE
- Electronic combination locks can contain an audit function and should be regularly reviewed.
When selecting a lock for fitting to a door, container or opening it is important to consider what locking hardware the lock will be married to and whether the lock will be used internally or externally.
It should be noted when fitting an approved lock to a door or locking hardware which is weak or ill-fitting that the lock cannot offer any higher level of security than the door to which it is fitted.
Where a mechanical lock is required to provide resistance to forcible attack a cylinder guard protection system needs to be fitted.
NPSA approves locks for higher security applications and clients of NPSA are encouraged to seek further advice from their NPSA adviser.