The challenges of cybersecurity in access control

SMART Access & Identity 2026 Access Control & Identity Management, Information Security


Mercury Security released a white paper, “Meeting the Challenges of Cybersecurity in Access Control: A Future-Ready Approach,” that discusses cybersecurity challenges in today’s access control industry. This article summarises the main points in the white paper, focusing on the cyber risks in the access and identity field.

The evolution of physical access control has shifted from isolated, hardware-focused installations to interconnected systems operating within corporate IT networks. While this progression offers benefits such as mobile credentials, cloud-based scalability, and immediate management capabilities, it simultaneously exposes the system to cybersecurity risks that older technologies were not built to handle. Therefore, to ensure system resilience, essential security elements such as encryption and authentication must be embedded in the system’s architecture rather than added as afterthoughts.

Core pillars of a secure architecture

The document outlines three critical technical pillars for securing modern PACS:

1. Encryption (data protection): Systems must incorporate established protocols, such as TLS 1.3, to secure communication between controllers and hosts. Encryption must cover data in transit and at rest, including bus-level encryption for I/O modules and secure reader channels, such as OSDP Secure Channel, to prevent eavesdropping at the edge.

2. Authentication (device trust): Verifying user credentials is no longer sufficient; the system must also authenticate the specific devices processing those credentials. Effective security requires mutual validation between the host, controller, and edge components to verify the legitimacy of the requesting device.

3. System integrity (lifecycle security): Trust must be maintained from deployment through the entire lifecycle, starting with secure boot mechanisms that validate firmware before execution. Operational integrity relies on secure distribution models, Software Bill of Materials (SBOM) visibility, and continuous monitoring for vulnerabilities (CVEs).

Strategic security models

To address modern threats, organisations must adopt specific operational strategies:

Zero Trust architecture: This model eliminates implicit trust, requiring that every access transaction be validated against real-time policy regardless of the device’s network location or proximity. Enforcement should occur at the edge (the controller level), ensuring policies persist even during network disruptions.

Compliance and auditability: To meet frameworks such as HIPAA, GDPR, or FIPS, systems must support secure credential management, tamper-evident logs, and role-based access segmentation.

Detection and response: Security strategies must move beyond prevention to include the detection of anomalies, such as out-of-schedule badge use or unauthorised firmware updates. Integrating PACS telemetry with SIEM (Security Information and Event Management) systems allows organisations to correlate physical access patterns with digital threats.

Mercury MP intelligent controllers

The paper concludes by highlighting Mercury MP Intelligent Controllers as a solution that meets these requirements. They feature digitally signed firmware, secure boot, and ARM TrustZone for runtime isolation. These controllers support authenticated communication via OSDP Secure Channel and ensure real-time policy enforcement at the edge, aligning with Zero Trust principles.

Conclusions

Modern PACS features (real-time access, mobile integration, open architecture) require a robust security foundation (encryption, authentication, system integrity). This is vital for sustained trust amid evolving threats and compliance. Organisations must adopt architectural strategies for secure, scalable, policy-driven access control, enforcing security at the edge, validating behaviour, and adhering to Zero Trust principles.

The full white paper is available on Mercury’s website: tinyurl.com/2vsj9b5z


Credit(s)





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Paxton set to launch game-changing new system
Paxton Access Control & Identity Management News & Events
Access control is evolving fast. Installers and end users are looking for systems that are simple to install, easy to manage remotely, and flexible enough to scale. In response, Paxton is exploring how emerging technologies can reshape access control.

Read more...
From the editor's desk: When the rules change
Technews Publishing News & Events
         Welcome to the SMART Surveillance & AI Handbook 2026. We were a bit nervous about including AI in the title, since it either has a good or bad reputation depending on the individual – very few people ...

Read more...
Proactive estate security in Cape Town
neaMetrics OneSpace Technologies Technews Publishing SMART Security Solutions Fang Fences & Guards ATG Digital Editor's Choice News & Events Integrated Solutions Infrastructure Residential Estate (Industry)
SMART Security Solutions started the year with our annual SMART Estate Security Conference in Cape Town on 26 February 2026. Held at Anna Beulah Farm, the conference saw a number of delegates enjoying the farm’s excellent cuisine, while listening to outstanding presenters.

Read more...
Open systems support hybrid surveillance
SMART Security Solutions Axis Communications SA neaMetrics Editor's Choice
Today, end users can select the most suitable surveillance solution for their needs, whether it is on-site, at the edge, or in the cloud; a hybrid approach combining different options is most effective depending on the scenario.

Read more...
NEC XON secures mobile provider’s hybrid identities
NEC XON Access Control & Identity Management Information Security Commercial (Industry)
For a leading South African telecommunications operator, identity protection has become a strategic priority as identity-centric attacks proliferate across the industry. The company faced mounting pressure to secure both human and non-human identities across complex hybrid environments.

Read more...
Cloud security in visitor management and access control
SA Technologies Access Control & Identity Management Infrastructure Residential Estate (Industry) Commercial (Industry)
Cloud has become the default platform for modern security operations, from visitor management portals and remote access control to incident logging, reporting, analytics, and integrations. But “in the cloud” does not mean “someone else is securing it for us”.

Read more...
Rise in malicious insider threat reports
News & Events Information Security
Mimecast Study finds 46% of SA organisations report a rise in malicious insider threat reports over the past year: reveals disconnect between security awareness and technical controls as AI-powered attacks accelerate.

Read more...
Surveillance & AI roundtable
DeepAlert Lytehouse Refraime SMART Security Solutions Technews Publishing Editor's Choice Surveillance Integrated Solutions AI & Data Analytics
SMART Security Solutions held an online roundtable with a few surveillance experts to explore the intersection of surveillance and AI, gaining insights into the market and how control rooms are evolving.

Read more...
Centurion raises the bar at HomeSec Expo
Centurion Systems News & Events Access Control & Identity Management Residential Estate (Industry) Smart Home Automation Commercial (Industry)
Centurion Systems unveiled its latest product lines at HomeSec Expo 2026, introducing SMART+, a simpler way for installers and end users to manage their Centurion installations - as well as a few new products.

Read more...
New campaign exploiting Google Tasks notifications
News & Events Information Security
New phishing scheme abuses legitimate Google Tasks notifications to trick corporate users into revealing corporate login credentials, which can then be used to gain unauthorised access to company systems, steal data, or launch further attacks.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.