
Mercury Security released a white paper, “Meeting the Challenges of Cybersecurity in Access Control: A Future-Ready Approach,” that discusses cybersecurity challenges in today’s access control industry. This article summarises the main points in the white paper, focusing on the cyber risks in the access and identity field.
The evolution of physical access control has shifted from isolated, hardware-focused installations to interconnected systems operating within corporate IT networks. While this progression offers benefits such as mobile credentials, cloud-based scalability, and immediate management capabilities, it simultaneously exposes the system to cybersecurity risks that older technologies were not built to handle. Therefore, to ensure system resilience, essential security elements such as encryption and authentication must be embedded in the system’s architecture rather than added as afterthoughts.
Core pillars of a secure architecture
The document outlines three critical technical pillars for securing modern PACS:
1. Encryption (data protection): Systems must incorporate established protocols, such as TLS 1.3, to secure communication between controllers and hosts. Encryption must cover data in transit and at rest, including bus-level encryption for I/O modules and secure reader channels, such as OSDP Secure Channel, to prevent eavesdropping at the edge.
2. Authentication (device trust): Verifying user credentials is no longer sufficient; the system must also authenticate the specific devices processing those credentials. Effective security requires mutual validation between the host, controller, and edge components to verify the legitimacy of the requesting device.
3. System integrity (lifecycle security): Trust must be maintained from deployment through the entire lifecycle, starting with secure boot mechanisms that validate firmware before execution. Operational integrity relies on secure distribution models, Software Bill of Materials (SBOM) visibility, and continuous monitoring for vulnerabilities (CVEs).
Strategic security models
To address modern threats, organisations must adopt specific operational strategies:
• Zero Trust architecture: This model eliminates implicit trust, requiring that every access transaction be validated against real-time policy regardless of the device’s network location or proximity. Enforcement should occur at the edge (the controller level), ensuring policies persist even during network disruptions.
• Compliance and auditability: To meet frameworks such as HIPAA, GDPR, or FIPS, systems must support secure credential management, tamper-evident logs, and role-based access segmentation.
• Detection and response: Security strategies must move beyond prevention to include the detection of anomalies, such as out-of-schedule badge use or unauthorised firmware updates. Integrating PACS telemetry with SIEM (Security Information and Event Management) systems allows organisations to correlate physical access patterns with digital threats.
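The detections named in the last point, written as SIEM-style rules over constructed PACS telemetry. This is an added example, not code from the white paper or from Mercury; the event field names, schedules, firmware digests and the 12-hour correlation window are all assumptions made for illustration.

```python
from datetime import datetime, time, timedelta

# Assumed policy: permitted badge-use window per cardholder group.
SCHEDULES = {"staff": (time(7, 0), time(19, 0)), "security": (time(0, 0), time(23, 59, 59))}
# Assumed allow-list of firmware digests approved through change control (constructed values).
APPROVED_FIRMWARE = {"sha256:constructed-approved-build"}
# Assumed correlation window: an on-site console login needs a badge-in this recent.
BADGE_LOGIN_WINDOW = timedelta(hours=12)

# Constructed sample events, in a shape a controller or host might forward to a SIEM.
EVENTS = [
    {"ts": "2025-03-04T08:15:00", "type": "badge", "user": "alice", "group": "staff", "granted": True},
    {"ts": "2025-03-04T02:40:00", "type": "badge", "user": "bob", "group": "staff", "granted": True},
    {"ts": "2025-03-04T02:55:00", "type": "firmware_update", "controller": "ctrl-07",
     "digest": "sha256:constructed-unknown-build", "signature_valid": False},
    {"ts": "2025-03-04T03:10:00", "type": "badge", "user": "carol", "group": "security", "granted": True},
    {"ts": "2025-03-04T09:00:00", "type": "console_login", "user": "alice"},
    {"ts": "2025-03-04T09:30:00", "type": "console_login", "user": "dave"},
    {"ts": "2025-03-05T10:00:00", "type": "firmware_update", "controller": "ctrl-02",
     "digest": "sha256:constructed-approved-build", "signature_valid": True},
]

def detect(events):
    """Return (rule, subject) alerts for the three anomaly classes, in time order."""
    alerts, last_badge = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO 8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "badge" and e["granted"]:
            last_badge[e["user"]] = ts
            window = SCHEDULES.get(e["group"])
            # A group with no schedule is treated as out of policy (fail closed).
            if window is None or not (window[0] <= ts.time() <= window[1]):
                alerts.append(("out_of_schedule_badge", e["user"]))
        elif e["type"] == "firmware_update":
            # Both conditions are required: a valid signature on an unapproved build still alerts.
            if not e["signature_valid"] or e["digest"] not in APPROVED_FIRMWARE:
                alerts.append(("unauthorised_firmware", e["controller"]))
        elif e["type"] == "console_login":
            seen = last_badge.get(e["user"])
            # Physical/digital correlation: on-site login with no recent badge-in.
            if seen is None or ts - seen > BADGE_LOGIN_WINDOW:
                alerts.append(("login_without_badge", e["user"]))
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```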
Mercury MP intelligent controllers
The paper concludes by highlighting Mercury MP Intelligent Controllers as a solution that meets these requirements. They feature digitally signed firmware, secure boot, and ARM TrustZone for runtime isolation. These controllers support authenticated communication via OSDP Secure Channel and ensure real-time policy enforcement at the edge, aligning with Zero Trust principles.
Conclusions
Modern PACS features (real-time access, mobile integration, open architecture) require a robust security foundation (encryption, authentication, system integrity). This foundation is vital for sustaining trust amid evolving threats and compliance demands. Organisations must adopt architectural strategies for secure, scalable, policy-driven access control, enforcing security at the edge, validating behaviour, and adhering to Zero Trust principles.
The full white paper is available on Mercury’s website: tinyurl.com/2vsj9b5z
© Technews Publishing (Pty) Ltd. | All Rights Reserved.