3 Fundamentals of a Cybersecure Access Control System
Access control providers share their top advice for helping you make your customers’ access control systems as cybersecure as possible.

Access control cybersecurity begins at the door and moves inward through the back end of the system.
Access control lifecycles are traditionally quite long, particularly compared to their security counterpart, video surveillance. It is not uncommon to still see 30+-year-old technology in the field, which presents unique challenges when it comes to cybersecurity. The inherent vulnerabilities of proximity technology are well known, but they are far from the only concern.
As the convergence of physical and logical security becomes more of a priority, the issue will become even more critical.
“It is essential that security integrators start with an understanding of the risks that access control systems face from those intent on exploiting them, and recognize how the installation of these technologies might introduce broader security risks to a customer’s overall business,” says John Szczygiel, executive vice president and COO, Brivo, Bethesda, Md. “Navigating cybersecurity for customers is not always a rinse-and-repeat scenario, so integrators must gain a deep knowledge of the specific cybersecurity requirements and the internal review processes of each target customer.”
This often means identifying and mitigating the “weakest link,” says Ewa Pigna, chief technology officer of access solutions, Honeywell, Atlanta. “Integrators should establish repeatable processes to help them identify any potential gaps early, and align security controls across the full system, because any unsecured area can quickly become your weakest link.”
While nothing about cybersecurity is ever simple, Johan Oosthuizen, senior director of system architecture and product security for HID, Austin, Texas, breaks the process down into three digestible points. “Integrators should focus on the following: 1. Readers; 2. The credentials these readers scan (physical or mobile credentials); and 3. The unique data contained within these credentials that is sent to the controller that makes access control decisions based on the credentials’ authenticity and access rights,” he says.
Below, we examine these three fundamentals more closely, looking at credentials, readers and the data and infrastructure that support them.
Is the Credential Secure?
Obviously, the vulnerability that comes to mind immediately with access control systems is the outdated yet ubiquitous proximity card. While use of prox credentials has come down in recent years, it is still very much a factor today, even in new installations. The first and best step is to take these out of your proverbial toolbox, the experts say.
“Unencrypted credentials, such as prox, are primary culprits in delivering poor system security,” Szczygiel says. “Good cybersecurity starts at the front door, and no educated cyber review team will take an integrator seriously if they are proposing prox as a secure credential in today’s environment.”
While most security integrators are not leading with proximity these days, it is affordable and convenient and still being requested by end users.
“There is a lot of [unsecure] legacy technology that people are still using,” says Mathieu Chevalier, principal cybersecurity architect, Genetec, Montreal. “Prox is slowly fading away. I think, in the last two years, approximately 57% had prox enabled compared to more secure technologies. But there is a misconception that if you are not using prox anymore you are fine. … There are many other vulnerabilities.”
For example, the famous “flipper” hacking tool can hack some smart cards as well, he explains. “Cloning is easy and it is more than just prox.”
Wayne Dorris, CISSP, program manager, cybersecurity, Axis Communications, Chelmsford, Mass., agrees. “One of the most significant risks in physical access control today is the continued use of 126 kHz proximity cards, which rely on unencrypted identifiers and are highly vulnerable to cloning,” he says. “These credentials can be copied using readily available tools costing as little as $20 online, making them an easy target for bad actors.”
The solution is fairly straightforward, but not necessarily easy. “Starting with credentials, organizations using legacy prox technologies should consider moving to modern credential technologies that contain security-boosting technologies,” Oosthuizen says. “This eliminates the vulnerabilities of older cards that are the equivalent of easily-duplicated physical door keys. Other important best practices include protecting printed card numbers (HID recommends ordering credentials without a printed number or with a non-matching number). … Sensitive locations should be protected with multi-factor authentication such as a PIN or biometrics. Moving to mobile credentials increases both security and convenience.”
The experts interviewed for this article all agree that mobile credentials are one of the best ways to increase cybersecurity on the credential side.
“They offer an inherently higher level of security and are easier to manage and revoke at scale through automated bulk issuance,” Oosthuizen says.
“A person’s phone is the one thing they always carry around with them,” adds Jonathan Dupont, senior director, field sales North America, AMAG Technology, Hawthorne, Calif. “If you lose your phone, it is locked down and you can remotely wipe credentials. With a physical badge, often users will not report it lost or stolen for days. We also get better encryption protocols with mobile/wallet credentials, making it more difficult to clone a card.”
But mobile credentials come with their own set of challenges. “Mobile credentials are very popular, since almost everyone has a phone, making it incredibly convenient for users,” Dorris says. “However, implementation can be a challenge if not done correctly. In many cases, mobile credentials require you to integrate mobile providers such as Apple or Android into your access control ecosystem, and the requirements can be difficult. Another aspect to consider is the cost, as most mobile credentials cost more than physical credentials.”
Mobile credentials are also still in the early phase of adoption. Biometrics are another more secure alternative, but pose many of the same issues on cost and adoption as mobile credentials.
Where these card alternatives are not practical or desired, Oosthuizen suggests at least implementing the latest generation of physical cards. “Modern physical cards are significantly more secure. … They perform mutual authentication between readers and cards before data is transmitted; use secure messaging to protect credential data in transit through per-transaction encryption keys; and employ proven and standardized cryptographic techniques.”
The Reader Side of the Equation
The other front-facing element of access control is the reader. For many years, access control manufacturers have pushed “multi-technology” readers, which are great options for updating from legacy technology to newer offerings, but can also introduce cyber-vulnerabilities if not handled properly.
“Many access control manufacturers offer readers designed to support multiple technologies,” Dorris explains. “While the original intent for these products was to support the transition to more secure credentials, many organizations never turn off legacy capabilities. As a result, they continue to support less secure credential options, leaving their systems exposed to unnecessary risk.”
“Even if the end user customer doesn’t use proximity or is phasing it out, it is critical to make sure these multi-technology readers are properly configured,” Chevalier adds. “When you buy a reader, they are pre-configured, but sometimes that is misleading. If you use the default configuration, you still have unsecure technology. If you are migrating from proximity, it makes sense to use both, but, once the migration is complete, make sure that configuration is turned off.”
When used and configured properly, however, multi-technology readers are still a great way to future-proof customers and help them move off of legacy credentials, Oosthuizen says. “With this approach, legacy credential data can be encoded to modern credentials that support more secure authentication and encryption without having to reprogram new credentials into the controller for each user. Readers should also feature tamper monitoring and only be configurable after first being power cycled.”
One cybersecurity advancement on the reader side has been the Open Supervised Device Protocol (OSDP), an access control communications standard that offers encryption and much greater security than the old Wiegand wiring standard that was developed in the 1980s.
OSDP was developed by the Security Industry Association (SIA) to help increase the security of the connection between the reader and the access control panel or system to protect credential data in transit, Oosthuizen says. “It reduces the number of wires required for control signals, allows a reader to be monitored and enhances integrated tamper detection.”
Dorris recommends using OSDP wherever possible. “When working with customers that have legacy access control systems, integrators should prioritize upgrading readers and devices to support OSDP,” he says. “OSDP enables encrypted, bidirectional communication between readers and control panels, helping protect sensitive credential and device data from interception or tampering. Equally important, integrators should educate customers on the security benefits of OSDP, reinforcing their role as a trusted advisor while measurably improving the customer’s overall security posture.”
More Advice for Security Integrators
Solution providers interviewed for this article were asked, “what is the one thing you think integrators should do now/this year to help both them and their customers navigate the issue of cybersecurity and access control?” Here is what they had to say:
- “The most important thing integrators can do this year is educate themselves on the risks of common, outdated industry practices. This includes moving away from unencrypted prox credentials and Wiegand — a wiring standard from the 1980s! — in favor of the more secure OSDP standard. You should also evaluate how you deploy devices to avoid opening numerous firewall ports on a customer’s network, and stop the practice of technicians using shared passwords across multiple client systems.”
  — John Szczygiel, Brivo
- “Integrators should build a hardening checklist for every deployment and work with manufacturers who design cybersecure systems. They should implement best practices for maintenance and upgrades. The integrator who can prove they deploy securely and keep systems secure over time will win more bids and lower customer risk.”
  — Jonathan Dupont, AMAG Technology
- “Cyber-physical systems — including access control — must be kept up to date to maintain both physical and cybersecurity. On-premise systems, in particular, require patching and updates for controllers and equipment. While there can be concerns that updates might disrupt legitimate access, these patches are essential. Neglecting them creates vulnerabilities that compromise the security of both the physical environment and the broader network.”
  — Wayne Dorris, Axis Communications
- “Make cybersecurity assessments routine. Regular audits can help surface risks before they become disruptive and reinforce trust with customers. In access control, resilience depends on understanding where systems are most vulnerable, because security postures are only as strong as the weakest link.”
  — Ewa Pigna, Honeywell
- “Stay current on vulnerabilities. It is not that easy to do, but integrators need to make an effort to understand what is happening so they can act as a trusted advisor.”
  — Mathieu Chevalier, Genetec
- “Integrators should ensure that clients are familiar with the emerging standards and help educate their customers on the best practices to meet these standards. In particular, if the customer is using legacy credentials and doesn’t understand their vulnerability to a breach, make sure they understand their upgrade options and the availability of solutions that support a migration mode for phasing in new, modern credentials while simultaneously accepting legacy credentials.”
  — Johan Oosthuizen, HID
Data & Infrastructure Considerations
The “back end” of the access control system is perhaps the most complex cybersecurity risk, and is similar whether you are talking about access control, video or any other network connected device. It is also perhaps the biggest differentiator for an integrator, where the cyber-savvy ones will often have the advantage in winning contracts and maintaining customers.
“Cybersecurity requires continuous management and active monitoring,” Pigna says. “Integrators need to ensure they have a strong understanding of manufacturer guidelines for routine system updates and patches, and that systems are properly maintained as potential threats and operating environments evolve. If an incident does occur, they should have a clearly-defined response plan with clear ownership, escalation paths and points of contact to minimize impact.”
Dupont says the first step is both simple and non-negotiable: “Eliminate defaults on day one. Change every factory password, disable unused accounts and lock down administrative access. … From there, apply ‘least privilege’ access with discipline: give users and service accounts only the permissions they need; avoid shared ‘general admin’ logins, and require stronger authentication (like MFA) for administrators and remote service. Finally, reduce exposure by segmenting security infrastructure from the broader corporate network and restricting access to management interfaces.
“For ongoing systems maintenance and hygiene, think in routines, not one-time settings,” he adds. “Maintain a predictable cadence for controller firmware, software and operating system updates. Many manufacturer releases include security hardening and fixes for known vulnerabilities, and delaying them leaves [your customer] exposed to threats that are already understood and actively exploited.”
For greenfield applications, Dupont recommends that integrators practice “secure-by-design” architecture. “Start by understanding the customer’s risk profile and requirements, because a hospital, a data center and a government site will not share the same cybersecurity expectations. Design to reduce the attack surface from the beginning: segmentation, minimal exposed services, secure remote access and protected integrations. Treat every integration and API as a security boundary: document what has been connected; limit scopes and permissions; protect secrets; and define who owns updates over time.”
Integrations can add to the risk. “Increasing integrations can make cybersecurity more complicated, as end customers expect the entire ecosystem to meet their security standards,” Szczygiel says. “It’s important that integrations are built on modern standards, such as secure APIs, and that testing is completed to ensure the integrations are sound.”
As more end users seek a converged physical and logical stance, it is important to integrate the physical access control logs into cybersecurity monitoring platforms so the physical and digital security events can be analyzed together, Dorris says. “While basic syslog integration is a good starting point, integrators should encourage customers to leverage audit logging and integrate those logs into cybersecurity monitoring platforms. Audit logs surface security-relevant events that a SOC is actively looking for, such as repeated access attempts, brute-force delays, atypical access patterns or credential misuse. This level of logging enables meaningful cyber-physical correlation, recognizing that physical access activity is often directly tied to cybersecurity threats and incident response.”
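One way to turn the audit-log events described above into SOC detections, shown as an added example that is not code from the article or from any vendor. The key=value log layout, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events; the key=value layout is a hypothetical
# format, not any vendor's actual log schema.
SAMPLE_LOG = """\
2025-03-04T02:14:07Z site=HQ door=LAB-2 cred=1001 result=DENIED
2025-03-04T02:14:19Z site=HQ door=LAB-2 cred=1001 result=DENIED
2025-03-04T02:14:33Z site=HQ door=LAB-2 cred=1001 result=DENIED
2025-03-04T08:01:10Z site=HQ door=LOBBY cred=2002 result=GRANTED
2025-03-04T08:05:45Z site=ANNEX door=DOCK cred=2002 result=GRANTED
2025-03-04T09:30:00Z site=HQ door=LOBBY cred=3003 result=DENIED
2025-03-04T17:45:00Z site=HQ door=LOBBY cred=3003 result=GRANTED
"""

def parse(line):
    """Split one event into a dict with a parsed timestamp under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log, max_denied=3, window=timedelta(minutes=1),
           min_travel=timedelta(minutes=30)):
    """Return (rule, credential, detail) alerts for two audit-log patterns."""
    alerts = []
    denied = defaultdict(deque)   # (cred, door) -> recent denial times
    last_grant = {}               # cred -> (site, time) of last grant
    lines = filter(str.strip, log.splitlines())   # skip blank lines
    for event in sorted(map(parse, lines), key=lambda e: e["ts"]):
        cred, ts = event["cred"], event["ts"]
        if event["result"] == "DENIED":
            recent = denied[(cred, event["door"])]
            recent.append(ts)
            while ts - recent[0] > window:   # drop denials outside window
                recent.popleft()
            if len(recent) >= max_denied:
                alerts.append(("repeated-denied", cred, event["door"]))
                recent.clear()               # one alert per burst
        elif event["result"] == "GRANTED":
            prev = last_grant.get(cred)
            # Same credential granted at two sites faster than a person
            # could travel suggests a cloned or shared credential.
            if prev and prev[0] != event["site"] and ts - prev[1] < min_travel:
                alerts.append(("impossible-travel", cred,
                               f"{prev[0]}->{event['site']}"))
            last_grant[cred] = (event["site"], ts)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds need tuning per site: the travel window should reflect the real distance between buildings, and the denial count should tolerate ordinary mis-reads at busy doors.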
One tech trend that is helping with cybersecurity efforts is the move to the cloud. “Cloud solutions offer strong advantages for access control, especially for smaller installations or remote sites,” Dorris adds. “They provide scalability, flexibility and centralized management. … Cloud platforms also tend to stay current automatically, as updates are handled by the provider, and are generally easier for IT teams to manage compared to traditional on-premise systems.”
Pigna agrees. “Cloud-based platforms are also helping strengthen an entity’s cybersecurity posture,” she says. “Cloud deployments enable faster updates, built-in resiliency and security capabilities that smaller organizations might struggle to maintain independently.”
As more solutions go to the cloud or even a hybrid cloud environment, it isn’t just smaller customers that are benefitting. “Manufacturers push firmware upgrades that can be on the controller or back end,” Chevalier says. “Sometimes, you will have updates pushed by default. If you are more in the cloud, that is a perk because it is easier to do.”
The main takeaway for integrators is this: “Become trusted advisors to really review what is currently deployed and what end users should do for the best cybersecurity possible,” says Marie-Jeanne Sauve, manager of product and industry marketing, Genetec. “Be the day-to-day contact and/or conduct a yearly review with them, making sure they have the best cybersecurity practices implemented. … Access control moves slowly, but we are seeing it shift faster than before. There is a lot of new technology in the market, and the end users want to deploy new systems to have access to it, so it is more important than ever for channel partners to stay up to date on what is happening.”
Szczygiel agrees, adding, “Instead of sidestepping cybersecurity conversations and potential issues, address them directly. Being proactive about a customer’s [cybersecurity] requirements will distinguish you from your competitors and show that you are a partner in their security, not just a security installer.”