
Finding the right balance to strengthen your PACS security posture

published on 2025-04-08 07:30:00 UTC by James Humphreys

Steven Commander, Head of Consultants and Regulations at HID, delves into the actionable steps organisations can take to strengthen their PACS security posture.

Why is cybersecurity now considered a critical aspect of Physical Access Control Solutions (PACS)?  

Cybersecurity is increasingly a critical aspect of Physical Access Control Solutions (PACS) because modern systems are deeply integrated with digital networks.

Where traditionally an access control system would have been siloed in the overall information system, it is now more and more integrated as part of a unified security platform and incorporates other safety and security services.

This integration expands the attack surface and exposes PACS to cyber threats, as vulnerabilities in multiple components can be exploited to gain unauthorized physical access.  

There are also increasing guidelines and regulations which are raising awareness of Cybersecurity in general and for Physical Access Control in particular.

Just to name a few: the “Security Overlay to the RIBA Plan of Work” which does not specifically address Cybersecurity for PACS but promotes a holistic approach to Security, including Cyber, as part of building design; the NPSA CAPPS program which promotes Cyber assurance of security products and includes Physical Access Control applications; and finally the EU’s NIS2 directive has put cybersecurity in the spotlight, even in the UK.  

What are some common vulnerabilities in PACS systems that attackers are increasingly exploiting?  

When it comes to Physical Access Control Solutions, attackers mostly exploit vulnerabilities such as legacy technologies and the lack of encryption.

The use of legacy technology cards which can easily be cloned with scanning devices remains a common vulnerability, but legacy systems with unpatched security flaws are also prime targets for attacks.

Attackers also focus on less obvious but equally vulnerable aspects, such as non-encrypted card data and communications.

For instance, using a Card Serial Number instead of encrypted unique badge numbers even when using the latest technology cards, or using unencrypted communication between readers and controllers, which can easily be intercepted and replayed.  

Credential lifecycle management is often overlooked but can also be a weakness that attackers target.

It is essential to deactivate any unused, lost or stolen cards but is not always done diligently.

Cards and associated credentials of former employees, for example, if they are not deactivated in the Access Control System, constitute a vulnerability that can be exploited.

An attacker having access to such a badge would access premises without being detected.  
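The interception and replay risk described above, and the point that a cleartext Card Serial Number is no proof that the legitimate card is present, can be illustrated with a toy challenge-response exchange between a reader and a controller. This is an added example and is not code from the article, from HID, or from any real reader protocol: the shared key, badge identifier and door name are constructed, and HMAC-SHA256 over a controller-issued nonce stands in for whatever authenticated channel a real deployment would use.

```python
"""Toy challenge-response authentication of reader-to-controller messages.

Added example (not from the article, not an HID or standards-body implementation).
The controller issues a one-shot nonce per transaction; the reader returns the
badge identifier plus an HMAC over (nonce || badge) under a shared key. A message
captured on the wire cannot be replayed, and knowing the badge identifier alone
(as with a cleartext CSN) is not enough to produce a valid tag.
"""
import hashlib
import hmac
import os


class Controller:
    """Door controller side of the exchange (assumed design, not a real product)."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: dict[str, bytes] = {}  # reader_id -> nonce awaiting a reply

    def challenge(self, reader_id: str) -> bytes:
        """Issue a fresh random nonce for one transaction on one reader."""
        nonce = os.urandom(16)
        self.outstanding[reader_id] = nonce
        return nonce

    def verify(self, reader_id: str, badge: bytes, tag: bytes) -> bool:
        """Accept the message only if it is tagged over the nonce currently outstanding.

        The nonce is consumed whether or not verification succeeds, so the same
        (badge, tag) pair can never be accepted twice.
        """
        nonce = self.outstanding.pop(reader_id, None)
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce + badge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def reader_respond(key: bytes, nonce: bytes, badge: bytes) -> tuple[bytes, bytes]:
    """Reader side: bind the badge identifier to the controller's nonce with the shared key."""
    tag = hmac.new(key, nonce + badge, hashlib.sha256).digest()
    return badge, tag


def demo(key: bytes = b"constructed-shared-key") -> tuple[bool, bool, bool, bool]:
    """Run one legitimate transaction and three rejected ones; return the four verdicts."""
    ctrl = Controller(key)
    badge = b"badge-0001"  # constructed badge identifier

    # 1. Legitimate transaction: the controller's fresh nonce is bound into the tag.
    nonce = ctrl.challenge("door-1")
    msg, tag = reader_respond(key, nonce, badge)
    accepted = ctrl.verify("door-1", msg, tag)

    # 2. Replay of the captured (badge, tag) pair with no new challenge:
    #    the nonce was consumed, so there is nothing to verify against.
    replayed_same = ctrl.verify("door-1", msg, tag)

    # 3. Replay after the controller has issued a new challenge: the old tag
    #    was computed over the old nonce and no longer matches.
    ctrl.challenge("door-1")
    replayed_new = ctrl.verify("door-1", msg, tag)

    # 4. Knowing the badge identifier alone (a cleartext CSN) is not enough:
    #    a tag computed without the shared key is rejected.
    nonce = ctrl.challenge("door-1")
    _, forged_tag = reader_respond(b"wrong-key", nonce, badge)
    forged = ctrl.verify("door-1", badge, forged_tag)

    return accepted, replayed_same, replayed_new, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The design point is that freshness (the nonce) and a key the reader must possess are what defeat replay, not secrecy of the badge number; a real deployment would additionally encrypt the badge data in transit and manage the shared key through the device lifecycle the interviewee describes.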

Can you share any real-world examples where mobile credentials have enhanced security or efficiency?  

A notable example is the University of Dundee in Scotland.

Recognising that their student body is largely composed of digital natives who are comfortable with and prefer technology, they transitioned from traditional RFID cards to mobile credentials using HID Mobile Access and HID Signo readers.  

This upgrade not only improved security by significantly reducing the risks associated with lost or stolen cards—a common issue among students—but also enabled convenient remote credential provisioning.

Students appreciate the ease of use and the fact that they can access buildings with their smartphones, which are already integral to their daily lives.  

How should organisations assess whether their current PACS can adapt to evolving threats?  

There are many risk assessment frameworks which are perfectly suited for PACS. They usually go through the main steps of risk identification, assessment, prioritisation, mitigation, control and review.   

When it comes to PACS more specifically, and adaptation to evolving threats, organisations should assess:  

• Their current system compatibility with latest technologies. This includes card and reader technologies but also the supporting cabling. This is essential to enable encryption upstream from the reader. Compatibility with the latest technologies also needs to be assessed at the controller level because here as well, supporting device authentication and communication security needs up to date capabilities 

• Authentication and encryption capabilities. They can be configured in multiple ways with varying levels of secret keys ownership, but they must be available to begin with 

• The security of the integration of the Access Control System with the IT Infrastructure. An Access Control System must be part of the enterprise Cybersecurity governance and policies. Involvement of IT and security experts is good practice to ensure there are no blind spots in the system’s security 

What actionable steps can organisations take today to strengthen their PACS security posture?  

A strong PACS Cybersecurity posture is the outcome of a holistic approach that takes into consideration technologies, processes and procurement.

So, a Cybersecure Access Control System consists of secure technologies supported by robust processes, and installed and maintained by trusted vendors. 

Moreover, a good way of hardening PACS is to adopt a Good-Better-Best approach. There are core best practices which must be enforced to harden the various PACS components to a “good” level.

These include deploying or upgrading devices to support the latest technologies and ensuring encryption is in place.

Advancing to “better” usually leverages more secure configurations in already deployed devices and takes ownership of the lifecycle management of devices’ secret keys.

Reaching “best” implies advanced overall PACS system security such as custom TLS device certificates or full in-house key management and card encoding.

In this context, standards such as 802.1X or ISO60839 can also provide guidance in terms of what needs to be implemented to achieve the right level of security.

If we zoom in on PACS, examples of practical actionable steps could be:  

• Implement end-to-end encryption: Ensure data transmitted between devices is encrypted 

• Adopt multi-factor authentication: Use a layered approach combining mobile credentials with biometrics or PINs 

• Regularly update and patch systems: Keep PACS firmware and software up to date to mitigate vulnerabilities 

• Enable real-time monitoring: Use cloud-based platforms for instant reporting and threat detection 

• Conduct security audits: Regularly assess access control policies, user permissions, and compliance status 

• Integrate with cybersecurity frameworks: Align PACS security with broader IT security policies 

What are the biggest mistakes organisations make when implementing PACS?  

The challenge when implementing PACS, in any organisation, is to find the right balance between security, cost and user-acceptance.   

The biggest mistake is usually to focus on one of these criteria over the others, although there are sectors where security is the key consideration over cost and user-acceptance.

This is the case for critical infrastructure, for example. But in a typical enterprise environment, PACS implementation mistakes can be avoided by focusing on several key areas:

• Prioritising open and adaptable systems: Choosing systems that adhere to open standards and offer robust integration capabilities ensures long-term flexibility and avoids vendor lock-in. This allows for seamless adaptation as technology evolves  

• Strengthening cybersecurity posture: Implementing strong encryption, multi-factor authentication and adhering to relevant compliance requirements are essential to protect against increasingly sophisticated cyber threats 

• Engaging in cross-functional collaboration: Engaging IT, security, HR and facilities management from the outset fosters a holistic approach, ensuring the PACS aligns with diverse organisational needs  

• Focusing on user-friendly solutions: Designing or selecting systems that are intuitive and easy to use promotes user adoption and minimises disruption 

• Implementing a strategic migration plan: Adopting a phased approach, potentially with a hybrid system, allows for a smooth transition and minimises operational disruptions  

• Exploring sustainable alternatives: Evaluating and integrating mobile credential options can reduce reliance on physical cards, contributing to environmental sustainability and aligning with modern user preferences 

Is there anything else you would like to add?  

Building upon the points discussed, the 2025 State of Security report by HID underscores the accelerating shift towards mobile-centric access control.  

The rapid rise of mobile credentials signals a significant shift away from traditional access methods, with nearly two-thirds of respondents either deploying or planning to deploy mobile solutions.  

At HID, we believe mobile access is the future, as it addresses the growing need for seamless security, operational efficiency and sustainability in access control.

By leveraging biometric authentication, cloud-based management, and encrypted mobile credentials, organisations can enhance security, reduce costs and support eco-friendly initiatives.  

Mobile access not only aligns with the expectations of digital-first users but also provides a future-proof solution that integrates with smart building technologies and evolving cybersecurity frameworks.  

This article was originally published in the April 2025 Edition of Security Journal UK.

Source: Security Journal UK, https://securityjournaluk.com/the-balance-strengthen-pacs-security-posture/