Access Control Cybersecurity Guide | Serious Security Sydney & Melbourne

Technical planning guide

Networked access control is both a physical-security system and an information system. Controllers, management servers, cloud services, workstations, apps and integrations can affect who enters a building, so cybersecurity ownership should be agreed before installation—not added after remote access stops working.

access reader installed beside a door relevant to Access Control Cybersecurity Guide
Access reader installed beside a door.

Map the architecture and trust boundaries

Document controllers, readers with network capability, servers, gateways, administrator workstations, mobile services, identity providers and third-party integrations. Record every connection into and between networks, the data exchanged and the team responsible.

Cyber.gov.au’s current networking guidance recommends maintained high-level and logical diagrams for critical network assets and stresses protecting that documentation because it can also assist an attacker. Give security, facilities and IT the level of detail each needs without publishing sensitive diagrams in general tender material.

Segment systems and allow only required traffic

Place components in network zones appropriate to their criticality and restrict traffic to documented business needs. Avoid placing controllers or management interfaces directly on the public internet. Separate service-provider access from the organisation’s normal network and close temporary rules after commissioning.

Segmentation is not a substitute for secure devices. Change default credentials, disable unused services, use supported encrypted protocols, protect switch ports and confirm how devices authenticate to servers and gateways.

Protect administrator and service access

Use named accounts, least privilege and strong authentication. Apply multi-factor authentication where the supported architecture and risk require it, particularly for remote or cloud administration. Avoid shared installer accounts that remain active indefinitely.

Record who approves vendor access, how it is enabled, what is logged and when it expires. API keys, integration accounts and service credentials need the same lifecycle discipline as human accounts.

Own updates and vulnerability response

Create an asset register containing manufacturer, model, firmware or software version, support status, network location and owner. Subscribe to relevant vendor advisories and decide who assesses and schedules updates.

Test changes in proportion to risk. A security update that interrupts door service can create an operational incident; delaying every update indefinitely creates a different risk. Retain supported backups and a rollback plan, and verify that restored controllers and servers have current credentials and settings.

Design doors to remain safe and recoverable

Confirm which access decisions continue locally if the management server, cloud service, internet connection or site network fails. Define event buffering, time synchronisation, administrator access and reconciliation after service returns.

Back up configurations and databases under an approved schedule, protect the backups and test restoration. Keep emergency contacts and essential recovery instructions available outside the system they are intended to recover.

Turn cyber risks into project controls

Access-control cyber risks and evidence to request
Risk Project control Acceptance evidence
Default or shared administrator credentials Named privileged accounts, strong authentication, least privilege and an approved recovery process. Account register, role test, multi-factor demonstration where supported and sealed recovery record.
Flat or unnecessarily exposed network Documented segmentation and only required, authorised communication paths. Logical diagram, approved ports/services, firewall or network-control evidence and connectivity test.
Unsupported firmware or software Asset inventory, version baseline, advisory monitoring and owned update process. Device/software schedule, current supported versions, backup and tested rollback method.
Uncontrolled remote support Authorised, time-bound and monitored remote access through an approved method. Connection workflow, identity and logging test, disable/revoke procedure and support responsibility.
Lost configuration or event history Protected backups and restoration testing for the components that need it. Successful restore test, retention location, encryption/access record and recovery owner.
Compromised integration Minimum data exchange, authenticated interfaces, service-account control and failure monitoring. Interface specification, credential ownership, logging, error alert and safe failure test.

ASD guidance identifies segmentation, controlled communication paths, secure administration, logging and recovery as core cyber practices. Apply them proportionately to the access-control architecture rather than copying an IT checklist without understanding door continuity. See the ASD network segmentation guidance.

Cybersecurity handover checklist

  • Current network and data-flow diagrams
  • Asset, version and licence register
  • Named administrator and service accounts
  • Changed defaults and closed commissioning access
  • Approved firewall rules and remote-access method
  • Backup, restoration and update responsibilities
  • Vendor-support and vulnerability-notification contacts
  • Documented server, network, internet and cloud outage behaviour
  • Incident escalation shared by IT, facilities and security

Cybersecurity questions

Should access-control controllers be on a separate network?

Segmentation is often appropriate, but the exact zones and permitted traffic should follow the organisation’s architecture, risk and manufacturer requirements.

Can the installer retain remote access?

Only under an approved support arrangement with controlled accounts, strong authentication, logging, limited privilege and prompt removal when no longer required.

Do doors stop working during a cyber incident?

Behaviour depends on controller architecture and the incident response. Document local operation and safe containment before an incident occurs.

Who installs firmware updates?

Assign responsibility in writing among the client, IT team, installer and manufacturer support channel. Verify compatibility and recovery before change.

Is the Essential Eight a complete access-control standard?

No. It is an Australian mitigation baseline for enterprise IT environments, not a product-specific physical access-control design standard. Use applicable guidance within a broader risk assessment.

Sources and further reading

This is general information, not a cybersecurity certification or guarantee. Apply organisation-specific risk, IT and incident-response advice.

Include IT in the access-control design

Share the proposed doors, network ownership, remote-management needs, integrations and support model with Serious Security and the organisation’s IT team before equipment is selected.

Request a technical site assessment