Access Control Security: Keeping Components Safe?

What steps do you take to keep Access Control devices secure?

Most systems take an approach similar to the image below:

The door controller, power supply, and cabling terminates above the door (typically above drop ceiling tiles) on the secured (not outside/public) side. This keeps all the sensitive bits out of sight and behind a locked door, and is generally effective at keeping the system secure.

However, is this good enough?

Do you use locking enclosures? Do you avoid certain devices because they cannot be secured? Do you worry about the security of data between the reader and the controller?

I remember years ago commenting to a customer on the existing controllers they had in a droptiled ceiling with fail safe doors, with a little bit of tunneling into a firewall above the corridor and something to pull out or cut the power wire I could have gotten into the office (provided the batteries died). In the end, the customer was fine with the risk and I wasn't going to press it.

Im sure there are other applications where keeping the components secure is an issue, but in reality, I havent run into many.

It used to come up more with alarm panels being close to access points, but its been a while since I have seen that either.

Hello Scott:

In the end, the customer was fine with the risk and I wasn't going to press it.

Very familiar scenario. This is why I am curious about this topic. Usually the customer wants the door to lock/unlock on command, and anything beyond that is a 'reach goal'.

They typically don't even want locking controller cans, and if they do, they just leave the keys hanging from them. If the customer expressed concern about spoofing or combo controller security, it usually was because we put the idea there to begin with.

I am really curious to know what best practices look like for this aspect of access control.

I hate putting controllers and such above the door. I try to avoid that and use a central location depending upon the size of the building. In the case of multiple floors I pick a central point per floor. I do generally lock the access control panel with a key, and depending upon which power supply was sold I would do the same for the power supply. I always try to supervise the power supply via the auxillary inputs. Mostly for loss of AC and low battery.

If it was a centralized system, everything went in a locked room in locked cabinets. Though we all know how useless those locks and cabinets are. You can pry them open with a screwdriver in 5 seconds half the time. The better ones had shackles you could padlock, but that wasn't common.

For edge systems (using HID Edge, go figure), where we located them above the door, we just used tamper screws to lock them down to the backbox. I preferred spanner screws.

In all cases, the more important step was getting emailed alarms when some component went down, immediately. Drilling out a lock or a screw takes no time. Someone should know when it's penetrated, and fast.