Key Takeaways
  • An access control system that is working is not necessarily a system that is still adequate; technology, regulation, and cybersecurity requirements have all changed significantly since most Singapore commercial systems were installed.
  • Card technologies used in many older Singapore systems, including Mifare Classic, have known vulnerabilities that allow them to be cloned with equipment now readily available online.
  • From June 2024, Singapore's WSHA requires construction worksites with contract values of $5 million and above to install video surveillance at high-risk locations, a signal of the regulatory direction for all workplace occupiers.
  • Singapore's Cybersecurity Act, amended in 2024, means physical access to servers, network equipment, and sensitive systems is now part of cybersecurity compliance, not just physical security.
  • Access control logs are personal data under Singapore's PDPA; organisations need a clear retention policy and restricted access to those records.
  • The question is not whether the system works. The question is whether it still meets the standards that regulators, auditors, and insurers now expect.

The Problem With "It Still Works"


For many years, an access control system that opened the right doors and kept a log of who came and went was considered a system that did not need attention. If the doors opened, the reports generated, and the users had no complaints, there was no reason to act. That view is increasingly difficult to defend, and three converging pressures explain why organisations across Singapore are being prompted to review systems they had previously assumed were adequate.

The pressures are not new in isolation. Technology has always evolved. Regulators have always raised standards. Cybersecurity has always mattered. What has changed is the pace and the specificity. Card technologies that were industry-standard a decade ago have documented vulnerabilities. Singapore's Workplace Safety and Health Act (WSHA) has been amended to create explicit obligations around monitoring who is on site and where. The Cybersecurity Act, most recently amended in 2024, has extended its reach into physical access controls for organisations handling sensitive systems. And the Personal Data Protection Act (PDPA) has always applied to access logs, even when many organisations have not treated those logs as personal data.

None of these pressures requires a crisis before it is acted on. They are best addressed before an audit, a regulatory inspection, or a security incident creates urgency. This article explains what each one means in practice, and what a reasonable review of your current system should consider.

Reason One: Technology Is Moving Faster Than the Equipment


The access control systems installed in most Singapore commercial buildings over the past fifteen years use two underlying technologies that were designed in a different era. The first is the card credential, most commonly a proximity card or a Mifare Classic smart card. The second is the communication protocol between the card reader and the access control panel, most commonly Wiegand.

Both have well-documented security limitations that were not significant concerns when they were deployed but have become progressively more relevant as the tools available to bad actors have changed.

The Card Credential Problem

Proximity cards, the thin white cards used in many older Singapore access systems, transmit their identity using radio frequency without any encryption. A reader held near the card can capture that identity without the cardholder being aware. The equipment needed to do this is commercially available, inexpensive, and small enough to conceal in a bag or jacket pocket. A card cloned in this way produces an identical credential that the access control system cannot distinguish from the original.

Mifare Classic smart cards, which replaced basic proximity cards in many systems, were designed with encryption. However, vulnerabilities in that encryption were publicly documented over a decade ago, and attacks on Mifare Classic credentials are now well-established. Many security professionals no longer consider Mifare Classic adequate for medium or high-security environments.

Modern credential technologies, including Mifare DESFire EV2 and EV3, and mobile credentials using encrypted Bluetooth or NFC, address these vulnerabilities with substantially stronger encryption and mutual authentication between the card and the reader. The gap between what many Singapore buildings are using and what current security standards recommend has widened considerably.

The Communication Protocol Problem

Wiegand is the protocol used by most card readers to send the card identity to the access control panel. It was developed in the 1980s and has been the dominant standard in the industry for decades. It is simple, reliable, and compatible with virtually every access control panel on the market, which is precisely why it remains so widely deployed.

The problem is that Wiegand sends data without encryption and without any verification that the reader sending the data is legitimate. An attacker who gains access to the wiring between a reader and its panel can intercept the card identity being transmitted, or inject a fake identity without using a card at all. This attack, known as a Wiegand replay attack, does not require any card cloning. It requires only brief physical access to the reader wiring, which in many buildings is accessible in common areas, lift lobbies, or car parks.

The Open Supervised Device Protocol (OSDP) was developed specifically to address these limitations. OSDP provides encrypted communication between reader and panel, two-way authentication, and tamper detection: the panel knows if a reader has been disconnected or replaced. OSDP is increasingly specified for new installations and is available on most modern readers and panels.

WHAT THIS MEANS IN PRACTICE

If your access control system uses proximity cards or Mifare Classic credentials and Wiegand-connected readers, the system may be functioning perfectly while providing a level of physical security that is materially lower than you believe. A security assessment can confirm whether the credential and communication technology in your system remains appropriate for your security requirements.

Securevision's View

We have assessed systems in Singapore commercial buildings where the access control infrastructure was performing without fault: doors opened, reports were correct, users had no complaints. But the underlying credential technology had been publicly identified as vulnerable for over a decade. The system was working. It was not secure. Those two things are not the same, and the distinction matters when a security incident occurs and the question of due diligence arises.

Reason Two: Workplace Safety Legislation Now Requires Knowing Who Is Where

Singapore's Workplace Safety and Health Act (WSHA) places a duty of care on all workplace occupiers, not just construction sites, not just factories, to maintain safe premises for everyone on the property. This includes employees, contractors, visitors, and delivery personnel. The WSHA's requirements have been progressively tightened since the Act was first enacted in 2006, with the most recent amendments taking effect in 2024 and 2025.

The most directly relevant development for organisations reviewing their access control systems is the mandatory Video Surveillance System (VSS) requirement that came into force on 1 June 2024. Under the amended WSH (General Provisions) Regulations, all construction worksites with contract values of $5 million and above are now required to install video surveillance at designated high-risk work locations. The purpose is explicit: surveillance is required for risk identification, incident investigation, and deterrence of unsafe behaviour.

The construction VSS mandate is significant not only for construction companies, but as a clear signal of the regulatory direction across all workplace categories. The underlying principle, that workplace occupiers must be able to demonstrate who was present on site and what happened in safety-critical areas, extends well beyond construction. For any organisation managing a workplace where contractors, visitors, or maintenance personnel access restricted or hazardous areas, the question of whether the access control system provides an adequate audit trail is a legitimate WSHA compliance question.

What "Duty of Care" Means for Access Control

Under the WSHA framework, workplace occupiers must take reasonably practicable steps to ensure the safety of everyone on the premises. This includes knowing who is in the building and which areas they have accessed. In the event of a workplace accident, emergency evacuation, or MOM investigation, the ability to produce an accurate access log, showing who entered which areas at what time, is part of demonstrating that the occupier had appropriate controls in place.

An access control system that logs every entry and exit by zone provides exactly this evidence. A system without zone-level logging, or one where the logs are not retained for an adequate period, creates a gap in the occupier's ability to demonstrate compliance. For organisations managing hazardous areas (chemical stores, electrical rooms, plant rooms, server rooms), this gap is particularly significant.

WSHA: KEY POINT FOR OCCUPIERS

The WSHA does not prescribe exactly how access must be controlled. It requires occupiers to identify hazards and implement appropriate controls. For restricted or hazardous areas, an access control system with zone-level logging and time-stamped records is one of the most direct ways to demonstrate that appropriate controls are in place and that only authorised personnel can access those areas.

Securevision's View

The construction VSS mandate is a clear statement of regulatory direction. The principle that organisations must be able to produce evidence of who was where, when, is not going to become less important over time. Organisations that invest in access control infrastructure that provides accurate, reliable, zone-level audit trails are positioned well for whatever the next round of WSHA amendments requires. Those that are operating on systems where the logs are incomplete, unreliable, or not retained are not.

Reason Three: Cybersecurity Now Starts at the Door


For most of the history of access control, physical security and cybersecurity were managed by different teams, governed by different policies, and assessed against different standards. The server room had a card reader on the door. The IT team managed the servers inside. The security team managed the card reader outside. Neither team was particularly aware of what the other was doing.

That separation is no longer tenable. Singapore's Cybersecurity Act, originally enacted in 2018 and substantively amended in 2024, recognises explicitly that protecting sensitive systems and data is not only a question of network security, firewalls, and endpoint protection. It is also a question of who can physically reach the hardware, and whether there is a reliable record of every time someone did.

What the Cybersecurity Act Means for Physical Access

The Cybersecurity (Amendment) Act 2024 extended the Act's reach to cover a broader range of organisations and infrastructure types. Key provisions came into force on 31 October 2025. The amended Act introduces requirements for organisations designated as handling sensitive information or systems that support essential services, what the Act calls "Entities of Special Cybersecurity Interest", to demonstrate that access to those systems is controlled, monitored, and auditable.

For most commercial organisations that are not directly designated under the Act, the practical implication is indirect but increasingly real. Cybersecurity audits, whether conducted under the Act's framework or as part of an organisation's own due diligence, are increasingly examining physical access controls as part of the overall security posture. An organisation that cannot demonstrate that only authorised personnel accessed its server room last month, or that has no record of when a contractor was in its network equipment room, has a gap in its cybersecurity evidence that auditors are now specifically looking for.

The Cyber Security Agency's Cyber Trust Mark framework, which is becoming mandatory for Critical Information Infrastructure owners and their auditors, explicitly includes physical access controls as one of the domains assessed. Organisations seeking or maintaining Cyber Trust Mark certification need to demonstrate that physical access to sensitive systems is managed with the same rigour as logical access.

Access Control and Document Security

The cybersecurity implications of access control extend beyond server rooms and network cabinets. Organisations increasingly need to demonstrate that access to areas where sensitive documents are stored (HR records, financial data, client files, legal documents) is controlled and logged. In a world where data protection regulations require organisations to know who accessed personal data, the physical access log for the room where that data is stored is part of the compliance evidence.

This is a significant expansion of what access control is expected to do. It is no longer just about keeping the wrong people out of the building. It is about maintaining an auditable record of who accessed what, when: a record that can be produced to regulators, auditors, and insurers as evidence that appropriate controls were in place.

CYBERSECURITY: KEY POINT

Ask yourself: if your organisation faced a cybersecurity incident in your server room tomorrow, could you produce an accurate log of everyone who physically accessed that room in the past 90 days? If the answer is no, or not reliably, that is a gap that your next cybersecurity audit will find before your next incident does.

Securevision's View

We are increasingly asked to assess access control systems not by the security team but by the IT department or the compliance function. This would have been unusual five years ago. It reflects a genuine convergence between physical security and cybersecurity that is now happening across Singapore commercial organisations of all sizes. The access control system that was specified to keep the wrong people out of the building is now also expected to produce the audit trail that demonstrates cybersecurity due diligence. Many systems installed before 2020 were not designed with that requirement in mind.

The Fourth Consideration: PDPA and Access Log Retention

Every time an employee, contractor, or visitor taps a card or scans a fingerprint, the access control system records their identity, the door they accessed, and the time. This is personal data under Singapore's Personal Data Protection Act. Most organisations have clear PDPA policies for HR records, customer data, and financial information. Far fewer have an equivalent policy for access control logs, even though those logs may contain the most detailed record of an individual's movements and working patterns in the organisation's possession.

The PDPA requires that personal data be retained only for as long as there is a legitimate business purpose for doing so. It requires that access to personal data be restricted to those who need it. And it requires that individuals be informed that their access data is being collected and how it will be used. Most access control systems collect this data continuously and retain it indefinitely by default, which is not a PDPA-compliant position without a defined retention policy and access restriction framework.

For organisations that have recently implemented biometric access control (fingerprint readers or face recognition terminals), the PDPA obligations are more significant still. Biometric data is treated with heightened sensitivity under the PDPA framework, and the requirements for consent, retention, and protection are correspondingly more stringent.

PDPA CHECKLIST FOR ACCESS CONTROL

Does your organisation have a defined retention period for access control logs? Is access to those logs restricted to authorised personnel? Are employees and visitors informed that their access data is being collected? If biometric data is collected, has appropriate consent been obtained and is the data stored with adequate protection? If any of these answers is uncertain, a PDPA review of your access control data practices is worthwhile.

Four Questions Every Organisation Should Ask About Their Current System

A formal access control review does not need to be a major project. As a starting point, these four questions identify the most common gaps we find when assessing older Singapore commercial access control systems.

Question 1: What credential technology is the system using?

Ask your access control contractor or security team what type of cards the system uses. If the answer is proximity cards or Mifare Classic smart cards, the credential technology has documented vulnerabilities and should be assessed against your current security requirements. Modern alternatives (Mifare DESFire, mobile credentials, or high-frequency encrypted cards) provide substantially better protection.

Question 2: Does the system log zone-level access by individual?

A system that logs entries and exits by door, with individual card identity and timestamps, provides the audit trail that WSHA compliance and cybersecurity audits increasingly require. A system that only logs whether a door was opened, without recording who opened it, provides very limited audit capability. Check whether your current system's logs are detailed enough to answer the question "who accessed the server room between 2pm and 4pm last Tuesday?"

Question 3: How long are access logs retained, and who can access them?

Most access control systems retain logs until the storage is full, at which point older records are overwritten. There is usually no default retention policy and no restriction on who in the organisation can view the logs. Establishing a defined retention period, typically 90 days to one year depending on the organisation's requirements, and restricting log access to authorised personnel is a straightforward PDPA compliance step that many organisations have not yet taken.

Question 4: Can the system produce evidence of who accessed restricted areas?

In the event of a workplace incident, a cybersecurity event, or a regulatory inspection, the ability to produce a clear, time-stamped record of who accessed a specific area is the practical test of whether the access control system is fit for its current compliance purpose. Test this now, before you need it. If the system cannot produce this report reliably, that is the clearest possible indicator that a review is needed.
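The three reports Questions 2, 3 and 4 ask for, as an added Python example that is not part of this article or of any Securevision tooling: it parses a constructed CSV export (every timestamp, card ID, name, zone and door in it is invented for the example), answers "who accessed the server room between 2pm and 4pm on Tuesday 4 November 2025", flags door events logged without a card identity, and splits the log into records to keep and records to purge under a 90-day retention period.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (not from any real system). Timestamps are local
# time. The row with an empty card_id models a system that only records
# "door opened" without the identity behind it, the gap Question 2 describes.
SAMPLE_LOG = """\
timestamp,card_id,holder,zone,door,result
2025-11-04T13:55:10,1001,Tan A.,Server Room,SR-01,granted
2025-11-04T14:10:42,2042,Contractor Lim,Server Room,SR-01,granted
2025-11-04T14:30:00,,,Server Room,SR-02,granted
2025-11-04T15:20:05,1001,Tan A.,Server Room,SR-01,granted
2025-11-04T15:48:31,3117,Ng B.,Server Room,SR-01,denied
2025-11-04T16:05:00,1001,Tan A.,Lobby,L-02,granted
2025-07-02T09:00:00,1001,Tan A.,Server Room,SR-01,granted
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    card_id: str
    holder: str
    zone: str
    door: str
    result: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the CSV export into events, oldest first."""
    rows = csv.DictReader(io.StringIO(text))
    events = [
        AccessEvent(datetime.fromisoformat(r["timestamp"]), r["card_id"],
                    r["holder"], r["zone"], r["door"], r["result"])
        for r in rows
    ]
    return sorted(events, key=lambda e: e.when)


def who_accessed(events: list[AccessEvent], zone: str,
                 start: datetime, end: datetime) -> list[tuple[str, str, str]]:
    """Question 2/4: (time, card_id, holder) for each granted entry to zone
    within [start, end]. Denied attempts are not access and are excluded;
    an entry with no card identity is reported as UNKNOWN so the gap is visible."""
    return [
        (e.when.isoformat(timespec="minutes"), e.card_id,
         e.holder or "UNKNOWN (door event without card identity)")
        for e in events
        if e.zone == zone and e.result == "granted" and start <= e.when <= end
    ]


def audit_gaps(events: list[AccessEvent]) -> list[AccessEvent]:
    """Granted entries with no card identity cannot answer 'who'; flag them."""
    return [e for e in events if e.result == "granted" and not e.card_id]


def apply_retention(events: list[AccessEvent], now: datetime,
                    days: int) -> tuple[list[AccessEvent], list[AccessEvent]]:
    """Question 3: split the log into (keep, purge) under a defined retention
    period, so the purge list can be deleted rather than kept indefinitely."""
    cutoff = now - timedelta(days=days)
    keep = [e for e in events if e.when >= cutoff]
    purge = [e for e in events if e.when < cutoff]
    return keep, purge


def main() -> None:
    events = parse_log(SAMPLE_LOG)
    window = (datetime(2025, 11, 4, 14, 0), datetime(2025, 11, 4, 16, 0))
    for row in who_accessed(events, "Server Room", *window):
        print("ACCESS", *row)
    for e in audit_gaps(events):
        print("GAP: no identity for", e.door, "at", e.when)
    keep, purge = apply_retention(events, datetime(2025, 11, 5), days=90)
    print(f"retain {len(keep)} records, purge {len(purge)} older than 90 days")


if __name__ == "__main__":
    main()
```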

Securevision's View

In our experience, organisations that carry out a structured access control review, even a relatively brief one, almost always identify at least one significant gap they were not previously aware of. The most common findings are credential technology that is no longer considered secure, log retention that is not PDPA-compliant, and zone-level reporting that is less granular than the organisation's WSHA or cybersecurity requirements now demand. None of these gaps are difficult to address once identified. The challenge is identifying them before a regulatory inspection or security incident makes the identification urgent.

Frequently Asked Questions

Does the WSHA require organisations to have an access control system?

The WSHA does not mandate access control systems specifically. It requires occupiers to take reasonably practicable steps to ensure the safety of everyone on the premises. For workplaces with hazardous areas, restricted zones, or contractor access requirements, an access control system with zone-level logging is one of the most direct ways to demonstrate that appropriate controls are in place. The June 2024 VSS mandate for construction sites signals the regulatory direction clearly: organisations that can demonstrate who was where and when are in a stronger compliance position than those that cannot.

What is the difference between Wiegand and OSDP?

Wiegand is the protocol most older card readers use to send card data to the access control panel. It transmits data without encryption, which means the data can be intercepted or replicated by someone with brief access to the reader wiring. OSDP (Open Supervised Device Protocol) is a newer standard that encrypts the communication between reader and panel, verifies that the reader is legitimate, and detects if a reader has been tampered with or replaced. OSDP readers and panels are now widely available and are increasingly specified for commercial installations where security is a genuine concern rather than a formality.

Are Mifare Classic cards still acceptable?

Mifare Classic cards are still widely deployed and continue to function in existing systems. However, their encryption has been publicly broken since 2008, and tools for cloning Mifare Classic credentials are commercially available. For low-security applications (canteen access, car park management) the risk may be acceptable. For access to sensitive areas such as server rooms, data storage, or areas covered by cybersecurity obligations, Mifare Classic is no longer considered an adequate credential. Most security assessors and cybersecurity auditors will flag it as a finding.

Does the Cybersecurity Act apply to our organisation?

The Cybersecurity Act's most stringent requirements apply to Critical Information Infrastructure owners: organisations in sectors such as energy, water, healthcare, banking, transport, and government. However, the Act's 2024 amendments extend its reach to a broader range of organisations that store sensitive information or perform functions that, if disrupted, would have significant national impact. Even if your organisation is not directly regulated under the Act, cybersecurity audits and due diligence processes, including those conducted by clients, partners, and insurers, are increasingly examining physical access controls as part of the overall cybersecurity posture.

Are access control logs considered personal data under the PDPA?

Yes. Access control logs contain the identity of individuals, the locations they accessed, and the times of those accesses, all of which constitute personal data under the PDPA. Organisations must have a legitimate purpose for collecting and retaining this data, must define how long it will be retained, must restrict access to authorised personnel, and must inform individuals that this data is being collected. Most organisations have not formally addressed their access control data under their PDPA framework, even though it is one of the more detailed records of individual movement that organisations hold.

What is the Cyber Trust Mark and does it affect our access control system?

The Cyber Trust Mark is a certification framework administered by the Cyber Security Agency of Singapore (CSA). From 2026, it is being mandated for Critical Information Infrastructure owners and their auditors. The framework assesses cybersecurity across multiple domains, one of which explicitly includes physical access controls. Organisations seeking or maintaining Cyber Trust Mark certification need to demonstrate that physical access to sensitive systems is managed with appropriate controls, logging, and review processes. If your organisation is in scope for the Cyber Trust Mark, your access control system is part of what will be assessed.

How long should access control logs be retained?

There is no single prescribed retention period across all Singapore regulations. A reasonable approach for most commercial organisations is 90 days as a minimum for operational purposes, one year for areas covered by WSHA compliance requirements, and potentially longer for areas subject to cybersecurity audit obligations. The key is to define a retention period, document it, implement it in the system configuration, and restrict access to the logs to authorised personnel. Retaining logs indefinitely without a defined policy is not PDPA-compliant.

What is an access control review and how long does it take?

An access control review assesses the current system against four dimensions: credential technology and its current adequacy; communication protocols and their security; log capability and retention practices; and zone coverage relative to current WSHA and cybersecurity requirements. For a typical Singapore commercial building, an initial assessment takes two to three hours on site, followed by a written findings report. The findings typically identify two to four areas requiring attention: some addressable with configuration changes, others requiring equipment upgrades. A review costs nothing as part of a proposal process with Securevision.

Can we upgrade the credential technology without replacing the entire system?

In many cases, yes. The most common approach is to replace the card readers with OSDP-capable readers that support modern encrypted credentials, while retaining the existing access control panels and software. This is typically significantly less expensive than a full system replacement and addresses both the credential vulnerability and the Wiegand communication protocol issue simultaneously. Whether this approach is viable depends on the age and capability of the existing panels; a site assessment will confirm which upgrade path is most cost-effective for your specific installation.

In Short

An access control system that is still working is not necessarily a system that is still adequate. Technology has changed: card credentials and communication protocols that were industry-standard a decade ago have well-documented vulnerabilities. Regulation has changed: WSHA and Singapore's Cybersecurity Act have both extended their requirements in ways that create new expectations around knowing who accessed what and when. And data protection obligations have always applied to access logs; most organisations simply have not addressed them. A structured review of your current access control system, assessed against these three dimensions, is the most direct way to understand where your organisation currently stands.


Ler Wee Meng, Founder & CEO, Securevision Pte Ltd. BEng (NUS) · LLB (University of London) · years in security systems integration.