The barrier gate controller that manages your parking entry lane is an internet-connected computer. It runs an embedded operating system, accepts commands over a network, and in many facilities sits on the same subnet as HR workstations and the corporate wireless network. That combination — operational technology connected to poorly segmented IT infrastructure — is the configuration that CISA and NIST have been warning about for years, and that ransomware operators have been quietly exploiting.
Parking access control does not appear in the same headlines as water utilities or manufacturing PLCs, but the threat model is similar enough to take seriously. Gate controllers that accept remote commands, that ship with default credentials, and that run firmware nobody has updated since installation are exactly the profile of device attackers enumerate first.
Why Gate Controllers Are in Scope for OT Security
NIST SP 800-82 Rev. 3, the federal guide to operational technology security, explicitly lists physical access control systems alongside building automation and transportation systems as OT — not IT — infrastructure. That classification matters because OT devices share a set of characteristics that IT security tools are not designed to handle: long asset lives (10–15 years), infrequent firmware update cycles, proprietary protocols, and safety requirements that make taking a device offline for patching difficult.
CISA’s 2025 guidance document Secure Connectivity Principles for Operational Technology makes the same point from the threat side: when OT devices connect to business networks or the internet to enable remote management, they pick up the exposure of IT networks while losing most of IT’s security tooling. Gate controllers sit squarely in that gap.
An Iranian-affiliated APT group documented in a CISA advisory published in April 2026 was targeting internet-exposed programmable logic controllers — the same class of device found in higher-end gate controllers — specifically because they were reachable from the internet and running default or weak credentials. The intent was operational disruption.
The Most Common Attack Surfaces on Gate Controllers
Default credentials left in place
Gate controllers ship with factory-default usernames and passwords documented in publicly available installation manuals. Automated scanners continuously probe IP ranges for these default combinations. In a 2025 survey of industrial IoT security posture, a substantial share of deployed devices were still reachable on the open internet and had never had their credentials changed. Facility managers inheriting equipment from a previous vendor or integrator often have no record of whether credentials were ever changed.
The fix is straightforward but requires doing it: change every default credential on initial deployment, document the change in a secured credential store, and audit at least annually. If you cannot log in with the current documented password, assume the device may have been accessed.
Firmware that has not been updated
Gate controller manufacturers release firmware updates that patch known vulnerabilities. The update cadence is not fast — typically once or twice a year — but the gap between update release and deployment at most facilities is measured in years, not weeks. Embedded controller firmware updates require a maintenance window, sometimes a physical connection to the device, and familiarity with the manufacturer’s update tooling. That friction means it usually does not happen unless someone owns the task explicitly.
Create a firmware inventory: for every networked gate controller, record the manufacturer, model, current firmware version, and the date you last verified it against the manufacturer’s current release. Set a calendar reminder to check quarterly. Most manufacturers publish a security contact or advisory page — subscribe to it.
Flat network architecture
The most common and most consequential configuration error is placing gate controllers on the same network as office systems, tenant Wi-Fi, or payment card infrastructure. A single compromised endpoint in that flat network can reach the gate controller directly. Attackers can then send open commands, disable gate functions, or use the gate controller as a pivot point into the broader facility network.
NIST and CISA both recommend the Purdue Model approach for OT environments: segment operational technology onto isolated network zones with explicit firewall rules governing cross-zone communication. For a parking facility, the practical version of this is a dedicated VLAN or physical network segment for all gate controllers, LPR cameras, and pay stations, with a firewall blocking unsolicited inbound connections from the office network.
Remote access through unsecured channels
Many integrators enable remote management of gate controllers via direct port forwarding — assigning a public IP and exposing the management port to the internet so they can troubleshoot without a site visit. This is convenient and dangerous. CISA’s Known Exploited Vulnerabilities catalog contains multiple entries for remotely accessible control system interfaces.
Remote access to gate controllers should go through a VPN or zero-trust network access solution, not through direct internet exposure. Require your integrator to document their remote access method as part of the service contract, and verify it annually.
What a Reasonable Security Baseline Looks Like
Facilities that have not yet addressed gate controller security are not starting from zero — most of the required controls are standard IT security practice applied to an OT context:
Network segmentation: Gate controllers and associated access control infrastructure on a dedicated VLAN, isolated from tenant networks and general office infrastructure. Firewall policy allowing only the specific traffic each device needs — cloud API calls, NTP, management VPN — and blocking everything else.
Credential management: Unique, strong passwords for every device. No shared credentials across sites. Stored in a password manager or credential vault. Audited on staff turnover and at least annually.
Firmware tracking: An inventory of every networked device with current firmware version documented. A defined process — someone’s job — for reviewing manufacturer advisories and scheduling updates.
Remote access via VPN: No direct internet exposure of management interfaces. Require the same of any third-party integrator with remote access to your site.
Logging: Enable whatever event logging the controller supports and route logs to a central collector. You cannot investigate an incident you have no record of.
Physical security of the controller cabinet: Network-accessible controllers in unlocked or unmonitored cabinets undermine every software control above. Controllers should be in locked enclosures accessible only to authorized personnel.
Where to Start If You Have Not Started
If your facility has never formally addressed gate controller cybersecurity, the first step is an asset inventory — not a technology project, just a spreadsheet. List every networked device in the access control chain: gate controllers, LPR cameras, pay stations, server appliances, and any cloud management portals. For each, record the IP address, whether it is reachable from the internet, the current firmware version, and who has credentials.
That inventory will surface the highest-risk items quickly: internet-exposed management interfaces, devices on unknown or default firmware, and credentials that belong to technicians who no longer work with your facility. Fix those first. The more structural changes — network segmentation, VPN-only remote access — can follow on a reasonable timeline.
The CISA Secure Connectivity Principles for OT document is a practical starting point for understanding what a segmented, hardened OT network looks like and what questions to ask your integrator or IT team. It is written for asset owners, not security specialists, and the eight principles translate directly to parking access control environments.
Gate controllers are not the most glamorous part of facility management, and they will not make the news if your network hygiene is good. They will make the news if it is not.
Hero image: “Peaje de Salinas, Salinas, Puerto Rico (2)” by Yarfpr, CC BY-SA 4.0, via Wikimedia Commons (https://commons.wikimedia.org/wiki/File:Peaje_de_Salinas,_Salinas,_Puerto_Rico_(2).jpg).

