Why Physical Security Is Now a Cybersecurity Problem

Every IP-connected security device — network camera, access control panel, video management server, intercom, door controller, intrusion detection communicator — is simultaneously a physical security asset and a cybersecurity attack surface. The transformation of physical security from isolated analog systems to networked IP infrastructure has created a new class of risk: physical security systems that can be compromised remotely, used as pivot points into enterprise networks, or disabled at scale through cyber attacks before or during a physical intrusion.

The evidence is unambiguous: Axis camera CVEs (multiple critical RCEs, most notably the CVE-2018-10660 series), Hikvision backdoors (CVE-2021-36260, a CVSS 9.8 unauthenticated RCE used in Mirai botnet variants), and Genetec VMS vulnerabilities documented in ICS-CERT advisories have demonstrated that physical security devices are not exempt from cybersecurity disciplines. CISA has issued multiple alerts specifically about threat actors targeting physical security system vendors and devices as initial access vectors for OT and IT network compromise.

The Convergence Problem: Organizational and Technical Dimensions

Physical-cyber convergence has two distinct dimensions that must be addressed together:

  • Organizational convergence — historically, physical security (reporting to CSO/VP Security) and cybersecurity (reporting to CISO) operated as entirely separate functions with different reporting chains, different budgets, different tools, and different incident response protocols. A physical intrusion that begins with a cyber attack on access control falls through the gap between these organizations. Converged security programs — where a single executive (Chief Security Officer or equivalent) has unified accountability for both disciplines, and where a converged SOC handles both physical and cyber alerts in a single platform — are increasingly adopted by Fortune 500 companies and required by certain regulatory frameworks (NERC CIP-006 physical, CIP-007 cyber, both targeting the same BES Cyber Systems).
  • Technical convergence — the shared network infrastructure, shared identity systems (Active Directory/LDAP used for both IT access and PACS badge provisioning), and shared data center facilities mean that a compromise in one domain can directly enable compromise in the other. A compromised VMS server with administrator credentials can unlock doors if the PACS runs on the same server infrastructure. A compromised door controller with a known vulnerability can be used to enumerate the network and identify VMS servers for subsequent attack.

Hardening IP-Connected Physical Security Devices

Network-connected physical security device hardening follows the same principles as general IT device hardening but must account for the operational characteristics of security devices (always-on operation, limited maintenance windows, and firmware updates that take the security system offline):

  • Change default credentials immediately — the most common exploit vector for physical security devices. Hikvision, Dahua, Axis, and virtually every IP camera ships with default admin/admin or admin/12345 credentials. Require a password change as part of device commissioning and enforce minimum password complexity. Use a password manager or PAM (Privileged Access Management) solution for security device credential management.
  • Firmware patching program — establish a 30-day patch cycle for critical CVEs (CVSS 9.0+) and a 90-day cycle for high CVEs (CVSS 7.0–8.9) for all physical security devices. This requires a software asset inventory of every device model and firmware version — typically absent in legacy physical security programs that have never tracked firmware versions. IEC 62443-2-3 (Patch Management in the IACS Environment) provides the methodology framework.
  • Disable unnecessary services — IP cameras commonly ship with Telnet, FTP, HTTP (unencrypted), UPnP, and multicast enabled. Disable every service not operationally required; enable HTTPS only (TLS 1.2 minimum); disable UPnP universally. Verify using Nmap service scan after hardening.
  • Encrypted communications — require HTTPS/TLS for all camera web management and VMS API communication, OSDP v2 Secure Channel for access control readers, and DTLS or SRTP for SIP video intercoms. Verify that certificate validation is actually enforced rather than silently bypassed by the VMS or other security software.
  • Disable ONVIF discovery on production VLANs — ONVIF WS-Discovery uses multicast UDP broadcasts to enumerate all ONVIF cameras on the network. This is useful during commissioning but is a reconnaissance gift to attackers on the same VLAN. Disable WS-Discovery in the camera's ONVIF configuration after initial commissioning; use static IP registration in the VMS instead.
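The five hardening items above reduce to a checklist that can be audited against a device inventory. The script below is an added example, not code from the original article or any vendor: it encodes the default-credential pairs, the prohibited services, the TLS 1.2 floor, the WS-Discovery setting and the 30-day / 90-day patch SLA by CVSS score, and reports every violation per device. All device records, credentials, CVE identifiers (placeholders, not real advisories) and dates are constructed sample data.

```python
"""Hardening audit for an inventory of IP security devices.
Added example (not from the original article); all device records,
credentials, CVE ids and dates are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Vendor defaults named in the text; any match is a critical finding.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345")}
# Services the baseline says to disable (unencrypted HTTP, Telnet, FTP, UPnP).
PROHIBITED_SERVICES = {"telnet", "ftp", "http", "upnp"}
MIN_TLS = (1, 2)
# Fixed audit date so the sample results are reproducible (constructed).
AUDIT_DATE = date(2024, 3, 1)


@dataclass
class OpenCVE:
    cve_id: str          # placeholder ids below, not real advisories
    cvss: float
    fix_released: date   # date the vendor published fixed firmware


@dataclass
class Device:
    name: str
    credential: Tuple[str, str]
    services: Set[str]
    tls_min_version: Optional[Tuple[int, int]]  # None means HTTPS is not enabled
    ws_discovery: bool                          # ONVIF WS-Discovery still on?
    open_cves: List[OpenCVE] = field(default_factory=list)


def patch_deadline_days(cvss: float) -> Optional[int]:
    """Patch SLA from the text: 30 days for CVSS 9.0+, 90 days for 7.0-8.9,
    no fixed SLA below that."""
    if cvss >= 9.0:
        return 30
    if cvss >= 7.0:
        return 90
    return None


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the list of baseline violations for one device (empty = clean)."""
    findings: List[str] = []
    if dev.credential in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    for svc in sorted(dev.services & PROHIBITED_SERVICES):
        findings.append(f"prohibited-service:{svc}")
    if dev.tls_min_version is None:
        findings.append("https-disabled")
    elif dev.tls_min_version < MIN_TLS:
        findings.append("weak-tls")
    if dev.ws_discovery:
        findings.append("ws-discovery-enabled")
    for cve in dev.open_cves:
        sla = patch_deadline_days(cve.cvss)
        if sla is not None and (today - cve.fix_released).days > sla:
            findings.append(f"patch-overdue:{cve.cve_id}")
    return findings


def audit_inventory(devices: List[Device], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    return {d.name: audit_device(d, today) for d in devices}


# Constructed sample inventory: one unhardened camera, one compliant one.
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", ("admin", "12345"), {"http", "https", "rtsp", "upnp"},
           (1, 2), True,
           [OpenCVE("CVE-PLACEHOLDER-1", 9.8, date(2024, 1, 10))]),
    Device("cam-dock-07", ("svc-vms", "correct-horse-battery-staple"),
           {"https", "rtsp"}, (1, 2), False, []),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, findings or ["clean"])
```

In practice the inventory records would be populated from the VMS device list and the vendor's firmware advisories; the audit logic itself does not change. The "patch-overdue" finding is computed from the vendor's fix-release date rather than the CVE publication date, since the SLA clock can only start once a fixed firmware exists.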

Network Segmentation for Physical Security Systems

Physical security systems must operate on dedicated, isolated network segments (VLANs) with strictly controlled inter-VLAN routing rules. A flat network where IP cameras, access control panels, and NVRs share the same broadcast domain as user workstations and servers is indefensible. The segmentation architecture:

  • Security Device VLAN — all IP cameras, access control panels, intercom devices, and other field devices. No internet access from this VLAN. Access restricted to VMS servers and access control servers only. Monitor for unexpected lateral movement attempts (camera attempting to communicate with workstations is an anomaly).
  • Security Server VLAN — VMS servers, access control servers, PSIM, identity management servers. Strictly controlled inbound rules from Security Device VLAN (only the specific TCP/UDP ports required by each system). Outbound internet access for license validation and cloud backup only, via explicit proxy with TLS inspection. No direct workstation access to Security Server VLAN except through jump server with MFA.
  • Monitoring/Operations VLAN — SOC workstations, operator monitors, guard consoles. Access to Security Server VLAN is read-only for camera video and alarm display; write access (door commands, configuration changes) requires privileged role with additional authentication step.

All inter-VLAN traffic must pass through a next-generation firewall (NGFW) with application-layer inspection, not just stateful packet filtering. Configure network flow analysis (NetFlow/IPFIX export to SIEM) for the Security Device VLAN to detect anomalous traffic patterns that may indicate compromised devices.
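The three-VLAN architecture above implies a small allow-list of inter-zone flows, and the NetFlow/IPFIX export is what lets you check real traffic against it. The script below is an added example, not code from the original article: it maps addresses to the Security Device, Security Server, Monitoring/Operations and corporate zones, encodes the permitted zone-to-zone port pairs (device to server on HTTPS and RTSP, operations to server on HTTPS), allows internet egress from the server VLAN only via the explicit proxy, and flags everything else, including the camera-to-workstation case the text names as an anomaly. The address ranges, proxy address, port choices and flow records are all constructed assumptions.

```python
"""Inter-VLAN flow policy check for a segmented physical security network.
Added example (not from the original article). Zone address ranges, the
proxy address, the permitted ports and the flow records are all constructed."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Assumed VLAN addressing for the three security zones plus the corporate LAN.
ZONES = {
    "security-device": ipaddress.ip_network("10.10.0.0/24"),
    "security-server": ipaddress.ip_network("10.20.0.0/24"),
    "monitoring-ops": ipaddress.ip_network("10.30.0.0/24"),
    "corporate": ipaddress.ip_network("10.50.0.0/16"),
}
# The only host in the Security Server VLAN allowed to reach the internet
# (the explicit egress proxy from the text); the address is an assumption.
EGRESS_PROXY = ipaddress.ip_address("10.20.0.250")
# Permitted (source zone, destination zone) pairs and destination ports.
# Ports are assumptions: 443 HTTPS management/API, 554 RTSP video.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("security-device", "security-server"): {443, 554},
    ("security-server", "security-device"): {443, 554},
    ("monitoring-ops", "security-server"): {443},
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"   # anything outside the known zones


def classify_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Return a violation label, or None if the flow is permitted."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return None  # intra-VLAN traffic never crosses the NGFW
    if dst_zone == "internet":
        if src_zone == "security-server" and ipaddress.ip_address(src) == EGRESS_PROXY:
            return None
        return f"{src_zone}-to-internet"
    allowed_ports = ALLOWED.get((src_zone, dst_zone))
    if allowed_ports is None:
        return f"{src_zone}-to-{dst_zone}-denied"
    if dport not in allowed_ports:
        return f"{src_zone}-to-{dst_zone}-unexpected-port:{dport}"
    return None


def detect_anomalies(flow_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse 'timestamp,src,dst,dport,proto' records and return the violations."""
    alerts = []
    for line in flow_lines:
        ts, src, dst, dport, _proto = line.strip().split(",")
        reason = classify_flow(src, dst, int(dport))
        if reason:
            alerts.append((ts, src, dst, reason))
    return alerts


# Constructed flow export (NetFlow/IPFIX reduced to five fields).
SAMPLE_FLOWS = [
    "2024-03-01T02:14:01Z,10.10.0.23,10.20.0.5,554,tcp",      # camera -> VMS video
    "2024-03-01T02:14:07Z,10.10.0.23,10.50.3.17,445,tcp",     # camera -> workstation
    "2024-03-01T02:14:09Z,10.10.0.23,203.0.113.5,443,tcp",    # camera -> internet
    "2024-03-01T02:15:00Z,10.30.0.8,10.20.0.5,443,tcp",       # operator -> VMS web
    "2024-03-01T02:15:02Z,10.30.0.8,10.20.0.5,3389,tcp",      # operator -> VMS RDP
    "2024-03-01T02:16:00Z,10.20.0.5,198.51.100.9,443,tcp",    # VMS direct egress
    "2024-03-01T02:16:01Z,10.20.0.250,198.51.100.9,443,tcp",  # proxy egress, allowed
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_FLOWS):
        print(*alert)
```

The same zone/allow-list table is what the NGFW policy should express; running it over the flow export is a way to confirm the firewall is enforcing it and to catch a compromised device probing outside its zone.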

Identity Governance: Unifying Physical and Logical Access

The most powerful convergence integration is a unified identity governance platform that manages both physical access control (badge/credential) and logical access control (Active Directory, LDAP, application SSO) from a single authoritative identity store. Benefits:

  • Joiner/mover/leaver automation — when an employee is terminated in HR, a unified IGA (Identity Governance and Administration) system simultaneously disables their Active Directory account and revokes their physical access credentials in the PACS — eliminating the common gap where ex-employees retain building access after IT offboarding because physical access revocation required a separate manual process in a separate system.
  • Separation of duties enforcement — IGA can enforce rules like "a user cannot have both administrator access to the access control system AND a physical access credential to the server room" — preventing insider threats from self-provisioning access.
  • Cross-domain anomaly detection — a user who badges into the building at 11 PM but has no corresponding login event on any IT system within 30 minutes is anomalous and may indicate badge sharing or tailgating. A user who accesses sensitive systems remotely while their badge shows them as not on-site is an impossible travel anomaly. These cross-domain correlations are only possible when physical and logical access data flows into a common analytics platform (SIEM or UEBA).
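The cross-domain rules above only work once badge and logon events sit in one place; the script below is an added example, not code from the original article or any IGA product, showing the correlation over constructed PACS and IT logon records. It implements the 30-minute badge-in-without-logon check, flags any logon whose origin (on-site network versus remote VPN) disagrees with the user's badge presence state at that moment, and adds the separation-of-duties rule quoted above (PACS administrator plus server-room badge). Users, timestamps, entitlement names and the badge/logon event shape are all assumptions.

```python
"""Cross-domain correlation of PACS badge events with IT logon events,
plus a separation-of-duties check over combined entitlements.
Added example (not from the original article); every event, user and
entitlement below is constructed sample data, timestamps are UTC."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str, str]   # (user, timestamp, reason)

# A badge-in with no logon by the same user inside this window is suspicious.
BADGE_TO_LOGON_WINDOW = timedelta(minutes=30)

# (user, ISO timestamp, "in" | "out") from the PACS
BADGE_EVENTS = [
    ("alice", "2024-03-04T23:02:00", "in"),   # late entry, never logs on
    ("bob", "2024-03-04T08:10:00", "in"),
    ("bob", "2024-03-04T17:30:00", "out"),
    ("carol", "2024-03-04T09:00:00", "in"),
]
# (user, ISO timestamp, "onsite" | "remote") from AD / VPN logs
LOGON_EVENTS = [
    ("bob", "2024-03-04T08:20:00", "onsite"),
    ("carol", "2024-03-04T09:05:00", "onsite"),
    ("carol", "2024-03-04T13:00:00", "remote"),  # still badged in
    ("dave", "2024-03-04T10:00:00", "onsite"),   # on the LAN, no badge record
]
# Combined entitlements from IGA; the conflict pair is the rule quoted in the text.
SAMPLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "erin": {"pacs-admin", "server-room-badge"},
    "frank": {"pacs-admin"},
    "grace": {"server-room-badge", "ad-user"},
}
SOD_CONFLICTS = [("pacs-admin", "server-room-badge")]


def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def badge_without_logon(badge_events, logon_events) -> List[Alert]:
    """Badge-in not followed by a logon within the window (badge sharing / tailgating)."""
    alerts = []
    for user, ts, direction in badge_events:
        if direction != "in":
            continue
        start = _t(ts)
        followed = any(u == user and start <= _t(lt) <= start + BADGE_TO_LOGON_WINDOW
                       for u, lt, _ in logon_events)
        if not followed:
            alerts.append((user, ts, "badge-in-without-logon"))
    return alerts


def location_conflicts(badge_events, logon_events) -> List[Alert]:
    """Logon origin that disagrees with the badge presence state at that moment."""
    history: Dict[str, List[Tuple[datetime, str]]] = {}
    for user, ts, direction in sorted(badge_events, key=lambda e: e[1]):
        history.setdefault(user, []).append((_t(ts), direction))
    alerts = []
    for user, ts, origin in logon_events:
        now = _t(ts)
        # The most recent badge event at or before the logon decides presence.
        prior = [d for when, d in history.get(user, []) if when <= now]
        on_site = bool(prior) and prior[-1] == "in"
        if origin == "remote" and on_site:
            alerts.append((user, ts, "remote-logon-while-badged-in"))
        elif origin == "onsite" and not on_site:
            alerts.append((user, ts, "onsite-logon-without-badge"))
    return alerts


def sod_violations(entitlements: Dict[str, Set[str]]) -> List[str]:
    """Users holding both halves of any separation-of-duties conflict pair."""
    return sorted(u for u, ents in entitlements.items()
                  if any(a in ents and b in ents for a, b in SOD_CONFLICTS))


def correlate(badge_events, logon_events) -> List[Alert]:
    alerts = badge_without_logon(badge_events, logon_events) + \
        location_conflicts(badge_events, logon_events)
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGON_EVENTS):
        print(*alert)
    print("SoD violations:", sod_violations(SAMPLE_ENTITLEMENTS))
```

Presence is derived from the last badge event at or before each logon, so a missing badge-out (common with tailgating on exit) shows up as a remote logon while "still inside" and is worth tuning against site-specific exit practices before alerting on it.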

Platforms supporting unified PACS/IAM integration include SailPoint IdentityNow (with Lenel, Genetec, Software House connectors), Saviynt Security Manager, and ForgeRock (now Ping Identity). Most integrate with PACS via REST API or SCIM (System for Cross-domain Identity Management) provisioning.

Standards and Regulatory Requirements for Converged Security

Key standards governing physical-cyber security convergence:

  • IEC 62443 — Industrial Automation and Control Systems Security. Series of standards covering security management (62443-2-1), patch management (62443-2-3), system requirements (62443-3-3), and component requirements (62443-4-2). Widely applied to physical security OT systems in critical infrastructure. 62443-3-3 SL 2 (Security Level 2) is the baseline requirement for most physical security network environments.
  • NIST CSF 2.0 — Cybersecurity Framework. The Govern, Identify, Protect, Detect, Respond, Recover functions apply directly to physical security system cybersecurity. CSF profiles are increasingly used by physical security system owners to document their cybersecurity posture and identify gaps.
  • NERC CIP-002 through CIP-014 — the critical infrastructure protection standards for electric utilities. CIP-005 (Electronic Security Perimeters) applies to physical security devices that connect to Electronic Security Perimeters protecting BES Cyber Systems; CIP-006 (Physical Security) and CIP-007 (System Security Management) are directly converged requirements mandating both physical and cyber controls on the same assets.
  • NIST SP 800-82 Rev. 3 — Guide to OT Security. Provides network architecture guidance, including physical security system network segmentation recommendations applicable directly to PACS and VMS deployments.
  • UL 2900-2-3 — Software Cybersecurity for Network-Connectable Products — Particular Requirements for Security and Life Safety Signaling Systems. The UL listing program for evaluating the cybersecurity of physical security devices including access control panels, video management servers, and alarm communicators.