Cybersecurity for physical security systems: the controls that close the gap

Cybersecurity for physical security systems comes down to eight controls: NDAA 889-clean hardware, factory-default credentials replaced before commissioning, separate VLAN for the camera and access-control network, signed firmware with a documented patch cadence, encrypted streams (HTTPS, TLS 1.2 or higher), role-based admin access with audit logs, vendor-managed cloud or on-prem with explicit BAA or DPA, and a written incident-response runbook for camera or controller compromise. Most breaches we see started with a default password on a camera that nobody knew was internet-exposed.

The convergence problem in one sentence

The camera on your loading dock and the panel on your CUI-room door are full IP endpoints, each with an OS, a firmware image, a web server, and an account. If any of those are weak, the device is a way into the network. The Mirai botnet showed this at scale in 2016. The pattern hasn't changed; the volume has.

Cybersecurity for physical security is mostly hygiene. The eight controls below close the gaps that cause real incidents, and they satisfy the physical-cyber overlap in NIST SP 800-53, NIST SP 800-171 for CMMC, ISO 27001 Annex A.7, PCI-DSS Requirement 9, and the FTC Safeguards Rule.

1. NDAA 889-clean hardware as the default

Hikvision, Dahua, Lorex (Dahua-owned), and other Section 889 covered vendors don't just create procurement risk for federal-touching customers. They've shown up repeatedly in CISA advisories for hard-coded credentials and slow patch response. The defensible default is NDAA-compliant from day one: Verkada, Avigilon, Genetec, Axis, Hanwha, Milestone, Eagle Eye Networks for video; Brivo, Avigilon Alta, Kisi, HID for access. See our NDAA 889 explainer for the procurement detail.

2. No factory defaults at commissioning

Every camera and panel ships with a known default password, and half the publicly indexed Shodan results for IP cameras are still on factory creds. Before the device touches the production VLAN, change the admin password to a unique value, disable any anonymous or guest accounts, and confirm the device responds only on the management interface, not the public WAN.

3. Separate VLAN, locked-down inter-VLAN routing

Cameras, door controllers, and the video management server live on their own VLAN. Inter-VLAN routing is restricted to the specific ports the VMS needs (RTSP, HTTPS admin) and nothing else. Point-of-sale, corporate Wi-Fi, HVAC, and clinical networks don't share a broadcast domain with security devices. Cisco Meraki, Ubiquiti UniFi, and Cisco Catalyst all support this; the gap is usually that nobody asked for it during install.

4. Signed firmware and a written patch cadence

Cloud-native systems (Verkada, Avigilon Alta, Eagle Eye, Brivo) push firmware silently. On-prem systems (Genetec, Milestone, Axis, Hanwha) need a maintenance window and a process owner. The audit-defensible posture is a written policy: monthly review, critical CVEs patched inside 30 days, zero-days patched on vendor release, test bed before production push. Three paragraphs is enough; you just need it on paper. Most customers don't have one in writing, which becomes the audit finding even when patches are current.

5. Encrypted streams and encrypted credentials

Camera-to-VMS over TLS 1.2 or higher. Admin web over HTTPS with a valid certificate. Footage at rest on encrypted storage. Reader-to-panel using AES-encrypted credentials, not 125 kHz prox cards (which clone in seconds with a $40 device). When a customer is upgrading controllers anyway, that's the moment to retire prox.

6. Role-based admin access with audit logs

One shared admin account is the most common finding in customer audits. Every operator should have a named account with role-scoped privileges, MFA on the VMS, and an audit log that survives operator deletion (cloud systems do this by default; on-prem needs configuring). When somebody leaves, the offboarding workflow revokes the account the same business day.

7. Vendor agreements that match the data class

Healthcare cloud video needs a Business Associate Agreement (HIPAA). EU-resident-touching deployments need a Data Processing Agreement (GDPR). Defense work under CMMC 2.0 needs vendor selection constrained to NDAA-compliant manufacturers and documented in the System Security Plan. Auditors don't want to hear the contract is fine; they want the signed agreement on file.

8. Written incident-response runbook for camera or controller compromise

The runbook names who isolates the device, who reviews logs, who notifies the customer's CISO, and what gets preserved for forensics. Three pages is fine. The call tree exists before the incident, not the morning after. See our ISN certification primer for the broader documentation expectations industrial buyers apply.

Frequent buyer questions

How does an IP camera become a network attack vector?

Three common patterns. The installer never changed the factory password and the camera ended up on the public internet because each team assumed the other managed it; botnets like Mirai scan for exactly this and recruit the camera into DDoS swarms or pivot to the network. The firmware has a known unpatched CVE and the vendor's update process is manual or non-existent. Or the camera shares a VLAN with point-of-sale or HVAC, so an attacker who owns it can reach far more sensitive systems. The fix is the same in each case: NDAA-compliant cameras with signed firmware, separate VLAN, no default credentials, documented patch cadence.

Does NDAA Section 889 actually affect cyber posture or just procurement?

Both. The procurement piece is well-known: federal agencies, prime contractors, and grantees can't use Hikvision, Dahua, Hytera, Huawei, ZTE, or their subsidiaries (FAR 52.204-25). The cyber piece is that the same vendors have appeared repeatedly in CISA advisories for hard-coded credentials, undocumented backdoors, and slow patch response. Even private companies with no federal exposure carry the operational risk. The defensible default is NDAA-compliant from day one: Verkada, Avigilon, Genetec, Axis, Hanwha, Eagle Eye Networks for video; Brivo, Avigilon Alta, Kisi, HID for access. The camera cost difference is small; a forensic incident is not.

What does network segmentation look like for cameras and access control?

Cameras and door controllers live on their own VLAN, isolated from production traffic, point-of-sale, HVAC, and corporate user traffic. Inter-VLAN routing is locked to specific management ports between the security VLAN and the video management server, which sits behind a firewall with explicit allow rules. Cloud-native systems (Verkada, Avigilon Alta) talk outbound to vendor cloud over TLS 1.2 or higher; on-prem systems (Genetec, Milestone, Hanwha NVR) need no inbound exposure if remote access is brokered through a VPN or vendor-managed tunnel.

What encryption do auditors expect on camera streams and credentials?

Camera-to-VMS over TLS 1.2 or higher. Web admin over HTTPS with a valid certificate (self-signed acceptable on isolated VLANs, public CA on internet-exposed). Footage at rest on encrypted storage. Reader-to-panel using AES-128 or higher. Mobile credentials (Brivo, Avigilon Alta, HID) handle this transparently; legacy 125 kHz prox cards don't encrypt and clone trivially with a $40 device, which is why most upgrade paths move to encrypted credentials at the controller refresh.

Free quick physical-cyber convergence audit.

Bring your camera and access-control vendor list, your network diagram, and any open audit findings. We'll review NDAA exposure, default-credential gaps, network segmentation, and patch cadence. Output: a written gap list with a phased fix plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Get the details 855-577-0400