Why Your Physical Security System Is the Soft Spot in Your Network

A security integrator pulls cable, mounts cameras, installs card access on the doors, and gets everything wired and talking. The customer watches a guard pull up live video on a monitor, sees the door unlock when a badge taps the reader, and signs off. Job done. Except the part nobody checked is the only part that matters once the building is occupied: whether any of those devices is safe to have on a network.

Most of the time, it isn’t.

Here’s the thing people miss. A modern camera is a Linux computer with a lens. A door controller is a computer that can open a locked door. A video management server is a Windows box sitting on your network with a service account that probably has more access than it should. These are computers, and they get installed by integrators whose training was in conduit, mounting, and making the demo work, not in network security. That’s not an insult. It’s a description of how the work is structured, and it’s how critical infrastructure ends up exposed without anyone deciding it should be.

The buyer makes it worse without meaning to

Customers judge a security system by whether it works the way they can see it work. Does the camera show a picture? Does the door open? Did the install look tidy? Those are the acceptance criteria, and a system passes them whether or not it’s a soft entry point into the corporate network. So the buyer pays for what they can observe, the integrator delivers what the buyer pays for, and network security, which nobody can see in a walkthrough, falls into the gap between them. Airports, hospitals, courthouses, law enforcement, and plain office buildings. Everywhere is impacted.

I’ve watched enough of these systems pass acceptance testing to know the gap between a system that works and a system that’s secure is wide, and the customer almost never finds out until something goes wrong.

The 5 things that close most of the gap

None of this is exotic. It’s the basic hygiene that should have been part of the install, applied after the fact because it wasn’t.

1. Get it off the flat network. Cameras, controllers, and the management servers belong on their own segment, with traffic between that segment and the business network controlled and logged. A flat network where the lobby camera can reach the finance server is a design failure, even if everything displays correctly.
2. Change the credentials, all of them. Default passwords on devices, default service accounts, the vendor’s maintenance login. Change them before the system goes live, not in a future maintenance window that never comes.
3. Patch the things, on a schedule. Camera and controller firmware ages out fast, and “it still works” is not the same as “it’s safe.” If nobody owns patching for the security estate, nobody is patching it.
4. Lock down the management server. Least privilege on the service accounts, host hardening, logging turned on and going somewhere. The video management system is a Windows server like any other, and it should be treated like one, with stability, security, and sometimes functionality weighed honestly when you do.
5. Write down who owns it. The single most common failure isn’t technical. It’s that no one is responsible for the security of the security system after handoff. Name the owner, on paper.

The deeper problem is the handoff

The integrator finishes and leaves. The customer’s IT team was rarely in the room during the install and inherits a system they didn’t design, often without documentation, sometimes without even knowing the device count. The vendor considers the job closed. So the system runs for years, unpatched and unsegmented, until an incident or an insurance review or an auditor finally asks the question nobody asked at sign-off.

If you operate any of this, the fix isn’t a product. It’s deciding that the security system is part of your network, holding the integrator to a standard before you accept the work, and owning it afterward. That’s the work I do on the convergence side, and it’s the same gap I keep finding on assessments.

Hans Study is an independent security advisor and fractional CISO in Ontario, Canada, focused on the boundary where physical security, OT, and IT meet.