
The Hidden Cyber Risks in Your CCTV and Access Control Systems

Physical security systems — CCTV cameras, door access controllers, intercoms — are increasingly networked. That connectivity brings operational benefits and a category of cyber risk that most businesses have not assessed.

By Ryan Balloot, Managing Director | 24 August 2023 | 1 min read

Physical security and cyber security have traditionally been separate domains. Modern CCTV systems run Linux-based firmware and connect to cloud management platforms. Door access controllers run on the corporate network. Intercoms have IP addresses. The physical security perimeter and the cyber security perimeter are now the same perimeter.

Why Physical Security Devices Are High Risk

Network-connected physical security devices share characteristics that make them particularly vulnerable. They are rarely patched — treated as appliances rather than computing devices. Many ship with default credentials that are publicly documented. They are frequently placed on the same network segment as corporate computers.

What Attackers Do With Compromised Devices

A compromised CCTV camera provides visual intelligence — showing occupancy, security routines, and the location of high-value assets. At the network level, it provides a persistent foothold inside the network for lateral movement. Large botnets used for distributed denial of service attacks are frequently composed primarily of network cameras.

Access Control Specific Risks

A compromised access controller potentially allows an attacker to unlock doors remotely, grant credentials to unauthorised individuals, or export the access database. For businesses using biometric access control, a breach is permanent — biometric data cannot be reissued.

Practical Steps

Segment the network: place physical security devices on a dedicated VLAN isolated from corporate systems. Change default credentials on every device before installation. Include firmware updates in your vulnerability management program. If remote management is required, use a VPN — do not expose management interfaces to the public internet.
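The four steps above can be checked against a device inventory. The following is an added example, not part of the original article: the addressing plan, the 180-day firmware threshold, the inventory field names and the sample devices are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Assumed addressing plan and threshold (constructed for this example).
SECURITY_VLAN = ipaddress.ip_network("10.50.0.0/24")   # dedicated device VLAN
INTERNAL = [ipaddress.ip_network(n)                     # RFC 1918 private ranges
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_FIRMWARE_AGE_DAYS = 180

# Constructed sample inventory; "mgmt_allowed_from" lists the source networks
# permitted to reach the management interface (10.99.0.0/24 = assumed VPN pool).
INVENTORY = [
    {"name": "cam-lobby", "ip": "10.50.0.21", "default_creds_changed": True,
     "firmware_date": date(2023, 6, 1), "mgmt_allowed_from": ["10.99.0.0/24"]},
    {"name": "door-ctrl-1", "ip": "10.10.4.7", "default_creds_changed": False,
     "firmware_date": date(2021, 3, 15), "mgmt_allowed_from": ["0.0.0.0/0"]},
    {"name": "intercom-gate", "ip": "10.50.0.40", "default_creds_changed": True,
     "firmware_date": date(2022, 11, 2), "mgmt_allowed_from": ["10.99.0.0/24"]},
]

def audit_device(dev, today):
    """Return findings for one device, each prefixed with the control it fails."""
    findings = []
    ip = ipaddress.ip_address(dev["ip"])
    if ip not in SECURITY_VLAN:
        findings.append(f"segmentation: {ip} is outside {SECURITY_VLAN}")
    if not dev["default_creds_changed"]:
        findings.append("credentials: default credentials not changed")
    age = (today - dev["firmware_date"]).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware: last update {age} days ago")
    for src in dev["mgmt_allowed_from"]:
        net = ipaddress.ip_network(src)
        # A source range not wholly inside private space admits internet addresses.
        if not any(net.subnet_of(priv) for priv in INTERNAL):
            findings.append(f"exposure: management reachable from {net}")
    return findings

def audit_inventory(inventory, today):
    """Map each device name to its list of findings (empty list = compliant)."""
    return {d["name"]: audit_device(d, today) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2023, 8, 24)).items():
        print(name, "OK" if not findings else findings)
```

In the sample data only the door controller fails all four checks; the intercom sits on the right VLAN but is flagged for stale firmware.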

Does the Essential Eight cover CCTV and access control devices?

The Essential Eight was primarily designed for endpoint computers and servers. However, the principles — patching, restricting admin privileges, MFA — apply to any networked device. An assessment that ignores physical security devices is providing an incomplete picture of your risk exposure.
