How to Prevent Your Physical Security System from Becoming Your Biggest Cybersecurity Threat

One of the fastest growing threats to organizations is being breached through cyber vulnerabilities in their IoT devices, specifically physical security systems. The number of attacks reach a record of over 3 billion in 2022, and 2023 is likely to be bigger still. Threat actors see physical security devices (like an IP camera) not based on what they do, but what they can do if exploited, since many IoT devices are complex, with the compute, storage and networking capabilities for malicious hackers to leverage.

Physical security systems don’t live in isolation. If you have heard about DDoS attacks (distributed denial of service attacks) you may be aware that they are increasing in both volume and velocity. Many DDoS attacks come from bots (or malware) placed on network-connected physical security devices, quietly lying in wait to be activated to launch attacks.

Their continued (and expanded) presence is a sign that the basic security needed to prevent the malware from being placed on the device is simply not there.

Ready to improve your organization’s cybersecurity around physical security? Here a few concepts that are useful in developing strategy and tactics:

  • Think of it as a “Security Journey” rather than arriving at a destination. Like most journeys there are stages you go through; reading an article like this shows you at least are aware of the problem and want to do something about it. Deploying an agentless asset discovery solution, followed by an automated agentless remediation solution suggests you are further along. Needing automated documentation to for audit and compliance purposes shows even further progress.
  • Also keep in mind that threat vectors and types of attacks may vary; what matters most is resilience and ability to stem damages and recover operations. Preventing all threats from ever occurring should not be the focus; having an active program that can adjust to changes is.
  • Going it alone is not effective; cybersecurity is a team sport, and there are partners both inside and outside your organization that need to be actively involved.

With these factors in mind, here are 10 steps you should be taking on your security journey specific to physical security:

  1. Avoid agent-based solutions; they are a dead end. Many cybersecurity solutions were designed for IT environments that use Windows or Linux by putting agents (software code) directly onto the IT device. In the physical security world, there are many different forms of operating systems, making the use of agents highly limited. In addition, the scale of physical security devices is often 10x that of IT, so you should never sign up for the overhead of putting and managing agents onto devices. Only use solutions that are agentless and don’t require putting software onto cameras or access control systems.
  2. Know what you have gotten by using an agentless asset discovery solution: the starting point for securing your systems is having a complete inventory. There are several agentless asset discovery solutions that can provide you with both asset inventory and which devices are vulnerable and in need of remediation.
  3. Think of your networks as layers of defense. Having a network dedicated to your physical security devices has always been a best practice, but there is more you can do. Using network access control allows you to block devices from network communication, a good initial strategy to limit a threat from progressing through your network.
  4. Mitigation is good in short term but needs to be followed by remediation in the form of firmware updating (or patching). When you mitigate threats by stopping network traffic you are also stopping the function of the devices (capturing video evidence or granting access).
  5. Focus on both remediation and repatriation. With IoT systems like physical security you remediate a vulnerability in a device but that needs to be followed by repatriation, where for audit and compliance purposes you need to show that the devices are functioning back in its overall workflow.
  6. Lifecycle management includes cyber hygiene. Just like regular maintenance and decommissioning devices that have reached their end of life, maintaining device firmware, passwords, and certificates should be thought of as part of overall lifecycle management.
  7. Key functions (firmware, passwords, certificates) must be automated because of both the scale and physical placement of video and access control devices. Studies performed on large fleets of devices (8,000+) has shown that there is an 80% or more reduction in both people and budget needed to perform required cyber hygiene functions.
  8. Use automation to enforce and audit corporate policies. Like the point above, the sheer scale of devices and applications requires automated methods of alerting and reporting to be able to manage the overall process. Especially if your organization holds a cyber insurance policy having a push-button mechanism to deliver detailed information about your cyber hygiene can make the difference in the insurer being willing to underwrite the risk or process claims.
  9. Work across organizational boundaries, especially procurement. The data held by physical security teams is an asset in working with other parts of the organization to appropriately set budgets, allocate headcount, and be able to plan and negotiate upcoming purchases. For example, providing your procurement team with a schedule of what devices are going end of life can help them negotiate and purchase systems more efficiently and with the proper cyber security as it is deployed.
  10. Managed services more than ever offer organizations flexibility to address cybersecurity issues without having to add permanent headcount and to be faster in reducing the attack surface from physical security. Not only are there highly skilled service providers who can extend your workforce, but they are likely to help expose your team to what the latest and most efficient and cost-effective methods for maintaining your cyber hygiene.

In summary, there is an imperative for physical security teams to improve their cyber hygiene. By focusing on the best practices listed here organizations will not only shrink their attack surface from physical security but also gain valuable operation data, reporting capabilities, and closer ties to other parts of the organization. The result is a physical security organization that is increasing its organizational value in numerous ways while making the organization safer and more resilient.

About the Author

Bud Broomhead is the CEO of Viakoo.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3