Cyber Goes Physical: When IT Problems Become Facility Problems
Connectivity makes systems easier to manage but also easier to misuse as networked cameras and badge readers become the new front line of risk.
By Will Knehr
May 15, 2026
I spend a lot of time talking with integrators and end users who are doing everything right from a traditional physical security perspective. Cameras are well placed, coverage is solid, access control policies make sense, and the system works day to day.
Then the cybersecurity conversation comes up, and the tone changes. People assume it is too technical, too IT-focused, or someone else’s lane.
The truth is more straightforward and more urgent. Physical security systems are now networked systems. Cameras, recorders, access control panels, intercoms, building management platforms, and the cloud portals used to manage them all run on IP networks. That shift changes the risk. It also changes the consequences when something goes wrong.
A compromised laptop is a bad thing. A compromised system that can unlock doors, blind cameras or disrupt building operations is a different category of bad. That is what “cyber goes physical” really means.
The Blast Radius is Bigger Than Most People Think
In many organizations, physical security infrastructure lives close to business networks, sometimes intentionally for convenience, and sometimes simply because it evolved that way over the years. Remote access gets added to support a new site. A server is dual-homed (two NICs) for management but inadvertently creates a bridge between two networks. A vendor receives persistent access because it saves time. None of that feels reckless in the moment; it feels practical, and attackers love practical.
Once an attacker has a foothold, the question becomes what they can reach. In a flat or loosely segmented environment, they can often access much more than they should. That is when cybersecurity stops being an IT issue and becomes a continuity and safety issue. I explain it to teams this way: the same connectivity that makes systems easier to manage also makes them easier to misuse. If a compromise can travel, impact can travel.
How Intrusions Usually Start
Most real incidents do not begin with someone targeting a camera model in isolation. More often, the path is boring, as most security failures are. It is rarely the camera hack people imagine.
It starts with a credential that should have been retired but never was. It begins with a remote-access service that was temporarily exposed and became permanent. It starts with password reuse, phishing, vendor accounts with broader access than anyone remembers approving, poor network segmentation, and more.
Sometimes the entry point is a cloud dashboard or management portal. Cloud management can be a big win for operations, but it also concentrates power. If access controls are weak or an attacker gains administrative access, one compromise can quickly escalate into many.
The pattern is consistent: attackers find the easiest path, not the most cinematic one.
What Does Physical Impact Look Like in a Connected Building?
When attackers move beyond data and into operational control, the outcomes get very real, very quickly.
If surveillance systems are accessible, attackers can turn off cameras, manipulate coverage, or exfiltrate video. If recorders are reachable, they can tamper with retention or destroy evidence. If access control infrastructure is exposed, doors can be unlocked, schedules altered, badges misused, and alarms suppressed.
If building management systems are reachable, HVAC setpoints and building operations can be changed in ways that disrupt business and, in some environments, affect safety.
Even when the attacker’s goal is still financial, the leverage changes. Ransomware that takes down email is painful. Ransomware that forces a site into manual operations, restricts access control workflows, or disrupts building systems becomes a business-stopping event.
Why Facility Environments Need a Different Cybersecurity Playbook
Security leaders who come from IT often assume the solution is simple: patch faster, replace older systems, and enforce modern standards everywhere. In buildings and critical environments, that approach breaks down.
Many devices have long lifecycles, and some stay deployed for a decade or more. Maintenance windows are limited. Availability is non-negotiable. In some environments, any change that causes downtime is unacceptable. That means cybersecurity must be implemented in a way that respects operations, safety, and the realities of the field.
This is also where integrators and manufacturers play a significant role. Decisions made at design and deployment time shape the security posture for years.
What Actually Reduces Risk Without Breaking Operations
The good news is that the most effective improvements are not exotic. They are not reserved for large enterprises with big budgets. They are the fundamentals applied consistently.
Segmentation is one of the most potent examples. When security systems, building management systems and corporate IT all share the same space, a foothold anywhere can become a problem everywhere. Thoughtful zoning, clear boundaries, and controlled pathways between networks can help prevent an incident from escalating into a facility-wide event.
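The segmentation point above, and the dual-homed server described earlier, can be checked from an asset inventory. The following is an added example, not part of the original article: it compares the zones a corporate foothold can reach under the firewall policy as written with what multi-homed hosts make reachable as deployed. Zone names, host names and flows are constructed sample data.

```python
from collections import deque

# Constructed sample data, not from the article. Zone and host names are
# hypothetical. ALLOWED_FLOWS is what the firewall policy permits (src -> dst).
ALLOWED_FLOWS = {
    ("corporate", "dmz"),
    ("mgmt", "video"),
    ("mgmt", "access_control"),
    ("mgmt", "bms"),
}
# Each host lists the zone of every NIC it has.
HOSTS = {
    "vms-server-01": ["corporate", "video"],  # dual-homed "for management"
    "bms-gateway": ["video", "bms"],          # second, forgotten bridge
    "nvr-02": ["video"],
    "door-panel-07": ["access_control"],
}

def bridges(hosts):
    """List (host, zone_a, zone_b) for every host with NICs in two zones."""
    found = []
    for name, zones in sorted(hosts.items()):
        zs = sorted(set(zones))
        found += [(name, a, b) for i, a in enumerate(zs) for b in zs[i + 1:]]
    return found

def blast_radius(foothold, flows, hosts):
    """Zones reachable from a foothold zone. Assumption: a compromised
    multi-homed host can relay traffic both ways between its zones."""
    edges = {}
    for src, dst in flows:
        edges.setdefault(src, set()).add(dst)
    for _, a, b in bridges(hosts):
        edges.setdefault(a, set()).add(b)
        edges.setdefault(b, set()).add(a)
    seen, queue = {foothold}, deque([foothold])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

if __name__ == "__main__":
    for host, a, b in bridges(HOSTS):
        print(f"bridge: {host} joins {a} <-> {b}")
    print("policy as written:", sorted(blast_radius("corporate", ALLOWED_FLOWS, {})))
    print("as deployed:      ", sorted(blast_radius("corporate", ALLOWED_FLOWS, HOSTS)))
```

In this sample, the policy alone confines a corporate foothold to two zones, while the two bridging hosts extend it to the video and building management zones; giving vms-server-01 a single NIC in the video zone restores the intended boundary.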
Privileged access is another. Shared admin accounts, persistent vendor credentials, and weak remote access controls remain common because they are convenient. Convenience is not the same as capability. Remote management should be tightly controlled, monitored and protected with multi-factor authentication and a password manager. Vendor access should be time-bound and auditable, not a standing invitation.
Then there is hardening. Default credentials, unused services, overly permissive firewall rules, and unmanaged firmware updates are both technical problems and predictable failure points. Eliminating them is one of the fastest ways to raise the cost for attackers.
Finally, detection and response cannot live only in IT. If something goes wrong in a facility environment, the people who run the building need to be part of the response plan from the start. That means knowing what safe mode looks like, understanding manual overrides, and rehearsing the decision points that matter in real incidents.
In the near term, focus on removing easy wins: eliminate defaults, reduce exposed interfaces, constrain remote access, and get a clean inventory of what is deployed. In the mid-term, focus on containment: segmentation, jump hosts, multi-factor authentication (MFA), and transparent vendor governance.
In the long term, concentrate on modernization: lifecycle plans for older devices, improved protocol choices and monitoring tailored to the unique traffic patterns of security and building systems.
The Takeaway
The physical security industry has always been about protecting people, property and operations. Cybersecurity is now part of that responsibility, whether we like it or not.
When cyber goes physical, the question is not whether your cameras have good image quality or whether the badge readers are dependable. The question is whether the systems that protect your building can be reached, controlled or disrupted by someone who should never be there.
The encouraging part is that most organizations do not need a revolution. They need discipline.
Tighten remote access. Segment networks. Remove defaults. Manage firmware. Build an incident playbook that includes the building's operations team. Do those things consistently, and you do not just reduce cyber risk. You increase resilience, minimize downtime, and make your security systems more trustworthy when it matters most.
This article originally appeared in the May/June 2026 issue of Security Today.