Cybersecurity Awareness Month 2025: Why Your Physical Security Systems Are Your Biggest Cyber Vulnerability
By Scott Gordon | Gordon Security Solutions
October marks Cybersecurity Awareness Month, with the Cybersecurity and Infrastructure Security Agency (CISA) rallying organizations around the theme “Building a Cyber Strong America.” The focus is clear: secure the vital services fundamental to our civilization – water, power, communications, food, and finance.
But there’s a critical blind spot in most cybersecurity discussions: physical security systems themselves have become prime cyber attack targets.
The Convergence Crisis
For years, physical security and cybersecurity operated in separate silos. The Chief Security Officer (CSO) managed locks, cameras, and access control. The Chief Information Security Officer (CISO) handled firewalls, networks, and data protection. Different budgets. Different priorities. Different teams.
But that separation is now a dangerous liability.
Today’s physical security infrastructure is fundamentally different from what existed even a decade ago:
- Access control systems run on IP networks
- Surveillance cameras stream data to the cloud
- Emergency notification platforms integrate with mobile devices
- Building management systems connect to enterprise networks
Your physical security systems aren’t air-gapped anymore. They’re networked, internet-connected, and vulnerable to the same cyber threats as any other IT asset.
The Statistics Are Alarming
The data reveals just how exposed organizations really are:
On IoT Security Cameras:
- While security cameras make up only 5% of enterprise IoT devices, they account for 33% of all security issues
- More than 40,000 IoT security cameras are exposed online right now, accessible to anyone who knows the IP address
- 79% of camera devices use unencrypted HTTP and FTP protocols
- 78% still use default manufacturer login credentials
- One in three data breaches now involves an IoT device
On Attack Frequency:
- Organizations face an average of 60 attacks per week targeting IoT devices – 41% higher than in 2022
- 820,000 daily IoT attacks occur globally
- 98% of IoT traffic remains unencrypted, exposing video feeds, credentials, and commands
On Operational Technology (OT) Attacks:
- Of the 55 cybersecurity incidents disclosed through SEC Form 8-K in 2024, more than half (30 cases) were direct attacks on OT systems
- Ransomware attacks on OT systems surged 46%
Real-World Consequences: The Verkada Breach
In 2021, hackers breached video surveillance provider Verkada, gaining access to live feeds from over 150,000 cameras installed in factories, schools, hospitals, and even prisons. The attackers didn’t use sophisticated zero-day exploits. They simply found administrator credentials that had been exposed online.
Once inside, they could:
- View live surveillance feeds in real-time
- Access archived footage
- Pivot into separate corporate networks of customer accounts
- Identify security vulnerabilities and blind spots
The breach exposed a harsh reality: the systems designed to provide security were themselves the security vulnerability.
Why Physical Security Systems Are Attractive Targets
Cybercriminals target physical security infrastructure for several reasons:
1. Weak Default Security Most IoT devices ship with default passwords that are rarely changed. Attackers maintain databases of these credentials and can scan networks to find vulnerable devices within minutes.
2. Lack of Network Segmentation Many organizations place physical security systems on the same network as critical IT infrastructure. When a camera or access control system is compromised, attackers can move laterally across the network to reach more valuable targets.
3. Infrequent Updates Unlike laptops and servers that receive regular patches, physical security devices often go years without firmware updates. Known vulnerabilities remain exploitable long after patches are available.
4. Limited Visibility Security teams often lack complete visibility into their IoT device inventory. You can’t protect what you don’t know exists.
5. Valuable Intelligence Compromised cameras provide reconnaissance for physical breaches. Access control systems reveal who enters buildings and when. This intelligence helps attackers plan more sophisticated attacks.
The Three Questions Every Security Director Must Answer
If you’re responsible for security – physical or cyber – ask yourself these questions:
1. When did IT last audit your access control system for cyber vulnerabilities?
If the answer is “never” or “I don’t know,” you have a problem. Your badge readers, door controllers, and management software all run on networked systems with potential vulnerabilities.
2. Are your physical security systems segmented from your core network?
Mixing IoT devices with critical IT infrastructure creates a highway for attackers. Best practice requires separate VLANs with strict firewall rules governing communication between zones.
3. If your surveillance system was compromised tomorrow, would you even know?
Without continuous monitoring for anomalous behavior – unexpected outbound connections, unusual data transfers, or configuration changes – a breach could go undetected for months.
Moving Forward: Integration Is Not Optional
As ransomware attacks targeting physical security systems increase, the disruptions can compromise sensitive data and critical operations. Organizations can no longer afford to treat physical and cyber security as separate domains.
The attackers certainly don’t make that distinction.
Building a truly “Cyber Strong America” requires:
- Unified Risk Assessment: Physical security systems must be included in enterprise risk assessments and vulnerability management programs
- Network Segmentation: IoT and OT devices should operate on isolated network segments with carefully controlled access to corporate resources
- Continuous Monitoring: Security teams need visibility into all connected devices and the ability to detect anomalous behavior in real-time
- Regular Updates: Establish processes for tracking and applying firmware updates to physical security infrastructure
- Integrated Incident Response: Breach response plans must account for scenarios where physical security systems are compromised
- Cross-Functional Collaboration: Break down the silos between physical security, IT, and cybersecurity teams
The Bottom Line
October is Cybersecurity Awareness Month, making it an ideal time to assess whether your organization is truly prepared for the converged threat landscape.
The question isn’t whether your physical security systems are vulnerable – the statistics make clear that they are. The question is whether you’re going to address those vulnerabilities before or after they’re exploited.
Attackers don’t respect organizational boundaries. They don’t care if something is labeled “physical security” or “IT infrastructure.” They simply look for the weakest entry point.
Is your physical security infrastructure that entry point?
About Gordon Security Solutions
Gordon Security Solutions is a comprehensive enterprise security risk management platform provider that empowers organizations to transform security from a cost center into a strategic business advantage.
Through an integrated suite of modules—including Risk Assessments, Incident Reports, Business Continuity, Task Management, Crisis Management, and Business Impact Analysis—Gordon Security Solutions helps security leaders demonstrate measurable value while protecting their organization’s most critical assets. The platform we provide eliminates manual processes, delivers real-time visibility, and provides the data-driven insights needed to make security decisions that align with business objectives.
Ready to elevate your security program? Connect with our team to discover how we’re helping organizations reduce operational costs, ensure compliance, and build security programs that drive business success.