A mid-size manufacturer typically has 80 to 200 surveillance cameras. A large data center has 400 or more. Every one of those cameras is a Linux-based embedded device with a network stack, a web interface, and — unsurprisingly — a long list of published CVEs. And yet camera systems are almost universally deployed and then forgotten.
This is not a rant about a specific camera vendor. All the major vendors have shipped vulnerable firmware at various times. The issue is structural: camera systems are procured and installed by integrators, then operated by facilities teams, and almost never reviewed by security teams. The result is a few hundred unmanaged Linux boxes sitting on your network.
What the typical camera deployment actually looks like
- Cameras on a dedicated VLAN, which is considered "isolated" — but routing to corporate is enabled for NVR access
- NVR running an OS that is two major versions behind current
- Default administrator password, or a single shared password that was set at install
- Firmware never updated since commissioning
- Vendor remote access configured during install and never revisited
- Web interfaces exposed to anyone on the camera VLAN, which (as above) has routing to corporate
This is not an exaggeration. This is what we find at a solid majority of facilities. And the attack paths that result are, by now, well-documented in the CISA alerts catalog.
The real risk
Two risks matter, in order:
- Camera infrastructure as a beachhead. A compromised NVR is a Linux server on your network. It can be used to pivot, to host command and control, to exfiltrate. The fact that it is "just a camera system" does not change its utility to an attacker.
- Loss of surveillance. If cameras go dark during an incident — whether a cyber incident or a physical one — you lose the ability to understand what happened. That is an operational risk independent of the cyber risk.
What good camera operation looks like
Four things, none complicated:
- Real segmentation. Camera VLAN, firewall-enforced, allow-list only for NVR viewing traffic. No bidirectional routing.
- Credential hygiene. Unique administrator credentials per site. No shared passwords. No defaults.
- Firmware currency. Track versions. Schedule updates. Budget time for the updates to break things and require troubleshooting — because they will.
- Annual review. A one-day review once a year covering all of the above. Findings reported to security and facilities leadership.
The org chart question
The reason camera systems end up this way is almost always organizational. Facilities owns the cameras. IT owns the network. Security owns the policy. Nobody owns "the camera system as a cybersecurity asset." Fix the ownership question and the rest follows.
Our physical security consulting engagements always include the camera infrastructure as a first-class asset. If yours hasn't been reviewed in the last two years, it's time.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.