the physical layer

cutting edge industry newsletter for security integrators

Release 2 2025 Q2
by Timur Gabaidulin

Welcome to The Physical Layer, where the digital future meets physical security. In this release, we explore how cyber criminals use building automation (BA) systems as an attack vector and move laterally through the breached networks.

Most common attack vectors of 2024

01 The Lateral Movement Crisis & Why Your Building Automation Systems Are The Next Frontier for Cyber Criminals

According to IBM's Cost of a Data Breach Report, lateral movement was a contributing factor in nearly 25% of breaches in 2024, with the average breach costing $4.88 million.

As cyberattacks become more sophisticated, many organizations are overlooking one of the weakest links in their infrastructure: the building automation and physical security networks.

While such a large figure often evokes images of compromised customer databases or ransomed financial records, an increasingly common vector lies elsewhere: the interconnected systems that manage our physical environments. Building automation systems (BAS), access control networks, video surveillance platforms, and environmental controls, traditionally the domain of BAS or physical security professionals, are no longer isolated. These systems are now networked and frequently connected to the broader corporate infrastructure. Attackers are well aware of their value as entry points or tools for lateral movement and disruption.

To a sophisticated adversary, these systems present a soft target. A networked HVAC controller with a known vulnerability, a security camera left with default credentials, or an unpatched access control server can all provide a quiet back door into the digital ecosystem of a facility. Once inside, the goal is not simply to adjust the thermostat or unlock a door. The attacker is seeking a foothold to pivot deeper into the network, probing for high-value assets like sensitive data, OT systems, or financial platforms.

02 So how do these breaches actually happen?

Although sophisticated zero-day exploits often grab headlines, the reality is far more mundane, and often points to fundamental security hygiene failures. To this day, one of the most common entry methods into surveillance and access control systems remains the simple exploitation of default credentials that were never changed during installation. Coupled with this is the persistent issue of unpatched systems. The case of Hikvision security cameras is a stark reminder: as recently as 2024, reports indicated that more than 3.2 million Hikvision systems remained vulnerable to CVE-2021-36260, a severe command injection flaw disclosed years prior. This widespread vulnerability, affecting millions of devices globally, underscores how easily outdated or poorly configured equipment can become a wide-open door for attackers looking to penetrate a network and potentially move far beyond the camera system itself.

03 Moving laterally...

Once an attacker has exploited such vulnerabilities and gained access to a network device, they seldom stop at that initial point of entry. Their objective shifts to exploring the broader network, searching for more valuable data, control systems, or pathways to disrupt operations. This critical exploratory phase, where an attacker navigates from one compromised system to others, is known as lateral movement, and it forms a fundamental tactic in contemporary cyberattacks.

Lateral movement describes the process by which an intruder, having established a foothold on one system within a network, proceeds to identify, access, and potentially compromise other connected devices and resources. In the context of building and physical security infrastructure, this trajectory might begin on a vulnerable network video recorder, move to an access control server containing sensitive personnel data, pivot into a system controlling environmental conditions like HVAC, and from there, seek pathways into core enterprise systems such as financial databases or employee records housed on the broader corporate network. Once an attacker achieves this level of free movement within a network, a breach becomes significantly harder to contain and substantially more damaging.

04 Network segmentation as a safety net

The scenario above illustrates why assuming breach, rather than hoping to prevent it entirely, has become a cornerstone of modern cybersecurity strategy. While we must continue implementing robust perimeter defenses, the reality is that determined attackers will eventually find ways through. The question then becomes, when they do breach your initial defenses, how do you limit the blast radius and prevent a single compromised camera from becoming a gateway to your entire enterprise?

The answer lies in network segregation, with Virtual Local Area Networks (VLANs) serving as one of the most effective and accessible tools for containing potential breaches. VLANs act as digital walls within your physical network infrastructure, walls that can stop an attacker's lateral movement even after they've gained initial access to a device.

05 Why security and other low voltage professionals can't afford to delegate network design

In many organizations, there's a natural tendency to treat network infrastructure as "someone else's problem." When installing CCTV systems or access control infrastructure, security professionals often defer to the client's IT department or network administrators for VLAN configuration, assuming that network segmentation falls outside their area of expertise. This hands-off approach, while understandable, creates a critical vulnerability in your security posture.

The reality is that poor segmentation leaves physical security systems wide open to lateral movement in the event of a breach. A compromise in an HVAC controller or IP camera shouldn't provide a bridge to the access control system or intrusion panel, but without proper network boundaries, it often does.

Breaking systems into separate VLANs helps contain attacks, isolate vulnerabilities, and prevent devices from exposing each other unnecessarily. It also sharpens access control, making sure vendors, contractors, and even internal teams can only reach what’s relevant to them. As building systems become a growing target for cyber threats, proper network segmentation has become paramount.

06 What you should know about VLANs

To effectively advocate for and implement proper VLAN segmentation, security professionals need to develop a working understanding of several key concepts. First, learn how VLANs function at the switch level, understanding how traffic is tagged, how inter-VLAN routing works, and why default VLAN configurations often leave systems vulnerable. You should be able to read basic network diagrams, understand the difference between access ports and trunk ports, and know how VLAN assignments affect device communication.

Equally important is understanding access control lists (ACLs) and firewall rules, which govern traffic between VLANs. These define what can and can’t cross between security zones, and they’re essential for balancing security with operational needs. It's also critical to get comfortable with basic network management tools and monitoring systems that help confirm segmentation is working as intended and flag signs of lateral movement. You don’t need to be a network engineer, but you do need enough technical fluency to have productive conversations with IT, specify practical requirements, and step in when something goes wrong.
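The three ideas above (one VLAN per system, an explicit allow-list governing what may cross between zones, and monitoring that confirms the boundaries hold) can be checked in a few lines of code. The following is an added example, not part of the newsletter and not tied to any vendor's product: it treats a zone-to-zone allow-list as the inter-VLAN ACL and runs constructed flow records through it, flagging any cross-VLAN connection the policy does not permit as a possible sign of lateral movement. The VLAN numbers, subnets, allowed ports and log lines are all assumptions chosen for illustration; the check itself works for any zone layout you substitute.

```python
"""Segmentation policy check over flow records (added example; all zones,
addresses, ports and log lines below are constructed for illustration)."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: each building/security system gets its own VLAN and subnet.
ZONES = {
    "VLAN10_CCTV": ipaddress.ip_network("10.10.0.0/24"),
    "VLAN20_ACCESS_CONTROL": ipaddress.ip_network("10.20.0.0/24"),
    "VLAN30_HVAC": ipaddress.ip_network("10.30.0.0/24"),
    "VLAN100_CORP": ipaddress.ip_network("10.100.0.0/16"),
    "VLAN200_MGMT": ipaddress.ip_network("10.200.0.0/24"),
}

# Assumed inter-VLAN policy written like an ACL: (src_zone, dst_zone, dst_port)
# entries are permitted; everything else between zones is denied by default.
# Only the management VLAN may initiate into the security VLANs, and the VMS
# in the corporate network may pull RTSP streams from the camera VLAN.
ALLOW = {
    ("VLAN200_MGMT", "VLAN10_CCTV", 443),
    ("VLAN200_MGMT", "VLAN20_ACCESS_CONTROL", 443),
    ("VLAN200_MGMT", "VLAN30_HVAC", 443),
    ("VLAN100_CORP", "VLAN10_CCTV", 554),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone, or UNKNOWN if it is outside every subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<src_ip> <dst_ip> <dst_port> <proto>'."""
    src, dst, dport, _proto = line.split()
    return Flow(src, dst, int(dport))


def evaluate(flow: Flow) -> str:
    """Classify a flow as intra-vlan, allowed by the ACL, or a VIOLATION."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "intra-vlan"
    if (src_zone, dst_zone, flow.dport) in ALLOW:
        return "allowed"
    return "VIOLATION"


def find_violations(lines):
    """Return (src_zone, dst_zone, dst_port) for every cross-VLAN flow the policy denies."""
    out = []
    for line in lines:
        f = parse_flow(line)
        if evaluate(f) == "VIOLATION":
            out.append((zone_of(f.src), zone_of(f.dst), f.dport))
    return out


# Constructed sample records, not captured from any real network.
SAMPLE_LOG = [
    "10.10.0.15 10.10.0.1 443 tcp",      # camera to its own VLAN gateway: intra-vlan
    "10.200.0.5 10.20.0.10 443 tcp",     # management workstation to access control server: allowed
    "10.100.3.7 10.10.0.15 554 tcp",     # VMS pulling an RTSP stream from a camera: allowed
    "10.10.0.15 10.20.0.10 445 tcp",     # camera reaching the access control server over SMB: violation
    "10.10.0.15 10.100.0.20 3389 tcp",   # camera reaching a corporate host over RDP: violation
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print("possible lateral movement:", hit)
```

The two flagged records are exactly the camera-to-access-control and camera-to-corporate hops the newsletter describes; a segmented network with this ACL on the inter-VLAN router would drop them, and a flow log that still shows them means the boundary is not enforced where you think it is. The same check, pointed at exported flow or firewall logs in the same four-field shape, is a cheap way to verify segmentation after an installation rather than assuming IT configured it as specified.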

Essential VLAN & Network Segmentation Resources
Access vs Trunk Ports
Reading Network Diagrams
Access Control Lists (ACLs)
Network Monitoring & Verification

07 In the news...

08 About the project and the curator

I'm Timur (or Tim), and I have over a decade of experience in the security integration field. I've worked with industry leaders such as Siemens and Johnson Controls, serving clients across the Canadian market. Originally from Toronto and now based in Ottawa, Ontario, my background covers the full range of our industry: access control, intrusion detection, surveillance systems, and the infrastructure that connects them all.

The Physical Layer was born from a simple observation: unlike the AI or software world, our industry lacks insightful, fast-moving newsletters that keep integrators informed and ahead of the curve. While other sectors have embraced dynamic, insight-driven newsletters, physical/electronic security has largely stuck to dry product announcements and vendor press releases.

This newsletter changes that. Each quarter, I will try to deliver the strategic insights, emerging trends, and practical knowledge that help security integrators stay ahead of the curve. From AI implementation guides to market analysis, I will focus on what matters most, which is helping you grow your business and expand your capabilities.

The Physical Layer will always be free, because knowledge should never come with a paywall. That said, creating and curating this content does take a significant amount of time, effort, and a few out of pocket costs. If you find value in what you're reading and want to help keep it going, consider supporting this project via Ko-Fi using the link below: