A practical resource for examining network usage in the context of modern networking technologies is the free eBook Future-Ready Network Design for Physical Security Systems. The book takes a closer look at Zero Trust for physical security systems, networking and also examines the requirements for an enterprise-caliber physical security system CPS protection platform.
Zero Trust Basics
Zero Trust is a cybersecurity approach — not a product — that assumes no device, user, or system is inherently trusted, whether inside or outside the network. Trust is continuously verified through authentication, authorization, and health checks. Its principles suit security systems due to their predictability and limited scope.
1. Never Trust, Always Verify—Assume Breach
No device or user is trusted by default; every action requires verification. Networks are designed to limit harm if a device is compromised, assuming a breach may already exist.
2. Device Identity and Network Integrity
Connections require verified identities, with encrypted data to prevent eavesdropping or malicious traffic. This involves:
- Authentic digital certificates for all devices and systems.
- Certificate-based encryption using strong standards.
- Mutual authentication between devices making a connection is a cornerstone of Zero Trust.
Vendors such as Avigilon, Axis Communications, Hanwha Vision, and Bosch support mutual authentication (see their product documentation and hardening guides, e.g., the Axis Hardening Guide). Security teams must collect product hardening guides and device network security specifications to prepare for collaboration with IT.
3. Microsegmentation
Networks are divided into isolated segments (microsegmentation) by function, thereby limiting the potential spread of threats. For example, card readers and controllers are grouped separately from cameras. Isolating video traffic on its own VLAN is already common practice. Microsegmentation also supports Industrial IoT Ethernet, a Modern LAN practice that reduces costs. Access control devices, with their lower bandwidth requirements, are well suited to long-range Ethernet segments.
Modern LAN enables cost-effective Zero Trust over long distances, using long-range Power over Ethernet (PoE) with standard unshielded twisted pair (UTP) or reused coaxial cabling. The tables below show supported cable lengths and data rates.
4. Least Privilege Access
Devices and users receive minimal access necessary for their functions, which is already a standard practice among leading security teams.
5. Continuous Monitoring
Devices and users are continuously evaluated for compliance with expected behavior, firmware versions, and configurations, with device errors or deviations indicating potential security compromises (e.g., malware, hacking attempts).
6. Incremental Implementation
Zero Trust is not an all-or-nothing approach. It can be deployed in stages, starting with simple network segmentation and device isolation. A practical starting point could be to create isolated VLANs for cameras, access control systems, and intercoms. Then restrict device communication pathways and implement authentication at key connection points. Most existing infrastructure supports this.
In any existing physical security system deployment, the degree of device and application support for Zero Trust networking will vary, partly depending on the age of the products deployed. A key step for security teams in preparing for a zero-trust collaboration with IT is an inventory and assessment of the physical security system software and hardware landscape, including product age, warranty, and other product lifecycle information.
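As an added illustration (not code from the eBook or from any vendor named above), the following Python script evaluates a constructed physical security device inventory against the principles in sections 2, 3, 5 and 6: each device's VLAN is checked against the segment assigned to its function, its firmware against a recorded baseline, its certificate and mutual-authentication status, and its lifecycle flag. All device names, models, VLAN names and firmware versions are placeholders chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample policy: one segment per device function, mirroring the
# VLAN-per-function layout the text describes.
SEGMENT_FOR_FUNCTION = {"camera": "VLAN_VIDEO", "card_reader": "VLAN_ACCESS",
                        "door_controller": "VLAN_ACCESS", "intercom": "VLAN_INTERCOM"}
# Firmware baseline per model (constructed placeholder models and versions).
FIRMWARE_BASELINE = {"CAM-MODEL-A": "4.2.1", "READER-MODEL-B": "2.0.0",
                     "CTRL-MODEL-C": "7.1.3"}

@dataclass
class Device:
    name: str
    function: str
    model: str
    vlan: str
    firmware: str
    cert_valid: bool           # presents a trusted, unexpired device certificate
    mutual_auth_enabled: bool  # TLS client-certificate authentication is on
    end_of_support: bool = False

def evaluate(device: Device) -> list[str]:
    """Return Zero Trust findings for one device; an empty list means compliant."""
    findings = []
    expected_vlan = SEGMENT_FOR_FUNCTION.get(device.function)
    if expected_vlan is None:
        findings.append("unknown function: cannot assign a segment")
    elif device.vlan != expected_vlan:  # microsegmentation check (section 3)
        findings.append(f"wrong segment: on {device.vlan}, expected {expected_vlan}")
    baseline = FIRMWARE_BASELINE.get(device.model)
    if baseline is None:
        findings.append("no firmware baseline recorded for model")
    elif device.firmware != baseline:  # continuous monitoring check (section 5)
        findings.append(f"firmware {device.firmware} deviates from baseline {baseline}")
    if not device.cert_valid:  # device identity checks (section 2)
        findings.append("device certificate missing, untrusted or expired")
    if not device.mutual_auth_enabled:
        findings.append("mutual authentication not enabled")
    if device.end_of_support:  # lifecycle information from the inventory
        findings.append("product past end of support; plan replacement")
    return findings

def evaluate_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map device name to findings, listing only non-compliant devices."""
    return {d.name: f for d in devices if (f := evaluate(d))}
```

Run `evaluate_inventory` over the exported device list before each review with IT; the resulting findings are the starting point for the staged VLAN, pathway and authentication work described above.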
Zero Trust Advocacy
Physical security professionals need not be Zero Trust experts, but should advocate for it, defining their systems’ overall network design and usage. IT can assist with certificate infrastructure, cybersecurity details, and tasks such as switch and router configuration (if not outsourced to a technology service provider), as well as network validation and testing. But security teams and partners must lead design, ensuring alignment with the system functionality on which site security operations depend.
