Chapter 6: Security & Risks
Physical security, cybersecurity, EMI/EMC risks, grounding, surge protection, and risk mitigation strategies for surveillance cabling systems.
6.1 Physical Security of Cabling Infrastructure
The physical security of cabling infrastructure is often underestimated relative to camera placement and network security. An attacker who gains physical access to a cable or cabinet can intercept data, inject signals, or simply cut connectivity. All zone cabinets must be locked with key or electronic access control, and access logs should be maintained. Exposed cable runs in public-accessible areas must be protected with conduit or armored cable to prevent tampering and accidental damage.
| Risk | Level | Mitigation |
|---|---|---|
| Cabinet tampering / unauthorized access | High | Locked cabinets, access logs, tamper alarms |
| Cable cutting in public areas | High | Armored conduit below 3 m height |
| Patch cord accidental disconnection | Medium | Locking patch cords, cable managers |
| Fiber tap / data interception | Medium | Fiber in conduit, optical power monitoring |
| Accidental cable damage during maintenance | Low | Clear labeling, work permits for cabinet access |
6.2 Cybersecurity Risks in Surveillance Cabling
IP surveillance systems are increasingly targeted by cyber threats. The cabling infrastructure itself creates several cybersecurity risk vectors that must be addressed at the design stage. Unauthorized network access through unsecured switch ports, default credentials on cameras and switches, and unencrypted management traffic are the most common vulnerabilities. Network segmentation via VLANs, port security features (802.1X), and encrypted management protocols (SSH, HTTPS) are essential countermeasures.
Critical: Never leave unused PoE switch ports in an active, unprotected state. Disable unused ports or configure 802.1X port authentication to prevent unauthorized device connection.
| Threat Vector | Level | Technical Control |
|---|---|---|
| Unauthorized device on PoE port | High | 802.1X port authentication, MAC address filtering |
| Default credentials on cameras/switches | High | Mandatory credential change at commissioning |
| Unencrypted management traffic | Medium | SSH, HTTPS, SNMPv3 only; disable Telnet/HTTP |
| VLAN hopping attacks | Medium | Disable trunk negotiation on access ports (DTP off) |
| Firmware vulnerabilities in cameras | Medium | Regular firmware update schedule, isolated VLAN |
| Physical network tap on copper cable | Low | Conduit protection, port security monitoring |
6.3 EMI/EMC Risks and Mitigation
Electromagnetic interference (EMI) is a primary cause of intermittent camera dropouts, degraded video quality, and unexplained PoE power cycling. The most common EMI sources in surveillance environments include variable frequency drives (VFDs), fluorescent lighting ballasts, high-current power feeders, and elevator motor cables. Maintaining adequate separation distances and using shielded cable in high-EMI zones are the primary mitigation strategies.
| EMI Source | Minimum Separation | Additional Mitigation |
|---|---|---|
| High-voltage power feeders (>480V) | 300 mm | Shielded Cat6A or fiber |
| Motor and VFD cables | 300 mm | Shielded cable, separate tray |
| Fluorescent lighting (magnetic ballast) | 150 mm | Separate tray or conduit |
| UPS output cables | 150 mm | Separate tray section |
| Elevator motor room cables | 500 mm | Fiber preferred for nearby runs |
| Radio/antenna cables | 150 mm | Shielded cable, grounded tray |
6.4 Lightning and Surge Protection
Lightning-induced surges are the leading cause of mass camera failures in outdoor and perimeter deployments. A single lightning strike near a building can induce thousands of volts on copper cable runs, destroying cameras, switches, and patch panels simultaneously. The protection strategy relies on three layers: building lightning protection system (LPS), equipotential bonding of all metallic infrastructure, and surge protection devices (SPDs) at cable entry points.
Fiber optic backbones provide inherent galvanic isolation between buildings, eliminating the ground loop risk that makes copper inter-building runs so vulnerable. For any copper cable that exits a building or runs along an outdoor structure, SPDs must be installed at the building entry point on both the camera side and the switch side of the circuit.
| Protection Layer | Component | Specification | Location |
|---|---|---|---|
| Layer 1 — Building LPS | Air terminals, down conductors, earth electrodes | IEC 62305 compliant | Building exterior |
| Layer 2 — Equipotential Bonding | Grounding bus bars, bonding conductors | ≥6 mm² green/yellow conductor | All cabinets and metal structures |
| Layer 3 — SPD (RJ45) | Inline surge protector for Cat6A + PoE | IEC 61643-21, <1 ns response | Building entry, outdoor cabinet |
| Layer 3 — SPD (Fiber) | Fiber surge protector (for armored fiber) | Metal armor grounding clamp | Building entry point |
6.5 Common Design Errors and Risk Register
The following table summarizes the most frequently encountered design and installation errors in surveillance cabling projects, their probability and impact, and recommended preventive actions. This risk register should be reviewed at the design stage and used as a checklist during installation and commissioning.
| Error / Risk | Probability | Impact | Preventive Action |
|---|---|---|---|
| Exceeding 90 m horizontal run limit | Medium | High — link failure or degraded performance | Measure all runs before installation; use fiber for long runs |
| Mixed T568A/T568B terminations | Medium | High — link failure | Enforce single standard; test all links before commissioning |
| Insufficient PoE budget | High | High — camera reboot loops, IR failure | Calculate worst-case PoE load including IR and heaters |
| No surge protection on outdoor copper | High | High — mass equipment failure in storms | Mandatory SPD at all outdoor cable building entries |
| Poor fiber connector cleanliness | High | Medium — intermittent link errors | Clean and inspect all fiber connectors before mating |
| Inadequate cabinet ventilation | Medium | Medium — switch overheating, PoE instability | Calculate heat load; add fans or cooling if needed |
| Missing or incorrect labels | High | Medium — extended troubleshooting time | Label all cables, ports, and cabinets at installation |
| No spare capacity in pathways | Medium | Medium — costly re-work for expansion | Provision ≥25% spare capacity in all pathways and cabinets |