The blind spot that exists in plain sight
Walk into a modern UAE enterprise and look at the security architecture diagram. The cybersecurity team has a beautiful map of the IT estate. Firewalls, endpoints, identity, SIEM. The ELV (extra-low voltage) team has a beautiful map of the physical security estate. CCTV cameras, access control panels, intercoms, gate barriers. Both maps stop at the boundary of the other team's responsibility. Neither map shows where the two estates touch.
The problem is they touch everywhere. The CCTV cameras run over the same physical infrastructure as the IT network. The access control panels integrate with the identity directory. The intercoms run on SIP and TLS. The video management system has internet access for vendor remote support. The recorded footage sits on storage that someone is administering. Every one of these touchpoints is a potential pivot from one estate into the other.
In most enterprises, the CCTV VLAN is the soft underbelly. Attackers know. Security teams rarely do. This piece walks through why the ELV and cybersecurity teams keep operating as if they have nothing to do with each other, what the actual attack patterns look like, and what the converged operating model that closes the gap looks like in practice.
Why ELV and cyber teams do not talk to each other
Four reasons come up consistently. They are worth understanding because the converged model has to push against each of them.
Reporting lines. Cybersecurity reports to the CIO or CISO. ELV reports to Facilities, sometimes to a Head of Security who is more concerned with physical security operations than cybersecurity. The two functions sit under different executive sponsors with different priorities and different language.
Vendor ecosystems. The ELV vendor stack (Hikvision, Axis, Hanwha, HID, Suprema, Lenel, Genetec) has almost no overlap with the cybersecurity vendor stack (CrowdStrike, Microsoft Defender, Palo Alto, Zscaler). The vendor channels speak to different teams and the integration conversations rarely cross the boundary.
Procurement separation. CCTV refresh projects get procured by Facilities or Capex. Cybersecurity tooling gets procured by IT. The two procurement tracks rarely meet. Neither integrates the other's requirements into its specification.
Skill-set silos. The engineers who design and operate CCTV networks come from a different background than the engineers who design and operate enterprise networks. Both think the other category is technically simpler than their own. Neither is right.
The actual attack patterns on ELV infrastructure
Five attack patterns we see consistently across our UAE incident-response work and our broader threat-intelligence feeds.
Pattern one: vendor remote access compromise. CCTV systems are typically configured with vendor remote access for maintenance and firmware updates. The remote access is rarely subject to the same conditional-access and PIM discipline applied to IT vendor accounts. Compromise the vendor credentials, and the attacker has live access into the venue's CCTV estate with the credentials of someone the system trusts.
Pattern two: default credentials and unpatched firmware. The IoT firmware on CCTV cameras, NVRs and VMS appliances has a track record of slow patching and persistent default credentials. The Mirai botnet and its descendants live on this gap. Most enterprise CCTV estates have at least one device running firmware that is two or three vendor revisions behind the current release.
Pattern three: flat CCTV VLAN with east-west reach. The CCTV VLAN often shares broadcast domains with other infrastructure because the original network design treated it as a peripheral system rather than a tier-1 estate. Compromise a camera, pivot to other CCTV devices, then to the VMS server, then to whatever else lives on the same broadcast domain.
Pattern four: access control as an identity pivot. Access control panels integrate with the enterprise identity directory to map card holders to people. Compromise the access control system and you potentially have a path into the identity infrastructure that runs the rest of the enterprise. This is one of the most underappreciated attack paths.
Pattern five: VMS server as a privileged endpoint. The video management system administrator account typically has substantial privilege on the VMS server, which often shares the network with other infrastructure. Compromise the VMS account and you have a privileged host inside the enterprise that the EDR coverage may not extend to.
None of these patterns are theoretical. We have seen at least three of them across our regional incident-response work over the past two years.
What the converged operating model looks like
Five elements distinguish the enterprises that have closed the gap from those that have not.
One. ELV is in scope for the SOC. The cybersecurity SOC monitors the CCTV VLAN, the access control network and the VMS server with the same telemetry discipline applied to the IT estate. Anomalous traffic patterns, credential-stuffing attempts, unusual administrative actions all generate alerts. The SOC analyst on duty does not need a separate playbook because the ELV estate is just another sensor stream.
Two. ELV network segmentation is engineered, not assumed. The CCTV and access control networks live in their own VLANs with explicit firewall policy controlling east-west and north-south flows. A compromised camera cannot reach the broader IT estate. Outbound traffic from the VMS server is restricted to known vendor endpoints. The segmentation is verified by test, not by diagram.
Three. Vendor remote access uses the same controls as IT vendor access. Vendor remote access to the CCTV system runs through the same privileged access management workflow as vendor access to anything else: JIT elevation, session recording, time-limited credentials, audit logging. The convenience drop is small. The risk drop is large.
Four. Firmware and patch management for ELV is on the same cadence as the IT estate. CCTV cameras, NVRs, VMS appliances and access control panels go through a documented patch cycle with vendor-supplied firmware updates. The cycle is not perfect (vendor patch velocity varies) but it exists and is reviewed quarterly.
Five. The cybersecurity team is involved in ELV procurement. New CCTV deployments, VMS upgrades and access control refreshes go through a brief cybersecurity review before procurement. The review confirms the proposed system supports the segmentation, monitoring and access-control requirements the enterprise standard expects. The review takes a half-day; the avoided remediation work later runs into weeks.
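An added example, not part of the original article: elements One and Two above, expressed as a check that runs observed flow records (from a firewall or switch sensor) against an explicit allow list and reports every flow the segmentation design does not permit. All zone names, addresses, ports and flow records are constructed assumptions.

```python
import ipaddress
# Constructed zones and addresses (assumptions, not taken from the article).
ZONES = {
    "cctv":   ipaddress.ip_network("10.50.0.0/24"),     # cameras and NVRs
    "vms":    ipaddress.ip_network("10.50.1.10/32"),    # video management server
    "acs":    ipaddress.ip_network("10.51.0.0/24"),     # access control panels
    "it":     ipaddress.ip_network("10.10.0.0/16"),     # enterprise IT estate
    "vendor": ipaddress.ip_network("203.0.113.20/32"),  # known vendor endpoint
}
# Explicit allow list: (source zone, destination zone, destination port).
ALLOWED = {
    ("cctv", "vms", 554),    # cameras stream to the VMS
    ("vms", "cctv", 443),    # VMS manages cameras
    ("vms", "vendor", 443),  # VMS outbound only to the known vendor endpoint
}

def zone_of(ip):
    """Return the name of the zone containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit(flows):
    """Return (src, dst, port, reason) for every flow outside the allow list."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, port) in ALLOWED:
            continue
        reason = "not in allow list"
        if sz == dz == "cctv":
            reason = "east-west between CCTV devices"
        elif sz in ("cctv", "acs") and dz == "it":
            reason = "ELV device reaching the IT estate"
        elif sz in ("cctv", "vms", "acs") and dz == "external":
            reason = "ELV outbound to unknown endpoint"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.50.1.10", 554),    # camera -> VMS, expected
    ("10.50.0.21", "10.50.0.22", 23),     # camera -> camera
    ("10.50.0.21", "10.10.4.7", 445),     # camera -> IT file server
    ("10.50.1.10", "203.0.113.20", 443),  # VMS -> vendor, expected
    ("10.50.1.10", "198.51.100.9", 443),  # VMS -> unknown internet host
]
```

Run on a schedule against real flow exports, an empty result is the test evidence that the segmentation holds; any finding is both a design defect and a SOC alert.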
UAE-specific dimension: ADMCC integration as a security surface
Abu Dhabi commercial CCTV installations integrate with the ADMCC (Abu Dhabi Monitoring and Control Centre) central monitoring infrastructure for certain premises: banking, federal, critical-infrastructure. That integration is a defined security surface in its own right.
The integration carries real-time video and access-event data from the venue to the ADMCC operations centre. The connectivity, the authentication and the audit logging on that path need the same security discipline applied to any other inter-organisational data flow. In practice the ADMCC connectivity is usually engineered properly because the regulator scrutinises it; the rest of the CCTV estate around it sometimes is not.
For Abu Dhabi-based enterprises operating ADMCC-integrated CCTV, the rest of the CCTV estate should be held to at least the same security standard as the ADMCC connectivity. The regulator does not look at the venue-internal CCTV network the same way. Attackers do.
What changes when the two teams converge
Three measurable changes show up consistently across the enterprises that have made the operating-model change.
Incident detection on CCTV-pivot attacks moves from "discovered during forensics after the breach was found" to "alerted in the SOC at the time the anomaly occurred". This is the single most consequential change.
Firmware currency on CCTV estates moves from "patch when there is a vendor mandate" to "patch on the documented cycle". The current-firmware percentage typically rises from below 40 percent to above 85 percent within a year of the operating-model change.
Vendor remote access incidents drop measurably. The discipline applied to IT vendor access turns out to be more useful when applied to ELV vendor access than the original design assumed.
Bottom line
CCTV networks and access control systems are IoT estates with privileged paths into the rest of the enterprise. Treating them as ELV-team-only infrastructure is how enterprises end up in incident-response situations they could have prevented.
The converged operating model is not technically complicated: SOC scope expansion to include the ELV estate, engineered segmentation, vendor access discipline, firmware cycle alignment, cyber review of ELV procurement. None of these elements requires new technology. All of them require the two teams to operate against a shared standard rather than two parallel ones.
For UAE enterprises with substantial CCTV and access control infrastructure, which is most of the regulated sector and most of the hospitality, healthcare and government-adjacent footprint, the converged operating model is the change that closes a real and avoidable exposure.