Cannabis is the only industry where physical security is written directly into the license: 90-day video retention, camera coverage of every plant and point of sale, access-controlled limited areas, alarm systems with documented testing. Operators spend six figures meeting those requirements. And then — in facility after facility — the entire mandated stack gets administered from a shared Windows PC in the back office with the VMS password on a sticky note.

We made the architectural argument in our physical security × cybersecurity integration guide and the complete dispensary security master guide: the camera system, badge controller, and alarm panel are IT systems wearing physical-security costumes. This piece is about the specific machine those systems all meet on — the surveillance workstation — because it’s the highest-leverage, least-examined box in your building.

Why That One Machine Matters

Think about what the surveillance/security workstation can do in a cannabis facility:

  • Delete or export the video archive your license requires you to retain — and that your seed-to-sale system’s chain of custody quietly depends on
  • Unlock doors via the access-control console, including the vault and limited-access areas
  • Silence alarms and edit the audit logs regulators inspect
  • See everything — every camera, every badge event, every employee movement

Camera infrastructure is actively hunted: Dutch intelligence caught Russia hijacking security cameras across Europe at scale, and cannabis facilities — cash-heavy, inventory-rich, compliance-bound — are exactly the kind of target where a quiet week inside the VMS pays off in a planned burglary or an extortion demand (“nice retention requirement you have there”).

Meanwhile the workstation itself usually runs a consumer OS with default telemetry, shared local accounts, and — increasingly — Recall-class AI features that screenshot whatever’s on screen into a searchable index. On the machine displaying your camera walls and badge database, that’s a data-exposure mechanism you installed yourself.

The Fix: Treat the Control Plane Like the Vault

The standard we’d apply is the same one we’ve been building across our network for smart-office control planes: the machine that administers security systems runs a quiet OS on hardware you can verify, and nothing else.

NovaCustom, a Dutch manufacturer, ships that machine off the shelf:

  • Open-source Dasharo coreboot firmware — the boot code is public and auditable, replacing the OEM black box; Intel Management Engine disabled
  • Linux preinstalled (PrivacyGuard line) — no telemetry, no screenshotting AI, native fit for VMS clients and admin tooling
  • Physical camera/mic kill switches or removal — the machine watching your cameras shouldn’t be a camera someone else can watch
  • NUC Box mini-PC with the same open firmware — a tidy dedicated console for the security room or a second site
  • SecurityTitan builds add Qubes OS certification and tamper-evident boot verification (Heads + Nitrokey attestation) — if someone touches the machine overnight, you know at boot
  • EU-assembled, 3-year warranty, 7+ years of support — and for German and European operators building under CanG and its cousins, an EU-built, auditable machine keeps data-protection and procurement reviews short

NovaCustom open-firmware laptop for the security control plane

Configure direct → or US operators buy through the authorized storefront at securitygadgets.shop/novacustom — roughly 13% below EU pricing, free shipping, identical warranty. Full evaluation on our sister site: the complete NovaCustom review.

The Weekend Hardening Plan

  1. Dedicate the machine. One box for VMS/access-control/alarm administration. No email, no browsing, no POS. Most incidents ride in on the “also used for everything else” part.
  2. Put it on the management VLAN with the cameras and controllers — segmentation you likely already sketched in the integration guide.
  3. Hardware-key the logins. The VMS admin, badge console, and alarm portal get FIDO2 where supported — yesterday’s piece covers the dispensary key rollout, and the SecurityTitan’s boot attestation uses the same Nitrokey you’ll already carry.
  4. Document it like a compliance control. One page: dedicated hardware, open firmware version, account list, retention-access roster. Regulators rarely ask — but insurers, as federal oversight expands, increasingly do.

Vendors With Skin in the Game

NovaCustom backs the broader security community our playbooks come from: at CISO.POKER — the invite-only security-leaders poker night on August 5, 2026 at The Wynn, Las VegasNovaCustom is the second-place prize sponsor, machine under wraps until the night. The kind of vendor behavior worth weighting when your license rides on their hardware.

Bottom Line

Your regulator told you where to point the cameras. Nobody told you to secure the machine that controls them — so almost nobody has, and that asymmetry is exactly what makes it the best hardening dollar in the building. Dedicated, open-firmware, Linux, hardware-keyed: the surveillance stack your license depends on deserves at least the scrutiny you give the vault door.

Build your security workstation →

Affiliate disclosure: This article contains affiliate links. If you purchase through our links we may earn a commission at no extra cost to you.