Few industries are as heavily physically secured as cannabis. Open a dispensary in almost any U.S. market and the rules are explicit: continuous video surveillance with defined retention, badge or biometric access control on restricted areas, alarm systems, and in many states a 24/7 recording archive that regulators can request. Operators spend enormous effort satisfying these requirements because failing a physical-security inspection can cost a license.

Here is the problem almost no one budgets for: those physical-security systems are computers on your network. The cameras stream over IP. The recorders are servers. The badge readers talk to a controller that talks to the internet. The alarm panel phones home to a cloud dashboard. Every one of them is an entry point, and most were installed by a low-voltage integrator focused on coverage angles and compliance sign-off β€” not on patching, segmentation, or credential hygiene. In 2026, the line between physical security and cybersecurity has effectively dissolved, and cannabis is sitting on the seam.

The mandate that became an attack surface

State cannabis regulations turned surveillance into a legal obligation. Camera coverage of points of sale, entrances, vaults, and grow areas; retention periods often measured in months; tamper-resistant storage; remote regulator access in some jurisdictions. The intent is sound β€” deter diversion and theft, create an audit trail.

But the same mandate produced a sprawling fleet of internet-connected devices that share several uncomfortable traits:

  • They ship with default or weak credentials. IP cameras and network video recorders (NVRs) are notorious for default passwords that never get changed during installation.
  • They run firmware that is rarely updated. A camera installed at buildout may run the same vulnerable firmware three years later. Patch management for physical-security hardware is almost nonexistent at most operators.
  • They are often on the flat business network. Cameras, recorders, the POS, the back-office PC, and the Wi-Fi a customer joins frequently live on the same subnet β€” so a foothold on one is a foothold on all.
  • They are exposed to the internet for remote viewing. β€œWatch your stores from your phone” is a feature every owner wants. It is also a port open to the entire internet, scanned constantly by automated tools.

The result is a large, under-managed attack surface that exists because of a security requirement. The control meant to protect the business becomes the way into it.

What goes wrong when physical systems are network-weak

The convergence creates failure modes that span both worlds:

Ransomware that encrypts your cameras. Modern ransomware does not just hit the file server. It encrypts everything it can reach β€” and on a flat network, that includes the NVR and surveillance archive. An operator can find itself simultaneously unable to sell (POS down) and out of compliance (no working cameras, no recorded footage), facing both an extortion demand and a regulatory violation at the same moment. We covered the broader operational stakes of these attacks in our analysis of the cannabis cybersecurity threats you can’t ignore.

Cameras as the initial foothold. An internet-exposed camera or NVR with weak credentials is a classic entry point. Attackers compromise the device, then pivot across the flat network to the POS, the inventory system, and the customer database. The surveillance system you installed to watch the store becomes the door an intruder uses to reach everything else.

Surveillance footage as a privacy breach. Your cameras record customers’ faces and, in many configurations, their purchases. A compromised surveillance archive is not just an operational loss β€” it is an exposure of biometric and consumption data, the same category of sensitive information that drove the Cannaleaks ID exposure and the biometric privacy lawsuits hitting dispensaries.

Access-control manipulation. Badge and biometric door controllers, if reachable, can be manipulated to unlock restricted areas or to erase entry logs β€” turning a cyber compromise into a physical-security and diversion problem, the exact outcome the rules were written to prevent.

The convergence cuts the other way too

It is worth saying that physical access remains a cyber risk in its own right. An unattended POS terminal, an unlocked back office with a logged-in workstation, a network switch in a public-accessible closet, or a USB port on a recorder are all physical paths to digital compromise. Strong cybersecurity with weak physical control is just as broken as the reverse. The two disciplines are now one program, and they have to be governed as one.

Closing the seam: a practical checklist

You do not need to rip out your surveillance system. You need to treat it like the networked computing infrastructure it is.

1. Segment the network. This is the single highest-leverage control. Put cameras, NVRs, access controllers, and other operational devices on their own VLAN, isolated from the POS, back office, and guest Wi-Fi. Segmentation means a compromised camera cannot reach your customer database, and ransomware on a workstation cannot encrypt your surveillance archive.

2. Change every default credential β€” and inventory the devices. You cannot secure what you have not counted. Build an inventory of every IP camera, recorder, controller, and panel, with its IP, firmware version, and credentials. Replace all default passwords with strong, unique ones stored in a password manager.

3. Close internet exposure; use a VPN for remote viewing. Do not port-forward NVRs or cameras directly to the internet. If owners and managers need remote access, route it through a VPN or the vendor’s properly secured cloud relay β€” never a raw open port.

4. Patch firmware on a schedule. Assign ownership for checking and applying firmware updates to surveillance and access-control hardware quarterly at minimum. Retire devices whose vendors no longer issue security updates.

5. Back up surveillance footage off the primary network. Keep an immutable or offline copy of recordings so that ransomware encrypting the NVR does not simultaneously destroy your compliance archive. This is both an operational and a regulatory safeguard.

6. Vet your physical-security integrator on cybersecurity. The company that installs your cameras is now a cybersecurity vendor whether it markets itself that way or not. Ask how it segments, patches, and secures remote access β€” apply the same vendor-risk scrutiny you would apply to any provider touching your systems.

7. Write physical systems into your incident-response plan. Your runbook should explicitly cover a scenario where surveillance or access control is knocked offline β€” including how you maintain compliance and physical safety while systems are down. Our cannabis incident-response template is a starting point.

The bottom line

Cannabis was forced to become physically secure before most of the industry thought seriously about cybersecurity β€” and that sequence created a blind spot. The cameras, recorders, and door controllers that satisfy the licensing inspector are unmanaged computers sitting on the same network as the data that matters most. Attackers know it. Ransomware crews specifically target operational technology because taking it down maximizes pressure, and in cannabis, downing the surveillance system is also a compliance hit.

The fix is not more cameras. It is treating the cameras you already have as part of your cyber attack surface: segment them, harden them, patch them, and back them up. Physical and cyber security stopped being separate disciplines some time ago. In cannabis, where both are mandated, the operators who manage them as one program are the ones who will not be locked out of their own stores β€” and their own footage β€” when an attacker comes knocking.

This article is provided for informational purposes only and does not constitute legal advice.