The Hidden Physical Layer of Security: How U.S. Operators Should Protect Underground Routes, Cameras, and Access Control
Image Source: depositphotos.com
Security teams often watch dashboards, alerts, and access logs. The failure can start below the pavement.
Underground cable routes, conduit, vaults, field cabinets, camera poles, access-control readers, locks, and backhaul paths form a physical layer that many organizations document poorly. When that layer fails, cameras go dark, gates lose control, alarms lose context, and public-safety communications can lose routing. The U.S. incident record shows the pattern: most failures come from excavation damage, poor route data, shared dependencies, floods, maintenance errors, and exposed networked devices.
Operators reduce disruption and security risk when they manage this layer as one system. Facilities, IT, security, utility, and legal teams need one map, one dependency register, and one cutover plan.
1. Define the system before buying hardware
The hidden physical layer includes more than cables. It covers rights-of-way, permits, duct banks, handholes, vaults, buried and overhead paths, field power, backhaul, cameras, readers, locks, controllers, video systems, physical access-control platforms, and the central monitoring layer.
A route drawing alone is not enough. The operator needs a dependency map that shows what each device needs to function: power, network path, controller, credential store, monitoring platform, local override, and restoration access.
Figure 1. A practical dependency map for underground routes, field devices, access control, video systems, and monitoring.
What to document
- Every buried or overhead route that supports cameras, gates, alarms, readers, locks, network closets, or central monitoring.
- Ownership and quality level for each route record: record-only, surveyed, designated, or exposed and verified.
- Shared ducts, bridges, tunnels, poles, streets, manholes, central offices, and utility rooms.
- Power sources, UPS coverage, generator scope, surge protection, and restoration access.
- Normal, degraded, and outage behavior for gates, doors, cameras, and monitoring platforms.
This turns security planning into dependency control. It also exposes false redundancy: two circuits can look independent in procurement files and still share the same trench, bridge, vault, transport node, or central office.
2. Treat compliance as a layered U.S. framework
The United States does not use one national rulebook for the hidden physical layer. Federal law and guidance set baselines. States, DOTs, municipalities, fire officials, utilities, and sector rules shape the actual project path.
The same project can trigger excavation safety rules, electrical-installation requirements, right-of-way permits, utility accommodation policy, outage-reporting duties, access-control identity standards, surveillance governance, privacy laws, and supply-chain restrictions. The operator should verify those layers before design freeze, not after procurement.
|
Regulatory layer |
Principal U.S. instruments |
What operators should take from it |
|
Installation and utility safety |
NEC Article 300 and Article 770; IEEE NESC; OSHA excavation rules |
Underground work needs electrical-installation discipline and excavation-safety discipline. Buried communications and power cannot be treated as informal field work. |
|
Highway ROW and utility accommodation |
23 CFR Part 645: state DOT utility programs; municipal street-opening rules |
Route decisions are legal decisions as much as engineering decisions. A backup path that cannot be permitted is not redundancy. |
|
Communications reliability |
FCC authority over ducts. conduits. rights-of-way, outage and 911 reporting |
Operators must include transport dependencies, notification duties, and PSAP-facing paths in resilience design. |
|
Federal PACS and credentials |
HSPD-12; FIPS 201-3; NIST SP 800-116 Rev. 1; SP 800-73-5; GSA PACS guide |
High-security PACS should validate credentials end retire deprecated mechanisms. Cloud or hybrid PACS adds WAN and data-governance dependencies. |
|
Security controls and OT resilience |
NIST SP 800-53, SP 800-82 Rev. 3, SP 800-160 Vol. 2 Rev. 1 |
Cameras and access control should be governed as OT and ESS systems with cyber, physical, and lifecycle controls. |
|
Procurement and supply chain |
Section 889 FAR rules; FCC Covered List; CISA SBOM and procurement language |
Contracts should address national-security exclusions, software transparency, patching, spare parts, and secure remote access. |
Figure 2. Regulatory layers that commonly affect underground cable routes, CCTV, access control, and utility corridors in the United States.
Why local review matters
Federal requirements can define safety or reporting duties, but local authorities often control the schedule. A city can restrict protected street openings. A DOT can require utility accommodation approval. A fire marshal can specify gate override hardware. A state privacy law can affect biometric or surveillance use. A utility can set service and restoration requirements.
Project teams should therefore assign one owner for the permit matrix. That owner should track authority, approval path, lead time, design dependency, and operational impact. Without that control, the project can stall after equipment arrives on site.
3. Control underground route risk with verified data
Buried infrastructure creates a security problem because teams often know less than they think. Old as-builts, hand sketches, vendor drawings, and GIS layers can disagree. Field crews may find abandoned lines, unmarked utilities, undocumented duct banks, and routes that share chokepoints.
FHWA guidance treats subsurface utility engineering as risk management. The useful idea is simple: a record-only line has lower confidence than a designated line, and an exposed line has higher confidence than both. Critical crossings, boring paths, building entries, and shared corridors deserve higher-quality verification.
When teams add conduit under a paved yard or plan a bore near live utilities, they should combine 811 coordination, potholing, route-quality metadata, and field verification. Crews that already use HDD guidance equipment can evaluate DigiTrak Falcon F5 equipment as part of the broader utility-locating and boring workflow before they commit to work under a live lane.
The main underground vulnerabilities
The research shows that most buried-infrastructure failures come from ordinary operating conditions, not rare attacks. Excavation damage, storm restoration cuts, floods, and route concentration can create the same business impact as a deliberate intrusion: lost visibility, lost access control, lost communications, and delayed restoration.
|
Vulnerability |
How it appears in U.S. facilities |
Representative evidence |
Security consequence |
|
Excavation damage |
Bad records, late locates, weak potholing, restoration work striking lines |
CGA 2024 DIRT counted 196,977 reported damages; top root causes drove nearly 85% of damages |
Service loss, emergency outages, safety hazards, emergency restoration cost |
|
Hidden common-mode route failure |
Redundant paths share a corridor, bridge, office, conduit, pole line, or transport node |
FCC NG911 records cite multistate outages from fiber cuts and upstream dependencies |
Redundancy fails during the event it was meant to survive |
|
Targeted physical tampering |
Attackers cut exposed or poorly monitored route segments or route markers |
FBI documented intentional Bay Area fiber severing in several cities |
A Iow-cost attack can produce a high-impact outage |
|
Flooding and prolonged water exposure |
Vaults, basements, central offices, and access routes flood |
FCC Katrina findings tied outages to flooding, power/fuel failure, route failure, and restoration cuts |
Physical access and equipment can fail at the same time |
|
Storm recovery and restoration cuts |
Debris crews, pole crews, and utility crews cut parallel communications routes |
FCC Katrina and Hurricane Michael reviews cited restoration-era fiber cuts |
Recovery work creates new outages after the initial event |
|
EMP/GMD |
Critical electronics upset or fail at poorly protected nodes |
DOE, DHS, and CISA maintain guidance for critical infrastructure |
High-impact, low-frequency disruption to power and control electronics |
Figure 3. Main vulnerability classes for underground cable routes, vaults, and physical security infrastructure.
How to reduce route risk
- Build one route inventory with owner, medium, function, record source, confidence level, and last verification date.
- Mark true diversity. Show where backup paths share roads, bridges, conduits, offices, vaults, or power sources.
- Use SUE or field exposure at high-impact crossings and chokepoints.
- Treat flood zones, groundwater, basements, vaults, and restoration access as security variables.
- Add spare conduit when crews open a corridor that may need future cameras, access control, sensors, or fiber.
4. Design CCTV and access control as field infrastructure
A camera is not just a device. It depends on mounting, light, field power, surge protection, network path, storage, retention policy, monitoring, and cyber controls. Access control depends on the reader, credential, controller, lock behavior, door-position switch, request-to-exit device, local override, and life-safety coordination.
Good camera design starts with the task: detect, observe, recognize, or identify. A wide overview camera can show movement and traffic patterns. It may not identify a face, license plate, or badge. A narrow camera at a gate, turn, or loading point can capture evidence that a wide camera misses. The design should match the decision the operator needs to make.
Power and backhaul choices
Copper Ethernet with PoE works well when distance and power budgets fit. Fiber backhaul fits long outdoor runs, inter-building links, and electrically noisy corridors. Local conditioned power can improve resilience but adds maintenance. Cloud or hybrid systems can simplify multi-site administration, but they create WAN, data-location, and remote-management dependencies. On-premises platforms reduce WAN dependency but increase local support work.
|
Design decision |
Security upside |
Main downside |
Best U.S. use case |
|
Copper Ethernet with PoE to edge camera |
Simpler install, fewer local power supplies, easier swaps |
Distance limits and switch PoE budgets can take down multiple devices |
Dense buildings or campuses with camera runs inside Ethernet limits |
|
Fiber backhaul plus conditioned edge power |
Long reach, EMI immunity, stronger backbone resilience |
More edge components and more power planning |
Outdoor runs, inter-building links, noisy electrical environments, critical corridors |
|
Electric strike or lock with DPS and REX |
Door-state awareness and cleaner life-safety design |
Retrofit work can still be significant |
Regular secure doors where fail-safe or fail-secure behavior can be engineered |
|
Magnetic lock |
Simple in some retrofits; strong holding force |
Normally fail-safe; UFC treats it as a last choice in many applications |
Only where life-safety and staffing assumptions support it |
|
On-premises PACS or VMS |
Fewer WAN dependencies; local control during internet outages |
Higher local support burden |
Sites with weak WAN reliability or strict data-locality requirements |
|
Cloud or hybrid PACS |
Easier multi-site administration and vendor-managed updates |
WAN dependency, data residency, remote-management risk |
Distributed sites with mature network resilience and vendor governance |
Figure 4. Design choices that shape CCTV and access-control resilience.
Door hardware and fail behavior
Operators should decide fail-safe, fail-secure, and degraded-mode behavior with security, facilities, and life-safety teams in the same room. Magnetic locks can simplify some retrofits, but they normally fail safe and can leave an unstaffed site unsecured during a power loss. Electric strikes, electric locks, door-position switches, request-to-exit devices, and tamper signals give operators better state awareness when designed correctly.
Credential assurance also matters. In high-assurance environments, a reader should validate the credential rather than accept a weak card number. Legacy reader-to-controller designs can become the real vulnerability, even when the badge looks modern.
Network exposure and remote access
Networked cameras, controllers, VMS, and PACS platforms need the same discipline as other operational technology. Operators should maintain an asset inventory, segment the security network, remove default credentials, require MFA for remote access, patch devices, and block direct internet exposure. Remote access should pass through approved secure channels and leave an audit trail.
5. Learn from documented U.S. incidents
The U.S. record repeats four patterns. Excavation and restoration crews cut routes. Authorized maintainers make changes outside tight control. Attackers target exposed fiber or communications nodes. Disasters combine flooding, power loss, fuel limits, route concentration, and blocked access.
Figure 5. Timeline of representative physical-layer incidents in the United States.
These cases matter because they crossed boundaries. A cut in a communications path can affect 911 routing, camera backhaul, PACS administration, dispatch connectivity, and business continuity at the same time. A local facility team may never see the upstream dependency until the outage happens.
What the incidents teach
- Redundant routes must be physically separated. Different contracts do not prove different paths.
- Maintenance work needs strict change control. A routine test can disable a critical path if the system does not fail over correctly.
- Flood and restoration plans matter as much as pre-event hardening. A recovery crew can create the next outage.
- Critical nodes need access, power, spare parts, escalation paths, and tested restoration procedures.
- Security teams should know which central offices, transport nodes, and public-safety handoffs support their local systems.
6. Budget for the parts that control risk
Device prices rarely explain the total project cost. Poles, cabinets, trenching, boring, conduit, pavement repair, permits, power, network work, software licensing, cybersecurity review, union labor, and commissioning often decide the budget.
The research gives useful public planning cues. DelDOT SUE budgets often fall around $50,000-$200,000 depending on scope. Older FHWA/Purdue work estimated $4.62 in construction savings for each $1 spent on SUE. Berkeley estimated $44,000-$55,000 per public-intersection camera installation once purchase and install were included. Public GSA examples show that individual readers and controller boards can cost far less than the labor and integration around them.
Where the budget should go first
- Route-quality verification at critical crossings and chokepoints.
- Physical separation of backup paths and key power feeds.
- Flood protection for vaults, basements, cabinets, controller rooms, and handholes that support critical systems.
- Tamper and door-state monitoring at cabinets, gates, and secured openings.
- Cyber controls for cameras, controllers, VMS, PACS, and remote support channels.
- Commissioning tests that prove the system works in normal mode, degraded mode, and outage mode.
7. Use a prioritized operator checklist
The operator should not start with a product list. Start with controls that reduce the largest known failure modes: bad route data, shared dependencies, direct internet exposure, weak credential validation, flood exposure, poor contracts, and untested restoration.
8. Avoid these common mistakes
- Treating cameras, access control, and underground routes as separate procurements.
- Calling a path redundant before field teams prove physical separation.
- Freezing a route before locates, potholing, and utility-owner coordination.
- Leaving cameras, VMS, PACS, or controllers exposed to the internet.
- Ignoring how gates and locks behave during power loss, fire alarm, WAN loss, or controller failure.
- Buying devices before confirming permits, street-opening limits, right-of-way rules, and fire-department override requirements.
- Skipping spare conduit when a lane or corridor is already open.
- Closing the project without functional tests, as-builts, training, spare-parts rules, and support obligations.
Conclusion
The hidden physical layer deserves the same discipline as the visible security system. Operators need verified route data, true path diversity, hardened field devices, deliberate fail behavior, segmented networks, and contracts that keep vendors accountable after installation.
The practical rule is simple: map dependencies before design, verify routes before digging, isolate critical paths before an outage, and test the system before handoff. A facility that follows that rule can add security capacity without creating a new single point of failure under the pavement.
Source note
This article was prepared from the research document "The Hidden Physical Layer of Security in the United States." The article preserves the research findings and converts its tables, diagrams, comparisons, and checklists into figures for editorial use.