The threat that software cannot solve
Most cybersecurity conversations in commercial buildings focus on firewalls, endpoint protection, SIEM platforms and zero-trust architecture. These are all important. But there is a layer beneath all of them that is rarely discussed in a security context, and it is the layer that a determined attacker will look for first: the physical network.
If an attacker can physically connect to your network infrastructure, tapping a cable run in a ceiling void, plugging into an unsecured patch panel port, accessing a comms room that was left unlocked, the software security stack becomes significantly easier to circumvent. Physical layer security is not an alternative to software security. It is the foundation on which everything else sits.
This is the security argument for structured cabling design, and it is one that almost no cabling contractor in the UK is making.
This is the security argument for structured cabling design, and it is one that almost no cabling contractor in the UK is making.
How AI systems change the attack surface
The deployment of AI in commercial buildings substantially increases the physical attack surface. Every AI-powered device, a CCTV camera with on-board analytics, an occupancy sensor feeding a building management system, an AI-managed WiFi access point, an edge compute node in a comms room, is a physical network endpoint. Each one is a potential entry point to the network if it is not physically secured and logically isolated.
The risk is not theoretical. A compromised IP camera on the same network segment as business workstations provides lateral movement opportunities. A malicious device plugged into an unmonitored patch panel port can capture traffic, inject packets, or establish a persistent foothold. An AI building management system connected to the corporate LAN creates a bridge between operational technology (OT) and IT networks that did not exist in older analogue building systems.
Physical network separation, installing separate, dedicated cable runs for different network segments, provides a layer of security that software-based VLAN separation cannot fully replicate.
A VLAN is a logical boundary. A separate cable run is a physical boundary. For AI systems handling sensitive data or controlling critical building functions, physical separation should be part of the design specification from day one.
VLAN architecture and the cabling contractor’s role
Virtual LANs (VLANs) are the standard mechanism for segmenting a network logically, separating corporate data traffic from IoT devices, guest WiFi from staff WiFi, AI surveillance systems from general business systems. VLANs are effective and essential. But they are implemented in switch firmware, and switch firmware can be misconfigured, exploited, or bypassed by an attacker with physical access to the network.
The cabling contractor’s role in VLAN security is often overlooked. VLAN design only works if the physical cabling correctly routes each device to the right switch port, patch panel port and logical segment. A cabling error that connects a CCTV camera to the wrong patch panel row can inadvertently place it on the corporate network segment. A poorly documented comms room makes this kind of error invisible for months or years.
ACCL designs cable runs with VLAN architecture in mind from the outset. TIA-606-B asset labelling on every cable, port and panel means the physical infrastructure matches the logical design. Fluke DSX test documentation provides an auditable record of every connection. That documentation is the physical evidence of your VLAN implementation.
Physical layer security is not an alternative to software security. It is the foundation on which everything else sits.
Physical separation for AI systems: when and how
For most commercial buildings, VLAN segmentation across a shared physical infrastructure is appropriate and sufficient. But there are circumstances where physically separate cable runs are the right specification:
- AI-powered CCTV and access control systems in environments handling sensitive data, legal, financial, healthcare, government
- Edge compute nodes running AI inference on business-critical processes
- Building management systems controlling physical access, power distribution or environmental controls
- Any network segment where a breach would have regulatory consequences, GDPR, FCA, NHS DSP Toolkit
Physical separation means dedicated cable runs, dedicated switch hardware, and in some cases dedicated comms room infrastructure. The cost is higher than a shared physical plant. The risk reduction is substantially higher still.
The comms room is the most physically sensitive space in a network infrastructure. All cable runs terminate here. All switches, patch panels and servers are here. Unrestricted physical access to the comms room is effectively unrestricted access to the network.
ACCL recommends, and can install, access-controlled comms rooms as standard on any AI network infrastructure project. A Paxton Net2 door controller on the comms room door, linked to the same access control system as the rest of the building, provides an auditable access log and prevents casual or unauthorised entry.
Documentation as a security tool
A structured cabling installation without complete, accurate documentation is a security liability. Unknown cable runs, unlabelled ports and undocumented connections are the physical equivalent of shadow IT. An attacker who understands your building’s layout can exploit undocumented network access points that your IT team does not know exist.
Every ACCL installation includes TIA-606-B compliant labelling of every cable, port and panel, Fluke DSX test reports for every link, and as-built documentation showing the physical routing of every cable run. That documentation is not just a project handover requirement. It is a security asset that allows your IT team to identify, audit and control every physical network connection in the building.
Standards and sources
- NCSC network security guidanceUK National Cyber Security Centre
- ISO/IEC 27001 information securityInformation security management standard
Frequently asked questions
What is physical layer security in a commercial network?
Physical layer security refers to the measures taken to protect the physical cabling infrastructure, comms rooms and network access points from unauthorised access. It includes physically separate cable runs for sensitive network segments, access-controlled comms rooms, comprehensive cable documentation, and asset labelling that makes every network connection traceable and auditable. Physical layer security is the foundation on which software-based security measures, firewalls, VLANs, endpoint protection, operate.
Are VLANs sufficient to isolate AI systems from corporate networks?
VLANs provide effective logical separation for most commercial environments and should always be specified for AI devices and IoT systems. However, VLANs are implemented in switch firmware and are vulnerable to misconfiguration and certain attack techniques. For environments handling sensitive data, legal, financial, healthcare, government, physically separate cable runs for AI systems provide an additional layer of security that software-based VLAN separation cannot fully replicate. The appropriate approach depends on the sensitivity of the data and the regulatory environment.
Why does the cabling contractor matter for network security?
The cabling contractor determines how the physical network is structured, documented and labelled. A poorly documented installation with unlabelled cable runs and unaudited patch panel connections creates physical security vulnerabilities that software tools cannot detect or remediate. A well-documented installation with TIA-606-B compliant labelling and complete Fluke DSX test records gives the IT team full visibility of every physical network connection, which is the prerequisite for effective network security management.
Should AI CCTV and access control systems be on a separate network?
AI-powered CCTV and access control systems should always be on a dedicated network segment, separated from corporate data traffic. In most commercial environments, VLAN segmentation across a shared physical infrastructure is appropriate. In environments handling sensitive data or subject to regulatory requirements, physically separate cable runs and dedicated switch hardware provide a higher level of assurance. ACCL designs cabling infrastructure with network segmentation requirements built in from the outset.
