Why Hazardous-Location Camera Networks Need Special Design Attention
An explosion-proof camera is only as effective as the network infrastructure that carries its video to the control room and VMS. In industrial facilities — refineries, chemical plants, offshore platforms — the camera network intersects with operational technology (OT) networks, distributed control systems (DCS), and safety instrumented systems (SIS). A poorly designed camera network can introduce cybersecurity vulnerabilities into the OT environment, cause bandwidth congestion that delays safety-critical communications, or fail to deliver video during the emergency response scenarios where it is most needed.
This guide covers the four pillars of industrial camera network design: physical infrastructure, VLAN segmentation, bandwidth planning, and cybersecurity hardening.
Physical Infrastructure: Fiber vs. Copper in Classified Areas
The physical layer choice between copper (Cat6) and fiber has significant implications for hazardous-location installations:
- Cat6 copper: Supports PoE (required for most XP cameras), 1 Gbps up to 100 m. Requires conduit in classified areas per NEC 501.10. Susceptible to electrical noise near high-voltage equipment.
- Single-mode fiber: Immune to electrical interference, supports runs to 20 km, no galvanic corrosion risk. Does not support PoE — requires separate power supply at each camera location.
- PoE + fiber hybrid: Cat6 runs from the camera to a media converter in a small XP enclosure near the camera, then fiber to the control room. This is the preferred architecture for Class I Division 1 installations with long cable runs or significant electrical noise.
For cameras in Class I Division 1 locations, explosion-proof PoE switches or media converters can be installed inside the classified area to extend copper runs while keeping fiber as the backbone. The PoE switch enclosure must be rated for the specific Division and Group.
VLAN Architecture for Camera Isolation
Camera networks in industrial facilities should never share a VLAN with OT control networks (DCS, PLC, SIS). The appropriate segmentation model:
- VLAN 10 — Safety/Camera network: All XP cameras, NVR, and VMS server. No direct routed access to OT VLANs.
- VLAN 20 — OT Control network: DCS workstations, historian, SCADA servers. Strict access control list (ACL) blocks all traffic from VLAN 10 to VLAN 20 except pre-approved flows (e.g., VMS alarm triggers to DCS historian).
- VLAN 30 — IT/Corporate network: Remote viewing workstations, operator consoles in safe areas. Access to VLAN 10 NVR streams via a data diode or unidirectional gateway — never bidirectional access from IT to OT.
The data diode (or unidirectional security gateway) between the OT network and IT network is particularly important for facilities subject to NERC CIP or ISA/IEC 62443 requirements. Video from the camera VLAN can flow to the corporate network for remote viewing without creating a bidirectional channel that could be exploited for OT network intrusion.
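The segmentation rules above can be checked against switch or firewall flow records. The following is an added example, not code from the original article; the subnets, host addresses, port numbers, and the default-deny treatment of every other inter-VLAN flow are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing for the three VLANs named in the article (not from the page).
VLANS = {
    10: ipaddress.ip_network("10.10.10.0/24"),  # cameras, NVR, VMS
    20: ipaddress.ip_network("10.10.20.0/24"),  # DCS, historian, SCADA
    30: ipaddress.ip_network("10.10.30.0/24"),  # corporate viewing
}
VMS, NVR = "10.10.10.5", "10.10.10.6"              # hypothetical hosts
HISTORIAN, DIODE_RX = "10.10.20.40", "10.10.30.2"  # hypothetical hosts

# Pre-approved inter-VLAN flows as (src, dst, dst_port). Ports are placeholders.
APPROVED = {
    (VMS, HISTORIAN, 8443),  # VMS alarm trigger to the DCS historian
    (NVR, DIODE_RX, 5000),   # one-way video export through the data diode
}

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)

def check_flow(src, dst, dport):
    """Return (verdict, reason) for one observed flow."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return "violation", "endpoint outside the defined VLANs"
    if s == d:
        return "allowed", f"intra-VLAN {s}"  # intra-VLAN ACLs are out of scope here
    if (src, dst, dport) in APPROVED:
        return "allowed", f"pre-approved VLAN {s} -> VLAN {d} flow"
    if s == 30:
        return "violation", f"return path from IT into VLAN {d}"
    return "violation", f"unapproved VLAN {s} -> VLAN {d} flow"

def violations(flows):
    checked = [(flow, check_flow(*flow)) for flow in flows]
    return [(flow, reason) for flow, (verdict, reason) in checked if verdict == "violation"]

# Constructed flow records: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.10.10.21", "10.10.10.6", 554),    # camera to NVR
    ("10.10.10.5", "10.10.20.40", 8443),   # approved alarm trigger
    ("10.10.10.21", "10.10.20.11", 502),   # camera reaching an OT host
    ("10.10.10.6", "10.10.30.2", 5000),    # approved diode export
    ("10.10.30.15", "10.10.10.6", 554),    # IT workstation pulling from the NVR
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(flow, "->", reason)
```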
Bandwidth Planning for IP Camera Systems
Bandwidth is the most commonly underestimated aspect of industrial camera network design. Cameras in hazardous locations often cover large process areas where high resolution is needed for incident investigation — but this resolution comes with a significant bandwidth cost.
Typical IP camera bitrates at various resolutions and compression settings:
| Resolution | Codec | H.264 CBR @ 15 fps | H.265 @ 15 fps |
|---|---|---|---|
| 2 MP (1080p) | H.264/H.265 | 4 Mbps | 2 Mbps |
| 4 MP (2560×1440) | H.264/H.265 | 8 Mbps | 4 Mbps |
| 8 MP (4K) | H.264/H.265 | 16 Mbps | 8 Mbps |
| 12 MP | H.264/H.265 | 24 Mbps | 12 Mbps |
For a 50-camera system with 4 MP cameras at H.265 @ 15 fps: 50 × 4 Mbps = 200 Mbps sustained bandwidth from cameras to NVR. Add 20% headroom for PTZ control, management traffic, and burst events: 240 Mbps minimum between camera aggregation switches and the NVR.
Use a 1 Gbps uplink from each access layer PoE switch to the distribution layer, and a 10 Gbps uplink from the distribution layer to the NVR. This provides adequate headroom even in motion-intensive industrial environments where bitrate spikes during activity.
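The sizing rule above, applied per access switch so that an oversubscribed 1 Gbps uplink shows up before deployment. This is an added example, not part of the original article; the switch names and camera counts are constructed, and the table's first bitrate column is read here as H.264.

```python
# Mbps per camera at 15 fps, from the article's table, keyed by megapixels.
BITRATE_MBPS = {
    "h264": {2: 4, 4: 8, 8: 16, 12: 24},  # first bitrate column (CBR), read as H.264
    "h265": {2: 2, 4: 4, 8: 8, 12: 12},
}
HEADROOM_PCT = 20            # PTZ control, management traffic, burst events
ACCESS_UPLINK_MBPS = 1_000   # access PoE switch -> distribution layer
NVR_UPLINK_MBPS = 10_000     # distribution layer -> NVR

def required_mbps(cameras):
    """cameras: iterable of (count, megapixels, codec). Returns Mbps including headroom."""
    raw = sum(count * BITRATE_MBPS[codec][mp] for count, mp, codec in cameras)
    return raw * (100 + HEADROOM_PCT) / 100

def plan(switches):
    """switches: {name: [(count, mp, codec), ...]} -> {link: (needed_mbps, fits)}."""
    report, total = {}, 0.0
    for name, cameras in switches.items():
        need = required_mbps(cameras)
        total += need
        report[name] = (need, need <= ACCESS_UPLINK_MBPS)
    report["nvr-uplink"] = (total, total <= NVR_UPLINK_MBPS)
    return report

# Constructed site inventory (hypothetical switch names and camera counts).
SITE = {
    "sw-process-unit": [(24, 4, "h265")],
    "sw-tank-farm": [(16, 8, "h265"), (8, 2, "h265")],
    "sw-flare-stack": [(48, 12, "h264")],  # legacy H.264 cameras on one switch
}

if __name__ == "__main__":
    for link, (need, fits) in plan(SITE).items():
        print(f"{link:16s} {need:8.1f} Mbps  {'ok' if fits else 'OVERSUBSCRIBED'}")
```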
PoE Switch Selection and Placement
In a hazardous-location camera installation, PoE switches can be placed either:
- Outside the classified area (safe area equipment room): Lower cost, standard commercial PoE switches. Requires longer cable runs; verify that total cable length stays within the 100 m Cat6 limit.
- Inside the classified area (XP PoE switch): Higher equipment cost, but enables shorter per-camera cable runs and eliminates the need for fiber media converters at each camera.
Key PoE switch specifications for industrial camera systems:
- PoE budget: minimum 30 W per port for PTZ cameras with heater/blower accessories; 15 W per port for fixed cameras
- Industrial temperature rating: -40°C to +75°C for outdoor/process area switches
- Conformal coating: required for coastal, offshore, and humid environments
- Managed switch with VLAN support: required for proper network segmentation
- Ring topology support (RSTP/ERPS): provides sub-50 ms failover if a fiber ring segment is cut
Cybersecurity Hardening for Industrial Camera Networks
IP cameras are a known attack vector in industrial environments. Several incidents have involved cameras as entry points for OT network intrusion. Hardening measures:
- Default credentials: Change all factory default passwords immediately on deployment. Use unique passwords per device managed in a privileged access management (PAM) vault.
- Firmware management: Establish a process to apply camera firmware updates within 30 days of release. Known CVEs in camera firmware have been exploited for lateral movement in OT networks.
- RTSP stream encryption: Enable TLS for RTSP streams and HTTPS for web management interfaces. Disable HTTP, Telnet, and unused protocols at the camera.
- 802.1X port authentication: Require certificate-based authentication before a camera port becomes active. Prevents rogue device insertion into the camera VLAN.
- Video watermarking: Enable camera-side video watermarking for evidence integrity in post-incident forensics.
- NTP synchronization: Synchronize all cameras to a common NTP source for accurate event timestamps. Use an internal NTP server; do not allow cameras to reach internet NTP servers.
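The checklist above can be run as a recurring audit over a camera inventory export. This is an added example, not code from the original article; the record field names, device names, addresses, and the internal NTP address are hypothetical, and the inventory is constructed.

```python
from datetime import date

PATCH_WINDOW_DAYS = 30                  # firmware window stated in the checklist
INSECURE_SERVICES = {"http", "telnet"}  # protocols the checklist says to disable
INTERNAL_NTP = {"10.10.10.2"}           # hypothetical internal NTP server

def audit_camera(cam, today):
    """Return the list of hardening findings for one camera record."""
    findings = []
    if cam["default_password"]:
        findings.append("factory default password still set")
    released = cam.get("pending_firmware_released")  # date of an unapplied update, or None
    if released and (today - released).days > PATCH_WINDOW_DAYS:
        findings.append(f"firmware update pending {(today - released).days} days")
    for svc in sorted(INSECURE_SERVICES & set(cam["services"])):
        findings.append(f"{svc} enabled")
    if not cam["rtsp_tls"]:
        findings.append("RTSP stream not using TLS")
    if not cam["dot1x"]:
        findings.append("switch port not enforcing 802.1X")
    if not cam["watermark"]:
        findings.append("video watermarking disabled")
    if cam["ntp_server"] not in INTERNAL_NTP:
        findings.append("NTP source is not an internal server")
    return findings

def audit_inventory(cameras, today):
    """Return {camera name: findings} for non-compliant cameras only."""
    results = {cam["name"]: audit_camera(cam, today) for cam in cameras}
    return {name: f for name, f in results.items() if f}

# Constructed inventory export; every value below is sample data.
INVENTORY = [
    {"name": "xp-cam-01", "default_password": False, "pending_firmware_released": None,
     "services": ["https", "rtsps"], "rtsp_tls": True, "dot1x": True,
     "watermark": True, "ntp_server": "10.10.10.2"},
    {"name": "xp-cam-02", "default_password": True,
     "pending_firmware_released": date(2025, 5, 1),
     "services": ["http", "https", "telnet", "rtsp"], "rtsp_tls": False,
     "dot1x": False, "watermark": True, "ntp_server": "pool.ntp.org"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2025, 6, 30)).items():
        print(name, findings)
```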
Redundancy Design for Safety-Critical Coverage
In areas where camera coverage supports emergency response (not just security), consider:
- Dual-path fiber ring topology at the distribution layer — single fiber cut does not interrupt video
- Redundant NVR with automatic failover — primary NVR failure triggers recording to secondary
- UPS-backed PoE switches — camera feeds remain up during power disturbances
- Local SD card recording on cameras — continues recording even if network fails
Frequently Asked Questions
- Should explosion-proof cameras be on the OT network or IT network?
  Neither directly. Camera networks should occupy their own VLAN, segmented from both OT (control) and IT (corporate) networks. One-way data flows to IT for remote viewing should pass through a data diode or application-layer gateway.
- What bandwidth should I plan for NVR storage?
  Storage bandwidth must match the total incoming stream bitrate from all cameras simultaneously. For 50 cameras at 4 Mbps each: 200 Mbps sustained write throughput to NVR storage. Use RAID-6 with 10 Gbps SAS or NVMe SSDs for the recording volume.
- Do I need a firewall between the camera VLAN and the NVR?
  At minimum, use ACLs on managed switches to restrict camera-to-NVR traffic to RTSP and ONVIF protocols only. For high-security facilities, a dedicated next-generation firewall with deep packet inspection (DPI) provides better visibility into camera traffic anomalies.
About the Author
Daniel Fernandez
Daniel Fernandez is a hazardous area security systems specialist with over a decade of experience specifying ATEX, IECEx, UL Class I Division 1, and cUL certified surveillance equipment for oil and gas, chemical, mining, pharmaceutical, and offshore environments. He holds expertise in NEC and IEC area classification standards and has consulted on explosion-proof camera system designs across North America, Europe, and the Middle East.