Sneakernet or Internet: Pushing Updates to Surveillance Systems in the Age of AI & ML

Billy F.
Somewhere in a casino on the Las Vegas Strip, on a Tuesday at about three in the morning, a person is walking across a server room with a USB drive in their hand.
This is not a witching hour hack or part of an Ocean’s-style heist. This is a software update.
The USB drive contains a few gigabytes of compressed files: new code for the surveillance system, signed and verified, downloaded from the vendor’s portal earlier that day onto a different computer in a different room. The person carrying it has a security badge. The server room has a camera watching the door. The walk takes maybe forty seconds.
Forty seconds is the slow part of the network. Once the file reaches the server, things accelerate considerably. The file gets unpacked, validated, and distributed across a cluster of machines in something like the time it takes to brew a pot of coffee. The walking-around-with-a-USB-drive portion is the bottleneck.
And it is, very much on purpose, the bottleneck.
There is a name for this kind of network, the kind where data is moved by a person physically carrying it. It’s called sneakernet. A network where the transfer protocol is a pair of sneakers. You know, metaphorically; the “sneakers” could be flip flops, a car, a bike... or a St. Bernard.
In 1981, famed computer scientist Andrew Tanenbaum opened his textbook Computer Networks by asking students a strange question. He asked his students to calculate the bandwidth of a St. Bernard dog named Bernie, carrying three boxes of floppy disks, and the ranges where Bernie transferred data faster than a 300 bps telephone line.
The point of the exercise was to demonstrate something that sounds wrong but isn’t: for large amounts of data, physically carrying it from point A to point B is often faster than sending it over a wire.
Decades later, xkcd’s Randall Munroe ran the numbers again in 2013 with a FedEx truck full of microSD cards and got the same answer. The truck won. He concluded, “So the bottom line is that for raw bandwidth, the internet will probably never beat SneakerNet.”
What Tanenbaum might not have anticipated 45 years ago is that, even with network speeds increasing exponentially, sneakernets would still be in active use in some of the most advanced surveillance systems and secure environments on earth. Not for the speed (or because the people running them are nostalgic). Because they have made a deliberate decision that their systems should not be allowed to touch the internet. Ever. Under any circumstances.
This is called air-gapping, and it is the reason the USB stick is being escorted into a secure server room.
What is Air Gapping? The Castle with No Drawbridge
The term “air gap” comes from electrical engineering, where it referred to a literal gap of empty space between two conductors. No matter what happens on one side, the other side is electrically unreachable.
Computer security borrowed the term and meant it just as literally. An air-gapped system has no network connection to anything outside itself. No ethernet cable to the internet. No Wi-Fi card. No Bluetooth radio. No cellular modem. The system sits in physical isolation, and the only way to put something on it (or take something off) is to carry it there.
Picture a castle on an island. No bridge, no ferry, no tunnel. If you want to deliver a message, you swim. Slower, but safer for the castle and its inhabitants.
This is, to put it mildly, an inconvenient way to run a computer. It also happens to be an extremely effective way to keep one secure. You cannot remotely attack a system that has no remote connection. You cannot phish a server that does not receive email. You cannot install ransomware on a network that does not exist as far as the internet is concerned.
Air-gapping is standard practice in environments where the cost of unauthorized access is catastrophic. Classified government networks. Industrial control systems at power plants and water treatment facilities. Financial clearinghouses. And, in many jurisdictions, the surveillance systems that watch over regulated environments, where regulators or institutional policy require that video data never leave the property and never touch a network that could be reached from outside it.
The arrangement works. It has worked for decades. But something is changing.
From Air Gap to Network Segmentation
Across critical infrastructure, systems that were once fully air-gapped are increasingly moving toward a different security architecture: network segmentation. Instead of complete physical disconnection, network segmentation uses controlled, monitored boundaries (firewalls, DMZs, encrypted channels, strict access controls) to isolate sensitive systems while still allowing specific, tightly governed connections.
The shift is well-documented. As Qiang Huang, Vice President of Product Management at Palo Alto Networks, put it: “Major digital transformation trends such as smart manufacturing, machine analytics, remote operations, and SCADA modernization have reshaped OT networks from isolated air-gapped systems to dynamic hybrid environments with increased IT and cloud connectivity.”
Surveillance environments face the same pressure. AI and machine learning are increasingly powering the analytics that make modern surveillance systems valuable, and those AI models improve through frequent updates. A purely air-gapped system can receive those updates, but only via the sneakernet: a person, a USB drive, a walk across the building. When updates were annual or semi-annual, that overhead was negligible. When AI models benefit from monthly or even weekly refreshes, the math starts to shift.
This doesn’t mean air-gapping is going away. For some operators, in some environments, complete physical isolation is and will remain the right answer. But for operators whose systems depend on staying current with AI model updates, the question has become: how do we preserve the security principles of air-gapping while accommodating the update frequency that AI demands?
Engineers have answered that question with several approaches. They sit on a spectrum, from pure air gap (a person physically carrying a USB drive) to network segmentation (carefully controlled digital channels). Each one represents a different bet about how much convenience to trade for how much certainty.
Getting Updates In: From USB Drives to Cryptographic Handshakes
The Bundle Drop (Air-Gapped)
The simplest version is what the person in the server room, from the beginning of this article, is doing right now.
Step one: somewhere on the connected internet, an administrator logs into the vendor’s download portal from a computer that has nothing to do with the surveillance network. They select the components they need (core software, camera firmware, a security patch), and the portal wraps everything into a single compressed file.
Step two: the file goes onto a USB drive.
Step three: a person walks the USB drive to the air-gapped server room and plugs it in.
Step four (this is the part people miss): the server takes over. It checks the file’s cryptographic signature. It verifies the contents haven’t been tampered with. It confirms there’s enough disk space. Then it pushes the update to every other server in the cluster, one at a time, in sequence.
The sequential part matters more than it sounds. If the system updated all servers at once and something broke, every camera would go dark simultaneously. By taking the servers down one by one, the system stays operational throughout. In an environment where the cameras need to be watching twenty-four hours a day, this is the difference between a maintenance window and a disaster.
The whole arrangement is sometimes called a “modular update package” by the people who design these systems. The person carrying the USB drive probably calls it “the update.”
This is the only method on this list that maintains a true air gap. Everything that follows introduces some form of controlled network connection.
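Step four and the one-at-a-time rollout described above, sketched as an added example (not code from any vendor or from this article's author). It assumes the bundle's manifest of SHA-256 digests has already passed signature verification, since the article does not name a signature scheme; the file names, server names and the `install`/`healthy` callbacks are hypothetical.

```python
import hashlib
import shutil

def validate_bundle(manifest, files, free_bytes=None, headroom=2):
    """Return a list of problems; an empty list means the bundle may proceed.

    manifest: {name: sha256 hex}, assumed already signature-checked.
    files:    {name: bytes} as unpacked from the USB drive.
    """
    if free_bytes is None:
        free_bytes = shutil.disk_usage(".").free
    problems = []
    for name in sorted(set(manifest) | set(files)):
        if name not in files:
            problems.append(f"missing: {name}")
        elif name not in manifest:
            problems.append(f"unlisted: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != manifest[name]:
            problems.append(f"digest mismatch: {name}")
    needed = headroom * sum(len(data) for data in files.values())
    if free_bytes < needed:
        problems.append(f"disk: need {needed} bytes, have {free_bytes}")
    return problems

def rolling_update(servers, install, healthy):
    """Install on one server at a time; halt at the first failed health check."""
    updated = []
    for i, server in enumerate(servers):
        install(server)
        if not healthy(server):
            # Stop here: the servers not yet touched keep recording.
            return {"updated": updated, "failed": server,
                    "untouched": servers[i + 1:]}
        updated.append(server)
    return {"updated": updated, "failed": None, "untouched": []}

# Constructed sample data: file names, contents and server names are made up.
FILES = {"core.bin": b"core software 2.0", "camera-fw.bin": b"camera firmware 7"}
MANIFEST = {n: hashlib.sha256(d).hexdigest() for n, d in FILES.items()}
SERVERS = ["rec-01", "rec-02", "rec-03"]

def demo():
    altered = {**FILES, "camera-fw.bin": b"camera firmware 7, altered"}
    installed = []
    result = rolling_update(SERVERS, installed.append,
                            healthy=lambda s: s != "rec-02")
    return {
        "clean": validate_bundle(MANIFEST, FILES, free_bytes=10**6),
        "altered": validate_bundle(MANIFEST, altered, free_bytes=10**6),
        "full_disk": validate_bundle(MANIFEST, FILES, free_bytes=10),
        "rollout": result,
        "installed": installed,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the constructed rollout the second server fails its health check, so the third is never touched and keeps running the old version.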
The Mail Room (Network Segmentation: DMZ Proxy)
Some operators want updates more often than a person can reasonably walk them over. The compromise is a DMZ. The acronym stands for “demilitarized zone,” which is borrowed from military terminology and is one of those technical names that sounds more dramatic than the thing it describes. A DMZ in network terms is a small, isolated network segment that sits between two networks and acts as a buffer.
The mail room analogy is the easiest way to picture it.
Imagine a building where outside visitors are not permitted past the lobby. Packages get delivered to a receiving desk. A staff member checks the sender, inspects the contents, and then carries the package inside. The delivery driver never enters the building. The people inside the building never interact with the delivery driver. The mail room is the only point where the outside and inside touch, and it enforces strict rules about what crosses.
In a DMZ, a single dedicated computer sits in the buffer zone. It can talk to the internet on one side. It can talk to the surveillance network on the other. But it can only do certain things, with certain partners, in certain ways. It downloads updates from the vendor. The surveillance network pulls those updates from the DMZ machine, never from the internet itself.
The air gap, technically, no longer exists. What replaces it is a single, hardened, monitored chokepoint. Whether that’s an acceptable substitute depends entirely on the rules the operator is required to follow and the threats they are most worried about. For some, it’s perfect. For others, the existence of any connection at all is unacceptable, and they stick with the USB drive.
The Agent Network (Network Segmentation: Managed Agents)
A different approach, used by some major surveillance platforms, doesn’t try to push updates outward from a central server. It puts a small piece of software on every machine in the network and asks that software to do the work.
The small piece of software is called an agent. Each agent has one job: listen to a designated central server, verify that any instructions are legitimate, and execute them when authorized. The agents communicate over encrypted channels and refuse to take orders from anything else.
The mental image, if it helps, is a building where every door has a trusted employee posted next to it. Those employees only accept packages from one specific delivery person, and only after checking the credentials carefully.
The central server itself can receive updates via the sneakernet, or via a DMZ proxy. Once an update is on the central server, the administrator approves it, and the agents handle the rest. They pull the update down, install it on their machines, and restart in sequence.
The deliberate part is the approval step. The update doesn’t just happen because the file showed up. A human has to say yes. This is a small thing that turns out to matter a lot in environments where unexpected system behavior, even helpful unexpected system behavior, can trigger compliance reviews or operational alarms.
The Paranoid Handshake (Cryptographic Challenge-Response)
The most cautious method takes a different philosophical approach entirely. It assumes that even a verified, signed update file might somehow be wrong, malicious, or intended for a different system. So it requires the system to actively prove, before accepting anything, that the update is specifically meant for it.
The technical name is challenge-response authentication. In practice, it works like this.
The air-gapped system generates a small file. The file is, essentially, a cryptographic question. Here’s who I am. Here’s what I’m currently running. Here’s my serial number. Prove you’re allowed to update me.
That file gets carried out of the air-gapped environment on a USB drive. An administrator uploads it to the vendor’s portal. The portal reads the question, validates it, and generates an answer file, which is a cryptographic response that will only work on that specific system at that specific moment.
The answer file gets carried back in.
Two trips. One question, one answer. The system refuses to accept the update unless the answer file matches its question, and the answer file is mathematically useless to any other system on the planet.
This is the software equivalent of a two-key launch system. Both sides have to participate. The participation is bound to a specific identity. It’s twice as much work as the bundle drop, and operators who use it think the extra walk is worth it.
This method can be implemented in a fully air-gapped environment (with two physical USB trips) or within a network-segmented architecture where the challenge-response happens over a controlled channel. The cryptographic verification works the same way regardless.
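The question-and-answer exchange above, as an added example (not any vendor's protocol or code from this article). It assumes an HMAC over the challenge and the update digest, keyed with a per-device secret shared with the vendor, as a stand-in for whatever scheme a real product uses; serials, keys and update bytes are constructed.

```python
import hashlib
import hmac
import json
import secrets

def _mac(key, challenge, update_sha256):
    # Bind the answer to the exact challenge (serial, version, nonce) and update.
    msg = json.dumps({"challenge": challenge, "update": update_sha256},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def vendor_respond(device_keys, challenge, update_bytes):
    """Portal side: build the answer file for one challenge and one update."""
    key = device_keys[challenge["serial"]]  # unknown serial -> KeyError
    digest = hashlib.sha256(update_bytes).hexdigest()
    return {"update_sha256": digest, "mac": _mac(key, challenge, digest)}

class Device:
    """Isolated side: issues the question, checks the answer."""

    def __init__(self, serial, version, key):
        self.serial, self.version, self.key = serial, version, key
        self.pending = None  # the one outstanding challenge, if any

    def new_challenge(self):
        self.pending = {"serial": self.serial, "version": self.version,
                        "nonce": secrets.token_hex(16)}
        return dict(self.pending)  # copy written to the outbound USB drive

    def accept(self, response, update_bytes):
        if self.pending is None:
            return "rejected: no outstanding challenge"
        digest = hashlib.sha256(update_bytes).hexdigest()
        if digest != response.get("update_sha256"):
            return "rejected: update does not match answer"
        expected = _mac(self.key, self.pending, digest)
        if not hmac.compare_digest(expected, str(response.get("mac", ""))):
            return "rejected: answer not for this challenge"
        self.pending = None  # a nonce is answered once; replays fail
        return "accepted"

# Constructed demo data: serials, keys and update bytes are made up.
KEYS = {"CAM-SRV-A": b"key-a-constructed", "CAM-SRV-B": b"key-b-constructed"}
UPDATE = b"model weights v42 (constructed)"

def demo():
    a = Device("CAM-SRV-A", "5.1", KEYS["CAM-SRV-A"])
    b = Device("CAM-SRV-B", "5.1", KEYS["CAM-SRV-B"])
    answer = vendor_respond(KEYS, a.new_challenge(), UPDATE)
    b.new_challenge()
    return [
        b.accept(answer, UPDATE),         # other system: rejected
        a.accept(answer, UPDATE + b"x"),  # altered file: rejected
        a.accept(answer, UPDATE),         # intended system: accepted
        a.accept(answer, UPDATE),         # replay: rejected
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The random nonce is what ties the answer to "that specific moment": once a challenge is answered or replaced by a newer one, the old answer file no longer verifies.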
The Update That Isn’t Really An Update
Everything described above was designed for a particular kind of software, where an “update” means new instructions. A bug fix changes a few lines of logic. A security patch closes a known vulnerability. A feature release adds new menus or new capabilities. The shape of the update is essentially the same shape it had in 1990, just bigger.
For traditional surveillance software, this works fine. A video management system that records, stores, and plays back footage gets updated occasionally to fix bugs or add features. The system from 2018 does basically what the system from 2024 does, with some quality-of-life improvements in between. The model is: install once, run for years, update when necessary.
AI-powered surveillance changes this in a way that’s worth slowing down on, because the implications aren’t obvious.
When an AI analytics system gets updated, the new version is not a new set of instructions. It’s a new set of learned weights. Millions of numerical values that collectively represent what the system has been trained to recognize and how. The architecture might be the same. The code that runs the model might be unchanged. What’s different is what the model knows.
A useful way to think about it: a traditional software update is like giving a security guard a revised employee handbook. Same guard, same instincts, new procedures.
An AI model update is like swapping in a different security guard who has been watching cameras for six more months than the previous one. Same uniform, same post, same job description. Different judgment behind the eyes.
This changes the math on update frequency. A surveillance system running 2025’s video management software does what 2025’s video management software always did, which for a recording-and-playback system is almost always fine. A surveillance system running 2025’s AI model is, in a meaningful sense, dumber than it could be. Not broken. Not malfunctioning. Just less sharp than the current version, because the team behind the model has spent another year finding edge cases, identifying failure modes, and refining what the system pays attention to.
The longer the model sits, the wider the gap between what it can do and what the latest version can do. In the current age of AI & ML-powered systems, these meaningful updates can come weeks or just days apart.
The good news is that every update method described above can deliver a model file just as easily as it can deliver a software patch. A model file is just a file. It fits on a USB drive. The sneakernet doesn’t care what’s inside the package.
The complication is that walking a USB drive across the building once a year is fine, and walking it across the building every month or week starts to add up. Not to mention, when your implementation is customized and built on your proprietary training data, a unique update like that may require oversight and tuning from one of your vendor’s engineers. With purely air-gapped systems, that equates to more trips. More scheduling. More expenses. More coordination between vendor and customer. Taking all of that into consideration, it starts to become clearer why operators are increasingly moving from pure air gap toward network segmentation.
The Drawbridge
Something interesting has been happening in industries that historically used air-gapped systems. They are, slowly and carefully, reconsidering how absolute the air gap needs to be.
Not abandoning isolation. Refining it.
The DMZ proxy described earlier is one version of this thinking. The system isn’t truly air-gapped, but it has a single, hardened, monitored point of controlled connectivity, and the surveillance network never touches the open internet directly. Plenty of organizations that once required pure physical isolation have moved to this kind of architecture, because it preserves the security benefits while reducing the operational burden.
Industry guidance has been moving in the same direction. ONVIF, the standards body for IP-based physical security products, recommends network segmentation and VMS-mediated access controls as the modern approach to surveillance security, rather than relying on absolute physical disconnection. A whitepaper from a major networking equipment manufacturer notes that most IP video networks today are connected, and that the security model has shifted toward robust enterprise networking configurations rather than air gaps alone.
The moat is still there. It just has a very carefully engineered drawbridge across it now.
AI-powered analytics are accelerating this conversation. When the software running on a surveillance system genuinely benefits from regular model updates, and when the gap between an old model and a current model is the gap between catching an incident and missing it, the calculus shifts. The same engineering principles that make air-gapped methods trustworthy (encrypted transport, cryptographic signatures, customer-controlled authorization, comprehensive logging) can be applied to a narrow, dedicated channel that does exactly one thing: deliver verified model updates on a schedule the customer controls.
The customer decides when. The customer decides whether. The customer can shut the channel down at any moment, for any reason. Every action that happens on it is logged.
This is not a replacement for air-gapping. It’s another point on the same spectrum, governed by the same principle: nothing enters the system without verification, and the customer controls what enters.
The person walking across the server room at three in the morning is not going away. For some operators, in some environments, the USB drive is and will remain the right answer. The walk across the building is the design.
What’s changing is that for operators who run AI-native systems and want to stay current with their models, there are now more options than there used to be. Every option, including the USB drive, sits on the same spectrum. Every option, including the dedicated update channel, uses the same security tools.
Tanenbaum was right in 1981, and he’s still right. The station wagon full of tapes is a perfectly good way to move data. It’s just sharing the road now with other vehicles, designed for a different kind of cargo, traveling on roads that didn’t exist when Bernie the St. Bernard was born.
Sources & Further Reading
Tanenbaum, A.S. Computer Networks, 1st ed. (1981), Prentice-Hall. Sneakernet — Wikipedia
Randall Munroe / xkcd. "FedEx Bandwidth." What If? #31
Qiang Huang, VP of Product Management, Palo Alto Networks. Quoted in Industrial Cyber, March 2025
ONVIF. Recommendations for Cybersecurity Best Practices for IP-based Physical Security Products. ONVIF Cybersecurity Best Practices
Alcatel-Lucent Enterprise. Maximizing Security and Performance (whitepaper). ALE Whitepaper (PDF)

Billy F. is Business Operations & GTM Systems Lead at EagleSight.ai.