printer friendly version

The convergence of physical security and IT: broad convergence - IT, security and building controls

This is the seventh article in a series of articles that explores the convergence of physical security technology and information technology, and its impact on security departments and IT departments, their personnel and their vendors. This is not just the convergence of physical security and IT security, but a larger convergence of information technology with physical security systems.

This article focuses on the broader aspects of convergence for building control systems, of which security systems are just one part, and upon the demand for interoperability that convergence brings.

Here, there and everywhere

The growth of information technology (computers, networks and electronic data) has resulted in convergences in many industries. For example, 'advertising' is converging with 'entertainment' and so is 'news and information' (infotainment). The convergences are powered by computing technology. The security industry is simply one industry of many that is faced with one type or another of computer-driven convergence.

Telecom and network convergence

To the telecommunication and networking industries, convergence means the delivery of voice, video, data and applications over one network - wired or wireless. You can get a free Convergence Briefing Pack from Nortel Networks and download a video on Nortel's Architecture for the Converged Enterprise, in a section of the Nortel website dedicated to convergence. One result of the convergence is the changing role of the mobile telephone from a person-to-person communications device to a more general-purpose audio-visual communications terminal.

Network World magazine's online component Network World Fusion lists convergence as one of its 16 key research topics, for which it maintains a home page that is updated as related news and information becomes available.

Looking at the terms multimedia, voice and data, one cannot help but think about the video, audio and access/alarm data that security systems deal with. It is the convergences in telecom and networking that enables the capabilities of many security systems. For example, if network switches from Cisco and others could not handle streaming video over a network, many security video applications would not be able to function.

Telecom and networking, building automation, and factory automation are all industries with convergence impacts - impacts that are affecting the security industry at many levels.

Building controls convergence

Security systems are one component of building automation controls, along with safety systems, which also fall into the security domain.

Convergence impacts on lighting and HVAC control include the building occupant's desire to have PC desktop control over temperature and lighting settings; zone-specific control for after-hours occupancy; and occupancy-based comfort control for conference rooms and other frequently-unoccupied areas. The general trends all involve situation-specific response in realtime. Blinds, shutters and lighting can be automatically controlled based upon the occupant's preferences and the current level of sunlight, with an orientation towards reducing cooling requirements (by minimising direct sunlight into the building).

Ken Sinclair, editor/owner of the online magazine AutomatedBuildings.com, points to the arrival of new network-based technologies for buildings, such as digital signage. Sinclair says: "In addition to the direct IT solution for our industry, new concepts such as networked digital signage systems are opening up new communication conduits with the exciting medium of inter-building communications. A digital sign is a display device, which is used as an electronic sign to present constantly changing, computer generated, full motion video, photo-realistic graphics, text, and animation. It is a dynamic venue as opposed to static billboards and posters." The security implications of dynamic building signage are obvious with just a little thought. See the AutomatedBuidings.com for additional articles about convergence in building automation controls.

Other computer-technology-based building technologies are appearing that have security implications. Seismic Warning Systems, (http://www.seismicwarning.com/) California, has introduced the QuakeGuard earthquake early warning system. Earthquake warnings can be broadcast via e-mail, web page, cellphones and pagers - any device capable of realtime information display. The system can be used to isolate hazards, such as shutting off gas and water main valves to prevent fire and water damage; activate and lock/unlock electronic doors to protect assets and people; isolate chemicals, gases, and fuel tanks. It can prevent accidents in operating rooms, initiate shutdown of industrial processes, and improve transportation system passenger safety. It can also be used to open critical doors that could become inoperable through building deformation, activate emergency power generation, and park elevator cars. The greater the integration of QuakeGuard with other building systems, the greater its benefits are. The same statement can be made for many building automation devices and systems.

Building intelligence

The incorporation of computer intelligence and network connectivity into devices and systems - the basic convergence influence - allows systems to be of greater and greater realtime benefit to the systems users. This was the original promise of the 'intelligent building' movement in the late 1980s. The movement declined when the building controls industry did not swiftly address the primary barriers: connectivity and interoperability.

Now the widespread deployment of personal computers and networks has resolved, for all practical purposes, the connectivity barrier. Driven by relentless customer demand for improved systems, a number of standards and technologies have been developed over the past 10 years or so to address the interoperability barrier.

Interoperability does not necessarily mean that any device or control panel from one manufacturer can be substituted for a similar device from another manufacturer, in mix-and-match fashion. A more practical definition of interoperability would be the ability of equipment or systems from different manufacturers to share information for the purpose of daily operation. For security systems some examples of this information are:

* viewing and editing schedules for monitoring and access control.

* receipt and acknowledgement of alarms and access events.

* access privilege status for access tokens and associated biometric data.

* realtime status of alarm and access control devices and their networks.

* user status information such who is 'in' or 'out' of an controlled area or building.

* realtime and recorded audio and video streams.

* historical report information (alarms and access events).

To exchange such information requires common standards and protocols.

Security lags behind

Unfortunately, with only a few exceptions (mentioned later), the advances in interoperability do not involve security systems. This is the chief complaint about the security industry from security system customers, as was evidenced at the ASIS International Emerging Trends conference in Chicago two years in a row (2003 and 2004). During a panel discussion session on physical security systems in each conference, the dominant topic was the lack of interoperability of existing systems. Many attendees had security systems which were replaced for year 2000 issues, and others had systems that were purchased or expanded after 11 September, 2001. These systems are too new to warrant wholesale replacement. The Emerging Trends conference attendees participating in the discussion expressed their extreme frustration at the lack of interoperability. One said that it felt more like a 'betrayal' of the customers by the security industry. Most had been told by system providers that to have the security systems of their facilities interoperate would require replacing them all with a single brand from one manufacturer. A few of the 2004 panel attendees had already taken that route (less than 5%) and the rest simply did not have the option to do so.

Convergence of expectations

Interoperability is common in two realms, IT and building environmental controls (HVAC and lighting). Knowledge of that interoperability affects the customer expectations for the security industry. One of the aspects of convergence that has plagued security system manufacturers and security dealers since the industry's introduction of PC security system software has been the carry-over of end user expectations from information systems. In the early 1990s dealers would commonly hear complaints like this: "I can get that kind of report from my dBase software, a $500 product. Why can I not get it from your system that I am paying $30 000 for?" Ten years later end users continue to be frustrated over the glaring gap between state-of-the-art information systems and state-of-the-art security systems.

Key industry differences

It is important to note some key differences between the environmental controls industry (HVAC and lighting controls) and the physical security industry, both of whom today have to deal with convergence issues:

* Environmental controls systems have about a 10-year head start on interoperability.

* Improvements in environmental controls provide tangible financial returns in terms of energy savings. Security improvements rarely provide the same kind of tangible return.

* Improvements in environmental controls provide a noticeable and continuous impact on the comfort of building occupants, which contributes to a higher level of demand for improvement and for convergence benefits.

What is most important about these three points, as we will address later in this article, is that the existence of these three differences could very well enable the security industry to deal with its interoperability and convergence issues much faster, benefiting both customers and the overall health of the security industry and its companies.

Interoperability challenges

From some perspectives, it is understandable why security manufacturers have not embraced interoperability earlier. One reason is explained in a Solutions White Paper by Andover Controls titled, 'BACnet without Limits'. See the sidebar below: 'Open Protocols and Security Systems' which contains Section XI of that white paper, and explains why security issues regarding open protocols have been a valid concern.

System interoperability faces the same types of technical, financial and business culture challenges in security as were faced in environmental controls. However, the liability stakes are much higher for security systems, due to the loss of property and loss of life potentials. This aspect of the security industry has always inspired a reluctance factor on the part of manufacturers to change their products. In a smaller way, it has also contributed to some reluctance on the part of some customers to buy 'new and improved' systems; they want to avoid the potential security system problems. Improvements in building security systems cannot offer customers the same financial returns that improvements in environmental controls can. Thus, although security systems customers demand improvements, they often are less willing and able to bear the cost of them.

Other security system manufacturers' concerns about introducing interoperability are:

* Manufacturers do not want to give away their secrets and enable their closest competitors to be able to 'take over' their installed systems.

* Makers of the highest quality systems do not want to enable the addition or integration of lower quality components to their systems. This creates a potential support burden for them, and complicates the product liability picture.

* Manufacturers often bundle the software with their hardware at no cost or at a reduced price; open protocols and separately available hardware would require a different pricing structure and sales strategy - one that the customer is not prepared for.

* Open protocols could result in a 'lowest common denominator' situation, where the advanced or market-specific features of some systems and products are not welcomed or supported during protocol development.

* Open protocols will not directly increase the security or user-level operability of high quality systems, but will increase their costs due to the added engineering cost of supporting open protocols.

* Interoperable systems are likely to require a greater level of knowledge and training of the vendor, knowledge that is more in-depth than was previously required to achieve a working system.

* As has been discovered already in the in the world of environmental controls, specifications writers will have to state specifically what functionality is intended to be interoperable, and what commands and data must be shared between which specific subsystems. This would result in a new and continuous educational burden for manufacturers and specifiers alike, which would be another factor contributing to increased project costs.

* Manufacturers fear the scenario where the costs of being a leader (ie, being responsive to the customer demands for interoperability) could make them non-competitive price-wise, while the very customers they aim to serve continue to make low-price buying decisions. This would, in effect, accomplish a transfer of market share from one manufacturer to another, thus penalising the leading manufacturers.

On the other hand, some customer concerns about the lack of security system interoperability are:

* Use of a single manufacturer's systems and components across the board means that the customer is sometimes paying for advanced features and capabilities that are not needed in specific locations or applications.

* If local authorised system integrators for a brand do not provide sufficiently good service, customers are left with no options for good service, due to proprietary lock-in. Global enterprises cannot use the strategy of select the best of local security vendors because the vendors do not all carry the same brand of system.

* Although generally the prices of computers and computerised equipment continue to fall, security systems prices will not fall because they will not have to, due to proprietary lock-in.

* IT departments disdain the prevalence of proprietary systems and components in physical security systems, and corporate security customers have to overcome IT reluctance to get involved in security system projects. This can hamper the efforts of security managers to obtain support for new system purchases or for system expansions, especially when IT states that new system's design uses outdated technology.

The same kinds of considerations on the part of environmental controls manufacturers slowed their adoption of interoperability, but in the end customer demands for interoperability prevailed. However, the 10-year head start of the environmental controls industry is just that - a head start. Environmental controls interoperability is still a work in progress, even though very significant strides have been made.

Security-environmental controls integration

Tridium (http://www.tridium.com/) of Richmond, Virginia, develops and markets a universal software platform - known as the Niagara Framework - that allows companies to build software applications for accessing, automating and controlling smart devices over the Internet or intranets. Tridium's second product, Vykon, was designed specifically for the building-automation industry. Using the Niagara Framework, Vykon allows users to manage control devices from different manufacturers by integrating them into a common system.

Tridium achieved a five-year growth rate of over 13 000%, making them the second fastest growing technology company in Virginia. Ed Merwin, director, field sales for Tridium, provides an example of the cost-savings that open protocols and interoperability have produced for environmental controls. Merwin says, "Today we can provide a Modbus interface to a generator on only two wires for about $1000. Formerly, and to obtain less information, the interface would have cost $25 000 - meaning that it just was not practical for most applications. Today's interfaces provide significantly better information. They let us predict problems before they occur, instead of simply detecting them after the fact. We do not monitor just the running status of the equipment ('working' or 'failed'); we monitor the health of the equipment."

NovusEdge (http://www.novusedge.com/) is a provider of IP-based access control and asset protection solutions for industries including healthcare, government, education, and retail. NovusEdge was founded in 1999 as Novus Security Systems and changed its name in 2004 to reflect the natural extension of its strategy to embrace expanded network-edge solutions. According to Robert A. Smith, vice president of marketing for NovusEdge, "By continuing to move intelligence to the edge of the network, the NovusEdge architecture will serve as the foundation for a new class of applications that require, and leverage, device-to-device and machine-to-machine communication." In support of IT infrastructure assurance, the NovusEdge system uses the Niagra Framework to provide IT with water, temperature and humidity alerts while at the same time providing immediate access to live and recorded video of the alarm area.

Tridium has developed a Niagara Framework 'door object' for NovusEdge that allows an environmental controls system, among other things, to provide lights only for the after-hours cleaning crew, or lights and HVAC for an employee, based upon the NovusEdge access control system's card access privilege.

Note that the NovusEdge applications described are combined security system-environmental control system applications. In the past this kind of integration (alarm monitoring, after-hours building control) required extensive relay interfaces or custom ASCII text message interfaces between systems. Today, the interfaces are accomplished via standard Ethernet and computer operating system level messaging.

Interoperability and IT convergence are making it possible for systems to work together, so that customers can view and operate their building from their own facility management perspectives.

Security interoperability

Little has been done with regard to interoperability across security industry brands. But security system interoperability with other building automation systems is already being embraced, and not just by relatively new companies like NovusEdge. GE Security (http://www.gesecurity.com/) and Bosch (http://www.boschsecurity.us/) both have developed OPC (OLE for process control) interfaces; GE in its Facility Commander product and Bosch in its System 3T product. The interfaces are based upon the work of the OPC Foundation (http://www.opcfoundation.org/).

These systems reflect the influence of IT on security. Facility Commander incorporates features based upon IT industry standards. It runs on commercial, off-the shelf operating systems including Windows, Linux and AIX. It supports popular databases like SQL, Informix, DB2 and Oracle. GE also provides a Facility Commander Software Development Kit (SDK) and open APIs for the development of plug-and-play drivers for existing digital video equipment and software. Bosch's System 3T contains security provisions, such as configurable firewalls and encrypted data transfer.

This is a start, but does not embrace what Emerging Trends conference attendees had as their highest interest: interoperability between like security systems of different brands.

Leveraging convergence for customer satisfaction

The renewed interest in Intelligent Buildings, and the convergence of information technology into security systems, position the security industry to leverage off the key differences between environmental controls industry and the security industry.

* 10-year head start. Security manufacturers can look to the history of interoperability in environmental controls, adopt the things that have worked in terms of cooperation and standard-setting, and avoid the things that have irked customers and delayed progress. Developing interoperability for existing systems would minimise customer replacement expenditures and leave more money available for integration components and site-specific integration work.

* Higher financial returns of environmental controls projects. Incorporating security systems into larger environmental controls projects and integrating the systems, would allow security to leverage off an existing infrastructure and be part of a picture that has an overall higher ROI than security alone.

* Higher demand for convergence benefits. As the demand for intelligent building benefits increases, so will the demand for the integration of interoperable security systems with other building automation systems.

Not all buildings are currently engaging in environmental controls projects. However, growing general awareness of the convergence trends in building controls will still benefit security manufacturers and vendors who can provide interoperable systems.

Key points to consider

Security customer feedback and the development history of interoperability for environmental controls tell us:

* Strong motivations encourage proprietary differentiation among manufacturers.

* Customers know the interoperability they want is technically possible.

* Achieving interoperability is not easy or rapid, but is inevitable due to customer demand.

* Customers cannot postpone security improvements forever (to wait for interoperability) and hate being forced into proprietary solutions.

* Customers resent needing an industry (security) that does not seem to care enough about customers' needs for interoperability.

The key challenge for the security industry is to transition from holding onto customers by means of proprietary lock-in, to holding onto customers by virtue of how well security services and products make the customers' jobs easier and more productive. Convergence factors have made it technically possible for the security industry to address this challenge in the very near future. The organisations already exist through which the required coordination and collaboration efforts can be accomplished. What will your part be in helping to make this happen?

Open protocols and security systems

The security market has not adopted many standards to communicate between manufacturers. The primary focus of standard protocols in security systems has been at the card and reader level (ABA, Wiegand) and the biometric level (BioAPI, BAPI, CDSA/HRS, CBEFF, X9.84, M1) but not at the device and system levels. This has been a protectionist move on the part of security vendors. The manufacturers have been successful in countering the end-users desire for competitive project bidding with the fear of potential security holes in the system.

There is justification for the argument they are using. When BACnet and LonMark were developed, security applications were not initially considered, and protecting the data was not part of the design. The open protocols mentioned in this paper are open to anyone using a compatible tool. Any person can plug into vendor A's network, and potentially take control of all of vendor A's devices. This hole is unacceptable for security applications. Life safety systems have felt comfortable using BACnet, since they can present critical data as 'read-only'; and the fire panels make the critical decisions on their own and typically do not need to be re-programmed on a regular basis.

With an access control system, decisions and programming are constantly being made from a workstation that needs to securely communicate the instructions and updates to the field panels. An access control system is programmed whenever a card record or a door schedule is changed. Information about who enters or leaves a facility is highly sensitive and should be available to only the appropriate operators. The same is true for viewing live and recorded CCTV images.

The BACnet committee (ASHRAE SSPC-135) is approaching deficiencies in security systems in two ways. First, the Network Security working group (WG-NS) has been actively developing user-based security and outlining standard encryption methods for BACnet as a means to secure the network. The other enhancement to BACnet currently in development by the Life Safety and Security working group (WG-LSS) is access control objects and services. As with all ASHRAE committees, these security enhancements are being made with a collaborative effort between end-users and security manufacturers. The result will be an application-focused design that will allow security devices from BACnet manufacturers to interoperate using current and newly created rich services.

- From a Solutions White Paper by Andover Controls titled, 'BACnet without Limits'.

Ray Bernard is board-certified as a physical security professional (PSP) by ASIS International. Ray is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. This article is based upon material in his upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS go to www.go-rbcs.com

Share this article:

Further reading: