Designing and procuring an integrated solution

September 2009 Security Services & Risk Management

This Honeywell paper aims to help you identify how to go about designing and procuring a security technology solution which will enhance your organisation’s security strategy.

In today’s business environment, ensuring the safety of people, facilities and information is paramount. Responding to security threats requires complex co-ordination between understanding your vulnerabilities, improving your internal processes and choosing technology appropriate to your security goals.

Smartcards, intelligent video and biometric credentials are some examples of security technology that is rapidly advancing and becoming increasingly specialised. For security managers this represents both an opportunity and a risk. The opportunity is to provide greater security and response capability as well as improve operational efficiency through these emerging technologies. The risks are that:

* Expectations of technology performance may become unrealistic as technology is seen as a solution to everything.

* The technologies become complex islands that add little to the overall security plan.

* There is the risk that technology potential is never realised because operational processes and the capability of staff do not keep pace, through lack of training or recruitment of operators without the necessary contemporary technology skills.

Security strategy

An effective security technology solution is a response to a clearly defined need. The first step in determining your security technology requirements is to clearly review your security objectives to form a security strategy. Your security strategy will need to address:

* Detecting threats and vulnerabilities.

* Controlling people and assets.

* Managing resources.

* Responding to incidents.

* Analysing why incidents occur.

* Prosecuting perpetrators.

* Photo identification.

* Visitor management.

* Fire detection.

* And other subsystems like building control if required.

There are many organisations that can help you with developing your security strategy. So how do you then translate your security strategy into a technical solution?

Operational requirements

When it comes to selecting security technology to support your security strategy, you will find that there are some common operational requirements which will dictate technical solutions. In an ideal world, your security technology should:

* Provide you with a single overarching view of all security aspects of your business.

* Be easy to use and assist the operator in handling security incidents. Remember, operators will be under stress when they are responding to a security incident so the system should make it easy to see all the relevant information.

* Allow you to choose the best technical solution for the problem you are trying to solve – be it the best camera for surveillance, the most appropriate biometric credential or the latest perimeter detection technology. All these solutions are likely to come from different manufacturers.

* Maximise your asset utilisation and efficiency – if you already have a network, the system should use this. If you already have an HR system with personnel data – the security system should source directly from these existing assets. The security system can actually help improve operations.

Most importantly, your system should be able to evolve over time as your requirements change and as technology advances.

Technical requirements

If you translate these operational requirements into technical requirements, the technical solution needs to have the following characteristics.

* Single management system – all the various security components and technologies need to come together at some point into a single management system to consolidate data and allow for a single incident response.

* Single operator interface. Your operators should be using a single operator interface to monitor and respond to a security incident with the complete information in front of them.

* The system should allow multiple technologies from multiple vendors to be linked together and to exchange information so that the system acts intelligently. The total system should provide functionality which is greater than the sum of the parts.

* Existing infrastructure should be used wherever possible. Security systems should use standard network infrastructure, commodity hardware, and link to data sources already in your organisation.

* Your technology should be able to be upgraded easily when it becomes outdated without wholesale system replacement.

If you review these requirements, you will see that there is a fundamental conflict which needs to be resolved. On the one hand, you want a single system which provides a consistent interface to manage all your security information – on the other hand, you want the flexibility to be able to pick and choose technologies, upgrade parts of the system over time and not be locked in to a single supplier. It is possible to resolve this apparent conflict when creating your security solution through a combination of integrated design and collaborative procurement approaches.

Integrated design

An integrated security management system will address these requirements. It is important to define systems integration in the context of high end mission critical security. Many systems over the years have often been promoted as integrated but are little more than a number of disparate subsystems with separate operator interfaces in the same control room. The operator is, in fact, the integrator. An integrated security management system has multiple independent security subsystems operating together such as:

* Access control.

* Intrusion detection.

* Surveillance.

These subsystems are connected at the physical level through a common communications infrastructure – which is a standard TCP/IP network. They are connected at the operational level by a single management interface which provides the operator with a single user interface, a single set of graphics integrated with a single alarm management process and data from a single authoritative source. Not only does this make the system easier to use and manage, but it enables the system to act intelligently – such as only recording video when an intrusion is detected.

Fortunately, the development of open systems standards is starting to penetrate the security industry allowing standards such as BACnet, LonWorks, XML etc, to be used to integrate security subsystems together.

Using good design, a contemporary integrated security management system will allow sub-systems to remain independent, with their functionality and integrity not compromised by being integrated with other systems.

However, this does not mean that integrated security management systems are without their challenges.

The following is a list of major design and procurement challenges:

* How can a system be future proofed when there is so much pressure to meet an immediate need?

* How can the investment of technology be offset by an increase in productivity?

* How can available future budgets be planned for and aligned with emerging technology?

* How can contestability be ensured when procuring without ending up with a series of non-compatible sub-systems?

* How can the system in itself be secure if the very nature of the products is open protocols?

Challenges of design

Future proofing your system

These challenges can be addressed by looking at some real world examples drawn from Honeywell’s experience in complex, integrated security systems.

The dimension that is often ignored when designing a system is that of time. The example of Australian Parliament House shows the evolution of its security management system over multiple generations of technology. The initial system was installed in the mid 1980s and at the time was based on mini-computers which were expensive, difficult to operate and required highly specialised equipment and maintenance – but they were the only computers with the power and reliability to manage such a critical system.

Over time, as technology advanced and slowly became more commoditised, the security management system was able to migrate firstly to the UNIX platform and then ultimately to the Windows-based PC platforms currently in use. The field controller hardware followed a similar story.

Back in the 1980s it was not possible to envisage the requirement of the system over the next 10 years yet the product that was being installed at the time had a life span of 10 years plus. The ability to maintain the investment but at the same time add newer technologies as they become available is fundamental business management. This was achieved by ensuring that the initial systems were designed with future integration and upgrade potential. In the 1980s and ’90s this was normally achieved by a manufacturer of the security management system developing custom interfaces to third party subsystems or alternatively the manufacturer produced its own subsystems that had backward integration capabilities and allowed previous generations to coexist on the one integrated system.

A drawback of this approach, historically, was that clients felt that once they had made their initial purchase they became locked into a single manufacturer, as the switching costs to another company could be very high both in terms of lost investment in the original equipment and the costs of installing a new system. Even if they did change, they were potentially only jumping out of the proverbial frying pan and into the fire. On the other hand, technology advances were slower and the security environment more stable than today, and the need for ongoing rapid change and upgrades was not as pressing.

These days, due to the advent of interoperability through open systems standards, it is much easier to integrate subsystems from multiple vendors together into a single integrated security management system. You can use these technical advances to help future proof your system.

You need to ensure that you are constantly planning where you hope to be in a few years’ time and progressing your technology and your budgets in this direction. By using the flexibility of open systems, you can incrementally change out old components and put in new components as they become available from different vendors. In this way, you are able to continually migrate your system forward with minimum disruption to your business. This is a much more cost effective and manageable strategy than ripping out your system every 10 years and starting afresh and, with today’s open systems technology, much more feasible.

Productivity improvements

Many organisations see security as a cost of doing business. All investments in security are considered to be sunk costs for which little return is expected except for peace of mind. However, by integrating your security management system into your business processes, you can actually use it to improve productivity. For example, Sydney Airport Corporation is an issuing body for the Aviation Security Identity Card (ASIC). This requires a complex process for managing and maintaining information about ASIC cardholders as well as updating and renewing passes.

Sydney Airport also has an integrated security management system which is used to control access in and around the Sydney Airport site. This system is used to issue photo identification passes to airport staff. Because the system already captures photographs and personal information for airport staff, it can be used to manage the creation of the ASIC cards. Not only that, but the airport was able to create special reports in the security management system which automatically recognised when cardholders’ ASIC passes were about to expire, created a letter of renewal and printed this letter populated with the relevant information for that cardholder to remind them to renew their ASIC pass.

In summary, the information and capabilities of the security management system were able to be used to significantly improve an administration process at the airport. For those of you about to grapple with a similar issue surrounding the Maritime Security Identity Card (MSIC), you should consider how you can achieve some administrative efficiency while also fulfilling your regulatory obligations.

The design of an integrated security management system should encompass productivity goals. As in other forms of business life new technology has been responsible for tremendous productivity gains. As security technology budgets increase they can be offset to some extent by improved productivity.

Collaborative procurement

As we have seen, not only is there a need for technology to meet the operational requirements of a system over time but there is also a need to proactively manage this process. The design and procurement challenges have similar underlying core issues, namely: a need for action and delivery, a need for knowledge of current and emerging technologies, a need for vision, a need for planning and a need for an overarching integration plan. When a system is large and mission critical, the other key requirement is to ensure end to end accountability for system functionality and performance.

At Honeywell, we have increasingly become a high-end systems integrator providing a high degree of product/vendor independence but at the same time, maintaining total (end to end) responsibility for system functionality and performance. This has led to a number of clients contracting with us over a long period of time. In most cases this relationship has endured effectively over a 10–20 year timeframe in an informal alliance. However, in some recent cases, clients have sought a more proactive approach to ensure they can plan effectively to achieve five year plus goals. In order to achieve this they have turned to formal alliancing. By selecting an alliance partner for their integrated security system requirements they are able to ensure amongst other things that they will have a consistent integration approach over a realistic period of time. The key basis on which the alliance partner is chosen is on technical expertise, integration technology, quality systems, delivery capability (project management) and servicing capability rather than cost. The latter can be handled separately because the bulk of future expenditure on installation and products can be handled jointly by the alliance partnership in an open tender format at the time of purchase. Costs that are directly associated with the alliance partner such as hourly rates, integration hardware and software are established from business as usual analysis by an independent auditor. Similarly, business as usual margins are established that will apply to all direct costs and third party procurement costs. It is important that the alliance integration partner is responsible for delivering end-to-end systems. For this approach to work both the client and the technology company must have a common set of goals and believe in a win-win outcome.

An example of this approach is the collaborative working arrangement (CWA) signed in 2005 with the NZ Department of Corrections to deliver integrated security management systems across four new regional prisons over a 7-year period. Honeywell was selected as Corrections’ technology partner after an RFP process and a round of in-depth interviews. By getting Honeywell on board in this manner the client has addressed two challenges:

* They ensure continuity of the integration capability and can therefore plan ahead for both their budget and their technology.

* They have a designer, contractor and project manager on board very early in the programme with full end to end accountability for delivering systems which work together.

The benefits of this approach extend also to the ongoing maintenance of the system. Corrections has a single partner responsible for ensuring that the system is kept in a state of readiness, operators are trained and accredited and that there is continuous improvement in the way the system operates through the life of the partnership.

A similar arrangement has recently been signed with the Queensland Department of Corrective Services for a 5-year perimeter security upgrade for all of its correctional facilities. The challenge of contestability is always a concern especially for the public sector. If a technology partner is to be selected this must not only meet strict probity requirements but there must also be an ongoing transparency over the life of the agreement. In summary, you get the best value for money and system continuity by contesting once for a technology partner for a period of time, and contesting multiple times for commodity subsystems for each project.

Physical and IT security

The last challenge, how the system can be secured if using open protocols, is emerging as a very hot topic. There is a very real concern that advances in communications technology as applied to security systems will be a double edged sword. While these advances open up significant possibilities for cost effective security functionality, they also make the system potentially more vulnerable to outside attack by the very nature of their openness. Hacking into security systems could become as real an issue as Internet banking fraud. There are a number of ways to secure your system from outside attack while still reaping the benefits of an open systems approach, as long as you recognise that the primary goal is security. The next phase of technology that we are already starting to see is the convergence of physical security technology and IT security technology.

For example, your physical security credential will become a smart card or biometric credential. Not only will this give you access to your company’s physical asset such as the buildings, it will also give you access to your company’s data through using this credential to log on to your corporate network. Similarly, the IT security infrastructure in place to support business systems will also be protecting the integrated security management system from unauthorised attack.

Conclusion

In summary, there are three points to be emphasised:

* Firstly, there has to be an overall vision for security management. This is often overlooked. While there is usually a well documented threat assessment, this often has not been translated into technology requirements. You need to be clear about what you are trying to achieve and how any technology will enhance your ability to achieve your vision, not detract from it.

* From your security vision you need a technology roadmap which will outline an enduring technology design. This will show at a high level where the system currently stands and how it could develop over time. Emerging technologies together with planned version upgrades will be noted for future consideration at the appropriate time. By using this roadmap approach, you are able to make decisions today that do not lock out possibilities in the future. The upside is that as the technology has become smarter, it has also become more open to integration with other sub-systems which means that, providing the right integration platform is selected, the sub-systems can be chosen from an array of global suppliers. The best fit and value for money product can be chosen.

* Finally, you need a procurement model which reflects your vision and your technology roadmap. The traditional model of writing detailed specifications and then tendering the whole system as a one-time installation is time-consuming, costly and risky due to constantly changing technology and requirements. An alternative to consider is a partnership approach with a recognised and proven systems integrator. The core competency of the systems integrator is overall system design, R&D, applications specialisation, knowledge, project management and maintenance. You can then work with them so that your system evolves along with your business requirements over time.




