And it's not your older brother's security either. The physical security industry is advancing at a breakneck pace driven both by shifting threats and advancements in technology. Security practitioners are continually faced with finding new costeffective countermeasures. It is easy to be blinded by the sea of alluring technology and take the premature step of purchasing before fully understanding the impacts to the organization. The leading edge of the technology boom is not perfect and requires caution in its application and implementation.
This discussion will focus on the traditional physical security world and three major trends facing the industry. Information Technology (IT) security is also facing the same type and magnitude of changes. These deserve to be discussed in a separate and more comprehensive forum.
Of course, some things haven't changed in the physical security world. The same assets and people are still the focus of protection. Many believe the events of 9-11 caused a paradigm shift in defining present-day security practices. In reality, with the exception of the Department of Defense and the like, most organizations are focused on enhancements to the same security practices. Many more years and major investments will be needed to truly improve security and take it to the next level. What has occurred over the last few years, though, has built the foundation for what is needed and will come in the future.
Much investment and effort have gone into improving the overall physical security landscape. It should not be understated that 9-11 did cause a tremendous change in how security is viewed and implemented today. It has also brought increased regulation, particularly for banking institutions. Most commercial entities are focused on business continuity and systems redundancy. The overriding efforts are being applied to ensure businesses can continue to perform with little or no down time after an event. Business continuity requires the efforts of more than the traditional Chief Security Officer to implement and successfully thwart the security threats facing most modern organizations. This movement is applicable across the board from commercial business to local and federal government agencies.
It also is what is causing and allowing different, nontraditional organizations to enter the security arena. With the fall of the dotcoms in the late 1990s, many IT companies had to reevaluate and adapt to new markets. Based on the changes occurring in the industry, many can and are developing capabilities to now compete in the traditional security industry.
Looking forward, three megatrends have emerged that make traditional physical security vastly different today than even just a few years ago. These include the concept of IT/security convergence, equipment and software technology advancements, and the development of security standards. These three trends will provide the much-needed foundation for security and continue to drive it far into the future. None are a panacea, and each will require careful planning prior to implementation to provide better security than is currently in place.
Security convergence is generally defined as the integration of physical security hardware and software with information technology equipment and software. Simply stated, it allows security devices to be directly connected to local and wide-area networks to allow for monitoring and event memory storage and management. Convergent networks are meant to replace traditional proprietarytype, closed network designs. The future for either type is not "either/or" but both.
The prime mover for convergence is to reduce project costs and reduce implementation schedules. If well-implemented, it can also reduce labor costs and improve performance. Convergence provides an "open architecture" for security organization structures and systems required to support them. This is important when interfacing with other organizational systems such as the banking and human resource systems. Security convergence is also leading to technology advances as equipment companies have an incentive to develop individual products that can just "hang on the network." It represents a new frontier with little standardization and few comprehensive convergent systems currently operating. Those firms developing and installing these systems are truly working out there on the "edge."
Equipment has been developed, and continues to be advanced, that connects directly to IT networks similar to a printer or scanner. Closed-circuit television cameras are leading the parade. Network-based electronic access control and intrusion-detection systems are not far behind. As reported by Security Systems News, CISCO has developed a CCTV camera aimed at the small-business market that retails for less than $300.1 The camera is wireless, with no PC required, and has its own IP (Internet Protocol) address that can be accessed through its own URL (Uniform Resource Locator). The camera's features include motion detection, and the camera can record video and provide an audio signal upon alarm. Alarm notification alerts can be made via e-mail, pager or mobile telephone.
In the past, many security systems have been installed in a piecemeal fashion. Some were integrated, which usually involved combining access control, intrusion detection and CCTV systems, and monitoring in some fashion. Convergence goes much farther and includes the sharing of wiring systems, servers, networks, information and software. The battle for the marketplace is shaping up to be a clash of the titans as traditional IT companies such as CISCO enter the security market to compete against the traditional security equipment manufacturers.
As could well be expected, convergence presents major political and cultural challenges in most organizations. Security and IT departments traditionally have operated independently with separate budgets, goals and personnel. The toughest battles with implementing convergent solutions will be getting these two departments to work together. Local, single-site organizations are generally considered easier to deploy convergent solutions than larger, distributed organizations and sites. These operational issues need to be carefully worked out or the convergent solutions will be doomed to failure due to the operational security faults, incompatibilities or system limitations. IT professionals should advance the industry and practice, not dictate the security solutions.
It also cannot be overemphasized that implementing security on the company's network adds a new dimension to securing the network. Previous to this convergence movement, security systems' "security" relied on a closed architecture where only select "trusted" personnel had physical access to them. Today, many of these converged systems are accessible by anyone with a terminal linked to the network. This is often unfamiliar and unsavory ground for many security practitioners. It is simply the "more-eggs-in-one-basket" scenario. As critical as the network is to business continuity, adding the company access control or video surveillance system must be implemented with the same or greater network security provisions as the data side. This includes good use of firewalls, encryption, virtual private networks (VPNs) and password protection.
While many systems deployed today come with "good"encryption, password protection and other security provisions, many systems' security protections are not configured during installation. Frankly, many of these systems move under the IT radar and are not properly configured or commissioned. IT departments are finding their most vulnerable points are through newly installed security systems often many months after their deployment on the network. Many installers to date have little IT security training, something that has to change with the times.
The toughest battles with implementing convergent solutions will be getting security and IT departments to work together.
Although convergent systems probably will not be universally implemented in the future, they are expected to grow quickly in popularity and market share. They will become one more viable option when designing a security network. It is envisioned that the balance of security networks will continue to be proprietary, closed systems due to unique security requirements specific for particular facilities.
Equipment and Software Technology
There has been an explosion of equipment devices and software enhancements over the past few years in almost every aspect of the security industry. Arguably, perhaps two of the most notable examples are in the CCTV and Smart Access Control Card areas. Biometric verification devices and Radio Frequency Identification Devices (RFID) deserve an honorable mention, but as of yet have not reached their true potential.
CCTV cameras are also becoming more "intelligent." The transition from analog tubes to digital chips shifted camera capabilities into hyperspace. The advent of DVRs has taken them to the next level. Now, this intelligence is being pushed out from the DVR to the camera itself. With greater information-gathering functionality of video cameras, more information and analytics can be used from them.
Depending on whom you ask, the digital video market is growing anywhere from 25 percent to 40 percent a year. Up to 80 percent of new video recording systems now deployed today are digital. Although the IP-based video cameras have been in the market for many years, many are completely digital, and owners are not configured to utilize them. This is mostly due to incompatibilities with the owners' legacy systems, which are not able to monitor or record IP cameras.
Anther newcomer for CCTV systems is intelligent video. Intelligent video, simply stated, provides camera systems with analytical capabilities, where the video stream is analyzed for rules configured in the system. Rules like object tracking, suspicious activity, vehicle or pedestrian crowding and tailgating identification provide the end-user improved situational awareness of a given facility.
Smart cards provide new capabilities for the security practitioner. Smart cards are unlike any other card technology because they carry integrated cardholder information in the card. Many organizations from the Department of Defense to large banking institutions have adapted to the smart card technology because of its ability to provide critical information about the cardholder in a relatively secure manner. Smart cards have tamper-resistant properties managed by electronic chips that contain microprocessors. Tamper-resistant (not tamper-proof) capabilities include a secure crypto-processor, secure file system and human-readable features. Smart cards provide capabilities for secure information sharing while maintaining confidentiality of information in the memory chip. The smart card terminology is often confused by the security industry. Many security practitioners purchase smart cards and are faced with product incapability with conventional security systems.
Smart cards are being developed for many applications from Department of Defense ID cards to credit cards. The Federal Information Processing Standards Publication 2012 is leading the way for Personal Identity Verification (PIV) as a common identification standard. There are several drawbacks with the technology, but many believe smart cards are the best solution for the time. Conceivable (futuristic) considerations are to implant smart chips into humans to provide improved security. Over one billion smart cards are being bought and shipped globally every year.
The standards are coming. After many years of discussion, jostling and positioning, the security and standards industry has finally developed and issued a variety of different standards and guides that will aid in security planning, equipment development, installation, interoperability and "true" security convergence. These standards will help form the foundation of future security efforts by setting levels of installation quality, encouraging equipment development and interoperability, and rational security threat and risk analysis.
A few of the key organizations that are involved in these efforts include:
- National Fire Protection Association (NFPA).
- Security Industry Association (SIA).
- Professional Alarm Ser vices Organizations of North America (PASONA).
- Central Station Alarm Association (CSAA).
- ASIS International.
NFPA has developed and published the first editions of NFPA 730 Guide for Premises Security3 and NFPA 731 Standard for Installation of Electronic Security Systems.4 These standards represent the combined efforts of a variety of users, special experts, listing agencies, insurance, public officials, manufacturers and security associations to develop security standards. The documents have been through two public comment periods and are now entering their second code cycle for proposed revisions.
NFPA 730 is occupancy-based and was developed for the protection of premises, people, property and information. NFPA 731 is an installation standard for electronic security systems and is written in language suitable to be adopted into law by state and local government. It is intended to set minimum standards for installation and performance of systems, including improving performance and reducing nuisance alarms. The scope of the standards is considered more extensive than any developed by other organizations to date. It is envisioned that NFPA 731 will become the de facto commercial standard and benchmark for installation of systems.
The Security Industry Association (SIA) is developing and releasing various security standards associated with improving performance and nuisance alarm reduction of security devices, such as passive infrared detectors. A key set of standards is being developed to define basic convergence open-architecture parameters that will allow future development of other protocols for interfacing specific convergence hardware and software.
One particular SIA standard, CP-01,5 details recommended design features for security system control panels and their associated arming and disarming devices to reduce the incidence of false alarms.
An important set of SIA standards currently under development is the specification of the framework for the Open System Integration and Performance Standards (OSIPS) family of standards. The primary objective of these standards is to enable the easy exchange of information between security and other system components in furtherance of the objectives of system builders. Those shared elements will be specified in the OSIPS framework for use by independent manufacturers developing convergent compatible devices.
The Central Station Alarm Association (CSAA) has developed model ordinances and programs that municipalities can adopt to help reduce false and nuisance security alarms.
ASIS International has recently published six security guidelines and has three others under development to assist security practitioners in everything from business continuity to general risk assessments.
These standards represent current best practices and combine the knowledge and insight of highly competent security specialists. They will assist in the development of the industry by setting consistent standards for the application of security and installation of security systems. Consistency will be necessary to efficiently ensure the required performance necessary to protect assets and business and governmental continuity in the most costeffective manner.
Charles Hahl and Mark Hankewycz are with The Protection Engineering Group, PC, Chantilly, VA.
1Pfeifle,L., "Cisco's First IP Security Camera," Security Systems News, July 2006.
2Personal Identity Verification (PIV) of Federal Employees and Contractors, Federal Information Processing Standards Publication 201-1, National Institute of Standards and Technology, Gaithersburg, MD, 2006.
3NFPA 730, Guide for Premises Security, National Fire Protection Association, Quincy, MA, 2006.
4NFPA 731, Standard for the Installation of Electronic Premises Security Systems, National Fire Protection Association, Quincy, MA, 2006.
5ANSI/SIA CP-01, Control Panel False Alarm Standard, Security Industry Association, Alexandria, VA, 2000.