This is the seventh article in a series of articles that explores the convergence of physical security technology and information technology, and its impact on Security departments and IT departments, their personnel and their vendors. This is not just the convergence of physical security and IT security, but a larger convergence of information technology with physical security systems.

This article focuses on the broader aspects of convergence for building control systems, of which security systems are just one part, and upon the demand for interoperability that convergence brings.

Here, There and Everywhere

The growth of information technology (computers, networks and electronic data) has resulted in convergences in many industries. For example, “Advertising” is converging with “entertainment”, and so is “news and information” (infotainment). The convergences are powered by computing technology. The security industry is simply one industry of many that is faced with one type or another of computer-driven convergence.

Telecom and Network Convergence

To the Telecom and Networking industries, convergence means the delivery of voice, video, data and applications over one network – wired or wireless. You can get a free Convergence Briefing Pack from Nortel Networks , and download a video on Nortel’s Architecture for the Converged Enterprise, in a section of the Nortel website dedicated to convergence . One result of the convergence is the changing role of the mobile telephone from a person-to-person communications device to a more general purpose audio-visual communications terminal.

Network World magazine’s online component Network World Fusion lists convergence as one of its 16 key research topics, for which it maintains a home page that is updated as related news and information becomes available.

Looking at the terms multimedia, voice and data, one can’t help but think about the video, audio and access/alarm data that security systems deal with. It’s the convergences in telecom and networking that enables the capabilities of many security systems. For example, if network switches from Cisco and others couldn’t handle streaming video over a network, many security video applications wouldn’t be able to function.

Telecom and networking, building automation, and factory automation are all industries with convergence impacts—impacts that are affecting the security industry at many levels.

Building Controls Convergence

As shown by Figure 1 below, Security systems are one component of building automation controls, along with Safety systems, which also fall into the security domain.

Figure 1. Building Automation Systems.

Convergence impacts on lighting and HVAC control include the building occupant’s desire to have PC desktop control over temperature and lighting settings; zone-specific control for after-hours occupancy; and occupancy-based comfort control for conference rooms and other frequently-unoccupied areas. The general trends all involve situation-specific response in real-time. Blinds, shutters and lighting can be automatically controlled based upon the occupant’s preferences and the current level of sunlight, with an orientation towards reducing cooling requirements (by minimizing direct sunlight into the building).

Ken Sinclair, Editor/Owner of the online magazine AutomatedBuildings.com, points to the arrival of new network based technologies for buildings, such as digital signage. Sinclair says, “In addition to the direct IT solution for our industry, new concepts such as networked Digital Signage Systems are opening up new communication conduits with the exciting medium of inter-building communications. A digital sign is a display device, which is used as an electronic sign to present constantly changing, computer generated, full motion video, photo-realistic graphics, text, and animation. It is a dynamic venue as opposed to static billboards and posters.” The security implications of dynamic building signage are obvious with just a little thought. See the AutomatedBuidings.com website for additional articles about convergence in building automation controls .

Other computer-technology-based building technologies are appearing that have security implications. Seismic Warning Systems, Inc. (www.seismicwarning.com) of Scotts Valley, California, has introduced the QuakeGuard™ earthquake early warning system. Earthquake warnings can be broadcast via email, web page, cell phones and pagers—any device capable of real-time information display. The system can be used to isolate hazards, such as shutting off gas and water main valves to prevent fire and water damage; activate and lock /unlock electronic doors to protect assets and people; isolate chemicals, gases, and fuel tanks. It can prevent accidents in operating rooms, initiate shutdown of industrial processes, and improve transportation system passenger safety. It can also be used to open critical doors that could become inoperable through building deformation activate emergency power generation, and park elevator cars. The greater the integration of QuakeGuard with other building systems, the greater its benefits are. The same statement can be made for many building automation devices and systems.

Building Intelligence

The incorporation of computer intelligence and network connectivity into devices and systems—the basic convergence influence—allows systems to be of greater and greater real-time benefit to the systems users. This was the original promise of the “Intelligent Building” movement in the late 1980’s. The movement declined when the building controls industry did not swiftly address the primary barriers: connectivity and interoperability.

Now the widespread deployment of personal computers and networks has resolved, for all practical purposes, the connectivity barrier. Driven by relentless customer demand for improved systems, a number of standards and technologies have been developed over the past 10 years or so to address the interoperability barrier. (See the ST&D March 2004 article titled “Open Systems Protocol” by Lionel Silverman, PE., and the September 2004 article titled "Is There Gold at the End of the Building Automation Rainbow?" also by Lionel Silverman.)

Interoperability doesn’t necessarily mean that any device or control panel from one manufacturer can be substituted for a similar device from another manufacturer, in mix-and-match fashion. A more practical definition of interoperability would be the ability of equipment or systems from different manufacturers to share information for the purpose of daily operation. For security systems some examples of this information are:

• viewing and editing schedules for monitoring and access control
• receipt and acknowledgement of alarms and access events
• access privilege status for access tokens and associated biometric data
• real-time status of alarm and access control devices and their networks
• user status information such who is “in” or “out” of an controlled area or building
• real-time and recorded audio and video streams
• historical report information (alarms and access events)

To exchange such information requires common standards and protocols.

Security Lags Behind

Unfortunately, with only a few exceptions (mentioned later), the advances in interoperability don’t involve security systems. This is the chief complaint about the security industry from security system customers, as was evidenced at the ASIS International Emerging Trends conference in Chicago two years in a row (2003 and 2004). During a panel discussion session on physical security systems in each conference, the dominant topic was the lack of interoperability of existing systems. Many attendees had security systems were replaced for year 2000 issues, and others had systems that were purchased or expanded after September 11, 2001. These systems are too new to warrant wholesale replacement. The Emerging Trends conference attendees participating in the discussion expressed their extreme frustration at the lack of interoperability. One said that it felt more like a “betrayal” of the customers by the security industry. Most had been told by system providers that to have the security systems of their facilities interoperate would require replacing them all with a single brand from one manufacturer. A few of the 2004 panel attendees had already taken that route (less than 5%) and the rest simply did not have the option to do so.

Convergence of Expectations

Interoperability is common in two realms, IT and building environmental controls (HVAC and lighting). Knowledge of that interoperability affects the customer expectations for the security industry. One of the aspects of convergence that has plagued security system manufacturers and security dealers since the industry’s introduction of PC security system software has been the carry-over of end user expectations from information systems. In the early 1990’s dealers would commonly hear complaints like this: “I can get that kind of report from my dBase software, a $500 product. Why can’t I get it from your system that I’m paying $30,000 for?” Ten years later end users continue to be frustrated over the glaring gap between state-of-the-art information systems and state-of-the-art security systems.

Key Industry Differences

It’s important to note some key differences between the environmental controls industry (HVAC and lighting controls) and the physical security industry, both of whom today have to deal with convergence issues:

• Environmental controls systems have about a 10-year head start on interoperability.
  
• Improvements in environmental controls provide tangible financial returns in terms of energy savings. Security improvements rarely provide the same kind of tangible return.
  
• Improvements in environmental controls provide a noticeable and continuous impact on the comfort of building occupants, which contributes to a higher level of demand for improvement and for convergence benefits.
  

What is most important about these three points, as we’ll address later in this article, is that the existence of these three differences could very well enable the security industry to deal with its interoperability and convergence issues much faster, benefiting both customers and the overall health of the security industry and its companies.

Interoperability Challenges

From some perspectives, it’s understandable why security manufacturers haven’t embraced interoperability earlier. One reason is explained in a Solutions White Paper by Andover Controls titled, "BACnet without Limits". See the sidebar “Open Protocols and Security Systems” which contains Section XI of that white paper, and explains why security issues regarding open protocols have been a valid concern.

System interoperability faces the same types of technical, financial and business culture challenges in security as were faced in environmental controls. However, the liability stakes are much higher for security systems, due to the loss of property and loss of life potentials. This aspect of the security industry has always inspired a reluctance factor on the part of manufacturers to change their products. In a smaller way, it has also contributed to some reluctance on the part of some customers to buy “new and improved” systems; they want to avoid the potential security system problems. Improvements in building security systems can’t offer customers the same financial returns that improvements in environmental controls can. Thus, although security systems customers demand improvements, they often are less willing and able to bear the cost of them.

Other security system manufacturer’s concerns about introducing interoperability are:

• Manufacturers don’t want to give away their secrets and enable their closest competitors to be able to “take over” their installed systems.
  
• Makers of the highest quality systems don’t want to enable the addition or integration of lower quality components to their systems. This creates a potential support burden for them, and complicates the product liability picture.
  
• Manufacturers often bundle the software with their hardware at no cost or at a reduced price; open protocols and separately available hardware would require a different pricing structure and sales strategy—one that the customer is not prepared for.
  
• Open protocols could result in a “lowest common denominator” situation, where the advanced or market-specific features of some systems and products are not welcomed or supported during protocol development.
  
• Open protocols won’t directly increase the security or user-level operability of high quality systems, but will increase their costs due to the added engineering cost of supporting open protocols.
  
• Interoperable systems are likely to require a greater level of knowledge and training of the vendor, knowledge that is more in-depth than was previously required to achieve a working system.
  
• As has been discovered already in the in the world of environmental controls, specifications writers will have to state specifically what functionality is intended to be interoperable, and what commands and data must be shared between which specific subsystems. This would result in a new and continuous educational burden for manufacturers and specifiers alike, which would be another factor contributing to increased project costs.
  
• Manufacturers fear the scenario where the costs of being a leader (i.e. being responsive to the customer demands for interoperability) could make them non-competitive price-wise, while the very customers they aim to serve continue to make low-price buying decisions. This would, in effect, accomplish a transfer of market share from one manufacturer to another, thus penalizing the leading manufacturers.

On the other hand, some customer concerns about the lack of security system interoperability are:

• Use of a single manufacturer’s systems and components across the board means that the customer is sometimes paying for advanced features and capabilities that are not needed in specific locations or applications.
  
• If local authorized system integrators for a brand don’t provide sufficiently good service, customers are left with no options for good service, due to proprietary lock-in. Global enterprises can’t use the strategy of select the best of local security vendors because the vendors don’t all carry the same brand of system.
  
• Although generally the prices of computers and computerized equipment continue to fall, security systems prices won’t fall because they won’t have to, due to proprietary lock-in.
  
• IT departments disdain the prevalence of proprietary systems and components in physical security systems, and corporate security customers have to overcome IT reluctance to get involved in security system projects. This can hamper the efforts of security managers to obtain support for new system purchases or for system expansions, especially when IT states that new system’s design uses outdated technology.
  

The same kinds of considerations on the part of environmental controls manufacturers slowed their adoption of interoperability, but in the end customer demands for interoperability prevailed. However, the 10-year head start of the environmental controls industry is just that—a head start. Environmental controls interoperability is still a work in progress, even though very significant strides have been made.

Security-Environmental Controls Integration

Tridium Inc. (www.tridium.com) of Richmond, Virginia, develops and markets a universal software platform—known as the Niagara Framework—that allows companies to build software applications for accessing, automating and controlling smart devices over the Internet or intranets. Tridium’s second product, Vykon, was designed specifically for the building-automation industry. Using the Niagara Framework, Vykon allows users to manage control devices from different manufacturers by integrating them into a common system.

Tridium achieved a five-year growth rate of over 13,000%, making them the second fastest growing technology company in Virginia. Ed Merwin, Director-Field Sales for Tridium, provides an example of the cost-savings that open protocols and interoperability have produced for environmental controls. Merwin says, “Today we can provide a Modbus® interface to a generator on only two wires for about $1,000. Formerly, and to obtain less information, the interface would have cost $25,000—meaning that it just wasn’t practical for most applications. Today’s interfaces provide significantly better information. They let us predict problems before they occur, instead of simply detecting them after the fact. We don’t monitor just the running status of the equipment (‘working’ or ‘failed’); we monitor the health of the equipment.”

NovusEdge Inc. (www.novusedge.com) is a provider of IP-based access control and asset protection solutions for industries including healthcare, government, education, and retail. NovusEdge was founded in 1999 as Novus Security Systems and changed its name in 2004 to reflect the natural extension of its strategy to embrace expanded network-edge solutions. According to Robert A. Smith, vice president of marketing for NovusEdge, "By continuing to move intelligence to the edge of the network, the NovusEdge architecture will serve as the foundation for a new class of applications that require, and leverage, device-to-device and machine-to-machine communication." In support of IT infrastructure assurance, the NovusEdge system uses the Niagra Framework to provide IT with water, temperature and humidity alerts while at the same time providing immediate access to live and recorded video of the alarm area.

Tridium has developed a Niagara Framework “door object” for NovusEdge that allows an environmental controls system, among other things, to provide lights only for the after-hours cleaning crew, or lights and HVAC for an employee, based upon the NovusEdge access control system’s card access privilege.

Note that the NovusEdge applications described are combined security system-environmental control system applications. In the past this kind of integration (alarm monitoring, after-hours building control) required extensive relay interfaces or custom ASCII text message interfaces between systems. Today, the interfaces are accomplished via standard Ethernet and computer operating system level messaging.

Interoperability and IT convergence are making it possible for systems to work together, so that customers can view and operate their building from their own facility management perspectives.

Security Interoperability

Little has been done with regard to interoperability across security industry brands. But security system interoperability with other building automation systems is already being embraced, and not just by relatively new companies like NovusEdge. GE Security (www.gesecurity.com) and Bosch (www.boschsecurity.us) both have developed OPC (OLE for Process Control) interfaces; GE in its Facility Commander product and Bosch in its System 3T product. The interfaces are based upon the work of the OPC Foundation (www.opcfoundation.org).

These systems reflect the influence of IT on security. Facility Commander incorporates features based upon IT industry standards. It runs on commercial, off-the shelf operating systems including Windows, Linux and AIX. It supports popular databases like SQL, Informix, DB2 and Oracle. GE also provides a Facility Commander Software Development Kit (SDK) and open APIs for the development of plug-and-play drivers for existing digital video equipment and software. Bosch’s System 3T contains security provisions, such as configurable firewalls and encrypted data transfer.

This is a start, but doesn’t embrace what Emerging Trends conference attendees had as their highest interest: interoperability between like security systems of different brands.

The Security Industry Association (SIA) recognizes the importance of interoperability. The draft agenda for the SIA Standards Committee’s Security Communications Subcommittee meeting included this statement:

“The competitive position of the security industry relies on the ability of its members to develop fully open and interoperable products in an integrated environment. When such systems combine IT, fire/burg, access and CCTV systems—a message set accepted and open from the security industry for at least the last three is essential to the long term health of SIA and its membership.”

There are several interoperability efforts, each one with its own particular focus.

Security Industry Association (SIA)

The Security Industry Association (SIA) (www.siaonline.org) has an Open Systems Integration and Performance Standards program (OSIPS), which is producing standards in two areas: Security Systems Integration Standards and Security Equipment Performance Standards. The Security Systems Integration Standards are intended to assist in the more flexible and more effective application of security technologies and systems. SIA will identify common integration and communication protocols, submit them to the Security Industry Standards Council (SISC) consensus process for American National Standards (ANS) status from the American National Standards Institute (ANSI).

The currently active standards subcommittees are:

• Architectural Graphics
• Audio Verification
• Biometrics
• CCTV/CCV
• Digital Video
• End Users & Specifiers
• Mobile Security Devices
• Security Applications Software
• Security Communications
• Security Control Panels
• Sensors

Security systems integration standards have not yet been developed that address interoperability between like systems of different brands.

SIA standards development is performed by volunteers. Any materially interested party may participate in standards development, regardless of membership affiliation with SIA. Significantly more participation is required if progress is to be made at the level needed by the security industry.

Open Security Exchange (OSE)

The Open Security Exchange (OSE) (www.opensecurityexchange.com) is an independent, cross-industry forum that promotes enterprise security management by addressing the lack of integration commonly found in today’s security infrastructure. The OSE drives the creation and adoption of interoperability standards by working closely with existing standards bodies. An advisor to government and commercial organizations, the OSE also leverages its combined expertise to educate security professionals worldwide about best practice security.

The first technical specifications document that was issued by the OSE addresses interoperability between physical and cyber security technologies. Recently the OSE announced a liaison with the Liberty Alliance, the premier open standards organization for federated identity and identity-based services. Federated identity allows users to link identity information between accounts without centrally storing personal information—meaning that users can be authenticated by one company or Web site and be recognized and delivered personalized content and services in other locations without having to re-authenticate or sign on with a separate username and password.

“Our alliance with the OSE will help Liberty Alliance to extend federated identity standards into the realm of physical security,” said Michael Barrett, president of the Liberty Alliance and vice president for privacy and security for American Express. “Liberty Alliance’s mission has always been to promote interoperability and federated identity across industries and across platforms. Together with OSE we can build federated identity into the wireless and physical security worlds.”

As with SIA’s standards program, the level of activity of the OSE must be raised significantly in order to help advance the security industry at the needed rate. One specifications document per year will not be nearly enough.

Open Building Information Exchange (oBIX)

The Open Building Information Exchange (oBIX) (www.obix.org) is a focused effort by industry leaders and associations working toward creating a standard XML and Web Services guideline to facilitate the exchange of information between intelligent buildings, enable enterprise application integration and bring forth true systems integration. Based on Standards widely used by the IT Industry, the oBIX guideline will improve operational effectiveness giving facility managers and building owners increased knowledge and control of their properties. Comprised of representatives from the entire spectrum of the buildings systems industry, oBIX includes professionals from the security, HVAC, building automation, open protocol and IT disciplines.

Like the Open Security Exchange, oBIX is a year old. To date the only corporate member of oBIX from the security industry is Hirsch Electronics (www.hirschelectronics.com), who is to be applauded for leading the way. Much greater participation is needed from security system manufacturers for the security industry to make significant interoperability strides.

Leveraging Convergence for Customer Satisfaction

The renewed interest in Intelligent Buildings, and the convergence of information technology into security systems, position the security industry to leverage off the key differences between environmental controls industry and the security industry.

• 10-year head start. Security manufacturers can look to the history of interoperability in environmental controls, adopt the things that have worked in terms of cooperation and standard-setting, and avoid the things that have irked customers and delayed progress. Developing interoperability for existing systems would minimize customer replacement expenditures and leave more money available for integration components and site-specific integration work.
  
• Higher financial returns of environmental controls projects. Incorporating security systems into larger environmental controls projects and integrating the systems, would allow security to leverage off an existing infrastructure and be part of a picture that has an overall higher ROI than security alone.
  
• Higher demand for convergence benefits. As the demand for intelligent building benefits increases, so will the demand for the integration of interoperable security systems with other building automation systems.

Not all buildings are currently engaging in environmental controls projects. However, growing general awareness of the convergence trends in building controls will still benefit security manufacturers and vendors who can provide interoperable systems.

Key Points to Consider

Security customer feedback and the development history of interoperability for environmental controls tell us:

• Strong motivations encourage proprietary differentiation among manufacturers.
  
• Customers know the interoperability they want is technically possible.
  
• Achieving interoperability is not easy or rapid, but is inevitable due to customer demand.
  
• Customers can’t postpone security improvements forever (to wait for interoperability) and hate being forced into proprietary solutions.
  
• Customers resent needing an industry (security) that doesn’t seem to care enough about customers’ needs for interoperability.

The key challenge for the security industry is to transition from holding onto customers by means of proprietary lock-in, to holding onto customers by virtue of how well security services and products make the customers’ jobs easier and more productive. Convergence factors have made it technically possible for the security industry to address this challenge in the very near future. The organizations already exist through which the required coordination and collaboration efforts can be accomplished. What will your part be in helping to make this happen?

From Security Technology & Design Magazine, July, 2004.