This is the 43rd article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.
By Ray Bernard, PSP, CHS-III
Electronic physical security systems are cyber-physical systems, and we must update our security design thinking to include what “cyber-physical system” means given the rapid advance of computing and networking technologies.
★ ★ ★ GET NOTIFIED! ★ ★ ★
SIGN UP to be notified by email the day a new Real Words or Buzzwords? article is posted!
Real Words or Buzzwords?
The Award-Winning Article Series
#1 Proof of the buzzword that killed tech advances in the security industry—but not other industries.
#2 Next Generation (NextGen): A sure way to tell hype from reality.
#3 Customer Centric: Why all security industry companies aren't customer centric.
#4 Best of Breed: What it should mean to companies and their customers.
#5 Open: An openness scale to rate platforms and systems
#6 Network-friendly: It's much more than network connectivity.
#7 Mobile first: Not what it sounds like.
#8 Enterprise Class (Part One): To qualify as Enterprise Class system today is world's beyond what it was yesterday.
#9 Enterprise Class (Part Two): Enterprise Class must be more than just a top-level label.
#10 Enterprise Class (Part Three): Enterprise Class must be 21st century technology.
#11 Intuitive: It’s about time that we had a real-world testable definition for “intuitive”.
#12 State of the Art: A perspective for right-setting our own thinking about technologies.
#13 True Cloud (Part One): Fully evaluating cloud product offerings.
#14 True Cloud (Part Two): Examining the characteristics of 'native-cloud' applications.
#15 True Cloud (Part Three): Due diligence in testing cloud systems.
#16 IP-based, IP-enabled, IP-capable, or IP-connectable?: A perspective for right-setting our own thinking about technologies.
#17 Five Nines: Many people equate high availability with good user experience, yet many more factors are critically important.
#18 Robust: Words like “robust” must be followed by design specifics to be meaningful.
#19 Serverless Computing – Part 1: Why "serverless computing" is critical for some cloud offerings.
#20 Serverless Computing – Part 2: Why full virtualization is the future of cloud computing.
#21 Situational Awareness – Part 1: What products provide situational awareness?
#22 Situational Awareness – Part 2: Why system designs are incomplete without situational awareness?
#23 Situational Awareness – Part 3: How mobile devices change the situational awareness landscape?
#24 Situational Awareness – Part 4: Why situational awareness is a must for security system maintenance and acceptable uptime.
#25 Situational Awareness – Part 5: We are now entering the era of smart buildings and facilities. We must design integrated security systems that are much smarter than those we have designed in the past.
#26 Situational Awareness – Part 6: Developing modern day situational awareness solutions requires moving beyond 20th century thinking.
#27 Situational Awareness – Part 7: Modern day incident response deserves the help that modern technology can provide but doesn’t yet. Filling this void is one of the great security industry opportunities of our time.
#28 Unicity: Security solutions providers can spur innovation by envisioning how the Unicity concept can extend and strengthen physical access into real-time presence management.
#29 The API Economy: Why The API Economy will have a significant impact on the physical security industry moving forward.
#31 The Built Environment: In the 21st century, “the built environment” means so much more than it did just two decades ago.
#32 Hyper-Converged Infrastructure: Hyper-Converged Infrastructure has been a hot phrase in IT for several years, but do its promises hold true for the physical security industry?
#33 Software-Defined: Cloud-computing technology, with its many software-defined elements, is bringing self-scaling real-time performance capabilities to physical security system technology.
#34 High-Performance: How the right use of "high-performance" can accelerate the adoption of truly high-performing emerging technologies.
#35 Erasure Coding: Why RAID drive arrays don’t work anymore for video storage, and why Erasure Coding does.
#36 Presence Control: Anyone responsible for access control management or smart building experience must understand and apply presence control.
#37 Internet+: The Internet has evolved into much more than the information superhighway it was originally conceived to be.
#38 Digital Twin: Though few in physical security are familiar with the concept, it holds enormous potential for the industry.
#39 Fog Computing: Though commonly misunderstood, the concept of fog computing has become critically important to physical security systems.
#40 Scale - Part 1: Although many security-industry thought leaders have advocated that we should be “learning from IT,” there is still insufficient emphasis on learning about IT practices, especially for large-scale deployments.
#41 Scale - Part 2: Why the industry has yet to fully grasp what the ‘Internet of Things’ means for scaling physical security devices and systems.
#42 Cyberspace - Part 1: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#43 Cyber-Physical Systems - Part 1: We must understand what it means that electronic physical security systems are cyber-physical systems.
#44 Cyberspace - Part 2: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#45 Artificial Intelligence, Machine Learning and Deep Learning: Examining the differences in these technologies and their respective benefits for the security industry.
#46 VDI – Virtual Desktop Infrastructure: At first glance, VDI doesn’t seem to have much application to a SOC deployment. But a closer look reveals why it is actually of critical importance.
#47 Hybrid Cloud: The definition of hybrid cloud has evolved, and it’s important to understand the implications for physical security system deployments.
#48 LegacyHow you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
#49 H.264 - Part 1Examining the terms involved in camera stream configuration settings and why they are important.
#50 H.264 - Part 2A look at the different H.264 video frame types and how they relate to intended uses of video.
More to come about every other week.
“A cyber-physical system (CPS) is an integration of computation with physical processes. Embedded computers and networks (such as in a vehicle, vacuum cleaner, manufacturing line, robotic surgery system, or city traffic management system) monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa.”
In the May 2018 issue of Security Dealer and Integrator magazine (since rebranded Security Business), Joe Gittens, Director of Standards for the Security Industry Association (SIA), in his article titled, “NIST’s Cyber-Physical Systems (CPS) Framework: A closer look”, wrote, “CPS are more than individual devices or systems – they are systems of systems, and physical security integrators will play a key role in deploying security services that fit harmoniously into a CPS approach.”
To me this was the most important sentence in the article, which discussed cybersecurity for physical security systems, which Gittens stated is a key focus of the Cyber:Secured Forum annual event presented by ISC, PSA Security Network and SIA.
Systems of Systems
Today’s automobiles are good examples of systems of systems. When you see the list, you’ll realize that the auto industry has been working on computing-based vehicle capabilities for several decades. Here are 19 of the many computer-controlled systems, excluding the major electric and hybrid vehicle systems and many autonomous driving systems:
- Airbag system
- Anti-lock braking systems (ABS)
- Automatic windshield wipers
- Backup camera
- Battery management system
- Blind spot monitor
- Cruise control
- Dashboard electronic instrument cluster
- Electronic fuel injection
- Electronic Ignition
- Engine control unit (ECU)
- Entertainment systems
- Power door locks
- Rear-view mirror data display
- Self-dimming headlights
- Self-retracting side-view mirrors
- Tire pressure monitoring system
- Transmission control module
The dashboard electronic instrument cluster itself a good example of a system of systems. It’s displays depict or present the data provided by many systems, one such system being the wireless tire sensor system. Pirelli, an Italian tire company who is a leader in premium and prestige automobile and motorcycle tires, makes such a system, which they call the “Cyber Tyre”.
Microsoft Research provides an interesting high-level technical look at the system, in a 2016 video presentation by Anurag Kumar, Director of the Indian Institute of Science, titled, “Cyber Physical Systems (CPS) over IoT: Inference and Control over Resource Challenged Wireless Networks.” Think of the design challenges involved in taking a sensor that is smaller than a one-half inch cube affixed to the inside of a tubeless tire, and must accurately measure the tire pressure while the tire is bouncing along on a road at 60 miles per hour (10 revolutions per second) and must transmit the tire pressure data to the dashboard’s electronic instrument cluster and/or the car’s electronic control unit.
In his presentation, Kumar describes the future vision for the tire sensor system, which includes reporting not only tire pressure, but also temperature, tire wear, revolutions and providing an imminent failure alert. Furthermore, the system must provide driver decision support including road conditions (slippery, dry, wet, icy) and inform drive train and braking control. Ideally, another system will harvest the motion from the tire and axle, eliminating the need to change the car battery.
It’s a system that collects information and provides it to other systems, all of whom evaluate that and other data collected from multiple systems, and continually updates its digital twin of the vehicle, so as to support automated vehicle management as well as provide driver decision support.
This kind of thinking is nothing new for the auto industry. In my original automotive design engineering role, we had systems thinking drummed into us. When determining the performance requirements of a spring for a passenger compartment’s ashtray lid (no longer a vehicle feature), we’d have to consider the forces operating on the ashtray lid. That included a driver slamming on the brakes, a tire running over a bump or a hole in the road, or a collision impact. All of these had different force dynamics affecting the ash tray, and we had to make sure that the ashtray would remain closed during all of them, so that a still-burning cigarette butt wouldn’t be thrown out of the ashtray and land on the upholstery or carpeting, starting a vehicle fire.
Security Design Thinking
This kind of systems thinking is decades old in the auto industry, but not in the physical security industry. That’s only natural, given the history of security product development and what was feasible to accomplish with earlier technologies.
Now, given the advancement of computing, data processing and related information technology trends, we must update our system design thinking to encompass capabilities and address risks that never before could be considered. This is especially important given the emergence of modern artificial intelligence technologies, IoT, and today’s Internet capabilities.
What does it mean to cyber-enable our physical security operations? That is a question that many of the new AI firms are answering, although they have been keeping those answers under wraps as most of them have been in “stealth mode” for the past few years while they develop and validate their concepts.
Milestone revealed this year that they have an R&D division that’s primarily focused on AI. Milestone Systems unveiled an R&D project that uses AI deep learning to configure video cameras in real time, optimizing their performance based on real-time lighting and other conditions to ensure that the camera is always performing optimally for its specific purpose. See the demonstration video here.
Our security design thinking must change in many ways, including how we think about intelligent devices. Milestone wants to gather camera and AI partners who can help each camera accomplish its mission.
Each intelligent device is a system unto itself. For example, a camera is a sensor system that can provide metadata about what it sees in its field of view, in three dimensions, and provide that information via an API. It contains a web server for manual configuration capabilities and to support the API transactions.
A camera is its own system and can also acts as a part of other systems, such as a security surveillance system a city traffic management system, and a retail store customer behavior tracking system.
This is a novel idea, that devices will have a mission, a role, and active responsibilities within a larger system. They must take direction from a larger system and serve the overall mission and purpose.
This is the vision that Milestone and several of the emerging AI companies have, but overall as designers and employers of modern systems-based technologies, we haven’t fully grasped what this means and thus neither have our customers.
Betamax In a Streaming World
We haven’t fully grasped the implications of the systems of systems concept, including its implications for cybersecurity. Watch the 20-minute June 2019 video in the article titled, “Video: How organizations are coping with today’s cyber-physical security threats”, from Verint’s recent Engage 19 event in Orlando. SecurityInfoWatch.com Editor-in-Chief Joel Griffin sat down with Valerie Thomas, Executive Consultant at Securicon, Eric Michaud, CEO and Founder of Rift Recon, Joe Luna, Founding Partner at Furtim, and Terry Gold, Principal Analyst at D6 Research, to discuss where organizations stand when it comes to protecting physical security systems against cyber threats as well as other cybersecurity trends impacting enterprises today.
Terry Gold starts the discussion off with a description of the state of physical security industry product and system architecture, acknowledging that the security industry is no longer ignoring IT and cybersecurity issues. However, there is still a long way to go, as many industry companies are coming out with a new feature here and there, but still don’t understand how poor the commonly accepted architectures are. Gold stated, “Right now we have an architecture in physical security that’s a wall-to wire, 30-to-40-year old architecture, and we have companies basically coming out with a new feature here and a new feature there, but it’s still Betamax. It’s like Betamax in a streaming world.”
Making Real Progress
The industry won’t make real progress unless we: (a) understand what today’s technologies are capable of and where they are going, and (b) learn from what other industries are doing so that we don’t waste time and money re-inventing the wheel.
Before we can continue with the cyberspace series of articles, we need to finish our examination of cyber-physical systems, because these are now Internet-connected and part of cyberspace. Not the original cyberspace as we first learned of it, which for its first decade had connection points numbering in the hundreds of thousands, none of them cyber-physical. The new cyberspace now has connection points in the billions, many of them cyber-physical and stemming from the Internet of Things (IoT), including our security systems.
We need to understand the design concepts of full-blown cyber-physical systems, not just the kind of security products and systems we have now, which are “baby” systems compare to, for example, self-driving cars and city-wide traffic management systems. We have to explore the possibilities of using IoT technology, not just being labelled as such, so we can answer questions like these:
- What would it look like to fully cyber-enable our physical security operations?
- How could we detect and respond to cyber-enabled adversaries?
- How can a security department provide technology systems that are the systems within other company systems such building automation systems and business operations ?
We’ll answer these questions in the upcoming articles.
I have put together an outstanding panel of experts, including Terry Gold, which I’m moderating for a special session at the September ASIS GSX event in Chicago. Here is a short description of that session.
The Flat and the Furious
Session # 6210 on Wednesday, September 11 from 2:15 p.m to 3:15 p.m.
Global cyber-physical gamers can seriously kick your assets and disappear into thin air! Thomas Friedman’s best-selling book – The World is Flat – doesn’t mention cyber-risk or the Internet of Things. Yet today our super-flattened physical world is cyber-activated with over 23 billion cyber-physical touchpoints.
Being furious in the cyber world has levels of energy, violence and intensity of scale and speed that you don’t want coming at your physical world assets. Don’t have your security cameras hijacked and weaponized for cyber-attacks, or your factory machinery or cars going wild. Cyber-physical experts (security, insurance and technology) explain where cyber-physical threats and counter-measures are going and how you can and must cover your assets now.
I hope to see you there.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.
© 2019 RBCS