Real Words or Buzzwords?: Scale (Part 2)

Print Friendly, PDF & Email

This is the 41st article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.

By Ray Bernard, PSP, CHS-III


Why the industry has yet to fully grasp what the ‘Internet of Things’ means for scaling physical security devices and systems.

  • Recently I attended a webinar in which the speaker said, about the physical security industry and video surveillance in particular, “Internet of Things? We’ve been doing IoT long before it was even called IoT.” Statements like this are what prompted me to start writing this Real Words or Buzzwords? series.

    Let’s Get Real

    The accurate statement would have been: “The physical security industry has been mis-doing IoT long before it even heard the word.” As soon as it heard the word, manufacturers began labeling themselves as “IoT companies” and calling their devices “IoT devices” even though the most dangerous thing you could do with them was to connect their devices to the Internet. How do you think millions of cameras and recorders were used to create the largest hacker botnets to date each year for the past three years?

    Regarding scalability, the greatest claim to fame to date for physical security industry devices is that they could be used to build the largest botnets in the world. Why is it that global hackers can manage botnets in the tens and hundreds of thousands of devices, yet we can’t manage a few thousand of them?

    As I mentioned in Scale – Part 1, Rodney Thayer recently pointed in a members-only Security Industry Association “SIA Cyber Office Hours” webinar, that if nearly any end-user customer with high camera counts was told by the FBI, “We have a credible threat against your electronic physical security systems, so update all your firmware and change your passwords immediately,” it would take them months to do it. Worse yet, according to the research my company has done, one-third or more of their cameras would be seriously past their manufacturer’s end-of-life (like some still-very-alive 12- and 14-year old Axis cameras) whose firmware isn’t updatable.

    It seem that Axis Communications, The Boring Lab, Eagle Eye Networks, Milestone, TrendMicro, Viakoo and Vivotek have some clue regarding manageability and cybersecurity, but where is everybody else? Yes, I do know that 29 security industry manufacturers have hardening guides and cybersecurity advice, but how many of them provide true device manageability at a large scale? Less than a handful.

    And I’m only talking about one aspect of scalability – whether you can easily and quickly manage devices at a large scale or not. Hackers can do it – which means there is no excuse for physical security industry companies. But hackers have only focused on managing them for malware operations purposes – not for video management purposes. We just haven’t focused on managing at scale for our purposes, while  hackers have for theirs. Shame on us. This has been seriously bad news for industry customers for some time now – they just don’t complain about it much because they have such low expectations for security industry products.

    I’m saving the rest of the “how we still don’t get the Internet of Things” issues for a future article, because this article is about the appropriate concepts of scale that seem to be absent from our current security industry “thinking caps.”

    Why Do We Have Industry Scale Lag?

    So far, the concepts of scale in our industry have had only three dimensions:

    1. Grow your security system (readers, cameras, alarm points, etc.) to a larger device count without having to rip and replace system components – a 30-year old concept.
    2. Add as many devices as you want to – made possible by expanding the device address scale beyond 255 – another 30-year old concept.
    3. Manage by hierarchy of regions, sites or locations and buildings – a 20-year old concept.

    One of the historical reasons why the physical security industry overall has not expanded its concepts of scale beyond these, is that we weren’t forced to in the same ways that the IT industry was.

    Business information systems have hundreds and thousands of individual users. Physical security systems have historically had a dozen or less system end users, but lots of devices. Device management was performed by contracted installing and servicing personnel. Few end user companies maintained their own physical security technology. That’s different from IT’s situation.

    When IT users, and the number of user computers, grew into the thousands, manageability became a significant challenge that IT solved via automated software tools. That was during the rip-and-replace era of IT – when an organization’s servers and end-user computers were “refreshed” periodically. Decades ago IT refreshes were five to ten years, but soon became every two or three years, at which point refreshes became impractical, and cloud computing arrived – with its continuous delivery approach – in response to four things: the exponential advancement of information technology, higher network bandwidth rates, the emergence of the Internet, and the arrival of mobile personal computing devices.

    Lagging in information technology adoption by at least five to ten years, rip-and-replace physical security system refresh cycles and very low system user counts remained the order of the day until now – when personal Internet-enabled mobile devices and cloud computing in the consumer world created the demand for anywhere, anytime access to security system functionality. Self-service access and visitor management, as well as emergency notification and personal safety features, along with mobile device personal access credentials, have begun to drive security system user accounts up into the hundreds and thousands. However, many deployed physical security system deployments don’t yet include mobile access credentials and personal safety mobile apps.

    Very Different Industry Drivers for Scale

    Thus, the system and end-user-device dynamics for the physical security industry have been very different than for the business systems portion of the IT industry – and so we missed out on many of the drivers for system scale. Business IT systems began serving hundreds and thousands of end users more than two decades ago. Security systems high user counts are a new emergence. Instead of high end-user counts, we got high end-point device counts: readers, door locks, cameras, and intrusion sensors.

    What happened in our industry that was different from IT is that our end-point devices don’t have live end-users. Thus we didn’t get end-device-related complaints like IT did from its end-point device users. And our industry didn’t understand the technology context differences from IT and just didn’t realize that we were about to experience the high-device-count management problems that IT was already busy solving for itself. Our end-point devices were different from IT’s, and our industry was only discussing the convergence of physical security and IT. We didn’t realize that we were building a different type of system than the systems of the business IT world.

    This is also part of the reason that we didn’t catch on to what IoT meant for physical security. Our own personal experiences with IoT have been with consumer IoT devices, which are small-scale systems.

    Article Revision (5/8/2019)

    I added this section the day after this article’s publication. Through some immediate reader feedback I discovered that my use of the term “Enterprise IoT” confused some folks, because it has been variously defined and its definition is still evolving. Enterprise IoT is more a convenient term of reference to frame the scope of a discussion, than it is a technical term with a specific meaning. Some folks classify smartphones as IoT devices (and include them in global billion-scale device counts), and some folks are adamant in excluding them because they are smart devices and they assert that IoT devices are not smart devices. So that means some folks would say that security cameras are IoT devices, and some would say they are not. So I replaced “Enterprise IoT” with “Enterprise IT” and revised the section below.

    Regarding the case of smartphones vs. security cameras as IoT devices, it seems that a workable definition of “Things” for the Internet of Things is any device whose primary purpose is to interoperate with other networked devices rather than acting primarily as a human user interaction device.  That gives us a clear point of differentiation between smartphones and intelligent security video cameras, and I think more broadly applies to many other kinds of connected devices.

    However, we’ve now strayed outside my intended purpose for this article. I think it’s worth examining the various terms relating to IoT, which I’ll do in a separate Real Words or Buzzwords? article. Now back to the discussion at hand about scale.

    User Count and Device Count Scales

    Historically, enterprise high device counts have been computers (workstations, laptops, tablets and now smartphones) used for human interaction. Those number in the thousands or tens of thousands for large enterprises. Security end users have been few per system, until now as web-based applications have emerged for self-service visitor management, self-service physical access control, mobile device  physical access credentials, and personal safety apps all for a building’s occupants and visitors. But historically, we had this picture:

    • Enterprise IT (high end-user counts, high end-user device counts)
    • Industrial IoT (low end-user counts, high sensor and control end-device counts)

    Building control systems (aka building automation systems) and physical security systems are two types of Industrial IoT having potentially high device counts and until now low user counts. My point regarding physical security systems is that we haven’t dealt well with high device counts, and haven’t dealt at all with high end-user counts, and we now need to be doing both well.

    Cyber-Physical Systems

    Cyber-physical systems are systems in which the cyber (computer and networking) elements interact with the physical world as well as the cyber world (what we used to call cyberspace). So thinking about security system devices as IoT devices gives us an incomplete mindset. We must stop thinking of our technologies just as IoT and consider their full cyber-physical system implications before we really understand what IoT, cyber and the Internet mean to our technology.

    I mentioned cyber-physical systems earlier in the Internet+ article, where I provided links to a couple of books that are now very relevant to the physical security industry and our roles in it.

    Wikipedia has a short but good article with an illustration that depicts the various aspects of cyber-physical systems – but it never mentions physical security systems!

    Thus our continuing discussion about scale and security systems requires that the next article looks very closely at the cyber-physical-systems anatomy of physical security systems. In that article we’ll see how physical security systems differ from all the other types of cyber-physical systems, and what the specific aspects of scale are including what IT calls horizontal scaling (adding more hardware instances) and vertical scaling (such as adding more CPU power and RAM). Originally, I thought I’d be writing about those aspects of scale in this article, but I realized that the above discussion needed to come first.

    Cyber-Physical Systems Special Note: I have put together an outstanding panel of experts which I’m moderating for a special session at the September ASIS GSX event in Chicago. Here is a short description of that session.

    The Flat and the Furious

    Session # 6210 on Wednesday, September 11 from 2:15pm to 3:15pm

    Global cyber-physical gamers can seriously kick your assets and disappear into thin air! Thomas Friedman’s best-selling book – The World is Flat – doesn’t mention cyber-risk or the Internet of Things. Yet today our super-flattened physical world is cyber-activated with over 23 billion cyber-physical touchpoints. Being furious in the cyber world has levels of energy, violence and intensity of scale and speed that you don’t want coming at your physical world assets. Don’t have your security cameras hijacked and weaponized for cyber-attacks, or your factory machinery or cars going wild. Cyber-physical experts (security, insurance and technology) explain where cyber-physical threats and counter-measures are going and how you can and must cover your assets now.


    Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

    © 2019 RBCS