This is the 48th article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.
By Ray Bernard, PSP, CHS-III
How you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
★ ★ ★ GET NOTIFIED! ★ ★ ★
SIGN UP to be notified by email the day a new Real Words or Buzzwords? article is posted!
Real Words or Buzzwords?
The Bi-Weekly Article Series
#1 Proof of the buzzword that killed tech advances in the security industry—but not other industries.
#2 Next Generation (NextGen): A sure way to tell hype from reality.
#3 Customer Centric: Why all security industry companies aren't customer centric.
#4 Best of Breed: What it should mean to companies and their customers.
#5 Open: An openness scale to rate platforms and systems
#6 Network-friendly: It's much more than network connectivity.
#7 Mobile first: Not what it sounds like.
#8 Enterprise Class (Part One): To qualify as Enterprise Class system today is world's beyond what it was yesterday.
#9 Enterprise Class (Part Two): Enterprise Class must be more than just a top-level label.
#10 Enterprise Class (Part Three): Enterprise Class must be 21st century technology.
#11 Intuitive: It’s about time that we had a real-world testable definition for “intuitive”.
#12 State of the Art: A perspective for right-setting our own thinking about technologies.
#13 True Cloud (Part One): Fully evaluating cloud product offerings.
#14 True Cloud (Part Two): Examining the characteristics of 'native-cloud' applications.
#15 True Cloud (Part Three): Due diligence in testing cloud systems.
#16 IP-based, IP-enabled, IP-capable, or IP-connectable?: A perspective for right-setting our own thinking about technologies.
#17 Five Nines: Many people equate high availability with good user experience, yet many more factors are critically important.
#18 Robust: Words like “robust” must be followed by design specifics to be meaningful.
#19 Serverless Computing – Part 1: Why "serverless computing" is critical for some cloud offerings.
#20 Serverless Computing – Part 2: Why full virtualization is the future of cloud computing.
#21 Situational Awareness – Part 1: What products provide situational awareness?
#22 Situational Awareness – Part 2: Why system designs are incomplete without situational awareness?
#23 Situational Awareness – Part 3: How mobile devices change the situational awareness landscape?
#24 Situational Awareness – Part 4: Why situational awareness is a must for security system maintenance and acceptable uptime.
#25 Situational Awareness – Part 5: We are now entering the era of smart buildings and facilities. We must design integrated security systems that are much smarter than those we have designed in the past.
#26 Situational Awareness – Part 6: Developing modern day situational awareness solutions requires moving beyond 20th century thinking.
#27 Situational Awareness – Part 7: Modern day incident response deserves the help that modern technology can provide but doesn’t yet. Filling this void is one of the great security industry opportunities of our time.
#28 Unicity: Security solutions providers can spur innovation by envisioning how the Unicity concept can extend and strengthen physical access into real-time presence management.
#29 The API Economy: Why The API Economy will have a significant impact on the physical security industry moving forward.
#30 Future-Proof: What does Future-Proof mean in an era of managed services, continuous delivery, and ever-accelerating technology advancement?
#33 Software-Defined: Cloud-computing technology, with its many software-defined elements, is bringing self-scaling real-time performance capabilities to physical security system technology.
#34 High-Performance: How the right use of "high-performance" can accelerate the adoption of truly high-performing emerging technologies.
#35 Erasure Coding: Why RAID drive arrays don’t work anymore for video storage, and why Erasure Coding does.
#36 Presence Control: Anyone responsible for access control management or smart building experience must understand and apply presence control.
#37 Internet+: The Internet has evolved into much more than the information superhighway it was originally conceived to be.
#38 Digital Twin: Though few in physical security are familiar with the concept, it holds enormous potential for the industry.
#39 Fog Computing: Though commonly misunderstood, the concept of fog computing has become critically important to physical security systems.
#40 Scale - Part 1: Although many security-industry thought leaders have advocated that we should be “learning from IT,” there is still insufficient emphasis on learning about IT practices, especially for large-scale deployments.
#41 Scale - Part 2: Why the industry has yet to fully grasp what the ‘Internet of Things’ means for scaling physical security devices and systems.
#42 Cyberspace - Part 1: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#43 Cyber-Physical Systems - Part 1: We must understand what it means that electronic physical security systems are cyber-physical systems.
#44 Cyberspace - Part 2: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#45 Artificial Intelligence, Machine Learning and Deep Learning: Examining the differences in these technologies and their respective benefits for the security industry.
#46 VDI – Virtual Desktop Infrastructure: At first glance, VDI doesn’t seem to have much application to a SOC deployment. But a closer look reveals why it is actually of critical importance.
#47 Hybrid Cloud: The definition of hybrid cloud has evolved, and it’s important to understand the implications for physical security system deployments.
#48 Legacy: How you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
#49 H.264 - Part 1: Examining the terms involved in camera stream configuration settings and why they are important.
#50 H.264 - Part 2: A look at the different H.264 video frame types and how they relate to intended uses of video.
More to come about every other week.
When it’s not a personal decision (such as a watch or phone) but is an organizational decision, getting legacy technology replaced may not be a simple matter or easy undertaking. It may include accurate documentation of the current state (including operations value) and sound planning that accounts for legacy technology risk, availability of financial resources, synchronization with organizational technology funding cycles and collaboration between the security function and IT.
Reasons for not updating system platforms or an entire class of devices that do need updating include:
- Replacement would be very disruptive.
- Replacement would be too costly (new product plus replacement services).
- Technical risk of the replacement platform falling short of operational needs.
- Critical platform customizations that replacement products don’t include.
- Emerging technologies can provide new capabilities but aren’t complete enough in their features and functions to be able to replace existing technology.
- It’s not worth the money to get the same or just slightly better functionality for a huge expenditure, given that the outdated technology is still operational and being supported.
For decades, the last item on the list has been an often-heard reason for not replacing outdated physical security technology. That’s a reason – right or wrong – why many analog cameras, early-generation IP cameras and Wiegand card readers are still in use. However, the chances of that last bullet item being accurate are becoming slimmer and slimmer, given the nature of technological advancement, the threats against it, and the value of emerging technologies.
Carl C. Weber, in a white paper written for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), warns that just because such systems may be running well, they are not free from risk, because “. . . they were originally designed at a time when security was not a design issue, computer crime was rare (or invisible), and the mechanisms for attack were different, generally relying on physical access and inside knowledge.” This applies to many electronic physical security systems (EPSS). Many security system applications and devices are still being sold that are based on outdated architectures and software code. Because outdated physical security systems detrimentally affected only a handful of staff, there was little chance of employee rebellion over that circumstance. Besides, security personnel are generally highly dedicated to their security objectives and are often more tolerant of technological hardships because technology is just one part of the people-process-technology picture.
However, while their outdated technologies have been standing still, there has been exponential technological advancement both with security technology and with the black hats who wish to attack it.
Therefore, a legacy system shouldn’t be defined just by its age, but by the degree to which it has shortcomings in meeting the needs of the owning or leasing organization, including system cybersecurity. These shortcomings pose operational risks that should be assessed and communicated to high-level risk and finance decision-makers.
8 Ways Legacy Technology Can Fall Short
EPSS technology can fail to be satisfactory even if it still functions as it was originally intended to. Here are eight ways that legacy EPSS technology can represent an operational risk to an organization.
- End of Support Life.
- Cost of Service.
- Relatively Diminishing Operations Value.
Legacy Technology Assessment Factors
Legacy technology should be rated on each of the factors listed above, to enable an overall determination of whether it is feasible and reasonable to eliminate the legacy shortcomings by upgrading to more modern technology now or in the near future. It’s not just about old technology being replaced by new. It’s about eliminating unwarranted operational risks and costs and enabling more efficient and effective security operations.
Cybersecurity. The first generation of IP video cameras were designed without consideration to cybersecurity risks, with most manufacturers advising that they should be installed only on secure networks. The cyber risks from cameras have been well-publicized in recent years. However, due to the early history of camera firmware updates being timely and troublesome, with some cameras bricking, most organizations with high camera counts (several thousand to more than ten or twenty thousand) have made it a practice not to update firmware unless absolutely necessary.
Fortunately, Viakoo has developed a way to properly manage and automate camera firmware updates. Through integration with video management software, Viakoo’s Camera Firmware Update Manager automatically stops camera streaming before the firmware update and restores it afterwards, eliminating a common cause of camera firmware update problems.
Cameras beyond their end of support life (no firmware updates available) should be replaced as they remain a source of cyber vulnerabilities.
End of Support Life. End of support life means that cameras can’t be updated when cyber vulnerabilities are discovered. Prudent planning would include two elements. First, identifying replacement models and monitoring the status of camera vulnerabilities, so that on vulnerability discovery the cameras can be replaced. Second, developing an approved camera replacement program that includes optimizing the cameras functions for their designated purposes and target areas.
Scalability. In a recent Real Words or Buzzwords? article about the manageability of EPSS platforms I wrote, “‘Management at scale’ is a concept that seems to have avoided the general physical security industry mindset.” Many security system software platforms don’t scale up well as the size of the technology deployment increases. Because it’s a problem that grows gradually, security operations personnel “learn to live with it” even though there are many valid reasons for upgrading or replacing such software. It’s something to be considered when evaluating the state of EPSS technology.
The same “learn to live with it” situation can exist at the corporate level for organizations having disparate brands of access and video systems for a variety of reasons, including the fact that earlier technologies did not scale up to the numbers of sites that current technologies support. This can be a frustration for corporate security investigative personnel who are unfamiliar with the variety of systems installed and must rely on others to search through logs and records. There is the additional challenge of collecting evidence across disparate systems when trying to make the business case for changes to security or business processes or procedures.
Modern technology, like the AI-enabled video analytics product line from BriefCam, can provide corporate and business personnel with uniform advanced video review and data analysis capabilities across all facilities for security and business operations, including dashboards enabling cross-facility data comparisons. These are especially valuable for retail organizations because they provide daily insight into common oversight factors including quality of merchandise displays, general store appearance and stock room status, customer interactions as well as the effectiveness of promotional campaigns on a per store basis.
Such technology can be used to provide a unified experience across disparate legacy systems on an immediate basis, providing significant operational benefits while legacy site technology is upgraded over time, prioritized according to site needs.
Integration/Interoperability. When there are potential integrations of value to security operations that the current technology cannot support, that along with other improvements may be a valid reason to upgrade.
Compatibility. Often new technology is not supported by legacy systems, another reason to evaluate what security operations capabilities could be like if more modern technology was in place.
Cost of Service. Sometimes the cost of servicing legacy EPSS deployments rises over time for a variety of reasons. Charting the cost over time can reveal what the cost trend is and when it makes sense to perform an upgrade or replacement. See these articles: Total Cost of Ownership and Are Integrators Overlooking Total Cost to Serve?.
Relatively Diminishing Operations Value. Many security industry companies have adopted the product development practice of continuous delivery, and many EPSS product capabilities advance on a continuing basis. As a result, tracking the capabilities of potential replacement products it requires more than occasional trade show attendance. Furthermore, tracking product roadmaps is even more important, so that you can get advanced approval of the upgrade you want to perform when the new technology operational capabilities match your needs.
Non-Compliance. Recently, an electric utility company had to replace nearly 40% of its video surveillance cameras, all of which were functioning well. These cameras – some 14 years old – were beyond their end of support date and had firmware that could not be updated to eliminate the now-known cyber vulnerabilities. This was a situation unacceptable under the NERC-CIP security standards.
Fortunately, they had planned to phase them out and did so over a two-year period. In the process, they obtained the opportunity to upgrade low-resolution cameras to higher resolution models where that made sense. Other organizations in the same situation who didn’t plan ahead found themselves faced with sizeable expenditures, resulting in delays to funding for business improvements.
A bigger issue can be non-compliance with IT policies and practices for the cybersecurity of the organization’s networked systems. Now that video is easily sharable on consumer devices like phones and tablets, many business sectors have found significant operations value in sharing security video with non-security personnel.
Many organizations that have more than a dozen or so cameras have a mix of old and new cameras. It’s often the case that the cybersecurity risk from older cameras is not being considered, in violation of existing company policy and practice for networked systems and devices.
Legacy Upgrade Planning
An EPSS legacy assessment should include a planning step that prioritizes EPSS technology upgrades and replacements based on the criticality of the eight factors listed above. As I wrote about it for Security Technology Executive magazine, in the IT domain it’s called technology lifecycle management. UNICOM Government published a very helpful white paper about it that covers all the bases. Some of the material in my article and their paper may assist you in developing your legacy technology update strategy.
About the Author:
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.