This is the 48th article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.
By Ray Bernard, PSP, CHS-III
How you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
The Gartner definition of a legacy system is: “An information system that may be based on outdated technologies, but is critical to day-to-day operations.” That makes sense. If it’s not critical to day-to-day operations, being outdated is not that big of a thing. If it is critical, then the fact of being outdated can cause problems beyond just “not looking modern” or “not being the latest.”
When it’s not a personal decision (such as a watch or phone) but is an organizational decision, getting legacy technology replaced may not be a simple matter or easy undertaking. It may include accurate documentation of the current state (including operations value) and sound planning that accounts for legacy technology risk, availability of financial resources, synchronization with organizational technology funding cycles and collaboration between the security function and IT.
Reasons for not updating system platforms or an entire class of devices that do need updating include:
- Replacement would be very disruptive.
- Replacement would be too costly (new product plus replacement services).
- Technical risk of the replacement platform falling short of operational needs.
- Critical platform customizations that replacement products don’t include.
- Emerging technologies can provide new capabilities but aren’t complete enough in their features and functions to be able to replace existing technology.
- It’s not worth the money to get the same or just slightly better functionality for a huge expenditure, given that the outdated technology is still operational and being supported.
For decades, the last item on the list has been an often-heard reason for not replacing outdated physical security technology. That’s a reason – right or wrong – why many analog cameras, early-generation IP cameras and Wiegand card readers are still in use. However, the chances of that last bullet item being accurate are becoming slimmer and slimmer, given the nature of technological advancement, the threats against it, and the value of emerging technologies.
Carl C. Weber, in a white paper written for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), warns that just because such systems may be running well, they are not free from risk, because “. . . they were originally designed at a time when security was not a design issue, computer crime was rare (or invisible), and the mechanisms for attack were different, generally relying on physical access and inside knowledge.” This applies to many electronic physical security systems (EPSS). Many security system applications and devices are still being sold that are based on outdated architectures and software code. Because outdated physical security systems detrimentally affected only a handful of staff, there was little chance of employee rebellion over that circumstance. Besides, security personnel are generally highly dedicated to their security objectives and are often more tolerant of technological hardships because technology is just one part of the people-process-technology picture.
However, while their outdated technologies have been standing still, there has been exponential technological advancement both with security technology and with the black hats who wish to attack it.
Therefore, a legacy system shouldn’t be defined just by its age, but by the degree to which it has shortcomings in meeting the needs of the owning or leasing organization, including system cybersecurity. These shortcomings pose operational risks that should be assessed and communicated to high-level risk and finance decision-makers.
8 Ways Legacy Technology Can Fall Short
EPSS technology can fail to be satisfactory even if it still functions as it was originally intended to. Here are eight ways that legacy EPSS technology can represent an operational risk to an organization.
- End of Support Life.
- Cost of Service.
- Relatively Diminishing Operations Value.
Legacy Technology Assessment Factors
Legacy technology should be rated on each of the factors listed above, to enable an overall determination of whether it is feasible and reasonable to eliminate the legacy shortcomings by upgrading to more modern technology now or in the near future. It’s not just about old technology being replaced by new. It’s about eliminating unwarranted operational risks and costs and enabling more efficient and effective security operations.
Cybersecurity. The first generation of IP video cameras were designed without consideration to cybersecurity risks, with most manufacturers advising that they should be installed only on secure networks. The cyber risks from cameras have been well-publicized in recent years. However, due to the early history of camera firmware updates being timely and troublesome, with some cameras bricking, most organizations with high camera counts (several thousand to more than ten or twenty thousand) have made it a practice not to update firmware unless absolutely necessary.
Fortunately, Viakoo has developed a way to properly manage and automate camera firmware updates. Through integration with video management software, Viakoo’s Camera Firmware Update Manager automatically stops camera streaming before the firmware update and restores it afterwards, eliminating a common cause of camera firmware update problems.
Cameras beyond their end of support life (no firmware updates available) should be replaced as they remain a source of cyber vulnerabilities.
End of Support Life. End of support life means that cameras can’t be updated when cyber vulnerabilities are discovered. Prudent planning would include two elements. First, identifying replacement models and monitoring the status of camera vulnerabilities, so that on vulnerability discovery the cameras can be replaced. Second, developing an approved camera replacement program that includes optimizing the cameras functions for their designated purposes and target areas.
Scalability. In a recent Real Words or Buzzwords? article about the manageability of EPSS platforms I wrote, “‘Management at scale’ is a concept that seems to have avoided the general physical security industry mindset.” Many security system software platforms don’t scale up well as the size of the technology deployment increases. Because it’s a problem that grows gradually, security operations personnel “learn to live with it” even though there are many valid reasons for upgrading or replacing such software. It’s something to be considered when evaluating the state of EPSS technology.
The same “learn to live with it” situation can exist at the corporate level for organizations having disparate brands of access and video systems for a variety of reasons, including the fact that earlier technologies did not scale up to the numbers of sites that current technologies support. This can be a frustration for corporate security investigative personnel who are unfamiliar with the variety of systems installed and must rely on others to search through logs and records. There is the additional challenge of collecting evidence across disparate systems when trying to make the business case for changes to security or business processes or procedures.
Modern technology, like the AI-enabled video analytics product line from BriefCam, can provide corporate and business personnel with uniform advanced video review and data analysis capabilities across all facilities for security and business operations, including dashboards enabling cross-facility data comparisons. These are especially valuable for retail organizations because they provide daily insight into common oversight factors including quality of merchandise displays, general store appearance and stock room status, customer interactions as well as the effectiveness of promotional campaigns on a per store basis.
Such technology can be used to provide a unified experience across disparate legacy systems on an immediate basis, providing significant operational benefits while legacy site technology is upgraded over time, prioritized according to site needs.
Integration/Interoperability. When there are potential integrations of value to security operations that the current technology cannot support, that along with other improvements may be a valid reason to upgrade.
Compatibility. Often new technology is not supported by legacy systems, another reason to evaluate what security operations capabilities could be like if more modern technology was in place.
Cost of Service. Sometimes the cost of servicing legacy EPSS deployments rises over time for a variety of reasons. Charting the cost over time can reveal what the cost trend is and when it makes sense to perform an upgrade or replacement. See these articles: Total Cost of Ownership and Are Integrators Overlooking Total Cost to Serve?.
Relatively Diminishing Operations Value. Many security industry companies have adopted the product development practice of continuous delivery, and many EPSS product capabilities advance on a continuing basis. As a result, tracking the capabilities of potential replacement products it requires more than occasional trade show attendance. Furthermore, tracking product roadmaps is even more important, so that you can get advanced approval of the upgrade you want to perform when the new technology operational capabilities match your needs.
Non-Compliance. Recently, an electric utility company had to replace nearly 40% of its video surveillance cameras, all of which were functioning well. These cameras – some 14 years old – were beyond their end of support date and had firmware that could not be updated to eliminate the now-known cyber vulnerabilities. This was a situation unacceptable under the NERC-CIP security standards.
Fortunately, they had planned to phase them out and did so over a two-year period. In the process, they obtained the opportunity to upgrade low-resolution cameras to higher resolution models where that made sense. Other organizations in the same situation who didn’t plan ahead found themselves faced with sizeable expenditures, resulting in delays to funding for business improvements.
A bigger issue can be non-compliance with IT policies and practices for the cybersecurity of the organization’s networked systems. Now that video is easily sharable on consumer devices like phones and tablets, many business sectors have found significant operations value in sharing security video with non-security personnel.
Many organizations that have more than a dozen or so cameras have a mix of old and new cameras. It’s often the case that the cybersecurity risk from older cameras is not being considered, in violation of existing company policy and practice for networked systems and devices.
Legacy Upgrade Planning
An EPSS legacy assessment should include a planning step that prioritizes EPSS technology upgrades and replacements based on the criticality of the eight factors listed above. As I wrote about it for Security Technology Executive magazine, in the IT domain it’s called technology lifecycle management. UNICOM Government published a very helpful white paper about it that covers all the bases. Some of the material in my article and their paper may assist you in developing your legacy technology update strategy.
About the Author:
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.