IoT Makes New Security Partnerships Essential

Bringing physical security and IT security together can enhance both

For several years now, security professionals have been a part of a remarkable convergence of two worlds – physical and digital. Security systems integrators are shifting from being strictly focused on hardware and electronics to taking into account services, software and networks, and security purchases are increasingly being rolled into IT because the hardware solutions need access to the network. The resulting turf battles have been as predictable as they are heated, with facility managers and CIOs each struggling to do what they think will be best for the facility and its occupants.

But while those battles are being fought, there is another, even bigger, shift that is just beginning to ripple through not just the security industry, but the entire world. The Internet of Things, or IoT, is not just a new trend, it is the next evolution in the revolution that began with the invention of the Internet. It represents a fundamental change to the access control industry that not only affects the kinds of tools we use and how we use them, but also who makes the decisions on the customer side of the table. Most importantly, it is disruptive, in the best and worst possible ways, and we have only just begun to see its potential impact on our lives. Security dealers and integrators have a major role to play here as industry knowledge is critical to preventing consumer exposure to unforeseen difficulties and dangers.

Industry knowledge is critical to preventing consumer exposure to unforeseen difficulties and dangers.

What is the IoT?

The phrase “Internet of Things” was coined by British tech pioneer Kevin Ashton in 1999. The simplest definition and vision of IoT is that billions of sensors and smart devices will connect and share information with each other to enhance the collective experience of the end user. This is done by collecting, cleaning and analyzing the data provided. This, then, allows for predictive and real-time actions to take place on behalf of the user and the associated community.

Getting past the inertia of indecision can often be managed through detailed communication and concrete information about how a building’s systems can live side-by-side and how integration can benefit the customer in the long run.

It helps to think of IoT as the Internet itself, evolved for a third time. In the first two evolutions (or waves) of the Internet, people were connecting via either a desktop computer or laptop or on a mobile device, like a smartphone or a tablet. In the third evolution, smart devices will communicate and deliver information to the Internet without human intervention on a scale that has never been seen before. By the years 2020-2025, it is projected that there will be as many as 50 billion connected devices operating on the planet, generating data in volumes previously unseen.

Irrational Exuberance and (Not So) Irrational Fears

As with any new technology, IoT has given rise to both exuberance and fear. It has become a megatrend, and investors are willing to place significant bets on the perceived desires in the marketplace.

Being able just to connect a product to the Internet is no longer sufficient, and the ability to make a connected security device does not necessarily mean that a company understands how to effectively apply this new technology. A good example of this is the focus by some providers on the convenience of proximity-based auto-unlocking. In some cases, the wow factor has overshadowed the potentially dangerous exposure that comes with opening a door without a clear intent of some kind expressed by the user. The approach to these types of solutions differentiates the thought processes of a security and safety provider from those who see an opportunity but may not have the experience to identify the potential life safety implications.

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”
– Scott Borg

At the other end of the spectrum are those who recognize that exponentially increasing the number of connected devices simultaneously increases the number of potential access points for hackers to exploit. According to security industry analyst Gartner, the black market for fake sensors that would allow data to be compromised or manipulated will be worth upwards of $5 billion by 2020.

And hackers are not the only ones that consumers will need to worry may be spying on them. In February, U.S. Director of National Intelligence James Clapper told a Senate panel, “In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

When added to the almost daily announcements of the latest organization whose data has been hacked, from Target to Neiman Marcus to the U.S. government’s own Office of Personnel Management, all of this creates the not unreasonable impression that digital security solutions are less secure than mechanical ones. It is this public perception of the vulnerability of connected security systems that can create an even greater risk – inaction.

All or Nothing

It is easy to understand why many would feel as though there is not a connected system out there that is “fully secure,” so why spend money on any of them? Consumers are well aware of the risks associated with being an early adopter of any technology or product. No sooner do they invest their money in one item than a competitor will introduce a much better one that, of course, is not compatible with their system.

But doing nothing is not a plan for anything except failure. Instead, one must plan for everything to be hacked from the beginning of the selection process. For example, picking a lock is a hack, as is stealing and using a master key.

What matters most is how quickly and effectively somebody is able to respond to the attack. In many cases, digital solutions can facilitate a faster and more robust response to these situations than a traditional mechanical lock or solution. If the master key is stolen, is it easier to physically rekey each lock, or is it faster and more efficient to change the firmware remotely controlling all of the locks at once with minimal touring? All of these things must be considered when selecting a solution.

Getting past the inertia of indecision can often be managed through detailed communication and concrete information about how a building’s systems can live side-by-side and how integration can benefit the customer in the long run.

Building Automation

The front lines of IoT in the security industry can be seen in building automation. Security integrators are realizing that there is a business opportunity in every building, and access control is just one piece of that potential business. This new technology is enabling the deployment of electronics within a building’s ecosystem of services, from physical access control and logical access to lighting and HVAC systems.

Consider a building where employees scan a badge or present a smartphone-based credential for access. When access is granted, the building’s other systems are triggered to turn on the lights, adjust the temperature and alert security that someone has entered the building. During the day, the network monitors water use, sending an alert to facilities if a restroom faucet is left running or if a normally locked door is left ajar. At the end of the day, the access credential is used to exit the building, triggering the reverse actions of the morning – lights are dimmed, temperatures are adjusted, doors are locked and security is notified. While access control may be the “trigger” for all of these functions, the entire system is based on a sophisticated network.

Doing nothing is not a plan for anything except failure. Instead, one must plan for everything to be hacked from the beginning of the selection process.

Every aspect of a building’s operation ties into a network, including lighting, intercoms, access control, video, fire safety and climate controls. This is further driving the interoperability of these previously disparate systems to enable services such as location-based decision-making that will provide a new level of value to end users.

Creating ROI for End Users

In order to effectively sell a multi-part integrated network, it is critical to be able to pinpoint an end user’s possible return on investment. This can be achieved by a detailed cost analysis that compares current use and expenses to the results that can be achieved through upgrading equipment and integrating technology:

• Upgrading to stand-alone intelligent controllers can reduce lighting expenses by as much as 40 percent.
• Buildings with strong southern light exposure can adjust HVAC and lighting based on actual conditions, rather than a fixed schedule, taking advantage of natural heat and light to reduce energy use.
• Buildings with door and window sensors can detect when doors and windows are open, signaling the system to automatically turn off the HVAC system while also alerting security personnel to a possible unauthorized entry.

These examples of ROI are significant whether customers occupy large commercial office buildings, health care clinics, restaurants, hotels or even manufacturing facilities. Buildings waste a lot of energy. Just propping a door open can cause the HVAC system to go into overdrive, pumping out air and creating significant energy waste. The ROI on building automation can sometimes free up money for other projects while enhancing technology, comfort and security. This can be a game changer for customers in the education, health care and government markets.

When groupings of these smart devices work in unison, they can reveal previously unseen patterns and opportunities. This can generate huge opportunities and, in the case of the security industry, a much more personalized experience for the building user and greater efficiencies for the owner.

Changing Landscapes

Even as this technology is fundamentally changing the traditional boundaries of security, so too is it causing a shift in the decision-making authority from facility managers to IT leadership. This is a trend that began when companies migrated to IP-based video surveillance and access control systems, and IT managers became increasingly involved in physical security decisions. However, in many companies, there still remains a clear division between the physical access control and IT security departments, with little interaction between the two.

Facility managers are frustrated that they are expected to adopt the new IoT technology without much experience. They are also worried about the implications of this change, as they will ultimately be held responsible for it.

Helping to create a working relationship between the CIO and the facility manager is crucial to the successful adoption of IoT in access control.

The CIO is largely unfamiliar with the physical security implications and has serious concerns about the impact this technology will have on the network. Both parties are concerned that, when a building is fully automated and networked, a failure in one area can cause failures in others.

Security dealers, consultants and integrators have a critical role to play in this situation. Helping to create a working relationship between the CIO and the facility manager is crucial to the successful adoption of IoT in access control. Educating the CIO about physical security and bridging the knowledge gaps for the facility manager will be a key differentiator for successful dealers, consultants and integrators as the industry moves to a more IoT-centric mindset.

Providers and integrators are the glue for the coming wave of IoT-enabled facilities. They should present themselves as a coordination point for IoT, where they act as knowledgeable, trusted mediators between the CIO and the facility manager. IoT implementation will move at the speed of that relationship.

Communication is Key

So how does one foster communication between the two worlds of digital and physical security?

• Start early. Make sure the leaders of both areas are involved from the beginning. This will set the tone for working together to jointly develop a solution.
• Make sure both sides have the opportunity to voice their concerns. This will give security the opportunity to understand IT infrastructure and how the addition of locks or cameras can affect the network. It will also give IT a better appreciation of the liability and reputation risks of not having a proper security solution in place.
• Speak both languages. Stay current on the latest fire, life safety and building codes and understand their implications on the products being specified or sold. At the same time, providers and integrators must be able to demonstrate to IT that they can speak their language and understand how the system is being utilized.
• Clearly identify capabilities. Several questions need to be asked, such as:
  • What IT security policies and standards are in place?
  • Can the system support security beyond PCs?
  • How is cabling installed?
  • Is the server environment virtual?
  • Do you maintain backups or do you want the integrator to do that?
  • How do you onboard a new application?
  • How do you want to handle maintenance of the security solution?
  • Think long term. It is important to view the partnership beyond the basics of installation, implementation and maintenance. Consider how to partner throughout the life cycle of the security solution, three, five and even 10 years down the road. This will enable the solution to continue to be effective as security needs – and technology – evolve.

Building Successful Partnerships

Security projects are becoming increasingly complex, often requiring the expertise of several professionals, including architects, IT personnel and even device manufacturers. The challenge is bringing together all of the consultants and working collectively and collaboratively toward a common goal. Because technology, security hardware products and building codes change regularly, or have nuances to them, it is important that a large security project be approached from several angles. One individual or company does not typically possess all of the knowledge that any security project requires, but by garnering the collective brainpower of many advisers, the consultancy team can identify and develop the best solution for a facility today, as well as in the future.

As with any group project, communication is key to ensuring that there are no misunderstandings about who is responsible for what. Once the entire team is assembled, it is helpful to formalize the working relationship by developing an official statement of work that clearly outlines deliverables and expectations for each member of the team. This is also a good time to:

• Clearly outline the project scope
• Identify the expected deliverables
• Prioritize the key elements
• Develop a preliminary timeline
• Estimate a budget range
• Create a list of internal stakeholders

One of the most important decisions will be the selection of the right manufacturer. Security practitioners have the challenge of evaluating all of the people who present their solutions. Some will have incredible funding behind them, but inherent knowledge is crucial as there can be real dangers associated with some of these products. Companies that have experience partnering with other consultants and stakeholders – architects, integrators, IT, one-card providers, building owners, facility managers, etc. – to develop comprehensive solutions are often the best qualified.

Convergence

Many IT departments are struggling to cope with the convergence of so many new technologies on their network infrastructure. In addition to traditional network security threats, they must now also monitor equipment such as HVAC systems and smart grid power monitoring and control devices, as well as IP-based access control systems and networked surveillance cameras, to prevent exploitation of these potentially vulnerable network nodes.

But connected security is also heavily dependent on physical security. An attacker gaining physical access to a terminal where a memory device can be plugged in is all that would be necessary to create a tool to be used in an attack. The lack of integration between physical and connected security creates a number of challenges that can be exploited.

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”
– Scott Borg

As Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, recently commented, “As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”

Ultimately, protecting the most important asset of any company – its people – requires a combination of physical security and cybersecurity. Integrating the two will allow companies to more effectively maximize the strengths and minimize the weaknesses of both while creating a safe, secure, efficient, interconnected and fully automated environment.

Some of these technological changes will occur rapidly, while others may take years to be fully implemented. If the speed of adoption of connected electronics and IoT is to increase, it is vital that people who understand the core elements of physical access control lead the application of these new tools wisely. With the proper focus, this technology can be adopted safely and will generate great benefits.

---

Rob Martens (robert.martens@allegion.com) is the futurist and director of connectivity platforms at Allegion (www.allegion.com).