Now more than ever the importance of integrated security solutions, including access control, alarms, CCTV and automation with remote management capability, have come to the fore. But despite the hype, there’s nothing easy about integrating security and automation solutions.
INTEGRATION has been the Holy Grail of electronic security for decades, as security managers seek ever more powerful situational awareness using technology more effectively and more efficiently. Advances in networking and management software, as well as SDK’s and API’s, have made the creation of integrated solutions easier, but there’s still nothing simple about creating an overarching management system.
According to Brad Sheen of Inner Range, the key to successfully integrating access control, automation and video surveillance is all about obtaining situational awareness.
“It’s about empowering the security operations team with a simplified and single user interface, rich in graphics and able to provide targeted data on demand is the key,” Sheen says. “The system needs to provide a detailed action plan quickly upon the receipt of an alarm or escalated alert. The information needs to be accurate without being overwhelming or lacking key details.
“The same goals need to be achieved when generating reports for the users regarding automated devices, intrusion sensors and much more. Given the evolution in the CCTV space, Inner Range’s Melbourne-based engineering team works closely with our technology partners, ensuring features obtained from modern analytics and innovations are seamlessly integrated.”
A key choice when it comes to integration is going for an open or a proprietary solution. In Sheen’s experience, open and proprietary solutions have pros and cons that are sensitive to individual applications, and he says a healthy balance is the best option.
“Closed protocol deployments are typically restrictive and limited in functionality, integration capability, and lack service providers who are factory-supported, which could affect local stock availability,” Sheen explains.
“Open protocols could jeopardise security, deliver solutions which have never been tested and could cause conflict in other areas of the system. Best practice is to only use open protocol devices or integrations which have been tried, tested, endorsed and are supported by both manufacturing parties.”
Something else that’s vital with integrated solutions is ensuring end users focus on realistic operational goals during the planning process, while avoiding over promising on what can be achieved at a realistic cost.
“It’s essential to ensure the client has clear operational goals and an understanding of the expected functionality that comes from deploying an integrated system,” Sheen says. “The integration is being completed for a purpose – that might be simplicity of management, detailed reporting and a high level of control. Or perhaps the integration allows data to be compiled in one system, reducing operational and training costs, improving data consistencies, saving time on administration and delivering reports via a single source of truth.
“But if the integration is not deep enough and the delivered solution doesn’t meet the client’s operational goals and expectations, simplicity is not achieved, and the systems may perform to perform better if left segregated.”
Sheen argues open protocol systems are not necessarily security risks.
“Open protocol does not mean open-door security risk – these ideas should not be confused,” he explains. “The key word here is protocol. It is preferential to integrate using open protocols, because the source code of these protocols is freely available and subsequently scrutinised by the cyber security industry to the benefit of the protocol and its users.
“Open protocols are used all the time to secure our communications, systems and databases, for instance SSL/TLS, IPSEC, DNSSEC, SSH, WPA2, etc. Ensuring only the required strings of data and their associated populations are disclosed is what creates a secured network. To reduce the challenge of integrating third party systems, be sure to integrate systems that use standard/open protocols and have been integrated in a deep and mature way by their developers.
“These mature integrations are feature-rich and have overcome the setup and operational challenges that hamper integrations with less real-world feedback. As a mature solution, Inner Range integrates to over 60 different systems across a variety of industries, for instance, CCTV, BMS, intercoms, visitor management, lifts, duress, etc.”
Is the network side the most important part of an integrated solution, in Sheen’s opinion?
“The network is the veins to feed the brains,” he explains. “Without quality network infrastructure and suitable data communication permissions, the teamwork between the integrated solutions can’t make the dream work. Restrictions or delays in data communications will create a faulty integrated solution. When used for automation applications, this can create a snowball effect of failures throughout the flow of processes.
“Networking is certainly a leading consideration in integrating a modern IP-based security platform with an IP CCTV solution,” Sheen says. “Networking maximises ease of deployment so multiple databases can migrate and populate data seamlessly from a LAN device all the way through to servers – whether on site, remote or virtual machines.
“As a manufacturer, it’s essential for us to maintain up to date integrations with our many CCTV technology partners and their individual, evolving platforms and versions. Given Inner Range’s engineering team is based in Melbourne, we have the best resources available to ensure integrations are maintained at the highest level for our local Australian and global market.
“With a networked, integrated system it’s also essential to consider the data management and associated risks in deploying a single, or multiple IP based integrations on a network. Increased traffic of data is required to flow seamlessly for the integration to perform. The potential for cyber-attacks could increase given the volume of devices needing to communicate and their individual methods in communication.
“The best standard practices about hardening a system and network always apply, for instance, changing default passwords, patching/updating, isolating systems and network, password policy, etc. Deployment of closed protocol integrations, which are endorsed by both manufacturer parties, is also suggested. When deploying a custom integration, it’s suggested to engage a network professional to ensure cyber security protection is paramount and the deployment and maintenance will not expose the client to any potential risks.”
A decision some security managers and their integrator partners are going to battle with will be how to manage an integrated solution – through a video management system, a security management system or a PSIM. According to Sheen, there’s no single answer – the solution depends on the needs of the customer, specifically on their risk profile.
“Some customers will largely be focussed on access control and alarm management, with a lesser focus on CCTV/VMS – for example an infrastructure or utility provider with a huge number of remote assets, many of which have low-bandwidth links that support alarm/access management, but not CCTV,” he explains. “In this case, a powerful security management system with sophisticated alarm management capabilities built from an underlying access and intruder system would be most beneficial.
“On the other hand, some customers will drive their security operations through the CCTV/VMS – a shopping centre which only needs a handful of access control doors but has hundreds of CCTV cameras.”
When it comes to the physical installation challenges of any major integration there’s plenty for integrators to think about.
“An initial consideration involves the communication methods to circulate data to and from every device – WAN/LAN, Mobile or RS-485 BUS communication,” Sheen explains. “In the case of Inner Range, considerations for solutions should consist of IP-based head end controllers which offer both flat or deep architectural expansion though our TCP/IP, fibre, wireless or RS-485 BUS of modules and field devices to maximise the expansion. The Inner Range Multipath T4000 uses 3G/4G communication to provide live bi-directional communication for mobile assets or sites with no existing communication infrastructure.”
Another consideration is ensuring physical space is made available to enclose the controlling hardware and thought is given to maximising the efficient use of that space. An example is the innovation of hinged expansion plate which can increase enclosure capacity by up to 30 per cent. Also having over 6 different enclosure designs, supplying the best solution for the required project or the consideration for the likes of 2RU rack-mounted secure drawer.
For Gallagher’s Mike Margrain, the key to successfully integrating access control, automation and video surveillance is by starting with clearly defined requirements.
“Knowing what you want to achieve and why is the foundation for any successful integration – this ensures your solution will not only meet functional requirements but do so in a reliable way,” Margrain explains. “A robust interface between systems typically relies on mature SDKs or APIs, and reliable networking, whatever that transmission medium may be.
“When it comes to realistic operational goals, the most realistic part will often come down to project capital. A lot is achievable with the right amount of development effort — ultimately translating to dollars. A realistic goal will therefore be one that aligns technology with budget, and a solution that meets functional requirements with an intuitive interface for operators.”
When it comes to open or proprietary solutions Margrain says each approach has its benefits.
“Open systems or protocols have the benefit of peer review from a wide industry, which is particularly important when it comes to cyber security,” he explains. “Sometimes open standards can be very fluid, especially in early development stages, which can create issues of compatibility or reliability. This open approach can mean slower development or even a lack of features—trying to do too much for too many systems. Where an open solution works, it works very well.
“Meanwhile, proprietary solutions can address issues where a single vendor is not constrained by the needs of others and is free to develop robust and secure technologies at a faster rate. Ultimately, it can be said that the best systems will employ a combination of open and proprietary technologies—where each will have a fit in different parts of the platform.”
The greatest challenges when integrating the most common access control solutions and CCTV solutions can revolve around each system’s capacity to integrate, according to Margrain.
“Robust and well documented SDK’s and API’s are critical to the success of these integrations,” he says. “Vital, too, are strong, clear paths of communication between all parties involved. Test harnesses also assist in ensuring everything works right through the development process. Missing/ambiguous documentation or poor support and backup can severely impact the success of an integration, leading to extended projects, poor outcomes and massive cost overruns. Thankfully, most systems now tend to have a long history of lessons learnt.”
Is it easier to manage an overall solution via the VMS, the access control and alarm system, or via a PSIM, in Margrain’s opinion?
“An ISMS/PSIM tends to provide a better platform for centralised management than a VMS typically can, given these systems have much stronger frameworks in place to manage incidents and provide site reporting,” he explains.
“Regardless, there is value in enriching the VMS with information from the SMS so an operator utilising either system can perform a function with more useful information than would otherwise be available. No integration will ever replace all functions of a subsystem and there is always value in making some low-level functions available to experienced operators within those individual systems.”
For Margrain, the robustness of underlying SDKs or APIs is the most important part of any successful integrated solution.
“Without this the necessary functions may not exist, or the solution could be unreliable,” he says. “In today’s world, cyber security is a crucial aspect that must be handled well and maintained with evolving threats. A reliable network is still critical, but some integrations may still perform well under high latency, packet-loss, or jitter — subject to the functional requirements and capabilities of those endpoint systems.
“The security of a total solution is only as strong as its weakest link and unfortunately not all systems treat cyber security in the same way,” Margrain says. “Many systems still have no encryption at all, let alone strong encryption. Utilising open standards with peer-reviewed cryptography, strong ciphers and keys, adequately securing keys and certificates, and employing perfect forward secrecy where possible are all areas that should have serious focus for any vendor serious about cyber security.
“Further, constant improvement is important in this space as what is treated as secure today, may not be secure tomorrow. End-users should ensure that their vendors have dedicated penetration and cyber security review teams, utilising both internal and external audits and vulnerability disclosure policies should be made available, with clearly defined patch and support mechanisms in place.”
Is it fair to say that open protocol subsystem communications are a serious security risk in Margrain’s opinion?
“Not necessarily – the benefit of an open system is that it’s able to be peer reviewed by a large part of the industry and this brings with it a level of collaboration and transparency that’s especially important with cyber security,” Margrain says. “Unfortunately, many open protocols are old and were developed when cyber security was an after-thought, so they are not at the standard considered best practice today.
“Conversely, some newer open protocols end up with compromises in order to be interoperable with a wide number of systems. The suitability of open protocols and the security of them should absolutely be part of the decision-making process during vendor or product selection.”
For security integrators, how difficult is managing the integration process – what should they be looking out for in terms of controlling the process and the wider circle of interest groups, in Margrain’s opinion?
“Security integrators should have a clear understanding of functional and non-functional requirements with system integrations,” he says. “This requires a strong level of collaboration with the end-user – and a consultant if involved – as well as relationships with vendor product management and support staff. This ensures questions can be answered quickly and issues resolved adequately and promptly. Problems tend to arise when there is no communication, or when there is separation causing slow progress. Strong communication channels are crucial during this process.”
Meanwhile, Genetec’s Lee Shelford argues the key to successfully integrating access control, automation and video surveillance is having a single application to install, maintain and train users on – as well as a single pane of glass to laser focus the operator’s attention and workflow.
“This helps simplify and enhance the customer experience, but integration only gets us halfway there,” Shelford explains. “It’s the unification of video surveillance, access control and automation, along with other key systems like license plate recognition and intrusion, that drives optimal results.”
When it comes to open or proprietary solutions, Shelford says everything can work.
“I believe freedom of choice should be something that everyone has access to – whether in their personal, professional or security lives,” he says. “End users should be able to choose hardware based on their preference or requirement, be it aesthetics or advanced security features, budget or local support capability.
“As an industry we saw this with the standardisation of IP camera codecs with ONVIF – today security managers wouldn’t even contemplate adding a proprietary CCTV device to their network. Why shouldn’t access control customers have the same level freedom of choice with open platform systems allowing multiple access control brands to be connected to the same system via a single unified platform?
“The unification of systems allows for much deeper functionality between them because they’re all part of the same system, rather than being integrated via a potentially limiting API or SDK. Having a unified solution allows customers to push their operational goals further than previously imagined. It also allows the software vendor to educate the customer on how we can help improve their operations using unification and technology.”
When it comes to the greatest challenges when integrating the most common access control solutions and CCTV solutions, Shelford says a few points stand out.
“When the access control hardware manufacturer is part of the software vendor’s ecosystem there are usually very few challenges, as both R&D teams work together,” he explains. “With Genetec for instance, this also applies to our CCTV technology partner eco-system; we write and test firmware, drivers, extensions and the application together, so devices are connected securely at their maximum potential to the platform.
“When an integration outside this ecosystem is required, we are in the hands of how much functionality can be accessed by the API or SDK – sometimes it’s either technically or purposely restricted by the 3rd party manufacturer. There are also often version control complexities, as well as security risks. For instance, how do you know how secure your integration is if it was written by the 3rd party manufacturer or even an independent developer? You are only as strong as your weakest link in the chain.
“The ideal scenario when 2 systems do require integration via API’s and SDK’s is that both vendors collaborate on the integration, with a comprehensive and functional plugin developed internally by the software vendors themselves. This kind of close collaboration ensures that security, functionality and version control are all maintained.”
Is it easier to manage an overall solution via the VMS, the access control and alarm system, or via a PSIM, in Shelford’s opinion?
“When a unified platform is leveraged and the front-end administration and management is conducted via a single application, report filters and layouts are identical across all functions,” he explains. “Further, this allows for assets from CCTV, ACS, intrusion and LPR to be included in the same report or dashboard.
“This is perfect for a Monday morning email or a glimpse at the monitor wall dashboard to see exactly how well your system is performing, if you have any offline devices and how well the day is going to go. All this can be achieved without the cost and version control complexity of having a PSIM over the top of everything.”
When it comes to automation, how big a challenge is it to automate third party systems in a meaningful way?
“It can be a huge challenge to tap into IoT and automation edge devices and systems,” Shelford explains. “A major challenge is making sense of the sea of additional data we need to ensure we can shape, visualise and act upon. Genetec uses a protocol gateway device to translate and transform this data. This is very powerful, as it allows us to run analytics at the edge to make even more sense of what we are receiving. We then securely pass this refined metadata onto our IoT platform to leverage computer learning and correlation engines to further filter and act upon the data in a meaningful way.”
According to Shelford, a customer’s network is always important, but in a unified platform the network just needs to connect edge devices to the core platform. The different roles within the platform – video, access control, LPR, automation, intrusion, etc – are part of the same code and application, so all communication over the network between them is encrypted and secure in flight, even the video.
“And obviously the security of security is of paramount importance,” he says. “A unified approach allows network security by default and with an open platform ecosystem, the platform is able to advise when connected hardware, whether it be CCTV cameras, ACS controllers, LPR cameras or other devices, have weak or default passwords, old or vulnerable firmware, or have been attacked or compromised.
“It’s absolutely not fair to say open subsystems are not secure; the use of open protocol subsystems and standards allows for increased standardisation across the industry. It’s the transport method in which these subsystems communicate that needs to be secure and encrypted, like SRTSP, HTTPS and SIPS with TLS for example.”
According to Shelford, in terms of controlling the integration process, integrators working with a unified solution will find it allows for reduced risk and exposure during deployment or migration, single application training and configuration, and the ability to deliver native redundancy across all of the platform’s roles to minimise downtime and ensure zero risk during version upgrades. Most importantly, it means one phone number for support, with no finger pointing in the event of an issue.
“With a unified platform supporting all the required roles and tasks, including video, access control, SIP audio, LPR, automation and intrusion, the physical installation has never been simpler,” he explains. “All of the software is part of the same platform, sizing and design is risk-free, you know exactly how many servers or virtual machines you need to deploy for the number of cameras, doors, SIP devices, LPR cameras, etc.
“With a unified software solution coming from a single vendor, the use of appliances with hardware designed from the ground up with the application and performance in mind allows for maximum density, hyper convergence, cyber hardened out of the box and even the application pre-installed. This further reduces deployment delays and risk for the SI and end user.”
According to Trent Schroeter of Saab Australia, the key to successfully integrating access control, automation and video surveillance is to look at the whole outcome sought, rather than focussing on individual sub-systems, or integration platform/subsystems being used to provide whole of system integration.
“The solution can be bigger than the individual parts by allowing each subsystem to augment the functionality of another to achieve a multiplier effect,” he explains. “The subsystem or dedicated integration platform chosen to provide the integration must be easy to use, as success is measured equally in terms of user acceptance, as well as a measure of pure functionality provided.”
When it comes to open or proprietary solutions, Schroeter says open systems allow the integrator to have total flexibility over the choices of solutions they can use to achieve the integration.
“Proprietary systems do not allow this level of flexibility, so they do not always provide the best outcomes for the client, as they often restrict choices that can be made either during initial system delivery, or as part of system life cycling,” he explains.
“It’s very important that the system integrator conducts extensive and collaborative user workshops with stakeholders and end-users to ensure that all parties understand up front what is planned and what can be achieved as part of the integration. User workshops allow a customer to dream the dream operationally – to understand what is possible and feasible.”
According to Schroeter, some of the greatest installation challenges include finding a match between the functionality required and the features supported across subsystems that support integration to each other.
“They may not be a combination of vendor subsystems that when combined provide the entire set of features sort as part of the system integration,” he explains. “That’s when the use of an integration platform to allow the missing ‘glue’ to be inserted often becomes invaluable.”
On the question of managing an integrated solution via VMS, access control and alarm management system, or via PSIM, Schroeter has clear ideas.
“It’s definitely easier to manage the overall solution via a PSIM, as a PSIM is designed specifically to provide a single integrated solution for a control room,” he explains. “It means that you can decouple the rollout of the subsystems from each other, allowing parallel rollout and focus on ensuring that each subsystem is able to be progressed without cross-dependencies.
“Once a solution is in service, a PSIM-based solution will provide greater flexibility, in the way that life cycling and enhancements can be progressed. By design, a PSIM abstracts and amalgamates the functions of the underlying subsystems. This allows new subsystems to be introduced, for example, a new CCTV subsystem, with little or no impact to the end-user. This then allows an integrator or maintainer to seamlessly expand or lifecycle an existing solution with a different subsystem, without impact to the end-user.”
The size of the challenge to automate third party systems comes down to a ‘depends’ response, according to Schroeter.
“If the site is a greenfield integration then it is not a challenge to achieve, as an experienced integrator will ensure that the total requirements of the integration are understood prior to the selection of the underlying subsystems,” he explains. “This selection process is dependent on the experience of the integrator with a number of subsystems in each of the functional areas of VMS, access control and intruder detection.
“Having a number of candidate suppliers of technology for each of the subsystems means that an integrator can choose the subsystems that meet the automation requirements for the project, rather than being forced to use a subsystem because it is already present (brownfield site). That’s where the ‘depends’ comes in. No matter how good your integration platform (or PSIM) is, trying to obtain suitable integration from an existing 3rd party system running at a customer site outside of the control of the integrator can sometimes present a challenge when trying to achieve the desired level of automation.”
Is it fair to say open protocol subsystem communications are a serious security risk and if so, what’s the solution?
“Security through obscurity is not a valid mechanism,” Schroeter says. “Open protocol subsystems are not any less secure than closed protocol subsystems. An open protocol does not inherently mean there are security risks, assuming that the protocol has been designed to be secure. If a protocol is open it can be easily scrutinised by others to identify potential flaws or security concerns in the design.
“I would clarify that an open protocol is not the same as open communications. Open communications imply all data is sent and received in an easily interpretable format, including plain text, which can be a major concern for information leakage, privacy and information interception, and network attacks.
“Working around this is now very easy, with the availability of certificate-based authentication and perfect-forward-secrecy based encryption protocols supported by class leading subsystems or provided by network infrastructure. Layered over this should be a restrictive network design, to ensure that communications are restricted to those communications that are expected, via appropriate traffic routing and firewalling.”
Is the network side the most important part of an integrated solution, in your opinion?
“The network is not the most important part, as the network is an enabler for the deployment of a solution, rather than the solution to the problem,” Schroeter explains. “Having said that, a network that has not been properly desired to meet redundancy requirements, sized based on expected traffic flows and properly installed will undoubtedly cause issues to the overall outcome of a solution. But equally, deploying network dependent solutions is not a skill requirement unique to the security industry, and there are plenty of resources, training courses and best practices available to ensure a top tier integrator can deploy a scalable, redundant and secure network.
“Cyber security is core to any networked solution because security needs to be designed into and be integral to a solution. It cannot be added in later. I know that’s a short answer, but that is really all that needs to be said. Performing a penetration test on a solution will only highlight the problems. Putting in place a design with mitigations already in place is really the only way to achieve a demonstrably secure solution. Band-aids after the fact generally don’t work.”
For security integrators, how difficult is managing the integration process – what should they be looking out for in terms of controlling the process and the wider circle of interest groups?
“As a security integrator, you need to make sure you have direct access relationships and commercial arrangements to ensure unfettered access to your key dependencies and stakeholders,” Schroeter says. “Many projects suffer from either long communication chains or lack of commercial arrangements to set expectations up front and ensure direct communication between parties occurs when required. This does not mean integration needs to become an unstructured or uncontrolled process. But managing the integration process can be more difficult if these arrangements have not been formalised prior to a project.
“When it comes to the physical installation challenges of any major integration you are talking available rack space, continuous A/C and power, control room refurbishment constraints, obtaining temporary commissioning and operating locations, with an acceptable live staged cut-over strategy. Just the normal things that require up front planning and preparation, rather than hoping an integrated solution will somehow come together during delivery.”
#securityelectronicsandnetworks.com
