Coopetition Arrives

Oct. 27, 2008
Open standards will bring more choices, lower costs and a stronger industry.

Long-term business success comes not just from knowing your industry, but also from being an active participant in shaping that industry’s future. This allows you to create opportunities for future success in your security program, which lowers your business risks. The alternative is to simply make do with whatever the industry brings, which heightens your business risks—especially in an industry that is undergoing significant change, like the security industry.

Coopetition Breeds Benefits
In the 1980s, Novell founder Ray Noorda began asserting that networking industry companies should adopt a new strategy: cooperating with the competition. In Noorda’s words, “You have to compete and cooperate at the same time.” He coined the word “coopetition” to refer to this principle. Noorda’s attitude was that the network computing industry was huge and there were profit dollars available for all. He believed that if vendors cooperated on open standards and protocols, there would be more total profit than if companies tried to force their customers to choose sides in protocol wars.

The essence of “coopetition” is that you cooperate with others to increase the size of the pie, and then compete in cutting it up. This idea was brought to mainstream business by authors Barry J. Nalebuff and Adam Brandenburger in their 1997 book Co-opetition. Cooperation that helps build a larger overall market benefits everyone. Standards development is one such form of cooperation. It benefits security users as well as product and service providers.

Rich Anderson is president of Phare Consulting, a leading industry consulting group with a practice in convergence. Anderson, who has long been a proponent of open standards, explained, “The key end user benefit is the freedom to build the best solution possible for your situation using whatever manufacturer’s components make sense. You are not trapped buying obsolete add-ons from a vendor that does not offer today’s best answers. You also won’t be forced to ‘forklift’ a relatively new proprietary sub-system such as a DVR, just because you can’t get it to talk to the new integrated system you want to buy. Just as importantly, a standards-based solution takes much of the risk and expense out of integrating security systems to the rest of a company’s IT infrastructure. Not only is the task easier, but specifying standards that the IT department already understands makes project approval much less painful.”

Security end users can reach for these benefits by taking action to encourage open standards in our industry.

Refusing To Be Locked In
It is easy for any technology industry to become too strongly focused on products and too weakly focused on customers. One sign that our industry’s companies have fallen away from a value-based view is their reliance upon proprietary lock-in as a success strategy. Security programs of all types and sizes have fallen prey to this strategy for years, but it succeeds only for the short term. Sooner or later, users buy themselves out of locked-in situations, even if it only means getting locked into something better. And large organizations with big security programs sometimes simply refuse to be locked in.

Witness the U.S. government’s development of smart card interoperability standards after its repeated requests to the card industry for such standards fell on deaf ears. Once it had developed the standards, the government refused to purchase non-complying products and systems. Security users have begun a revolt, sending the message that proprietary lock-in is out of hand.

The lack of security interoperability is being felt even more now, due to the trend towards enterprise-wide ID management for organizations that have a number of premises with employees in different locations, both nationally and globally. The incompatibility of systems in each company location can require employees and regular visitors to be re-identified and re-badged whenever they visit different premises. With multiple systems from multiple vendors, it can also be difficult and expensive for an organization to incorporate any new security technology, such as biometrics or digital video, across the enterprise.

End Users in the Driver's Seat
One company that is familiar with the challenges of interoperability is Datacard Group of Minnetonka, MN, the world leader in high-volume card issuance and secure identity solutions. Kevin Gillick, head of corporate marketing for Datacard, explained, “Even minor integration to other internal systems can be a major development project when customizing for each different system. This can result in an organization following a rip-and-replace strategy, rather than integrating an ID management solution that bridges legacy systems across the business.”

In 2003, Intel Corporation, a Datacard customer, asked Datacard to help them avoid the “rip-and-replace” scenario. Their research showed that rip-and-replace costs to standardize on a single existing proprietary system would be in the millions of dollars. Intel asked Datacard to develop a front-end system that would talk to their enterprise collection of existing security systems panels. However, they did not want to end up with yet another closed proprietary system. One reason Intel had selected Datacard was the company’s long history of active contribution to open standards initiatives with such organizations as ISO and ANSI.

Datacard devised a two-phased solution. First, they asked the manufacturers of Intel’s existing panels to provide their native protocols to Datacard. Current interfaces include Apollo, CMS Security Systems, Continental, and HID. Second, as soon as possible the system would be extended to support open standards. Several manufacturers immediately saw the benefits—including keeping their existing customer base in the short term and moving towards open standards in the long term.

Standards Development
The value of interoperability standards has become so obvious that even organizations famous for holding onto lock-in strategies are beginning to see the light. For example, in June Microsoft pledged to replace its proprietary Microsoft Office file formats (such as Word, Excel and PowerPoint) with Extensible Markup Language (XML) formats as the default file formats in 2006.

Interoperability standards development is long overdue in the security industry from two perspectives: by comparative analysis with other industries that have benefited from standards development (such as financial services and building controls), and by the consensus of security directors and other end users, who for nearly a decade have been clamoring for standards-based interoperability.

Three main factors have recently strengthened the business case for interoperability within the industry: the continued increase in projects that involve integration between security systems and non-security systems, the demand for enterprise-level system integration, and initiatives to use the same credential for physical and IT systems security.

ASHRAE and BACnet
One of the first security interoperability standards to emerge is BACnet, a non-proprietary data communications protocol standard for building automation and control networks, developed by the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE). BACnet has been adopted by the American National Standards Institute (ANSI) as ANSI/ASHRAE Standard 135-2004 and by the International Organization for Standardization (ISO) as Standard ISO 16484-5. It was developed with the cooperation of nearly every major vendor of building automation, controls and mechanical equipment.

In recent years there have been significant efforts to simplify how interoperability needs are specified. The result was the definition of BACnet Interoperability Building Blocks (BIBBs), which provide a way for a specifier to write a performance specification without the need to understand all of the technical details of how it would be implemented. This revision to the standard was based upon the work of a group of experts in specifying building automation systems.

PolarSoft Inc. of Pittsburgh, PA, is a leading provider of BACnet software tools as well as training and other BACnet-related services. PolarSoft has been involved in BACnet development since the beginning, and additionally has developed highly successful BACnet training courses for ASHRAE.

David Fisher, president of PolarSoft, said, “With tens of thousands of installations, and a worldwide presence, BACnet is fast becoming the only serious choice for full-scale building automation where interoperability is an issue. The fundamental robustness of the standard, coupled with the advances in specifying technique and a rapidly expanding product base, has spawned a growing trend toward BACnet-based interoperability specifications in North America, Europe, and the Pacific Rim. Besides the English language version, the standard has been reproduced in Japanese, Chinese, and Korean versions.”

In July ASHRAE completed a draft document that provides BACnet extensions for access control. The purpose of this protocol extension is to facilitate integration on a BACnet network between access control systems and other building automation devices and systems. The proposed access control extensions—which provide an outstanding abstraction of access control system functionality—are worth review by access control system providers regardless of any participation in the standards review process. If even a small percentage of the “tens of thousands of installations” are candidates for security integration, that’s a potential market worth considering.

It is also important to note that widespread use of the BACnet standard did not really take off as expected until after the standard was expanded to facilitate the writing of high-level functional specifications for an integrated BACnet system.

This is just one example of how the security industry can benefit from studying other standards development efforts, instead of learning lessons like this one through lengthy trial and error. While the development of interoperability standards in other industries has taken five to 10 years, the security industry’s efforts can be much shorter if they incorporate the lessons learned in other industries.

Industry Cooperation
Rob Zivney is vice president of marketing for Hirsch Electronics, a company with a long list of industry product and service awards. Zivney has an extensive background in building control systems and is well aware of the importance of interoperability standards for the security industry.

As an example of industry cooperation, Zivney points to the BACnet Manufacturer’s Association (BMA). BMA takes up where the charter of ASHRAE leaves off, working to ensure the commercial viability of standards by providing testing services and educational events. BMA holds an annual interoperability workshop known as PlugFest where vendors can test their BACnet products in a neutral and friendly environment with BACnet devices from other vendors. Last year more than 75 BACnet engineers representing 22 companies attended PlugFest and improved their implementation of BACnet and testing methods. The 2005 PlugFest adds roundtable testing, the goal of which is to exercise the ability to create a single BACnet system using products from every vendor to create one ultra interoperating system. Zivney said, “The building controls industry has done an outstanding job working together to ensure the value and workability of interoperability standards. BMA’s PlugFest is just one example of the kind of cooperation that benefits everyone.” Zivney has also been active in championing standards through the Security Industry Association, where he is a member of the Board of Directors, and the Open Building Information Xchange. This June, for his efforts in forwarding interoperability standards within SIA, Zivney was awarded SIA’s 2005 Standards Service Award.

oBIX and Enterprise Level Integration
The Open Building Information Xchange is a focused effort of building controls industry leaders and associations to create a standard XML and Web Services guideline to facilitate the exchange of information between intelligent buildings, and to enable enterprise application integration and true systems integration. Based on standards widely used by the IT Industry, the oBIX guideline will improve operational effectiveness, giving facility managers and building owners increased knowledge and control of their properties. Comprising representatives from the entire spectrum of the buildings systems industry, oBIX includes professionals from the security, HVAC, building automation, open protocol and IT disciplines. More than 100 companies participate in the oBIX initiative.

Integration of various software systems is not in itself sufficient to ensure organizational efficiency and effectiveness. Somehow the systems have to relate to the objectives, business processes and workflow of the organization and the individuals managing it. This level of integration is referred to as enterprise-level integration.

oBIX uses the term “instrumenting” to refer to its concept of enterprise-level integration. An automobile’s instrument panel serves as an example. A driver shouldn’t have to be concerned about whether his engine has a fuel injection system or a carburetor system. What matters is the information that helps him decide how to operate or maintain the vehicle, and this is presented in the dashboard instruments: speedometer, fuel level, engine temperature, and warning lights. With these instruments, the operator can drive a car without knowing anything about its control systems.

It is the objective of oBIX to similarly facilitate building management by making the appropriate information and control capabilities available to the business managers of the enterprise, without requiring them to have detailed technical knowledge of the workings of the building systems.

SIA Interoperability Data Models
The Security Industry Association has recently released four new interoperability standards comprising more than 500 pages: the Access Control Interface Data Model, Credential Reader Controller Interface Data Model, Digital Video Server Interface Data Model and Pan Industry Data Model (to address properties, functions, and concepts shared in potentially different forms by many components throughout the industry). This tremendously valuable work signifies a critical turning point for the industry—where results are replacing lip service with regard to achieving interoperability.

Open Security Exchange
The Open Security Exchange was the first group to publish a high-level interoperability standard, PHYSBITS (Physical Security Bridge to IT Security) 1.0, which is a vendor-neutral approach for enabling collaboration between physical and IT security to support overall enterprise risk management needs. OSE continues to bring together manufacturers, consultants, integrators and end users to pursue cross-industry solutions.

What Can You Do?
• Write to manufacturers of key products you use to let them know you are interested in systems based upon open standards. Ask them to keep you informed of any work they do or plans they make along this line. Let them know that when evaluating products and systems in the future, you will be considering the progress or stance of the company with regard to open standards. If they have personnel participating in open standards efforts, tell them to publicize it or otherwise get the word out to customers.

• Write or talk to systems integrators and consultants you work with. Tell them that you expect them to keep you posted on standards work that relates to your interests.

• If you are a large company or government agency with full-time technicians for system management or maintenance, consider having them participate in open standards efforts, such as those of the Open Security Exchange and SIA. Most open standards work is open to public review and comment before the standards are officially adopted and released.

• At trade shows and presentations by vendors, ask what they are doing right now with regard to open standards.

• Collect the information you come across about open standards initiatives. Make a file folder in which to put references and information about the standards work of manufacturers and integrators that are relevant to your interests. It won’t take much effort, but the bits of knowledge you gain can make your discussions more credible.

Shaping the Future
The appearance of these standards means that security industry companies and individuals are stepping forward to help shape the future of the industry. From these good starting points much more work remains to be done, and done quickly, for the industry is seriously behind with regard to open standards development.

Although the development of security open standards has just begun—which means that you can’t today buy systems based on open standards—you will soon be able to start choosing products and services from companies who have made a demonstrated commitment to open standards. Now is the time to get on board.

Ray Bernard, PSP is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. Mr. Bernard has provided pivotal direction and technical advice in the security and building automation industries for more than 18 years. This article is based upon material in his upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.