The Convergence of Physical Security & IT

Sept. 25, 2004
The convergence of physical security technology and information technology, and its impact on security and IT departments.
Security Systems and Networks

Two decades ago there were no corporate PC networks. Physical security functions were performed by separate equipment systems, each functioning independently - access control (mainly used for parking), alarm monitoring and CCTV cameras.

For the most part the access control systems and alarm systems ran unattended - there was no PC or terminal to interact with. Access control programs were managed by the personnel department and alarm notification went to an off-site alarm monitoring company or security guard service. Management information systems (MIS) departments had little or no interaction with security. Thus when PC networking was introduced to physical security systems, it was done independently of MIS concerns.

In the general corporate realm, PCs first proliferated as non-networked computers, which were rarely under MIS management. As network applications such as e-mail matured, corporate PCs were put onto the corporate network and moved under the umbrella of MIS (now IT) departments. Security systems were installed by vendors who were contractually responsible for keeping the systems fully functional on a constant basis. The vendors preferred installing and maintaining the security networks themselves, so they would have complete control over that for which they were held responsible.

For most security departments, the initial attempt at involving the MIS department in security system issues occurred when the first computer-based security systems were being purchased. Usually, the security department personnel were unfamiliar with the terminology in the computer portions of the specifications, so they asked MIS to review them and comment.

In most such circumstances, the computer portions of the specifications contained errors or omissions that were unacceptable (and sometimes shocking) to MIS, which out of concern often reacted by trying to hijack the approval process, at least for the computer-related aspects of the purchase.

Due to the technology language barriers and MIS's unfamiliarity with the typically small requirements of security system computers at that time, more often than not MIS and security would clash over issues involving the computerized system. When that happened, both security and the vendors regretted having invited MIS to the table.

For many organizations this initial experience served to make security gun-shy about involving MIS in security system projects. The non-involvement of MIS/IT continued until recent times. With the emergence of enterprise-class security systems that could interconnect multiple facilities in different cities and even different countries, interconnections had to rely upon corporate- and Telco (telephone company)-based wide-area networks (WANs).

The expansion of video camera usage beyond security and into the domain of corporate operations meant that there were valid business cases for connecting security networks to corporate networks, even for local-area networked (LAN) systems. Putting a security network over the corporate network backbone, or connecting the security network to the business network, meant that IT had to be involved.

Security & Business Internetworking Scenarios

Several factors will determine what internetworking issues will have to be dealt with in security projects. These factors include the size of the security network, the nature of the security system functions that are being networked, and the nature of the business network that will host security network connections.

There is a wide range of possible internetworking scenarios for any facility. The picture is simplest when there is a single security LAN and a single business LAN, with no internetworking between them, as shown in Figure 1. A slightly more complex model involves a single security LAN and single business LAN with internetworking.

Up a step from this scenario is one in which multiple security LANs are connected over a business WAN backbone, but there is no interconnection to any business LANs. Or, multiple security LANs with multiple video servers may be connected over a business WAN to multiple business LANs.

In the most complex example, multiple security LANs with wireless indoor and outdoor security devices and multiple video servers are connected over a business WAN to multiple business LANs with wireless devices.

Internetworking Issues

The internetworking of security networks with business networks introduces a number of new issues to deal with on both sides of the fence.

Some security system workstations are located in areas that are much more accessible to the public than corporate networked PCs. Building lobbies and parking lot booths are two such locations that are often not very secure and are often unattended after hours.

  • Firewalls on business networks may not respond well to security network traffic, such as streaming video, and may require some reconfiguration to support it.
  • Security applications, such as software used to access live and recorded security camera video, may need to be installed on business workstations. In most situations these applications have not been tested or approved by IT.
  • Security budgets don't include funds for extending the security network for business operations use.
  • Security system administrators don't have network training and are not familiar with business network security policies, procedures and electronic security measures, which may need to be extended into the security network.
  • Some security workstations must be used by contracted guard force personnel, who normally would not be permitted access to any computer on the corporate network.
  • Where the security network and business networks are interconnected, problems with business servers or server maintenance can require temporarily taking down some or all of the business network, disabling part of the security network as well. Thus, the scheduling of routine server and network maintenance requires coordination with security, which may have to institute temporary security procedures until the network is fully restored.
  • It is common for security system vendors to have dial-in access to security system networks, for the purposes of providing technical support and responding to service calls. For interconnected security and business networks, such dial-in will require full compliance with business network security requirements.
  • When IT departments provide network connectivity for security networks, the security system vendors have to be provided with a means to test the network connectivity and available bandwidth at any time. The test capability must be available throughout the entire security system installation process.
  • For security to maintain responsibility for security network integrity, and for IT to maintain responsibility for business network integrity, security devices like routers or firewalls must be deployed on both sides of each security/business network interconnection. Properly configuring these devices means close coordination between security and IT. This also means that security needs a network-savvy specialist, or has to provide special training to an existing security technologist.
  • Both security and IT should have a physical "off-switch" capability that requires no technical expertise to use. This allows disconnection of the business and security networks quickly in the event of a detected network security breach on either side.
  • Acceptance testing of computerized or networked security systems should require sign-off by IT.
  • Virtual private networks (VPNs) can be used to economically provide remote access to security networks over business networks or the Internet, but security personnel have little understanding of the technical aspects of VPNs. See Figure 2 for an illustration of the VPN concept.
  • The increase in the popularity of wireless networked devices on both business networks and security networks increases the potential for conflicts and requires that standards exist and be enforced for the selection and management of wireless connections and devices on both sides.
  • Internetworking products and security system networked products continue to evolve. This requires a synchronization of knowledge between security and IT at least every six months - and a recalibration of security projects that haven't yet reached the purchasing stage - to ensure optimal system design and maximum return on investment.

Addressing the Issues

Properly addressing these issues requires active participation from IT in the security project. Involve IT at the initial concept stage. Brief them on all relevant aspects of the project, including the purpose and objectives, initial timetable and general approach. Don't make the mistake of thinking that it's just IT security personnel that must be involved.

There are usually significant network design and evaluation tasks involved, in addition to network security. Have security provide IT with a single-line diagram of the computers and network connections of the proposed security system, including all wireless devices. The drawing should show what kind of data will be sent between what computers (such as e-mail, video streams, reports of alarm history, data entry to enroll users), and any external systems interfaced, such as paging systems or radios.

Identify the protocols that will be used for each type of security data to be carried on the network. When in doubt as to whether to include information, include it. If computers on the business network require access to the security system, include the business computers in the diagram as well. Identify those elements that are "must-have" and those that are desirable but not absolutely necessary.

Include the estimated bandwidth requirements for each network connection. You may have to consult with current or prospective vendors to get the information you need to determine the bandwidth requirements using scenario-based requirements assessment, for which I've included guidelines later in this article. Share the method used to estimate the security network bandwidth with IT.

Have IT determine how many of the internetworking requirements can be supported by existing network infrastructure, and what new infrastructure (if any) would be needed, along with ballpark estimates on the costs involved. Have IT present this information to security, and answer any questions that result.

Have IT provide a list of computer operating system, software and hardware standards, network standards, and network security standards (such as for remote access) with which any security system vendor must comply. Have the vendor review the requirements and incorporate them into any proposed system project.

Have IT provide a drawing of the network infrastructure that it will furnish for the security network and for the business network connections. The drawing should identify the type of each network segment (microwave, Telco line, etc.) and the maximum bandwidth capability of each segment.

Have the security system vendor verify the compatibility of security system network traffic with the proposed network infrastructure. This will require discussions with IT department personnel and perhaps also with vendors that provide the network technology to IT.

If any incompatibilities are discovered, get together with IT, the security system vendor and the network technology vendors to explore the possible resolutions. Review the security project budget estimates and incorporate any new information provided by the IT and security vendors.

Review the security project schedule to make sure it takes into account the time frames for installing any network infrastructure that doesn't yet exist.

A significant amount of work is involved in most of these steps, especially for those who have not been through them before. While these are not necessarily all the information sharing steps that need to be taken, they are the major ones, and the remainder should fall out from these.

Security Network Bandwidth

Bandwidth is one of the most troublesome issues in internetworking projects. Bandwidth generally refers to the amount of information that can be carried in a given time period (usually a second) over a wired or wireless communications link. Any digital or analog signal has a bandwidth.

The word originated as a reference to radio transmission signals. Frequency band - or just band, for short - means a specific range of frequencies in the radio frequency spectrum. This spectrum is divided into ranges from very low frequencies to extremely high frequencies. Each band has a defined upper and lower frequency limit, which establishes its bandwidth. The wider the bandwidth, the more signals can be transmitted within the band, much the same as a wider highway can allow more cars to travel at the same time.

Frequency is measured in the number of cycles of change per second, or hertz. In analog systems, bandwidth is calculated as the difference between the highest-frequency signal component and the lowest-frequency signal component. The full range of the human voice is 300 Hz to about 5 kilohertz (kHz), which is a 4.7 kHz analog bandwidth. Most speech occupies a smaller portion of that range, giving typical voice signals a bandwidth of about 3 kHz.

In digital systems, bandwidth has come to mean the measure of the maximum data speed. Bits per second (bps) is a common measure of data speed for computer modems and computer data transmission carriers, and means the number of data bits transmitted or received each second.

A network is often composed of multiple segments, each segment being one point-to-point wiring or radio connection between pieces of network equipment, or between network equipment and computers. Different segments can have different bandwidths, depending upon how much network traffic they are designed to carry.

For security networks that involve WAN connections, bandwidth requirements may have significant cost or network resource impacts. For example, Telco-based connections have a recurring monthly cost. If the security network requires expanding the capacity of a Telco connection, that will mean an increase in the monthly cost.

Usually, one-time costs come from a capital budget while recurring costs come from an operations budget. These two budget categories are entirely separate, with entirely separate budgeting processes and revenue streams.

CCTV is the main reason security network bandwidth is an issue. An analog television broadcast video signal has a bandwidth of 6 megahertz (MHz) - 2,000 times as wide as a voice signal. This provides an indication of why sending CCTV video streams over a network can use up all available network bandwidth, and why the capacity of standard telephone lines is insufficient for transmitting continuous video. The bandwidth requirements of video are much higher than either voice or computer data.

In addition, digital video management software makes it possible to view live and recorded video by computer over an Ethernet network, using a technique called video streaming. The larger the CCTV system, the greater the potential for multiple users to be viewing multiple cameras.

Each camera requires its own data stream. Even with video data compression techniques, security-quality video can take up to 1 Mbps of bandwidth per camera, for each person viewing the camera signal. Multicast technology (routing a single video stream over the network to multiple users) can reduce the number of streams to a single stream per camera, regardless of the number of users viewing the video stream.

However, currently only two or three security video management software applications have multicast capability.

Video technologies will continue to improve, requiring less and less bandwidth per camera. On the other hand, the demand for higher-quality video (with higher bandwidth requirements) will also continue to increase for both security and operations use.

It wouldn't be wise to look to technological improvements to reduce security's overall requirement for network bandwidth. As security functions increase and improve, and as camera technologies both improve and lower in price, stronger security and business cases can be made for increased utilization of CCTV.This means that estimating security bandwidth requirements will remain an important element of security system design and planning, especially for large-scale security networks that involve WAN connections.

Estimating Security Network Bandwidth

Security networks have to be designed to handle the "worst case" scenario in terms of bandwidth. This would be a situation in which multiple security and operations personnel would have to make maximum use of networked equipment, such as examining live and recorded video from multiple cameras. This could easily require 10 or 20 times the network capacity that is normally needed for security.

Usually IT personnel bristle at the thought of so much bandwidth going unused 99 percent of the time. Unlike business network bandwidth, a good portion of security network bandwidth can be considered as insurance - you need to have it, but you hope you don't have to use it.

The activity patterns for security networks are different than for business networks. Business networks usually have typical daily and weekly activity patterns which result from the patterns of operations of the business. Security network activity is generally light until an alarm or security incident occurs, and there is no predicting when that will be.

Although this article discusses the impact of security video on networks, it's not only heavy security camera use that can elevate network bandwidth requirements. Redundant server restoration, testing or upgrades can require full-bandwidth utilization of high-speed network segments for a good portion of a day. If it takes too long to synchronize a backup server and restore redundancy, the system could be left vulnerable for too long a time.

Scenario-based Security Network Assessment

To accurately assess security network bandwidth requirements, a scenario-based approach must be used that examines security system use during various security and business conditions, including security incident response and emergency incident response.

For example, during the World Trade Center attacks of September 11, security personnel were able to use CCTV surveillance cameras to assist in evacuating the buildings by informing emergency personnel by radio and telephone about building conditions that were obscured by smoke or otherwise outside the emergency personnel's field of view. In such a situation, as many available personnel are put on such a task as is practical, and all available security video workstations are put to use.

It takes a bit of homework, but the various security and emergency scenarios can be worked out. Start working backwards from what you will need to accomplish under each circumstance and how you want to accomplish it. Then determine how the security system capabilities will be used and what network bandwidth will be required.

Usually security personnel can identify a half-dozen security and emergency scenarios that are of concern to them and that are representative of the kinds of responses they would have to make. These scenarios should be written out, including what security information is required for the security and emergency personnel to make an informed response. IT should also provide scenarios involving network incidents that would result in loss of part or all of the security network. Alternate methods of accessing security system functions should be explored for each of the network loss scenarios.

Security Should Be Pro-IT, and Vice-Versa

There are many reasons for security to be pro-IT. IT can help establish network security requirements and provide network security tools that will be needed for the security network. They can help answer networking questions, and they can provide project support for specifications and for testing relating to the computer and network aspects of the project. In-house IT can provide ongoing support for security computer and network issues. As security systems incorporate more and more information technology, IT knowledge will become more important to security.

Security should designate someone to be an IT liaison as a permanent role, not just for the duration of the next security project. Security system upgrades and expansions will need to be coordinated with IT, and security will want to stay abreast of network expansions in case they provide an opportunity for security to further its objectives.

Similarly, IT should designate a liaison to security. Security will continue to expand, so it behooves IT to learn more about physical security. IT will have the task of augmenting security's network infrastructure based upon security needs. They may also have opportunities to piggyback off of required security network upgrades and accomplish some of their own objectives sooner, perhaps at a reduced cost. Security can contribute to IT's planning for physical security measures as part of its information security plan.

Sometimes IT needs alone or physical security needs alone won't be a strong enough case for network upgrade expenditures, but together they can tip the scales.

Today's security systems are based upon information technology. This requires a good working alliance between security and IT departments. The result of this alliance will be, of course, stronger and more capable security systems.

About the Author: Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. Ray is a technical consultant and writer who has provided technical advice in the security and building automation industries for more than 15 years. This article is based upon material in Ray's upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS, go to www.go-rbcs.com or call 949-831-6788.