David G Aggleton, CPP, CSC, has been developing security system design solutions for building managers and tenants in more than 150 commercial office buildings. He is a member of the International Association of Professional Security Consultants (www.IAPSC.org) and the ASIS Security Architecture & Engineering Council. He can be reached at email@example.com.
The wave of security system migrations to network-based communications is riding high with manufacturers and resellers of Internet Protocol (IP) security devices announcing record volumes. However, considerable planning and coordination is required when you start encroaching on the hallowed ground of the Information Technology (IT) department for the implement of an IP-based system on your organization’s local area, wide area or global network (LAN, WAN or GAN).
If you plan to use a dedicated, purpose-built network just for security systems, your project may fall outside of the IT department’s jurisdiction but, in many organizations, IT will claim responsibility anyway. In these days of hacking, malicious code and denial-of-service attacks, IT’s most important task is to audit any new technology — hardware or software — that could impact their resources or operations. IP cameras and access control field panels may be very familiar to us, but they are foreign to the IT folk and they will require time to get to know them before they can be allowed to run within IT’s domain.
Let’s first review the differences between analog and IP technology, and how it all connects before discussing the operational, organizational and coordination aspects of a migration project. This article will concentrate on video systems technology, although most of the elements are also applicable to IP-addressable intercom stations and door control panels.
Analog and IP Technology
IP technology encompasses IP-addressable items (e.g., cameras, workstations and servers) and to the cabling and network equipment needed to interconnect all of the components into an Ethernet networked system. Analog systems — although many of the devices may be digital — refer to older technology where Ethernet protocol is not used (e.g., coaxial cable video transmission protocols).
Just to confuse the distinction between analog and IP some more, there are some blurry lines. Some examples: coax cable can be used for Ethernet transmission; hybrid video management system (VMS) hardware can accept analog video signals using internal or external encoders that convert from analog to IP signals.
The Migration Path
Analog: There are both benefits and detriments to analog and IP technologies. If your existing analog system is local — where all the security devices are located and system monitoring is performed at a single site where connectivity is relatively easy — the system and any upgrades or device additions are less expensive, less complicated (truly plug-and-play) and easier to operate if kept as an analog system. Since you are not using corporate local area network (LAN), the connections between the digital video recorder (DVR), network video recorder (NVR) or video management system (VMS) and any additional monitoring or administration workstations must be dedicated.
It should be noted that the video “head-end” is usually an IP-addressable computer, even if the cameras are not, and could be monitored and/or administered from other sites via the internet and an internet service provider (ISP). However, your IT department may raise red flags since they are justifiably leery of network threats from the internet, and their charter may give them responsibility for all IT connectivity within the organization, regardless of who initiates, designs or installs it.
Hybrid: A hybrid solution is the next step along the migration path and offers the benefit of maximizing the investment in your existing video system while providing greater access to new IP camera technology for upgrades, replacements and add-ons.
Existing analog cameras continue on coax (or other) cabling and their signals are encoded prior to connection to an NVR or VMS (some units have built-in encoders), and IP cameras connect via Ethernet cable — CAT 6 — to a network switch. Another option along the migration path is to replace the existing analog cameras but, if they still have plenty of useful life, you can reuse the existing coax cables with converters at the camera and network switch ends of the cable. The cost is about $150 for the two converters which is considerably less expensive than replacing the cable. The video network that is now added (cable and switches) can be dedicated to the video system with no connections to the corporate network or can be part of the IT department’s infrastructure.
Full IP: The last step on the migration path is an all-IP solution with new IP cameras, Ethernet cable, network switches and an NVR/VMS head-end. To make most economic use of the existing IT infrastructure, the video network should be part of the corporate network, although a dedicated video network may still be an option.
Most network cabling uses Category cable which consists of four twisted pair of solid copper. Different grades of Ethernet cable — CAT 5, CAT 5e, CAT 6 and CAT 6e — have different performance characteristics, typically related to transmission speeds, but all of them are specified for distances up to 300 ft. between the IP device and the network switch.
If your IP device is further away and adding a switch as a repeater is not an option, alternative cabling schemes with Ethernet converters need to be considered. Candidate schemes include the use of coaxial cable for transmission up to 1000 ft., or fiber optic cable for transmission over miles. Fiber is for connection to exterior cameras where electrical surges from lightning strikes are a possibility.
The Ethernet cable will transmit video data from the camera to the VMS, camera configuration data back to the camera, and, if the device is a pan/tilt/zoom model, it can also transmit positioning data to the camera.
Whereas analog cameras require a separate power cable, an important benefit of using IP cameras with Category cable is the availability of Power-over-Ethernet (PoE). In addition to providing data signals, a PoE network switch can provide up to 15.4 watts (standard) or 25.5 watts (PoE Plus). A power injection device, separate from the network switch, can also be used. This is certainly enough power for most fixed cameras (make sure that the camera specs state that they will work with PoE power) and also most PTZ cameras. Separate power cabling is probably required is the camera requires environmental conditioning — heating and/or cooling.
Planning and Coordination with the IT Department
As discussed earlier, once you step foot in the IT department’s domain and look to add IP addressable security devices to their network (or even your own dedicated network), you become subject to their rules. They are tasked with ensuring high degrees of reliability, availability and maintainability for the business information “pipeline” that is their purview.
Security’s requirements for transmitting data — video, access control, alarm and administrative — must conform to their technology and business model without any negative impacts. IT’s planning and implementation processes may be far more rigorous than typically encountered in the security world, and someone on your team needs to understand their brand of techno-speak to successfully negotiate through the jungle.
Some of the requirements may include:
Computer hardware for the security system may need to conform to IT’s standard platform: IT may insist on purchasing and configuring this equipment themselves, including loading their current version of an operating system (OS), communications, computer security and database (DB) software. You must check if these systems are compatible with the security system manufacturer’s current offerings.
IT may require the development of a detailed test plan: This includes running the security system hardware and software configuration in a test environment, which may require the purchase of a separate test system.
IT will want to perform version control: IT will control installing updated versions for all of the support software as well as the security applications software and firmware. The test system noted above would be used to validate the proper functioning of these changes before being released to the production system.
IT will want to look at your migration plan: If you are migrating from one system to another, IT will want to know what is expected of them when systems are run in parallel and the timing of the cutover to the new system. The migration plan may also include sections on data migration (conversion of the access control cardholder and door hardware configuration databases from the old system to the new one) and access management (development of a logical access privilege scheme.)
IP Address Control: The IT department controls IP addresses and will require a list of all of the devices that require an IP address.
Device certification: This may be required if any of the devices are “foreign” to the IT staff, such as cameras, intercoms and door control panels. They may want to study their specifications for intrinsic “hack resistance” and network bandwidth impact, and even put them through separate testing.
While the list of planning tools above may seem onerous, and it certainly adds an additional level of expense and schedule creep, these IT tasks raise the level of professionalism used to implement a new IP security system or to migrate from an analog system. The planning is intended to ensure that there are no unintended impacts on the business systems being supported by the network and to guarantee a smooth transition from one system to the next.
David G. Aggleton, CPP, CSC, has been actively engaged in the design of new and upgraded security system since 1978. He can be reached at firstname.lastname@example.org.