Connectivity is the Key and IoT is the Link

July 12, 2017
Access control customers are using myriad devices to controls their doors

Connectivity is the name of the game when it comes to satisfying the almost insatiable thirst customers have for their static and mobile devices. Now, a growing number of access control vendors are incorporating the power of connected devices into their technology development. I recently sat down with several top access control vendors to discuss their specific roadmaps related to IoT and the future trends users can expect throughout the industry in general. Roundtable participants include:

  • Jimmy Palatsoukas, Director of Product Marketing at Genetec Inc.
  • Stuart Tucker, Vice President, Enterprise Solutions at AMAG Technology
  • Matt Barnette, President at Mercury Security
  • Peter Boriskin, VP of Commercial Product Management at ASSA ABLOY Americas
  • Robert C. Martens, Futurist and Vice President of Strategy & Partnerships at Allegion
  • Michael Coniff, Global Product Marketing Manager at Honeywell
  • Jason Ouellette, Senior Product Line Director for Access Control at Tyco Security Products

Steve Lasky, Editorial Director of SouthComm Security Media: What role will IoT play in conventional electronic access control in the near future and beyond?

Palatsoukas: Our customers are naturally looking for greater connectivity between devices. IoT is a catalyst for vendors to continue to integrate new sensors and also find ways to better present the information so it is easily digestible by users. From an access control system (ACS) perspective, IoT will be the driving force for new devices that connect to an ACS system. That includes devices that help extend physical security coverage outside of a building and towards the perimeter. Examples include automatic license plate recognition cameras, radar systems, and so on.

Tucker: IoT is already playing an ever-expanding role in electronic access control.  Many large companies are embracing mobile and other devices in their current plans.  We see many instances of mobile credentials, mobile identity and access management, situational awareness and even augmented reality in place or testing now. Additionally, new “IP-enabled things” such as drones, robots, beacons, and others are finding their way into projects to extend the notions of what a physical security system can do.

Barnette: There is a lot of buzz around the IoT and physical access control and time will tell to what degree the two technologies intersect and leverage each other.  One influence the IoT will have on the industry today is that it will push hardware manufacturers to develop and build their hardware to easily integrate, communicate and secure IoT devices.

For example, Mercury is ahead of the curve by starting to add the MQTT protocol to our panels.  MQTT is a protocol for how devices communicate with each other in a more connected environment – specifically for the Internet of Things.  We are helping to make it possible to create such a connected environment by enabling our panels to communicate with each other as well as with third-party systems. Our first iteration of this is through the integration of our panels into an elevator destination dispatch system that offers tenants and visitors personalized elevator service while improving the flow of building traffic. Instead of pressing traditional up or down buttons, passengers enter their destination floors using keypads or interactive touch screens before entering an elevator.  This is one of the many use cases in a more connected and smart building in an IoT environment. 

Boriskin:  On the residential side, IoT is being driven by the connected home and our solutions play an important role in that ecosystem. For example, IoT allows homeowners to manage access to their home remotely using their smartphone. With our Yale Look Digital Door Viewer, you can actually have a video chat with someone who arrives at your door and sends a mobile key directly to their phone to let them in the house.

More so than ever before, the growth of technology in the home is now driving adoption in business.  This is especially true with IoT. For the institutional market, the ability to provide intelligence and sensing to centralized systems for complex reporting is critical. For the IIoT (Industrial Internet of Things), we now have the capability to leverage what is being done in small business environments and bring that into the commercial and institutional space. An example of this would be quick service restaurants leveraging access control to see when locations are opened and closed as a way to monitor employees without being onsite. We are bringing intelligence and decision making out to the edge instead of it being done exclusively at a centralized management system. The ability to de-centralize systems allows us to make intelligent decisions faster and provide greater functionality. 

Coniff: The way devices themselves are becoming more intelligent through IoT is going to play a big role in the shift of conventional electronic access control in the near future and beyond. As an alternative to general end devices, we now see devices learning and optimizing on their own. And beyond the devices themselves, the data and information they collect are going to be utilized more and more – especially within security systems.

For instance, a traditional access control system has a panel connected to a reader, and that often is connected to a video or alarm system. But now, end users are now looking for a singular system that can take advantage of any available information within a building. These devices, once deployed to meet safety codes and perform simple security and energy functions, are evolving into smarter, sleeker and more aesthetically pleasing systems. The information and data now captured extends beyond simple surveillance and focuses on improving the overall user experience of the entire system, whether in emergency situations or everyday operations.  

Martens: The IoT stands to play a large role in conventional access control in the near future and beyond. The costs involved with sensor and connectivity technology continue to trend down, while functionality and capability trend up. This is a great recipe for manufacturers, solution providers, and integrators to focus on new, enhanced use cases and productivity gains for their customers and end users.

Ouellette: I see this as providing a justification and acceleration for the shift towards cloud-based access control.  IoT and cloud technology will allow the conventional providers to start to leverage the larger sensor aggregated data to provide improved security solutions and services.

Lasky: One of the main benefits of IoT is the aspect of connectivity. How does systems connectivity improve basic door access control and how does it improve managing large multi-door EAC systems?

Palatsoukas:  Several areas are greatly improved. The speed of communications of IP has led to real-time connectivity with ACS, from both a monitoring and command & control perspective. With real-time connectivity, threat level management and the instantaneous lockdown of an area or building is now possible with door controllers. Central management of multiple remote and independent sites, such as issuing credentials centrally or configuring systems remotely, is that much easier with greater connectivity. IP has also led to being able to manage or monitoring your ACS from mobile apps and receive push notifications in real-time.

Tucker: By adding functionality via new types of devices, you expand the notion of what is physical security, for example, when you can merge basic access control with things like GPS positioning, Bluetooth beacons, and video analytics you can do things that were not possible just a few years ago.  This is true from an administration side as well as from a user perspective.  Imagine you can correlate a person's position at all times with beacons and provide manned or automated responses through IP-based intercoms or even drones.  This is a game changer in critical situations where you can minimize risk and still have full capability to communicate, see, and even react.

Barnette: IoT will be an integral part of enabling systems to share data more easily and in a more standardized format.  It might also enable data to be shared in multiple ways, such as with OEM partners who have deep integration with our products through API for control and command and work within their systems.  The role of the IoT may also make it possible for Mercury to open secondary and tertiary paths of communication to such things as preventative maintenance programs for integrators who have cloud-based maintenance applications.  In this scenario, the IoT potentially gives integrators direct communication to Mercury controllers, providing data on how the device is performing.  This is one of the many examples of how the IoT can impact the industry from the perspective of the panel hardware.

Boriskin: This level of connectivity dramatically reduces infrastructure costs, and takes advantage of the network to expand the system at a much lower cost. Without networked devices, you would have to run separate cable and power supplies for access control with all of the processing done at a central location. Facilities would incur additional infrastructure costs simply to bring the devices online and would still not have an avenue for device-to-device communication.

Coniff: Today, our lives are centered on a smartphone. We don’t need to be sitting in front of a computer in order to feel connected. It’s this mobile-first mentality that has everyone demanding immediate and instantaneous access to everything – both at home and at work.

For example, a building owner with a traditional access control system has to run specific software on one or two computers within the facility in order to access secure data on a server. But now, building owners want to access their control systems on a mobile device. They want to add a new card user by taking a picture with their phone and creating a mobile badge. They want to be able to send credentials for an expected visitor, have them already know where to go and be approved to access the building before they arrive. Building owners want to be capable of working wherever, and whenever, without being tied to a computer. You also see changes in connectivity with small- to medium-sized business owners who manage a handful of locations that require quick access via a mobile device. For example, they can unlock the building to let a worker in on the weekend, then lock back up remotely once they have left. In addition, when combined with a camera focused on that door, the user can quickly verify that it is the correct user and that the user has entered the building. This ease of being able to quickly access any facility, no matter where they are all from a mobile phone isn’t just a luxury – it’s a necessity in today’s always-connected world.

Martens: Systems connectivity can vastly improve door access control when implemented properly. First and foremost, the ability to identify the “real-time state” of any given opening without actively having to be present is of great value. No touring capabilities can greatly enhance a facility executive’s productivity- allowing team members to audit the state of their equipment remotely or to manage access without a physical interaction. Historically, we have seen electronic access control limited to the perimeter doors of a facility. With the introduction of enterprise class interior door hardware, electronics are now being brought to those doors at a fraction of the cost that they once were. The ability to override manual actions and to monitor openings throughout the entire facility drives a whole new level of use case, security and productivity at a rational cost.

Ouellette: From a big data perspective, IoT allows for better-converged visibility across physical and logical access to more practically detect stolen or lost credentials or cyber-attacks.

Lasky: What array of connected devices do you see building out a future electronic access control system and how will that system be managed?

Palatsoukas:  We believe that physical security systems will continue to move towards a unified platform. This platform will manage not only ACS devices but also cameras and encoders, communications (intercom) devices, intrusion panels. Newer integrations will include connectivity and management of elevator dispatch and perimeter detection devices. 

Tucker: Smartphones, ID sensors (Beacons), drones, and robots.  The key is to come up with a solution that allows simple configuration of workflows that incorporate all of these things to solve current issues that are difficult, dangerous, or extremely routine. For example, in an active shooter or fire evacuation, drones or robots with embedded cameras could go to the critical areas and stream live video back, enabling security to make intelligent decisions based on what is happening right now, even if traditional cameras are not in operation in a specific location.

Barnette: Access control systems will join advanced smart building applications through cloud-based monitoring applications that deliver robust analytics capabilities used to proactively pinpoint and troubleshoot potential system failures. These applications will also monitor secure connections between PACS peripherals and trigger firmware updates to address potential cyber threats.  IoT functionality will be embedded in PACS panels as app extensions to enable connections to the cloud-based services; these IoT connections will deliver preempted alerts, real-time diagnostic information to the cloud to ensure protection against emerging vulnerabilities and streamlined system operations.

Boriskin: It’s many of the same things we are connecting to today such as intrusion, video, fire, emergency notification and access control. The difference is not the what, but the how. Today, to tie into all these systems you have to do an integration that is unique to each system, and as the system evolves it likely has to be redone each time. With IoT, there is the potential for devices to communicate and provide meaningful data to one another. In the future, it’s possible there will be a standardized approach to add and change systems with devices that become part of an eco-system.

There will also be a variety of openings that need to be managed, including high traffic openings such as transportation hubs and higher education environments. The benefit will be a more de-centralized approach to access control, which will make the system more resilient. If there is an emergency such as a power outage, it will only take out a specific area and not necessarily an entire building.

Coniff: We are going to see a focus on mobile interfaces that provide instantaneous connections. With that, the devices that will have the ability to interact with these advanced security systems are almost unlimited. Manufacturers are taking advantage of what they currently have, such as access, video, intrusion and smart energy devices, while simultaneously leveraging the data and information from these individual devices, in order to bring everything together into an interconnected, cloud-based, mobile-first environment. As the industry shifts to devices, with buildings becoming smarter and interconnectivity becoming easier, we’re going to look at things beyond security. We’re transitioning from the traditional capabilities of a security company and moving into all the ways we can make someone’s life easier, safer, and even more productive using the equipment and software we provide.

Martens: Many of the usual suspects will be in play- electronic locks, smart panic bars, smart closers, readers, motion sensors, and cameras. That said, the vast majority of these devices will be IP-based, with an emphasis on connectivity and the flexibility to be upgraded and maintained over time. Use cases based on increasing ROI will drive certain categories to new heights of interest and emphasis. Touring physical devices will become less and less frequent, and these devices will share their status with administrators when they require attention. A wide array of low-cost, high-functioning sensors will be embedded in devices that are not typically thought of as being “smart” today.

Ouellette: I think open standards will come to bear under the pressures of scalability, sustainability and the sheer economics of the connectivity of devices.  Many manufacturers will be looking at how to provide software-based solutions and services on the value of the number of supported devices and the solutions they can provide based on the data.

Lasky:  Much discussion has taken place related to how the IoT presents a new set of security challenges for video. But as more IP-centric access control solutions begin to appear, what special issue do they face?

Tucker: I don't really see IoT as a challenge but as an opportunity.  You now have thousands of IP-based mobile devices in an enterprise that can now be leveraged, whether for video, physical security, situational awareness or mobile administration.  The real challenge is in managing the large numbers of devices. However, with well-designed integrations and proper planning, deploying IoT devices in bunches should not become a burden for IT or security teams.

Boriskin: As the network becomes more populated, there are more identities to manage than ever before. The challenge becomes creating a federated identity for so many different devices, whether it is a laptop, server, or part of the physical security system. We are now at the point where it is necessary to manage the identities of devices in the same way we manage identities of individuals. This shift from a person-centric approach to a device-centric approach requires a comprehensive review of the policies in place for how devices are used, accessed, managed and to whom they are available. 

Barnette: There are many concerns when it comes to the IoT and electronic access control.  Connecting, more devices and systems, plus sharing more data opens new potential security threats, and work still needs to be done to better understand the potential associated risks.

A major consideration to prepare for the IoT is a comprehensive cybersecurity strategy that begins at the hardware level to establish a solid foundation of protection against potential threats.  For example, our approach includes secure design lifecycle practices; proactive testing of our products through third parties; and industry-standard data encryption methods for end-to-end secure communications. Beyond ensuring a multi-layered approach to cybersecurity at the hardware level, we recommend that access control software manufacturers also carefully review their code and control all possible connection points supported by their software, given that vulnerabilities are discovered in commercial software platforms on a regular basis. It is also recommended that hardware and software manufacturers work with professional labs to conduct vulnerability analysis on a regular basis. 

Coniff: In many respects, the access control system is often considered the gatekeeper to a facility. People often ask how to make access to system configuration easier for the end user. While this may provide more convenient access for building and security staff, it also makes it easier for others to gain access through non-conventional means. It’s a constant balance – designing products that are easy to use and modify for approved users, while also protecting against external threats. The ultimate goal is to make it easier for security managers and operators to efficiently, effectively and securely manage their facility using smart devices, while also protecting against unauthorized access.

Martens: Connectivity at the device can provide tremendous benefits, but it also can expose the user to heightened risks when applied and or maintained improperly. The secure storage and transmission of information are table stakes in the burgeoning world of the Internet of Things. Whether it is a lock or a video camera, certain basic elements must be observed by manufacturers, service providers, integrators and end-users. One of those key elements is the ability of these devices to securely receive updates. This allows the firmware or software elements of the smart device to maintain its level of security, functionality, and robustness through updates from the manufacturer or service provider. Another key element would be to never leverage pre-set administrative settings or passwords. Just following these two simple suggestions will greatly enhance your level of security and ability to respond to an incident. Another element to consider is how you maintain your network itself. Does a member of your organization manage your firewall? If so, how comfortable are you that they are at the same level of understanding and skill as someone at AWS, Google, Microsoft, etc.? Malware and ransomware can be fought at many levels, so companies need to decide where their core competencies exist and where they don’t.

Ouellette: Access control devices will need to be made Wide Area Network (WAN) friendly and address the problems presented by having to open ports for firewalls which create cyber vulnerabilities.  The manufacturers will need to provide the means for getting software and firmware updates for operating systems as well as devices that minimize truck rolls and lengthy deployments while providing notifications of any corrective actions for identified cyber-security issues that allow a customer to provide a highly secure and reliable solution.  Manufacturers of the access control solutions will need to be engaged with vulnerability scans and open source code scans during product lifecycle development to minimize risks to IP-centric solutions and provide higher degrees of assurance that the products they manufacture are cyber ready, responsive and secure. 

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]