The general perception in the security management world is that this is a dynamic market with huge growth potential.
Due to a range of global factors, there are more and more cogent reasons to invest in security. And all over the world companies are transforming breakthrough technologies into innovative products and rushing them to market.
However, a visit to a Security trade show reveals that this picture does not reflect reality. The average event looks remarkably similar to the previous one, with the same people at the same booths. And when colleagues ask "Have you seen anything new?" the usual answer is "No, not really..." Perhaps the only exception is the CCTV sector, where innovation is driven by developments in consumer electronics.
Compare this to an IT trade show. The sheer noise level reflects the buzz and excitement in this market place. Almost all of the booths feature new product ranges and innovative solutions, with one major development after the other.
So, why is there such a big difference between the security and IT markets? Perhaps we can learn something by studying the IT market and use the insights thus gained to rekindle interest in the security market.
The IT market
First, let's go back a few decades. In the early 1980s, if you needed a device for writing a letter, doing calculations and storing information, your IT department would probably have given you a Wang word processor, a HP12C calculator and an IBM 3270 terminal with access to a database on a mainframe. Three separate devices for three functions.
Of course, this was a major step forward, but very soon users started to complain. It was not possible to integrate calculations within a document. Sharing a printer was difficult. And if you required new functionality, the chances were that you would need to replace at least one of the devices.
This all changed the moment IBM introduced the first PC. It was not so much the device itself that made such a huge impact on the IT market, but more a vision of how computers should work. Instead of dedicated devices that only do one thing well you now had a generic, all-purpose tool that could do many things for you.
Just install the right software and your PC could do a whole host of useful things. And the introduction of Microsoft Office made the integration of spreadsheet calculations and merged information from a database within a word processing document even simpler.
Software became hardware independent and users could enjoy enhanced hardware performance at ever lower prices. Moore's Law - that data density would double roughly every 18 months - proved remarkably accurate.
With the introduction of open standards it became much easier for third parties to use software developed by others within their own solutions, resulting in a dramatic increase in the speed of innovation. These and other developments such as the Internet have led to the dynamic IT market we see today.
The Security Management market
Now compare this to the security management market. Two decades ago, if you requested a way to control access, detect intrusion and keep track of events, your security manager would have proposed a separate access control panel, a separate intrusion detection panel and a CCTV camera.
Integration of these functions would of course be a challenge. And introducing new functionality often meant replacing at least part of the hardware.
Twenty years later, the answer to your question would be almost exactly the same. Probably your access control panel would be called something like System 3000 instead of System 2000, but it would still offer almost exactly the same functionality. The use of an existing Local Area Network might reduce the amount of cabling, but integration would still be difficult and time-consuming.
While the IT market blossomed, the security market stagnated. So, why is there such a big difference between these two markets?

[Image: The Nedap AEOS unit]
The difference
First of all, the security market is extremely fragmented. Hundreds of companies develop and manufacture their own systems. Hardly any have a turnover in security systems of much over ₤25 million and those that do usually have multiple product lines without any common components. It is clear that with these turnover levels the amount of money available for developing innovative products is severely limited.
Typically, the architecture on which the current security management products are based is over 15 years old. Although some new products are occasionally introduced, the basic design principles remain unchanged.
A good example of this is the switch to IP-enabled controllers for access control. Over 80% of the systems currently available made this switch by integrating a standard serial-to-TCP/IP converter in their controller. The controller can now be connected to the LAN using a Cat 5 cable, but the communication between controller and server is still based on the old original serial protocols, leaving all of the other opportunities offered by true IP-based communication unused.
Furthermore, these aged architectures are without exception based on closed, proprietary protocols. This makes it virtually impossible to leverage innovations by other suppliers. Functionality such as firewalls, encryption and authentication, which are currently required by most customers, has to be developed by the manufacturers themselves.
The main bottleneck
If you study the underlying architecture of all of the security management systems on the market today, you will find that the main bottleneck is the controller. For years, controller hardware and software have scarcely evolved at all.
This is partly why newly developed secure contactless chip-card technology has yet to make a big impact on the market. All of the research and development in encryption and authentication is rendered useless if readers can only be connected to old-generation controllers through a standard Wiegand protocol - with no protection whatsoever!
Biometrics could already have made big inroads if controllers were able to store more than 32 or 64-bit credentials. Now a complex solution is required with biometric templates stored on chip cards instead of on the controller itself. Although biometrics promises identification without cards, in practice you are still stuck with badges due to the limitations of today's controllers.
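To make the Wiegand point concrete, here is an added example (not from the original article or from Nedap). It decodes the common 26-bit Wiegand frame, whose only check is two parity bits, and contrasts it with a hypothetical counter-plus-HMAC link that can also carry credentials longer than 64 bits. The AuthenticatedLink class, its message layout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def wiegand26_encode(facility: int, card: int) -> str:
    """Standard 26-bit Wiegand frame: even parity, 8-bit facility, 16-bit card, odd parity."""
    data = f"{facility & 0xFF:08b}{card & 0xFFFF:016b}"
    even = data[:12].count("1") % 2        # first 13 bits carry an even number of 1s
    odd = 1 - data[12:].count("1") % 2     # last 13 bits carry an odd number of 1s
    return f"{even}{data}{odd}"

def wiegand26_decode(frame: str):
    """Controller side: the two parity bits are the only check the frame offers."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        return None
    return int(frame[1:9], 2), int(frame[9:25], 2)

def flip(frame: str, *positions: int) -> str:
    """Invert the bits at the given positions (simulates line noise or alteration)."""
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)

class AuthenticatedLink:
    """Hypothetical replacement link: 8-byte counter + credential + HMAC-SHA256 tag."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, -1

    def seal(self, counter: int, credential: bytes) -> bytes:
        body = counter.to_bytes(8, "big") + credential
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def accept(self, message: bytes):
        if len(message) < 40:              # 8-byte counter + 32-byte tag at minimum
            return None
        body, tag = message[:-32], message[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None                    # forged or altered in transit
        counter = int.from_bytes(body[:8], "big")
        if counter <= self.last_counter:
            return None                    # stale counter: a repeated message is refused
        self.last_counter = counter
        return body[8:]                    # credential is not limited to 32 or 64 bits

if __name__ == "__main__":
    frame = wiegand26_encode(17, 4242)     # constructed sample values
    print(wiegand26_decode(frame), wiegand26_decode(flip(frame, 10, 11)))
```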
One of the reasons why controllers have not evolved over the years is that writing reliable distributed real-time software that runs on a controller is particularly challenging. Since a lot of this embedded software was developed many years ago, old-fashioned software languages were used, making software maintenance extremely laborious.
Because, in the past, microcontrollers had limited capabilities and memory was very expensive, a lot of effort has been put into optimizing the embedded software to get the required performance at the right price. This means that most controller software is very hardware-dependent. Adopting a new, vastly more powerful microcontroller - at a fraction of the price - would be prohibitively expensive due to the costs of rewriting all the embedded software.

[Image: Efficient visitor and contractor management]
A new generation of controllers
So, is the security market irrevocably stuck in the past? Not necessarily.
Fortunately, a few companies have taken up the challenge and started developing new security management systems from scratch, the first step being controller design.
For the heart of the system - the microcontroller - a number of options are available. Currently, the Intel XScale RISC processor family is a promising candidate with an attractive price. Most current PDAs and other handheld devices are based on this processor, ensuring ready availability and competitive pricing.
Then you can install some memory (e.g. 64 MB RAM and 64 MB Flash) and, by adding a USB host controller, a wide range of expansion possibilities becomes available (e.g. expanding memory with a memory stick or adding peripherals such as keyboards or small VGA screens).
In addition to this hardware platform, an appropriate operating system needs to be selected. Since you need control of all the software on a controller, an operating system with full access to the source code is essential. Open source Linux is therefore the most suitable candidate, especially as there are no license fees. If you go for Linux, a wide range of standard functionality becomes available such as firewalls, encryption, databases, etc.
But you're not there yet. In order to be fully hardware-independent, the new controllers must have a Java Virtual Machine onboard. We are in much the same situation as the mobile phone industry where new phones are introduced every few months.
In order not to be forced to rewrite all of the embedded software for each model, third party software developers are adopting the Java programming language because it enables them to write hardware-independent programs. Nowadays, every mobile phone is equipped with a Java Virtual Machine that is capable of running Java software, so you can expect a similar development with controllers.
This new generation will be so generic that it is very likely that a few companies will step in and make them a commodity. In the United States, HID has already launched their own VertX Linux-based controller line. As a result, the average sales price will drop significantly.
Since these controllers will apply well-documented open industry standards, third parties will be able to focus all of their resources on developing innovative solutions.
The introduction of these next-generation controllers could have the same impact on the security management market as the introduction of the PC in the IT market. A couple of companies have already started developing totally new security management systems based on them.
An example
With the introduction of AEOS, Nedap introduced one of the first examples of the new generation of security management systems. AEOS consists of a new hardware line based upon a Linux/Java-based controller, new embedded software and sophisticated server software.
The server software is web-enabled, so you no longer need to install client software - all users require is a standard Internet web browser. The Java 2 Enterprise Edition-compliant server software ensures scalability, robustness and serviceability.
An interesting feature of Nedap AEOS is behaviour components. These software modules determine the actual behaviour of the controllers. Standard access control plus more complex behaviour such as 'patient-wandering' functionality, which is required in many hospitals, can be installed on the controller.
Full intrusion detection functionality can be added by simply deploying the right behaviour component. Standard PLC-like behaviour such as AND-gates, OR-gates and timers is also available and, with a graphical editor, the components can easily be combined.
Since all embedded and server software is written in Java, the software is hardware independent. This means that hardware and software development can be undertaken independently, reducing lead times significantly. This year Nedap intends to introduce their third-generation Java-based controller within five years, with a 20-fold increase in performance at a third of the original price.

[Image: Nedap headquarters in Groenlo]
Advantages
Although developing a totally new security management system does not come without its challenges, numerous buildings throughout the world have already been equipped with Nedap AEOS.
One example is the Headquarters of ABN AMRO Bank in Amsterdam. The bank required migration from the old system to the new one during a single weekend. Despite all of the detailed preparations, when the moment for the migration arrived, there were some surprises.
Technical drawings did not reflect the actual wiring and turnstiles worked differently than described in the manual: the sort of thing that tends to happen on any large installation project. However, the technical engineers were able to overcome all of the technical challenges without dedicated firmware or PLCs thanks to the system's flexible configuration and the ability to combine behaviour components.
AEOS is designed to facilitate full peer-to-peer communication. The input on one controller can be linked directly to an output on another, thus bypassing the central server and using the full power of the TCP/IP protocol.
When AEOS was installed in the new building of the Dutch Ministry of Education, for example, the original plan was to use conventional wiring from the security desk to many of the entrances. However, the use of AEOS peer-to-peer communication via an existing Local Area Network saved the Dutch government over ₤50,000 in cabling costs.
At the Rijksmuseum in Amsterdam the most valuable paintings are put on display, so security is a key issue. By combining the access control and intrusion detection behaviour components on the same controllers, the museum was able to considerably reduce its investment in hardware.
Implications
This kind of development will have a major impact on the security market. Firstly, only a few companies will have the financial resources, skills and stamina to undertake such a large and risky development project. As a result, a very limited number of manufacturers will be both willing and able to develop these new platforms.
Secondly, the current pricing model will need to be replaced. The industry currently earns most of its money on hardware, while most of its costs are in software development. Due to the commoditization of controllers, hardware prices will drop rapidly and so a new revenue stream needs to be established. A new price model is required whereby end-users pay a license fee for the functionality on the controllers.
In much the same way as companies pay for the software packages installed on the PCs at their premises, this model allows for differentiation in charges. Standard access functionality can be priced attractively compared to high-end functionality with integration of biometrics and weight verification.
The hundreds of companies that currently sell outmoded systems will face a tough 'make or buy' decision. The vast majority will procure the new platform from one of the few dedicated manufacturers and use it to develop their own solutions, but they will tailor these to the needs of a specific market niche.
With the advent of new and open security platforms, it will become much easier to develop new functionality. Third parties are already focusing on developing truly innovative solutions by adopting a security platform that adds value for end-users without being hampered by rigid, old-fashioned, closed architectures.
Developments in other markets such as IT or consumer electronics can easily be leveraged into better security systems. And the number of product introductions will increase to meet ever-growing customer needs.
So, maybe we can finally look forward to visiting exciting Security trade shows again.
by Ruben Wegman
Managing Director Nedap NV
December 2005