Role of IT in Access Control System

Role of IT in Access Control System

It is a fact that IT is becoming more involved in the physical security world. In a small minority of companies, these two departments are actually merging, although this is a mammoth task fraught with problems, not only in terms of technology, but primarily in terms of culture.

In the access control world, one could say it’s normal for IT to be involved in networking (assuming the access systems make use of the corporate network and/or the IP protocol), but the scope of IT has slowly been creeping into more of the access control functions. In smaller companies, for example, it’s not unusual for the service provider responsible for the company’s IT to also take the responsibilities of physical security.

So how far has IT made inroads into the access control world in general? HID Global broadcast arrange a webinar in October 2018 in which it revealed some new research into the increasing role IT departments and personnel are playing in the physical access control world. The webinar was hosted by HID Global’s Brandon Arcement and Matt Winn. After discussing the findings of the research, they went on to advise physical security operators as to how they can embrace their IT colleagues further, with the goal of improving the holistic security posture of their organisations.

The survey was conducted by The 05 Group, sponsored by HID and was completed in March 2018. As the title of this article notes, the research found that IT departments are now more involved than ever in organisations’ physical access control decisions and implementation, and that trend is set to increase.

The 05 Group surveyed 1 576 individuals from more than a dozen industries, including education (19%), information (16%), government (11%), manufacturing (8%), health services (8%), and security, professional and business services (8%). Of the respondents, 35% were IT managers, 26% were IT directors, 13% were IT staff, 8% were CIO/CTO, and 3% were VPs of technology. The survey also spanned companies of different sizes, with 24% having less than 100 employees, 22% 101-500 employees, 11% have 501-1000 employees, 17% have 1001-5000, 6% have 5001-9999, and 6% have 10 000-24 999 employees. The results therefore cover a broad spectrum of companies and industries.

 The numbers tell a story

The research offers a significant amount of data about the role of IT in access control, however the webinar brought out a few pertinent facts (a link to the white paper written by HID from the research is at the end of this article). When asking the organisations being surveyed “Who is primarily responsible for physical access control in your organisation”, the responses were as follows:

• 29% said both IT and physical security.

• 26% said IT only.

• 25% said facility management handles the job.

• 12% said physical security only.

• 8% said the property management company was tasked with access control.

With a quarter of the respondents already saying IT is responsible for access control, and a further 29% saying it is shared between the two departments, it’s clear that the divide between IT and physical security is rapidly vanishing – and in some cases, altogether gone. And this is a trend that will continue; in organisations where IT is not involved in access control, 36% of the respondents said it will be within the next five years.

For those organisations where access control responsibilities are shared, 47% of the respondents report it had been shared within the past five years. Similarly, where IT owns the responsibility, 42% of the companies say they were given this task within the last five years. Once again we see that IT/physical security convergence in the access world is an expanding reality.

We mentioned IT’s influence in access control above in terms of the networking of access systems, however, this is an old function. The webinar showed that both IT professionals as well as physical security professionals see IT being involved in all areas of access control. When it comes to physical security professionals:

• 66% of physical security professionals see IT involved in influencing the decision-making process.

• 48% see IT’s involvement in integrating access and other systems.

• 37% see IT involved in implementation.

• 22% see IT involved in managing the systems.

From the other side of the table, IT professionals have a similar view:

• 76% expect to influence decision making.

• 72% will be involved in integration.

• 59% will be involved in implementation.

• 39% expect to be involved in managing systems.

Not all wine and roses

Of course, as these different cultures work together, there are bound to be some issues. It is in the field of integration where IT sees problems. Half of the IT people surveyed have issues with the lack of integration of access systems with other IT systems. This is an area in which the access control industry could make significant changes in the short-term to ensure their software and hardware can be more easily integrated with existing business management and security systems.

When it comes to new access control systems, the IT school has a few things it wants to see on the vendors’ to-do list. They want improved ease of use (71%), the ability to support or add new technologies (68%), mobile access (59%), and integration with existing security platforms (54%).

It’s also clear from the survey that IT is not all that comfortable with access control technology. Areas such as credential management, decision making with respect to access control systems, how system components work and also individual features within access systems can cause a bit of nervousness among the IT folk. These are areas in which physical security professionals can make their mark, as they are more skilled in dealing with these issues as well as others unique to their industry. 

Helping IT in access

The driver behind this convergence is not a technical issue, but is itself a convergence of a number of separate drivers. HID notes the primary drivers are:

• Converged threats that impact both physical and logical infrastructure. If you have a physical vulnerability it puts your logical systems at risk, and vice versa.

• Proliferation of networked devices in the age of IoT (the Internet of Things) which all require both physical and logical security. Interestingly, the webinar held its own real-time survey of the attendees and this topic was selected as having the biggest impact on access control’s shift to IT with half of the audience selecting it.

• Compliance to new regulations, which again rely on both sides of the table.

• Budget consolidation, which we are all suffering through.

• A shift in reporting structures as executives try to get a handle on the seemingly endless threats companies face on all fronts.

When it comes to the role of physical security professionals and how they can assist in the convergence between the two sides and help improve organisational security, 80% of the respondents said they play a role in establishing best practices, while 50% see physical security having a role in preventing unauthorised access in general, and 49% say they can help in achieving compliance. In order to streamline collaboration, the HID webinar suggests, among other issues, that both sides need to work on aligning project priorities and determining responsibilities, and balancing the technical acumen of IT when it comes to access products and management. 

A converged example

The webinar went on to provide an example of how the two divisions could work together in an access control installation. When it comes to the physical access control host, HID advises organisations to integrate physical access control systems (PACS) with an IT source of identity such as LDAP. Furthermore, administrators should ensure there is a set policy around regular software updates and patches, while they should also take advantage of IT’s experience (and equipment) to ensure high availability.

When it comes to the controller, HID advises organisations to settle some of the issues raised above by requiring an open controller platform that can be integrated with other technologies and other vendors’ products. Preventing vendor lock-in is a costly lesson IT departments have learned. It also suggests considering an ‘IP-at-the-door’ topology, keeping controller firmware updated to the latest versions, using strong passwords and encrypting communication between controllers and hosts (and using OSDP – Open Supervised Device Protocol – for encrypted reader communications).

Another strong warning was to take care when selecting access credentials as many of the card and fob technologies available are easy to replicate, making it simple for the wrong people to easily gain access. There are secure card technologies out there and these should be used as a standard. A business benefit of these more advanced credentials is that they can also be used for additional business functions, such as secure printing, vending machines and network logon.

The webinar presenters also touched on the benefits of using users’ mobile devices as credential holders. These can offer higher levels of authentication, easier administration and more user convenience that does not come at the expense of the company’s security.

Whether you are on the IT or physical security side, the most important part of the research (depending on your biases) can be seen in the answer to the question “Do you believe that increased collaboration between physical security and IT can improve the overall security of your organisation?” An overwhelming 95% of all the respondents said “yes”.

While the full convergence of physical and logical security is still some way off, people in the access control sector obviously understand that IT and physical security working together is critical to develop a successful security defence strategy for their organisations. In the access control industry this may be easier to achieve, but as noted in the introduction, it is often a question of culture (or ego, to be blunt) that prevents collaboration and results in organisations being vulnerable to the ever-increasing threats they face from well-organised criminal syndicates, as well as unhappy teenagers with too much time on their hands.

End of the article thanks to Mr. Andrew Seldon, for valuable time to us & security sa team.

PoE Access Control Systems

PoE Access Control Systems

Is PoE technology a viable solution for your access control system?

Power Over Ethernet is being widely advertised as a panacea for access control system users. Certainly we have all looked forward to the day when a single network drop at the door will satisfy all of the system wiring requirements between the controller and the doors. One simple cable that will replace the multitude of cables currently needed for reader communications, request to exit, door position, and lock power.

As is commonly the case, along with technology that is new to our industry comes advertising claims and counter claims by various vendors each vying for a prominent spot at the top of the tech-tree. This paper will address this emerging technology, the standards that guide it's implementation, and the claims that warrant further scrutiny. Its focus is to help you sort out what is viable in real world applications and what is advertising hype.

The Objectives of PoE

The primary objective of any PoE system is to reduce costs. The technology was designed as a solution for the implementation of various network appliances in applications where it would be too expensive or inconvenient to provide a separate power supply and wiring. It is commonly used to power wireless network access points, remote network switches, and IP telephones. Stringing wire throughout a building for a proprietary access control network has long been a cost prohibitive proposition and often the most expensive part of the total system. Certainly if any system commonly found in today's modern building needs an alternative to hardwired devices, it is the access control system.

Cost of wire

Although not as costly as the labor needed to install it, the various combinations of wire needed for a full fledged access control system can represent a significant cost. For today's typical system you will need a 6 conductor, 22 AWG, stranded, shielded for the reader; a 4 conductor, 18 AWG, stranded for lock power; a 2 conductor, 22 AWG, stranded for door position; and a 4 conductor, 22 AWG, stranded for request to exit. The outer limit for this wiring architecture is usually 500 feet and is often pushed to that limit. The advent of modern customized bundled cables allows the required combination of conductors to be incorporated into a single cable which makes installation much easier but can still represent a significant cost. By injecting power onto the readily available, commonly installed CAT 5 or CAT 6 cable, PoE promises to bring down the cost of installation.

Cost of labor

If you have ever been on the pay check writing, or even cost estimating, end of a security system installation contractor you clearly understand that labor will represent the bulk of the costs associated with providing today's systems. The installation of wire is responsible for the lion's share of those labor costs. A "rule of thumb" that has long been used in the industry is the 60/40 rule. This rule states that roughly 60% of your costs will be in labor and the remaining 40% will be in equipment costs. To the extent that this rule is true, innovative alternatives such as PoE can dramatically reduce the overall cost to the end user for these security related systems.

PoE System Components

Along with the CAT 5 (or better) cable infrastructure, a basic PoE system will consist of powered devices (PD) and power sourcing equipment (PSE).

Powered Devices: An example of a PD is PCSC's Fault Tolerant (FT) access control system door interface module (DIM). The DIM is installed away from the Master Controller (MC) and near the associated door. Through the DIM, power is distributed to the reader, door locking mechanism, and request to exit device (REX). The door status switch and and REX status are also monitored by the DIM.

Power Sourcing Equipment:

This switch was designed to meet the below detailed IEEE P802.3at specification and specifically for networks consisting of IP video cameras and other security related devices.

Relevant Standards

PoE - IEEE P802.3af - 2003f: Since 2003 the applicable IEEE standard for PoE has been P802.3af. This standard calls for a maximum allowable 12.95 watts of power per port and allows the use of CAT 3 cable. As PoE has become more popular, more and more devices have been designed for its use. The power limitation of this standard has stifled the device manufacturers ability to meet the demands of the marketplace.

PoE Plus - IEEE P802.3at

The new PoE Plus (or Hi PoE) standard is nearing completion and is expected to be ratified soon. Switch manufacturers are already producing switches that conform to this standard, at least to the extent that they can anticipate the final standard's requirements.

It is important to note that PoE Plus requires the use of Cat 5 (or better) cable. The eight wires of CAT 5 cable verses the four wires of CAT 3 allows more power to be transmitted.

Draft 3.0 of the new AT standard, dated March 2008, states that the maximum current will be nearly twice the current allowed under the AF standard.

One objective of the IEEE P802.3at Task Force was to ensure that PoE Plus will operate in modes compatible with existing requirements of IEEE P802.3af. This is good news for forward thinking companies that have already made a significant investment in PDs designed to the older standard. Another objective of the Task Force requires PoE Plus PDs, which require a PoE Plus PSE to provide an active indication of that requirement when connected. This will alleviate the inevitable problems caused by connecting PDs designed to the new AT standard to PSEs that comply only with the older AF standard. Conversely, PoE Plus PDs that operate within the more limited power range of P802.3af will work properly with 802.3af PSEs.

Power Requirements

Power requirements for PDs vary according to the device type, manufacturer, load, cable length, and other factors. Our example PD, PCSC's FT system DIM, requires 200mA at 12vdc or 2.4W. A typical door locking mechanism may require 500mA at 12vdc or 6W. A REX sensor may require another watt. A card reader may require 3W. Even without allowing for environmental factors and cable length, a fully loaded access control system can easily start to approach the upper limit of the older AF standard.

Powered Device (PD) at the door / Required Power

Door Interface Module (DIM) / 2.4W

Reader / 3W

Lock / 6W

Request to Exit (REX) device / 1W

Total / 12.4W

Back-up Power

One of the biggest advantages offered by the PoE infrastructure is the inherent ability to facilitate system wide power back-up. If your system is PoE based, then backing up power for the entire system is simplified. Employing an emergency generator or a network UPS will ensure that the access control system continues to be fully functional during a power outage. Legacy systems typically employ battery back-up techniques that fail to provide sufficient power for critical components such as door locks or request to exit devices.

Security for the Security System

When considering PSEs for PoE based security systems look for features that will provide protection for the system that protects your facility. Temperature will greatly affect the performance of your PoE system. AFI's C10e switch, for example, provides local and remote environmental sensing and alarm generation. If a fan fails and your PoE switch is overheating, you want to know about it immediately. A good PoE command center will also have the ability to constantly poll activity on the power output ports to establish trends and anticipate problems.

Power Sharing

Caveat Emptor: An important concept to recognize when considering the deployment of a PoE network is that of power sharing. This concept has largely been ignored by PoE marketeers. Simply stated, power sharing is when the total power available from a PSE is shared across all of its ports. So if the PSE delivers 12.95W of power and 9 or 10 watts are required on each port, your PSE will only power one port. The slight of hand that the industry marketing fails to acknowledge is that yes, while you can power your access control system with an older IEEE P802.3af PSE with 12.95W of available power, they don't tell you that you'll need a switch for every access control door in the system. Not every pre-IEEE P802.3at switch employs the power sharing principle, but it is something that any potential PoE system user needs to be wary of.

Today's Switches: Newer systems, such as our example of American Fibertek's Commander C10e switch do not utilize this methodology. Each port can be configured by the operator to deliver a specific class of power. This ensures that your purchase of an 8 port switch will enable you to power the PDs required at eight different doors if needed.

Conclusion

PoE is quickly becoming a viable alternative for access control system designs. Network switch manufacturers, like American Fibertek, are producing power sourcing equipment (PSEs) designed specifically for our industry and at least one access control manufacturer (PCSC) offers PoE capable powered devices (PDs) for their new Fault Tolerant (FT) access control system.

Well designed PoE based access control systems will:

1.) Utilize PSEs that avoid power sharing across the various PoE ports of the device.

2.) Comply with the new IEEE P802.3at standard including CAT 5 or better cable and Hi PoE power availability.

3.) Incorporate a cascading technique that employs smaller switches in a distributed architecture.

4.) Consist of PDs that have been designed and tested to meet the PoE Plus standard.

5.) Incorporate power back-up systems that keep the access control functioning during a power failure.

6.) Have built-in protection features that help your security system stay secure.

The long awaited panacea for access control systems may very well be a reality given the new, soon to be ratified, IEEE P802.3at Power Over Ethernet specification. Be careful when looking through the marketing hype to identify those access control system and PoE device manufacturers that understand and conform to the developing industry standards.