How have standards changed the security market?

When designing a product to be used in the security market, it can be argued that interoperability is the key to success; as manufacturers innovate and extend product capabilities, ensuring customers can seamlessly use features is essential. As such, standards that help guide this process allow organisations to deliver technology that facilitates scalability and flexibility. Standards, such as those put forth by ONVIF, have changed the security market through the ability to bring integration to the forefront, enabling various technology pieces to work cohesively, conglomerate numerous data points and present relevant information to security leaders. Additionally, a subtle but important improvement facilitated by standards is that end-to-end solution vendors wanting a seamless user experience for their customers no longer need to develop every part of their solution themselves; they can partner with experts in complex or niche fields without the concern that their technology might be hard to integrate.

In a world that’s growing more connected by the day, benchmarks like ONVIF’s IP-based, physical security protocols are creating a new standard of interoperability across the security industry—among manufacturers, developers and integrators alike. Gone are the days of individual products competing for attention. The market, today, is moving decidedly toward unified solutions, making IoT architecture, compliance and interoperability more important considerations than ever. These standards aren’t alone in changing industry norms, either. Regulations such as GDPR are instilling a heightened awareness of cybersecurity worldwide, which directly influences the way the manufacturers develop their products and customers select their solutions. In the world of data storage, for example, integrators are favoring hard drives built with software encryption, pseudonymisation, hardware encryption and secure erase features. Going forward, the security market is expecting more from its stakeholders.

Beyond ONVIF, standards are a prerequisite for the security industry, period. They are a must-have. Standards are the enabler of many things – from the screws used to mount hardware, to the electricity used to drill it in. Everything uses standards and within the ONVIF sphere, our specifications standardise basic video system functions such as video compression technologies, metadata streaming and alarm and event management, all of which are crucial to enabling interoperability within systems.

Fundamentally, standards are a positive thing. They give end users and installers peace of mind that the systems they are using or fitting are fit for purpose. With such a complicated range of products available to buy, it makes it easier to choose the best ones for your security needs. However, the proliferation of different testing bodies in different regions or countries can be very confusing, and those of a more suspicious nature might even view them as potentially a cynical non-tariff barrier. Some markets appear to insist on the adherence of their certification, but in reality have little difference in their test modalities from many others. By contrast, the ONVIF protocols have made it much easier for manufacturers to ensure the full interoperability of their products and systems with other manufacturers, which is clearly beneficial to security providers, buyers and users across the global security market. 

Security standards are changing as quickly as physical security is digitising. In fact, digital transformation is the driving force behind the current “blended threat” environment and has essentially redefined business risk. Therefore, the practice of security and risk management must evolve around standards and certifications to counter creative criminal actors. Security standards and certifications run the gamut of specific products and industry sectors. What is important to understand is that the security of data (at rest and in transit) is at the heart of our digital networks and security maturity models. Information security, which protects people and machines, is a subset of the larger practice of security management. Given the convergence of physical systems, IT architectures, and cybersecurity in the context of Digital Transformation, the NIST Standard is at the forefront of security and risk management best practices.

Standards have long played a role in access control and will continue to build momentum. For example, enabling broader compatibility, many RFID readers and credentials for electronic access control first emulated magnetic stripe data standards developed by the International Organization for Standardization (ISO) defining many of the card’s attributes, including size and data formats. Today, many access control panel providers comply with the Institute of Electrical and Electronics Engineers (IEEE) standard IEEE 802.3 which defines the backbone of Ethernet technologies. New standards, such as the Open Supervised Device Protocol (OSDP) specification, which offers the promise of widespread functional integration of disparate card readers, electronic access control panels and other security management systems, will allow for new features and even greater interoperability.

The challenge that physical security currently faces is the standards created at the C-level, specifically with the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). The Physical Security and IT departments have become more aligned with one another as we have become more reliant on IT for connectivity, access, and control. Therefore, as Physical Security professionals, we must follow the same standards and regulations set forth by the IT Departments. Manufacturers, integrators, and solution providers must understand the specific standards and regulations within each customer’s vertical. With growing cyber threats, these standards are continuously evolving to protect our networks. Consequently, we all must keep up. Trade organisations, such as the National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), and North American Electric Reliability Corporation - Critical Infrastructure Protection Committee (NERC-CIPC), are great resources that our customers use to build their standards and policies.

It may seem counterintuitive, but standards are huge drivers and facilitators of innovation and unique ideas. They have changed industries by normalising the basic elements of a system and allowing resources to instead be spent on pioneering new features, functionalities and ideas. Video surveillance is an example, from the early standards in analog video to the modern IP interoperability standards. What is important to our industry today is to keep these technical specifications open and accessible. As an example, with our free and open Security and Safety Things operating system for security cameras, based on Android Open Source Project (AOSP), we are set to establish a new standard in close cooperation with the Open Security and Safety Alliance (OSSA) that drives standardisation in our industry. Such a standard OS empowers developers around the world to build applications without wasting resource on customising them for a diversity of proprietary operating systems.

Standards are constantly evolving, especially those associated with people's safety and security. Regardless of the type of standard, physical or technical, precedence continues to be established, best practices identified, and new rules created. This will never change. The change that will make the biggest impact is how standards are enforced and the penalties of non-compliance. Take OSHA as an example, of the top 10 penalties awarded in 2019, 60% of them where a result of a complaint or referral, it's no longer just about the inspector. Combine that with the fact that the maximum penalty per violation in now sitting at over $134K, and that these indiscretions will go viral, resulting in a direct hit to your reputation and sales. Operations simply can’t afford not to comply! What needs to change is how operations measure and manage compliance. Logbooks, checklists, and to-do lists are no longer going to cut it!

These are the standards used to designate vehicle impact conditions. Four types of vehicles are defined by the U.S. Department of State’s Bureau of Diplomatic Security. They are:

1. Small Passenger Car: The car must have been manufactured in the last 10 years and weigh 2430 +/- 50 pounds (1100 +/- 22 kg).
2. Pickup Truck: The truck must be a ¾-ton model, manufactured within the last 10 years and weigh 5070 +/- 100 pounds (2300 +/-46 kg).
3. Medium Duty Truck: This vehicle must have a diesel engine with a vehicle mass of 15,000 +/- 300 pounds (6800 +/- 136 kg).
4. Heavy Goods Vehicle: This must be a tandem axle dump truck or tandem axle with drop axle truck, tested at 65,000 +/- 1300 pounds (29,500 +/- 590 kg).

While defining the types of vehicles, the Bureau also established penetration ratings:

• P1 - Less than or equal to 3.3 feet (1 m)
• P2 - 3.31 to 23.0 feet (1.01 to 7 m)
• P3 - 23.1 to 98.4 feet (7.01 to 30 m)
• P4 - 98 feet + (30 m +)