Network-centric security at USC
Nov 1, 1999 12:00 PM
G. F. Bryant Jr.
As proprietary security systems evolve into client/server-based open architecture systems, security system designers and integrators enjoy unparalleled freedom and flexibility in system design. Such flexibility was a major part of the design criteria in a recent security upgrade at the University of Southern California (USC), Los Angeles.
The integrated computer management system at USC was designed by Bryant and Associates of Greensboro, N.C. and was provided by UAC Security Systems of Fullerton, Calif. UAC teamed with Lenel Systems International, Rochester, N.Y., to use OnGuard 5.5E security management software, the latest upgrade to Lenel's OnGuard suite of integrated security systems, as the basis for the system.
Like many universities, USC has a large campus that includes many off-site facilities with security needs similar to the main campus. The university's enrollment is more than 28,000, and an additional 15,000 faculty and support staff work on the various campuses.
The University Park campus has 200 buildings encompassing 155 acres. Eight miles away, the Health Sciences campus has 23 buildings and is 30 acres. Before the upgrade, the university had two existing access control systems. Tying into access control was an AT&T Campus Wide system featuring debit cards on which access control functionality was piggybacked on the magnetic stripe. With Y2K issues looming related to the institution's intrusion detection systems, a system-wide update was undertaken. The goal was to preserve the features of the campus-wide one-card system, and to salvage as much of the installed base of card readers as possible. The university also wanted a system with maximum flexibility to increase future functionality, such as adding access control at academic buildings and even controlling access to campus computers.
Because many of the remote sites do not have a signal path on USC's property, the signals must route through the Telco Cloud (telephone lines), or the university's own Network Cloud (LAN) to get to their destinations. The campus has an ever-changing set of security requirements stemming from special events that may be held anywhere on the main or remote campus sites. Additionally, in the event of an abnormal security incident, security planners wanted the ability to instantly deploy a command post to provide remote surveillance and control anywhere in the system.
The department of public safety at USC was faced with the dilemma of how to tie distant remote communication hubs together, yet remain flexible enough to allow rapid deployment of access, sensing and surveillance devices. The potential requirement that a portable command post for emergency operations be available at any site on campus added to the project complexity.
Lenel OnGuard 5.5E is built on Microsoft BackOffice-certified OnGuard 5.5, which integrates access control, CCTV, alarm monitoring, ID card production and personnel management for mid-to-large-sized corporations, facilities and universities planning for regional or global expansion. The expanded scope of support in Lenel OnGuard 5.5E increases the range of the system while reducing the total cost of ownership. It also requires less time to install and maintain the system.
New features of OnGuard 5.5 include support for elevator control, updated database and operating systems support, and enhanced hardware and alarm control capabilities.
Security on the network
The first step at the University of Southern California was to create a network-centric security system by putting all of the electronic security onto a network. For example, when a network-based access control system is interfaced to a network-based CCTV system, security officers can control and monitor access control and CCTV systems that are hundreds or even thousands of miles away from the security command center. Alarm transactions such as "invalid time zone error" or "invalid access level error" may cause a camera to route automatically to the command center for observation by security administrators. Access control decisions are made at remote sites, yet databases are updated and alarm information is passed in real time over the network. Likewise, CCTV is switched at video servers at remote locations, where it is encoded and then shipped to the command center as virtual real-time video over a 10BaseT/100BaseT network.
At the remote locations, video switching servers are created by adding internal video matrix switching boards, video encoder boards and special network-based switching software. This allows the PCs to cross-point matrix-switch video from any camera to any monitor, like a conventional switcher except some of the monitors can be blocks or even thousands of miles away. The matrix-switched video is directed to a bank of video encoders in the PC that digitize and compress the video streams so they can then be transmitted as packaged data over the network to the security command center. The video equipment is provided by Javelin Systems, Torrance, Calif.
At the command center, the decoding process is done by hardware. Decoders receive the digital signals from the network, then convert them to analog for switching to the monitor array at the central console display. Any of the digitized signals may also be sent to an authorized client, such as the PC at a supervisor's desk, or to a mobile command post.
Supervisors use standard, non-proprietary desktop PCs, which are converted into digital video receiving workstations by adding a video decoder and loading the appropriate client applications software. Based on the client's need to know and need to perform, any or all of the system may be controlled from that location. Using hardware for the decoding process allows the PC to continue to run normal Windows-based applications such as security payroll spreadsheets, review of incident reports, investigative reports from the access control system, etc. The network-centric CCTV program is merely another Windows-based application that may be running in the background until needed. Video recorded to a computer's hard drive can be called up easily, days after the fact.
Since part of the design criteria mandated the ability to create a remote command post instantly to handle an abnormal security incident, it was also important to be able to do decoding by software, so the application could be loaded on a high-powered laptop. Although this technique consumes the majority of the resources of the laptop, if the laptop is fitted with a network card and has an IP address that is recognized by the system, the field commander is able to gain access anywhere on the network. Once on the network, the rapidly deployed command post can see and control any camera in the security system, receiving virtual real-time video.
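The alarm-driven camera routing and the per-client "need to know and need to perform" rule described above can be sketched as follows. This is an added example, not code from the article or from the OnGuard or Javelin products; the reader names, camera names, client names and IP addresses are hypothetical, and the source address is the only identity check, as in the article's description of a recognized IP address.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample data: reader names, camera names and addresses are
# hypothetical and do not come from the OnGuard or Javelin products.
ALARM_CAMERA_MAP = {
    ("hsc-door-12", "invalid time zone error"): "hsc-cam-03",
    ("hsc-door-12", "invalid access level error"): "hsc-cam-03",
    ("upc-gate-2", "invalid access level error"): "upc-cam-17",
}

@dataclass
class Client:
    name: str
    ip: str
    view: set = field(default_factory=set)     # sites the client needs to know
    control: set = field(default_factory=set)  # sites the client may steer (PTZ)

CLIENTS = [
    Client("command-center", "10.1.0.10", {"hsc", "upc"}, {"hsc", "upc"}),
    Client("supervisor-pc", "10.1.0.42", {"upc"}),
    Client("field-laptop", "10.9.0.5", {"hsc", "upc"}, {"hsc"}),
]
BY_IP = {ip_address(c.ip): c for c in CLIENTS}

def authorize(src_ip, camera, action):
    """True only if src_ip is a registered client holding `action` on the camera's site."""
    try:
        client = BY_IP.get(ip_address(src_ip))
    except ValueError:          # malformed address: deny
        return False
    if client is None or action not in ("view", "control"):
        return False
    site = camera.split("-", 1)[0]
    return site in getattr(client, action)

def route_alarm(reader, transaction):
    """Map an alarm transaction to (camera, client) video routes; unknown alarms route nowhere."""
    camera = ALARM_CAMERA_MAP.get((reader, transaction))
    if camera is None:
        return []
    return [(camera, c.name) for c in CLIENTS if authorize(c.ip, camera, "view")]

if __name__ == "__main__":
    print(route_alarm("hsc-door-12", "invalid time zone error"))
    print(authorize("10.1.0.42", "upc-cam-17", "control"))
```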
Because the campus has special events, sometimes occurring at a moment's notice, the design criteria dictate the ability to place analog cameras anywhere on the network by using a pre-designated IP address. The interface is a small portable sheet metal enclosure that contains an encoder and a power supply. On the interface box is a BNC type connector for video from the analog camera, a DB/9-pin connector for transmitting pan, tilt and zoom commands with pre-sets to the rapidly deployed camera and an RJ-45 connector plug to accept the Category-5 cable to the network hub.
The resulting CCTV matrix switcher, interfaced alarm monitoring system, and forthcoming digital CCTV recording system allow existing conventional (analog) camera signals to be fed to the closest server location; they are then either switched to local monitors and recorders or directed to encoders that digitize and compress the signals to transmit live or recorded signals to remote, requested client locations in an IEEE 802.3 Ethernet environment.
For remote transmission, control and monitoring, the system uses modern, worldwide telecommunications standards that take advantage of existing network infrastructure. Additionally, data communications may be supervised and may take advantage of redundant data paths wherever possible.
These new systems are designed to operate in a 10BaseT environment using TCP/IP (Transmission Control Protocol/Internet Protocol), where the interface to the network is via network interface cards (NICs) for data and PCMCIA cards for the encoders and decoders. Systems running on IEEE 802.3 Ethernet standards are embraced by 70 percent of American businesses today, and virtually all enterprise-wide networks operate in this environment. These same systems are able to run in 100BaseT, 1000BaseT (Giganets), ATM and SONET environments as well.
Compared with other, earlier popular algorithms, the H.261 compression used at USC is substantially more efficient than the traditional industry workhorses, MPEG and MJPEG. Bandwidth efficiency translates into cost savings for end users in the ongoing costs of leased lines and storage media. The H.261 standard was initially developed for teleconferencing using packaged data. This technology will allow the system to be used for non-traditional considerations, which include, but are not limited to, the following:
* Incidents that trigger a partial or total site evacuation. The technology allows one to conduct a site assessment while off-site at a temporary command post. During off-site command post operation, it may be desirable to review real-time surveillance as well as archived surveillance to assess a situation rapidly and to preserve evidence. In a network architecture, these objectives may be accomplished from authorized off-site client workstations.
* Incidents or special events that require an immediate deployment of additional surveillance cameras, additional monitoring devices and/or storage. The rapidly deployed surveillance gear can simultaneously observe and record activity from new locations. Additionally, remote-control pan, tilt and zoom are possible. Such rapid deployment may be accomplished easily by connecting stand-alone servers with integral digital storage or even surveillance cameras to interfaces that connect them directly to local, wide or global area networks.
* System or component failure, when it is essential to be able to easily retrieve parts from a local storage of on-site spares. Modular design addresses this issue and offers a simplified list of spares affecting switching, transmission and storage drives. A handful of boards can now support an entire system architecture. Because the newest systems may use end-user PCs, a spare PC from down the hallway may be used to restore a system rapidly.
* An incident or special event that causes regular system operators to be unavailable for their watch. New operators can be trained quickly (in a matter of minutes) in the operation of the system. Human factors dictate that the design criteria include simplified man-machine interfaces including graphical user interfaces. Sites may back each other up when operators miss a watch.
* During adrenaline-filled incidents where security officers are handling an actual incident. Specific storage playback is possible alongside real-time situation assessment, with little or no required operator intervention.
The design criteria include automated alarm handling that includes real-time switching, tours, pre-sets, etc., of affected sectors, or potential escape paths. The video information can be routed to whoever needs to see it during a crisis. This network-centric approach allows the networks to make input and output data available for use on a moment's notice.
* Special events that require stored data forwarded to enforcement, military or intelligence community agencies for immediate assessment in preparation of assistance. This network-centric approach was first used during Operation Desert Storm, where various commands saw real-time video during assessment and response.
A networked system approach can provide a secure client workstation and storage capture medium at remote locations where such help requests are handled. Workstations communicate to either a centralized or distributed mass storage system via an existing or secured local, wide, or global area network. With the use of redundant routers, the second router having additional user profiles embedded in its secured setup, it is possible to allow such agencies access at the flip of a switch as part of a pre-planned crisis contingency plan.
The network-centric CCTV system at USC is being installed by RAMTEC Controls Corp. of Northridge, Calif., and is manufactured by Javelin Systems, a division of the Ademco Security Group. This system provides security designers and practitioners new freedom in design. It clearly provides the ability to take closed-circuit television somewhere it has never been before ... everywhere.