Inside the Stories
Pitfalls Lurk in Access Control Planning
Not all electronic access control systems are created equal, yet facility executives who don’t explore their options often fall prey to this myth, say experts in building security. Facility executives frequently fail to examine the big picture of their security requirements.
They assume that the access control system that has proven successful in one facility will be equally successful in another. This is particularly troublesome when the buildings are of different sizes and house different types of tenants.
“A lot of customers and even system designers have the mentality that they can put together a boilerplate system that can be used in a health care facility or a bank,” says Max Stevens, director, Special Systems Design Group. “That is not the case.”
Another common mistake in access control system selection is to rely on a security vendor who is not looking at the best system for the client, but merely selling the products they represent, says Mark Hankewycz, senior security manager for Gage Babcock and Associates’ Washington D.C. office. If a facility executive announces a project budget, there will be vendors who will design an access control system to fit that plan. The danger is that the system most likely won’t be tailored to the building’s specific needs. The resulting system could be excessive for the facility or it might not offer enough protection.
Accepting the lowest bid isn’t a wise idea either, he says. The lowest bid could translate to inferior products or an insufficient system.
Another mistake is installing a system that can’t accommodate growth. “The trap that people fall into is not procuring a system that is modular in features and scalable in terms of expansion,” says Terrence Gillick, vice president of technology systems for Syska Hennessy. “People find themselves locked into a system because the system can’t grow.”
Another more critical trap is assuming the building is secure once the system is installed.
“If a facility executive doesn’t take into consideration the human aspects as well as electronic elements, and then take a holistic look at the entire system, they’re likely to have a false sense of security,” Gillick says.
Doing the Homework
To avoid these costly mistakes, facility executives must do their homework, and that homework begins with a security audit. Depending upon the size and use of the building, the audit can be a basic assessment of how many doors the building has and how they are installed, to a thorough analysis that evaluates everything from external threats to perimeter and location.
“If facility executives fail to perform a proper audit, the system can be over-designed with too much equipment, under-designed with not enough equipment or just too expensive,” Stevens says. “Facility executives should analyze the building, point by point.”
A $30,000 audit might show that a planned $300,000 installation might be better served with a $100,000 system.
“If you don’t do a proper audit, you could end up with problems,” Stevens says. “You could end up with a system that won’t meet your needs and won’t do what you need it to do.”
“Another component of the security audit is to ensure that the system is not easily bypassed,” says Donald Skorka, senior vice president of Custom Design Communications Inc. Are all the doors properly watched? Is the loading dock properly secured? Do air ducts need some sort of security system?
“Many times facility executives aren’t even aware of all the threats,” Skorka says. “Part of the risk assessment includes training and making facility executives aware of what threats are.”
Skorka recommends that facility executives seek the help of law enforcement experts to help them identify soft targets and other risks.
A security audit also might compare the cost of security to the costs of business disruption. In other words, if a building is evacuated because a utility entrance is breached, how much did that disruption cost as compared to the cost of securing the entrance in the first place?
Once access control requirements are identified, facility executives must educate themselves on the products available so they can ask detailed questions.
- Is the access control system expandable? Is it built on open architecture or a propriety platform? Are products available from multiple vendors?
- How much will the system cost?
- Will the system accommodate different levels of access, such as staff access and visitor access? Will the system have any additional functionality, such as smart card applications? Is there a need to integrate other security subsystems, such as surveillance and intrusion detection systems, and how will that be done? Is the system capable of producing reports, such as audits of specific events?
- What kinds of locking mechanisms are proposed? How will these locks function if there is a power failure? How will the access system function in the event of an emergency? Will the access control system have a dedicated generator?
- Who will administer and maintain the system? Will those functions be outsourced?
An important area that’s easily overlooked is building codes. The facility executive should find out what codes the access system must follow and who has jurisdiction over those codes. The same goes for the question of how the system addresses Americans with Disabilities Act issues.
“Facility executives are extremely cost conscious,” Skorka says. “They know they have to provide a sense of security, so they install a card access system, but often they don’t pay attention to the codes because it invites additional cost. If they violate those codes, they’ll have to fix the problem. It’s better to have it done right the first time and reduce all risks later on.”
Electronic access control selection should include input from all departments that will have some involvement in the operation of the system. This could include human resources, network managers and, of course, security. Because the access control system should be compatible with the organization’s culture, aesthetics could become relevant.
Bells and Whistles
Technology is one area where facility executives often need a crash course. In the not-so-distant past, technology questions were less critical. There were few dramatic changes in security devices, perhaps explaining why facility executives still tend to adopt systems they are familiar with. Security system manufacturers focused less attention on research and development, Skorka says.
That has changed, and the rising threat of random terrorism has speeded the process. Facility executives are cognizant of new risks, and manufacturers are responding with accelerated product development programs. This acceleration is fostered by the advent of various Internet-based technologies and their logical application to access control systems.
At the network architectural level, system integrators are converging multiple low-voltage systems — such as security, communications and information technology — onto a single backbone, Gillick says. Installation is easier and more cost-effective, and the finished product is easier to manage and maintain. Technologies also can link the access system to additional security tools, such as Web-based closed-circuit television.
Such tight integration on a common backbone enables links to be made at higher levels. For example, access control software can be integrated with human resources software, establishing a single point for creating and disabling employee accounts. In university settings, additional technology layers such as smart cards or common access cards can extend system functionality to include the ability to charge cafeteria or store purchases.
In settings that require a higher level of security, biometric access control systems clearly are on the leading edge. Biometric systems include facial and voice recognition technologies and retinal, iris, fingerprint and hand scanners.
Additional security can be provided by multilevel means of authentication. That might mean a card access system combined with a keypad system so that an employee would have to present a card and then enter a PIN. A more high-tech version of that approach might see biometrics used in conjunction with smart cards. An occupant would present a smart card embedded with personal biometric information, then have a hand or eye scanned. If the two don’t match, the person wouldn’t be allowed to enter the facility, Stevens says.
Multilevel authentication can be configured so that access is more tightly controlled during specific times, Stevens says. For example, during the day, the system might require only one level of authentication, such as a hand print. Workers wouldn’t have to carry their access cards with them. But after hours and on weekends cards would be required as well.
The widespread implementation of biometrics has been held back by two main concerns: cost and privacy. Early biometric systems were too expensive for all but the most secure locations, such as high-level research labs or top secret Department of Defense facilities. The dot com boom changed that, Gillick says. During the 1990s, these systems were deployed on a regular basis, driving costs down and reliability up.
Privacy is a major concern with employees, Stevens says. In older systems, biometric information is housed on a database, which itself might not be secure; employees also are concerned about the information not being purged once they leave the organization. With the biometric information written on a smart card, the employee is in control of the information. Retinal scanners were once considered too invasive because they required immediate contact with the person. Newer systems can scan an eye from up to three feet away.
Still, people feel secure with tried-and-true systems. As a result, facility executives are trying to find ways to adapt older technologies to new scenarios.
“As long as it’s done right, it can be OK,” Skorka says. “But most of the time, it’s a bad thing because the new technology is faster, lighter, cheaper, easier to install and more feature-rich.”
A significant disadvantage of older technology is that it is at a higher risk of exploitation. “There are organizations that buy technologies and play with them, looking for ways to defeat them,” Skorka says.
A new system doesn’t necessarily mean brand-new technology. When examining access control options, facility executives must ask, where does the technology stand in terms of its life cycle? Where has this system been installed previously and what is the nature of those sites? Have all the bugs been worked out? Are the installers trained and certified so problems can be resolved quickly?
Those issues make selecting an access control system a delicate balancing act.
“Some facility executives only want to use well-established systems,” Hankewycz says. “They don’t want to use newer technology. On the other hand, there are some facility executives looking at future technologies to better manage facilities with improved access control and systems with more capabilities.”
Regardless of functionality, an electronic access control system is not a set-it-and-forget-it proposition. It always will require some level of administration, maintenance and monitoring.
No matter how advanced the electronic access control system is, the human element remains a vital component of an overall security system. Opinions vary on how much state-of-the-art access systems reduce the numbers of security guards, but all agree that these systems allow guards to work more effectively.
The Human Element
For example, with an effective electronic access control system in place, one guard can monitor multiple points from a single location, leaving others free for other activities. Web-based technology even allows guards to monitor multiple facilities in multiple locations across multiple time zones.
“What electronic systems do is make guards work more intelligently and more efficiently,” Stevens says. “Because they complement each other, building management can concentrate guards where they are needed most for those things that do require human power.”
One theory suggests that a properly designed access system is more reliable and cost-efficient than human guards, thus reducing the number of people required. Electronic access systems never take time off, and they are more accountable for their actions. For example, guards may wave people they know through, leaving no record of who is in the facility.
“There is no longer a need to have a guard at each entrance to check ID,” Stevens says. “If the person is authorized to go in, the guard doesn’t need to do anything.”
However, Hankewycz points out that many corporations can’t control all access points with card systems because of factors such as visitors and deliveries. In those cases, access must be controlled by guards.
What’s more, visible guards offer a greater sense of security, Skorka says. Even with an electronic access control system in place, a human presence can be an added protection to be sure the person coming in has credentials that belong to them. What’s more, guards can prevent people from working around an access control control system by propping doors open and letting others through.
Also, guards would be the first responders in the event of any security breach.
“An electronic control system can be a substitute for some guards, but not all,” says Skorka.
High Security, Israeli style
– By Barbara Horwitz-Bennett
Since the tragic events of Sept. 11, 2001, facility executives in the United States have been diligently working to come up with effective ways to better protect buildings against new threats of terrorism.
“We’ve lived in a country where there wasn’t a perceived terrorist threat,” says Mike Shea, a senior vice president with Ross & Baruzzinni, St. Louis. “There’s a lot to do and develop and we’re far behind where we need to be.”
To help catch up, some U.S. building professionals have begun to look overseas for help. “We’re learning lessons around the world from our neighbors who have had to deal with terrorism,” says Roger E. Frechette III, president, mid-Atlantic region, Vanderweil Engineers, Alexandria, Va.
One place to find that expertise is in Israel, a country that has experienced more than 40,000 recorded terrorist attacks since 1968. According to David Mead, vice president of security design services for A. Epstein and Sons International, Chicago, Israelis are considered to be world leaders in security.
With a greater focus on facility security in the United States, including such higher standards for buildings as the new Department of Defense requirement that laminated glass be installed in all its buildings, it may be worthwhile for U.S. facility executives to examine the strategies used in Israel.
Relatively standard for Israeli buildings are reinforced structural designs to protect against progressive collapse. One common technique is what’s known as alternative load transfer where the shock of an impact from a blast is distributed and absorbed throughout the building structure.
Consider Jerusalem’s new Foreign Ministry building. In the event of a blast, the facility’s flexible steel structure and heavy beams work to transfer horizontal forces around the building to prevent progressive collapse, says Randy Epstein, a partner with the Jerusalem architecture firm, Kolker Kolker Epstein. In addition, horizontal beams and stainless steel cables, which appear as attractive architectural elements in the building’s main lobby, have been designed to catch imploding glass.
According to Reuben Eytan, owner of Eytan Building Design, Tel Aviv, “Reinforced inner cores, elevator shafts and stairwells also work to keep buildings from collapsing.”
Other common security measures are blast-resistant windows and curtainwall. Eytan points out that there are several levels of protection provided by reinforced glass, the lowest level being windows with security film, which is often used in the United States, but not nearly as much in Israel.
“Our experience is that this (security film) doesn’t help too much,” he says. “The glass may not break into small pieces, but it will still break and blow in.”
Higher on the protection spectrum are using laminated glass, strengthening the frame and reinforcing the window’s connection to the wall to prevent it from blowing in.
More advanced levels of protection put energy-absorbing systems behind the window to catch imploding glass, as is the case with the Foreign Ministry building. This approach is commonly used in Israeli facilities, says Eytan, particularly for the ground and first floors of a facility.
Even higher levels of blast resistance are being developed, Eytan says. But at the present, the methods just mentioned are the most cost-effective ones available.
Another noted difference between security practices in the United States and Israel is the caliber of security guards employed to protect buildings and occupants.
“Most security jobs in Israel are staffed by highly educated, motivated young people, who are either university students or post-military young men and women,” says Moshe Safdie, AIA, owner, Moshe Safdie & Associates, with offices in Toronto, Boston and Jerusalem. “The salary level is relatively high for these positions, whereas in the U.S., most security jobs in airports and other checkpoints are held by low-wage personnel who come from a completely different segment of the work force.”
Liat Mordechai, formerly employed by a private firm as a security guard at an Israeli border checkpoint, concurs that the typical skill set of Israeli security guards is quite high. Having served in the military for at least three years, Israeli security guards are often in good shape, know self defense and have strong shooting skills. In addition, Mordechai points out, “we know how to recognize suspicious people and how to deal with explosives.”
Typically found guarding most banks, grocery stores, office buildings, malls and the more frequented restaurants, Israeli security guards are commonly accorded a higher level of respect than security guards in the United States. That’s particularly true for those employed by Israeli government buildings and airports, as their judgment is trusted and relied upon.