 Think Tech Hawaii, civil engagement lives here. Oh, and welcome to the Think Tech Hawaii studios. This is another episode of Security Matters Hawaii, and we've got Matt Barnett here with us today. Actually, he's remote today, but we've got him on the show. He's the president of Mercury Security, a access control system hardware manufacturer, and we're going to talk kind of about the state of the industry. Matt, I really appreciate you joining us today. I know you're a busy gal. He's on the road, so glad we got you somewhere to sit for 30 minutes and talk with us. Well, thank you for inviting me, Andrew. This is great. No worries. Hey, I'd like to start off and just take the security folks that I get in, kind of ask them, you know, from a security perspective, what keeps you up at night lately? Yeah, it's a fun question to ask. Luckily, I'm a heavy sleeper, but when we look at what's going on in the industry, obviously, the word lately is all about cybersecurity and rightfully so. So it's long overdue. And I know you've been a proponent of this conversation for a long time, as well as Bill Bozeman at PSA. And it certainly has been in the news recently in this industry and in general. So I never want to be the name that's in the press when it comes to having an issue with cybersecurity. So we're spending an inordinate amount of time and effort to make sure that our products and our customers that use our products are protected. Yeah, and we're definitely going to get into a little bit of SIA and OSDP and all the work you folks have done there. I know, yeah, this week, interestingly, after we had scheduled this, we saw, you know, there's a lot of talk about that research that was done at Google, which I think to some of us on the inside of the industry was kind of old news, but it sort of got rehyped. And, you know, this vulnerability challenge that we've got around encryption is something that, you know, if you dig deep enough into products, you can find problems. I know Mercury's done a whole lot to get us from sort of the legacy place that we were and to adopt these new OSDP standard. I wanted to talk briefly and kind of start back with that legacy stuff so you could get a chance to give us your history. You know, I came from the days of all serial communications. And I remember we had Landtronics modules that got us onto the network. And from there, we kind of went berserk. What, you know, from your perspective on the history of the industry, did it take too long? Kind of give us your, you know, where it went, how it went along and, you know, what you experienced along the way. Yeah, so I've got hard to believe 27 years in physical, security, electronic security, starting on the integrator side of the business. So understanding what you and the others in the industry and the integration side have to deal with and really for the last 18, 19 years being on the manufacturer side of the business. So really got to see it from both sides, which I think is helpful in my position to understand, you know, what the, what the channel to market has to deal with when they're installing and maintaining these products. But certainly, as you said, going back to the old hardwired copper days and then modems, and it's kind of crazy to think that in a lot of ways it's probably more secure than what a lot of systems have today being connected on an IP network. Because the good point, good point, you know, having, having the dedicated copper connecting these points was a closed system loop. And as the, as the industry progressed and using the available backbone in most companies using their IP network, it just made a lot of sense to tie these devices onto that network because it allows you so much more flexibility, but it also now opens up a lot of, you know, potential doors to external threats. And so I think we, as an industry, have been probably a little late to the market on how to not only provide products that are hardened against these potential threats, but there's a lot of education that has to go along with that as well to make sure that the products are being installed in the appropriate manner. And I think there's still a ton of work that needs to go. So, you know, manufacturers like Mercury and our parent company HID can have the most robust feature sets in the world when it comes to cybersecurity, encryption, OSDP and others, but they a lot of times have to be configured and enabled in the field. Right. And that's, that is a potential missing link right now that, that we really need to do a better job on. Yeah, I gave talk last week with the Armed Forces Communication Electronics Association and I shall we share people, processes and products as the, the vulnerability I was talking about sort of our industry as a, as a supply chain threat. And it's interesting when I shared with them some of just, just some, just in maps of some devices and some taking a look at some of the certificates on the devices and point out some of the flaws. It's funny that these, these guys are all kind of in charge of security networks, senior networks, military networks and they were surprised at the low level of, of a configuration that a lot of people in our industry do. And that's, you know, that's a training thing as you pointed out. It's, it's funny. I, I don't talk to many integrators and, you know, we, we have a large body of them through PSA that are seem really proactive. You know, what's your, what's your feeling about getting from sort of legacy into this modern idea of encrypting these networks, encrypting these communications? You know, you travel quite a bit of what are you seeing? There's definitely momentum building in the marketplace. I think as IT has gotten more involved in the security in different companies around the world, certainly they're looking at the devices that are on their networks and, and coming to the realization that they have problems that they're going to have to solve by upgrades. And in a lot of cases, you know, it's really not an upgrade. It's really a forklift replacement. So, you know, it's happening, but it's not happening at the speed that you might, you know, you might think the reality is in our sector, the business and access control, you know, these products are installed and customers expect them to be installed for 10, 15, 20 years and without a lot of, you know, not a lot of fiddling around with them, so to speak. So, you know, there's a bit of a legacy mindset that, you know, these things don't have to be touched once they've been put, you know, in a building and controlling the access or even video being installed, you know, even going back and doing firmware upgrades in a lot of cases just doesn't happen. So, there's a lot to be done there. There is, there is definitely some momentum when we're getting, you know, customers that are, that are talking to us directly about what they should be doing going forward, but it's, you know, budgets are what they are. And this is sometimes a hard one to get through. Yeah, I, I tend to talk about, I still believe that 90 percent, maybe more of the, of the access control systems that are out there are still running, you know, Wagon. They're using legacy hardware that cannot support the newer protocol. So it's got to be forked with it. I think, I think the 125k prox car may still be 90 percent in use out there. Does that, do you think in North America that's a reasonable statement? Really, I think, I would say currently that maybe one to two percent of the card readers installed in North America are OSDP. Wow. It's, it's, you know, gaining momentum. But, you know, that spec was released 10 years ago now, so it's not new. We've, Mercury has had OSDP on the panel for 10 years, but, you know, it's really been the last couple of years now that we start to see a momentum building, people saying, we only want to go now OSDP. So, you know, we'll be testing the waters. We released a panel recently that doesn't have a weekend, it only has OSDP reader connections on it, and we'll see if the market is really going to be accepting of that, because if that product doesn't sell well, then we'll know how serious is the market about having secure protocol down to the reader level. Does it, do you feel it, you said customers are coming to you, Derek, do you feel it's enterprise, are they, I know DoD's concerned obviously, right, so I'm, I'm getting, we're getting questions out of those guys and they have our, our taxpayer dollars, so it's not like an bottomless pit, but, you know, they, they tend to move in these directions, they have more regulatory guidance, but I'm, I'm getting questions in healthcare, I'm getting questions from my financial sector and in critical infrastructure, but are you seeing commercial enterprise, are they concerned, are they coming to you guys, are they looking for solutions? The verticals you mentioned are really the ones that are kind of the bulls-eye here that are, that are progressive about this, certainly some of the, you know, Fortune 100, you know, they're, they're also the ones that are kind of, kind of push this along and, you know, they see the vulnerability and they know, based on some of the other news stories that have been out there, they don't want to be the ones that, that have a problem because they had systems on their network that weren't, that weren't encrypted, so they tend to be the ones out in the forefront, where, you know, you're not, I don't think we're going to see, you know, 80% of the market is, is 16 card readers or less, those are not going to be the companies that are going to be looking for perhaps the most cyber secure systems available. They just want to have something, if anything, installed, but the, the enterprise accounts are the ones that are going to push this as well as the critical infrastructure and government, as you said. Yeah, I have, I talk a lot about the, the supply chains out here, obviously in the DOD's kind of, I think at the forefront of asking for more robust protection from its supply chain, not only for the data that maybe government data they're handling, but that extends to the, the physical perimeter of those facilities, you know, as we need cybersecurity, we need physical security kind of combined. Do you think it's going to take that or do you think, I mean, do you think the industry will heal itself, even for those small guys, or do you think it's going to take sort of a more of a regulatory push to get this commercial sector active in upgrading or replacing these, these products? Well, again, I think some of the bigger commercial sector is going to move, you know, we end up building products for those companies, and then it, you know, the feature sets go downstream from there. So it's, it's not like we're going to have one product for the low end of the market that doesn't have those. I would say if you're releasing a product today that's not cyber secure, then you may not be in business in four or five years. Go back to the drawing board. Yeah, so, you know, we're building it into the product and if it's used in an enterprise or if it's used in a small office with two card readers, they have the feature sets on board to make it work. Now, whether again, they're turned on or not is going to be, you know, based on the end user and the integrator installing it. Yeah. So I know there's a big, we have a specifier show coming out Ray Cologne show pretty soon. Do you think we need to, or do you think manufacturers will push some of this education out? I mean, I remember talking with Axis how they've had 8021X embedded in the product forever and they said no one uses it. So I'm kind of wondering if, you know, if you're providing it in the integrator community is not configuring it because the customer doesn't know how to ask for it. How much of an issue do you think that is? I mean, you know, it's a it's problematic to my to my way of thinking. Yeah, it is a big issue and we had a roundtable at our last consultant event and it was only supposed to be 30 minutes and we went well over an hour just talking about this one topic. We never got off this question. The, you know, we build these features in and I think the consultants have done a good job, but there's more work to be done and making sure that any system that's going to be bid on a project that they're writing a spec for needs to have these features in them or they shouldn't be allowed to participate. And that's the only way to get really the manufacturers to make sure that they're building products with these protocols and these encryption technologies built in. And then again, the consultant and the end user are going to have to hold the integrators responsible to make sure that they're being enabled and turned on. So, you know, there's been an issue that we found we had encryption between panel and panel and it was an option. You had to turn it on in the in the feature set. And we found that I'm doing some survey work of end users that nine times out of 10, it wasn't enabled. So our latest generation, we just turned it on by default. And then for some reason, they want to turn it off. They have to go in and manually do it. So I think manufacturers, we need to build products that are, you know, maybe easier to configure and install and turn these things on. And you really have to go out of your way to turn them off. So almost, you know, making it harder to defeat, if you will. Yeah, secure by default. I love it. I think I think in a lot of cases, we need that sort of help. Tell you what, we got to take a we got to pay some bills. So we'll take about a one minute break for commercial time. And then we'll be right back with Matt Barnett from Mercury Security. Aloha. My name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea is on Think Tech Hawaii every other Monday at 11am. Please join me where my guests talk about law topics and ideas and music and Hawaiiania all across the sea from Hawaii and back again. Aloha. Aloha. I'm Wendy Lowe and I'm coming to you every other Tuesday at two o'clock live from Think Tech Hawaii. And on our show, we talk about taking your health back. And what does that mean? It means mind, body and soul. Anything you can do that makes your body healthier and happier is what we're going to be talking about, whether it's spiritual health, mental health, fashion health, beautiful smile health, whatever it means. Let's take healthy back. Aloha. Hey, welcome back to Security Matters. I'm Andrew, the security guy. We're here with Matt Barnett from Mercury Security Products today. And we're kind of taking a drive through the industry. So we talked about some of the legacy problems that we have. We talked about some of the adoption issues that we're seeing out there. And you know, we know how to do it right. Wide spread is not happening. Sometimes it's budget considerations. Sometimes it's lack of knowledge. I love your idea of secure by default. I talked to some folks about some camera folks about the last thing the camera ought to do is give me video. I should have to secure it. I can't get video out of it until it has a checkbox for all those security settings that you know, people turn, plug it in, they get video and they walk away, right? That's a problem, I think. So good on Mercury for doing that. You, Mercury supplies hardware for a lot of different software providers, right? So we have got, so you're the big legacy gas from United Technologies down to we've got a lot of new players in the market that are doing cloud. How's the, you know, it reminds me of the old phone line days we talked about earlier, but what do you think about cloud adoption with access control? I think it's a natural progression in this industry. I made the comment at an event last year that five years from now we'll look back and say, you know, why do we do it any different than having these systems all cloud based? It just makes, it makes too much sense from a service supportability aspect, you know, one of the biggest obstacles that most large end users have is the upgrade process for their system is massive. And you have to typically have the entire system upgraded worldwide all at one time because the systems can't have, you know, disparate versions running. So, you know, for an enterprise customer with locations around the world at running software, that's a big expense and it's a logistical nightmare. So, you know, having a cloud based solution for access control video, I think it's a natural progression. It'll take a while again, these systems take a long time to migrate, but luckily on the mercury side, you know, our system doesn't care. You plug it into a network and it'll talk to a local server, it'll talk to a server in the cloud, it, you know, it can be configured either way. And we've, you know, put the technologies into allow for that TLS level encryption, you know, 1.2 TLS version. So it's as secure or more secure than doing a credit card transaction on the Internet. But there's a, you know, there's a ways to go. So the obstacles that we keep hearing about, again, the user base tends to be a little skeptical, especially in the security and users when IT is involved, usually less skeptical and more accepting of moving directly to the cloud. So a lot of manufacturers are, in the traditional sense, are trying to catch up with cloud-enabled software. There are new entrants into the market that are just cloud by default. And I think they're having success in that area where really nobody else is filling the void today. Yeah, we've had great success with some of those providers. And I, for me, it's, I think it's important that, you know, especially, you know, from your perspective that mercury can fill all of those niches, right? So you've got the, you got the big as you want to, you know, the server huggers, they're always wanting to own their things. But the cloud gives us a lot of agility with product upgrades and things that you mentioned that we just haven't had in the past. I think that's going to lower costs substantially. I wanted to, I wanted to, I don't know how much we can sort of talk about this, but, you know, you've got competitors out there who make their own product as, you know, it's kind of a silo, right? They make their hardware and their software. And some of which have also, I think have a bit of a controller, but they're starting to use your hardware as well. Or they can use their hardware or your hardware. Do you get a sense of how those guys think they're going to compete? I mean, to me, mercury's kind of really expanded into a lot of different software manufacturers are using mercury. So I don't know how, if I'm making my own hardware against a mercury based hardware, you know, offering, I don't understand how it can be competitive long term. I think the market is shifting and, you know, the end users have become much more educated. You know, the internet has allowed them to do research. And now they're asking a lot more in more in depth questions of what systems they're going to use going forward. You know, so those proprietary manufacturers, I don't think they're going to go away anytime soon. But it's getting harder and harder. The investment they have to make to keep these technologies up to date is only going to accelerate with the cyber security aspects and other things. So as new standards are being released by the governments around the world, not just the U. S. government, but, you know, other governments around the world are coming on board with higher assurance identification. They want to make sure that the systems aren't hackable from the car to the reader, the reader to the panel, and then on to the network or to the cloud. That's going to require a lot of investment or they're just not going to play in those in those areas. And so I think it gets very expensive. And we see the investment that we're doing here at Mercury and H. I. D. I think it becomes very difficult for smaller players in this market to compete if they're trying to build everything from scratch when they can certainly use a product like Mercury or like the H. I. D. Vertex products that they've got really great technology right out of the box. And the secret sauce is really in their user interface, whether they want to be a on-premise solution or they want to be a cloud solution. You know, the feature sets what they end users, you know, that's what they see and that's what they use. And I think that's really where the focus should should be when it comes to, you know, those those manufacturers. Yeah. Well, we talk about other other manufacturers and integration access control platforms tend to really be the basis of many of the, you know, the video gets integrated, the audio gets integrated, the intrusion gets integrated and the operate sort of from the access control platform as the monitoring tool and the integration platform. Are you folks asked to do that from your from a hardware perspective or do you tend to leave that to the other software manufacturers or do a play there? I think as best as we get into cloud, it could become, you know, some of each. I don't I was kind of wondering the status of that. Yeah. So it's a valid question. Our panel says have moved now to the Linux operating system and we've introduced our first panel with Linux about five years ago. And we had so much success with that that we decided to update the entire intelligent controller line and they all run Linux now. So those were all released back in July. And when you're running on that type of an operating system, it allows for a lot more third party development capability. And so we've embedded, you know, we call them drivers, but they're basically apps that run on the panel that we talk to, you know, as the abloy wireless locks and a legion wireless locks and others in the in that category. We have integrations to elevator destination dispatch that are being deployed in most, you know, multi tenant high rise facilities around the world. And so those are basically apps that are similar to what you would run on your iPhone or your Google device, your your handset. So they having these different apps. And so what else can we tie in? We've tied in life safety power and their intelligent power supply. We're working with electronics. So they were providing the data. So maybe Mercury is not directly in that, you know, in that market segment per se, but we are a conduit and becomes really an appliance on the network. What else do you want to do with it from a security standpoint? And quite frankly, in the future, it may be other systems in the building, IOT, other building control systems. So we have the ability to tie in to those and we'll continue to work with manufacturers that specialize in that side of the sides of the market. So once you've got that built in and you can perform the integration, it's really just a matter of them being able to display that in their software or in their UI in the way that the customer needs to consume it. Yeah. So we're, you know, we're a collection point of data and we can send, we can store the data locally or we can send it to a, you know, a database in the cloud or on an on-premise server. And, you know, then it can be displayed in a dashboard or you can do business analytics on it. So a lot of work that HID and I know some of our other partners are doing is collecting that data and then be able to, you know, action off that data. So if this facility, for instances, typically have a hundred people on a Monday morning, you know, that show up between seven and eight and for some reason there's, you know, only 10 people show up. Somebody might want to know about that. And so having the collection of that data and then being able to action on that I think is is certainly very valuable. So we're, we're going to see more, you know, they call it AI now, but it's based on business intelligence. Going to be run against the data and having that data in the cloud just allows you to do, you know, much more with it a lot easier to work with quite frankly than having disparate databases of information around, around the network. Yeah, you know, we had Andreas from Arkulis, Andreas Paterson recently and, you know, their take on security. Yeah, it's they have a video product, but everything they're doing is based on Google, you know, machine learning and business intelligence, business analytics. It sounds like you guys are tapping right into that as well. And but your idea is not to be to offer the capability and then the, the, it'll be on the software manufacturer I guess to mine that out. Is it a service that you'll provide to them you think or how do you think it'll be consumed by the software providers that are using your hardware? Yeah, I don't think that'll be something that Mercury directly is involved in, but certainly HID is working on that. So our parent company is is providing those as cloud services. So companies that can subscribe to that data that's being collected. And so it's part of a you know, a future connected architecture scenario. Some of the larger players, you know, they'll build that capability themselves or they could also partner with HID and subscribe to that type of data. But we just want to be the conduit to, you know, collect that data locally since we, you know, almost always going to be on on premise. We're a collection point for not only access, control, the alarm and other data. Again, tying in other devices. So, you know, the ability to not only monitor but also from a serviceability standpoint, you know, what version is this panel running? What version is the card reader running? Can you update the firmware in the reader remotely from the cloud? And so from an enterprise perspective, you know, being able to manage your your entire portfolio from a from a dashboard. I think it's a missing link today and certainly we're enabling that type of functionality with our parent company HID as well as some of the others that you mentioned, Arkely's it's something that that they're certainly very interested in doing as well. Yeah, and I know we, we did see you guys been really helpful and would see a developing OSDP along the way. And an interrupt this year actually pushed information out to a card reader so that, you know, the bi-directional capability of OSDP is amazing. We didn't really get to talk about that too much today. But how's that partnership with C? Are they fun to work with over there? It seems like a great group. You guys have gotten a lot done. Yeah, I think they're they're focused on the manufacturer side. It's certainly been great for companies like Mercury and others. So this was, I think their first and it's maybe still there. They're only back that's been written. You know, Mercury and HID at the time were instrumental in getting the OSDP spec written. And it's a continuous effort, right? So, you know, the new version is out that they had some addition that they call secure channel that encryption. So again, you mentioned bi-directional. But, you know, to me that that is important. The other technology that as you said, we didn't talk about, you know, being able to upgrade the reader firmware via the Mercury panel that may be connected to a cloud service. It may be an on-premise server. But having the ability to manage the readers, you may in a transition going from, you know, prox to smart card, you know, you might want to turn off prox at some point. If you're moving to mobile credentials, you might want to turn off functionality in the reader. Today, that's more of a manual process with most systems. But in the future, that really should all be a checkbox in a cloud portal, right? So we're enabling that using the OSDP standard. But there are some other really cool things that we're working with manufacturers, HID and others to enable through the, you know, edge devices, whether it's a biometric reader, you know, facial recognition, iris scan. You know, we're tied into all of those and we're trying to really bring, you know, new technologies to market that make end users' lives easier. Amazing stuff. Mercury's really taken the lead in the access control industry out there. Matt, I really appreciate your time today. We've run out of time. I'll have to get you back in here in six months and see where we're at with the industry. Really appreciate it. Aloha. Glad to come out and visit. Thank you.