INTERVIEW: Abloy and “the next generation of keyless access control”

We recently sat down with Pip Courcoux, who heads up the Digital Transformation team at Abloy UK, to find out more about the company’s latest Bluetooth padlock launch, as well as his thoughts on the uptake of mobile technology in the sector and why it marks an important next step for the protection of critical national infrastructure sites.

IFSEC Global: Hi Pip, could you tell us a little more about your background in the sector?

Pip Courcoux: I’ve always been very technology orientated. I initially worked freelance for a web development company, but then went into access control after leaving college. Not longer after, I joined Abloy when we were based in Watford – one of my previous colleagues had mentioned they were the ‘Rolls Royce of locking’, and I still believe that’s a great description.

Starting off in electronic repairs, in 2011 I moved into product management working on CLIQ, our cloud-based software as a service (SaaS), electronic key system. I was then responsible for launching CLIQ into the UK market, where we sell into a variety of different sectors, from high-end residential through to infrastructure and healthcare.

I now head up a ‘digital transformation’ team, as we see it. Within that team, we focus on product management for some of the latest solutions, and provide a full helpdesk and support offering to our customers, as well. A hospital could, at any moment, need an explanation of how to programme a key or remove data from their system, so it’s imperative we offer that support.

So, how do you feel Abloy has changed since you started?

Over the past 10-20 years or so, we’ve changed from simply providing components for ‘fit and forget’ products. We actually sell electronic solutions driven by software, and we have a much more communicative ‘subscription-based’ relationship with our customers, because we’re constantly running software updates and explaining the new features.

It’s really changed us from being a component manufacturer to a solution provider.

I think we’ve gone on quite a similar ‘digitalisation’ journey to a lot of companies, and fortunately for us within the the security sector, we’re at the top end of the pyramid. We sell quite niche solutions and focus a lot of attention on compliance and specification. But then, because of all of that, our customers have quite high demands and a lot of requirements as well.

So, in terms of moving with the digital transformation of security, how has the issue of cyber security impacted you? What cyber secure measures do you implement in your solutions?  

We have, yes. It’s always been a cornerstone of our sales process, into infrastructure, that we work very closely with influencers on the market, such as CPNI, and the BRE and the Loss Prevention Council, so that we are meeting specific UK standards. Cyber is now part of that.

When we launched CLIQ in 2011, I ensured we invested in our own, secure server and we spent an awful lot of time developing our solution to be as secure as possible in that software as a service environment. For example, we have multi-factor authentication and rely on key public infrastructure certificates, much like the banking sector does. We also provide 24/7 application support, monitoring and patching to ensure the security is always up to date.

READ: Using the latest tech to secure CNI sites

The ‘cyber issue’ has generally created a lot more checking, with customers asking more questions than we’d previously seen. And that’s good, I think it’s important people take it seriously. But, I can quite comfortably say, we’ve not had a single specification from a customer that we haven’t been able to meet with our existing cyber security procedures we’ve got in place.

Do you think the current standards are suitable for electronic, physical security products?

It’s important that products maintain a good balance between physical security and the electronic security. The reality is that there aren’t actually many standards that exist around electronic solutions. While there are all sorts of standards for mechanical padlocks, for example, because they’ve been around a long time, we’re only beginning to see standards introduced for electronic padlocks.

EN16864 was released in 2018, and we’re only just seeing testing bodies able to carry out that test. It takes time for standards to catch up with technology, which can hold digital transformation back at times, but I suppose that’s also a good thing, as customers need to be assured that these products stand up to rigorous tests. They’re buying them for security, after all, so they need to be secure!

Sure, and particularly with the types of CNI projects Abloy’s products are involved in, it is crucial to ensure they’re as secure as possible – in all aspects.

So, moving on to the launch of Abloy BEAT. What’s the new padlock all about?  

In terms of our ‘journey with keys’, Abloy BEAT represents the next generation. Incorporating the same levels of physical security as our grade 4 mechanical Protec 2 padlock, and the same electronic security as CLIQ, BEAT differs because it doesn’t require a physical key at all. It also features Bluetooth low energy technology, and a SEOS credential that allows you to open the padlock just through an app on your smartphone.

For infrastructure customers, it solves the challenges of key management, such as duplication of keys and missing keys, which may result in the changing of all the mechanical locks. CLIQ solved some of these issues, but with BEAT, we’re able to offer a solution that doesn’t need a key at all.

BEAT allows the decentralised management of sites. Contractors, third-parties, or even employers of these infrastructure customers can be faced with a lock that they need to get access to. They can contact whoever it might be, either in advance, or whilst they’re physically there at the lock, and receive a credential through to their mobile phone, via our ABLOY OS platform.

As we start going to market, we’ll probably find that there are lots of additional unique niche scenarios where this solution would work better, too.

So, I take it the person needing access would also need the app on their phone?

Yes. Our control software, the Abloy OS system, may be in the alarm receiving centre of the utility for example, which is then linked to a backend system for BEAT, which generates the encrypted credentials.

Via this web management platform OS, you can enrol new users into it. They should then receive a text message to download the app – which is free from all the usual application stores – with a verification code to authenticate who they are, and authenticate their app with the system. Their credentials will then be sent down to the app through the OS system.

So it’s quite a simple, seamless setup for the actual end user that’s going to use the key. And, once you’re enrolled in the system and you’ve got the app, it’s even easier next time.

It also enables an extra element of control – disabling of credentials can be done very quickly – meaning the end user ends up with complete control over their system.

It is of course reliant on the phone, but I believe that the use of the phone as a component of network infrastructure rather than just a tool will be the next important step that we take in for improved infrastructure security.

As you see it, BEAT represents the ‘next stage’ in keyless access control solutions. What kind of support can you offer to customers taking this step?

The support on offer is probably quite unique to Abloy. Our Abloy OS system has developed with our journey, and our customers with that, too. You can use the software to control everything from our mechanical key system, to CLIQ, through to BEAT– many of our customers have therefore moved with us on this ‘digital journey’.

This will mean users may end up with a combination of multiple technologies. You can have this wonderful digital key system in BEAT, on the main entrances of your sites for an extra layer of control, but you perhaps you don’t need an electronic digital key system on your store cupboard, so you use a different solution. All controlled via Abloy’s OS.

The investment that customers have made with us so far, particularly infrastructure customers, will only continue and enable them to future proof their businesses. The speed of technology change has forced everyone to react – customers no longer expect to buy a padlock that will last 20 years to fit and forget. Customers want data, control and continual security updates to products, which is what we can offer – many will only be adding to their security systems with Beat. And, we’ve got exciting additions to come for the range, too.

Have you had much feedback from the market so far?

We’ve had a huge amount of interest, even with the situation at the moment where events are being rescheduled. Having done several presentations on BEAT to customers already and I’ve received really positive feedback.

‘Efficiency’ has been the buzzword. BEAT presents a solution so that contractors don’t have to drive potentially hundreds of miles to collect a key, then drive back to the site, then drive back again to drop the key off. Or, as is often the case, users won’t need to wait for the key holder to come to the site, which just results in wasted time and resources. And these efficiencies start to extend into the environmental benefits, too – think of the fuel and emission savings!

The next step will be in encouraging customers to see a phone as an extension of their network infrastructure, rather than just a phone. Many CNI sites are located where network coverage is poor, and even with the advent of 5G, your phone is then the next best way of getting a network connection onto these sites. If the IT department treat that phone as if it’s a network router, as if it’s part of their core network infrastructure, then we will really start to see the uptake of this type of technology. Because people will say: ‘OK, I will secure that phone as part of my infrastructure, and I therefore trust it’.

You can connect to anything, anywhere in the world, because of the 4G networks that exist now, and the 5G networks that are going to exist over the next few years. And so, once there’s trust placed in that mobile network, everyone will benefit.

On that note, what are your thoughts on the security of networks and 5G?

Ultimately, you shouldn’t just rely on communication protocols to provide security. With our CLIQ system, for example, we have our own public key infrastructure security. We use AES encryption to make sure that everything is encrypted when it’s in transit, and when it’s at rest.

We have Bluetooth low energy technology as a protocol that we’re using as a communication protocol between our phone and our BEAT padlock. But, we don’t rely on the Bluetooth to provide the security, we use an encrypted Assa Abloy SEOS proprietary credential to provide that security.

So I think the reality is, the 5G, the 4G, the internet, that’s the platform. That’s what allows you to have the communication. If you rely on that for the security then it’s probably not going to be very secure. So, we need to respect that and encrypt data as standard.

We take responsibility for Abloy OS, for instance – both for our own security and our customers’. We don’t want to rely on an unsecured network, so we have our own encryptions and security methodology to mitigate potential risks.

And, 5G is going to be phenomenal in terms of what it enables us to do. It’s also an absolute necessity, for us to move forward, for infrastructure to move forward in the way it wants to move forward.

I suppose that’s why the help desk and support team you head up exists?

Exactly. There are elements of what we do that, in certain markets, the customer will never be able to do. We probably provide more support to healthcare for example, because it’s an incredibly busy and frantic environment, and they don’t have teams of people to manage security systems. My team is there to answer the phone, answer an email, for people that just need to turn a key on.

This relates to the ‘subscription economy’, which we’re moving into, but not everyone in security is there yet. Providing daily, weekly, monthly communication to our customers is vital – you don’t just buy the product, there’s constant support with updates, integration, and security patches.

Everything is starting to come together more. Customers are integrating access control, HR databases, surveillance, health and safety etc. That doesn’t happen overnight, it’s a two- or three-year process of building.

And is BEAT available globally?

Absolutely, BEAT is ideal for the emerging markets, for example. Maybe they don’t have a significant 3G network. Maybe they never rolled that out. So that’s why, quite often, they’re ahead of the UK in terms of 4G and 5G and things like that, making it easier to adopt new technologies such as BEAT.

A lot of the emerging markets have embraced the full potential of the smartphone, and embraced technology faster than we may have here in the UK. And naturally, as a mature market, we’re a little more cautious – particularly when it comes to protecting CNI.

Pip, thanks for your time. Fascinating stuff, and good luck with the launch of BEAT!

Read more about Abloy BEAT

Abloy has unveiled a new whitepaper on how the critical infrastructure sector can unlock the potential of smartphones in the workplace to improve employee mobility, job satisfaction and productivity. Read ‘Smartphones: The future of access control?

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report