At the recent CONSULT conference in Nashville, I had the opportunity to sit in on a lively discussion on the use of the Security Industry Association (SIA)’s Open Supervised Device Protocol (OSDP) standard for access control. In attendance were representatives from some of the industry’s largest manufacturers of access control hardware, including HID, LenelS2 and Farpointe Data.
The underlying message of the session – which was moderated by cybersecurity consultant Rodney Thayer and included Scott Lindley of Farpointe, Dean Forchas of HID, David Weinbach of LenelS2 and Steve DeArruda of consultant Business Protection Specialists – was simply this: if you are not aware of and actively specifying OSDP, you are potentially doing your clients a disservice. While I was an early adopter of the technology in my own designs, it was still eye-opening to listen to those responsible for the evolution of OSDP discuss its many benefits – some of which, I was admittedly unaware of.
The End of Wiegand
Simply put, OSDP is an access control communications standard that finally – and mercifully – replaces Weigand. With all due respect to John Weigand, the standard that carries his namesake was long overdue for some improvements.
First, Weigand is an unsupervised, one-way communication protocol. Without bi-directional communications, there is no way to interact with a card reader from a head-end workstation – meaning that routine tasks like firmware updates and configuration changes need to be done at the reader. By today’s standards, Wiegand protocol is also incredibly insecure.
Hackers have shown the ability to exploit Weigand devices and extract data; in fact, at a recurring educational session at ISC West, attendees can see for themselves how easy it is to do (check out “Hacked in 60 Seconds” – an educational session at ISC West presented by Tony Diodato, CTO of Cypress Integration Solutions and Babak Javadi of the CORE Group at www.iscwest.com/Education).
Benefits of OSDP
Developed by a consortium of industry experts formed by SIA, OSDP has been developed from the ground up to be interoperable, highly secure and bi-directional. Communications between the card reader and the panel support up to AES-128 encryption and can be monitored to ensure wiring or field devices have not been tampered with. Readers can be remotely programmed from an OSDP-compliant head-end, reducing costly trips to the field.
The technology is supportive of biometrics and smart card applications. OSDP also uses the equivalent of RS-485 wiring, which is widely available and comes with the added benefit of greater cabling distances. Readers can be daisy-chained, which may prove useful when multiple readers are located at the same opening. If non-RS-485 legacy wiring is in place, it is likely that the OSDP protocol will still work as long as four conductors are available – although potentially at a reduced maximum cable distance.
An increasing number of access control panel manufacturers are supporting OSDP technology. Perhaps most notably, Mercury Security was an early adopter and has since implemented OSDP capabilities in the newest version of panels, commonly referred to as the “Red Boards.” Other proprietary panel manufacturers, including Software House (Johnson Controls Security Products) and AMAG have also incorporated the technology.
Before considering an OSDP implementation, consult with your own service provider or panel manufacturer to confirm compatibility.
Tips for Specifying OSDP
Are all installation conditions appropriate for OSDP? Not so fast, says HID’s Forchas: “Just because the panels, readers, and wiring are in place, OSDP will not work without the head-end software to initiate and configure the OSDP readers to function – it is a commonly overlooked detail,” he says. “Looking at the OSDP specification, there are many desirable features, but if the hardware and software only support some of those features, the others are difficult if not impossible to use. In the case where all is in place for OSDP, then absolutely push it – it is a superior protocol that provides a wide variety of benefits over Wiegand.”
It is also important when specifying an OSDP-based system that the integrator is up to speed on the technology. “Like any other new technology the first time someone is exposed to OSDP they immediately notice something is different,” Forchas says. “The wire count drops from eight or more conductors for Wiegand to only four conductors for OSDP. I have heard about technicians asking ‘where the LED and Beeper wires’ are – as a good business practice, we recommend any integrator to start by wiring up a reader or two on the bench and get familiar with how OSDP works with their particular OEM solution. Although using an OSPD reader is different, it isn’t complicated – and having done it once will make subsequent deployments become routine.”
Building Awareness
As one would expect, awareness of and support for OSDP has grown among security consultants and integrators, but there is still a ways to go. “Awareness is becoming widespread, but in many cases, that awareness is at a rudimentary level,” Forchas explains. “Most security professionals have heard of OSDP and know it promises several advantages over Wiegand, but not all are up to speed on all that OSDP can offer. Adoption of OSDP has been in place for some time with several access control OEMs, but like the level of awareness, there are differences in the level of adoption too. Some have very limited support for OSDP while others are more complete.”
If building awareness of OSDP is a key to helping the security community adopt the technology, then I hope I have done my part. Further resources are available through SIA at www.securityindustry.org, and training is available for integrators through the HID Academy website at www.hidglobal.com/training.
Brian Coulombe is Principal and Director of Operations at DVS, a division of Ross & Baruzzini. Brian can be reached at [email protected], through Linked in at www.linkedin.com/in/brian-coulombe, or on Twitter @DVS_RB.
