This article originally appeared in the October 2020 issue of Security Business magazine.
With the publication of SIA’s Open Supervised Device Protocol (OSDP) in July as IEC Standard 60839-11-5:2020 ED1, to be issued by SIA as OSDPv2.2, a wonderful idea more than 10 years into its development has reached an important milestone.
“The fact that OSDP is a standard is a really big deal,” says Rodney Thayer of Smithee Solutions. “It guarantees uniformity and interoperability.”
Adds Sal D’Agostino of IDmachines: “Standardization means having regular, robust meetings, an open process, and an effort driven by consensus.”
Both Thayer and D’Agostino are contributing members of SIA’s OSDP Working Group.
The Nuts and Bolts of OSDP
For those unfamiliar, here is a recap of the significant benefits of OSDP:
Interoperability: The advent of networking and IT technology was significant, as it helped drive the security industry from siloed, proprietary technologies to open standards, protocols (e.g. 802.3 and ONVIF), and a bevy of interoperable products and systems.
Proprietary communications methods, such as up-the-coax camera control and keyboard communication, are increasingly fading. “Even though RS-485 was a dominant means for most access control systems to communicate, message structures were largely proprietary, leading to system incompatibilities,” says Mehdi Daryadel, CTO of QuantumTek LLC.
With the OSDP message structure, RS-485 communications can now be formatted in a secure, open and non-proprietary way.
Security: OSDP was created to improve reader-to-controller communications. Why? Because traditional Wiegand transmits its messages in the clear, in addition to being unidirectional, unsupervised and limited in distance. In today’s world, sending security communications unencrypted is asking for trouble. OSDP uses 128-bit AES encryption.
Device Management and Supervision: Wouldn’t it be nice to communicate with a reader to determine its status, rotate the encryption keys or provide a firmware upgrade? OSDP is bidirectional and provides the means to do so.
Flexibility: RS-485 provides added benefits of multi-drop configurations, higher data rates and increased transmission distance, up to 4000 feet.
Product Compliance: SIA’s OSDP Verified program tests for adherence to the standard. Currently, three manufacturers – Cypress Integration, Farpointe Data and WaveLynx – have products that have passed through this process. According to SIA’s Joe Gittens, who manages SIA’s standards efforts, several more companies are in the pipeline.
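The Security item above says OSDP uses 128-bit AES encryption; in the specification that protection (the Secure Channel) is signalled frame by frame, so a practical deployment check is to confirm that captured reader traffic actually carries it. The Python below is an added example, not code from the article or from any OSDP project; the frame layout, control bits, security block types and CRC parameters are assumptions taken from the OSDP specification, and the sample frames are constructed.

```python
# Added example, not from the article or any OSDP project. Frame layout, control
# bits, SCS types and CRC parameters are assumptions taken from the OSDP spec.
import struct

SOM, CTRL_CRC, CTRL_SCB = 0x53, 0x04, 0x08
SCS_KIND = {**dict.fromkeys((0x11, 0x12, 0x13, 0x14), "handshake"), 0x15: "mac-only",
            0x16: "mac-only", 0x17: "encrypted", 0x18: "encrypted"}

def crc16(data: bytes, crc: int = 0x1D0F) -> int:
    """CRC-16 with polynomial 0x1021 and seed 0x1D0F, MSB first."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def classify(frame: bytes) -> str:
    """Return malformed, plaintext, handshake, mac-only or encrypted."""
    length = struct.unpack_from("<H", frame, 2)[0] if len(frame) >= 7 else 0
    if frame[:1] != bytes([SOM]) or length != len(frame):
        return "malformed"
    ctrl = frame[4]
    if ctrl & CTRL_CRC:
        intact = struct.unpack("<H", frame[-2:])[0] == crc16(frame[:-2])
    else:
        intact = (sum(frame) & 0xFF) == 0  # checksum is two's complement of the sum
    if not intact:
        return "malformed"
    if not ctrl & CTRL_SCB:
        return "plaintext"
    # Security control block: length byte at offset 5, SCS type at offset 6.
    return SCS_KIND.get(frame[6], "malformed") if len(frame) >= 9 else "malformed"

def build(addr: int, ctrl: int, body: bytes) -> bytes:
    """Construct a sample frame with a CRC-16 trailer (test data only)."""
    head = bytes([SOM, addr]) + struct.pack("<H", 7 + len(body)) + bytes([ctrl | CTRL_CRC])
    return head + body + struct.pack("<H", crc16(head + body))

# Constructed samples: plaintext poll, plaintext card-data reply, MAC-only poll, encrypted reply.
SAMPLES = [build(0x00, 0x01, b"\x60"),
           build(0x80, 0x01, b"\x50\x00\x00\x1a\x00" + bytes(4)),
           build(0x00, 0x0A, b"\x02\x15\x60" + bytes(4)),
           build(0x80, 0x0A, b"\x02\x18\x50" + bytes(20))]

def audit(frames):
    """List (index, address, verdict) for every frame that is not encrypted."""
    rows = [(i, f[1] & 0x7F if len(f) > 1 else None, classify(f))
            for i, f in enumerate(frames)]
    return [r for r in rows if r[2] != "encrypted"]
```

Run over a capture from a reader bus, `audit` returns the frames that travelled without encryption, which is the condition to chase down with the installer or vendor.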
Why Some Vendors Have Jumped In
I spoke with the CEOs of the three companies that have OSDP-verified products for their perspectives on why they got on board, the rate of industry acceptance, and the notable absence of key industry players from the verified list.
“I was shocked at the vulnerability of Wiegand, a 40-year-old technology,” says Paul Ahern of Cypress Integration. “Although 90% of our product line was Wiegand-related, we knew we had to make the move to more advanced technology.”
Hugo Wendling of WaveLynx says their company philosophy “aligns completely with the concept of published and open standards.”
“Early on, we decided we were really in the data communications business more than the radio business,” explains Scott Lindley of Farpointe Data. “Naturally, this led us to be concerned about data security and happy to rally around a much-needed standard.”
We are already seeing interesting innovations using OSDP as a building block. Cypress, for example, uses the protocol in its wireless handheld readers.
WaveLynx has introduced an “auto detect” feature to allow readers to automatically configure themselves from Wiegand to OSDP communication mode over the same two green and white wires, providing an easy bridge from legacy to new technology. “The reader becomes another IoT device,” Wendling says.
Daryadel has designed products that use the OSDP protocol for communication between access control sub-systems, including power supplies. To this point, the protocol allows vendors to define any number of command and reply messages and associated data structures without any obligation to or authorization by the OSDP community. They may also elect to propose the adoption of any of their Vendor Specific Commands to the OSDP Working Group to become part of the public communications, command and response code base and standard.
OSDP sample code is available as open source via GitHub (see https://github.com/topics/osdp), where one can also find Python and .NET implementations. Gittens projects that SIA will be working on OSDP over TLS next year.
Resistance Still Exists
Although more than 70 companies have professed to support or have embedded OSDP into their products, it appears that a majority are slow, reluctant or resistant to go through the verification process. Lindley believes that this may be the result of additional engineering effort to master the technical complexities, slightly higher implementation costs – including processor horsepower – or a reticence to move to an open standard.
Other observers I have spoken with have a strong sense that manufacturers are holding onto legacy products because of their profitability or because they help to ensure a closed, proprietary system, locking customers in. Lessons learned over the history of the American economy – and the security industry in particular – are rife with examples of innovative upstarts displacing established players reluctant to let go of the status quo.
Integrators and Consultants Can Lead the Way
In this age of cyber security concerns and open protocols, I encourage security users and consultants to insist on products providing open, secure, standards-based communications; in fact, many large enterprise users already have, according to Thayer. I also encourage consultants to specify this technology, and, along with integrators, to push manufacturers to speed their implementations and demonstrate compliance with the standard. In the long run, it will be good for business because, as D’Agostino states, “we should be delivering security systems, not vulnerabilities!”
Check out SIA’s OSDP boot camp, available virtually or, as conditions permit, in a classroom setting. See https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/osdp-boot-camp/ for the latest information.
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and the CONSULT Technical Security Symposium. Reach him at ray@SecuritySpecifiers.com, through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter, @RayCoulombe.