How to Upgrade to a More Secure Physical Access Control System
Many organizations have a physical access control system (PACS) that is between one and two decades old, which has components that are past their supported service life but until now have still been working well. Most such legacy systems do not utilize secure communications to the card readers or controllers, and their card credentials are typically cloneable. What improvements can be made without having to rip-and-replace the entire system all at once?
Q: We need to add more card readers to our access control system and replace come failing old controllers. How can we do this using more modern technology so that we’re not continuing to invest in outdated technology? We can’t do a wholesale replacement yet.
A: Look for newer interoperable standards-based components from your existing manufacturer that are compatible with your existing access control system deployment. Dual-technology cards and readers may also help in this situation.
Interoperability refers to the ability of commercial off-the-shelf (COTS) electronic devices and systems to connect and communicate with one another in a secure and timely manner, regardless of manufacturer. Standards-based interoperable products and systems have been a primary driver for the exponential adoption of information technology in many industry and application domains.
In addition to the adoption of IT computer and networking standards, the physical security industry has its own interoperability initiatives under way, three of them for access control systems.
Open Supervised Device Protocol (OSDP)
OSDP is an access control communications standard developed by the Security Industry Association (SIA) to improve interoperability among access control and security products. OSDP defines the communications between a card or a biometric reader and its field control panel.
OSDP v2.1.7 is currently in-process to become a standard recognized by the American National Standards Institute (ANSI), and OSDP is in constant refinement to retain its industry-leading position. OSDP surpasses the common Wiegand protocol for maximum wire distance, data throughput, and security. Its benefits include:
- Constantly monitors wiring to protect against attack threats.
- Supports advanced smartcard technology applications, including PKI/FICAM and biometrics.
- Supports bi-directional communications among devices.
- Supports advanced user interface capabilities, including welcome messages and text prompts.
- OSDP Secure Channel supports high-end AES-128 encryption (required in federal government applications).
- OSDP’s use of 2 wires instead of 12+ allows for multi-drop installation, supervised connections to indicate reader malfunctions, and scalability to connect more field devices.
- Can handle large amounts of credential data, as is required by biometric readers.
Several companies, such as Mercury Security (now part of HID), have newer hardware controllers that support OSDP Secure Channel. Such panels can be added to legacy installations or used as replacements, enabling access control for very critical doors to be highly secure and support biometrics. Other manufacturers that support OSDP include Allegion, Axis Communications, Cypress Integration Solutions, Farpointe Data, Lenel Systems, Rosslare Security Products, Software House, Suprema and WaveLynx Technologies.
LEAF Identity Protocols
The LEAF Consortium is an association of partner entities intent on bringing interoperability to access control and identity credentials. (LEAF is not an acronym, but a brand name chosen by the LEAF Consortium.) The LEAF Standards are a set of specifications and reference designs for access control and identity credential components – including readers, smart cards and mobile-device-based credentials – that facilitate interoperable and secure credential solutions. Companies that provide LEAF-enabled card and biometric readers and card credentials include Allegion, Brivo, E-LINE, EyeLock, IDEMIA, Iris ID, Linxens, RF IDeas, Universal Smart Cards and WaveLynx.
Physical Security Interoperability Alliance (PSIA)
The PSIA is a global consortium of more than 65 physical security manufacturers and systems integrators focused on promoting interoperability of IP-enabled security devices and systems across the physical security ecosystem as well as enterprise and building automation systems. Its Physical-Logical Access Interoperability (PLAI) protocol specification provides a means for organizations to transfer and dynamically update relevant employee data from the “logical” HR system to any PLAI-enabled Physical Access Control System (PACS) including those being operated at different company facilities, some of which may be disparate systems. PLAI enables companies who have disparate access control systems to manage their access centrally without the use of an expensive 3rd party access integration platform. PLAI is a standards-based specification which leverages the LDAP (Lightweight Directory Access Protocol) v3 interface to support a number of commonly-used logical identity directories, including Microsoft® Active Directory®, which is typically used by organizations to hold their information system user data for authentication (identity verification) and authorization (access privilege determination). Companies whose products support PLAI include AMAG Technology, Cruatech, EyeLock, IDEMIA, Kastle Systems, LenelS2, Princeton Identity, and Software House.
Dual-Technology Access Cards
Dual-technology access cards can enable an organization to migrate over time from cloneable proximity access cards to non-cloneable secure smart cards in a way that makes sense financially and operationally. For example, the most critical doors can be upgraded to smart card readers that read the encrypted access data on the card and use the OSDP Secure Channel protocol to communicate with upgraded or new access control panels. Personnel who access those doors can be given new dual-technology access cards immediately. Other cardholders can be given new cards when their existing access cards expire or at a pace that can be easily supported. Existing proximity readers will use the proximity technology on the new cards. When all existing proximity cards have been replaced, all outdated controllers and proximity readers can be upgraded at a pace that makes sense for the organization. Thus, the move to secure access control system communications and non-cloneable access cards can be accomplished in a non-disruptive fashion.
Given the options that are now becoming available, it makes sense for companies with a significant investment in legacy PACS to develop a feasible upgrade path to more secure technology.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.