This article originally appeared in the January 2021 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.
Far too often, your customers are forced to make tradeoffs between security and ease of use. As a general rule, the more secure a solution is, the more time is required to establish security protocols.
Access control using the Security Industry Association (SIA) Open Supervised Device Protocol (OSDP) standard is one of those exceptions where security is baked into the solution, providing customers with the security that they require and providing the integrator community with ease of deployment and maintenance capabilities far beyond those of traditional Wiegand access control deployments.
SIA has recently announced the newest version of the specification, SIA OSDP Version 2.2, and with newly deployed OSDP education resources and an ever-growing list of OSDP Verified products, OSDP is poised to become the new normal in access control.
Why OSDP is Important
Security Business readers may recall Ray Coulombe’s Oct. 2020 Tech Trends column, OSDP Goes Mainstream (www.securityinfowatch.com/21154817), which details the benefits of OSDP and provided insights from the manufacturer and integrator community about the long history of the specification and the rapid advancements in the past year.
Here’s a quick recap of the benefits:
1. It is a standard: SIA OSDP was approved as an International Electrotechnical Commission (IEC) standard in July 2020 and is officially listed as IEC 60839-11-5. OSDP works by sending bidirectional RS-485 messages in a standard format. OSDP version 2.2 replicates the IEC formatting, harmonizing the standards efforts.
2. It is more secure than Wiegand: Even in basic operation, SIA OSDP is a bidirectional supervised standard; thus, the command and reply structure serves as a “receipt” that messages were transmitted successfully to the intended device. OSDP’s Secure Channel profile adds AES 128 encryption on top of that.
3. It enables feature-rich implementations: Standard messages allow files to be transferred from the access control units to peripheral devices, enabling features such as reader firmware updates, logos or custom LED color sets sent directly from the control panel.
Product Verification in Full Swing
The SIA OSDP Verified program, launched in May 2020, seeks to bolster another aspect of the OSDP value proposition – an official listing of products that have been tested to conform to the standard.
Due to the nature of the standard’s history – it was originally developed as part of a custom integration between two vendors before being transferred to SIA for development in 2012 – there has never really been an official requirement for vendors to make a claim of OSDP conformance.
There are war stories from integrators and their customers alike in which OSDP equipment delivered for a job could not work together as claimed due to differences in the message sets or versions of OSDP used.
How Verification Works
Seeing well-meaning actors throughout the entire security value chain and the frustration of stakeholders in the midst of Wiegand replacements, SIA – with input from the SIA OSDP Working Group – has partnered with independent technical services providers to verify how devices handle OSDP messages and confirm that they are able to meet the use cases they claim to support.
OSDP Verified tests for four different application profiles:
- Basic: These devices are Wiegand replacements; they provide the supervision benefits of a bidirectional protocol, protecting them from the common “person-in-the middle” attack.
- Secure: These devices meet the Basic profile but can also handle encrypted messages using Secure Channel and can enter and exit Basic and Secure modes as claimed.
- Smart card: These devices can handle the transfer of structured data units required for smart card operations, which allows for use in Federal Identity, Credential and Access Management and Personal Identity Verification environments among others.
- Biometric: These devices can utilize OSDP messages to read and match biometric templates.
Not only can integrators deliver the OSDP solution that a customer needs, but using the OSDP Verified product list, integrators can also validate that a product has been tested within lab conditions to handle all of the required messages, minimizing any mishaps at a customer site.
As of publication, the list of OSDP-Verified (or soon-to-be verified) products contains more than 25 devices from seven different vendors. While that may not seem like a ton, consider that many of these OSDP Verified suppliers are original device manufacturer partners to a number of private-label solutions.
SIA is finalizing a process that will allow these private-label solutions to be listed as OSDP Verified after an expedited testing procedure to ensure that there have been no modifications to the devices; moreover, the vendors listed make up a significant share of the access control market.
The pipeline of devices currently undergoing verification remains active, and SIA is looking to grow the bench of independent validators to increase testing throughput by enabling testing in Europe and the Asia-Pacific markets, where there has been increased demand for OSDP verification upon the release of the IEC 60839-11-5 standard.
Deployment and Training
This increase in demand naturally leads to importance placed on the ability of integrators who are deploying OSDP devices. Systems integrators who have installed OSDP systems in the past may say the biggest issue is finding out that one device does not “do OSDP” the same as another; however, with OSDP Verified addressing this concern, OSDP is not a more difficult installation – it is just different.SIA’s hands-on OSDP Boot Camp (www.securityindustry.org/event/sia-osdp-boot-camp), designed for systems integration teams and end-customers, illuminates the differences between OSDP and Wiegand deployments and covers everything from wiring to the use of terminating resistors (or not), troubleshooting common issues, running message traces, and how to use the configuration tools supplied by various OSDP Verified vendors.
OSDP Boot Camps are currently available virtually for teams of six or more. Interactive OSDP pods are sent to a training facility or central pickup point, and the class is taught via videoconference. SIA continues to monitor the pandemic and tentatively plans to conduct in-person OSDP Boot Camps in the second half of the year at its Silver Spring, Maryland, headquarters and at various industry conferences.