OSDP Offers Encryption Prescription: Why It’s Better Than Wiegand
Combined with modern credentials, OSDP provides a way for secure end-to-end deployments with lower installation and operational costs.
Industry standards provide the structure security devices require to meet performance expectations. For years, the aging Wiegand standard, first introduced in 1976, served as the de facto way to wire a reader and helped drive a decades-long expansion of access control.
Today, 98% of small businesses and larger enterprises still fully or partially use the technology. However, the industry has failed to adequately educate end users on the security risks of the 50-year-old technology.
Wiegand is a one-way signal with no encryption between reader and door controllers. This is a fundamental security flaw. But with readers that work reliably for 15 to 20 years and wiring that lasts longer, there’s often no immediate financial reason to upgrade or replace these systems.
Fortunately, there is an opportunity to move to a new standard — the Open Supervised Device Protocol (OSDP). OSDP incorporates standards-based modern encryption to keep any location more secure.
Combined with modern credentials, OSDP provides a way for secure end-to-end deployments with lower installation and operational costs. OSDP is today’s gold standard for access control.
The first version of OSDP was created in 2008 by a coalition of manufacturers, including HID Global, Lenel and Mercury Security. A few years later, the Security Industry Association (SIA) took ownership and further developed and published, with broad industry participation, OSDP v2.17, adding new security and functionality features.
In May 2020, the International Electrotechnical Commission approved OSDP as an international standard captured in OSDP v2.2.
A significant difference between the two protocols is that OSDP offers true bi-directional communication. This importantly provides remote maintenance and configuration management. These features lead to lower total costs of system ownership at each step of the system integration, operation, and maintenance phases of the security system lifecycle.
In addition to added security, OSDP provides added convenience and flexibility for end users. It’s easy to push configuration changes and/or firmware updates and do this systemwide for many OSDP-enabled card readers. Updates to Wiegand readers are made one at a time and require being physically present at each device.
Facility security is enhanced by the ability to create and update individual encryption keys. The OSDP file transfer capability enables end-users to perform reader and controller key management remotely.
This eliminates the time-consuming and cumbersome use of configuration cards. Compared to Wiegand technology, OSDP offers other advantages, including:
- Readers compatible with a wide range of access control units (controllers and downstream boards).
- AES-128 encryption that provides security for sensitive information, making life difficult for cyber adversaries.
- Daisy-chaining of OSDP readers reduces the fixed price per door and saves time on cabling and installation. Wiegand technology requires home-run cable pulls from the control panel to each peripheral device.
Knowing a system is functioning correctly is vital. OSDP controllers provide end users with messages regarding reader capabilities, status, real-time tamper reporting and more.
Older methods, including Wiegand, only provide one-way communication. This means the reader cannot be supervised as it has no way of confirming if it’s still connected to the controller.
For example, with Wiegand, there is no way for the reader to communicate its operating status except when a card is presented. OSDP provides continuous polling of readers with an acknowledgment and response that includes information about the device’s state.
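The supervision difference described above, as an added example that is not part of the original article and not OSDP's wire format: a constructed Python simulation in which a controller polls every addressed reader on a shared bus, counts missed replies, and raises an alert when a reader falls silent or reports tamper, beside a Wiegand-style input that only delivers pulses when a card is presented and therefore cannot tell an idle reader from a disconnected one. The addresses, poll limit and alert strings are illustrative choices.

```python
"""Constructed simulation of polled (OSDP-style) versus one-way (Wiegand-style)
reader supervision. Not the OSDP protocol itself; it models only the behaviour
the article describes: continuous polling with an acknowledgment that carries
device state, on a bus where each daisy-chained reader has its own address.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional


class Reply(Enum):
    ACK = auto()     # reader alive, nothing to report
    TAMPER = auto()  # reader alive, tamper switch open
    NONE = auto()    # no reply within the timeout (cable cut, power lost)


@dataclass
class PolledReader:
    address: int            # bus address; one per daisy-chained device (assumed)
    online: bool = True
    tampered: bool = False

    def respond_to_poll(self) -> Reply:
        if not self.online:
            return Reply.NONE
        return Reply.TAMPER if self.tampered else Reply.ACK


@dataclass
class PollingController:
    readers: Dict[int, PolledReader]
    missed_poll_limit: int = 3                      # consecutive misses before "offline"
    missed: Dict[int, int] = field(default_factory=dict)
    tamper_seen: Dict[int, bool] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def poll_cycle(self) -> None:
        """One pass over the bus: poll every address and classify its reply."""
        for addr in sorted(self.readers):
            reply = self.readers[addr].respond_to_poll()
            if reply is Reply.NONE:
                self.missed[addr] = self.missed.get(addr, 0) + 1
                if self.missed[addr] == self.missed_poll_limit:
                    self.alerts.append(
                        f"reader {addr}: offline after {self.missed_poll_limit} missed polls")
                continue
            if self.missed.get(addr, 0) >= self.missed_poll_limit:
                self.alerts.append(f"reader {addr}: back online")
            self.missed[addr] = 0
            # Report tamper on the transition only, so a held switch does not flood the log.
            tampered = reply is Reply.TAMPER
            if tampered and not self.tamper_seen.get(addr, False):
                self.alerts.append(f"reader {addr}: tamper reported")
            elif not tampered and self.tamper_seen.get(addr, False):
                self.alerts.append(f"reader {addr}: tamper cleared")
            self.tamper_seen[addr] = tampered


class OneWayReader:
    """Wiegand-style Data0/Data1 pulses: the controller hears it only during a card read."""

    def __init__(self) -> None:
        self.connected = True

    def present_card(self, card_bits: str) -> Optional[str]:
        # A disconnected reader simply produces nothing; no error reaches the controller.
        return card_bits if self.connected else None

    def supervise(self) -> str:
        # There is nothing to poll and nothing to acknowledge, so the
        # controller cannot distinguish "idle" from "disconnected".
        return "unknown"


def run_polled_demo(cycles: int = 4) -> List[str]:
    """Three readers on one bus; address 1 is tampered, address 2 has lost its cable."""
    bus = {a: PolledReader(address=a) for a in (0, 1, 2)}
    bus[1].tampered = True
    bus[2].online = False
    ctrl = PollingController(readers=bus)
    for _ in range(cycles):
        ctrl.poll_cycle()
    return ctrl.alerts


def run_one_way_demo() -> str:
    """The same cable fault on a one-way reader is invisible until a card fails to read."""
    reader = OneWayReader()
    reader.connected = False
    lost_read = reader.present_card("0110")   # constructed card bits; returns None
    assert lost_read is None
    return reader.supervise()


if __name__ == "__main__":
    for line in run_polled_demo():
        print("polled bus:", line)
    print("one-way reader status:", run_one_way_demo())
```

Running the block prints a tamper alert for address 1 on the first poll and an offline alert for address 2 after three missed polls, while the one-way reader's status stays "unknown" no matter what has happened to its cable.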
OSDP works across different bi-directional communication methods and offers the benefits of RS-485 serial communications or TCP/IP over Ethernet (including wireless links). Riding on RS-485, OSDP enables cable runs of up to 4,000 feet, whereas Wiegand protocol systems are limited to 500 feet.
Openness is a critical part of OSDP. End-users deploying OSDP gain interoperability among security devices. The standard covers integrating biometric technologies such as fingerprint, facial or iris biometrics, providing options for multifactor authentication. It is agnostic to credential types, allowing readers, panels, and other devices from one manufacturer to work seamlessly with those from another supplier.
By eliminating the need for proprietary readers and controllers, users can choose devices based on performance and price. Also, OSDP is required for integrators working with organizations requiring the highest levels of security, such as the federal government and data centers.
OSDP provides a standard to meet the requirements of the Federal Identity, Credential and Access Management (FICAM) guidelines for secure bi-directional communication.
The Migration Process
Worldwide, many reader installations still work only with the Wiegand technology. Most industry professionals are pushing for the adoption of OSDP as quickly as possible. Yet, a rip-and-replace project is expensive.
There are three components – credentials, readers and intelligent controllers – involved in migrating to the OSDP protocol. And while the protocol is specifically about communications between the reader and the controller, it is essential that credential security also be considered.
Let’s look at a company with 2,000 employees as an example of the costs involved in making a complete switch from Wiegand technology. Those 2,000 employees will need an equal number of new cards at the cost of about $10,000. A total of 200 new readers adds $60,000 to the price.
New readers require new controllers – 50 more devices cost about $50,000 for a total cost of $120,000 for an immediate upgrade. A more realistic plan for most organizations is a measured migration beginning with reader upgrades along the perimeter to protect softer yet critical interior areas.
Inside, place mobile modules behind each reader and upgrade with CRS cards or mobile smartphone credentials. The final step, the heavy lift, replaces all field hardware, meaning the intelligent controllers. This can happen gradually, replacing devices as they fail with ones configured for OSDP. In some cases, it is also possible to reuse existing wiring, further easing the migration plan.
There are few access control regulations related to an OSDP upgrade. However, it is increasingly found as a requirement. Regulated utilities are one industry that can require the OSDP standards. Simply put, sensitive information needs to be transmitted over secure connections.
OSDP provides a way to address this increasingly common requirement. More often, today’s IT departments (and their auditors) insist that security teams install the technology that best protects the network. Each IoT device in a security system provides an opportunity for hackers to gain network access. Wiegand provides an open door that OSDP closes.
Where have we gone wrong in getting OSDP universally adopted? Though it’s an industry-wide problem, many integrators are still unaware of the standard and what it offers end users. It’s outside the norm, not how they have always done things. Other integration firms balk at the expense and disruption caused by sending technicians to OSDP training classes.
The result is many integrators continue installing Wiegand technology, widely known to be inferior. Some consultants still specify Wiegand, and some access control equipment manufacturers have lagged in accepting OSDP. However, a growing number of progressive integrators no longer install Wiegand protocol devices. They understand that leading with OSDP is a winning strategy.
There is also a general mentality that there is no need to make changes until a problem becomes severe. We already see exploits of Wiegand and auditor findings that classify it as a vulnerability that needs mitigation. This will only become more pronounced.
Unfortunately, major reported problems may be what it takes to get end users, consultants and integrators moving. Without immediate changes, doing nothing may ultimately prove much more expensive and damaging to all involved.
The SIA team has worked tirelessly to sell the benefits of OSDP. It is currently enabling manufacturers to add “OSDP Verified” to devices as part of a certification program with growing adoption. All security stakeholders need to get on board and do the same.
The Integrator’s Role
So, where do integrators go next in the battle to make OSDP a universally deployed standard? From salespeople to technicians, we must educate our employees about the benefits and why OSDP is a must and not an option. We must help our customers build transition plans for an orderly migration to the new standard and to help them justify the benefits of a transition.
There’s also a need for integrators to become more network security savvy. The physical security function must be on a secure network, often segmented from other networks with organizational records and other critical data. Integrators must deliver physical security systems that adhere to security and network best practices.
Most integrators aren’t network administrators and rely on their customers to handle these duties. Yet, client IT departments often are not excited about taking responsibility for another system and set of devices, which they must support without a clear understanding of the level of security it can deliver.
OSDP competence provides a way to engage productively in this conversation. SIA has done an exemplary and remarkable job getting competing manufacturers, end users and integrators to buy into the protocol. Now it’s time for all of us to make OSDP a true standard for the added convenience, flexibility and greater security it will provide.
John Nemerofsky is COO for Kent, Ohio-based SAGE Integration.