What Security Integrators Need to Know About OSDP
The Open Supervised Device Protocol importantly offers the option of secured communications between reader and controller.
The Open Supervised Device Protocol (OSDP) is a communications protocol nurtured by a Security Industry Association (SIA) consortium, consisting of some of the smartest individuals from the security industry. Their initial intent was to create a protocol for communications between electronic access control (EAC) devices, such as readers and controllers. It was also created for deployments that require higher security such as government, data facilities and drug manufacturing programs.
A two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, public key infrastructure (PKI) and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication are predefined. How does that impact security equipment manufacturers, integrators and users?
Among other things, it lets security equipment, such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer. In other words, OSDP fosters interoperability among security devices. It also adds sophistication and security benefits through features such as bi-directional communication and read/write capabilities.
OSDP importantly offers the option of secured communications between reader and controller. The vision behind this was to facilitate an encrypted communication connection between a reader and the controller. This is independent of the encryption between credential and reader.
A basic definition of encryption is the conversion of information and data into a secret code. This is sometimes called a cipher. For example, your access card is programmed with the number 101. You present your card to a reader and the controller also sees ID 101 but, in between the reader and the controller, the data sent looks nothing like ID 101. The card data sent in between the reader and the controller is encrypted into a secret code.
Also, significant to highlight, OSDP is a real SIA approved industry standard. It is not a piece of technology owned by any company and, thus, not proprietary. Today, it is an open standard that is global in scope and available for use by any manufacturer.
Nuts and Bolts of OSDP
OSDP is built on the RS-485 serial transmission standard. RS485 is the physical layer, laying out the actual electrical characteristics of the signal generator and receiver. Think of OSDP as communications riding on this RS485 physical layer.
Key advantages include that RS485 requires just four conductors, two for power and two for data. A cable example might be the popular Belden 8723. Intended for control and instrument installations, it’s a 22 AWG stranded cable with four conductors, each making use of color-coded polypropylene insulation, then twisted into pairs. One pair is red and black while the other pair is green and white. Next, each pair is individually foil shielded and then wrapped together with a stranded drain wire and covered, finally, by a PVC jacket.
RS-485 also provides for longer cable runs between devices, often up to 4,000 feet. Also, when compared to Wiegand, which offers simple point-to-point topologies, OSDP offers point-to-point and multi-drop. Of course, multi-drop also means individually naming, or addressing, the readers in the system.
Encrypted communications between a reader and controller offer a number of real-world benefits. One is that encrypted OSDP communications can be used to prevent man-in-the-middle hacks on data lines. In this type of hack, a hacker intercepts data, then secretly relays and possibly alters the communications between a reader and door controller.
Another benefit of encryption is data integrity, a concept often overlooked. Specifically, by implementing encryption, one can trust that the data being communicated is authentic and unaltered from what was originally communicated. This is a good segue over to the subject of information technology.
In our IT-centric world the concept of IT compliance, the process of meeting a specific set of requirements for digital/cyber security, is an emerging need. For example, these requirements might be generated internally by corporate IT or they may originate from outside the customer’s organization.
Think of an insurance company or government entity. Perhaps, your company agrees to a standard operating procedure (SOP) of only supplying solutions as standard when encrypted. When applied, OSDP can assist in meeting this SOP.
Some Ways OSDP Differs From Wiegand
For years, Wiegand has been the industry standard but it is no longer inherently secure due simply to its original obscure and non-standard nature. Plus, the multiple definitions associated with the Wiegand name have created confusion over the years. OSDP, focused as a standardized protocol between readers and controllers, moves us forward.
It helps ensure that numerous manufacturers’ products will work with each other. Interoperability can be achieved regardless of system architecture. For instance, the specification can handle smartcards by constantly monitoring wiring to protect against attack threats and serves as a solution for high-end encryption such as required in federal applications. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment.
To again emphasize, OSDP provides the option for encrypted channel communications. Wiegand does not. Known as a secure channel, OSDP lets communications traffic between a reader and controller be encrypted. Specifically, this traffic can be encrypted via Advanced Encryption Standard (AES) with a 128-bit key.
This is real encryption, not just data scramble. AES is itself a recognized and widely adopted specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology.
OSDP provides two-way communications. Wiegand is a one-way street for data. For example, this lets the reader be queried as to its status. Think of this as a health check. It’s standard with OSDP, but not that easy to do with Wiegand.
OSDP riding on RS-485 provides longer cable runs while Wiegand is shorter. OSDP offers optional configurations of wiring topology while Wiegand only offers one. This flexibility can be very beneficial in minimizing installation and retrofit operations.
Wiring requirements are also different. An OSDP cable only requires four conductors. Wiegand cabling may require five, or even more, conductors. This makes them larger, heavier and, often, more expensive.
OSDP lets the data rate be adjusted. With Wiegand, that is not the case. The advantage is that larger quantities of data can be transmitted quicker with OSDP. Think of a Personal Identity Verification (PIV) card. This data could be transmitted in less time than it would take with Wiegand.
Convenience With Security
Users of physical access control systems certainly desire convenience but, as equally, expect security. So, first and foremost, OSDP is more secure. The key is the option of encryption. OSDP typically requires less wiring, which saves money. Users may request integrators utilize existing wiring for retrofits.
Looking for a traditional point-to-point topology for increased flexibility? OSDP provides it. Want the cost savings associated with multi-drop? Done, using the addressability of OSDP readers. How about standards? OSDP is an SIA data communications standard built on the RS-485 serial standard. And, it offers the option to use the American Encryption Standard (AES).
Many manufacturers have already implemented OSDP and there are many other companies with OSDP devices in development. To encourage this, the SIA has released tools that will ensure that these numbers continue to grow.
To make things easier, the SIA Open OSDP Test Tool is open-source software that lets manufacturers of OSDP compatible equipment test their products against the specification. The test tool emulates an OSDP peripheral device or an OSDP control panel or acts as a message sniffer between two “real” OSDP devices.
The test tool runs on several widely available and low-to-no-cost platforms and hardware. It reduces physical barriers to achieving interoperability such as shipping prototypes to numerous vendors for testing. The underlying source code, also available, is another aspect of the tool that can be leveraged by device manufacturers in developing their OSDP interoperable products.
Also, there are emerging compliance initiatives pertaining to OSDP. For instance, “OSDP Verified ” is being championed jointly by SIA and IDmachines, creator of the Eidola technical automation platform. Such measures will benefit device suppliers and consumers alike by guaranteeing tested devices comply with all applicable OSDP requirements.
OSDP’s promise is to offer opportunities to meet customers’ needs today and tomorrow. The adoption and deployment of OSDP will facilitate the development of new and advanced features for readers in the field. Basically, by being able to communicate to the reader from a controller, you unlock enhanced device control.
As security professionals, many of us feel an obligation to present the best security options available to our customers. And while some technology may leave you scratching your head, OSDP is logical, practical and imperative. Today, and moving forward, OSDP will greatly influence electronic access control (EAC) reader and controller development.
OSDP is seeing adoption on a global scale and is a highly recommended consideration for new installs. It is suggested that those dealing with smart security in any format will want to start incorporating the use of the OSDP standard in their equipment and systems.
In the sales arena, OSDP should be viewed as a strong selling feature. You should learn it and integrate it into your presentations.
Stephen “Shep” Sheppard is Key Accounts Sales Manager for Farpointe Data.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!