Open Supervised Device Protocol
Full Title or Meme
OSDP is an access control protocol for limited-functionality peripheral devices (card readers, keypads and similar) attached to an access control unit, typically over an RS-485 serial bus.
Context
The OSDP document specifies the Open Supervised Device Protocol for electronic access control systems, including the communication settings, commands and replies exchanged between the access control unit (ACU) and its peripheral devices (PDs), such as card readers. The document applies to physical security only: physical security prevents unauthorized personnel, attackers or accidental intruders from physically accessing a building, room, etc.[1]
Problems
- Weaknesses in deployed OSDP systems demonstrated by Bishop Fox at Black Hat USA in August 2023 ("Badge of Shame: Breaking into Secure Facilities with OSDP") [2]
Solutions
The transition from traditional Wiegand communication protocols to the more advanced Open Supervised Device Protocol (OSDP) represents a critical step forward for security integrators and end-user organizations alike. Wiegand, a longstanding access control standard in the industry, has served its purpose admirably over the years but is increasingly being surpassed by the capabilities offered by OSDP. This transition marks not just a shift in communication protocols but a leap toward enhanced security, improved interoperability and greater reliability in access control systems.[3]
- The Business Case for Adopting OSDP
OSDP was first developed by Mercury Security and HID Global in 2008, then later donated, free of intellectual property, to the Security Industry Association (SIA). The protocol emerged as a response to the limitations and vulnerabilities inherent in traditional access control communication protocols. Today under SIA’s guidance, OSDP represents a collaborative effort among industry leaders to establish a more secure and standardized method of communication between access control devices.
OSDP was approved as an international standard by the International Electrotechnical Commission in May 2020 and has been published as IEC 60839-11-5. SIA OSDP v2.2, which is based on the IEC 60839-11-5 standard, was released in December 2020.
The need for a modernized protocol became increasingly apparent as legacy protocols like Wiegand struggled to keep pace with evolving security threats and technological advancements. With the support of industry stakeholders, SIA set out to create a protocol that not only addressed these shortcomings but also offered enhanced features such as bidirectional communication, encryption and advanced security measures.
Thus, OSDP was born, providing security integrators and end users with a robust, interoperable and future-ready solution for access control systems, explains Tony Diodato, founder and CTO at Cypress Integration Solutions, Lapeer, Mich. Diodato has been active in efforts to develop OSDP since 2012. He has been co-chair of the SIA OSDP Working Group since 2018.
“Wiegand served well for over 40 years but it is inherently vulnerable and is totally unsupervised,” Diodato says. “Pretty much every signaling method used in the security space has a means of verifying its integrity except Wiegand. The S in OSDP stands for ‘supervised’ and finally implements a standard way of doing so. Security via encryption and authentication is a fundamental part of the OSDP communications protocol.”
Because Wiegand is a one-way broadcast of information to a control panel, Diodato continues, there is no way it can be secured via standard encryption methods.
“Once a low-cost, bi-directional communications medium is established between the access control panel and a peripheral device (reader), there are all sorts of enhanced features that can be easily implemented, such as door control, alarm contact monitoring, etc.,” he adds.
Damon Dageenakis, senior director, product management, HID, Austin, Texas, also emphasizes the vulnerability for Wiegand to be easily hacked.
“Like other legacy protocols, it leaves access control systems open to man-in-the-middle attacks. It also poses distance limitations and scalability constraints, and only allows one-way communication — preventing audio/visual control, configuration changes and other critical updates,” he says. “It also is not interoperable among access control systems.”
In contrast, Dageenakis explains, OSDP offers an easy upgrade path from legacy protocols to improvements including:
- Higher security through its Secure Channel Protocol, which uses AES-128 encryption.
- Bi-directional communications, enabling remote reader configuration and management.
- Interoperability, with the freedom to choose different reader and controller manufacturers.
- Reduced total cost of ownership (TCO).
- More intuitive experiences at readers, through the ability to provide audio/visual feedback.

“By moving customers to OSDP, integrators can capitalize on OSDP’s popularity and promote the value of open standards for improved security and other benefits,” Dageenakis says. “This helps to build new customer relationships and win more projects. OSDP also makes life easier by eliminating the complication of trying to retrofit installation alongside a legacy system — which is also expensive for the customer — with its complex wiring requirements.”
Echoing its enhanced security, Brach Bengtzen, vice president of marketing for ProdataKey, Draper, Utah, also cites other compelling reasons why integrators should consider adopting OSDP as the primary communication protocol. These include OSDP’s ability to provide two-way communication. “Not only can readers send data to the controllers, controllers can send data to the readers,” he says. “As a result, whenever you have a firmware update, it can be handled remotely, pushing the update from the cloud out to the readers. By comparison, with a Wiegand system, integrators must go onsite and handle the update manually.”
Bengtzen adds that with OSDP integrators can do multi-drop or daisy chaining of readers, utilizing just a single reader port on a controller for up to four doors. “Each door maintains its individual identity. If you do that with a Wiegand system, it sees all the doors as one,” he says.
High-quality cabling infrastructure is vital for establishing secure and reliable communication pathways within OSDP-enabled access control systems, ensuring seamless data transmission and system integrity.
Implementing OSDP in access control systems can lead to significant infrastructure savings for new implementations, says Devon Felise, director of sales, Suprema America, Lake Mary, Fla. For example, he compares two-wire OSDP deployments with the traditional six-wire Wiegand cable. OSDP/RS-485 wiring can also run at distances up to 4,000 feet, whereas readers with a Wiegand interface are limited to a 500-foot maximum distance from the controller, he explains.
Felise also highlights OSDP’s support for multi-drop/daisy chaining of readers vs. using traditional star topography to achieve cost savings.
“An example is a single Suprema four-door control panel can support up to four Wiegand readers or 132 readers using OSDP/RS-485,” he says. “That’s a significant savings in panels in hardware to installation costs with one panel using OSDP versus 33+ panels with Wiegand.”
- Key Considerations for Initial Planning Phase
The success of an OSDP deployment hinges on planning and foresight during the initial stages of implementation. As security integrators embark on the journey to adopt OSDP for access control systems, careful consideration of various factors becomes paramount. From assessing infrastructure readiness to defining security requirements and ensuring compatibility with existing systems, each step in the planning phase plays a crucial role in shaping the effectiveness and efficiency of the OSDP deployment.
“Training is first and foremost; implementing or converting to OSDP does not seem to be as straightforward as configuring plug-and-play Wiegand,” Felise explains. “I’ve seen high quality integrators implement OSDP systems that fail. As initial blame is usually directed to the manufacturer, it wastes significant time and resources with misdirected troubleshooting just to find out it was a wiring issue when converting from Wiegand to OSDP.”
Real-world bench testing should be a key component, Felise adds. “Not just testing each component on its own, but as a completed system with documented firmware versions of the hardware, to be as close as possible to the customer site,” he says.
For integrators, the biggest consideration is the risk of not migrating to OSDP, Dageenakis stresses.
“It is common knowledge that today’s organizations value system interoperability — especially with regard to security. The rise of IP-networked devices, such as video and physical access control, has opened up a world of possibilities; however, the security of the data being collected from these devices is paramount to keeping the organization safe from attack,” Dageenakis explains. “OSDP is the only protocol that is secure and open for communication between readers and controllers and is also being widely adopted by manufacturers, including the industry-leading manufacturers for readers and controllers.”
He adds, the fact that OSDP is an evolving, “living standard” — similar to many others that streamline the development of connected devices — makes it a safer, more robust, future-proof option for governing physical access control systems.
As Diodato explains, many OSDP implementations look the same as legacy Wiegand reader-to-panel wiring: two wires for power, two wires for reader signaling. However, unlike Wiegand, the signaling wires are a twisted pair, which allows up to 4,000 feet between the control panel and reader. There are no discrete LED or buzzer wires; all functions are controlled over the twisted pair. Therefore it is important to use good-quality wire that is approved for RS-485 data communication.
“Most implementations are one-to-one, that is, one reader to one port on the controller, like Wiegand. The important aspects of installation are ensuring the correct communication speed is selected as well as the polling address,” Diodato continues. “This ensures panel-to-reader supervision. To get the security, both the peripheral device and access control unit (ACU) must be paired with the same encryption key. This is done ‘out of band’ with an installation mode on the ACU or independent configuration tool. Consider whether this is a complete OSDP deployment, or a retrofit where OSDP readers and converters will replace Wiegand readers, enabling them to securely communicate with a Wiegand panel. Existing cable may be fine for a one-to-one retrofit.”
In addition to selecting devices that bear the OSDP Verified mark, Diodato advises that integrators consider how many readers the OSDP panel supports on a single OSDP port, as well as whether the system will be multi-drop or home-run, the method to configure device addresses and communication baud rate, and how secure channel is enabled.
Diodato also provides these additional best practices:
- Configure and test devices prior to permanent installation.
- Plan ahead for how each device will be addressed.
- Review the manufacturer’s and third-party options for configuring encryption keys out-of-band.
- Learn how keys are generated and stored.
- Know how to restore devices to factory default.

Among other important aspects of project planning, Bengtzen cautions that integrators must make sure to use the right type of wire. “Don’t use Cat-5 or Cat-6. Don’t use 22/6 shielded wire,” he explains. “Use RS-485. It’s going to give you the best speeds, best transfers, and best communication between your readers and controllers.”
Also, he adds, when an integrator goes to upgrade a site from an older Wiegand system to an OSDP system, the correct type of wiring may not be in place. “When quoting a job, integrators should make sure to include the cost of ripping and replacing wire if it is going to be necessary,” Bengtzen says.
- Notable Deployment Challenges to Mind
While the adoption of OSDP promises enhanced security and efficiency in access control systems, navigating the installation process can present various challenges for security integrators. From interoperability issues to network configuration complexities, the deployment of OSDP-enabled devices may encounter obstacles that require careful consideration and strategic solutions.
By understanding and addressing these challenges proactively, security integrators can ensure a smooth and successful implementation of OSDP, maximizing the benefits of this advanced communication protocol in access control environments.
One challenge may be not having a full understanding of OSDP Profiles (Basic, Secure, Smart Card, and Biometric), explains Dageenakis of HID.
“Our recent blog post addresses these, as well as best practices for implementation from completing a needs assessment and planning for a phased approach to replacing Wiegand devices, to selecting OSDP-compatible devices, installing and configuring them, programming OSDP devices to communicate with the access control system, and integrating OSDP devices with the central access control software,” he says.
OSDP stands out by not only ensuring regulatory compliance but also meeting the elevated security standards mandated for U.S. government applications, reinforcing its reputation as a trusted solution for safeguarding sensitive environments.
Dageenakis adds two other important areas to understand during implementation are testing OSDP devices to ensure proper communication and functionality — verifying that the access control system accurately processes OSDP commands — and training your team to understand operational changes and troubleshooting procedures.
Given the extensive history of Wiegand installations, Diodato of Cypress says what integrators and installers mostly ask about OSDP is, “What does it look like when it’s working?”
“Most ACUs and PACS software implement some kind of communication monitoring tools,” he explains. “You can see the handshake and information exchange on a working link. However, third-party tools already exist to independently verify that an OSDP peripheral device and access control unit are communicating properly and encryption is enabled.”
Different troubleshooting tools are required with OSDP than were used with Wiegand, Diodato continues. For instance, a configuration method may be provided by a manufacturer, or a technician may use a small device with a simple interface that can attach to a card reader to set the communication speed and ID, as well as confirm that secure channel is enabled.
“With a trace tool, laptop and RS-485 adaptor cable, an OSDP communication link can be monitored,” he adds. “In addition, the trace can be captured and sent to an expert for interpretation.”
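The link checks Diodato describes above (the right polling address and sequence on a one-to-one RS-485 link, and confirming from a trace that secure channel is actually enabled rather than assumed) all come down to reading the OSDP packet header. The Python below is an added example written for this page, not code from the SIA standard, Cypress, or any other vendor quoted here. It frames and parses OSDP v2.x packets (SOM, address, length, control byte, optional Security Control Block, CRC-16 or legacy checksum) and then audits a constructed capture the way a trace tool would: it flags osdp_RAW replies that carry card data without a Security Control Block, a handshake started with the installation default base key SCBK-D, frames still using the 8-bit checksum, and frames whose integrity check fails. The capture bytes are constructed for the demonstration, and the 4-byte MAC on the secure frame is a zero placeholder because a real MAC needs the paired session keys, which this example does not derive.

```python
"""OSDP v2.x packet framing plus a small link audit. Added example for this page
(stdlib only), not code from the SIA standard or any vendor quoted above; the codes
are published OSDP values, the capture is constructed, and the MAC is a placeholder."""
from dataclasses import dataclass
from typing import List

SOM = 0x53                                            # start-of-message byte opening every packet
CMD_POLL, CMD_CHLNG, REPLY_RAW = 0x60, 0x76, 0x50     # command/reply codes used below
CTRL_SEQ_MASK, CTRL_CRC, CTRL_SCB = 0x03, 0x04, 0x08  # CTRL byte: seq (bits 0-1), CRC-16 used, SCB present
SCS_11, SCS_17, SCS_18 = 0x11, 0x17, 0x18             # SCB types: CHLNG (3rd byte picks base key), MAC-only, enc+MAC


def crc16_osdp(data: bytes) -> int:
    """OSDP CRC-16: polynomial 0x1021, initial value 0x1D0F, no reflection, no final XOR."""
    crc = 0x1D0F
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


@dataclass
class Packet:
    address: int     # PD address 0..126 (0x7F broadcast); bit 7 of the wire byte marks a reply
    is_reply: bool
    seq: int
    crc: bool        # True when CRC-16 rather than the legacy 8-bit checksum protected the frame
    scb: bytes       # raw Security Control Block; empty means the link is running in plaintext
    code: int        # command or reply code
    data: bytes
    mac: bytes       # 4-byte MAC present on SCS_17/SCS_18 frames, else empty


def build(address: int, seq: int, code: int, data: bytes = b"", *, reply: bool = False,
          use_crc: bool = True, scb: bytes = b"", mac: bytes = b"") -> bytes:
    """Frame one packet; LEN is the total length SOM..CRC/checksum, little-endian."""
    ctrl = (seq & CTRL_SEQ_MASK) | (CTRL_CRC if use_crc else 0) | (CTRL_SCB if scb else 0)
    body = scb + bytes([code]) + data + mac
    total = 5 + len(body) + (2 if use_crc else 1)
    head = bytes([SOM, (address & 0x7F) | (0x80 if reply else 0), total & 0xFF, total >> 8, ctrl]) + body
    if use_crc:
        return head + crc16_osdp(head).to_bytes(2, "little")
    return head + bytes([(-sum(head)) & 0xFF])   # two's-complement checksum: whole frame sums to 0


def parse(frame: bytes) -> Packet:
    """Validate framing and integrity; raise ValueError rather than return a bad Packet."""
    if len(frame) < 7 or frame[0] != SOM or (frame[2] | frame[3] << 8) != len(frame):
        raise ValueError("bad SOM or LEN")
    ctrl = frame[4]
    if ctrl & CTRL_CRC:
        if crc16_osdp(frame[:-2]) != int.from_bytes(frame[-2:], "little"):
            raise ValueError("CRC mismatch")
        payload = frame[5:-2]
    elif (sum(frame) & 0xFF) != 0:
        raise ValueError("checksum mismatch")
    else:
        payload = frame[5:-1]
    scb = mac = b""
    if ctrl & CTRL_SCB:                  # SCB[0] is its own length, SCB[1] its type
        n = payload[0] if payload else 0
        if n < 2 or n > len(payload):
            raise ValueError("bad SCB length")
        scb, payload = payload[:n], payload[n:]
        if scb[1] in (SCS_17, SCS_18):   # data-phase frames carry the MAC just before the CRC
            payload, mac = payload[:-4], payload[-4:]
    if not payload:
        raise ValueError("missing command/reply code")
    return Packet(frame[1] & 0x7F, bool(frame[1] & 0x80), ctrl & CTRL_SEQ_MASK,
                  bool(ctrl & CTRL_CRC), scb, payload[0], payload[1:], mac)


def audit(frames: List[bytes]) -> List[str]:
    """What a trace tool should flag: plaintext card data, default-key handshake, weak integrity."""
    findings = []
    for i, raw in enumerate(frames):
        try:
            p = parse(raw)
        except ValueError as exc:
            findings.append(f"frame {i}: malformed ({exc})")
            continue
        if p.is_reply and p.code == REPLY_RAW and not p.scb:
            findings.append(f"frame {i}: PD {p.address} sent osdp_RAW card data outside the secure channel")
        if not p.is_reply and p.code == CMD_CHLNG and p.scb[2:3] == b"\x00":
            findings.append(f"frame {i}: ACU opened secure channel to PD {p.address} with default key SCBK-D")
        if not p.crc:
            findings.append(f"frame {i}: frame to/from PD {p.address} used 8-bit checksum, not CRC-16")
    return findings


def sample_capture() -> List[bytes]:
    """Constructed RS-485 capture (not real traffic) exercising each audit rule."""
    raw_card = bytes([0x00, 0x00, 26, 0x00, 0x12, 0x34, 0x56, 0x80])  # reader 0, 26-bit card data
    frames = [
        build(0, 1, CMD_POLL),                                         # plain poll
        build(0, 1, REPLY_RAW, raw_card, reply=True),                  # card read returned in the clear
        build(0, 2, CMD_CHLNG, bytes(range(8)), scb=bytes([3, SCS_11, 0x00])),  # RND.A; SCBK-D selected
        build(0, 3, CMD_POLL, scb=bytes([2, SCS_17]), mac=bytes(4)),   # authenticated poll, placeholder MAC
        build(1, 1, CMD_POLL, use_crc=False),                          # legacy checksum frame
    ]
    damaged = bytearray(frames[0])
    damaged[1] ^= 0x01                                                 # one bit flipped on the wire
    return frames + [bytes(damaged)]
```

Calling `audit(sample_capture())` returns four findings (frames 1, 2, 4 and 5); feeding `parse` the bytes from an RS-485 adaptor capture gives the same report for a live link. Note that an SCB plus a MAC only shows that the secure channel was negotiated; whether the card data itself is encrypted depends on the SCB type (SCS_18 rather than SCS_17), which is why the audit looks at the block rather than at the CTRL bit alone.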
One notable challenge can arise when different versions of OSDP do not align closely enough, leading to interoperability issues between devices. This discrepancy can stem from variations in firmware versions, hardware specifications or interpretations of the OSDP standard by different manufacturers.
“We’ve noticed a significant variation of OSDP versions supported between access control panels and reader technologies,” says Felise of Suprema America. “Even a product that is completely compliant and verified by SIA with the latest OSDP protocols may be attached to a product that is using older commands that had been removed.”
Consequently, integrators may encounter difficulties in establishing seamless communication between OSDP-enabled devices, hindering the overall functionality and reliability of the access control system. To overcome this challenge, thorough compatibility testing and firmware updates are essential.
Felise advises that integrators obtain a list of all features being requested by the customer, both the minimum list and a future wish list. The devices should be connected in their lab and tested thoroughly — do not conduct this vital stage in the field.
Integrators should ensure that all devices within the OSDP ecosystem adhere to the same version of the protocol and undergo rigorous testing to verify interoperability. Additionally, maintaining open communication channels with manufacturers and staying informed about updates and revisions to the OSDP standard can help integrators address compatibility issues promptly and ensure a smooth installation process.
“I can’t emphasize enough that bench testing is very important to confirm OSDP variants will work and techs learning how to implement,” Felise says.
References
- ↑ SIA, Open Supervised Device Protocol Standard Version 2.2 (2022), https://www.securityindustry.org/industry-standards/osdp-v2-2/
- ↑ Dan Petro, Badge of Shame: Breaking into Secure Facilities with OSDP, Bishop Fox (2023-08-09), https://bishopfox.com/blog/breaking-into-secure-facilities-with-osdp
- ↑ Rodney Bosh, Building Tomorrow’s Access Control Infrastructure Today With OSDP, SDM (2024-04-08), https://www.sdmmag.com/articles/102988-building-tomorrows-access-control-infrastructure-today-with-osdp