301.519.9237 exdirector@nesaus.org

OSDP enables a physical access control system to support advanced smartcard technology applications, including PKI/FICAM and biometrics, and other enhanced authentication protocols used in applications that require FIPS compliance and interactive terminal capabilities. (SIA)

7.19.19 – SSI

Open Supervised Device Protocol is a communications standard developed to improve interoperability among access control and security products.

The physical access control system (PACS) is rapidly becoming the hub of smart building innovation. Already the ubiquitous solution for safeguarding people, places and things, it is now also uniquely positioned to help unleash the full potential of smart buildings, hospitals and government offices.

The marriage of access control with mobile and Cloud technologies has enabled it to deliver a host of connected-workplace experiences that depend on common understanding of trusted identities that define who individuals are and what benefits can be granted to them, so they can understand, assist with and even predict what they intend to do.

To make this possible the latest access control solutions have moved to open architectures and standard communications protocols that ensure product interoperability and implementation flexibility, while making it simple and economical to upgrade to new capabilities.

These solutions incorporate everything needed to connect to and interact with a building’s other security systems, services and enterprise applications. This enables today’s PACS solutions to boost building security and performance while giving users the same kind of digital convenience at the office and in other buildings as they have come to expect at home.

Standards Evolve to Improve Interoperability

Physical access control technology has advanced as new threats and vulnerabilities emerged, security protocols were updated, and requirements for integration grew. An example is the Open Supervised Device Protocol (OSDP), which was introduced a decade ago as an alternative to clock-and-data and Wiegand protocols that are now antiquated and vulnerable.

Upgrading to access control systems that adhere to OSDP standards significantly enhances overall security. At the same time, it delivers other advantages that increase the value of adopting it, including increased flexibility and operational efficiency for the long term. Organizations that understand the benefits of OSDP can more easily support both current and future technology requirements.

Organizations that don’t move to OSDP-based PACS solutions leave themselves extremely vulnerable to security threats. Legacy clock-and-data and Wiegand protocols were widely adopted in the early 1980s as the de facto standard for interoperability between access control readers and physical access controllers.

Those de facto standards were later formalized and adopted into industry standards by the Security Industry Association (SIA) in the 1990s. Their weaknesses include the lack of encryption protocol to protect from “man in the middle” attacks and vulnerabilities from reader to controller.

Also, the retrofitting installation alongside a legacy system is complicated for integrators and expensive for organizations, as most readers require dedicated home-run wiring. Extensive wiring on a large-scale project such as a school or corporate campus, results in considerable — often prohibitive — costs for installation of a PACS.

These weaknesses pushed the security industry to adopt OSDP, an access control communications standard developed by Mercury Security and HID Global in 2008. It was donated, free of intellectual property, to SIA to improve interoperability among access control and security products. It is the only protocol that is secure and open for communication between readers and controllers and is also being widely adopted by industry-leading reader and controller manufacturers.

OSDP also is an evolving, “living standard,” making it a safer, more robust, future-proof option for governing physical access control systems.

OSDP offers a variety of significant benefits. First, it increases security through its use of the Secure Channel Protocol (SCP), which supports AES-128 encryption that is required in U.S. federal government applications, and by constantly monitoring wiring to protect against tampering, which removes guesswork since the encryption and authentication are predefined.

Another benefit is OSDP’s bidirectional communication capability. Communication protocols such as Wiegand that are unidirectional require that external card readers send information one way to a centralized access control platform. In contrast, OSDP provides the ability for information to be collected, shared and acted upon using bidirectional communication for configuration, status monitoring, tampering and malfunction detection, and other valuable functions.

Beyond its security benefits, OSDP creates an open and interoperable PACS architecture. Because it supports IP communications and point-to-point serial interfaces, system functionality can be flexibly enhanced as needs change and new threats emerge. Organizations can proactively add new technology that enhances their ability to protect incoming and outgoing data collection through a physical access control system.

OSDP also makes it possible to reduce installation costs. Its use of two wires (as compared to a potential of 11 wires with Wiegand) allows for multi-drop installation, supervised connections to indicate reader malfunctions, and scalability to connect more field devices. OSDP also supports daisy-chaining which enables systems to accommodate many readers connected to a single controller, which eliminates the need to run home-run wiring for each reader.

Additionally, the use of a four-conductor cable achieves up to 10x longer distances between reader and controller than Wiegand while also powering the reader and sending/receiving data.

An additional benefit is OSDP’s improved ease of use. OSDP gives credential holders audio and visual feedback such as colored lights, audible beeps and the ability to display alerts on the reader. There are convenience benefits for security administrators, as well. OSDP-enabled readers can be remotely configured from network-connected locations. Users can poll and query readers from a central location, eliminating the cost and time to physically visit and diagnose malfunctioning devices.

Finally, OSDP delivers unlimited application enhancements. It enables a PACS to support advanced smartcard technology applications, including PKI/FICAM and biometrics, and other enhanced authentication protocols used in applications that require Federal Information Processing Standards (FIPS) compliance and interactive terminal capabilities. Audio-visual user feedback mechanisms are available here as well to provide a new richer and more user-centric access control environment. 

access control osdp

An OSDP-supported access control system can create new functionalities such as time & attendance, recording entry time and exit time through an integrated workforce management system.

Creating User-Centric Experiences

Once an organization has upgraded its PACS to support OSDP, it can more easily create new user experiences across a growing variety of applications. Following are just a few examples:

Optimized Physical Access Control. The building identifies individuals and grants access to the areas of the building for which they are authorized — from the elevator granting access to the right floors, to unlocking a private office, to approved-access meeting rooms and common spaces. Areas that require stricter access control can add a layer of biometric verification, if needed.

Frictionless People Flow. When disparate systems are connected by a shared capability of authenticating individuals, the effect is a smooth and seamless transition for employees and visitors alike as they proceed from the parking garage to the elevator, from to the office to the conference room — accessing each point along the way with the same credential.

Seamless User Authentication. In a connected workplace, users gain access to the company network and secure cloud applications like Office 365 with the same identity credential they used to enter the facility. Multifactor authentication — requiring a PIN, presence or biometric data — can be added for an additional layer of security.

Time & Attendance. As employees approach the door to enter the building, the same credential that opened the door can record entry time and exit time through an integrated time and attendance (workforce management) system. Their trusted identity can be used to establish proof-of-presence — providing managers with key insights to where employees are spending their time.

Predictive Analytics. From streamlining maintenance needs across building operations to automated services such as brewing coffee at peak use times of the day, the data captured in the connected workplace offers many ways to cut operational costs while meeting employee demands for a customized and productive workplace.

Flexibility for the Agile Workforce. Open floor plans utilizing Hot Desks and Smart Lockers have replaced traditional offices as many organizations strive to optimize their real estate costs and employee work options. Access to both, granted through the same identity credential used to enter the building, gives them the freedom to perform daily tasks and collaborate with colleagues anywhere — without sacrificing the benefits of an individualized workstation.

Secure Print. The connected workplace includes centrally-managed, identity-aware printers that offer users the convenience of being able to securely print to any device they choose. Identify-aware printers contain embedded readers and upgraded firmware allowing printing only when the user presents a properly authenticated credential and fulfill most regulatory compliance directives.

Cashless Cafeteria & Vending. The connected workplace offers the convenience of purchasing meals and refreshments through a secure, closed-loop payment system — eliminating the need for cash or easily-misplaced credit cards.

Modern Meeting Room Management. An identity-aware meeting room combines a smart door lock with a smart door display to simplify the reservation process. Access can be issued or revoked remotely, streamlining the process for visitors. An authenticated personalized credential also grants access to audio visual and conferencing services.

As OSDP makes it easier to implement these transformative user experiences, it also adds security and real-world efficiencies. Its interoperability enables organizations to integrate systems from multiple manufacturers to protecting their critical data.

OSDP also streamlines installations and upgrades n a campus environment while eliminating the expense of replacing readers if a new access control solution is implemented. Finally, OSDP delivers service and maintenance benefits by encouraging continuous monitoring of system uptime and enabling readers to be remotely configured or upgraded.

access control osdpBrandon Arcement is Senior Director, Product Marketing with HID Global.