The transition from traditional Wiegand communication protocols to the more advanced Open Supervised Device Protocol (OSDP) represents a critical step forward for security integrators and end-user organizations alike. Wiegand, a longstanding access control standard in the industry, has served its purpose admirably over the years but is increasingly being surpassed by the capabilities offered by OSDP.
This transition marks not just a shift in communication protocols but a leap toward enhanced security, improved interoperability and greater reliability in access control systems. Ahead, subject matter experts from the manufacturing community help outline a broad roadmap for security integrators looking to navigate this transition smoothly, ensuring a seamless adoption of OSDP while maximizing the benefits it brings to modern access control environments.
The Business Case for Adopting OSDP
OSDP was first developed by Mercury Security and HID Global in 2008, then later donated, free of intellectual property, to the Security Industry Association (SIA). The protocol emerged as a response to the limitations and vulnerabilities inherent in traditional access control communication protocols. Today under SIA’s guidance, OSDP represents a collaborative effort among industry leaders to establish a more secure and standardized method of communication between access control devices.
OSDP was approved as an international standard by the International Electrotechnical Commission in May 2020 and has been published as IEC 60839-11-5. SIA OSDP v2.2, which is based on the IEC 60839-11-5 standard, was released in December 2020.
The need for a modernized protocol became increasingly apparent as legacy protocols like Wiegand struggled to keep pace with evolving security threats and technological advancements. With the support of industry stakeholders, SIA set out to create a protocol that not only addressed these shortcomings but also offered enhanced features such as bidirectional communication, encryption and advanced security measures.
Thus, OSDP was born, providing security integrators and end users with a robust, interoperable and future-ready solution for access control systems, explains Tony Diodato, founder and CTO at Cypress Integration Solutions, Lapeer, Mich. Diodato has been active in efforts to develop OSDP since 2012. He has been co-chair of the SIA OSDP Working Group since 2018.
“Wiegand served well for over 40 years but it is inherently vulnerable and is totally unsupervised,” Diodato says. “Pretty much every signaling method used in the security space has a means of verifying its integrity except Wiegand. The S in OSDP stands for ‘supervised’ and finally implements a standard way of doing so. Security via encryption and authentication is a fundamental part of the OSDP communications protocol.”
Because Wiegand is a one-way broadcast of information to a control panel, Diodato continues, there is no way it can be secured via standard encryption methods.
“Once a low-cost, bi-directional communications medium is established between the access control panel and a peripheral device (reader), there are all sorts of enhanced features that can be easily implemented, such as door control, alarm contact monitoring, etc.,” he adds.
Damon Dageenakis, senior director, product management, HID, Austin, Texas, also emphasizes the vulnerability for Wiegand to be easily hacked.
“Like other legacy protocols, it leaves access control systems open to man-in-the-middle attacks. It also poses distance limitations and scalability constraints, and only allows one-way communication — preventing audio/visual control, configuration changes and other critical updates,” he says. “It also is not interoperable among access control systems.”
In contrast, Dageenakis explains, OSDP offers an easy upgrade path from legacy protocols to improvements including:
- New levels of security through the higher level of security enabled by its Secure Channel Protocol that supports AES-128 encryption.
- Bi-directional communications to enable remote reader configuration and management.
- Interoperability for the freedom to choose different reader and controller manufacturers.
- Reduced total cost of ownership (TCO).
- More intuitive experiences at readers through the ability to provide audio/visual feedback.
“By moving customers to OSDP, integrators can capitalize on OSDP’s popularity and promote the value of open standards for improved security and other benefits,” Dageenakis says. “This helps to build new customer relationships and win more projects. OSDP also makes life easier by eliminating the complication of trying to retrofit installation alongside a legacy system — which is also expensive for the customer — with its complex wiring requirements.”
Echoing its enhanced security, Brach Bengtzen, vice president of marketing for ProdataKey, Draper, Utah, also cites other compelling reasons why integrators should consider adopting OSDP as the primary communication protocol. These include OSDP’s ability to provide two-way communication. “Not only can readers send data to the controllers, controllers can send data to the readers,” he says. “As a result, whenever you have a firmware update, it can be handled remotely, pushing the update from the cloud out to the readers. By comparison, with a Weigand system, integrators must go onsite and handle the update manually.”
Bengtzen adds, with OSPD integrators can do multi-drop or daisy chaining of readers, utilizing just a single reader port on a controller for up to four doors. “Each door maintains its individual identity. If you do that with a Weigand system, it sees all the doors as one,” he says.
Implementing OSDP in access control systems can lead to significant infrastructure savings for new implementations, says Devon Felise, director of sales, Suprema America, Lake Mary, Fla. By example, he emphasizes the comparison of two-wire OSDP deployments and the traditional six-wire Wiegand cable. OSDP/RS-485 wiring can also run at distances up to 4,000 feet, whereas readers with a Wiegand interface are limited to a 500-foot maximum distance from the controller, he explains.
Felise also highlights OSDP’s support for multi-drop/daisy chaining of readers vs. using traditional star topography to achieve cost savings.
“An example is a single Suprema four-door control panel can support up to four Wiegand readers or 132 readers using OSDP/RS-485,” he says. “That’s a significant savings in panels in hardware to installation costs with one panel using OSDP versus 33+ panels with Wiegand.”
Key Considerations for Initial Planning Phase
The success of an OSDP deployment hinges on planning and foresight during the initial stages of implementation. As security integrators embark on the journey to adopt OSDP for access control systems, careful consideration of various factors becomes paramount. From assessing infrastructure readiness to defining security requirements and ensuring compatibility with existing systems, each step in the planning phase plays a crucial role in shaping the effectiveness and efficiency of the OSDP deployment.
“Training is first and foremost; implementing or converting to OSDP does not seem to be as straightforward as configuring plug-and-play Wiegand,” Felise explains. “I’ve seen high quality integrators implement OSDP systems that fail. As initial blame is usually directed to the manufacturer, it wastes significant time and resources with misdirected troubleshooting just to find out it was a wiring issue when converting from Wiegand to OSDP.”
Real world bench testing should be a key component, Felise adds, “Not just testing each component on its own, but as a completed system with documented firmware versions of the hardware to be as close as possible to the customer site,” he says.
For integrators, the biggest consideration is the risk of not migrating to OSDP, Dageenakis stresses.
“It is common knowledge that today’s organizations value system interoperability — especially with regard to security. The rise of IP-networked devices, such as video and physical access control, has opened up a world of possibilities; however, the security of the data being collected from these devices is paramount to keeping the organization safe from attack,” Dageenakis explains. “OSDP is the only protocol that is secure and open for communication between readers and controllers and is also being widely adopted by manufacturers, including the industry-leading manufacturers for readers and controllers.”
He adds, the fact that OSDP is an evolving, “living standard” — similar to many others that streamline the development of connected devices — makes it a safer, more robust, future-proof option for governing physical access control systems.
The Open Supervised Device Protocol (OSDP) incorporates robust encryption and authentication mechanisms to ensure the confidentiality and integrity of data transmitted across the network. By implementing advanced cryptographic protocols, such as the Advanced Encryption Standard (AES), OSDP encrypts sensitive data exchanged between access control devices, protecting it from unauthorized interception or tampering.
Additionally, OSDP utilizes secure authentication methods, such as challenge-response mechanisms, to verify the identity of communicating devices, preventing unauthorized access to the system. These security features not only safeguard sensitive information but also enhance the overall integrity and reliability of access control systems, providing peace of mind to organizations seeking to protect their assets and personnel.
“Encryption and authentication are fundamental components of the OSDP protocol. It is designed to be extensible to accommodate increasing levels of security methods,” says Tony Diodato of Cypress Integration Solutions. “Currently, AES-128 is the common encryption method. All payload content is encrypted once the peripheral device (PD) and access control unit (ACU) are paired and provisioned. It is part of the OSDP Verified Program to certify that a peripheral device adheres to the ‘Secure PD’ profile.”
Secure channel communication with AES-128 encryption and authentication measures prevent eavesdropping on the data connection, Diodato explains.
“Wiegand has a known vulnerability; it allows threat actors to skim and replay credential and biometric data from the attack side of the door to access facilities, block legitimate credential holders and use skimmed data to clone credentials,” he continues. “OSDP is a bidirectional RS-485 two-wire protocol for two-way communication (half-duplex), while Wiegand is a one-way interface. OSDP also supervises the connection, so the panel is alerted if a reader is tampered with, removed, malfunctions, or loses power.”
Implementing OSDP standards result in higher levels of security required in U.S. government applications, including public key infrastructure (PKI) for Federal Identity, Credential and Access Management (FICAM) solutions.
“OSDP constantly monitors wiring to protect against tampering, removing the guesswork, since the encryption and authentication are predefined,” explains Damon Dageenakis of HID. “It also helps overcome and address the growing threat of man-in-the-middle attacks, such as when a bad actor uses a tool to penetrate and secretly alter the communication between reader and controller to gain access to a secured location.”
While the increased security of OSDP gives organizations added protection against attacks, Dageenakis says the real-world efficiencies will be immediately evident to those managing the security infrastructure.
“The interoperability of OSDP alone is a factor crucial in today’s security landscape,” he adds. “As CSOs seek to upgrade systems and invest in infrastructure that maximizes protection of critical data being transmitted across various channels, OSDP interoperability ensures that customers can utilize systems from numerous manufacturers.”
As Diodato explains, many OSDP implementations look the same as legacy Wiegand reader-to-panel wiring: two wires for power, two wires for reader signaling. However, unlike Wiegand, the signaling wires are twisted pair, which allow up to 4,000 feet between the control panel and reader. There are no discrete LED or buzzer wires. All functions are controlled over the twisted pair. Therefore it is important to ensure good quality wire that is approved for RS-485 data communication.
“Most implementations are one-to-one, that is, one reader to one port on the controller, like Wiegand. The important aspects of installation are ensuring the correct communication speed is selected as well as the polling address,” Diodato continues. “This ensures panel-to-reader supervision. To get the security, both the peripheral device and access control unit (ACU) must be paired with the same encryption key. This is done ‘out of band’ with an installation mode on the ACU or independent configuration tool. Consider whether this is a complete OSDP deployment, or a retrofit where OSDP readers and converters will replace Wiegand readers, enabling them to securely communicate with a Wiegand panel. Existing cable may be fine for a one-to-one retrofit.”
In addition to selecting devices that bear the OSDP Verified mark, Diodato advises that integrators consider how many readers the OSDP panel supports on a single OSDP port, as well as whether the system will be multi-drop or home-run, the method to configure device addresses and communication baud rate, and how secure channel is enabled.
Diodato also provides these additional best practices:
- Configure and test devices prior to permanent installation.
- Plan ahead for how each device will be addressed.
- Review the manufacturer’s and third-party options for configuring encryption keys out-of-band.
- Learn how keys are generated and stored.
- Know how to restore devices to factory default.
Among other important aspects to project planning, Bengtzen cautions that integrators must make sure to use the right type of wire. “Don’t use Cat-5 or Cat-6. Don’t use 22/6 shielded wire,” he explains. “Use RS-485. It’s going to give you the best speeds, best transfers, and best communication between your readers and controllers.”
Also, he adds, when an integrator goes to upgrade a site from an older Weigand system to an OSDP system, the correct type of wiring may not be in place. “When quoting a job, integrators should make sure to include the cost of ripping and replacing wire if it is going to be necessary,” Bengtzen says.
The SIA OSDP Boot Camp offers a comprehensive one-day training sessions focused on the design, configuration and deployment of modern, interoperable access control systems compliant with the Open Supervised Device Protocol.
The daylong sessions are geared for anyone interested in implementing OSDP as a protocol and/or seeking to deploy modern access control systems. Participants regularly include installation technicians, corporate or government security practitioners, system architects and engineers, and specifying consultants.
According to SIA, participants gain valuable insights into effectively engaging with advanced security firms, receive essential training materials for team education on OSDP, acquire the necessary skills to transition from legacy access control to cutting-edge technologies, and much more.
Upcoming OSDP boot camps:
- April 9 at ISC West in Las Vegas
- May 16 at PSA Tec in Dallas
- Sept. 30 at SIA headquarters in Silver Spring, MD
- Nov. 19 at ISC East in New York City
For more information and to register, go here.
Notable Deployment Challenges to Mind
While the adoption of OSDP promises enhanced security and efficiency in access control systems, navigating the installation process can present various challenges for security integrators. From interoperability issues to network configuration complexities, the deployment of OSDP-enabled devices may encounter obstacles that require careful consideration and strategic solutions.
By understanding and addressing these challenges proactively, security integrators can ensure a smooth and successful implementation of OSDP, maximizing the benefits of this advanced communication protocol in access control environments.
One challenge may be not having a full understanding of OSDP Profiles (Basic, Secure, Smart Card, and Biometric), explains Dageenakis of HID.
“Our recent blog post addresses these, as well as best practices for implementation from completing a needs assessment and planning for a phased approach to replacing Wiegand devices, to selecting OSDP-compatible devices, installing and configuring them, programming OSDP devices to communicate with the access control system, and integrating OSDP devices with the central access control software,” he says.
Dageenakis adds two other important areas to understand during implementation are testing OSDP devices to ensure proper communication and functionality — verifying that the access control system accurately processes OSDP commands — and training your team to understand operational changes and troubleshooting procedures.
Given the extensive history of Wiegand installations, Diodato of Cypress says what integrators and installers mostly ask about OSDP is, “What does it look like when its working?”
“Most ACUs and PACS software implement some kind of communication monitoring tools,” he explains. “You can see the handshake and information exchange on a working link. However, third-party tools already exist to independently verify that an OSDP peripheral device and access control unit are communicating properly and encryption is enabled.”
Different troubleshooting tools are required with OSDP than were used with Wiegand, Diodato continues. For instance, a configuration method may be provided by a manufacturer, or a technician may use a small device with a simple interface that can attach to a card reader to set the communication speed and ID, as well as confirm that secure channel is enabled.
“With a trace tool, laptop and RS-485 adaptor cable, an OSDP communication link can be monitored,” he adds. “In addition, the trace can be captured and sent to an expert for interpretation.”
One notable challenge can arise when different versions of OSDP do not align closely enough, leading to interoperability issues between devices. This discrepancy can stem from variations in firmware versions, hardware specifications or interpretations of the OSDP standard by different manufacturers.
“We’ve noticed a significant variation of OSDP versions supported between access control panels and reader technologies,” says Felise of Suprema America. “Even a product that is completely compliant and verified by SIA with the latest OSDP protocols may be attached to a product that is using older commands that had been removed.”
Consequently, integrators may encounter difficulties in establishing seamless communication between OSDP-enabled devices, hindering the overall functionality and reliability of the access control system. To overcome this challenge, thorough compatibility testing and firmware updates are essential.
Felise advises that integrators obtain a list of all features being requested by the customer, both the minimum list and a future wish list. The devices should be connected in their lab and tested thoroughly — do not conduct this vital stage in the field.
Integrators should ensure that all devices within the OSDP ecosystem adhere to the same version of the protocol and undergo rigorous testing to verify interoperability. Additionally, maintaining open communication channels with manufacturers and staying informed about updates and revisions to the OSDP standard can help integrators address compatibility issues promptly and ensure a smooth installation process.
“I can’t emphasize enough that bench testing is very important to confirm OSDP variants will work and techs learning how to implement,” Felise says.
