OSDP Takes the Next Big Step

April 9, 2021
An updated version of the access control spec and a growing list of verified products pave the way for widespread adoption.
All images courtesy of SIA
The OSDP Product verification process has been completed for three products from Wavelynx. Other approved products include those from Farpointe Data and HID Global.
The OSDP Product verification process has been completed for three products from Wavelynx. Other approved products include those from Farpointe Data and HID Global.

This article originally appeared in the January 2021 issue of Security Business magazine. It has been updated to reflect the latest information.

Far too often, your customers are forced to make trade-offs between security and ease of use. As a general rule, the more secure a solution is, the more time is required to establish security protocols.

Access control using the Security Industry Association (SIA) Open Supervised Device Protocol (OSDP) standard is one of those exceptions where security is baked into the solution, providing customers with the security that they require and providing the security pro community with ease of deployment and maintenance capabilities far beyond those of traditional Wiegand access control deployments.

SIA recently announced the newest version of the specification, SIA OSDP Version 2.2, and with newly deployed OSDP education resources and an ever-growing list of OSDP Verified products, OSDP is poised to become the new normal in access control.

Why OSDP is Important

OSDP is an access control communications standard developed by SIA to improve interoperability among access control and security products. It has received rapid advancements over the past year.

Here’s a quick recap of the benefits:

1. It’s a standard: SIA OSDP was approved as an International Electrotechnical Commission (IEC) standard in July 2020 and is listed officially as IEC 60839-11-5. OSDP works by sending bidirectional RS-485 messages in a standard format. OSDP version 2.2 replicates the IEC formatting, harmonizing the standards efforts.

2. It’s more secure than Wiegand: Even in basic operation, SIA OSDP is a bidirectional supervised standard, so the command and reply structure serves as a “receipt” that messages were transmitted successfully to the intended device. OSDP’s Secure Channel profile adds AES 128 encryption on top of that.

3. It enables feature-rich implementations: Standard messages allow files to be transferred from the access control units to peripheral devices, enabling features such as reader firmware updates, logos or custom LED color sets sent directly from the control panel.

Product Verification

The SIA OSDP Verified program, launched in May 2020, seeks to bolster another aspect of the OSDP value proposition through an official listing of products that have been tested to conform to the standard.

Because of the nature of the standard’s history — it originally was developed as part of a custom integration between two vendors before being transferred to SIA for further development in 2012 — there never really has been an official requirement for vendors to make a claim of OSDP conformity.

There are war stories from security pros and their customers alike in which OSDP equipment delivered for a job couldn’t work together as claimed because of differences in the message sets or versions of OSDP used. That no longer should be the case.

SIA, with input from the SIA OSDP Working Group, has worked with independent technical-services providers to verify how devices handle OSDP messages and confirm that they’re able to meet the use cases they claim to support. OSDP Verified products test for four different application profiles:

  • Basic: These devices are Wiegand replacements; they provide the supervision benefits of a bidirectional protocol, protecting them from the common “person-in-the middle” attack.
  • Secure: These devices meet the Basic profile but also handle encrypted messages using Secure Channel and can enter and exit Basic and Secure modes as claimed.
  • Smart card: These devices can handle the transfer of structured data units required for smart-card operations, which allows for use in federal identity, credential and access management and personal-identity verification environments, among others.
  • Biometric: These devices can use OSDP messages to read and match biometric templates.

Not only can security pros deliver the OSDP solution that a customer wants, but by using the OSDP Verified product list, they also can validate that a product has been tested within lab conditions to handle all of the required messages, minimizing any mishaps at a customer site.

As of publication, the list of OSDP Verified (or soon to be verified) products contains at least 26 devices from at least 10 different vendors. That might not seem like a lot, but consider that many of these OSDP Verified suppliers are original device manufacturer partners to a number of private-label solutions.

SIA is finalizing a process that will allow these private-label solutions to be listed as OSDP Verified after an expedited testing procedure to ensure that there have been no modifications to the devices. Moreover, the vendors listed make up a significant share of the access control market.

The pipeline of devices undergoing verification remains active, and SIA seeks to increase the number of independent validators by enabling testing in Europe and the Asia-Pacific markets.

Deployment and Training

An increase in demand naturally leads to the necessity for security pros who are interested in deploying OSDP devices to be trained. Security pros who might have installed OSDP systems in the past might say the biggest issue is finding out that one device doesn’t “do OSDP” the same as another. Now, with OSDP Verified addressing this concern, OSDP isn’t a more difficult installation — it’s just different.

SIA’s hands-on OSDP Boot Camp (www.securityindustry.org/event/sia-osdp-boot-camp) is designed for security pros and end users. It illuminates the differences between OSDP and Wiegand deployments and covers everything from wiring to the use of terminating resistors (or not), troubleshooting common issues, running message traces and how to use the configuration tools supplied by various OSDP Verified vendors.

OSDP Boot Camps are available virtually for teams of at least six. Interactive OSDP pods are sent to a training facility or central pickup point, and the class is taught via videoconference. SIA continues to monitor the pandemic and tentatively plans to conduct in-person OSDP Boot Camps in the second half of the year at its Silver Spring, Maryland, headquarters and at various industry conferences.

Joseph Gittens is director of standards for SIA, where he works closely with SIA members who volunteer their expertise to guide OSDP and other standards and technology initiatives. He can be reached at [email protected].