OSDP Update: Is true interoperability just a dream?

April 19, 2023
While Wiegand still rules the day, OSDP makes inroads among security pros

Imagine a world … where access control products, systems and solutions work seamlessly together and can communicate securely and with ease – yes, the dream of interoperability! But is it just a dream? The jury is still out on whether we will ever reach that true state of security nirvana where convenience meets secure, but the industry is at least in agreement that better interoperability among manufacturers is a good thing. We are truly entering a world of open (and hopefully secure) application programming interfaces (APIs). In the end, access control professionals want to be able to solve an end user’s problems without having to rip and replace or reconfigure to a completely new system to ensure compliance with standards, and to provide for and meet the needs of the end user.

“The adoption of the Open Supervised Device Protocol (OSDP) usage continues to grow year over year; however, the Wiegand devices still dominate the market,” notes Security Industry Association (SIA) Director of Standards and Technology Edison Shen. “IPVM polled integrators on OSDP usage in 2022, and more than 70% of integrators reported that less than 30% of their access control projects used OSDP with almost 50% of integrations saying 9% or fewer of their projects were using OSDP. This highlights the importance of continued education of OSDP and potential need to engage security designers and specifiers.”

The silver lining of this finding, Shen points out, when comparing 2019 and 2022 OSDP usage reports, is data indicating strong increases in OSDP usage.

“We have also seen over 50 separate companies and brands self-report some level of OSDP protocol support in their products, and we have seen nearly 20 companies go through the process of having their solutions third-party tested to be OSDP Verified,” he adds, noting that the adoption is international, too, with companies in North America, Europe and Asia adopting this protocol.

“This is a logical step, and everybody should say Hallelujah,” says Glenn Younger, owner, Grah Safe and Lock, a full service security company based in San Diego, Calif. “I think it helps to create an expansion of their market no matter where they're at. If they're one of the big manufacturers on the access side, or on the system integration side, burglar, electric or a national electrical firm, they should say yes.”

The confusion just makes it more expensive for everybody to get to the end user, Younger points out, “so the market will expand because it'll become 10% less expensive to do everything if I just know that I can go out and it's plug and play. And so the cost to the consumer goes down, or the cost of the end user goes down, which will expand the market.”

What is OSDP?

Open Supervised Device Protocol (OSDP) is an access control communications standard developed by SIA to improve interoperability among access control and security products. OSDP was approved as an international standard by the International Electrotechnical Commission in May 2020 and has been published as IEC 60839-11-5. SIA OSDP v2.2, which is based on the IEC 60839-11-5 standard, which was released in December 2020.

In terms of adoption, manufacturers including Cypress, HID Global and Mercury are already on board. SIA recommends specifying OSDP for any access control installations that require real security and/or will be used in government and other higher-security settings. SIA OSDP is particularly valuable for government applications because it meets federal access control requirements like PKI for FICAM.

“OSDP has really hit its stride, with incredible market adoption of the standard and a lot of training going on with our OSDP Boot Camps, which are for integrators/installing companies and are relevant for locksmith professionals, and are also attended by vendors and practitioners,” explains SIA Senior Director of Marketing Geoff Kohl. “We have seen a lot of product companies take the extra step and go beyond simply adopting the standard in their solutions; many have taken the added step of having their products OSDP Verified by SIA, which involves SIA bench testing these products to ensure their compatibility. To date, roughly 130 products have become OSDP Verified, and that list is growing steadily, which means a competitive set of interoperable (and secure) products are available in the access market.”

Boot Camps

The OSDP Boot Camp program has been the culmination of 18 months of development through the “tireless efforts of the SIA members and companies addressing the need of educating specifiers, integrators, practitioners, and manufacturers on the deployment and troubleshooting of OSDP devices,” says Shen.

At present SIA has hosted more than a dozen bootcamps since its inception in 2018. “Even during COVID we managed to continue hosting these bootcamps on the virtual platform,” noted SIA Director of Learning & Development Dr. Elli Reges. “Our current plan is to host at least four bootcamps a year, two during ISC East and West, one hosted at SIA headquarters in Silver Spring, Md.  In August and another virtually during PSA TEC. We also have had the opportunity to partner with organizations to host private bootcamps for their entire staff.”

OSDP Boot Camp has two sessions, an interactive lecture session and a hands-on lab session. “We have received great feedback on this structure as attendees will have an opportunity to immediately put into practice what is learned,” explains Shen. “After the boot camp, attendees will be able to confidently describe the technical principles of OSDP, summarize the advantages of OSDP over Wiegand, configure and commission OSDP devices, and troubleshoot systems with the methods and tools of debugging.”

The OSDP Boot Camp is a daylong in-depth training on how to design, configure and deploy modern, interoperable, OSDP-compliant access control systems. During the first part of the day, attendees are introduced to the technical principles of OSDP and relevant cybersecurity requirements. “Our trainers will customize the focus of the lecture portion of the course to cover the products and devices most used by the attendee audience,” notes Dr. Reges. “During the hands-on portion of the course, participants learn how to configure and deploy OSDP devices from various vendors using prefabricated training pods. Instructions explain to maintain and troubleshoot OSDP products in the field to ensure participants leave with a full understanding of the device lifecycle.”

Relevance for Locksmiths and Installers

Dr. Reges explains that the OSDP Boot Camp is an essential course for installation technicians, system architects and locksmiths who are responsible for integrating and deploying modern access control systems. Locksmiths who work with electronic access control systems benefit from an increased understanding of device communications, networking, and cybersecurity best practices for OSDP complaint systems,” she says. “They are better equipped to perform work on these systems and advise their clients on proper device management for integrated security systems.”

Shen adds, “The OSDP Boot Camps have been the industry’s response to the education gap of advancing access control technology. The program allows both companies and professionals to stay competitive through the expansion of their products and services offerings. The training allows quick onboarding to OSDP from no knowledge to being able to install and commission this advanced security solution.”

To learn more about OSDP Boot Camps, visit https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/osdp-boot-camp/

OSDP Verified

Many manufacturers have taken the added step of having their products “OSDP Verified” by SIA. The testing program was created as a collaboration between the OSDP Technical Subcommittee and OSDP subject matter experts. “Each device will go through a comprehensive list of test cases linked to the prescriptive requirement stated in the OSDP standard,” notes Shen. “The test is conducted by an experienced independent tester. Once the test is complete, the tester will review the results with the manufacturer and if non-conformances are identified assist with a remediation plan.”

Shen says the program, which has historically been administered by SIA, this year is inviting OSDP Verified participants to join an OSDP Verification Working Group meant to help govern and steer the program into the future. To learn more about OSDP Verified, visit https://www.osdpverified.org.

“We are pleased with the tremendous growth of OSDP Verified of more than 130 verified devices and 18 different brands in just three years,” says Shen. “It reaffirms our hypothesis that the market needed a differentiator between claims OSDP support and conformity assessment OSDP implementation through third-party testing. We see this trend continue as more companies make inquiries to participate in the program.”

SIA has also seen increased adoption of OSDP by specifying consultants, and practitioners at some very large tech companies, financial institutions and government agencies, which now spec and adopt OSDP. “Often, these practitioners have turned to OSDP for the increased cybersecurity that it provides compared to common, older protocols like Wiegand,” explains Kohl. “But there is no doubt that we still have a long way to go. We’re fortunate that OSDP has been a strong educational topic at events like SecuritySpecifiers’ CONSULT event.

Shen added, “We will also be looking to educate specifiers and consultants on the benefits of specifying to OSDP Verified, and utilizing technicians who have gone through OSDP Boot Camp.”

While it is important for security professionals to jump on board with OSDP, Younger says it is equally if not more important for manufacturers to help move that forward. “That will help reduce the cost to service their systems in the field,” he explains. “And if they can help reduce the cost of servicing systems, end users are happier – everybody is happier – so we're all better off if they can make that easier. So I think it's good for us as locksmiths, and I think it's good for end users, too.”

Is true Interoperability possible?

While we may be far from the holy grail of seamless interoperability and widespread open and secure APIs, the OSDP standard is helping to create a more competitive set of interoperable (and secure) products available in the access market.

The success of the two previously mentioned programs is underpinned by the OSDP standard,” explains Shen. “The standard was originally designed to grant the access controller the ability to supervise the reader. This feature has now expanded additional benefits such as interoperability between different vendor devices, security through the support of high-end AES 128 encryption, advanced functionalities like file transfer, audio-visual feedback, smartcard applications and many more. We look forward to the continued expansion of OSDP features as the standard and technology progresses.”

Looking to the future, the OSDP Technical Subcommittee is continuing its work on the development of the standard. “We look forward to announcing the release of OSDP version 2.2.1 to address previously identified errata and errors,” says Shen, noting that once version 2.2.1 is published the subcommittee will be back to work on version 2.3 to add additional features.

Looking at interoperability among locksmiths, Younger points out, “We've got a 20-year track record of locks that are basically interchangeable, both residential and commercial locks. And the fact that the electronic systems are saying, ‘Let's have a standard so we can all plug and play. We can take this out and put that in and we shouldn't have to do a whole lot of extra work to do that.’ I think that makes sense.”

And with cloud-based systems becoming more prevalent, Younger thinks that interoperability among manufacturers and service providers needs to be a major part of the equation. “Cloud-based systems should just be able to deliver a message to that device, whatever it is, and it should be able to receive a message back from that device, whatever it is, securely. The fact that this concept has not been widely embraced is still kind of surprising to me.” 

Paul Ragusa is Senior Editor for Locksmith Ledger.