- Industry News
- 02.24.2023
The introduction of a new access control standard – the Open Supervised Device Protocol (OSDP) has raised questions for security integrators. Should there be an urgency to move to the new standard? What, if anything, should be done about existing installations?
To these important questions, Mat Spears brings an interesting perspective.
With 25 years of experience in physical security, Mat Spears is now a Solution Architect at Presidio, a global digital solutions and services provider. Within Presidio, his role that is focused on physical security reports to the cybersecurity team. As Mat Spears says, Presidio is at the “forefront of the IT world” and because of that “we look at the security of the system from a cyber standpoint as well as a physical standpoint, each and every time.” This makes OSDP a priority for him.
Why OSDP?
OSDP was developed to replace the legacy access control standard known as Wiegand, which has been around since the 70’s. Nearly all installed access control systems use the Wiegand protocol. Even today, most new systems are being installed with it.
Wiegand has a one-way signal and no encryption between reader and door controllers, and it has proven to be vulnerable to hacking. The vulnerabilities were covered thoroughly in this blog post, which explained how for most access control systems installed today, “there is a hole in the boat.”
In Mat Spears’ view, the value of OSDP relates to three factors – it’s security, simplicity, and flexibility.
OSDP, developed by the Security Industry Association, is much more secure, as it supports encryption and authentication, with bi-directional communication between the panel and reader. It also makes it simpler and easier to maintain, as you can remotely push configuration changes and/or firmware updates. And Mat Spears also likes the flexibility of how you can use the RS-485 bus for daisy chaining readers without using multiple reader ports and cable pulls.
Mat Spears has a strong sense of urgency when it comes to deploying OSDP. “We make sure the access control platforms are not only secure but encrypted from the card reader all the way to the server. Most hackers look at endpoints as the point of ingress into the system.”
He is also not waiting for customers to request it. “It's not a question to me. It's how we design and implement our systems. It is our standard. It is our default. Because at this point, to me, Wiegand is a security risk.”
Spears likens the OSDP transition to the changes credit card companies made when card information was easily accessible through a mag stripe, and then went to a more secure chip, and now contactless Near Field Communications (NFC). When vulnerabilities became known, “the credit card companies took steps to ensure things became more secure. That's exactly what we're doing.”
Retrofitting legacy systems
The number of installed access control systems using Wiegand is so huge, one could question why you should rush to retrofit them – especially if on the surface, they seem to have been working reliably for many years.
When Spears meets a new customer with an existing access control system, he finds that nearly all the systems are at least 10 years old. “One of the conversations is always that your card credential and reader technology are out-of-date. We need to have that discussion about getting new cabling in place, replacing the readers, and moving to the newer technology.”
While very few customers are initially aware of OSDP, he says cyber vulnerabilities have often made these installations no longer solely the responsibility of the maintenance or facilities staff. More and more, “If we are working with facilities or maintenance teams, they now turn to their peers in the IT department for direction before they make a choice.”
Why is the change to OSDP going so slow?
In Mat Spears view, OSDP’s slow adoption can largely be attributed to little sense of urgency and a reluctance to change. “Look how long it's taken us to grab a hold of the IP camera world. I mean, we are 15 years into IP cameras and there are still organizations installing cameras on coax because they don't want to change.”
“I don't think it's talked about enough. I don't think the security of the electronics is taken into consideration enough. And I think we have a lot of customers out there in the world that are utilizing systems that are so easily hackable. It's frustrating to me.”
How should security integrators view ODSP?
Here is Mat Spears response to the question of how security integrators should handle the launch of this new access control standard: “My suggestion is simple: OSDP at this point is developed past being a new protocol and should be a standard for your business moving forward, both in retrofit and greenfield installations.”
As for the cabling, Mat Spears adds that “OSDP cabling isn’t just a low voltage cable that you can use anything off the shelf for. Security professionals have been using specialty cables for addressable bus and applications for years… It has a requirement, and it should be followed.”
Paige DataCom has developed cabling specially designed for the requirements of OSDP access control systems. More information on OSDP cabling can be found here.
