The Open Supervised Device Protocol (OSDP) has replaced Wiegand as the Security Industry Association’s standard for many reasons:
- OSDP v2 with Secure Channel is a true protocol with encryption and authentication for robust security.
- OSDP has 2-way communication for supervision, remote maintenance and enhanced functions.
- OSDP is interoperable, enabling OSDP Verified devices to work together, regardless of manufacturer.
- OSDP was approved as an international standard in 2020 by the International Electrotechnical Commission (IEC 60839-11-5).
FREQUENTLY ASKED QUESTIONS
Q. What is OSDP? What is the meaning of the OSDP name? What do PD and ACU mean?
A. OSDP stands for Open Supervised Device Protocol. OSDP is a secure, supervised, interoperable, and highly functional protocol that has replaced Wiegand as the official access control protocol of the Security Industry Association (SIA).
OSDP is a 2-way command-response protocol for use between a credential reader and access controller, and was designed to run over RS-485 cable. The OSDP Working Group also aims to deploy OSDP over IP in the future.
In 2020, the OSDP protocol became an international standard (IEC 60839-11-5) after attaining the approval of the International Electrotechnical Commission.
SIA recommends broad adoption of OSDP, especially in high-security settings.
The terms peripheral device (PD) and access control unit (ACU) are frequently used in OSDP discussions.
Q. Who owns OSDP? Who developed OSDP?
A. The Security Industry Association (SIA) owns OSDP; it is not owned by any company. While the earliest version of OSDP was jointly developed in 2008 by HID Global, Mercury, and Lenel, ownership of the specification was transferred to SIA in 2012.
OSDP v2 was developed by SIA and the OSDP Working Group.
The OSDP Working Group, part of the larger SIA Standards Access Control & Identity Subcommittee, is a group of engineers, product developers, specifiers and security professionals who continue to advance OSDP.
Q. Why is Cypress committed to OSDP? Why should I use OSDP?
A. Cypress is committed to OSDP due to the longtime need for a capable Wiegand replacement. Cypress Founder and CTO Tony Diodato spent years engineering solutions to address the many shortcomings of Wiegand: Wiegand’s lack of supervision, its distance limitations, its installation requirements, and its overall lack of features. Wiegand brought order to the early “Wild West” days of access control but did not keep up with industry needs.
Tony’s firsthand insights led him to become a proponent of the OSDP protocol and a contributor to the OSDP Working Group. In 2019, Tony was named co-chair of the OSDP Working Group, alongside Steve Rogers of IQ Devices. Cypress also develops OSDP solutions such as the first OSDP-Wiegand Converter on the market, the pluggable OSDP Hub for testing, the OSDP In-Panel Interface, the Embedded OSDP Module that allows reader manufacturers to support OSDP, and other OSDP devices.
Download the free fact sheet, “Why use OSDP instead of Wiegand?”
Q. What is the difference between OSDP v1 and OSDP v2?
A. OSDP v1 refers to the initial OSDP protocol, which was privately developed before rights to the specification were transferred to SIA. All OSDP iterations starting with v2 were developed under SIA’s guidance by the OSDP Working Group, and include Secure Channel encryption plus features such as support for biometric readers.
All products with the OSDP Verified mark, which signifies that the products have met SIA’s independent conformance testing requirements, use OSDP v2. Since OSDP v1 products are now difficult to source, the more relevant issue is choosing an OSDP Verified product.
Q. What is OSDP Verified certification?
A. A product that is OSDP Verified has passed independent conformance testing. SIA founded the OSDP Verified program in 2020 to validate devices conforming to the SIA Open Supervised Device Protocol (OSDP) standard and related performance profiles.
See also: OSDP & interoperability.
Q. Is OSDP more secure than Wiegand?
A. Yes, OSDP is much more secure than Wiegand. OSDP with Secure Channel communication uses AES-128 encryption and authentication to prevent “eavesdropping” on the data connection. With OSDP, data is encrypted and is never transmitted the same way twice, making it virtually impossible to listen in on the connection.
Wiegand, however, sends data from the reader to the controller without encrypting the data, and without any way to ensure only the intended parties are communicating. In addition, a Wiegand system cannot detect reader malfunctions or vandalism, since Wiegand lacks 2-way communication and supervision.
The Security Industry Association (SIA) recommends broad adoption of OSDP, especially in high-security and government settings. OSDP meets federal access control requirements, such as PKI for FICAM.
See also: Wiegand vulnerability, OSDP encryption, Secure credentials or OSDP, Secure Channel & keys and OSDP supervision.
Q. What is the Wiegand vulnerability? Does the vulnerability affect OSDP?
A. The Wiegand interface is notoriously vulnerable to man-in-the-middle attacks. The vulnerability is due to the lack of encryption and authentication in the Wiegand specification, which was developed in the 1970s, before hacking technology became smaller, cheaper and easily available, and before information was readily available online.
With the Wiegand interface, data sent from the reader to the controller is transmitted “in the clear” without any way to conceal the data from threat actors. In less than one minute, an attack can be launched at the reader, allowing credential data to be skimmed to spoof the system, open access doors or gates, and deny access to legitimate credential holders.
The entire attack can be carried out without the Wiegand reader ever going offline and without the control panel receiving any notification, since Wiegand also lacks supervision.
OSDP is not subject to the Wiegand vulnerability, thanks to its encryption, authentication, and supervision.
Q. Is OSDP encrypted? Is Wiegand encrypted?
A. OSDP v2 with Secure Channel has an AES-128 encryption and authentication scheme with initialization messages and keys, to ensure communication takes place strictly between intended parties and to hide the data exchanged between the reader and the controller. Wiegand, the previous de facto access control standard, is an interface without encryption, authentication or supervision.
See also: Is OSDP secure?
Q. What is Secure Channel? What does SCBK mean? How do I load keys?
A. OSDP v2 with Secure Channel has an AES-128 encryption and authentication scheme with initialization messages and keys, to ensure communication takes place strictly between intended parties and to hide the data exchanged between the reader and the controller. The keys are 128 bits (or 16 bytes) as dictated by AES-128 encryption.
All OSDP devices have a known default Secure Channel Base Key (SCBK), per the OSDP spec. The SCBK is a key shared by the peripheral device / reader and the controller, which is used once to initiate the encryption. The SCBK allows the panel to send a challenge command (vital information that the peripheral device can use to begin the “handshake” process and initiate a Secure Channel session). Note that OSDP security is not limited to the Secure Channel Base Key; the SCBK is used just once at the start of the session before special session keys are generated and used to encrypt the OSDP data.
An important part of setting up an OSDP installation is properly configuring the SCBK in the controller and the reader or peripheral device. Each reader should have its own, unique SCBK. The SCBK should be loaded into the reader out-of-band, meaning the reader is directly connected to the controller over a few feet of wire and not connected to the OSDP network.
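The key-handling guidance above (16-byte keys, no default SCBK left in place, a unique SCBK per reader) can be checked against a key inventory. The following is an added example, not code from Cypress or from the OSDP specification; the inventory format, the function names and the default-key value (bytes 0x30 to 0x3F) are assumptions to confirm against your copy of the spec and your own tooling.

```python
import secrets
from collections import defaultdict

KEY_LEN = 16  # AES-128 key size in bytes, as stated above

# Assumption: the well-known default base key is bytes 0x30..0x3F.
# Confirm the value against your copy of the OSDP specification.
DEFAULT_SCBK = bytes(range(0x30, 0x40))


def new_scbk() -> bytes:
    """Generate a fresh random 128-bit SCBK from the OS CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def audit_scbks(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Return {reader: [findings]} for every reader with a key problem.

    inventory maps a reader label to its SCBK as a hex string.
    Key material is never echoed back in the findings.
    """
    findings = defaultdict(list)
    seen = defaultdict(list)  # key bytes -> readers configured with that key

    for reader, hex_key in inventory.items():
        try:
            key = bytes.fromhex(hex_key)
        except ValueError:
            findings[reader].append("not valid hex")
            continue
        if len(key) != KEY_LEN:
            findings[reader].append(f"length {len(key)} bytes, expected {KEY_LEN}")
            continue
        if key == DEFAULT_SCBK:
            findings[reader].append("default SCBK still installed")
        if len(set(key)) == 1:
            findings[reader].append("single repeated byte")
        seen[key].append(reader)

    # A key that appears on more than one reader breaks the one-key-per-reader rule.
    for readers in seen.values():
        if len(readers) > 1:
            for reader in readers:
                others = sorted(r for r in readers if r != reader)
                findings[reader].append("SCBK shared with " + ", ".join(others))
    return dict(findings)


# Constructed sample inventory (illustrative values, not real keys).
SAMPLE = {
    "lobby": "303132333435363738393a3b3c3d3e3f",    # default key left in place
    "dock-1": "a3f1c09e5b7d42e88c16f0d39b24e7aa",
    "dock-2": "a3f1c09e5b7d42e88c16f0d39b24e7aa",   # same key on two readers
    "server-room": "00000000000000000000000000000000",
    "roof": "deadbeef",                               # too short for AES-128
    "vault": new_scbk().hex(),                        # freshly generated, passes
}

if __name__ == "__main__":
    for reader, problems in sorted(audit_scbks(SAMPLE).items()):
        print(f"{reader}: {'; '.join(problems)}")
```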
Q. If the reader is already secure, why do I need OSDP?
A. A secure reader protects data exchanged between the credential and reader, but the reader cannot protect data as it travels to the access controller.
Securely transmitting access control data is a 2-part process: think of the data as a letter that is first taken to the post office, before the letter is loaded on a truck for delivery.
After data is sent from the credential to the reader, the data is then sent from the reader to the controller. In high security areas, it is critical to secure data at both points: at the credential-to-reader connection, and the reader-to-panel connection.
OSDP’s encryption, authentication and supervision protects the data between the reader and the controller; Wiegand does not protect the data.
Q. Does OSDP communicate differently than Wiegand? Why does it matter?
A. Since Wiegand is a simple 1-way interface, the reader sends out data to the controller, without any assurance that the data reaches the controller, and the controller has no way to supervise the connection. OSDP, however, is a 2-way (bi-directional) protocol, which allows the end devices to have a conversation.
OSDP is a command-response protocol: The panel issues commands to the reader and the reader responds with updates such as credential data, or the I/O states of LEDs, buzzers, or tamper.
The 2-way communication (and other aspects of OSDP) allows for much greater functionality than Wiegand. For example, OSDP supports a file transfer feature for remote updates, allowing configuration and firmware update files to be sent from the panel, instead of requiring a technician to physically remove each reader from the wall.
Q. Why is OSDP supervision important? Does Wiegand have supervision?
A. OSDP has 2-way communication to supervise and constantly monitor the connection to alert the controller if the reader is tampered with, malfunctions, or loses power. Since Wiegand is a simple interface with 1-way communication, there is no way of knowing if the controller has lost contact with the reader.
Q. Are there other OSDP-Wiegand differences? How does OSDP compare to Wiegand in terms of functionality?
A. OSDP is much more advanced and functional than Wiegand. For example:
- OSDP supports protocol messages for commands such as turning on an LED; Wiegand requires I/O wires
- OSDP supports a file transfer feature for remote updates, allowing configuration and firmware update files to be sent from the panel, instead of requiring a technician to physically remove each reader from the wall
- OSDP supports 1024 bits of credential data to accommodate larger formats; Wiegand data formats are usually 200 bits or less
- OSDP supports a variety of baud rates to best suit a network, allowing many readers or longer cable runs, for example
- Biometrics: OSDP biometric readers can be installed similar to any OSDP reader using 2-wire RS-485; no Ethernet or PoE connection is required, and functionality/data is handled with specific OSDP protocol messages, thanks to 2-way data and greater bandwidth than Wiegand
Q. Can I use OSDP devices from different manufacturers? Can all OSDP Verified devices be mixed & matched?
A. The OSDP protocol was designed to enable interoperability between devices from different manufacturers. This is why OSDP is recommended as a replacement for proprietary RS-485 protocols which may be more secure than Wiegand, but cannot be mixed with devices from other manufacturers to best suit the application.
SIA implemented the OSDP Verified program to ensure devices are tested and meet criteria for the standard and the listed profiles. SIA notes that there are still design considerations that an implementer must account for when deploying a SIA OSDP system.
Q. Why use OSDP instead of Wiegand?
A. The Open Supervised Device Protocol (OSDP) has replaced Wiegand as the Security Industry Association's standard for many reasons. For example:
- OSDP v2 with Secure Channel is a true protocol with encryption and authentication for robust security, while Wiegand lacks encryption and authentication
- OSDP has 2-way communication for supervision, remote maintenance and enhanced functions, while Wiegand is a simple 1-way interface without supervision or OSDP’s functionality
- OSDP is designed for interoperability
- OSDP was approved as an international standard in 2020 by the International Electrotechnical Commission (IEC 60839-11-5)
For an expanded list of differences between Wiegand and OSDP, download the free OSDP v Wiegand fact sheet.
Q. Is it possible to retrofit a Wiegand system to use OSDP in a phased installation?
A. Yes, a Wiegand system may be retrofitted to use OSDP. A common strategy is to first identify high-security access points to install OSDP readers, along with converters to allow the OSDP reader to interface with the Wiegand panel. Cypress offers the OSM-1000 or the OSM-CPI OSDP-Wiegand converters for use at the panel to secure the cable run with OSDP Secure Channel. More OSDP readers and an OSDP panel can be added in later phases.
Q. Do you need special OSDP RS-485 cable to install an OSDP system?
A. The short answer: It depends. Generally when we speak with customers retrofitting a Wiegand panel with an OSDP reader plus our converter, they can reuse existing cable, since the distance is generally less than 500 feet. The farther the cable run, the more suitable the cable needs to be to the needs of OSDP (RS-485). OSDP-specific cable will do the job very well though, and is especially worth considering for a new installation with longer cable runs between readers and the controller.
Q. How far from an OSDP panel can I install an OSDP reader? Does OSDP allow for multi-drop installations?
A. OSDP allows readers & other peripheral devices to be installed up to 4,000 ft. from the controller, a big improvement over the 500 ft. distance at which Wiegand generally drops off. OSDP also supports multi-drop installations. One length of 2-conductor cable can be daisy-chained to accommodate many readers connected to a single controller. With Wiegand, each reader/peripheral device must be wired all the way to the panel.
See also: OSDP wiring.
Q. Is there a learning curve with OSDP? If so, where can I find OSDP training?
A. Yes, there is a minimal learning curve with OSDP, as with any new technology. While installing OSDP is different than installing Wiegand, top integrators have found it worthwhile to ensure their companies are well versed in OSDP. SIA offers OSDP Boot Camps, which are instructor-led, hands-on training in OSDP design, configuration and implementation. ASIS CPE credits may now be earned by attending an OSDP Boot Camp.
Q. How do I find reputable OSDP devices? Is there an OSDP testing process?
A. The Security Industry Association implemented the OSDP Verified program to ensure devices are tested and meet criteria for the standard and listed profiles. For manufacturers internally testing products with other OSDP devices, as well as integrators and security professionals lab-testing OSDP systems, Cypress offers the OSM-HUB test tool to streamline the process. The Hub allows devices to be plugged into ports, instead of wiring devices using a busbar, terminal blocks or wire nuts.
OSDP industry articles
“Combined with modern credentials, OSDP provides a way for secure end-to-end deployments with lower installation and operational costs.”
“Consider the communications technology approach that will future-proof your system’s performance and security. While some access control systems leverage legacy technology like Wiegand, the most modern, advanced systems are powered by Open Supervised Device Protocol (OSDP).”
“Widespread adoption of OSDP, an access control communications standard, is long overdue. Fortunately, the barriers for entry are low.”
“If your new system leverages the Security Industry Association’s (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices, whether using mobile or a card… OSDP is not in the same ballpark with Wiegand; it is in a different sport and country.”
“OSDP basically is encrypted EAC communication using the popular RS-485 footprint. In comparison, OSDP provides reader-to-controller encryption and two-way communications while Wiegand has no encryption or two-way communications…OSDP is obviously the winner for today’s secure EAC communications.”
“A key specification in the journey to the Cloud is the Open Supervised Device Protocol, which improves security while adding real-world efficiencies.”
“In the OSDP Verified program, we have the world’s leading experts on OSDP. People who come into the program benefit from literally a hundred man years of knowledge on OSDP. Every development team we’ve interacted with has benefited from going through the verification program”
For less than $100, anyone can go online and purchase a device known as an ESP Key. Bad actors can easily take a card reader off the wall and install this postage stamp-sized device on the existing wiring to “sniff” the data that is being transmitted across it. This sensitive data and the vulnerable way it is being transmitted requires attention…
Do you want to be known as the integrator that told your customer to use an old technology that created a vulnerability? OSDP is secure, has 2-way communication, allows readers to be supervised, and can be used to support everything at a door.…
In this special episode of the ID Talk Podcast, FindBiometrics’ Doug OGorden speaks with Tony Diodato, co-chair of the Security Industry Association’s OSDP working group and owner and CTO of Cypress Integration Systems…
SIA’s Open Supervised Device Protocol is quickly becoming the minimum entry requirement for readers in the security industry today. OSDP is expected to be a core requirement for any reader in serious future security projects to protect the customer’s investment because of its higher level of security and potentially being an open industry standard for communication of access readers with access control systems and other management systems.…
By employing RS-485 serial communications, OSDP offers important installation benefits. Dedicated homerun wiring (or point-to-point) is no longer required from the access control panel to each individual reader…
Far too often, your customers are forced to make tradeoffs between security and ease of use. As a general rule, the more secure a solution is, the more time is required to establish security protocols.
Access control using the Security Industry Association (SIA) Open Supervised Device Protocol (OSDP) standard is one of those exceptions where security is baked into the solution, providing customers with the security that they require and providing the integrator community with ease of deployment and maintenance capabilities far beyond those of traditional Wiegand access control deployments.
Knowing that access control is one of the key elements in putting together a comprehensive security plan, it is imperative that standards are continually enhanced to give end users peace of mind knowing that their facilities are safe and secure.
To that end, the Security Industry Association (SIA) Working Group has developed and maintained the Open Supervised Device Protocol (OSDP) since 2011.
ISC West Virtual Session Highlights Promise of OSDP to Replace Wiegand
The Promise of OSDP: New Implementation and Retrofits
Hacked in 60 Seconds: How Legacy Wiegand Exposes Modern Access Control
In this ISC West recorded session, see how easily the Wiegand connection can be hacked and learn how SIA’s OSDP standard secures the connection in this session featuring ethical hacker Babak Javadi and format/protocol expert Tony Diodato, co-chair of the SIA OSDP Working Group.
Cypress among first to announce OSDP Verified solution
The OSDP Standard
OSDP is a protocol that the Security Industry Association developed, and one that’s taking the industry by storm. In this episode of Inside Access Control, Lee Odess sits down with Salvatore D’Agostino, CEO of IDmachines and Co-Founder of OpenConsent, to talk about the new communication standard.