What’s New With Access Control Standards?
While behind the video surveillance industry in developing open standards, the main three organizations working on open standards for access control have all made good progress in the past year and are hopeful that their impact on the industry will be a benefit to integrators.
ONVIF introduced its first access control profile, Profile C, two years ago. This past year, ONVIF released its second access control-related profile, Profile A. “Profile C was a very basic access control profile that makes is possible for VMS manufacturers to integrate with access control systems and receive basic data like door status and site information,” says Per Bjorkdahl, chairman of the ONVIF Steering Committee.
According to Suresh Raman of Siemens Technology and Services, who chairs ONVIF’s Profile A Working Group, “Profile A was created in response to feedback from ONVIF members and the physical security industry at large, asking for a more advanced access control profile. It expands the feature set of Profile C to include the day-to-day operations of configuration of credentials, access rules and schedules, along with Profile S video management systems. Integration with video can be performed on the Profile A conformant client.”
Profile A is currently in Release Candidate status. ONVIF circulates new profiles first as a ‘Release Candidate’ for six months, allowing members and stakeholders a final implementation review. The final profile is expected to be published in June 2016.
The international IEC’s standard for Electronic Access Control is also incorporating ONVIF’s newest access control specification in its IEC60839 standard to be released next year.
Bjorkdahl is optimistic that this, trends like IoT and the overwhelming interest in standards across the industry will push these efforts forward. “Absolutely [access control] standards will be bigger in the coming years, judging from the number of questions we get from non-members,” Bjorkdahl says. “There is genuine interest and reasoning around why this should happen…. The mission of ONVIF is that all security systems will share an interface. We expect and strongly believe that the ability to incorporate the ONVIF specification will open up and accelerate the IoT.”
SIA’s OSDP (Open Supervised Device Protocol) is finally reaching a more mature state, says Mercury Security’s Frank Gasztonyi, chairman of the OSDP working group within SIA’s Access Control and Identity Subcommittee. “This summer we published four separate profiles. The standard itself has a broad range of messages and a profile will call out what messages must be supported as well as the purpose of that type of device. We have not achieved the state where we can actually enforce and sign off on conformance, but created profiles and the understanding that they are valid and we are moving toward supporting them. This will give a purchasing level person the ability to request an OSDP device confirming to one of those profiles and should be able to have interoperability within the standard.”
This will allow integrators to have flexible installations of high performance reader devices, he says. Biometrics and high assurance readers having a direct Ethernet link without having to go through multiple layers will make installations more efficient in terms of performance timing as well as very secure data transfer and simple installation. “It gives them the best of both worlds: simpler installation and faster transfer and a very secure data path,” Gasztonyi says.
OSDP’s latest initiative is working on network connection security, Gasztonyi says. “The only network connection type we are approving is TLS (Transport Layer Security), which is a secure connection…. This is the technology in use for point-to-point secure connections. It is a fairly broad specification involving public key infrastructure and the use of certificates. To those who know network, TLS means a lot.” SIA plans to introduce OSDP over TLS at ISC West in April.
As for PSIA, in addition to their Physical Logical Access Interoperability initiative (PLAI), which has gained some good adoption in the past year, they are also working on a new standard for wireless and networked electronic locks, says David Bunzel, executive director, PSIA, Santa Clara, Calif.
“PLAI allows integration with active directory so when a company onboards a person they get those privileges transmitted to all the different PACS (physical access control systems). It also allows and enables other services relating to identity, which is a very important activity.” Since PLAI was introduced in mid-2015 Bunzel says the association now has “all the major access control participants supporting it…. I would say if you looked at the companies involved we have a critical mass in the PACS vendor industry.”
But PSAI has another group involved with integrated locking that is just starting to come up with standards for allowing these locks to integrated and have the same sorts of privileges based on identity. The goal is to get these locks, which don’t necessarily all communicate in the same way to talk to each other and to dedicated systems so they can work together in an access control system.
“Right now if you have an ASSA ABLOY lock and you tie into a Tyco system, they have the APIs and protocols written to do that,” Bunzel explains. “But what if you decide later you want to add an Allegion lock. You have to rewrite everything because it is not done in a standard way.” PSIA plans to have a draft specification out mid-year, he says.
What do integrators and manufacturers think of the standards so far?
George Ballman of Kastle Systems is a big believer in standards, and the company’s CTO Mohammad Soleimani is the chairman of PSIA and was the chief architect of PLAI. “In my experience it has been great for me and the clients I serve on the enterprise level,” Ballman says. “It has actually been the selling point with some of our clients to know they can get access anywhere but have a single platform they can use across the U.S. or even globally.”
Tyco is a member of PSIA and a participant in its discussions about standards. They are also board members with SIA OSDP and are closely watching the ONVIF developments, says Jason Ouellette. “Open standards like PSIA and their focus on identity credentials that can be shared, [SIA’s] OSDP and ONVIF all continue to gain traction and promote interoperability of edge devices, which was a contributing factor and will continue to be one for growth in 2016. Integrations are really starting to become a real growth driver for anchor-based products like access control…. The challenge I see is where OSDP is really at the edge device back to the controller, ONVIF is a higher level standard that gets to the server and will be much more challenging. Right now if I were placing bets, PSIA and OSDP would see faster adoption.”
RS2 is also a SIA OSDP member and “very much in favor of it,” adds Gary Staley.
“We are deeply vested and invested financially with SIA and OSDP,” adds Cypress’s Paul Ahern. “We are working with a few unnamed manufacturers helping them adopt to OSDP.”
Cypress’s Osmium product was a SIA New Product Showcase winner last year for promoting easy adoption to the OSDP standard. “We didn’t expect a whole lot of sales from that first year, but it brought us a number of other credential and reader manufacturers to develop products that are compliant,” Ahern says. “I do see a definite growth curve and opportunities for companies to adopt it. I think it is critical. We have to get away from the archaic Wiegand technology for a lot of reasons, including no encryption or security.”
Not everyone is as optimistic about the future of access control standards, however. “Standards are wonderful if everybody plays by the rules and implements them in the same way; then we have interoperability,” says DAQ’s Chris Sincock. “In any industry, including building automation, that is not necessarily the case. And in access control there is not a lot of incentive to fully embrace standards for companies that manufacture electronics. I don’t think we will see one cohesive standard that the industry adopts.”
While SSP’s David English is in favor of industry standards in theory, in practice he has yet to reap the benefits. “Certainly it helps with integration for sure. But it is important to understand what you actually get with standards. It can be pretty deceiving about what compliance actually provides you and at what levels they are compliant. Just because it does work, what is the value you actually get? To be quite honest we have found ourselves in trouble from time to time where we expected it to perform to a certain level and found out it was surface level integration. I would say as much as it helps us, it hurts us, too.
However, English acknowledges that his standards experiences thus far have been limited to the video side, and he has not run into access control standards yet.
Richard Goldsobel of Continental Access Control, a division of Napco understands this dichotomy on the manufacturer side. “For access control manufacturers there is a push on both sides, internally to try to stay proprietary versus the desire to move to be open to gain more market share and acceptance.”
This won’t be a one year or even a five year process, he predicts. “This is definitely a five to 10 year plus movement. But in my opinion, the access world is more complicated. The reason standards went to video first is the total scope of video functions tend to be less involved. When you get to access control, the variety of enterprise access options are huge. There is anti-passback, mustering, two-man rules, and the feature proliferation goes on and on. They are not necessarily huge features but there are so many of them — hundreds or even thousands. And here is the key: right now every enterprise manufacturer does every single one of those slightly differently. Even if ONFIV was adopted today across the board and every manufacturer agreed, what you are going to get are these incredible nuances and differences on that compliance.”
Though the process may be a long one, it will ultimately be worth it, particularly for the integrator, Goldsobel adds. “All these issues relate to the manufacturing side, but if standards do start to become well adopted on the hardware and software level and more commodity-based, the manufacturers may suffer, but integrators can have a better life. So much of their infrastructure is based on training and knowledge of two and three and four and 20 different platforms. What is good for the manufacturer is not necessarily good for the integrator and vice versa.”