The Value and Importance of Open and Interoperable Access Control Products
Historically, access control systems have been anything but open. Early electronic access control systems were custom-built by independent entrepreneurs. It could take up to 16 weeks to order new cards. In 1996 the Wiegand reader interface became the first interoperability standard for access control systems. But the security industry still has a long way to go, especially for smart cards.
There is much debate about the meaning of the words “open” and “interoperable.” Some believe that open means that the interface or protocol is published, even though it may be proprietary. Others believe that anything that runs on a common platform like Windows or communicates via TCP/IP is “open.” Yet others believe that open means that any component in a system is interchangeable with compliant components from any vendor. Whatever you believe, historically, access control systems have been anything but open.
Early electronic access control systems were custom-built by independent entrepreneurs. As there were no industry standards, each company designed their own cards, readers, hardware, firmware, and communications systems from the ground up.
Eventually, custom-built controllers were replaced by off-the-shelf mini-computers from Digital Equipment Corp., Data General, and IBM. Software and databases were home grown. Eventually, the minicomputers disappeared in favor of PCs running UNIX and Windows NT, but the proprietary networks still remained.
With system architecture already determined by the previous generation of equipment, manufacturers were committed to backward compatibility, allowing existing customers to keep their existing readers and panels, while expanding their systems and upgrading their “head ends.” This requirement for backward compatibility kept access control communications in the dark ages, while the IT industry standardized on Ethernet and TCP/IP protocols.
Some OEMs used proprietary networks as a selling feature to their dealers, telling them: “Once the installation is completed, you have a customer for life!” The customer could not call another vendor and replace the head end, because nothing else was compatible. The cost of ripping out and replacing all the conduit, wiring, readers, panels and cards was prohibitive. Even if the customer discovered that the system was unreliable, that the dealer provided poor service, that repairs, add-ons, and upgrades were outrageously expensive, or that it took 16 weeks to order new cards, he had no choice but to live with it!
Early Control Panel-to-Host Interfaces
The challenge in designing a communications network for an access control system was the need to transmit data over long distances without being affected by noise. With a limit of 100 feet, RS-232 was immediately ruled out. In the 60’s and early 70’s, the RS-422 and RS-485 standards had not yet been published. Current loop transmission was used by the military for teletype machines at distances up to 100 meters and data rates up to 19.2 kbaud. Slowing the data rate increased the maximum cable distance, making 1200 baud 20 mA current loop the medium of choice for access control.
Because there was no EIA standard for current loop, some manufacturers customized the interface by changing the current values or adding a redundant loop. When EIA RS-422 was introduced in 1978 and EIA RS-485 was introduced in 1983, newer access control manufacturers adopted these standards. However, in every case, the data formats were completely proprietary.
Early Reader-to-Panel Interfaces
Crude early reader technology dictated cumbersome interfaces. Barium Ferrite readers required large multi-conductor cables to connect arrays of reed switches, coils, or Hall-effect sensors to a processor. If the reader had a keypad, an additional seven wires were required to scan the keypad.
Mag Stripe readers used a simple interface, which mimicked the magnetic encoding pattern (called Aiken two-frequency coherent phase or F2F) by converting the flux changes into voltage changes and sending logic level serial data to the panel.
The Wiegand Revolution
When Wiegand reader technology became popular in the late 70’s, it revolutionized the access control industry. The cards did not wear out and were almost impossible to duplicate, and the readers were sealed, weatherproof units. The reader had a simple five-wire interface: Data “0”, Data “1”, ground, power and LED control. Cable lengths of up to 500 feet were allowed. Market demand caused almost every panel manufacturer to provide a Wiegand interface to their panels, and eventually, these adapter boards were permanently designed-in.
The Wiegand interface brought the first interoperability to access control systems. Customers could now choose any popular reader technology from any manufacturer. Additionally, manufacturers of other accessory devices added the Wiegand interface: retinal and iris scanners, fingerprint scanners, hand geometry readers, keypads, long range vehicle readers, asset identification systems, and many other system accessories could now connect directly to a panel and send an ID number to any system.
Readers of every technology standardized on Wiegand interface: Xico and Dorado mag stripe readers, SecuraKey Barium Ferrite readers, Essex keypads, Indala, Cotag and HID proximity readers all provide Wiegand interfaces with many data formats. Many others have since adopted the Wiegand interface.
The Security Industry Association adopted Wiegand as a standard in 1996.
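As an added example that is not part of the original article, the following Python decoder shows how a panel turns the Data 0 / Data 1 pulses described above into a card identity. It assumes the widely used 26-bit format (one even parity bit, 8-bit facility code, 16-bit card number, one odd parity bit), which the article does not name, and the pulse data is constructed; the parity checks are what stop a noisy or truncated read from being accepted as a credential.

```python
# Added example: decode two-wire Wiegand signalling and parse the common
# 26-bit format. The 26-bit layout (even parity over bits 1-13, 8-bit
# facility code, 16-bit card number, odd parity over bits 14-26) is an
# assumption here; the article only says "many data formats" exist.
from dataclasses import dataclass


@dataclass
class Card26:
    facility_code: int
    card_number: int


def pulses_to_bits(pulses):
    """Each pulse is (line, time_ms). A pulse on Data 0 is a 0 bit, a pulse
    on Data 1 is a 1 bit; bits arrive in time order."""
    bits = []
    for line, _t in sorted(pulses, key=lambda p: p[1]):
        if line not in ("D0", "D1"):
            raise ValueError(f"unknown line {line}")
        bits.append(1 if line == "D1" else 0)
    return bits


def parse_26bit(bits):
    """Check frame length and both parity bits, then split the payload.
    Any failure raises ValueError so the read is rejected, not guessed."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    if sum(bits[:13]) % 2 != 0:   # leading parity bit makes bits 1-13 even
        raise ValueError("even parity check failed")
    if sum(bits[13:]) % 2 != 1:   # trailing parity bit makes bits 14-26 odd
        raise ValueError("odd parity check failed")
    payload = bits[1:25]
    facility = int("".join(map(str, payload[:8])), 2)
    number = int("".join(map(str, payload[8:])), 2)
    return Card26(facility, number)


def encode_26bit(facility, number):
    """Build a 26-bit frame; used here only to construct sample input."""
    data = [int(b) for b in f"{facility:08b}{number:016b}"]
    even = sum(data[:12]) % 2          # makes bit 1 + bits 2-13 even
    odd = 1 - (sum(data[12:]) % 2)     # makes bits 14-25 + bit 26 odd
    return [even] + data + [odd]


# Constructed sample: facility 42, card 1234, one pulse per millisecond.
SAMPLE_PULSES = [("D1" if b else "D0", i)
                 for i, b in enumerate(encode_26bit(42, 1234))]

if __name__ == "__main__":
    print(parse_26bit(pulses_to_bits(SAMPLE_PULSES)))
```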
A Few Holdouts against the Revolution
The Wiegand revolution was good for Sensor Engineering, the leading manufacturer of Wiegand readers, and later for HID and others who provided Wiegand output readers. However, this affected the sales of OEMs with their own proprietary cards and readers, so a few key players in the systems business have held out against the Wiegand interface. By retaining a non-standard architecture, these OEMs hope to retain their card and reader sales by making it prohibitively expensive to add Wiegand devices to their systems.
One supplier retained the F2F mag stripe interface, although they do offer a Wiegand adapter at a higher price per reader. Another major supplier still uses a 20 mA current loop interface to its readers, offering an add-on module with a strike relay, door monitor and REX inputs.
Although these holdouts promote reader supervision as a key advantage of the proprietary interface, Wiegand readers can actually send a periodic status signal to a host, which will create an alarm if the signal is no longer received. Wiegand readers also offer more security, because all door control inputs and outputs are located at the panel, not at the reader, so tampering with the reader will not allow intruders to access the building.
Cardkey Systems took a different approach to the Wiegand revolution: they bought Systematics, a Wiegand licensee, and manufactured their own Wiegand cards and readers. They combined the Data 0 and Data 1 outputs into a single wire, and moved the centerline of the Wiegand module to differentiate their cards and readers from the Sensor Engineering Wiegand products. Cardkey continued making its own Wiegand readers until the early nineties, when competition finally caused them to add the Sensor Wiegand interface to their panels.
The first successful proximity reader system was developed by Schlage in the 70’s, (before Wiegand became popular) using special coaxial cable to interface between the reader and controllers. These systems were sold through the 90’s, when they were replaced by digital technology. Because no other system used coax, there was no way for end users to upgrade economically, until HID Corporation developed a dual technology reader and a controller which converted the coax outputs to Wiegand outputs, allowing the customers to transition to HID proximity cards and replace their head end systems.
The Card to Reader Interface
Barium Ferrite cards have several “standard” patterns for magnetized spot locations and polarities; the major ones are from Rusco, Cardkey, and SecuraKey. SecuraKey reads all of these patterns by building readers with sensors arranged in the same pattern, and it is the only company that still produces readers for these legacy cards.
Standards for magnetic stripe card and stripe size, materials, track width and location are set by ISO 7811. Card encoding standards are driven by major mag stripe users, such as IATA (International Air Transportation Association), ABA (American Bankers Association) and the Thrift Industry. Access control manufacturers have used or improvised on these standards in many ways. Some use ABA credit card numbers as cardholder ID numbers, although recent increases in identity theft have reduced this practice. Others use the ABA format, but have developed their own schemes for encoding facility codes and ID numbers. Proprietary secure mag stripe encoding schemes such as Dorado EMPI, Watermark and others require specialized readers.
Most proximity readers have a proprietary interface to the card, and most manufacturers’ prox cards cannot be read on another brand of reader. While many vendors share the same card chip, the card chips are customized during the initialization process to use certain modulation schemes, and passwords or encryption can also be used in the programming process. For example, HID’s modulation scheme is protected by US and international patents. While HID is proprietary, it became an industry standard through broad acceptance (much like the Wiegand effect became an industry standard, although cards and readers could only be manufactured under license). Most other major proximity manufacturers, such as Indala, Cotag, AWID and Keri, also have proprietary card-to-reader interfaces.
Indala goes a step further and optionally puts a site-specific password into its readers and cards, so that each customer effectively has his own highly secure card-to-reader interface.
At the other end of the spectrum, EM 4005 and 4100 read-only Proximity card chips are as close to an open standard as you could get. Information on how to build an EM reader is widely available. EM cards from one vendor can usually be read on EM readers from another vendor, which results in lower security. EM also makes more sophisticated card chips with read/write capability and higher security.
Contactless smart cards are more open than proximity technology. These cards operate at 13.56 MHz and are designed to meet published ISO standards, such as 14443A, 14443B, and 15693. Key chip manufacturers are Philips, Texas Instruments, Sony, EM, Atmel, Microchip, Inside Technologies and Infineon. Each card has a unique CSN, or Card Serial Number, which can be easily read using published information. Several reader manufacturers, including HID (iCLASS), AMAG and IE, have demonstrated readers which will read the CSN on cards from multiple manufacturers. However, if you want to read anything stored in the card’s secure memory sectors, you will not only need authentication keys, but you will also need a decoding chip or proprietary encryption algorithms which are unique to each chip manufacturer. The “government version” of the Philips DESFire contactless smart card is the first contactless smart card with an open, published standard. Naturally it can still be secured with authentication keys, but a special chip set is not required, and anyone can build a reader which reads the DESFire card. The chip is only available from Philips. This is the future of the contactless smart card-to-reader interface: a vendor-independent card chip.
The Future of the Reader-to-Panel Interface
The Wiegand interface will continue to be used for various read-only technologies. However, a new standard must be developed to use the full capabilities of read-write smart cards. This will require a new reader interface, which could use the RS-232, RS-485 or Ethernet physical layer, and a common message set. The prevalence of TCP/IP networks in commercial buildings, and the rising influence of IT departments on security would make Ethernet the physical layer and TCP/IP the protocol of choice, leaving only the message sets to be defined. Ideally, this would be vendor-independent, and supported by an API and published documentation.
The Future of the Control Panel-to-Host interface
As a point of reference, the HVAC / Building Controls industry currently has two competing standards, BACnet and LonTalk. System components are available for each, and the standards are openly published. LonTalk requires a proprietary chip at each device, while BACnet does not. BACnet is a system-down approach which can transfer large blocks of data, whereas LonTalk is a device-up approach that handles smaller blocks of data. If all components in a given system are compliant with one standard, it is still not a simple matter to replace a device from one vendor with another, but it can be done. Head end software can be changed without changing system components, and components from multiple vendors will work together on a single system. These protocols each have their champions, have been around for 20 years, and will likely coexist for the near term, although there are efforts underway at NIST to supersede them with something better.
With regard to interoperability, the Access Control world is about 20 years behind the HVAC industry, but discussions on open systems are under way. Some system vendors claim that their systems are “open architecture” and interoperable because they use the Windows operating system or TCP/IP, but none of their components can be swapped with components from another vendor. Currently, Wiegand interface readers could be interchanged on a system, but cards would also have to be changed and panel settings and database reconfiguration would be necessary. Panels from various vendors cannot be interchanged or combined on the same system, and head end software is not interchangeable.
Some vendors are participating in an effort by SIA to define Access Control industry Communications Standards.
As with the reader-to-panel interface, the prevalence of TCP/IP networks in commercial buildings, and the rising influence of IT departments on security makes Ethernet the physical layer and TCP/IP the protocol of choice, leaving only the message sets to be defined. Additionally, the convenience of accessing systems via the internet will make TCP/IP a must. Ideally, this new standard would be vendor-independent, and supported by an API and published documentation.
The value and importance of interoperability are more than just convenience, lower installation costs, or lower maintenance costs. By merging systems together, more powerful and comprehensive security systems can be developed.
Currently, no open communication standard exists for access control devices. However, market demands, competition, and government requirements will ultimately force the industry to adopt open standards, or new players will emerge who can provide open standards.