
Access Trend

by Msecadm4921

Bob Holland, a Senior Product Manager for US access control product manufacturer HID Corporation, gives a US perspective on the trend from proprietary to open and interoperable access control products.

There is much debate about the meaning of the words "open" and "interoperable." Some believe that open means the interface or protocol is published, even though it may be proprietary. Others believe anything that runs on a common platform like Windows or communicates via TCP/IP is open. Yet others believe open means that any component in a system is interchangeable with compliant components from any vendor. Whatever you believe, access control systems have historically been anything but open.

Early electronic access control systems were custom-built by independent entrepreneurs. Since there were no industry standards, each company designed its own access control cards, readers, hardware, firmware, and communications systems from the ground up.

Eventually, custom-built access control hardware system support was replaced by off-the-shelf minicomputers from Digital Equipment Corp., Data General, and IBM. Software and databases were home grown. Eventually, the minicomputers disappeared in favor of personal computers (PCs) running UNIX and Windows, yet proprietary networks still remained.

With system architecture already determined by previous generation equipment, manufacturers were committed to backward compatibility, allowing existing customers to maintain their existing readers and panels, while expanding their systems and upgrading their "head ends." This requirement for backward compatibility kept access control communications in the dark ages, while the IT industry standardized on Ethernet and TCP/IP.

Some OEMs used proprietary networking as a selling feature to their dealers; once the installation was completed they had a lifelong customer. The customer could not call another vendor and replace the head-end, because nothing else was compatible. The cost of ripping out and replacing the conduit, wiring, readers, panels and cards was prohibitive. Even if the customer discovered that the system was unreliable, that the dealer provided poor service, that repairs, add-ons, and upgrades were outrageously expensive, or that it took 16 weeks to order new cards, he had no choice but to live with it!

Early Control Panel-to-Host Interfaces

Because the communications network needed to transmit data over long distances without being affected by noise, RS-232 was ruled out. In the 1960s and early 1970s, RS-422 and RS-485 standards had not yet been published. Current loop transmission was used by the military for teletype machines at distances up to 100 meters and data rates up to 19.2Kbaud. Slowing the data rate increased the maximum cable distance, making 1200 baud 20 mA current loop the medium of choice for access control.

Because there was no Electrical Industry Alliance (EIA) standard for current loop, some manufacturers customized the interface by changing the current values, or adding a redundant loop. When EIA RS-422 was introduced in 1978 and EIA RS-485 was introduced in 1983, newer access control manufacturers adopted these standards. However, in every case, the data formats were completely proprietary.

Early Reader-to-Panel Interfaces

Early reader technology was crude and dictated cumbersome interfaces. Barium Ferrite readers required large multi-conductor cables to connect arrays of reed switches, coils, or Hall-effect sensors to a processor. If the reader had a keypad, an additional seven wires were required to scan the keypad.

Magnetic stripe readers used a simple interface, which mimicked the magnetic encoding pattern (called Aiken two-frequency coherent phase or F2F) by converting the flux changes into voltage changes and sending logic level serial data to the panel.

The Wiegand Revolution

When Wiegand reader technology became popular in the late 1970s, it revolutionized the access control industry. The cards did not wear out and were almost impossible to duplicate, and the readers were sealed, weatherproof units. The reader had a simple five-wire interface: Data "0", Data "1", ground, power and LED control. Cable lengths of up to 500 feet were allowed. Market demand caused almost every panel manufacturer to provide a Wiegand interface to their panels, and eventually, these adapter boards were permanently designed-in.

The Wiegand interface provided the first interoperability to access control readers. Customers could now choose any popular reader technology from any manufacturer.
Additionally, manufacturers of other accessory devices added the Wiegand interface: retinal and iris scanners, fingerprint scanners, hand geometry readers, keypads, long-range vehicle readers, asset identification systems, and many other system accessories could now connect directly to a panel and send an identification (ID) number to any system.

Readers of every technology standardized on Wiegand interface: Xico and Dorado magnetic stripe readers, SecuraKey Barium Ferrite readers, Essex keypads, Indala, Cotag and HID proximity readers all provide Wiegand interfaces with many data formats. Many other manufacturers have since adopted the Wiegand interface.

The Security Industry Association adopted Wiegand as a standard in 1996.
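
The Data "0" / Data "1" signalling described above, as an added example (not from the article or from any vendor's code): a panel-side decoder that turns pulses on the two data lines into bits and rejects any frame that fails a length or parity check. The 26-bit layout, the 25 ms frame gap and all function names are assumptions; the article does not specify a data format.

```python
# Added example: panel-side decoding of Wiegand Data 0 / Data 1 pulses.
# Assumption (not from the article): the common 26-bit layout of
# 1 even-parity bit, 8-bit facility code, 16-bit card number, 1 odd-parity bit.

FRAME_GAP_US = 25_000  # assumed idle time on both lines that ends a frame


def frames_from_pulses(pulses, gap_us=FRAME_GAP_US):
    """Group (timestamp_us, line) pulses into bit lists; line is 'D0' or 'D1'."""
    frames, current, last_ts = [], [], None
    for ts, line in sorted(pulses):
        if line not in ("D0", "D1"):
            raise ValueError(f"unknown line {line!r}")
        if last_ts is not None and ts - last_ts > gap_us and current:
            frames.append(current)
            current = []
        current.append(1 if line == "D1" else 0)  # a pulse on D1 is a 1 bit
        last_ts = ts
    if current:
        frames.append(current)
    return frames


def decode_26bit(bits):
    """Return (facility, card), or None if the length or parity is wrong."""
    if len(bits) != 26:
        return None  # truncated or noisy frame: reject, never guess
    if sum(bits[0:13]) % 2 != 0:   # leading bit makes the first half even
        return None
    if sum(bits[13:26]) % 2 != 1:  # trailing bit makes the second half odd
        return None
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return facility, card


def make_pulses(facility, card, start_us=0, spacing_us=2_000):
    """Constructed sample input: the pulses a reader would emit for one card."""
    body = [int(b) for b in f"{facility:08b}{card:016b}"]
    even = sum(body[:12]) % 2
    odd = 1 - sum(body[12:]) % 2
    bits = [even] + body + [odd]
    return [(start_us + i * spacing_us, "D1" if b else "D0")
            for i, b in enumerate(bits)]
```

A frame that comes back as `None` is worth logging at the panel rather than silently dropping, since repeated malformed frames on one port point to wiring noise or to something other than the expected reader on the line.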

A Few Holdouts Against the Revolution

The Wiegand revolution was good for Sensor Engineering, the leading manufacturer of Wiegand readers. However, this affected the sales of proprietary cards and readers, so a few key players in the systems business have held out against the Wiegand interface. By retaining a non-standard architecture, these OEMs hope to retain their card and reader sales by making it prohibitively expensive to add Wiegand devices to their systems.

One large supplier retained the F2F magnetic stripe interface, although they offer a Wiegand adapter at a very high price. They built the strike relay, door monitor, and REX inputs into their readers, requiring extraordinary measures to protect the reader against tampering, because all the inputs and outputs are on the non-secure side of the door.

Another major supplier still uses a 20 mA current loop interface to its readers, offering an add-on module with a strike relay, door monitor and REX inputs to support an open Wiegand interface.

Although these holdouts promote reader supervision as a key advantage of the proprietary interface, Wiegand readers can actually send a periodic status signal to a host, which will create an alarm if the signal is no longer received. Wiegand readers also offer more security, because all door control inputs and outputs are located at the panel, not at the reader, so tampering with the reader will not allow intruders to access the building.

Cardkey Systems took a different approach to the Wiegand revolution: they bought Systematics, a Wiegand licensee, and made their own Wiegand cards and readers. They combined the Data 0 and Data 1 outputs into a single wire, and moved the centerline of the Wiegand module to differentiate their cards and readers from the Sensor Engineering Wiegand products. Cardkey continued making its own Wiegand readers until the early 1990s, when competition finally caused them to add the Sensor Wiegand interface to their panels.

The first successful proximity reader system was developed by Schlage in the 1970s (before Wiegand became popular), using special coaxial cable to interface between the reader and controllers. These systems were sold through the 1990s, when they were replaced by digital technology. Because no other system used coax, there was no way for end users to upgrade economically until HID Corporation developed a dual-technology reader and a controller which converted the coax outputs to Wiegand outputs, allowing the customers to transition to HID proximity cards and replace their head-end systems.

The Card-to-Reader Interface

Barium Ferrite cards have several "standard" patterns for magnetized spot locations and polarities; the major ones are from Casi Rusco, Cardkey, and SecuraKey. SecuraKey reads all of these patterns by building readers with sensors arranged in the same pattern, and it is the only company that still produces readers for these legacy cards.

Magnetic stripe standards for card and stripe size, materials, track width and location were set by ISO 7811. Card encoding standards were driven by major magnetic stripe users, such as IATA (International Air Transportation Association), ABA (American Bankers Association) and the thrift industry. Access control manufacturers have used or improvised on these standards in many ways. Some use ABA credit card numbers as cardholder ID numbers, although recent increases in identity theft have reduced this practice. Others use the ABA format, but have developed their own schemes for encoding facility codes and ID numbers. Proprietary secure magnetic stripe encoding schemes such as Dorado EMPI, Watermark and others require specialized readers.

Most proximity readers have a proprietary interface to the card, and most manufacturers’ proximity cards cannot be read on another brand of reader. While many vendors share the same card chip, the card chips are customized during the initialization process with certain proximity readers to use certain modulation schemes, and passwords or encryption can also be used in the programming process. For example, HID’s modulation scheme is protected by United States and international patents. While HID is proprietary, it became an industry standard through broad acceptance (much like the Wiegand effect became an industry standard, although cards and readers could only be manufactured by license). Most other major proximity manufacturers, such as Indala, Cotag, AWID and Keri, also have proprietary card-to-reader interfaces.

Indala goes a step further and optionally puts a site-specific password into its readers and cards, so that each customer effectively has his own highly secure card-to-reader interface. At the other end of the spectrum, EM 4005 and 4100 read-only proximity card chips are as close to an open standard as you could get. Information on how to build an EM reader is widely available. EM cards from one vendor can usually be read by EM readers from another vendor, which results in lower security. EM also makes more sophisticated card chips with read/write capability and higher security.

The Future of the Card-to-Reader Interface

Contactless smart cards are more open than proximity technology. These cards operate at 13.56 MHz and are designed to meet published ISO standards, such as 14443A, 14443B, and 15693. Key chip manufacturers are Philips, Texas Instruments, Sony, EM, Atmel, Microchip, Inside Technologies and Infineon. Each card has a unique card serial number (CSN), which can be easily read using published information. Several reader manufacturers including HID (iCLASS), AMAG and IE have demonstrated readers which will read the CSN on cards from multiple manufacturers. However, if you want to read anything stored in the card’s secure memory sectors, you will not only need authentication keys, but you will also need a decoding chip or proprietary encryption algorithms which are unique to each chip manufacturer. The "government version" of Philips DESFire contactless smart card is the first contactless smart card with an open, published standard. Naturally it can still be secured with authentication keys, but a special chip set is not required, and anyone can build a reader which reads the DESFire card. The chip is only available from Philips. This is the future of the contactless smart card-to-reader interface: a vendor-independent card chip.

The Future of the Reader-to-Panel Interface

The Wiegand interface will continue to be used for various read-only technologies. However, a new standard must be developed to use the full capabilities of read-write smart cards. This will require a new reader interface, which could use the RS-232, RS-485 or Ethernet physical layer, and a common message set. The prevalence of TCP/IP networks in commercial buildings, and the rising influence of IT departments on security would make Ethernet the physical layer and TCP/IP the protocol of choice, leaving only the message sets to be defined. Ideally, this would be vendor-independent, and supported by an application program interface (API) and published documentation.

The Future of the Control Panel-to-Host Interface

As a point of reference, the HVAC / Building Controls industry currently has two competing standards, BACnet and LonTalk. System components are available for each, and the standards are openly published. LonTalk requires a proprietary chip at each device, while BACnet does not. BACnet is a system-down approach which can transfer large blocks of data, whereas LonTalk is a device-up approach that handles smaller blocks of data. If all components in a given system are compliant with one standard, it is still not a simple matter to replace a device from one vendor with another, but it can be done. Head-end software can be changed without changing system components, and components from multiple vendors will work together on a single system. These protocols each have their champions, have been around for 20 years, and will likely coexist for the near term, although there are efforts underway at the National Institute of Standards and Technology (NIST) to supersede them with something better.

With regard to interoperability, the access control world is about 20 years behind the HVAC industry, but discussions on open systems are under way. Some system vendors claim that their systems are "open architecture" and interoperable because they use the Windows operating system or TCP/IP, but none of their components are interchangeable with components from another vendor. Currently, Wiegand interface readers could be interchanged on a system, but cards would also have to be changed and panel settings and database reconfiguration would be necessary. Panels from various vendors cannot be interchanged or combined on the same system, and head-end software is not interchangeable.

Some vendors are participating in an effort by the Security Industry Association (SIA) to define access control industry communications standards.

As with the reader-to-panel interface, the prevalence of TCP/IP networks in commercial buildings and the rising influence of IT departments over security make Ethernet the physical layer and TCP/IP the protocol of choice, leaving only the message sets to be defined. Additionally, the convenience of accessing systems via the Internet will make TCP/IP a must. Ideally, this new standard would be vendor-independent, and supported by an API and published documentation.

The value and importance of interoperability are more than just convenience, lower installation costs, or lower maintenance costs. By merging systems together, more powerful and comprehensive security systems can be developed.

Currently, no open communication standard exists for access control devices. However, market demands, competition, and government requirements will ultimately force the industry to adopt open standards, or new players will emerge who can provide open standards.