Cybersecurity – how integrators can protect clients against risks20 March 2017
Previously, we looked at the different kinds of cyberattack to which networked AV systems are potentially vulnerable. Here, we offer advice on how systems can be protected against loss of content, and discuss the opportunities that providing cyberprotection gives to integrators. Steve Montgomery reports
A major target of attacks on networks is to access content, rather than simply to gain control of equipment and create denial-of-service situations. Many systems, particularly those using network-based audio transmission technology, packetise and pass audio content around in unencrypted form. Simply connecting a device of a similar type onto an exposed data port allows intruders to gain full access to content and confidential voice recordings.
“It is not so much transmission between locations, such as international videoconferencing links that are at risk, as the in-house transmission of voice over private PA systems,” says Roland Hemming, founder of RH Consulting. “In boardrooms, courts and meeting rooms, highly confidential information is discussed, whilst concert systems transport valuable content. That would be of interest to many outsiders, who could gain financially or steal intellectual property. With so many internet and wireless transmission portable and guest devices connected directly to a network, it is becoming very difficult to physically manage the hardware, its location, or who has access or use of it at any moment. We haven’t yet come to terms with the human side of portable and BYOD devices. Audio networks are in their infancy, and are highly exposed. They should have token exchange security built in, but don’t. This would prevent access by unauthorised devices and go some way in securing the transmissions. But this would require effort across the industry to implement and change.”
Measures can be taken to limit security risks and ensure the integrity of data and equipment. “Basic and standard security procedures should be followed,” says Ronald Prague, Biamp Systems’ senior network architect. “Change the default password on all devices and switches on the AV network. Make sure that only the specific AV traffic and endpoints are allowed through the firewall. It’s also very important to make sure all equipment on the network is kept up to date. It should be checked regularly to ensure software and firmware patches are regularly updated. The network should be continuously monitored and activity logs collected regularly.”
Delivering secure systems provides opportunity to installers and consultants. Prague adds: “Advising clients on cybersecurity and ensuring the security of proposed systems provides considerable commercial potential. An in-depth knowledge of the field is required, so it is a separate industry with serious training requirements for technicians, policy writers and auditors.”
Chuck Espinoza, staff instructor for InfoComm International, agrees: “Having the knowledge and ability to use already-established protocols that IT has been using for years and apply them to networked AV systems is a major opportunity. AV integrators like to make the network as easy to access and navigate as possible so that the AV equipment that lives on the network will function easily and won’t run into as many system errors or malfunctions as they would on a locked-down network. As convenient and user-friendly as this might seem, it leaves the AV system vulnerable to many types of intrusion. This opens up an entire new career path to the AV industry, something that has been standard in the IT field: network security specialists. These AV professionals would apply their security knowledge and skills to a host of AV system functions.
“Many AV companies are just starting to embrace networked AV security, and how to incorporate it into their needs analysis, project cost assessments, project workflow and system commissioning activities. If a position like network security specialist is implemented correctly at AV integration companies, it will lead to a more collaborative environment between AV and IT staff and some of the security needs that are typically discovered during or after the project is finished will be foreseen, resulting in fewer change orders and project delays.”
Security is an essential consideration. As Hemming believes: “AV system security is immensely important, but is not taken seriously. As an industry we have chosen convenience over security. Change is unlikely to happen until a global organisation suffers an attack through the AV system, or a political event is hacked or valuable content is stolen. Only then will the industry sit up and take note, and do something about it.”