ISE associations tackle cybersecurity
15 March 2017
As AV over IP technology becomes ever more prevalent in both residential and commercial AV projects, so the importance of network security becomes increasingly evident. CEDIA and InfoComm International, the two associations that own ISE, addressed this subject directly in a joint conference held during ISE 2017.
In ‘Cybersecurity: How to Help Your Customers Understand, Mitigate, and Respond to Threats’, the presenters examined a broad range of topics under this complex umbrella, including the motivation to plan for cybersecurity, risk assessment, risk mitigation, and response and recovery plans.
The concluding panel discussion jumped right into a Q&A to address the issues of most interest to the attendees. Some practical best practices were covered, including the pressing need to abandon the habit of port forwarding for remote access (use a VPN instead) and to provide unique passwords that aren’t shared.
As it happens, none of those best practices is difficult to achieve. “It’s so easy now to put a VPN on Android, iPhone – really any of the access points (Macs and PCs) – there’s really no reason most people can’t have a persistent or nearly persistent VPN and be inside their house,” explained Stuart Rench, CEO, ihiji.
There’s also the sticky issue of when a customer requests a device that is not secure. “You’ve got the right to say no,” said Mal Fisher, CTO of UK distributor AWE. “You’ve got the right to explain the implications.”
Fisher went on to explain how manufacturers are the ones that need to make security changes, influenced either by regulation or consumer demands.
The discussion shifted to the need for change to prioritise network security in AV systems and a sense of urgency in doing so for the industry. “In the long term, it will be forced upon us,” Fisher said. “We’re going to get circumstances where banks refuse to let you use online banking if your browser is outdated or your laptop is too old. People are going to get the hang of the notion, and the questions are going to start multiplying. That’s going to come through integrators to manufacturers, or just simply directly from consumers, and the market will then decide who wins.”
Many of these points were directed to residential applications, though broadly applicable. Turning to commercial applications, Paul Zielie, manager of enterprise solutions, Harman Professional, noted, “it is a requirement at a level where I’ve worked with many major companies where there was extensive lab work prior to them approving what equipment they were going to start to put in.”
Various document tests, how devices were planned to connect to things on the network, and which pieces would be allowed to touch which network were all factors determined before a client even put out a tender, Zielie said. In that respect, integrators lose the freedom to choose the devices they deploy because the customer and the IT security side are directing them. They are then faced with the difficult proposition of “Here’s our security requirements. You need to prove it to me as part of the tender that you’ve done all of this due diligence,” Zielie explained. The practice is one that he has been advocating for heavily.
With no waning of interest in sight, moderator Mitchell Klein, of the Z-Wave Alliance, broke in to remind everyone that this session was just the beginning of the dialogue for many. In conclusion, “We need to be voting with our feet,” he proffered. “We need to be making very clear with all our suppliers that this is not a minor issue that needs to be addressed. We need to be making a fast track to those that are addressing it, and essentially leaving some of those behind – that may be our legacy brands, that we’ve been very happy with, that are really not addressing these issues.”
Report by Lindsey M Adler