Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×

Pro AV & cybersecurity: No complacency as scope of attacks increases

From software vulnerabilities affecting APIs to massive state-sponsored cyberattacks, it’s not hard to understand why professional environments across the board are placing a greater emphasis than ever on cybersecurity, writes Ken Dunn

Let’s face it: 2023 was an exceptionally bleak year in many, many ways. But there’s no doubt that the worsening impact of cyber-crime – in terms of range and impact of attacks, and their financial cost – was among its least welcome aspects.

A few statistics for the UK should help illustrate the scale of the problem. According to research issued by internet service provider Beaming, businesses in the UK suffered a total cost of £30.5bn as a result of cyber-crime during 2023. Underlining the extent to which the challenge is expanding over time, this figure is 138 percent higher than the £12.8bn cost estimated for 2019. Of the 1.5m businesses falling victim to some form of cyber-attack, there is particular reason to be concerned about small companies employing between 11 and 50 people registering the steeping rise in victims (+42 percent) and costs (up a whopping 396 percent) between 2019 and 2023. Plenty of AV businesses surely fall into that size bracket.

The Akamai Security and Network Operations Command Center (SOCC and NOCC) can support customer security strategies 24:7 with people, processes, and technology

And while ransomware, DDos and API (Application Programming Interface)-related attacks, and many other types of cyber-crime are having a massive impact across sectors, a more – so to speak – vintage form of illegitimate activity is still responsible for the most business victims in the UK: phishing. Again according to the Beaming study, this form of attack claimed 679,000 business victims during 2023.

With state-sponsored actors and organised crime groups (OCGs) contributing to the cyber-threat, it’s arguably more important than ever that pro AV companies take the necessary steps to ensure their operations and interests – and those of their customers and partners – remain protected.

API WAKE-UP
Bearing in mind the critical nature of APIs to so many areas of pro AV equipment and installation, a new State of the Internet (SOTI) report issued by cloud computing company Akamai should offer particular cause for pause. Entitled Lurking in the Shadows: Attack Trends Shine Light on API Threats, the research highlights the array of attacks targeting APIs, with key findings including the fact that 29 percent of overall web attacks targeted APIs from January through December 2023. Commerce is the most attacked vertical, accounting for 44 percent of API attacks, followed by business services at nearly 32 percent.

Steve Winterfeld, advisory CISO at Akamai, says: “Whilst I don’t think anybody should be surprised, I do think a lot of people will find this to be a wake-up call [whereby they realise that] ‘we need to make sure we have the same level of maturity as we do around our traditional sites.” 

As to the key stages involved in companies achieving greater resilience against API issues, the first is that “you need situational awareness of the environment, and this can get complex if you have a hybrid environment with different groups working in different clouds or with different infrastructural capabilities”. The second aspect is situational awareness of what data is on there, explains Winterfeld. “Some of that will depend on the business model, as well as the sensitivity of the data that makes it into privacy concerns.”

In terms of its own solutions, he describes the Akamai Connected Cloud as a “massively distributed edge and cloud platform, [which] puts apps and experiences closer to users and keeps threats farther away”.

Haivision video wall

Winterfeld adds: “It’s a distributed platform and then we can add things to it like denial of service protections or specific API protection capabilities.” He also highlights Akamai’s domain protection – “so if somebody’s scraped your domain and trying to fake that out there, we are able to determine that and alert you to it” – and its “ability to provide expertise, [be that] engineering expertise, threat hunting for our segmentation, threat-hunting with regard to API, [etc].”

The impetus to enhance “situational awareness” is also a theme of Installation’s interview with Aaron Leiker, vice-president of operation centres at Haivision, which provides real-time video streaming and networking solutions to sectors including defence, government and public safety. 

Surveying the overall cybersecurity environment, Leiker says that the scale, range and variability of the cyber-threat out there is “ever-expanding, and I think we should expect that to continue at this point”. He continues: “Cybersecurity was always important to financial institutions, government customers and so on, but now you’re seeing the same sort of cybersecurity practices and profiles being adopted by, for example, municipal police departments or small- and medium-sized businesses.”

CRITICAL ENVIRONMENTS
When it comes to pro AV solutions being incorporated into critical environments such as control and operation centres, Leiker says there are still too many instances of AV products being built with the assumption that security is going to be taken care of by something else or through isolation, and that’s no longer good enough. “[In some cases] it could be that the manufacturer of a product doesn’t know what it is doing ‘under the hood’ – the supply chains and the building of any product are quite complex.”

Haivision’s response to this unfortunate state of affairs has been multi-faceted. One continuing policy has been to conduct “in-depth reviews of our own supply chains and vendors, possibly making some hard decisions to break up with certain vendors who don’t take [security] as seriously as we do”. The company also continues to take a holistic approach that means its technologies can facilitate a secure, global common operating picture – essential for collaboration in complex environments like global security operations centres and public safety operations centres.

Meanwhile, the 2021 acquisition of visual collaboration systems developer CineMassive, which is now operating under the Haivision banner, has, according to Leiker “significantly bolstered our position in the security industry, particularly concerning visual collaboration solutions for mission-critical environments”, where customers are likely to be viewing some of their most sensitive data. 

This in turn has surely informed the evolution of the Haivision Command 360 visual collaboration software platform, which allows response teams to make real-time decisions by centralising all video, data, communication and visualisation sources into a fully secure, multi-site video wall solution.

“We take a particular posture with the Command 360 product, which is to make sure that it fits directly into any sort of cybersecurity profile that an organisation is looking to maintain, [so for instance] the audio-video system doesn’t become the weak link,” explains Leiker.

HOLISTIC APPROACH
The impression that, increasingly, virtually no professional environments risk taking a relaxed approach to cybersecurity is further underlined by Scott Norder, chief operating officer of RGB Spectrum, a leading designer and manufacturer of video processing, display and control solutions whose latest products include the Zio 4000 standalone and video-over-IP wall processor.

“Our perspective on cybersecurity is essentially rather holistic, and in part it’s because of the types of questions we routinely get from customers about their environment, equipment and personnel,” explains Norder. “This means that we evaluate our internal cybersecurity activities, as well as our supply chains, product development process and the cybersecurity features of our products.”

RGB Spectrum media wall

With customers in areas such as defence and government, the need for an all-encompassing approach is unsurprising. “If you are working with, for example, the US military then there is a requirement that there be no non-US persons involved in the development or production of a product, so there can be [no back-door to a hostile actor],” he says. “And when you really start to think about all the things that go into a product and how you make sure that you are preventing any extraneous back-doors from showing up, [you have to consider] everything from the selection of the components to the pedigree of the companies and even some of the sample code. That requires looking very carefully at your supply chain for hardware and software development, [as well as] meeting the many cybersecurity specifications that are typically required in utilities, banking, finance and so on.”

In the US, at least, the process of compliance is given welcome definition by the NIST SP 800-171 standards for safeguarding sensitive information on federal contractors’ IT systems and networks. Norder indicates that there are undoubted benefits to an approach that means US military networks are physically isolated for differing security levels and typically therefore segregate bad actors at the perimeter of these networks. “It is paradoxically easier to support the cybersecurity standards of the military than to meet the often stricter needs of different vertical markets where their networks are more readily available to public access and socially engineered intrusions.”

With a worsening geopolitical situation in which attacks on essential non-military facilities – one need only think of the escalating fears over nuclear power plant security since Russia’s invasion of Ukraine – seem increasingly probable, no one is taking any chances. “There are lots of customers who may have never had a cyber attack at one of their control centres but are still prepared because they know it could be them the next day,” says Norder. “They look out across the industry and see what could happen if, you know, a bad actor attacked a water purification plant and either took it down or messed with the chemicals being added to the water, therefore creating a real human risk.”

Across the board, he says, “so many entities have really taken it to heart that they need to harden their cybersecurity environment” – and they have done so – often becoming among the most secure organisations in the US.

So, even if it’s hard to be cheered by the overall security threat, there is still scope for positivity thanks to a significant step-change in awareness and willingness to act by customers regardless of sector. That will have to be maintained as we pass through evermore uncertain times, so regular security reviews and ‘stress-testing’ should always be at the very top of the priority list.