The advent of networked AV has unquestionably brought substantial opportunity – but also significant challenges, not least in the area of cybersecurity. To begin this special report, Ian McMurray gathers input from the industry about how those challenges can best be addressed.
It was back in September 1999 that InFocus announced the LP755, which it proudly claimed was the industry’s first network projector. At InfoComm 2000, Sony went one better, introducing what it described as network strategies for the conference room. It’s hard to trace the exact point at which network-centric AV began to become a reality, but the turn of the century is probably as good a guess as any.
Entirely coincidentally: in the same year that the LP755 was launched, AV-TEST reported that its database contained 98,428 unique malware samples – well over three times the number it had reported five years previously.
The point, of course, is that the advent of networked AV opened up a potential can of worms – as well as rootkits, keyloggers, spyware, ransomware, Trojan horses and a host of other malware types – for manufacturers, integrators and end-users alike. While the computer industry has had to deal with malware almost throughout its existence – in the days before widespread connectivity, it was possible to get infected floppy disks – it’s a relatively recent phenomenon for our industry. Is it one that we’re taking seriously?
Manufacturers certainly have a responsibility, as was highlighted in November when a BBC journalist logged on to Huddle – and was accidentally given access to a KPMG account, with full access to private financial documents. The security flaw turned out to be that, if two users land on the same login server within 20 milliseconds of one another, both get the same two-factor authentication. Huddle pointed out that the chances of this happening were infinitesimally small – but acknowledged that it had happened six times over a period of months. The problem has now been fixed.
Front and centre
How, then, should integrators be trying to ensure the security of their installations? It should go without saying that security requirements should be front and centre of any discussions with the end-user – and those requirements should be embedded in the overall system design. Then the challenge is to identify, or leverage, equipment that can deliver an appropriately secure implementation. That, among other things, means understanding what’s available.
“In the latest AMX NX control firmware, we took standard risk assessment from ISO 27000 series standards as well as the US NIST SP800-53 and mapped the applicable areas to the AV application,” explains Paul Zielie, manager, enterprise solutions, Harman Professional Solutions. “We then looked at the strictest controls for those risk areas and used that as a baseline for our security design. This doesn’t mean that the system must be configured at the highest security levels, but that we can provide our customers the tools to apply their security policies in a way that fits the application without external mitigation.
“A general understanding of security theory is important in order to be able to make judgment in the all too common cases where the ‘checklists’ are not entirely aligned to AV systems,” he adds.
The role of manufacturers is, of course, a vital one: secure solutions cannot be built on platforms that are in themselves insecure. It is equally incumbent on them to explain how their security provision can best be deployed.
“Every year, we have dedicated training sessions related to security at our Crestron Certified Masters event,” points out Kenneth Noyens, advanced technical support manager at Crestron EMEA. “We believe it is vital to highlight the importance of security to the people that are integrating Crestron into their AV systems on a daily basis. Beyond this, we provide integrators with guidelines, manuals, tools and training. It is the responsibility of Crestron to provide clear documentation and tools. We invested in making sure our security audit tool doesn’t only analyse systems, but also provides clear guidance on how to change the configuration of devices to make them more secure.”
“We train our installers on a regular basis, providing them all the information required on AV and data protection,” says Keren Lipshitz, director, head of control and solutions division at Kramer Electronics. “We also supply the solutions required to ensure all installations using Kramer’s equipment are fully secured.”
“Extron has been providing training about the security found in our products for more than three years,” notes Rainer Stiehl, the company’s vice president of marketing for Europe. “Our seminars and courses are used to educate our customers about the technologies used in Extron products.”
Unsurprisingly, AVIXA – the organisation known until recently as InfoComm – is active in bringing information to the AV community.
“Network security is an issue everyone seems to be well aware of, but guidance specific to AV systems currently needs to be ‘gleaned’ from other standards and practices, mostly written for the IT world,” notes Ann Brigida, AVIXA’s director of standards. “To create a secure networked AV system, it’s imperative to go through some basic analyses of the environment. In practice, it often happens that these important steps are skipped because it’s a challenge to put all of the necessary practices together.”
“AVIXA’s Standards Steering Committee and the communication team felt that working together to create a recommended practice would be a good first step – it will provide direction specific to the industry for securing AV systems,” she continues. “A group of experts has been working with a technical writer. The group is set to begin reviewing the draft and our aim is to be ready for publication by the end of the year. We’re hoping that it will be of great benefit to anyone who designs, installs, or oversees AV systems. Of course, end-users should also be interested to know what should be happening to secure their system. It would be extremely beneficial for any IT department to have this information as well.”
The document in question has the working title Recommended Practices for Security in Networked Audiovisual Systems and will cover a broad range of topics, from the identification of threats to risk mitigation and best practice. It promises to be an invaluable asset.