Crawling out of the Primordial Ooze
Is the AV industry aware of IT Security?
Last week in San Jose, CA the IMCCA put together the Collaborate show, collocating with InfoComm Connections, to offer a program of educational opportunities for the AV community. This began immediately following the opening keynote on the Internet of Things. The first session, in the least ironic fashion possible, was a panel of manufacturers and one consultant (yours truly), hosted by David Danto, discussing IT security in the AV world.
The first question put to the panelists was to place the level of fear on a scale of 1 to 10 that the AV industry should have in regards to the fundamental lack of understanding that exists about being technology providers that are certainly behind the times in providing secure network devices. The average of the five respondents came to 7.5. By some estimates of the audience this number was low and we should be at threat level ten. My response to the reason for it not being a 10 at this point in time is because the AV solutions aren’t mission critical for having access to the remainder of the network, and particularly no need to have them perpetually living on a network capable of accessing the outside world.
We have stopgap measures that we can deploy at this point in time for networked AV Systems. We can deploy our systems on a specialty network that doesn’t have access to the Internet – an air gap network, or a network that literally has a gap of air between it and the Internet. We also have the flexibility to isolate our networks on subnets or VLANs (virtual LANs) that aren’t allowed to port themselves to any other network in the system.
What about the remote services platform that is a major driving force in AV design and a basis of revenue as we continue to expand as an industry in search of added revenue sources? One of the most common methods that’s used to manage this is a VPN (virtual private network). However, in order to access the network through the VPN port, and still keep it secure, it is often done by scheduling a set time with the IT staff beforehand so that they aren’t perpetually leaving an open gateway to their network for anyone to pay it a visit. This is a much greater concern if the AV solutions on the network aren’t isolated to a subnet or VLAN as mentioned above, but even so, leaving as few open holes in the network as possible is the ultimate goal for anyone deploying a network based AV solution.
AV Needs To Evolve
The comment that really jumped out from the conversation, and was most reoccurring, was the idea that the AV industry is in its infancy, crawling out of the primordial ooze, when starting to face and deal with the problems that the IT industry deals with on an everyday basis.
IT companies recognize that there are perpetually evolving threats to their solutions that live on networks and that they must be continuously be applying patches to plug up the holes that are discovered by hackers and employees hired to find the security threats. These patches get scheduled on a weekly basis and deployed by the IT department to ensure security is maintained. The necessary question that the AV industry has to ask itself is whether or not the AV manufacturers are also applying these same concepts. The answer is both yes and no.
Yes, the AV manufacturers recognize that there are security updates that are required and they are sending out patches. The problem, though, is that they are sending them out more slowly and in some cases are only sending them out as a part of a firmware update. As any programmer, integrator, or consultant will tell you, firmware updates can be dreaded moments in systems, particularly if it’s the control system getting the firmware update. All too often the firmware update will be tested to show that it won’t break anything internal to the control processor (or whatever device it happens to be), but because the control processor is at the center of the system solution, what happens when it suddenly no longer communicates with another device on the system that it previously had no issues controlling? Time to get the programmer on site and start troubleshooting.
With the customized solutions where there could be up to eleven different manufacturers in a system, all on an AV network, and all receiving patch updates at different times, how can the AV industry expected to claim that we provide secure systems unless they are sole sourced (an option I have previously argued against)?
The responsibility for security of the system isn’t just on the manufacturers of the devices. The consultants designing the systems and the integrator installing and supporting the system have to be held accountable as well. The consultant should be asking the questions about secure products as they make their selections so that they might be able to account for any issues when they talk to the IT Director. The integrator then must be able to keep that conversation going during the deployment.
The point was also raised that this is a fantastic opportunity for the integrator going forward, assuming they actually follow up and deploy the firmware updates with patches that the manufacturers provide. It puts the integrator in front of the client and demonstrates their willingness to support the system for the warranty in the contract, as well as offers the opportunity to discuss continuing service contracts that go beyond filter and lens cleanings. Not to mention, of course, the chance to offer new systems if the client continues to grow their business.
All too often, though, manufacturers get calls from customers saying there’s a problem and it turns out that no integrator ever went back to apply the firmware update, that potentially including a patch, to resolve a any problems or threats to the system.
It’s Not Impossible
How are we to solve this issue? Time, partnerships and education. Manufacturers need to work together in order to establish what the threats are, develop resolutions to these threats, and then determine how to effectively deploy them to the integrators to implement as a collective. It’s time for AV to emerge from the ooze and start walking on land if we intend to be deploying networked devices. We can’t just sit on our laurels and think that it’s all going to be fine because if it ever reaches the point where the AV solution is the gateway into the system that allowed hackers access to proprietary or private information, the team of lawyers that will be banging down the doors of all parties involved will be beyond comprehension.
Education must follow to resolve this problem if we are going to continue to see success in networked AV. We cannot exist on a network and not face the same concerns that IT manufacturers and IT system providers also face. We must educate ourselves to the problems and solutions that our IT partners are facing so that we too can provide valuable recurring service to our customers and keep their systems secure. This part is going to be a struggle as it already takes more than an eight-hour day to keep up to speed with just the AV technology knowledge. Adding the IT component to that is only going to expand the required time studying on our own, or time spent in a classroom with a manufacturer. Alternatively, if a company wants to get ahead quickly, this sounds like the perfect gateway for bringing more IT centric, young workers companies.
The topic of convergence is officially dead – and if it’s not it should be. AV solutions are on the network. We have to start thinking not only like AV solutions providers, but also like IT solutions providers. Look at the regular maintenance that goes in the IT solutions and start deploying AV in a similar fashion. That effort is going to have to come from the manufacturers and the integrators. Otherwise, both parties may find themselves looking for new clientele and potentially even out of business as a part of the next big hacking scandal.