Face the threat: The hacking crisis taking aim at AV
As AV and IT have merged, new security threats are emerging. Reece Webb investigates how the AV industry is moving to meet ever-evolving security challenges.
The convergence of AV and IT technologies has put AV technology firmly on the frontline in the battle for security on a global scale. Prior to the pandemic, large congress organisations for example primarily relied on closed, internal systems that were not connected to any external networks.
Today, with hybrid working and remote participation, the threat posed by corporate espionage or interference from hostile state actors, cybercriminals and terror groups has never been higher.
As more and more products rely on AVoIP technology, high encryption standards and open standard security technologies need to be maintained to the highest standard and updated as threats continue to evolve in a never-ending security arms race against hackers.
Since the Covid-19 pandemic, many businesses fundamentally shifted in the way that they operate. Hybrid working has become the norm in many businesses, and this has driven a shift in the activities of cybercriminals hell-bent on breaching AV systems.
Phil Marlowe, managing director Middle East, AVI-SPL, explains: “Today, cybercriminals see AV equipment as vulnerable, low-hanging-fruit. Security became more of a visible issue [since the Covid-19 pandemic].
Before Covid, the number of hybrid workers was limited. During the pandemic and beyond this all changed as a large increase in hybrid work including higher-level staff at enterprise corporations, were effectively taking home mini conference room systems.
All of these devices were used on weaker firewall networks or domestic networks with limited security features. This is where we started seeing upticks in attacks. This wasn’t just limited to the AV industry, we saw this happening with corporate laptops that were on networks that were easier to penetrate than larger, more sophisticated enterprise elements.
“As equipment was taken out of a secure environment, it became an easy target for hackers. This problem was always there, but remote work shined a light on how great the threat was.”
Hybrid working fundamentally changed the working landscape, however the rush to rapidly transition to hybrid and remote working during the Covid-19 pandemic has left a lasting impact on AV installations in the workplace.
Research, published by AV integrator Kinly, shows that one in four hybrid working technology setups installed during the pandemic are being rolled back due to ‘rushed’ AV installations.
32% of respondents reported that the rush to adapt to remote working also has the potential to undermine security.
Kinly’s research revealed that businesses are re-evaluating their needs around securing digital space and collaboration software (39%).
Organisations that are navigating the roll back are now assessing what technology needs can be kept and what can be swapped out.
Don Gibson, CISO, Kinly, commented: “Some companies behaved in a reactionary way by putting kit out there that is now having to be revisited because it wasn’t installed properly or [elements] were overlooked.
“Security is becoming more of a prevalent concern. With existing customers, we are seeing a greater uptick [in security demand] expectations from them. They ask how we carry out our work, how it impacts the client and where the data goes. They are ratcheting up the pressure in expectations, which is brilliant for us. We can educate the board on the expected deliverables, outcomes, cost ramifications and return on investment. We need to make sure that businesses are safe and secure.”
AV in the crosshairs
Threats in this space are evolving and becoming more sophisticated: Ransomware, a form of malware designed to deny an organisation access to files on their systems by encrypting these files and demanding a ransom payment for the decryption key, is becoming a regular threat faced by AV integrators and clients, pushing concerns around security into the stratosphere.
Marlowe explains: “We have seen a rise in ransomware attacks specifically targeting AV systems and vulnerabilities on smart devices. To mitigate these risks, our teams take as proactive an approach as possible. We are
constantly conducting thorough security assessments, ensuring all firmware and software are up to date as well as educating clients on security best practices.”
The threat in today’s workplace can also come directly from the equipment in a room, requiring end users and integrators to think consciously about their day-to-day use of technologies which can be used against them without the threat ever being identified.
Gibson says: “Zero day threats are a top priority. A zero day is a flaw inside a system that officially hasn’t been found yet. Hackers have the ability to go into the system via this flaw and nobody knows about it, it’s like a ghost walking through a wall. If you’re building a security system, you have to think of every control as a wide, mesh net. Every time you fold it, you get another layer that makes the hole smaller until it is very difficult to wiggle through. That’s what a mature cyber capability is - You have enough controls that you can properly understand what is going on.”
For manufacturers, security remains at the top of the list of concerns when designing and selling products to customers. John Storey, CTO, Datapath, explains: “Security has become a higher priority for customers, and the reason for that is because AVoIP raises the spectre of security in everyone’s minds. We’ve always had to have these thoughts because we’re using networks for control. When AVoIP is in the mix, it puts the network front and centre, and everybody has preconceived ideas about what a network is and what the security of a network is. We are basing our work on enterprise networking security principles that have been developed over many years, and if you do them right, you can do a very good job.
“It is our responsibility to help [AV integrators] because this is new technology, integrators are typically from an AV background and you want to make all of those security decisions for them by presetting those security hurdles before the AV installers get to it. We’ve thought about the architecture which only works when all of those secure authentication hurdles are in place. An AV network is an isolated network, and that’s how it works best. There’s no real reason why there would be any advantage to mixing in an AV network to an enterprise network.”
Secure by design
On the client side, end users are demonstrating greater awareness of data security and demanding sufficient protection from threats as part of their key requirements when going to tender.
Marlowe adds: “Security has become a pivotal topic during client engagement. Clients recognise the critical importance of security solutions, and they are prioritising security considerations in the tender process and discussions. Security wasn’t a main focus point previously within AV systems. Now it is, as we are seeing more sophisticated attacks targeting AV systems specifically.
“Our teams help clients mitigate emerging security threats by collaborating with cyber-security experts in their respective fields and adhering to industry-specific security standards. There is a lot of focus on device security because they are often so exposed, we need to treat them just like any other compute device.”
“You have to sit down and go through what you are expecting to happen”, adds Gibson, “What are the attack vectors and the ‘what if’s’? then you can start designing. It’s important that ‘always on’ devices are either turned off or covered [when not in use], just to make sure that there is no leakage. It’s about increasing the security-centric mindset [of employees] as well as strengthening the technology.
“We offer a secure by design philosophy – how do we think about security? How do we deliver it and how do we document it? When the next users come in, they need to understand how the system works, what talks to what and what protocol is it in. All of this stuff is ‘secure by design’.
Lock it down
On the manufacturer side, maintaining strong levels of encryption is key to maintaining high security in mission-critical environments. Storey: “We are a little insulated from [wider threats] because we focus our attention on control room AV networks.
We have a single point of contact with the wider network, which we treat very seriously. We have a dedicated server appliance to bridge that in a very secure way, it’s designed from the ground up to be isolated.
“All of our control plane is encrypted. It’s a web interface and everything is covered with full HTTPS, TLS encryption and authentication etc. That control plane is also initiating lots of video streams that might be sensitive, so we make sure that every IP stream is also encrypted using full rolling keys. It’s useful for our customers because, when everything is multicast, we can still apply user rights to things. You can only see things if we give you the key to see it, so you get the best of both worlds.”
Plan and protect
While it is possible to combat the threat posed by cybercriminals, this problem will never truly disappear. So how can the AV industry, as a whole, continue to stay one step ahead of the bad guys? Gibson: “[As an integrator] You have know about everything that is going on – knowledge of what is happening in a system and expected behaviours. It’s going to be an escalating arms race, making sure that cyber teams know what businesses are doing and vice-versa, there has to be open communication between the two, as well as some form of financial responsibility by boards to enable these teams to do what they need to do.
“It would be very sensible for the industry to agree on a set of expected deliverables, answers, and standards [for security]. Customers will then be able to accept that and understand that.”
Working together as an industry could be the answer. Marlowe closes: “I would love to see more AV-specific forums around security. It would be great to be involved with our competitors to discuss what we are seeing, as this is a topic that is as important as safety. You have to take the competition element out of it, as a problem that somebody may create is a problem that can affect all of us. We really need to figure this out as an industry.”
Source: Inavate