Gabriel Buzas, AV Consultant at Cordless, discusses the current state of play with regard to the security of AV technology in the workplace and the issues to be considered…
AV security in general is not where it should be yet, but it is viewed as increasingly important. AV operates on the boundary of the physical human world and the technology world (e.g. corporate network). In a corporate system, any point where human operated systems are interfacing with the network, even indirectly e.g. via an audio visual interface, is potentially a security threat.
What could happen if AV security isn’t tight enough?
Nowadays information has an increasing value and data security is crucial. We see frequently in the media what can happen when data and information are not secured and handled with sufficient care. Currently, AV systems are not the focus of potential attacks primarily because they are harder to access remotely, and there are more convenient ways to attack a corporate system. As integration with IT systems increases and connecting AV devices to the network becomes the default approach, they could soon easily become the weakest system in a corporate world if security measures are not applied correctly and in time.
What AV tech requires security features?
The first category of products that require security features includes anything that transmits data which carries valuable information e.g. wireless microphone systems, or audio or video distribution systems. Some of these offer a high level of data encryption and a restricted operational area. However, when we talk about AV security, it is not just about preventing information leakage, but also preventing piggybacking or interfacing, when an AV system is used to access other, more vital systems. Therefore, the second category is anything that communicates with other non-isolated systems e.g. the corporate network. Since more and more AV equipment is connected to IT networks, they all pose a potential point for intrusion. When designing such equipment, it is important to have clear and controlled demarcation between system elements that allow human interaction and interfacing with the outside world, and the elements accessing the network. For example, the firmware update is a process where malicious code can be planted into AV equipment.
How secure are AV products on the market now?
Some of the products currently available are secured using high level encryption. Even if someone captured the information transmitted wirelessly, the amount of time required to crack such encryption with brute force or AI would probably render the data outdated and useless. Unfortunately, some manufacturers seem to claim that their devices are secured, but tests sometimes prove otherwise – some manufacturers build in compensating controls*, which is a workaround and not a solution to a problem. The weakest points are around network communication, firmware and transmitted data handling. In most cases, we can only rely on what the manufacturer tells us about the security. It would be good to have an independent and unbiased certification program to rate AV equipment that can provide reassurance to anyone looking to integrate such devices with their network.
*: Compensating control is when a certain function cannot be achieved due to regulations or technical difficulties, so the manufacturer provides a workaround to achieve a similar effect or provide similar functions to what is required. Let’s see an example. A piece of AV equipment wants to recognise the connected user device automatically the next time it connects. This is a desired function. For this, the equipment needs to store user device related data. However, regulation does not allow the data to be stored. Deleting the data will not allow the AV equipment to recognise the user device. So the manufacturer decides to store the data but in an encrypted way.
Are legacy AV products and systems likely to have weaker or compromised security?
Legacy systems tend to be more isolated and as such, this reduces the risks of using the system to get to other vital systems. On the other hand, companies where information security tends to be vital are making efforts to keep their systems up to date. This provides the opportunity to introduce updated AV security.
Is a perceived lack of security becoming a barrier to some AV technologies being adopted?
Organisations that have tight security will have many restrictions and controls in place. A piece of technology may not be adopted if it does not meet security restrictions in place, although it could fit the business need. This sometimes makes the life of an AV consultant more difficult when designing a system. For example, banks want to test every single piece of equipment planned for an AV system and will reject everything due to insufficient security. Sometimes we end up with an AV system that is everything but futureproof due to security restrictions applied. This may greatly affect client experience, which is key in every AV system design.
How well do AV vendors and integrators understand security?
I think consultants, manufacturers, integrators and clients are all aware of the need for secure AV systems, but currently there is not enough focus on this. Manufacturers want to sell products that have to have certain security features, but sometimes this can only be achieved with compensating controls built in, and this is where the problem is. Integrators are also aware of the security needs and they usually work together with the clients to create a ‘secure enough’ system. However, today when most AV equipment is on the network, the created system will only be as good as the knowledge and understanding of the people creating it. To give security the focus it needs, it is vital to have people with very good network and security knowledge throughout the supply chain, right from the consultant and client through to the integrator and vendor.
Is it common to have to build in compensating controls to counter security flaws in AV products?
Yes, it is common to have compensating controls built in. Although sometimes there are legitimate technological or business constraints, it is still bad practice for achieving the desired security level, because this is a workaround, not a solution, and as such it cannot offer the same security. Compensating controls in lieu of comprehensive data encryption might include the use of database security, network access control (NAC), or data leak prevention strategies.
Any final words of advice?
I think clients need to know and stick to their security requirements and should not settle for compensating controls. If the desired security level cannot be achieved, the AV system needs to be redesigned – this is where consultants with integrators can help a lot.
Date: Thu, 28 Jun 2018 15:34:03 +0100 GMT