With the advent of fully networked AV system designs beyond that of multichannel audio distribution or system control, there is an entirely new echelon of design considerations that our industry needs to address.
AV system designs now need to incorporate redundancy, network protocols, failover, and most importantly, security. I’m not talking about that big, mighty, über top-secret government job though—I’m talking about the network that your system is relying on.
My last big project utilized absolutely zero RS-232, contact closure, or infrared based control. We learned so much from it that summing it all up in one article would be impossible. But since just about everything that can be controlled these days has a built-in network port on it, controlling and distributing everything via the network is a logical and cost-effective step. Every device has a heartbeat, nothing is proprietary, everything is connected 100 percent. But with this paradigm comes an entirely new level of threat to the reliability and security of a fully networked system: hackers.
AV designers need to analyze their designs from a security standpoint on several levels:
1. Can someone break into a corporate network and assume control of devices?
2. Can someone break into a network and view or hear networked audio or video?
3. If I go with a fully networked AV system design, is my client’s IT department capable of providing a stable and secure network?
4. How can I prevent any form of hacking from occurring?
With regard to someone breaking into a corporate network and assuming control of devices, the usual response of “well why would anyone want to turn on or off a projector?” isn’t going to cut it. A hacker could and would have a ton of fun simply wreaking havoc in hundreds of conference rooms with the sole intention of interrupting business processes. If I can break into a network and turn on and off thousands of devices, I could literally stop your entire corporation dead in its tracks. This is a question of operational security, or OPSEC. You need to be able to complete your mission without hindrances.
Now, given the importance of OPSEC and INFOSEC, a modern AV designer needs to convey these concerns to their client, and most definitely to their IT administrators at the highest level. If they are not comfortable with it, simply don’t go with a networked system design. Stick with traditional video switches or coax and analog video. But if your client is gung-ho, then you need to fully disclose the ramifications to them.
Given all of the aforementioned, here are several ways you can work to increase the security of your networked AV system design:
1. BYON. Bring Your Own Network and keep it 100 percent separate from any corporate LAN or connection to the internet as a whole. This is usually the safest way to go, and makes it such that your system only has to be coordinated within your own organization.
2. Make sure that any networked distribution devices you use only utilize proprietary compression algorithms. If someone from the outside world were able to hack into a networked AV system, identify a multicast video stream, and attempt to view it, they would have to bring it out of a firewall port and direct it to another proprietary receiver. This is not likely if you are using the right devices.
3. By actively involving your client’s IT department and letting their network security folks do the planning, you are doing the right thing. We’re from the AV industry, not the corporate network security world, so by all means do not try to take this all on yourself. You will be opening your company up to an entirely new level of liability and your contract with a client will for sure have some verbiage in it that will make anything and everything your fault. So put the burden of network security firmly on your client. Assist, but don’t proclaim.
4. Do not have patched and unused network ports available in public areas or conference rooms. Sure, you may have needed three network drops in the early phases of your project, but if you only need two in the later phases, pull the cables back up and unpatch them. There is many a corporate campus where any Joe-Schmo can walk in with a laptop, plug in to an extra network receptacle or the back of a VoIP phone, and have full network access. When the damage is done someone will ask, “Who put that there!?” You do not want to be the person affiliated with that suggestion!
5. Suggest that your client run all available network security protocols on their network. Things like user access control, heavy-duty firewalls, anti-virus software, port coordination, and salt/pepper patching can all go a long way to increase security.
6. Build security enhancing features into the code of your control system. Things like password-protected administration pages or offline control panels can make it very difficult for hackers to assume control of systems.
7. Structure your networked AV system design such that it is organized on its own VLAN and include subnets as necessary.
8. For any devices like a networked music service, VoIP echo canceller, or videoconference CODEC, make sure those network connections are fully separate and not in any shape or form touching your AV VLAN or subnet. This can be a problem with some videoconference CODECs that have their outbound calling and control on the same network port, so you might have to revert to RS-232 in these instances, but there are RS-232 to IP converters available.
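As an added illustration of items 4, 7 and 8 (this is example code written for this page, not part of the original article), a small Python audit that checks a device inventory against a VLAN/subnet plan and flags live but unused jacks in public rooms. The VLAN numbers, subnets, device names and port table are constructed sample data, not a real site.

```python
"""Audit a networked AV design against the segmentation rules above (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample VLAN plan: AV gear on its own VLANs, split into subnets.
VLAN_PLAN = {
    10: {"name": "AV-control", "subnet": ip_network("10.10.10.0/24"), "av": True},
    20: {"name": "AV-media",   "subnet": ip_network("10.10.20.0/23"), "av": True},
    30: {"name": "VoIP",       "subnet": ip_network("10.30.0.0/22"),  "av": False},
    40: {"name": "Corp-LAN",   "subnet": ip_network("10.40.0.0/16"),  "av": False},
}

# Roles the article says must never share the AV VLAN or subnet (item 8).
OUTBOUND_ROLES = {"music-service", "voip-echo-canceller", "vc-codec"}

def audit_devices(devices):
    """Return findings for devices whose IP or role violates the plan (items 7 and 8)."""
    findings = []
    for dev in devices:
        vlan = VLAN_PLAN.get(dev["vlan"])
        if vlan is None:
            findings.append(f"{dev['name']}: VLAN {dev['vlan']} not in plan")
            continue
        if ip_address(dev["ip"]) not in vlan["subnet"]:
            findings.append(f"{dev['name']}: {dev['ip']} outside {vlan['name']} {vlan['subnet']}")
        if vlan["av"] and dev["role"] in OUTBOUND_ROLES:
            findings.append(f"{dev['name']}: {dev['role']} must not sit on AV VLAN {dev['vlan']}")
    return findings

def audit_ports(ports):
    """Flag patched-but-unused ports in rooms anyone can walk into (item 4)."""
    return [f"{p['switch']}/{p['port']}: live unused jack in {p['room']}"
            for p in ports
            if p["patched"] and not p["in_use"] and p["public"]]

# Constructed sample inventory: two deliberate violations are marked.
DEVICES = [
    {"name": "proj-101", "role": "projector", "ip": "10.10.10.21", "vlan": 10},
    {"name": "enc-101", "role": "video-encoder", "ip": "10.10.20.5", "vlan": 20},
    {"name": "codec-101", "role": "vc-codec", "ip": "10.10.10.50", "vlan": 10},  # codec on AV VLAN
    {"name": "dsp-101", "role": "dsp", "ip": "10.40.3.9", "vlan": 10},           # IP off-subnet
]
PORTS = [
    {"switch": "sw1", "port": 7, "room": "Conf 101", "patched": True, "in_use": True, "public": True},
    {"switch": "sw1", "port": 8, "room": "Conf 101", "patched": True, "in_use": False, "public": True},
    {"switch": "sw1", "port": 9, "room": "AV closet", "patched": True, "in_use": False, "public": False},
]

if __name__ == "__main__":
    for line in audit_devices(DEVICES) + audit_ports(PORTS):
        print(line)
```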
There are many other things that can be done to improve the OPSEC and INFOSEC of your AV system designs, but the most important thing to remember is that we are the AV industry, not the network security business.
Joey D’Angelo (joseph.dangelo@cmsalter.com) is a vice president at Charles M. Salter Associates. He has worked at Salter for 15 years since the day he graduated from Cal Poly SLO and has since completed over 405 projects. He likes to be challenged professionally, listens to punk rock, and plays many instruments.
Three Systems Security Tips
How Can Wire and Cable Help Make an AV System Hacker-proof?
When selecting cabling, there are two choices: copper or fiber. First, a clear definition of use and functionality needs to be identified. In selecting a cable where data security within the network is a high concern—fiber is the clear and preferred choice for a private and secure connection.
—Gary Hess, Vice President of Innovation, C2G
There are several issues that can become a security threat in an AV system, the first of which is devices using a TCP/IP control interface. Using network control exposes systems to outside factors that might become a threat for a user’s network and equipment. The best way to protect the system is to use a good firewall system to protect it from unauthorized access. Another threat may come from AV extension systems. On a good note, these systems cannot be accessed from outside, making them more secure.
—Ilya Khayn, President and CEO, Atlona
The term hacker-proof needs to be used with extreme caution. It is possible to basically pull the signal off of any copper wire with an antenna. The true answer resides in the adoption of fiber optic transmissions. With fiber, there are no radiated emissions from the cables. Knowing content protection is vital to any organization, selecting a fiber product is the first step to protecting against hackers. An example we commonly use is that fiber is similar to a fishing line; it is very hard to see. If the hacker can’t find the line, they can’t hack it.
—Michael DiBella, Solutions Manager, Crestron