Security Essentials for Next-Level Networked AV

Security Essentials for Next-Level Networked AV

The evolution of devices and media requires a strategic approach to networked audiovisual security that pivots around the use case while staying vigilant against rogue access.

The evolution of devices and media requires a strategic approach to networked audiovisual security that pivots around the use case while staying vigilant against rogue access.

AV managers: How secure is your security? No, this isn’t a word game or an AV brainteaser. A candid discussion of networked AV security in 2018 must start with the acknowledgement that security is itself a moving target. As AV/IT convergence continues and more facilities specify AV-over-IP designs, and as the industry moves further away from point-to-point systems, security planning for AV content and devices will continue to evolve. The goal, many AV stakeholders argue, should be a strategic approach to networked audiovisual security that pivots around the use case while staying vigilant against rogue access.

SECURE ENOUGH?

As Paul Zielie, industry expert and manager of enterprise solutions at Harman Professional sees it, the AV use case is a critical factor when thinking about security and planning more secure designs. An AV manufacturer can and should share their product’s security attributes, but to suggest that any one device is totally and completely secure for all manner of applications is misleading. “‘Secure’ is a business value judgment,” Zielie said.

The MaestroZ management platform supports HTTPS (HTTP over TLS or SSL) to secure browser-based communications and AJAX/JSON API calls. It also supports SSH to secure remote terminal communications for scripted procedures.

The MaestroZ management platform supports HTTPS (HTTP over TLS or SSL) to secure browser-based communications and AJAX/JSON API calls. It also supports SSH to secure remote terminal communications for scripted procedures.

“The determination of ‘secure’ is always going to be ‘secure enough,’” he added, “and ‘secure enough’ is the judgment of the risk owned by the person who would suffer the loss.” Even with traffic separated by VLANs, there will still be sensitivities, and networks must be tightly managed and controlled.

Therefore, the notion that the same AV equipment—what would be potentially secure for a sports bar versus a banking facility—is “irresponsible,” he argued. Instead, what he suggested is an honest discussion of the system’s available features and the “potential known ways that things can go wrong.” If a known risk is realized, identify and itemize all impacts. Known risks and impacts must be clearly defined.

Nic Milani, director of commercial product marketing, Crestron, concurred, suggesting that it has never been more important to have robust conversations about AV security with stakeholders in IT, AV, and pertinent departments such as facilities management. A “common friction point,” Milani said, is that not enough AV professionals are talking with the IT departments about AV security, and he is working to bring more transparency to the issue.

ONE SIZE FITS NONE

For Zielie, understanding the use case, risk profile, and how they relate to potential liability are essential elements of security planning; they cannot be underestimated or overlooked. What is required for the security of content at home versus a worship venue, versus a government or hospital are vastly different.

Indeed, there is “no one answer” for security, according to Steve Metzger, CTO and co-founder of ZeeVee, a manufacturer of AV-over-IP and RF-based distribution products. “It all depends on how you approach the situation,” he said.

Metzger shared the example of a hospital operating theater with sensitive information and delicate, ultra high definition resolution content. That tech team might invest in a purpose-built data network—an IP network just for that information. There would be basic security through “isolation and deployment of a separate infrastructure for the extremely sensitive data, and then you can control the access points,” he said.

Science meets art, however, when the AV team needs to make the data accessible somewhere else in the network; a gateway function between the networks would then need to be tightly access controlled. “You can design the network so that it is inherently secure,” Metzger said, “in which case the data itself doesn’t have to be as secure, but you have to build it in such a way that you cannot have a rogue listener appear on that network.”

On the opposite extreme, Metzger noted, a college campus might distribute streaming content from traditional sources—the network and the cable providers—in addition to local college content. In that case, you might use the data network, not a purpose-built network. Again, access would have to be exceedingly controlled. “You’re going to have to layer on a security system on top of the access method that ties into an LDAP (lightweight directory access protocol) database to make sure that only those approved listeners with their approved clients can access that data. That is an IT department-heavy responsibility for security.”

Those two examples—a purpose-built network and a college campus scenario using traditional and defined IT methods—would each require close scrutiny and protections applied in nuanced ways. Much of it comes down to, once again, the specific use case: what are you trying to do with this AV system?

Even with an active directory in place, is it secure enough? Nic Milani said that Crestron has worked diligently to focus on AV security the past few years and hone the company’s message about this important topic. In 2018 and beyond, as AV devices “become true IP endpoints,” he said, vulnerabilities will increase and application specifics must shape security protocols. Authentication will become even more important.

One methodology for authentication is 802.1X. According to the IEEE, 802.1X is a standard for port-based network access control (PNAC). It is part of the IEEE 802.1 group of networking protocols, and it provides an authentication mechanism to devices wishing to connect to a LAN or WLAN.

(MIS)UNDERSTANDING ENCRYPTION

ZeeVee ZyPer4K encoders and decoders support standards-based encryption, providing an additional layer of security for both dedicated and shared IP networks. All AV traffic between encoders and decoders is automatically encrypted using the proven AES-128 algorithm.

ZeeVee ZyPer4K encoders and decoders support standards-based encryption, providing an additional layer of security for both dedicated and shared IP networks. All AV traffic between encoders and decoders is automatically encrypted using the proven AES-128 algorithm.

Like authentication, encryption technologies exist for several aspects of AV-over-IP systems, and they address multiple areas of AV system design. According to the Matrox whitepaper, AV over IP Fundamentals, some products provide encryption on the command-and-control signaling to encoder and decoder devices. “This offers security against hacking the actions of the boxes—including turning streaming on or off, or switching what source is being displayed. Another security aspect is the ability to encrypt the video streams themselves,” according to the Matrox report.

It’s crucial to understand what devices should and shouldn’t be on the network, and identify who should be allowed to access the devices, and when.

It’s crucial to understand what devices should and shouldn’t be on the network, and identify who should be allowed to access the devices, and when.

ZeeVee underscored the importance of securing the video data stream, which it does in its ZyPer4K product using AES-128 encryption. “Because we are securing the data stream, this adds another level of security on top of any security measures employed in the data network design, making it ultra secure,” said Garth Leach, the company’s director of marketing.

Crestron’s Nic Milani urges AV managers to focus on the protection of information being transmitted between the endpoints, while keeping in mind that encryption evolves, too. SSL encryption, AES encryption…what’s next? The HDCP paradigm might protect content and safeguard against snooping on the network, but it doesn’t protect from diverse insider threats. Vendors must be able to keep up with fast-moving trends. It is also important to understand what devices should and shouldn’t be on the network, and identify who should be allowed to access the devices, and when. Milani added that Crestron prioritizes the AV/IT ecosystem in context, not just specs alone, when creating solutions.

A HOLISTIC VIEW

The AMX N2400 Series of AV-over-IP encoders, decoders, and processors include net-centric features such as support for Active Directory, 802.1x, TLS security, AES128 encryption, and POE+.

The AMX N2400 Series of AV-over-IP encoders, decoders, and processors include net-centric features such as support for Active Directory, 802.1x, TLS security, AES128 encryption, and POE+.

With the countless ways networked AV can be approached, how can tech managers be proactive, rather than reactive, about security?

“A strategic plan,” Paul Zielie said, “would be to understand and disclose the applicable risks to the asset owner—the asset under risk being information, in this case—and have them understand if what they have in place… adequately protects their asset. Again, it is essential to understand what the application is and the nature of the enclave needing protection. Is it a room? A campus? Are there other layers of protection required around AES encryption, which would traditionally meet the requirements of network security teams? Data in transit and data at rest on a hard drive require different strategies. The real-time world has introduced new vulnerabilities that tech managers cannot dismiss.

Furthermore, if an AV manager wanted to tie in Skype for Business into an existing system, should that meeting be “owned” by the room or a specific user? The industry has been exploring network and platform security, but “identity” is ever important as more learning, workplace, and collaborative environments migrate to the cloud.

Bottom line: “Security is holistic,” Zielie emphasized. In 2018, AV security fundamentals haven’t changed, but moving beyond the awareness of passwords and directories, AV managers need to explore smarter ways to build and protect rooms so that myriad functions—the full features and conveniences of the AV systems—are available to the right people with the right requirements for those privileges.

Crestron’s Nic Milani urges AV managers to focus on the protection of information being transmitted between the endpoints, while keeping in mind that encryption evolves, too.

Crestron’s Nic Milani urges AV managers to focus on the protection of information being transmitted between the endpoints, while keeping in mind that encryption evolves, too.

Where ZeeVee offers an advantage with security, Steve Metzger said, is by providing an infrastructure to tile everything together so that the individual AV integrator does not have to become “an expert” in all aspects of data and the network. “That’s part of our job: to educate and then come up with reliable, flexible solutions that interoperate. Then you can secure it without necessarily having to become a security expert. That’s how we add value as a company.”

Hackers get smarter and vulnerabilities increase every day, but Zielie is encouraged by the level of awareness and the number of manufacturers starting to implement security as required by customer communities within their products. He again urges the AV industry to think about the entire end-to-end application, not just the administration of the product and what would be considered “the network” or underlying platform security. “It’s ongoing,” Zielie said. “It’s not one and done.”

Margot Douaihy is a writer, video host, and AV storyteller. She serves as the editor-at-large of AV Technology and she teaches at Franklin Pierce University.

Do Your Security Homework

The AV Technology Manager’s Workbook to AV Security, sponsored by Harman, covers:

* Learning Objectives & Thought Leadership
* Defining the Objectives of AV Security
* Creating a Security Requirements Analysis
* How to Determine Organizational Requirements
* Analyzing the Security Risk

* Establishing a Risk Response, and much more.

A free download is available via https://www.amx.com/en-US/premium-content_workbook-to-security-and-networked-av

Security Terms

* SSL is deprecated, and the more accurate term is TLS, as it replaced SSL. TLS is an authentication and secure session protocol that can use a number of different encryption algorithms including AES.
* AES is an encryption algorithm.
* The HDCP paradigm is that any valid receiver can decode any valid source. This means that content is only protected from invalid receivers (presumably snooping on the network) but not from accidental or malicious use of a valid receiver (unused conference room).
—Source: Paul Zielie, Manager, Enterprise Solutions, Harman

Info

HARMAN
pro.harman.com/applications/enterprise

CRESTRON
crestron.com

MATROX
matrox.com/graphics/en/press/guides/avover-ip-fundamentals

ZEEVEE
zeevee.com

Margot Douaihy, Ph.D.

Margot Douaihy, Ph.D., is a lecturer at Franklin Pierce University.