On episode 229 of AVWeek we heard the story of malware being loaded on some unprotected control systems. This was not the control system’s fault but that of the integrator who did not put a password on the system. However, it brings to light a point I have been trying to make for a number of years: we need to worry about security.
When I ask manufacturers, integrators and programmers about security concerns, more often than not I receive a quizzical look back. My favorite retort I’ve ever received was, “Who wants to break into a control system?” The question is not if but when someone will try to hack into your control system.
The systems today are not those of years past. My first control processor did not have a network connection and was used to adjust lighting, sound and shades in one of the many conference centers of the college where I worked. It was installed in the early ’90s and was a rock star.
The system that replaced it was required to be on the network. Without that functionality we would not have been able to troubleshoot the system, remotely manage it or schedule it for powering up or shutting down. These are all features that have become requisite in today’s campus environments.
So the control systems are on the network; big deal, some will say. In addition to being on the network, they also control, or are able to control, a number of other systems. You can interface with HVAC, lighting, security, EMS and other systems that are vital to your campus, business or home. Give someone access to the control system and you give them access to all those other systems.
In addition, any device on the network that has been compromised is a security threat. With malware installed, a malicious hacker or company can access anything else on your network. If you are found to be the one who allowed the device onto the network, you may be liable for any damages.
There are a few ways to protect yourself and your client. Number one: use a password on the devices. These logins and passwords are part of the deliverables to your client at the end of a project.
Another thing you can do is put your devices on a network separate from the client’s, with a single connection between the two. You can put in physical or virtual firewalls, take the system off the network or block ports.
Regardless of what you do, you need to do something. Security in AV has been lax for far too long. It is time that we take our systems as seriously as IT takes theirs.