The SolarWinds Orion supply chain compromise is sounding alarm bells across the technology landscape, and that should include the professional audiovisual industry, cybersecurity experts say.
Especially as audiovisual integrators adopt more IT technologies and deploy systems over IP, the industry needs to do a better job of preparing for a cyber attack like the SolarWinds compromise in which hackers inserted malicious code into an update of the Orion platform to gain access to potentially thousands of customers.
From there, the Russian hackers were able to access the networks of U.S. government agencies and other technology companies. They even viewed some source code in Microsoft’s environment. About 18,000 customers were using the affected version of the SolarWinds program, but the extremely targeted attack has only impacted an estimated 250.
AV Needs to Align with IT
MJ Shoer, senior vice president and executive director of the CompTIA Information Sharing and Analysis Organization, says this kind of attack leveraging a commonly used remote management software tool that isn’t necessarily new.
“It’s the sophistication and depth of this one that’s got all the alarm bells going off,” Shoer says.
One of the most prevalent trends in the AV world is the merging of the worlds of IT and AV, but the cybersecurity expertise has been slow to translate to the other side, leaving integrators and the AV supply chain susceptible to an attack that could affect not only integrators, but their customers as well.
“That space needs to more closely align itself with the traditional IT space as it relates to cybersecurity – no question,” Shoer says.
The IT industry itself – along with cybersecurity experts and Big Tech – was unaware of this hack until last month, although researchers believe this attack has been ongoing since at least March.
Now, there’s a growing belief that there are additional access vectors by which hackers infiltrated organizations aside from SolarWinds, which should alert the pro AV industry to the possibility that this kind of attack could eventually impact the AV supply chain.
“It’s something the industry has been concerned about for quite some time,” Shoer says.
Pro AV cybersecurity isn’t where it should be
Until the last few years, the AV industry has considered itself as secure as any other because it had been isolated from the client network so when there is a compromise, the customer is shielded from that harm.
However, new AV technologies like unified communications now needs to be on both networks, says Frank Padikkala, a design engineer and IT expert with Diversified.
“We actually have now established a bridge between the two,” he says. “It was there in the past as well, but it was easier to kind of separate the two. Now, it’s all converging.”
Historically, integrators have taken approaches to pro AV cybersecurity that Padikkala says don’t meet today’s standards.
Some commonly used phrases include, “Just put it on it’s own switch,” or “Just put it on an AV VLAN.”
“It’s never that simple,” Padikkala says. “It’s not about doing a single statement. It’s a process and it’s a perspective of how you look at it.”
Instead, integrators need to think about pro AV cybersecurity as layers, especially as hackers seize upon hardware and software vulnerabilities until they are patched.
“They need to have the skill set to go back and say, “Yes, this could be a potential security issue.”
More Cybersecurity Conversations Encouraged
As more details of the SolarWinds hack are uncovered and other attacks unfold daily, clients are going to demand that integrators and the tools they use be rigorously vetted from a cybersecurity perspective.
Looking at it from an IT manager’s perspective, audiovisual systems are now essentially endpoints on the network.
“We have to play by the same rules that every other box on the network plays by,” Padikkala says.
Now, integrators need to invest in their own cybersecurity knowledge so they can identify potential security issues when deploying an AV system.
If IT and cybersecurity experts weren’t prepared for this, then the pro AV world isn’t either.
This means the convergence of IT and AV must also mean a convergence of cybersecurity standards and best practices along with a more focused effort to increase the pro AV cybersecurity knowledge within the industry.
“We need to work more closely together,” Shoer says.