In early February, technology solutions provider Diversified, headquartered in Kenilworth, NJ, and GroCyber, a cybersecurity services firm headquartered in Fairfax, VA, announced a partnership. Under the agreement, the two organizations are providing a suite of cybersecurity solutions designed specifically for AV and media companies.
Mathew Newfield, president and chief commercial officer at Diversified, explained that in addition to its integration activities, the company is placing more focus on providing consultative services to its customers. In particular, he noted that customer demand for AV cybersecurity expertise is high.
“One of the things we realized last year is we were getting a lot of requests from our client base to assist them with not only physical security—where we’ve had solutions for a while—but the cybersecurity side of that equation,” Newfield said.
The Diversified-GroCyber offering is divided into three main categories:
Cyber certification. GroCyber acts as an independent third party that tests and then certifies the broadcast environments and components of Pro AV systems based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. (In other words, they will certify the manufacturers and vendors that Diversified works with according to internationally recognized standards.)
Cyber hygiene and monitoring. This includes configuration and access control, as well as hardware and software monitoring and patching.
Vulnerability management. To protect clients’ media assets, consultations focus on designing a secure architecture, plus scanning and penetration testing to identify weak spots within the client’s environment.
Driving Demand
Until recently, cybersecurity wasn’t a big issue for the Pro AV industry because of how systems were deployed. As a result, IT leaders were much less concerned about them.
“In many instances, those systems were physically isolated,” explained Jeff Fillbrandt, VP of technical operations at Utelogy, an AV systems monitoring and management platform developer headquartered in Petaluma, CA. “The AV equipment didn’t touch the enterprise corporate network.”
But because today’s Pro AV systems are no longer air gapped, CISOs and CIOs need to know about how things like patch management, penetration testing, and vulnerability testing will be applied to the Pro AV systems being deployed onto the enterprise network. “Because it’s all IP-enabled—and it’s about speed and being able to get the most streaming possible across the IT platform and where we are going to connect from the streaming environment over to the IT environment—we have to make sure that all of that is patched, updated, and best of breed,” said Alison Kidd, managing partner at GroCyber.
Not only that, but AV professionals must now consider what happens if one of their customers’ systems is breached. “Now you have to have an incident response plan—you have to have the steps [in place] for what you’re going to do if something actually does occur,” Kidd offered. If a customer is compromised through the technology that the AV integrator deployed, the integration firm should be playing a role in assisting the client through the incident.
All of this is extremely important to customers with valuable digital assets. Yong-Gon Chon, managing partner at GroCyber, illustrates it this way: Consider a customer with a media asset library worth almost $1 billion. In a traditional brick-and-mortar library, a thief may succeed at stealing one book. However, in the world of media storage area networks, a threat actor can get away with the entire library. “When you’re seeing that kind of asset value and business impact, it certainly raises the level of concern now that everything is interconnected,” he added.
AV/IT Relationship
This potential level of breach requires a shift in mindset for many in Pro AV. “For a lot of the people who run these AV environments, this is a new world order for them,” Newfield acknowledged. “We are starting to have that consultative conversation to help them set processes up so that their environments can stay up and running, they can do it in a secure manner, and they can get past that wall of the CIO/CISO saying, ‘Here’s the base—you’ve got to be here. And if you’re not here, you’re out.’”
In large organizations, AV teams are starting to operate under the umbrella of the CIO—a promising development, according to Newfield. This convergence is important, because it helps advance the discussion about service-level objectives for both AV and IT, which are often significantly different.
For example, in the broadcast environment, there is little or no tolerance for latency. This is especially taboo in sports broadcasting, where even microseconds of delay are unacceptable. “If you’re putting too many cyber controls on those systems, you could introduce delays,” Newfield said. “Helping to have them change their mindset of how they can put in security controls that are right for them is important.”
Mandates and Best Practices
Cybersecurity requirements are often mandated by regulators and government agencies, Chon noted. For example, the healthcare and financial services industries are highly regulated, which results in the need for integrators working in these markets to adhere to strict cybersecurity practices, such as those outlined in the NIST Cybersecurity Framework.
Contractors working in the public sector may be required to fulfill federal regulations, such as the DFARS Clause 252.204-7012, issued by the Department of Defense (which also lists NIST requirements). Organizations dealing with clients in the European Union must comply with the General Data Protection Regulation (GDPR) and should also take into account the rules set out in the proposed EU Cyber Resilience Act.
All these mandates have pushed cybersecurity to the forefront for everyone, Pro AV companies included. “It’s become incumbent upon the service providers and manufacturers in [this space] to become way more cyber literate,” Chon said.
Often, the first talking point during an initial conversation about a new project is cybersecurity, Fillbrandt observed. In many cases, clients need to know that a vendor or integrator can pass an information security (infosec) review before entering more in-depth discussions on project specifics. “Knowing how to navigate those discussions is critical,” he said.
That said, cybersecurity is a fast-evolving field, and Fillbrandt acknowledged that AV integrators may not have the resources to remain up to date. For this reason, he urges these organizations to lean on their vendor partners for support.
“We want to play an active role to help guide them through the process,” he said. “Those [AV companies] that bring in the appropriate people that can have those discussions, those are the organizations that are delivering value to their customers.”
Cyber Resources for Pro AV
National Systems Contractors Association (NSCA) members who need information on cybersecurity in AV can turn to the NSCA Cybersecurity and AI Committee. According to Mike Abernathy, NSCA’s director of business resources, this committee’s goal is to recognize the cybersecurity standards that have an impact on both NSCA members and their customers, as well as provide resources related to relevant cybersecurity standards, frameworks, and certifications. The group will also examine the impact AI has on the Pro AV integration firms that are using it, offer guidance on data protection for businesses using AI, and explore the legal aspects to consider when applying artificial intelligence.