Internet, IoT, Cybersecurity, and Pro AV

By Alan C. Brawn, CTS and Jonathan Brawn, CTS

Suffice it to say, we are all now fully immersed in what can be easily identified as the next big chapter of the information age. This era began with the launch of the first workable prototype of what we now call the Internet in the late 1960s. By 1990, the information world expanded into the “network of networks” with the invention of the World Wide Web. The web helped popularize the internet far beyond early adopters and simple data transmission, and ultimately served as the crucial next step in developing the vast trove of information that most of us now access daily. Although some of us may not have recognized it at the time, this was also a pivotal turning point for pro AV. Our story is about the overriding presence and effect of the internet, the tangible nature and growth of the internet of things (IoT), the expanding role of threats and cyber security, and the significant opportunities this poses to pro AV.

Today, we sit well beyond the turn of the 21st century… and we are now experiencing what this technology revolution has brought us.  It is estimated that there were 413 million internet users in 2000. There are now 4.39 billion internet users as of the end of 2019, an increase of 366 million (9 percent) from January 2018. The “pipeline” is there along with an ever-increasing availability of “tributaries” to feed it. Today the hottest topic in our information evolution is the introduction of “things” to connect to the internet and the inherent ability for them to talk to and among themselves. We now find ourselves firmly planted in the era of the Internet of Things (IoT). As this continues to grow in both concept and products, we are now able to see the ramifications of IoT for pro AV.

In its basic form, the Internet of Things (IoT) describes an interconnected network of physical devices that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated commercial and industrial applications. With more than 7 billion connected IoT devices today, experts are expecting this number to grow to 10 billion by 2020 and 22 billion by 2025. It has been accurately described as our hyperconnected world, with digital systems that can record, monitor, and adjust each interaction between and among connected things.

All this plays directly into the hands of the pro AV community, providing us a vast array of new design, integration, and service opportunities. What began with designing and integrating stand-alone audio-visual devices and systems in a space has expanded over the last twenty years, driven by the demands of network connectivity and, most recently, by IoT-capable devices coming out of the woodwork. There is a lot more to work with than ever before.

The pro AV job continues to revolve around displays, signal distribution, and control, but it is not just these individual pieces of the pro AV pie that are expanding; rather the entire pie is growing. The task at hand increasingly encompasses all rooms, all technologies… all connected with the ability for each to talk to one another as necessary. IoT increases the number of devices to be connected. We have smart environments, not just rooms but entire buildings and campuses. We have digital signage as a multi-faceted communication medium and then add mobile devices to the mix (with the complexities of BYOD) and the opportunities to expand on what a pro AV integrator can provide are nearly endless.

The foundation of these opportunities is the ability for devices and people to be connected. This is where networks and the internet come into play. As we know, the common denominator of any device that has access to the Internet, is the need to be assigned a unique, numerical IP address. To send data from one device to another through the web, a data packet (using one protocol or another) must be transferred across the network using the IP addresses of both devices. Without IP addresses, devices would not be able to communicate and send data to each other. It’s essential to the infrastructure of every network, and the internet as a whole. As the numbers of available devices increase (think IoT), so does the need for more IP addresses. We know for a fact that IoT devices are being introduced at a rapid rate… so what challenges does this present?

Most know that the predominant way to access a network has been (and to a large extent still is) via Internet Protocol version 4 (IPv4) created back in 1983.  From where we sit today, with the emergence of IoT and the cloud, this protocol standard presents some real bottlenecks. These are addressed (pun intended) in the latest version of the protocol finally being adopted, IPv6.

Since every networked device needs an address, the bottleneck with IPv4 is that it has a hard limit of 4.3 billion addresses. This comes from the way addresses were originally designed: constructed of 4 sets of up to 3 digits (called octets, because each value is 8 bits), each ranging from 0 to 255 and separated by a period. This meant there were 4.3 billion possibilities for an address, from 0.0.0.0 to 255.255.255.255. Because of how IP addresses work, each address may only be used once on a given network. While that may sound like a lot, with the advent of the Internet of Things, the concept of communicating across multiple interconnected networks of independent devices, it is estimated that we will reach 20 to 30 billion connected devices by 2020. Redesigned from the ground up to deal with this limitation, IPv6 has a total range of 340,282,366,920,938,000,000,000,000,000 billion addresses! IPv6 uses 8 values, each consisting of 4 hexadecimal digits (called hextets, because they are 16 bits). This allows for the dramatically increased number of available addresses, far more than our current understanding of technology can foresee using. Translated for us mere mortals, this means that with IPv6 we do not have to worry about available network addresses for a long, long time. Of course, this raises the question: why have we not already migrated to IPv6?

The biggest factor holding back IPv6 deployment is cost. It costs time and money to upgrade all the servers, routers, and switches making up the network infrastructure already deployed, one that was designed (and in many cases installed) before IPv6 was developed and that has for so long depended solely on IPv4. While most of these infrastructure devices could hypothetically be upgraded, many companies prefer to wait until they need to be replaced. Because ALL devices must support the new protocol to allow us to make the switch, this process of attrition has slowed things down.

The transition is happening, but for now IPv4 and IPv6 operate simultaneously. Google reports that globally about 14 percent of its users access it over IPv6, up from less than 10 percent one year ago. The progress of deployment varies between countries. The good news for pro AV integrators is about half of US users now use IPv6 according to Comcast. The key element for the pro AV integrator is understanding the growing need and becoming a part of the transition process.  This is the right time and right place for the pro AV integrator to provide value!

Before we turn our attention to the 800-pound gorilla in the room, the dangers of cybersecurity, let’s see where another popular buzzword, the cloud, fits into all of this. In the simplest terms, the cloud is the concept of decentralized computing and data storage that allows us to store and access data and run programs over the Internet instead of locally on your computer’s storage, or via an on-premise server. Cloud storage involves depositing data on servers in a remote physical location, which can be accessed from any device via the internet. With the proliferation of IoT devices this increases the sheer numbers and amount of data that will be addressed on the cloud by an ever-increasing large part of the population.

For organizations today, migration to storing data on cloud services is the next big thing because it allows scalability, flexibility, and device independence. Here are 10 significant benefits of online data storage in the cloud:

  • Usability and Accessibility
    • It is easy to save all the files and data in the cloud; no technical knowledge is required for this purpose. The stored files can be easily accessed from anywhere in the world with an internet connection.
  • Disaster Recovery
    • Cloud storage creates a backup of the files stored. These files are stored at a remote location and they can be retrieved and accessed at any time.
  • Cost Savings
    • Users can ensure cost savings because internal power and resources are not required separately for storing the data.
  • Easy Sharing
    • Data stored in cloud storage can be easily shared with access to a particular cloud environment.
  • Automation
    • With cloud storage technology, the tedious task of data backups is simplified through automation. You simply select what you want to back up and when you want to back it up, and your cloud environment takes care of the rest.
  • Collaboration
    • A cloud environment enables multiple people to access, edit and collaborate on a single file or document. People can access the cloud environment from anywhere in the world and collaborate in real time.
  • Scalable Service
    • Cloud hosting enables vertical as well as horizontal scaling and you only pay for the resources that you use. You can scale your cloud hosting environment whenever required and you can also define the attributes of scaling the cloud. This ensures more flexibility and large storage space.
  • Synchronization
    • While using local file storage you can only access your data from a certain location. With cloud storage, accessing files and synchronizing them can be done easily with any device through an internet connection.
  • Convenience
    • The data that is stored in a cloud is backed up online and it can be accessed from anywhere. Information is automatically saved as it streams in. There is no need for you to save, label or track information. The convenience of online cloud storage enables you to completely concentrate on your work without getting stressed about data loss.

Without doubt, cloud storage and backup of all IoT devices can be beneficial for most types of businesses. It doesn’t require any huge capital investment or upkeep, and it can be actively used for connecting and collaborating with clients and employees, anytime and on any IP-capable device where an internet connection exists. While the benefits of IoT and cloud computing are indisputable, the downside to all this proliferation of information is network information security. Securing connected devices and the unlimited storage of all that data is a need to be filled, and herein lie even more opportunities for pro AV in partnership with the IT community.

The raw fuel driving our new information age is big data.  Businesses and institutions of all types transmit and store unprecedented amounts of data on computers and other devices. A significant portion of that data may well be proprietary information, intellectual property, financial data, personal information, or other types of data for which unauthorized access or exposure could have negative or even existential consequences. This is yet another one of those “necessity is the mother of invention” situations that must (and will) be addressed. The need for increased information security has taken on a life (and business) of its own and has become omnipresent in our daily lives.

Some would rightfully say that we have known about network security for some time. When network security came into our lexicon many years ago, for the home user it might have meant an anti-virus program on the PC, and for a business, a more sophisticated version used by corporations behind their firewalls. This may have been enough in the early days… but with IoT, cloud computing, and the onslaught of massive amounts of data that we have today, it all goes far beyond installing a simple program. It is fair to say that coincident with the expansion of big data and IoT is an expanded version of security commonly referred to as cybersecurity.

Cybersecurity refers to the broader body of technologies, processes, and practices designed to protect networks, devices, programs, and ultimately data from attack, damage, or unauthorized access. As far back as 2013, the nation’s top intelligence officials cautioned that cyberattacks and digital spying are the top threats to national security, eclipsing even terrorism.

The Department of Homeland Security began addressing cybersecurity as a significant national security concern back in 2007, and in November of 2018 the legislation creating the Cybersecurity and Infrastructure Security Agency (CISA) was signed into law. CISA leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure. Its website provides cybersecurity resources and best practices for businesses, government agencies, and other organizations.

According to CISA the elements of cyber security (applicable to government and business alike) encompass all the following:

  • Network security
  • Application security
  • Endpoint security
  • Data security
  • Identity management
  • Database and infrastructure security
  • Cloud security
  • Mobile security
  • Disaster recovery/business continuity planning
  • End-user education

Each of these elements must be addressed individually. One size and one approach does not fit all. These elements are where a partnership between pro AV and IT can be established. The hardware, software, access, and security must go hand in hand if a high degree of security is to be achieved.

CISA rightfully points out that individuals are the biggest risk for a security breach. The most difficult challenge we all face is the ever-evolving nature of security threats. It is important to note that organizations and the government have focused most of their cyber security on what is known as perimeter security. This approach protects only their most crucial systems and defends against known threats. As one CISA expert points out, “Today, this approach is insufficient, as the threats advance and change more quickly than most organizations can keep up with. As a result, advisory organizations promote more proactive and adaptive approaches to cyber security.”

“The most unpredictable cyber-security factor is people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.” – CISA

Source: CISA

If we turn our attention to the National Institute of Standards and Technology (NIST) they issued guidelines in their risk assessment framework that recommend a shift toward continuous monitoring and real-time assessments, a data-focused approach to security as opposed to the traditional perimeter-based model. For both pro AV and IT this can be part of a managed services approach.

In March, US lawmakers introduced a bipartisan bill into Congress that would require IoT makers selling devices to the government to follow guidelines produced by the National Institute of Standards and Technology. Known as the Internet of Things Cybersecurity Improvement Act of 2019, the bill is the third time that federal legislation has been introduced to require security measures by connected device makers. A bill to govern IoT security has been introduced into Congress annually since 2017.

Lest we think that cybersecurity is being left to the federal government to address a set of problems that is even bigger than they are, rest assured others are on the case. States are beginning to take things into their own hands. California is the first state to do so with bill SB327. Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess. During the creation of SB327, one pundit lumped the acronym IoT into what he calls an Internet of Threats!

To be sure, this is a first step and mainly deals with an authentication process for all IoT enabled devices sold in the state. It prevents “unauthorized access, modification, or disclosure”. The law specifies that “single hard-coded passwords are not allowed, and each device must either have a unique passcode or require the user to generate a new passcode before using the device for the first time”. While this addresses some threats, it is viewed by security experts as the first of many steps to come as we wrap our arms around setting up effective cybersecurity barriers.
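An inventory check for the credential rule described above, as an added example (not from the article or from the statute text). The device fields, the sample fleet and the short list of generic passwords are constructed assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Illustrative generic defaults (constructed list, not from the article or the law).
GENERIC_DEFAULTS = {"admin", "password", "1234", "0000"}


@dataclass(frozen=True)
class Device:
    serial: str
    model: str
    remote_access: bool           # reachable from outside the local area network
    factory_password: str         # as recorded on the provisioning sheet
    force_change_first_use: bool  # user must set a password before first use


def _fingerprint(password: str) -> str:
    # Group by digest so the audit never has to echo a credential.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_credentials(devices):
    """Return {serial: reason} for devices that fail the rule as the article states it."""
    counts = Counter(_fingerprint(d.factory_password) for d in devices)
    findings = {}
    for d in devices:
        if not d.remote_access:
            continue  # the rule as described covers access from outside the LAN
        if d.force_change_first_use:
            continue  # option 2: user sets a new password before first use
        # Option 1 requires a password unique to this device.
        if d.factory_password.lower() in GENERIC_DEFAULTS:
            findings[d.serial] = "generic default password"
        elif counts[_fingerprint(d.factory_password)] > 1:
            findings[d.serial] = "factory password shared with another device"
    return findings


# Constructed sample fleet of pro AV devices (all values are made up).
SAMPLE_FLEET = [
    Device("DSP-001", "audio DSP", True, "admin", False),
    Device("DSP-002", "audio DSP", True, "admin", True),
    Device("CAM-101", "PTZ camera", True, "Kx7#pQ2m", False),
    Device("CAM-102", "PTZ camera", True, "Kx7#pQ2m", False),
    Device("DISP-201", "display", True, "r9T!vB4z", False),
    Device("CTRL-301", "control processor", False, "admin", False),
]

if __name__ == "__main__":
    for serial, reason in sorted(audit_credentials(SAMPLE_FLEET).items()):
        print(f"{serial}: {reason}")
```
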

While California is the first state to enact such a law, it does not stop at the state line. This law will have a ripple effect on products sold nationwide. Most manufacturers of IoT products will not have a separate product for California compliance and one for the rest of the country. To paraphrase a quote about Las Vegas, we can safely say that what starts in California does not stay in California.

What we can say is that we are still relatively speaking in the early days of cybersecurity at the national level and states enacting their own laws governing cybersecurity.  It behooves pro AV providers to become educated about the issues and then get involved with existing and potential clients.

As with so much in pro AV and IT, involvement begins with a needs analysis. For cybersecurity, it is recommended that a top-down (before not after) approach takes place in which corporate stakeholders circle their wagons and prioritize cybersecurity management across all business practices. Companies must be prepared to “respond to the inevitable cyber incident, restore normal operations, and ensure that company assets and the company’s reputation are protected.” Guidelines for conducting cyber risk assessments focus on three key areas:

  • Identifying an organization’s most valuable information requiring protection
  • Identifying the threats and risks facing that information
  • Outlining the damage an organization would incur should that data be lost or wrongfully exposed.

Following the creation of a formalized cyber risk assessment, a company needs to develop a SMART plan (Specific, Measurable, Achievable, Realistic, Timely) to mitigate the risk, thus protecting the most valuable information outlined in their assessment. Then they need to implement an effective process and plan to detect and respond to security incidents. This plan should encompass both the processes and technologies required to build an effective cybersecurity program.

Cybersecurity threats affect all industries, regardless of size. Cybersecurity is not a “one and done” concept. It is evolving and ongoing, a moving target.  Dangers and attacks are increasingly sophisticated. Vulnerabilities will be discovered and exploited. Security programs continue to evolve new defenses as cybersecurity professionals identify new threats and new ways to combat them.

All of us reside in this latest chapter of the information age including the pluses and minuses. On the plus side internet use is not just expanding, it is growing exponentially right before our very eyes. New and improved IoT devices crop up daily providing more touch points on our networks (estimates number in the billions!). Cloud computing expands our ability to store data at heretofore unattainable rates and amounts. IPv6 takes addressability beyond the concerns of numbers of devices able to attach themselves to our networks. We certainly have a lot more to work with and support. On the minus side comes the vulnerability and risk of unwanted and unplanned intrusion into all of that which is ours. Depending on the level of a security breach it can have existential implications.

As pro AV professionals we need to understand the implications of what all of this means to our clients, both the positives and negatives. We need to provide value considering all that is new. It is not about the things but what can be done with them. We need to wrap all of this up in carefully designed “packages of things” and services that are tightly designed, controlled and monitored. Herein lies opportunity and the future for pro AV in the next chapter.