Streaming video over IP networks isn't a new concept, but AV over IP systems have become commonplace only in the last few years. As with any networked system, networked AV poses certain security challenges.

Given concerns over hacking, cybercrime and the Internet of Things (IoT), fears that AV over IP poses insurmountable security risks are common — and overblown, according to HB Communications. Security concerns should be taken seriously, but proper management leads to a system that is at least as secure as hardwired AV.

What are the major security challenges for AV over IP systems? What opportunities do they present for integrators and organizations? We'll cover some of the biggest questions here.

But when it comes to installing AV systems, IT's No. 1 concern has often fallen by the wayside, according to Doug Hall, product manager of device control for Harman Professional Solutions.

“AV is an industry that started out separate from IT, and then it went through something that we, perhaps infamously, called 'AV/IT convergence,' Hall says. Despite living in a post-convergence world, however, AV professionals don't always know which questions to ask, and IT professionals often respond to that lack of knowledge with silence. “Nobody wants to deal with an issue that they don't understand, so the natural tendency is to avoid the subject altogether,” Hall says.

The result? “Security requirements for AV projects are often discovered at installation or even worse, on commissioning or later when the organization runs a security audit,” says Paul Zielie, Harman Professional Solutions manager of Enterprise Solutions.

AV integrators are increasingly preventing the late-realization problem by discussing security during the planning stages, according to Zielie. Both integrators and the organizations that hire them for AV over IP projects can also benefit from making basic security best practices part of their regular routine. These practices include:

• Changing default passwords
• Creating separate administrator and user accounts with separate privileges
• Enabling auditing logs and disabling unnecessary services
• Enabling encryption

In some cases, Zielie says, there's simply no substitution for old-fashioned attentiveness. Describing one of the limitations of encrypting media streams using HDCP or equivalent, he says, “Even if the stream is encrypted or isolated on another network, the only protection you receive is from network eavesdropping. Anyone who is allowed to book a conference room could listen in to a meeting they are not authorized to attend.”

In other words, minding digital security means minding in-person security, too.

The Internet of Things describes the millions of devices that can connect to digital networks — everything from smartphones to fitness trackers to thermostats. When AV components like televisions or speakers are networked, these become part of the IoT, as well.

And there are a lot of Things. According to analysts at Gartner, the IoT will consist of more than 20 billion devices by 2020 — a number that does not include smartphones, PCs or tablets.

IoT security has been a major concern in recent years precisely because it wasn't a concern in the early days of networked objects, according to Icon Labs. Companies learned the hard way from that early neglect that a networked object can become the weakest point in a system — and thus the easiest to hack.

Internet-connected televisions can contribute to the problem. As Gil Press notes at Forbes, Wikileaks' recent release of CIA documents indicated that a networked TV can be repurposed for information-gathering purposes, even against the will of its user.

As long as AV components like TVs, projectors speakers, and microphones are attached to an IP network, they offer opportunities for hackers. But this same challenge also offers an opportunity.

“Standard PC security solutions won't solve the challenges of embedded devices,” Icon Labs says. “In fact, given the specialized nature of embedded systems, PC security solutions won't even run on most embedded devices.” Instead, Icon Labs notes, IoT security must be carried out at the device level.

AV over IP, however, offers more than one opportunity for protecting data within the system. Options include:

• Device security. As both Icon Labs and Wendy Zamora at MalwareBytes Labs note, most IoT things don't play well with traditional security tools. In order to remain secure, these devices need their own internal security solutions. Investing in AV system with devices that come with security embedded, however, is currently costly and limits the range of available options. Fortunately, less-secure devices can be connected to networks in other ways without creating vulnerabilities.
• Stream encryption. Tools like Zio's AV over IP encryption focus on the streaming AV data itself, encrypting the stream so that even if it is intercepted during transit it's inaccessible to the interceptor. Decryption tools on the receiving end ensure the stream can be presented to its rightful viewers or listeners without interruption.
• Encoder/decoder encryption. One way to address both the thing-level security gaps and stream encryption simultaneously is to build encryption tools into the video encoder/decoder points, Matrox points out. Since video signals often must be encoded for streaming (and decoded for viewing), a switch that encrypts as it encodes puts security at the device level — at the switch — while ensuring the stream is secure throughout transit.

As security becomes the next Internet of Things hot topic, security options for components and transmission alike will improve. However, organizations seeking to upgrade to secure AV over IP needn't wait for these built-in tools to become commonplace. Instead, integrators can incorporate security measures using existing tools and protocols.

Many organizations allow or even encourage Bring Your Own Device (BYOD) policies that allow users to connect their own laptop, tablet, or other device to a network for AV purposes. These policies make it easier for people to work anywhere, and they can save a company money by reducing its own expenditures on items like PCs and tablets.

They can also poke massive holes in a company's AV security. To cite just one example, a video presentation streamed from an employee's own laptop may not be encrypted, making it vulnerable to unauthorized viewers.

While AV integrators are not typically in the business of providing “how to mind your cybersecurity” seminars, they can pass along a few tips to clients — and implement these tips themselves.

Nathan Spell at Synergy CT recommends adopting the following policies as a baseline:

• Change default system, home and Wi-Fi passwords.
• Turn off Wi-Fi and Bluetooth when not in use (bonus: it can help save your battery, too).
• Use a reputable antivirus software and update it regularly.
• Don't access public Wi-Fi points from personal devices.

In some situations, an organization may wish to make these points part of their requirements for using the BYOD privilege. In others, a ban on BYOD altogether may be the best way to protect sensitive information such as medical records or other data.

Integrators who understand the security challenges of AV over IP can often have fruitful conversations with IT teams while preparing a project for a client. But talking to other client stakeholders can be a different story.

As Cristina Chipurici at Heimdal Security notes, myths about network security abound, and even the best-versed professionals can fall prey to them on occasion. Some of the most common misconceptions include:

• “Our business/network is too small and unimportant to interest hackers.”
• “We already have antivirus software/firewalls/another security measure, and it works fine.”
• “Our AV integrator's recommended measures are too expensive, or just an attempt to upsell us something we don't really need.”
• “We only access information from trusted sources, so we can't get exploited.”
• “We will definitely know the moment something goes wrong.”

While these objections can be exasperating, they also reveal a key opportunity for integrators.