As part of the schedule of events for Symco’s upcoming regional Technology Showcases, SCN editor Lindsey Adler will be sitting down with cybersecurity experts for high-level discussions about the issues that AV integrators and consultants are clamoring to learn more about as they increasingly face network security challenges. The first event will be held on April 5, 2016 in Philadelphia, and the second in Washington, DC, on April 7, 2016.
In preparation, here’s a short Q&A of what attendees can expect to hear more about from Joel Bilheimer, VP of cybersecurity at Pershing Technologies, at the Washington, DC showcase. But first, we’ll learn a little more about him.
SCN: Describe what a typical day of work involves for you.
Joel Bilheimer: A large portion of what we do is architectural and policy analysis for security, which can be done anywhere at any time (I’ve sent many an email at two in the morning!). For those efforts, we’re reviewing compliance policies, interviewing SMEs (which could be vendors, integrators, or customers), performing gap analyses, developing alternative architectures, proposing policy addenda, and writing, writing, writing. Then, of course, we write some more.
The other part of our program is typically a technical deep-dive in a laboratory environment. There, we are running test scripts, scanning tools, physically auditing systems and users, and generally validating products and applications in a real-world production environment. In that environment, we pay more attention to interoperability with other systems and daily operations. For example, if a product has the ability to use syslogs for auditing purposes, we would validate that it actually connects to a secure syslog server via encrypted protocols.
I suppose one way to describe the difference between the two approaches is that the former is a design-oriented or white-box methodology while the latter is implementation-oriented or black-box. Most projects require both; it’s mostly just a question of where we end up on the continuum.
SCN: Since your early career was rooted in audiovisual, what was it like to transition from AV to a cybersecurity role?
JB: I first began focusing on cybersecurity as part of my AV/networking background. About a decade ago, I was lucky enough to be posted on a long-term secure VTC testing effort for a major DoD agency, which required me to learn on the job about enterprise security and compliance procedures within the context of a global architectural framework. I couldn’t have asked for a better environment to be initiated into that world, and, to this day, I use techniques and practices I first honed there.
For the next few years, I had my feet in both worlds, as I managed, designed, and/or implemented video networks in various highly secured environments within DoD. Everywhere I’ve worked, we strongly promoted talent from within the organization, which in this case meant cross-pollinating between the AV, VTC, network, and what was then called Information Assurance (IA) branches of each operation. We simply didn’t have the resources for our engineers and technicians to be siloed, so we always strove to train, shadow, and grow our teams organically.
One thing that necessitated this approach was the fact that we were the personnel responsible for a given audiovisual network if things went south. “Network guys” didn’t care what happened “outside the wall,” while “AV guys” were only vaguely aware that IP connectivity served any purpose other than email—so we couldn’t allow ourselves to be just one or the other. This knowledge gap between the user, the service provider, and the vendor exists to a certain extent everywhere in technology, but I think we can all agree that it’s markedly more pronounced in the AV industry. I’d like to think that Pershing Technologies has done a decent job of helping the industry move forward as a whole as we push to bridge these gaps for our customers.
SCN: How does your AV experience inform your perspective in your current role?
JB: For most of my career, we’ve focused on projects and customers that link multiple independent systems into a coherent operational whole, which we refer to as a “system of systems.” An example might be an organization that features broadcast recording and editing suites, VTC operations centers, satellite downlinks, and conference centers, all of which feed into an online content archive, which is accessible to enterprise desktop and mobile users for Video-On-Demand and live streaming, as well as digital signage and overflow nodes throughout the various facilities, all of which are managed by enterprise automation tools. Each of those elements requires very specific knowledge to develop, but you also have to understand all of the interfaces between those types of systems in order for it to work as a whole. It’s no good if your control system is perfect, but the satellite link is always broken, or if the mobile users can’t see your brilliant content whenever they want to.
I think that maintaining that kind of perspective is really important in the cybersecurity world. Some people hear that term and think “encryption” or “firewalls” or something like that. Those are certainly parts of it, but if you just focus on encryption, you’re missing a vast amount of what cybersecurity entails…and you or your customer are probably going to be in the news pretty soon, and not in a good way. This is what we call “defense-in-depth,” and it’s the bedrock principle on which cybersecurity is based. You have to build multiple layers of defense, in multiple areas, involving multiple systems, datasets, and even personnel—and they all have to work together. One breakdown in that chain, and the whole system falls apart. “You’re only as strong as your weakest link,” is pretty much our mantra, and AV is exactly the same. Frankly, I think AV engineers can probably understand this concept better than most IT folks, if they allow themselves to think about it for a bit.
SCN: What is most misunderstood about cybersecurity?
JB: I think that probably depends on who you ask, and where they are in the supply chain. I don’t think AV vendors and integrators realize that most security requirements are actually fairly simple to implement. It’s not like no one has ever done these things before, nor is the knowledge base some special secret sauce that only military or financial experts possess. There is extensive public documentation addressing all or most of these issues, and most of it is common sense. That said, there can be a tendency to drown in all that data, so it helps to have a guide to sift through it and winnow down the relevant parts for your system or organization.
SCN: What’s the biggest misconception about AV in the cybersecurity world?
JB: I don’t think many people in the cybersecurity world really think about AV systems, to be honest. In my experience, the general sense of the cyber world is that AV systems aren’t really IT systems at all, or they’re so low on the IT component totem pole that there are much bigger targets on which to focus. Even with the supposed AV/IT convergence, there really aren’t that many vendors or integrators out there who are creating truly IP-enabled products and systems. Sure, they might use Ethernet for transport, but how many support multi-factor authentication, or out-of-band management, or software-as-a-service models? Certain denizens of the AV universe have had to figure these things out—the VTC manufacturers, for example—but most of the rest are considered very immature technologically and just get walled off logically or physically from the rest of the system.
That would be fine if the customer didn’t care…but we all know that customers want more connectivity and more synchronization, not less. How many times have you heard, “Well, I can do it on my phone, so why not?” We shouldn’t have to launch into a ten-minute explanation (with annotated diagrams!) when that question comes up. We should be able to instantly say, “You can, and here’s how!” To get there, though, AV has to improve its posture as an industry, and the cyber folks have to prepare for an entirely new set of vectors that they’ve never had to consider (such as user-controllable sensors that can carry aural or visual information across any network boundary or firewall).
There’s no such thing as an IT system that is too minor to be considered a threat. Even children’s toys are potential, and highly valuable, targets now (see: VTech). I think you’re going to start to see significantly more calls for formal cybersecurity standards (voluntary and government-developed) throughout the AV industry, and I remain hopeful that both the cyber SMEs and the AV gurus will have a seat at the table when that happens.