Considerations for Seriously Secure Control Room Solutions

Userful
Userful
The Leading Provider of AV as a Service (AVaaS)
Empty control room with 4 workstations and 3 video walls displaying live security camera footage and data dashboards

Situational awareness is the core mission of any control room or operation center: Getting the right information to the right person at the right time to make the right decision. While many organizations investing in video wall solutions to help deliver situational awareness focus on issues like what video management system to include, the correct emergency communications technologies, and of course, what solution they want to manage and control the video wall and its content, there’s a critical issue that should never be overlooked: security. More and more control rooms and operation centers are online, more and more AV solutions require network access. IT departments are increasingly concerned about the many apps, devices, content, and access points across the network. Security compliance should be top of mind when investing in a display solution for an operation center or control room and below are some of the points to consider.

Network Security

AV-over-IP solutions that use standard TCP/IP communication through standard switches and routers, provide a broad variety of lock-down options for security-conscious customers. By using a standard network, customers can lock down their own network tools, switches, routers according to their own security protocols and using familiar network monitoring tools.

To ensure customers have options, Userful offers three ways to configure the network, with different levels of security and flexibility:

  1. Fully Air-Gapped: Fully Air-Gapped: Completely detached from the network. The server drives the displays via its own air-gapped network with a dedicated router and switch.
  2. Partially Air-Gapped: The server is either connected to the LAN but not the Internet (in the case of Userful, it gives access to internal sources/resources but not to Userful Cloud), or connected to the internet but with no connection to the LAN. In our case, the Userful server would be accessible via Userful Cloud and would be able to display web-based resources but would not have direct access to internal sources. Any sources on the LAN that do need to be displayed could be captured via an HDMI capture.
  3. Fully Integrated: Though a fully integrated deployment provides the most flexibility, we recognize that some security-conscious organizations may prefer to begin with a full or partial air-gapped approach and work their way up (for example, while their organization becomes familiar with Userful’s software stack). When it comes to a Userful deployment, there are a variety of ways of configuring the Userful server and network to isolate traffic from your main network. We suggest running the Userful server from its own router, however, customers can alternatively utilize a dual NICs strategy in the server with one NIC talking just to the zero client’s receiver devices and the second NIC just talking to the corporate network. Both strategies fully isolate the video traffic and ensure flexibility on set up.

Deploy Standard rather than Specialized Hardware

AV has been dominated by proprietary and specialized hardware solutions in the past. These are often black box processors and the teams deploying them often know little of their internal workings. The BIOS may have unknown or unexpected vulnerabilities. The operating system may likewise have vulnerabilities. In the past when control rooms and operation centers were mostly operated offline, this was less of a risk. In today’s post-digital transformation world where work from home and network connectivity are required, the risk to specialized or proprietary hardware is increased.

Userful is a software solution that runs on a commercially available off-the-shelf server from Lenovo, Dell, HP, etc. which greatly reduces security risks.

Use a Known, Locked Down OS

Userful is a complete solution installed on bare metal, so you don’t need to manage the base OS yourself (unlike many video wall solutions that essentially function as a software application layer running on top of a separately maintained and supported desktop Operating System). The use of a locked-down operating system ensures an extraordinary level of security compliance. With unfamiliar proprietary hardware, the IT team will need to perform rigorous testing to ensure that the embedded operating software is safe and trusted, which increases costs and delays the startup process.

Physical Security

Physical security is a fundamental principle for any good security policy. Because Userful operates from a server connected to displays over the network, customers can lock the Userful server in a secure—and ideally video-monitored—server room (or closet) significantly reducing any risks of unauthorized and undetected physical access to the server.

In stark contrast, many commercial display solutions mount the controller or processor directly behind or below the displays themselves. Unfettered access of the controller increases susceptibility to a host of easy physical tampering, trojans, loggers, theft, and other risks.

Role-Based Access Control

Role-Based Access Control (RBAC) is another essential security element to consider as it enables administrators to designate and restrict specific features and permission levels based on customizable teams. With role-based access control, management can create permission structures to build accountability and reduce potential security gaps caused by human error.

To learn more about why Userful is a leader in the security space, download Userful’s security whitepaper which includes a deeper dive into all the topics covered here as well as in-depth comparisons on how Userful’s security compares with other approaches to deploying video walls for control rooms and operation centers.

Userful
The Leading Provider of AV as a Service (AVaaS)