Below are some quick points around how build TVs are secured, when doing a standard installation/deployment.

• ufw is used to control IP tables, so that only port 22 (SSH) is exposed (firewall).
• SSH authentication is key only.
• Default pi account is removed.
• The user automatically logged-on during startup, wallboard is locked down and has little to no permissions.

You are recommended to periodically update all your build TV instances to protect against vulnerabilities. Although trial a single instance initially, in the event of breaking changes.