IP Security For Broadcasters: Part 11 - EBU R143 Security Recommendations
EBU R143 formalizes security practices for both broadcasters and vendors. This comprehensive list should be at the forefront of every broadcaster’s and vendor’s thoughts when designing and implementing IP media facilities.
Anybody who has worked in a professional IT environment will be only too aware of ITIL (Information Technology Infrastructure Library) processes, as these bring structure and predictability for engineers, technologists, and their managers, working across the media facility.
One of the aims of ITIL is to achieve a maximum level of competency in keeping systems running. For example, if a transcoder server needs updating, the IT engineer can't just jump in and start performing an upgrade. Instead, a series of checks is performed, such as the change control process, to make sure the server isn't in use. This requires every process within the workflow to be documented with the relevant signing authority, so that all stakeholders are aware of the scheduled outage.
Establishing Order And Predictability
For traditional broadcasters who have cut their teeth on firefighting faults in the dead of night or earned their stripes keeping a program on air against all odds, this seemingly intrusive world of process and procedure may seem unnecessary. However, as equipment and workflows continue to improve and become more reliable, our focus is moving more from firefighting to maintaining order and predictability.
EBU R143 is a continuation of making workflows reliable and predictable by ordering security processes. Modern security thinking isn’t just about making sure a piece of equipment is secure, but instead embraces the entire infrastructure including how the people working in the media facility operate.
By considering security from the ground up and instilling a culture of awareness, the entire broadcast facility is more resilient, and high-value media assets are further protected.
Common Secure Methodologies
As many broadcasters rely on third-party equipment and system integration services, the EBU has built a checklist into R143 that allows broadcasters to confirm the vendor has met the minimum requirements for secure operation of their products. This doesn't just cover the equipment or software being provided, but also how vendors run their business with security in mind.
This acts as a standard vendors can work to when designing their products and services, and provides peace of mind for broadcasters, as vendors can show they have taken security seriously by taking all reasonable steps to make their products and services as secure as possible.
As broadcasters continue their IP journey, it's fair to say that many, if not all, will expect vendors to provide proof of compliance with R143.
Figure 1 – To maintain security across all IP media infrastructures, broadcasters should implement systems that follow a constant path of prevention, detection, response, and forensic analysis to keep systems as secure as possible.
The EBU R143 document is split into eight main sections that cover the vendor security requirement: Vendor Information Security Management System (Vendor ISMS), Operational Security (OS), Secure Development (SD), Incident Management (IM), Physical Security (PS), Cloud Security (CS), Business Continuity (BC), and Supply Chain Management (SM).
Overall Compliance
Vendor ISMS provides the overall frame of reference for R143 compliance. Included are the vendor’s descriptions of their conformity, the security plans they have as an organization, and the audit plans they have in place. The plan includes the contact details of the person responsible for all security implementation within the business, that is, the Chief Information Security Officer (CISO).
Operational Security is where the technical aspects of penetration and vulnerability testing are accounted for. It's important for vendors to be proactive about this testing, as it's much better to contact broadcasters with a fix than to have broadcasters contact vendors with a problem, especially where security is involved.
A vulnerability management process should be at the heart of a vendor’s design and testing processes. Not only does this include the vendor’s software but also any third-party components and systems they use. For example, if a vendor’s software is running on a Linux operating system, then they will regularly check security bulletins and act on them accordingly. This process should be carried out for all third-party components and systems.
Securing Code Updates
Consideration for how vendors update software on their own, or their customers', premises and systems is also covered. Simply sending a link to unencrypted code on an FTP server or website is completely unacceptable, as a man-in-the-middle attacker could easily tamper with the code in transit. R143 calls for the code to be encrypted, sent on encrypted USB keys, delivered through secure protocols, and checked against a hash value.
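As an added illustration of the hash-value check R143 calls for (example code, not from the EBU document or any vendor): a Python verifier that checks a delivered package against a vendor-published checksum file in the common `sha256sum` text format. The package bytes, filename and checksum text are constructed here; the check only helps if the checksum file reaches the broadcaster over a channel separate from the download itself.

```python
import hashlib
import hmac

# Constructed sample: a "package" as the vendor shipped it, and a tampered copy.
ORIGINAL_PACKAGE = b"transcoder-2.4.1 release build\n" + bytes(range(256))
TAMPERED_PACKAGE = ORIGINAL_PACKAGE.replace(b"release", b"RELEASE")

# The checksum file is what a vendor would publish out-of-band, in the
# sha256sum text format: "<hex digest>  <filename>" per line (constructed here).
VENDOR_CHECKSUMS = (
    f"{hashlib.sha256(ORIGINAL_PACKAGE).hexdigest()}  transcoder-2.4.1.tar.gz\n"
)


def parse_checksum_file(text):
    """Return {filename: hex_digest} from sha256sum-style lines.

    Lines that are not a 64-hex-character digest followed by a filename are
    rejected rather than silently skipped, so a corrupted file fails loudly.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"invalid SHA-256 digest for {name}: {digest!r}")
        expected[name] = digest.lower()
    return expected


def verify_package(filename, data, checksum_text):
    """True only if `data` matches the vendor's published digest for `filename`.

    A missing entry is a failure: a file the vendor did not list is not trusted.
    hmac.compare_digest avoids leaking the match position through timing.
    """
    published = parse_checksum_file(checksum_text).get(filename)
    if published is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, published)


if __name__ == "__main__":
    ok = verify_package("transcoder-2.4.1.tar.gz", ORIGINAL_PACKAGE, VENDOR_CHECKSUMS)
    bad = verify_package("transcoder-2.4.1.tar.gz", TAMPERED_PACKAGE, VENDOR_CHECKSUMS)
    print("original verifies:", ok, "| tampered verifies:", bad)
```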
Vendors also have a responsibility to keep their source code secure when it’s being developed by software teams. Software repositories help with this, but vendors must be able to document that no third parties have been able to insert malicious code.
Incident response management is documented to provide a well tried and proven course of action should a vulnerability or vendor security breach become evident. This includes the contact details of customers as well as those within the vendor’s organization that are responsible for enforcing the processes. One important aspect of this is that audit trails can be forensically analyzed later.
System Considerations
Physical security covers protecting devices from unauthorized personnel, including access to buildings, datacenters, and code. Even intruder detection systems and fire safety mechanisms are included in R143, as anything that could potentially affect the security of critical systems is considered.
Although cloud security is covered in EBU R146, R143 includes consideration of cloud services in its compliance checklist, including keeping customer data segregated from other clients in multi-tenanted services. Clearly, if one customer had access to another's data, this would constitute a serious breach.
Business continuity and supply chain management may not be at the forefront of technical innovation, but disaster recovery forms a key component of secure systems. Again, security isn't just about protecting access to data; it also embraces protecting the integrity of the data against loss. The R143 checklist makes sure these aspects are covered.
Keeping Security Secure
Further on, R143 takes into consideration documentation, authentication and authorization, encryption, base configuration, network configuration, and application security. This ensures the broadcaster knows the configured state of the system when they take delivery of it: for example, whether the SSH or HTTP ports are open, and what superuser passwords and account privileges are set. This is extremely important for IT departments to be able to understand the risk, and the additional configuration the software or device will need.
As broadcasters rely more and more on third-party integration, it is paramount that security is considered from the beginning of a project and maintained throughout, rather than being an afterthought that is bolted on at the end as a box ticking exercise. Security must be driven from the top of a company, whether vendor or broadcaster, and EBU R143 provides the organizational framework to help protect high value media assets.