EBU Urges Broadcasters to Conform with New Cyber Security Guidelines
Convergence of broadcasting with IT is exposing the industry to new security threats, according to the EBU.
The EBU (European Broadcasting Union) has published its minimal set of cyber security guidelines for its members’ IT systems, based on best practice already established in other industries. The recommendation, known as EBU R143, has been developed in response to several high-profile and damaging hacks on broadcasters and content owners, but also reflects the growing exposure to attacks from the Internet.
This is the downside of the migration towards IP-based communications and established IT technologies such as virtualization and software-defined networking.
“The broadcast industry has been an isolated technology island for a long time and, therefore, was intrinsically protected,” noted Andreas Schneider, Chief Information Security Officer at the Swiss public broadcaster (SSR/SRG) and Chair of the EBU Strategic Programme on Media Cybersecurity. “However, with the provision of internet-based services and the convergence of traditional broadcast and information technology, the risk of cyberattacks targeting media companies is now, more than ever before, a real threat.”
The new guidelines focus on internal IT systems rather than the broadcasting delivery infrastructure, which has long been protected from piracy and theft of revenue by Conditional Access Systems (CAS) and, more recently, by DRM (Digital Rights Management) systems as well, admittedly with mixed success. But the distinction between the two is diminishing and, as recent high-profile hacks have shown, direct attacks on internal IT systems can be at least as effective at stealing premium content. This was demonstrated all too well by the infamous Sony case in November 2014, when the so-called Guardians Of Peace (GOP) group hacked into Sony Pictures’ IT systems. The attack crippled the Sony network for days and also resulted in previously unreleased films being posted on the Internet.
Another more recent case in April 2015 highlighted the great damage to reputation and revenue that can be caused without content theft, when French broadcaster TV5 Monde was hacked. This took its TV channels off the air and meant that its systems were prevented from accessing the Internet for several months while French security agency ANSSI (L’Agence nationale de la sécurité des systèmes d’information) conducted its investigation into the incident and new measures were implemented.
The EBU insisted that this was just the tip of the iceberg and that there had been many lesser breaches, with another risk being the loss of sensitive customer data, exposing subscribers to fraud and identity theft. While there is no pretense that adoption of these minimum guidelines would prevent all such frauds, the EBU argued that it would reduce their extent and severity.
Andreas Schneider, Chair of the EBU Strategic Programme on Media Cybersecurity, played a key role in drafting the EBU’s new security recommendation.
The guidelines are based on those already defined by European National Security Agencies, such as the French ANSSI and German BSI. They also include contributions from the newly created French-speaking broadcasters Cybersecurity Group, chaired by TV5 and applying its direct experience from the hack.
The fundamental recommendation is that broadcasters and content owners apply security safeguards at the planning and design stage, when doing so is more cost-effective and enables greater robustness against emerging threats that may not be anticipated.
Another key point is that media companies are increasingly reliant on third parties such as software developers and providers of cloud services. End-to-end security can therefore only be ensured by insisting that these third parties adhere to the same security guidelines, ideally with external verification.
The EBU also pointed out how connected devices tend to have a low level of security, reflecting the protection broadcasters used to enjoy when their systems were closed to the Internet. Now, in the era of OTT, the threshold for connected devices not owned by pay TV operators needs to be increased. This in turn leads to more specific guidance on how interfaces, access points, network communication and features should be documented. Broadcasters need to focus more on integrating components from a security context, so that, for example, TCP/UDP ports are only open when necessary and kept shut by default.
The guidelines also indicate best practices for users, which should apply equally to customers as well as staff, including two-factor authentication. There are three possible authentication factors: something the user knows, like a password; something the user owns, like a token; and something the user is, meaning a biometric such as a thumbprint. Authentication has often only required one factor, usually a password, which is inherently insecure, so there has been a trend towards adding a second factor, often a smart token generating a one-time passkey, for online banking transactions for example. There has also been growing use of biometrics, so that smartphones, for example, can actually enable three-factor authentication. This is because the phone itself is something the user owns which is unique, while a thumbprint or facial scan may be the something the user is, and a password can also be enforced to access, say, an OTT video service.
Yet authentication is only part of end to end security and does not prevent direct cyber-attacks on internal systems, which is why the EBU has published these guidelines.