EBU Urges Broadcasters to Conform with New Cyber Security Guidelines

Convergence of broadcasting with IT is exposing the industry to new security threats, according to the EBU.
The EBU (European Broadcasting Union) has published its minimal set of cyber security guidelines for its members’ IT systems, based on best practice already established in other industries. The recommendation, known as EBU R143, has been developed in response to several high-profile and damaging hacks on broadcasters and content owners, but also reflects the growing exposure to attacks from the Internet.
This is the downside of the migration towards IP-based communications and established IT technologies such as virtualization and software-defined networking.
“The broadcast industry has been an isolated technology island for a long time and, therefore, was intrinsically protected,” noted Andreas Schneider, Chief Information Security Officer at the Swiss public broadcaster (SSR/SRG) and Chair of the EBU Strategic Programme on Media Cybersecurity. “However, with the provision of internet-based services and the convergence of traditional broadcast and information technology, the risk of cyberattacks targeting media companies is now, more than ever before, a real threat.”
The new guidelines focus on internal IT systems rather than the broadcasting delivery infrastructure, which has long been protected from piracy and theft of revenue by Conditional Access Systems (CAS) and, more recently, DRM (Digital Rights Management) systems as well, admittedly with mixed success. But the distinction between the two is diminishing and, as recent high-profile hacks have shown, direct attacks on internal IT systems can be at least as effective at stealing premium content. This was demonstrated all too well by the infamous Sony case in November 2014, when the so-called Guardians Of Peace (GOP) group hacked into Sony Pictures’ IT systems. This left the Sony network crippled for days and also resulted in previously unreleased films being posted on the Internet.
Another more recent case in April 2015 highlighted the great damage to reputation and revenue that can be caused without content theft, when French broadcaster TV5 Monde was hacked. This took its TV channels off the air and meant that its systems were prevented from accessing the Internet for several months while French security agency ANSSI (L’Agence nationale de la sécurité des systèmes d’information) conducted its investigation into the incident and new measures were implemented.
The EBU insisted that this was just the tip of the iceberg and that there had been many lesser breaches, with another risk being loss of sensitive customer data, exposing subscribers to fraud and identity theft. While there is no pretense that adoption of these minimum guidelines would prevent all such frauds, the EBU argued that it would reduce their extent and severity.

Andreas Schneider, Chair of the EBU Strategic Programme on Media Cybersecurity, played a key role drafting the EBU’s new security recommendation.
The guidelines are based on those already defined by European National Security Agencies, such as the French ANSSI and German BSI. They also include contributions from the newly created French-speaking broadcasters Cybersecurity Group, chaired by TV5 and applying its direct experience from the hack.
The fundamental recommendation is that broadcasters and content owners apply security safeguards at the planning and design stage, when it is more cost effective and enables greater robustness against emerging threats that may not be anticipated.
Another key point is that media companies are increasingly reliant on third parties such as software developers and providers of cloud services. Therefore, end-to-end security can only be ensured by insisting that these third parties adhere to the same security guidelines, ideally with external verification.
The EBU also pointed out how connected devices tend to have a low level of security, reflecting the protection broadcasters used to enjoy when their systems were closed to the Internet. Now, in the era of OTT, the threshold for connected devices not owned by pay TV operators needs to be increased. This in turn leads to more specific guidance on how interfaces, access points, network communication and features should be documented. Broadcasters need to focus more on integrating components from a security context, so that, for example, TCP/UDP ports are only open when necessary and kept shut by default.
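One way to check the "documented and shut by default" principle on a single host is to compare its listening sockets with the documented interface inventory. The following is an added example, not part of the EBU recommendation or the original article; the inventory, its purposes and the `ss -tuln` capture are constructed sample data.

```python
# Added example: default-deny audit of listening ports against a documented inventory.
# DOCUMENTED and SS_OUTPUT are constructed sample data, not taken from EBU R143.

DOCUMENTED = {  # hypothetical interface documentation: (proto, port) -> purpose
    ("tcp", 22): "admin SSH from management VLAN",
    ("tcp", 443): "playout control API (TLS)",
    ("udp", 123): "NTP",
    ("tcp", 8443): "ingest web UI",
}

SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    [::]:443           [::]:*
tcp   LISTEN 0      5      127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
"""

LOOPBACK = ("127.", "[::1]")  # listeners bound here are not reachable from the network


def parse_listeners(text):
    """Return a set of (proto, address, port) from `ss -tuln` style output."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.add((fields[0], addr, int(port)))
    return listeners


def audit(text, documented):
    """Report ports open without documentation, and documented ports not listening."""
    observed = parse_listeners(text)
    exposed = {(p, port) for p, addr, port in observed if not addr.startswith(LOOPBACK)}
    listening = {(p, port) for p, _, port in observed}
    return {
        "undocumented_open": sorted(exposed - set(documented)),
        "documented_not_listening": sorted(set(documented) - listening),
    }


if __name__ == "__main__":
    for finding, ports in audit(SS_OUTPUT, DOCUMENTED).items():
        print(finding, ports)
```

Undocumented listeners are candidates for closing; documented ports that are not listening indicate the inventory itself has drifted and needs updating.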
The guidelines also indicate best practices for users, which should apply equally to customers and staff, including two-factor authentication. There are three possible authentication factors: something the user knows, like a password; something the user owns, like a token; and something the user is, meaning a biometric such as a thumbprint. Authentication has often only required one factor, usually a password, which is inherently insecure, so there has been a trend towards adding a second factor, often a smart token generating a one-time passkey, for online banking transactions for example. There has also been growing use of biometrics, so that smart phones, for example, can actually enable three-factor authentication. This is because the phone itself is something the user owns which is unique, while a thumbprint or facial scan may be the something the user is, and a password can also be enforced to access, say, an OTT video service.
Yet authentication is only part of end-to-end security and does not prevent direct cyber-attacks on internal systems, which is why the EBU has published these guidelines.