EBU Calls on Broadcasters and Technology Vendors to Strengthen Cyber Security
The EBU is raising its game over cyber security after staging its event dedicated to emerging threats as broadcasting moves from SDI to IP.
The EBU (European Broadcasting Union) has called on broadcasters and their technology suppliers to work together over cyber security and adopt best practices already available or evolving in the IT world. The organization representing broadcasters across Europe and in many neighboring countries has just staged its first Media Cybersecurity Seminar at its headquarters in Geneva, where delegates were urged to adopt best practices built around existing security standards.
In turn, the EBU has been playing its part by staging tutorials at the seminar and, more generally, by shoehorning those existing standards into a version that takes account of broadcasters’ specific needs. This has led to the development of EBU R 143 (Cybersecurity for media vendor systems, software & services), based on the long-standing but more generic ISO (International Standards Organization) 27001, along with national best practice guidelines. ISO 27001 is the globally agreed standard for creating an Information Security Management System and has been widely used by enterprises around the world for over 10 years, yet at the EBU seminar there was the suggestion that broadcasting technology vendors had been slow to adopt it. That is one reason the EBU itself has seen fit to develop its own standards set building on ISO 27001.
"It's not that we are re-inventing the wheel on cybersecurity," said Adi Kouadio, the EBU's Lead on Video R&D and Cybersecurity. "We just customize it for media organizations."
The key message at the seminar was that broadcasters are no longer islands cut off from the rest of the connected world and therefore need to protect themselves against a range of new threats emanating from outside. While the industry is familiar with piracy and the need for content protection, it is not so geared up for threats arising from the Internet, such as malware, ransomware and Distributed Denial of Service (DDoS) attacks.
Such risks are growing as the broadcast industry migrates from the world of SDI to that of IT and IP and new standards are developed, according to the BBC's Lead Technologist Peter Brightwell at the EBU seminar. "IP offers flexibility, but also opens doors to hack."
The EBU Media Cybersecurity Seminar highlighted new recommendations that build on existing standards.
To keep that door closed, broadcasters need to do more than just adopt technical standards; they must also revise their overall approach to security at a human and logistical level, according to Gerben Dierick, Chief Information Security Officer (CISO) at Belgium's VRT. He focused on the importance of dialogue rather than just developing policies. Open communication between the people responsible for security and the non-technical staff, especially journalists, was crucial, he said.
At the same time, the seminar stressed the key role that the new EBU R 143 recommendations can play in developing products and services. EBU R 143 defines security safeguards that should be applied at the planning stage and built into the specifications. The standard should also be used by broadcasters to assess a vendor's security capabilities and ability to counter threats as part of the tendering process, as well as to set a minimal baseline for system acceptance.
The foundation of EBU R 143 is the set of principles defined for general IT systems in ISO 27001, including handling cyberthreats like malware and ransomware, along with base considerations for authentication and authorization, such as enforcing change of default passwords and implementing strong two-factor authentication for internet-facing products. Two-factor security requires users to own a device, such as a one-time password generator, into which they enter a key known only to them. Access can then only be gained by people who possess a given device and also know a “shared secret”.
It also insists on mandatory test stages within the development cycle and regular cleaning of software to ensure that test code, which could leave vulnerabilities, is expunged from the final version. Regular technical security analyses, comprising penetration and vulnerability tests, should be conducted not just during development but also in subsequent operation.
EBU R 143 then incorporates additional broadcast-specific features to take account, for example, of vulnerabilities associated with production workflows and infrastructures as they migrate to IT technologies.
But as broadcasting continues to migrate to IP while at the same time media content becomes more central to almost all enterprises, the distinction between broadcasting and other online services will diminish. This is already being reflected on the security front, given that most of the EBU R 143 recommendations could apply equally to any cloud-based service.