EBU Calls on Broadcasters and Technology Vendors to Strengthen Cyber Security

The EBU is raising its game over cyber security after staging its event dedicated to emerging threats as broadcasting moves from SDI to IP.
The EBU (European Broadcasting Union) has called on broadcasters and their technology suppliers to work together over cyber security and adopt best practices already available or evolving in the IT world. The organization representing broadcasters across Europe and in many neighboring countries has just staged its first Media Cybersecurity Seminar at its headquarters in Geneva, where delegates were urged to adopt best practices built around existing security standards.
In turn the EBU has been playing its part by staging tutorials at the seminar and more generally by shoehorning those existing standards into a version that takes account of broadcasters’ specific needs. This has led to the development of EBU R 143 (Cybersecurity for media vendor systems, software & services), based on the long-standing but more generic ISO (International Standards Organization) 27001, along with national best practice guidelines. ISO 27001 is the globally agreed standard for creating an Information Security Management System and has been widely used by enterprises around the world for over 10 years, yet at the EBU seminar there was the suggestion that broadcasting technology vendors had been slow to adopt it. That is one reason the EBU itself has seen fit to develop its own standards set building on ISO 27001.
"It's not that we are re-inventing the wheel on cybersecurity," said Adi Kouadio, the EBU's Lead on Video R&D and Cybersecurity. "We just customize it for media organizations."
The key message at the seminar was that broadcasters are no longer islands cut off from the rest of the connected world and therefore need to protect themselves against a range of new threats emanating from outside. While the industry is familiar with piracy and the need for content protection, it is not so geared up for threats arising from the Internet, such as malware, ransomware and Distributed Denial of Service (DDoS) attacks.
Such risks are growing as the broadcast industry migrates from the world of SDI to that of IT and IP and new standards are developed, according to the BBC's Lead Technologist Peter Brightwell at the EBU seminar. "IP offers flexibility, but also opens doors to hack."

The EBU Media Cybersecurity Seminar highlighted new recommendations that build on existing standards.
To keep that door closed, broadcasters need to do more than just adopt technical standards; they must also revise their overall approach to security at a human and logistical level, according to Gerben Dierick, Chief Information Security Officer (CISO) at Belgium's VRT. He focused on the importance of dialogue rather than just developing policies. Open communication between the people responsible for security and the non-technical staff, especially journalists, was crucial, he said.
At the same time the seminar stressed the key role that can be played by the new EBU R 143 recommendations in developing products and services. It defines security safeguards that should be applied at the planning stage and built into the specifications. The standard should also be used by broadcasters to assess a vendor's security capabilities and abilities to counter threats as part of the tendering process, as well as setting a minimal baseline for system acceptance.
The foundation of EBU R 143 is the set of principles defined for general IT systems in ISO 27001, including handling cyberthreats like malware and ransomware, along with base considerations for authentication and authorization, such as enforcing a change of default passwords and implementing strong two-factor authentication for internet-facing products. Two-factor security requires users to own a device such as a one-time password generator into which they enter a key known only to them. Access can then only be gained by people who possess a given device and also know a “shared secret”.
It also insists on mandatory test stages within the development cycle and regular cleaning of software to ensure that test code, which could leave vulnerabilities, is expunged from the final version. Regular technical security analyses, comprising penetration and vulnerability tests, should be conducted not just during development but also in subsequent operation.
EBU R 143 then incorporates additional broadcast-specific features to take account, for example, of vulnerabilities associated with production workflows and infrastructures as they migrate to IT technologies.
But as broadcasting continues to migrate to IP while at the same time media content becomes more central to almost all enterprises, the distinction between broadcasting and other online services will diminish. This is already being reflected on the security front, given that most of the EBU R 143 recommendations could apply equally to any cloud-based service.