Dr Amal Punchihewa
The media and broadcasting industries have been experiencing an increased number of cyber threats, a growing trend that can possibly be attributed to some of the changes the industries are undergoing. What are broadcasting unions and associations doing? What’s immediate action can TV stations take to mitigate cybersecurity threats?
The adoption of cloud services, for financial or agility reasons; multi-protocol delivery of content over IP to a wide range of consumer devices; over-the-top (OTT) services for direct consumer delivery of digital content; IP-based technology (SMPTE ST 2110, for example) to support the bandwidths and speeds of next-generation TV systems — can all broaden the threat and make media and broadcast industries more vulnerable to attack.
Recent cyber attacks suffered by TV5 Monde, Sony, Comcast and HBO are some examples of major attacks on media companies. Such attacks may result in reputational damage (news organisation), content piracy (Game of Thrones, for example), data leakage (financial information, personal data, e-mails, and so on), software/file corruption or encryption (ransomware).
In certain situations, some of these could result in a media/broadcast operation’s inability to function.
The North American Broadcaster Association (NABA) in October 2015, through its Risk Awareness and Continuity Committee, produced a requirement document titled Cyber Security Requirements for Vendor Products, Hardware, Software and Services.
NABA then held a cybersecurity symposium in December 2016 in New York to raise cyber threats awareness in the broadcasting/media industry in North America. As a result, NABA established a cybersecurity sub-committee under the auspices of its technical committee.
In Europe, the EBU (European Broadcasting Union) has done substantial amount of work on cybersecurity. The EBU has a well-established cybersecurity committee and it has developed six recommendations in recent years:
• R141 – Mitigation of distributed denial-of-service (DDoS) attacks.
• R142 – Cybersecurity on connected TVs.
• R143 – Cybersecurity for media vendor systems, software and services.
• R144 – Cybersecurity governance for media companies.
• R145 – Mitigating ransomware and malware attacks.
• R146 – Cloud security, including procurement, architecture and cloud service provider assessment.
The World Broadcasting Union (WBU) is a collection of eight broadcasting unions in the world. Its technical committee, the WBU-TC, has created a sub-committee on cybersecurity, with a mandate to establish and maintain best practice recommendations to prevent, detect and mitigate cyberattacks from threat agents.
The sub-committee was also tasked to establish minimum cybersecurity technical standards/requirements to be incorporated by equipment manufacturers and service providers, including all forms of cloud services; develop consensus positions on cybersecurity issues in support of the WBU-TC; provide assistance in cybersecurity training and education to unions and their members; and represent WBU positions on cybersecurity at external forums.
In January 2018, WBU-TC released its first cybersecurity recommendations: WBU Joint Cyber Security Recommendations for Media Vendors’ Systems, Software and Services.
The recommendations are graded P1 (critical), P2 (important) and P3 (best practice). It also addresses communications, authentication, controls, documentation, encryption and network configuration, and is available at https://worldbroadcastingunions.org
The next WBU recommendations will be on basic cyber hygiene. It aims to:
maintain an inventory of every physical device and system in the enterprise;
maintain an inventory of every software platform and application authorised for use in the enterprise;
ensure all software systems are patched and operating systems are at their latest release;
institute proper identity management (IM);
institute multi-factor authentication (MFA); and
institute privileged access management (PAM).
The WBU-TC believes that up to about 70% of cyberattacks can be prevented if the above steps are undertaken.
From a management or human resource point of view, cybersecurity functions and issues need to be discussed and decided at a board of directors’ and C-suite level due to the risk to the entire enterprise.
Cybersecurity programmes must be implemented throughout the enterprise, including ongoing governance and risk assessment. It requires continuing education of staff, ongoing investment in cybersecurity solutions, and a dedicated cybersecurity group/department to “protect, defend, detect and respond” to cybersecurity threats.
In conclusion, individual broadcasting unions and the WBU are now engaged and working diligently on cybersecurity. A great start would be to work more closely with WBU and take its recommendations seriously — and, indeed, implementing basic cyber hygiene can help to mitigate cybersecurity threats.