The EBU (European Broadcasting Union) has strengthened its cybersecurity programme by appointing two prominent CISOs (Chief Information Security Officers) as chair and co-chair.
The current chair of the EBU Cybersecurity strategic programme Andreas Schneider is standing down to be replaced by both John Moylan, CISO at RTÉ, as chair and Claus Bayer, CISO at ZDF, as co-chair. The new regime is committed to advancing the EBU’s three-pillar strategy developed under Schneider to address cybersecurity challenges within the media industry.
The EBU had decided the broadcasting industry was poorly prepared for new security threats arising from the proliferation of OTT services and IP connectivity, even if they were well abreast of the business challenges. To counter this the EBU developed its three-pronged strategy under the headings of awareness, design and implementation. The EBU claims that guidelines arising from this programme, set out in its Recommendation R143, have already had a significant industry impact after being adopted by vendors as well as media service providers.
Yet both new chairs acknowledge more work is needed by both broadcasters and vendors to ensure robust defence against both existing and emerging threats, some of which cannot be foreseen. “The road to bring the media industry up to speed on cybersecurity is not easy, especially with the growing threats towards digital services and public service media in general,” said new chair Moylan. “But we have established a strong strategy that will help achieve our goal.”
Co-chair Claus Bayer added: “One of the key challenges for broadcasters is to have proper governance for cybersecurity within their organization, and for systems vendors to perform the minimum-security due diligence on their hardware and software.” Bayer reaffirmed the EBU’s commitment to work with communities and ensure their strategies and roadmaps were properly aligned.
The EBU Media Cybersecurity programme is a growing group of 17 CISOs from European public service media organizations actively working on securing media services and businesses. The three-tier programme will continue to be enhanced as a framework for advancing cybersecurity defences.
John Moylan, CISO at RTÉ, is the EBU’s new chair of cybersecurity.
To address the first of these pillars, awareness, the EBU has published Recommendation 144 aimed at senior managers, setting out best practices for governance, including the organizational structure necessary to meet a minimum-security benchmark. But the EBU has noted this is little use unless senior managers are aware of the urgency and so has been highlighting the risks and cases so far where reputational damage has been caused. A notable early example came in April 2015 when all 12 channels of French TV network TV5Monde were taken off air by an attack from Russian hackers.
The EBU is now urging broadcasters not just to appoint dedicated information security officers but also ensure they have direct access to top management. But it is equally important vendors are closely involved in security at the design phase, which is addressed by the second of the three EBU pillars. This is inevitably taking time to get fully established given organizational changes involved both for broadcasters and vendors, which is partly why the two new EBU cybersecurity chairs stress there is more work to be done.
However, the R143 recommendation has already been adopted by the World Broadcasting Unions and several broadcast organizations including NABA and ABU as well as EBU itself as the basis for a unified security recommendation to be endorsed by all system vendors. The key point is that security should be incorporated by design in every process, project and service in alignment with the media workflows and business objectives. To be effective, all parties of the media ecosystem must be involved in the effort.
The third of the EBU’s security prongs covers implementation, comprising hands on tools and tests for media operational staff to investigate and proactively detect potential vulnerabilities in purchased or installed media equipment. The minimum tests for networked media equipment are set out in Recommendation R 148, to be performed by vendors or broadcasters. Typical threat mitigation scenarios are available for the most popular threats to media services, including DDoS (Distributed Denial or Service) and ransomware attacks. A practical guide to security measures for use before, during and after a field operation has just been published as EBU R 150.
You might also like...
Video consumers are still reluctant to embrace more secure authentication methods than traditional passwords despite mounting fears over identity theft and intrusion into privacy.
Innovation in the media and entertainment industry is at an all-time high with devices, backend technologies, operating systems and consumer behaviors constantly evolving. A key element of this evolution is how viewers see, experience, navigate and consume the content they…
Verimatrix is seeking to win major customers in broadcasting and pay TV on the back of API integration of its MultiRights OTT multi-DRM with Amazon Web Services (AWS). As AWS continues its strong advance into video services by claiming some…
Away from traditional broadcasting a revolution is happening. Live internet streaming is taking the world by storm with unprecedented viewing figures and improved accessibility for brands looking to reach better targeted audiences. The Live Explosion, hosted by the DPP in…
The EBU (European Broadcasting Union) has struck a partnership with the Digital Production Partnership Ltd (DPP), a UK based business change network, to promote open standards for interoperability between all components of the video cycle as the industry continues its…