The EBU (European Broadcasting Union) has strengthened its cybersecurity programme by appointing two prominent CISOs (Chief Information Security Officers) as chair and co-chair.
The current chair of the EBU Cybersecurity strategic programme Andreas Schneider is standing down to be replaced by both John Moylan, CISO at RTÉ, as chair and Claus Bayer, CISO at ZDF, as co-chair. The new regime is committed to advancing the EBU’s three-pillar strategy developed under Schneider to address cybersecurity challenges within the media industry.
The EBU had decided the broadcasting industry was poorly prepared for new security threats arising from the proliferation of OTT services and IP connectivity, even if they were well abreast of the business challenges. To counter this the EBU developed its three-pronged strategy under the headings of awareness, design and implementation. The EBU claims that guidelines arising from this programme, set out in its Recommendation R143, have already had a significant industry impact after being adopted by vendors as well as media service providers.
Yet both new chairs acknowledge more work is needed by both broadcasters and vendors to ensure robust defence against both existing and emerging threats, some of which cannot be foreseen. “The road to bring the media industry up to speed on cybersecurity is not easy, especially with the growing threats towards digital services and public service media in general,” said new chair Moylan. “But we have established a strong strategy that will help achieve our goal.”
Co-chair Claus Bayer added: “One of the key challenges for broadcasters is to have proper governance for cybersecurity within their organization, and for systems vendors to perform the minimum-security due diligence on their hardware and software.” Bayer reaffirmed the EBU’s commitment to work with communities and ensure their strategies and roadmaps were properly aligned.
The EBU Media Cybersecurity programme is a growing group of 17 CISOs from European public service media organizations actively working on securing media services and businesses. The three-tier programme will continue to be enhanced as a framework for advancing cybersecurity defences.
John Moylan, CISO at RTÉ, is the EBU’s new chair of cybersecurity.
To address the first of these pillars, awareness, the EBU has published Recommendation 144 aimed at senior managers, setting out best practices for governance, including the organizational structure necessary to meet a minimum-security benchmark. But the EBU has noted this is little use unless senior managers are aware of the urgency and so has been highlighting the risks and cases so far where reputational damage has been caused. A notable early example came in April 2015 when all 12 channels of French TV network TV5Monde were taken off air by an attack from Russian hackers.
The EBU is now urging broadcasters not just to appoint dedicated information security officers but also ensure they have direct access to top management. But it is equally important vendors are closely involved in security at the design phase, which is addressed by the second of the three EBU pillars. This is inevitably taking time to get fully established given organizational changes involved both for broadcasters and vendors, which is partly why the two new EBU cybersecurity chairs stress there is more work to be done.
However, the R143 recommendation has already been adopted by the World Broadcasting Unions and several broadcast organizations including NABA and ABU as well as EBU itself as the basis for a unified security recommendation to be endorsed by all system vendors. The key point is that security should be incorporated by design in every process, project and service in alignment with the media workflows and business objectives. To be effective, all parties of the media ecosystem must be involved in the effort.
The third of the EBU’s security prongs covers implementation, comprising hands on tools and tests for media operational staff to investigate and proactively detect potential vulnerabilities in purchased or installed media equipment. The minimum tests for networked media equipment are set out in Recommendation R 148, to be performed by vendors or broadcasters. Typical threat mitigation scenarios are available for the most popular threats to media services, including DDoS (Distributed Denial or Service) and ransomware attacks. A practical guide to security measures for use before, during and after a field operation has just been published as EBU R 150.
You might also like...
In part 8 of the series “Data transmission and storage”, consultant John Watkinson looks at some of the intricacies of RF transmission.
Moving to IP opens a whole plethora of options for broadcasters. Engineers often speak of the advantages of scalability and flexibility in IP systems. But IP systems take on many flavors, from on-prem to off-prem, private and public cloud. And…
In this series of articles, we investigate OTT distribution networks to better understand the unique challenges ahead and how to solve them. Unlike traditional RF broadcast and cable platform delivery networks, OTT comprises of many systems operated by different companies…
The times they are a changin’ and faster than ever. For the first time, digital advertising in the United States will surpass the amount of money spent on traditional ads used by television and print media, a research firm predicts.
The mobile video boom will continue over the next few years and consume an ever-greater proportion of overall global network backbone capacity, according to the latest update of the Cisco Mobile Visual Networking Index (MVNI) Forecast (2017 – 2022).