EBU Beefs Up Cybersecurity Programme With New Chair

The EBU (European Broadcasting Union) has strengthened its cybersecurity programme by appointing two prominent CISOs (Chief Information Security Officers) as chair and co-chair.

The current chair of the EBU Cybersecurity strategic programme, Andreas Schneider, is standing down, to be replaced by John Moylan, CISO at RTÉ, as chair and Claus Bayer, CISO at ZDF, as co-chair. The new regime is committed to advancing the EBU’s three-pillar strategy developed under Schneider to address cybersecurity challenges within the media industry.

The EBU had decided the broadcasting industry was poorly prepared for new security threats arising from the proliferation of OTT services and IP connectivity, even if broadcasters were well abreast of the business challenges. To counter this, the EBU developed its three-pronged strategy under the headings of awareness, design and implementation. The EBU claims that guidelines arising from this programme, set out in its Recommendation R143, have already had a significant industry impact after being adopted by vendors as well as media service providers.

Yet the two new chairs acknowledge more work is needed by broadcasters and vendors alike to ensure robust defence against existing and emerging threats, some of which cannot be foreseen. “The road to bring the media industry up to speed on cybersecurity is not easy, especially with the growing threats towards digital services and public service media in general,” said new chair Moylan. “But we have established a strong strategy that will help achieve our goal.”

Co-chair Claus Bayer added: “One of the key challenges for broadcasters is to have proper governance for cybersecurity within their organization, and for systems vendors to perform the minimum-security due diligence on their hardware and software.” Bayer reaffirmed the EBU’s commitment to work with communities and ensure their strategies and roadmaps were properly aligned.

The EBU Media Cybersecurity programme is a growing group of 17 CISOs from European public service media organizations actively working on securing media services and businesses. The three-tier programme will continue to be enhanced as a framework for advancing cybersecurity defences.

John Moylan, CISO at RTÉ, is the EBU’s new chair of cybersecurity.

To address the first of these pillars, awareness, the EBU has published Recommendation 144 aimed at senior managers, setting out best practices for governance, including the organizational structure necessary to meet a minimum-security benchmark. But the EBU has noted this is of little use unless senior managers are aware of the urgency, and so has been highlighting the risks and the cases so far where reputational damage has been caused. A notable early example came in April 2015 when all 12 channels of French TV network TV5Monde were taken off air by an attack from Russian hackers.

The EBU is now urging broadcasters not just to appoint dedicated information security officers but also to ensure they have direct access to top management. It is equally important that vendors are closely involved in security at the design phase, which is addressed by the second of the three EBU pillars. This is inevitably taking time to get fully established given the organizational changes involved for both broadcasters and vendors, which is partly why the two new EBU cybersecurity chairs stress there is more work to be done.

However, the R143 recommendation has already been adopted by the World Broadcasting Unions and several broadcast organizations including NABA and ABU as well as EBU itself as the basis for a unified security recommendation to be endorsed by all system vendors. The key point is that security should be incorporated by design in every process, project and service in alignment with the media workflows and business objectives. To be effective, all parties of the media ecosystem must be involved in the effort.

The third of the EBU’s security prongs covers implementation, comprising hands-on tools and tests for media operational staff to investigate and proactively detect potential vulnerabilities in purchased or installed media equipment. The minimum tests for networked media equipment are set out in Recommendation R 148, to be performed by vendors or broadcasters. Typical threat mitigation scenarios are available for the most popular threats to media services, including DDoS (Distributed Denial of Service) and ransomware attacks. A practical guide to security measures for use before, during and after a field operation has just been published as EBU R 150.
