EBU Beefs Up Cybersecurity Programme With New Chair

The EBU (European Broadcasting Union) has strengthened its cybersecurity programme by appointing two prominent CISOs (Chief Information Security Officers) as chair and co-chair.

The current chair of the EBU Cybersecurity strategic programme Andreas Schneider is standing down to be replaced by both John Moylan, CISO at RTÉ, as chair and Claus Bayer, CISO at ZDF, as co-chair. The new regime is committed to advancing the EBU’s three-pillar strategy developed under Schneider to address cybersecurity challenges within the media industry.

The EBU had decided the broadcasting industry was poorly prepared for new security threats arising from the proliferation of OTT services and IP connectivity, even if they were well abreast of the business challenges. To counter this the EBU developed its three-pronged strategy under the headings of awareness, design and implementation. The EBU claims that guidelines arising from this programme, set out in its Recommendation R143, have already had a significant industry impact after being adopted by vendors as well as media service providers.

Yet both new chairs acknowledge more work is needed by both broadcasters and vendors to ensure robust defence against both existing and emerging threats, some of which cannot be foreseen. “The road to bring the media industry up to speed on cybersecurity is not easy, especially with the growing threats towards digital services and public service media in general,” said new chair Moylan. “But we have established a strong strategy that will help achieve our goal.”

Co-chair Claus Bayer added: “One of the key challenges for broadcasters is to have proper governance for cybersecurity within their organization, and for systems vendors to perform the minimum-security due diligence on their hardware and software.” Bayer reaffirmed the EBU’s commitment to work with communities and ensure their strategies and roadmaps were properly aligned.

The EBU Media Cybersecurity programme is a growing group of 17 CISOs from European public service media organizations actively working on securing media services and businesses. The three-tier programme will continue to be enhanced as a framework for advancing cybersecurity defences.

John Moylan, CISO at RTÉ, is the EBU’s new chair of cybersecurity.

John Moylan, CISO at RTÉ, is the EBU’s new chair of cybersecurity.

To address the first of these pillars, awareness, the EBU has published Recommendation 144 aimed at senior managers, setting out best practices for governance, including the organizational structure necessary to meet a minimum-security benchmark. But the EBU has noted this is little use unless senior managers are aware of the urgency and so has been highlighting the risks and cases so far where reputational damage has been caused. A notable early example came in April 2015 when all 12 channels of French TV network TV5Monde were taken off air by an attack from Russian hackers.

The EBU is now urging broadcasters not just to appoint dedicated information security officers but also ensure they have direct access to top management. But it is equally important vendors are closely involved in security at the design phase, which is addressed by the second of the three EBU pillars. This is inevitably taking time to get fully established given organizational changes involved both for broadcasters and vendors, which is partly why the two new EBU cybersecurity chairs stress there is more work to be done.

However, the R143 recommendation has already been adopted by the World Broadcasting Unions and several broadcast organizations including NABA and ABU as well as EBU itself as the basis for a unified security recommendation to be endorsed by all system vendors. The key point is that security should be incorporated by design in every process, project and service in alignment with the media workflows and business objectives. To be effective, all parties of the media ecosystem must be involved in the effort.

The third of the EBU’s security prongs covers implementation, comprising hands on tools and tests for media operational staff to investigate and proactively detect potential vulnerabilities in purchased or installed media equipment. The minimum tests for networked media equipment are set out in Recommendation R 148, to be performed by vendors or broadcasters. Typical threat mitigation scenarios are available for the most popular threats to media services, including DDoS (Distributed Denial or Service) and ransomware attacks. A practical guide to security measures for use before, during and after a field operation has just been published as EBU R 150.

Let us know what you think…

Log-in or Register for free to post comments…

You might also like...

Essential Guide:  IP - The Final Frontier

Today’s broadcast engineers face a unique challenge, one that is likely unfamiliar to these professionals. The challenge is to design, build and operate IP-centric solutions for video and audio content.

Essential Guide: Live IP Delivery

Broadcasting used to be simple. It required one TV station sending one signal to multiple viewers. Everyone received the same imagery at the same time. That was easy.

Cost-effective IP Contribution and Distribution

Saving dollars is one of the reasons broadcasters are moving to IP. Network speeds have now reached a level where real-time video and audio distribution is a realistic option. Taking this technology to another level, Rohde and Schwarz demonstrate in…

Essential Guide: Reality of IP

As broadcasters migrate to IP, the spotlight is focusing more and more on IT infrastructure. Quietly in the background, IT has been making unprecedented progress in infrastructure design to deliver low latency high-speed networks, and new highly adaptable business models,…

IMF - Interoperability and Content Exchange Made Easy

As the television business has become more global, and evolving consumer devices spawn the need for ever more formats, there has been an explosion of the number of versions that are needed for an item of content. The need to…