The EBU (European Broadcasting Union) has strengthened its cybersecurity programme by appointing two prominent CISOs (Chief Information Security Officers) as chair and co-chair.
The current chair of the EBU Cybersecurity strategic programme Andreas Schneider is standing down to be replaced by both John Moylan, CISO at RTÉ, as chair and Claus Bayer, CISO at ZDF, as co-chair. The new regime is committed to advancing the EBU’s three-pillar strategy developed under Schneider to address cybersecurity challenges within the media industry.
The EBU had decided the broadcasting industry was poorly prepared for new security threats arising from the proliferation of OTT services and IP connectivity, even if they were well abreast of the business challenges. To counter this the EBU developed its three-pronged strategy under the headings of awareness, design and implementation. The EBU claims that guidelines arising from this programme, set out in its Recommendation R143, have already had a significant industry impact after being adopted by vendors as well as media service providers.
Yet both new chairs acknowledge more work is needed by both broadcasters and vendors to ensure robust defence against both existing and emerging threats, some of which cannot be foreseen. “The road to bring the media industry up to speed on cybersecurity is not easy, especially with the growing threats towards digital services and public service media in general,” said new chair Moylan. “But we have established a strong strategy that will help achieve our goal.”
Co-chair Claus Bayer added: “One of the key challenges for broadcasters is to have proper governance for cybersecurity within their organization, and for systems vendors to perform the minimum-security due diligence on their hardware and software.” Bayer reaffirmed the EBU’s commitment to work with communities and ensure their strategies and roadmaps were properly aligned.
The EBU Media Cybersecurity programme is a growing group of 17 CISOs from European public service media organizations actively working on securing media services and businesses. The three-tier programme will continue to be enhanced as a framework for advancing cybersecurity defences.
John Moylan, CISO at RTÉ, is the EBU’s new chair of cybersecurity.
To address the first of these pillars, awareness, the EBU has published Recommendation 144 aimed at senior managers, setting out best practices for governance, including the organizational structure necessary to meet a minimum-security benchmark. But the EBU has noted this is little use unless senior managers are aware of the urgency and so has been highlighting the risks and cases so far where reputational damage has been caused. A notable early example came in April 2015 when all 12 channels of French TV network TV5Monde were taken off air by an attack from Russian hackers.
The EBU is now urging broadcasters not just to appoint dedicated information security officers but also ensure they have direct access to top management. But it is equally important vendors are closely involved in security at the design phase, which is addressed by the second of the three EBU pillars. This is inevitably taking time to get fully established given organizational changes involved both for broadcasters and vendors, which is partly why the two new EBU cybersecurity chairs stress there is more work to be done.
However, the R143 recommendation has already been adopted by the World Broadcasting Unions and several broadcast organizations including NABA and ABU as well as EBU itself as the basis for a unified security recommendation to be endorsed by all system vendors. The key point is that security should be incorporated by design in every process, project and service in alignment with the media workflows and business objectives. To be effective, all parties of the media ecosystem must be involved in the effort.
The third of the EBU’s security prongs covers implementation, comprising hands on tools and tests for media operational staff to investigate and proactively detect potential vulnerabilities in purchased or installed media equipment. The minimum tests for networked media equipment are set out in Recommendation R 148, to be performed by vendors or broadcasters. Typical threat mitigation scenarios are available for the most popular threats to media services, including DDoS (Distributed Denial or Service) and ransomware attacks. A practical guide to security measures for use before, during and after a field operation has just been published as EBU R 150.
You might also like...
Thanks to Over-the-Top (OTT) streaming video, content owners and broadcasters have a very different relationship with the end consumer – often a direct one.
OTT distribution is worlds apart from traditional unidirectional broadcasting in terms of its fundamental operation and viewing preferences. The internet is a rapidly expanding collection of service providers, many in direct competition, transferring broadcaster video and audio streams alongside many…
After visiting the recent Henry Stewart DAM (Digital Asset Management) conference in New York, Gary Olson asked some very difficult questions of Cloud vendors regarding security. Their responses may surprise you.
In the last two articles in this series we looked at why we need to monitor in OTT. Then, through analysing a typical OTT distribution chain, we sought to understand where the technical points of demarcation and challenges arise. In…
Giving his unique view on NAB2019, Gary Olson considers and scrutinizes the big moving trends of consolidations, and casts clarity on the cloud, ATSC 3.0, and AI.