IP Security For Broadcasters 2026 – EBU R143: Building Security Into Broadcast Operations

Business continuity and supply chain management may not be at the forefront of technical innovation, but disaster recovery forms a key component of secure systems. EBU R143 provides a framework for assessing and improving security across broadcast facilities, defining common expectations for both broadcasters and equipment vendors.


This article is part of our free eBook ‘IP Security For Broadcasters - 2026 Edition’ - download it here.

Anybody who has worked in a professional IT environment will be only too aware of ITIL (Information Technology Infrastructure Library) processes, as these bring structure and predictability for engineers, technologists, and their managers working across the media facility.

One of the aims of ITIL is to establish repeatable and predictable operational processes that keep systems running reliably. For example, if a transcoder server needs updating then the IT engineer can’t just jump in and start performing an upgrade. Instead, a series of checks are performed such as the change control process to make sure the server isn’t being used. This requires every process within the workflow to be documented with the relevant signing authority to make sure all stakeholders are aware of the scheduled outage.

Establishing Order And Predictability

For traditional broadcasters who have cut their teeth on firefighting faults in the dead of night or earned their stripes keeping a program on air against all odds, this seemingly intrusive world of process and procedure may seem unnecessary. However, as equipment and workflows continue to improve and become more reliable, broadcasters’ focus is moving more from firefighting to maintaining order and predictability.

EBU R143 is a continuation of making workflows reliable and predictable by ordering security processes. Modern security thinking isn’t just about making sure a piece of equipment is secure but instead embraces the entire infrastructure including how the people working in the media facility operate.

By considering security from the ground up and instilling a culture of awareness, the entire broadcast facility is more resilient and high-value media assets are further protected.

Common Secure Methodologies

As many broadcasters rely on third-party equipment and system integration services, the EBU have designed a checklist into R143 that allows broadcasters to confirm the vendor has met the minimum requirement for secure operation of their products. This doesn’t just include the equipment or software that is being provided, but also how vendors operate their business with consideration to security.

This acts as a standard to which vendors can work to when designing their products and services, and provides peace of mind for the broadcasters as vendors can demonstrate that they have taken security seriously by taking all reasonable steps to make their products and services as secure as possible.

As broadcasters continue their IP journey, it’s fair to say, that many, if not all, will be expecting vendors to provide proof of compliance with R143.

The EBU R143 document is split into eight main sections that cover the vendor security requirement: Vendor Information Security Management System (Vendor ISMS), Operational Security (OS), Secure Development (SD), Incident Management (IM), Physical Security (PS), Cloud Security (CS), Business Continuity (BC), and Supply Chain Management (SM).

Figure 1 - To maintain security across all IP media infrastructures, broadcasters should implement systems that follow a constant path of prevention, detection, response, and forensic analysis to keep systems as secure as possible.

Figure 1 - To maintain security across all IP media infrastructures, broadcasters should implement systems that follow a constant path of prevention, detection, response, and forensic analysis to keep systems as secure as possible.

Further in R143 the document takes into consideration documentation, authentication and authorization, encryption, base configuration, network configuration, and application security. This ensures broadcasters know the configurable state of the system when they take delivery of it. For example, if the SSH ports are open or whether the HTTP ports are enabled or not, super user passwords, and account privileges. This is extremely important for IT departments as they need to understand the risk and whether the software or device will need any additional configuration.

Why Supply Chain Security Matters

Modern broadcast facilities rarely procure their entire workflow equipment from a single vendor. A typical IP production environment may include cameras, multiviewers, orchestration systems, NMOS controllers, graphics processors, monitoring systems, cloud services, and storage systems supplied by many different manufacturers. Although each component may operate correctly in isolation, the overall security of the facility depends on the security of every connected system in the chain.

This creates a supply-chain challenge.  A vulnerability in a third-party software library, an insecure software update process, or compromised credentials within a supplier’s support infrastructure can potentially provide a route into a broadcaster’s operational environment. In highly interconnected IP workflows, a weakness in one component can quickly become a risk to many others.

EBU R143 addresses this by encouraging broadcasters to evaluate security across all suppliers rather than focusing solely on individual products. The recommendation promotes common standards for software development practices, vulnerability management, incident response, access control, and update procedures. This allows broadcasters to compare vendors using a common framework and identify areas of risk before equipment is deployed into production.

As broadcast infrastructures continue to evolve towards software-defined and cloud-based architectures, the importance of supply-chain security is increasing. R143 provides a practical mechanism for ensuring that security expectations are applied consistently across the entire ecosystem rather than only at the network perimeter.

Overall Compliance

A Vendor ISMS provides the overall frame of reference for R143 compliance. Included are the vendor’s descriptions of their conformity, the security plans they have as an organization, and the audit plans they have in place. The plan includes details of the individual responsible for information security within the organization, often the Chief Information Security Officer (CISO) or equivalent role.

Operation Security is where the technical aspects of penetration and vulnerability testing is accounted for. It’s important for vendors to be pro-active with regards to this testing as it is much better to be able to contact broadcasters with a fix, than have broadcasters contact vendors with a problem, especially where security is involved.

A vulnerability management process should be at the heart of a vendor’s design and testing processes. Not only does this include the vendor’s software but also any third party components and systems they use. For example, if a vendor’s software is running on a Linux operating system, then they will regularly check security bulletins and act on them accordingly. This process should be carried out for all third-party components and systems.

Securing Code Updates

Consideration for how vendors update software on their own, or their customers’, premises and systems is also covered. Software updates must be delivered through authenticated and encrypted mechanisms. R143 discourages insecure distribution methods and requires vendors to demonstrate that software updates can be verified before installation.

Vendors also have a responsibility to keep their source code secure when it’s being developed by software teams. Software repositories help with this, but vendors must be able to document that no third parties have been able to insert malicious code.

Incident response management is documented to provide a well tried and proven course of action should a vulnerability or vendor security breach become evident. This includes the contact details of customers as well as those within the vendor’s organization that are responsible for enforcing the processes. One important aspect of this is that audit trails can be forensically analyzed later.

System Considerations

Physical control embraces the security of devices from unauthorized personnel, including access to the buildings, datacenters, and code. Even intruder detection systems and fire safety mechanisms are included in R143 as anything potentially affecting the security of critical systems is considered.

Although cloud security is included in EBU R146, R143 also includes consideration of cloud services in its compliance check list, as well as keeping customer data segregated from other clients in multi-tenanted services. Clearly, if one customer has access to another’s data, then this would potentially cause a serious breach.

Business continuity and supply chain management may not be at the forefront of technical innovation, but disaster recovery forms a key component of secure systems. Again, security isn’t just about protecting access to data, but it also embraces protecting integrity of the data against loss. The R143 check list makes sure these aspects are covered.

Keeping Security Secure

As broadcasters become increasingly dependent on software-defined infrastructures, cloud services, and third-party integrations, security can no longer be viewed as a specialist activity. It must become part of everyday engineering practice. EBU R143 provides a common framework that helps vendors and broadcasters work together to protect systems, services, and the high-value media assets upon which modern broadcasting depends.


This article is part of our free eBook ‘IP Security For Broadcasters - 2026 Edition’ - download it here.

Supported by

You might also like...

IP Security For Broadcasters - The Book 2026

Security is everyone’s problem. It is not just about having the right policies in place or knowing where the vulnerabilities in your network are; it’s about understanding how the network is accessed and by whom, and how to str…

Standards: Audio - Advanced Audio Coding (AAC)

AAC succeeded MP3 by delivering better quality at lower bitrates. This guide examines how it works, compares the leading encoder implementations, and explains where it sits within the broader MPEG audio standards landscape.

Broadcast Standards - The Science Of AI: New Foundations

We begin this series with the foundational building blocks of AI. Basic principles, the technology stack and the types of AI based upon it, and how to apply them effectively in a broadcasting enterprise.

Standards: Audio - MPEG Layer 3 Audio Coding (MP3)

Launched in 1995, MP3 remains one of the most ubiquitous audio formats in the world. This guide explains how psychoacoustic compression works, explains the differences between MPEG-1 and MPEG-2 implementations, and finds out where MP3 works – and where it doesn’t.

Network Traffic Engineering: Head-Of-Line Blocking - Why QUIC Changes The Rules

Head-of-line blocking turns minor packet loss into visible glitches by stalling entire TCP streams until missing data is retransmitted. Eliminating cross-stream blocking by multiplexing independent streams over UDP, QUIC might be the answer for OTT delivery, cloud workflows and the…