EBU Urges Broadcasters to Conform with New Cyber Security Guidelines

The EBU (European Broadcasting Union) has published its minimal set of cyber security guidelines for its members’ IT systems, based on best practice already established in other industries. The recommendation, known as EBU R143, has been developed in response to several high-profile and damaging hacks on broadcasters and content owners, but also reflects the growing exposure to attacks from the Internet.

This is the downside of the migration towards IP based communications and established IT technologies such as virtualization and software defined networking.

“The broadcast industry has been an isolated technology island for a long time and, therefore, was intrinsically protected,” noted Andreas Schneider, Chief Information Security Officer at the Swiss public broadcaster (SSR/SRG) and Chair of the EBU Strategic Programme on Media Cybersecurity. “However, with the provision of internet-based services and the convergence of traditional broadcast and information technology, the risk of cyberattacks targeting media companies is now, more than ever before, a real threat.”

The new guidelines focus on internal IT systems rather than the broadcasting delivery infrastructure, which has long been protected from piracy and theft of revenue by Conditional Access Systems (CAS) and more recently by DRM (Digital Rights Management) systems as well, admittedly with mixed success. But the distinction between the two is diminishing and, as recent high-profile hacks have shown, direct attacks on internal IT systems can be at least as effective at stealing premium content. This was demonstrated all too well by the infamous Sony case in November 2014, when the so-called Guardians Of Peace (GOP) group hacked into Sony Pictures’ IT systems. This crippled the Sony network for days and also resulted in previously unreleased films being posted on the Internet.

Another more recent case in April 2015 highlighted the great damage to reputation and revenue that can be caused without content theft, when French broadcaster TV5 Monde was hacked. This took its TV channels off the air and meant that its systems were prevented from accessing the Internet for several months while French security agency ANSSI (L’Agence nationale de la sécurité des systèmes d’information) conducted its investigation into the incident and new measures were implemented.

The EBU insisted that this was just the tip of the iceberg and that there had been many lesser breaches, with another risk being loss of sensitive customer data, exposing subscribers to fraud and identity theft. While there is no pretense that adoption of these minimum guidelines would prevent all such frauds, the EBU argued that it would reduce their extent and severity.

Andreas Schneider, Chair of the EBU Strategic Programme on Media Cybersecurity, played a key role drafting the EBU’s new security recommendation.


The guidelines are based on those already defined by European National Security Agencies, such as the French ANSSI and German BSI. They also include contributions from the newly created French-speaking broadcasters Cybersecurity Group, chaired by TV5 and applying its direct experience from the hack.

The fundamental recommendation is that broadcasters and content owners apply security safeguards at the planning and design stage, when it is more cost effective and enables greater robustness against emerging threats that may not be anticipated.

Another key point is that media companies are increasingly reliant on third parties such as software developers and providers of cloud services. Therefore, end-to-end security can only be ensured by insisting that these third parties adhere to the same security guidelines, ideally with external verification.

The EBU also pointed out how connected devices tend to have a low level of security, reflecting the protection broadcasters used to enjoy when their systems were closed to the Internet. Now, in the era of OTT, the threshold for connected devices not owned by pay TV operators needs to be increased. This in turn leads to more specific guidance on how interfaces, access points, network communication and features should be documented. Broadcasters need to focus more on integrating components from a security context, so that, for example, TCP/UDP ports are only open when necessary and kept shut by default.
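As an added illustration (not part of EBU R143 or of the original article), the following sketch checks a host's listening sockets against a documented interface list, which is one way to verify that ports are closed by default. The sample output follows the column layout of `ss -tuln`; the host, the port inventory and all names in the code are constructed assumptions.

```python
# Constructed sample in the column layout of `ss -tuln`, as if captured
# from a hypothetical playout server. Not real data.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5004       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080          [::]:*
"""

# Hypothetical documented interface list: (protocol, port) -> purpose.
DOCUMENTED = {
    ("tcp", 22): "admin SSH",
    ("tcp", 443): "control API",
    ("udp", 123): "NTP",
    ("udp", 5004): "RTP ingest",
    ("tcp", 9000): "legacy monitoring",
}
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Return a set of (protocol, local_address, port) for each socket."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.add((fields[0], addr, int(port)))
    return listeners


def audit(ss_output, documented):
    """Compare what is listening with what is documented.

    undocumented: reachable from the network but not in the interface list.
    stale: documented but not listening, so the entry should be retired.
    """
    listeners = parse_listeners(ss_output)
    exposed = {(proto, port) for proto, addr, port in listeners
               if not addr.startswith(LOOPBACK_PREFIXES)}
    listening = {(proto, port) for proto, _, port in listeners}
    undocumented = sorted(exposed - set(documented))
    stale = sorted(set(documented) - listening)
    return undocumented, stale
```

Loopback-only listeners are deliberately not reported as undocumented, since they are not reachable from the network.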

The guidelines also indicate best practices for users, which should apply equally to customers as well as staff, including two-factor authentication. There are three possible authentication factors: something the user knows, like a password; something the user owns, like a token; and something the user is, meaning a biometric such as a thumbprint. Authentication has often only required one factor, usually a password, which is inherently insecure, so there has been a trend towards adding a second factor, often a smart token generating a one-time passkey, for online banking transactions for example. There has also been growing use of biometrics, so that smart phones, for example, can actually enable three-factor authentication. This is because the phone itself is something the user owns which is unique, while a thumbprint or facial scan may be the something the user is, and a password can also be enforced to access, say, an OTT video service.

Yet authentication is only part of end-to-end security and does not prevent direct cyber-attacks on internal systems, which is why the EBU has published these guidelines.
