EBU Urges Broadcasters to Conform with New Cyber Security Guidelines

The EBU (European Broadcasting Union) has published its minimal set of cyber security guidelines for its members’ IT systems, based on best practice already established in other industries. The recommendation, known as EBU R143, has been developed in response to several high-profile and damaging hacks on broadcasters and content owners, but also reflects the growing exposure to attacks from the Internet.

This is the downside of the migration towards IP-based communications and established IT technologies such as virtualization and software-defined networking.

“The broadcast industry has been an isolated technology island for a long time and, therefore, was intrinsically protected,” noted Andreas Schneider, Chief Information Security Officer at the Swiss public broadcaster (SSR/SRG) and Chair of the EBU Strategic Programme on Media Cybersecurity. “However, with the provision of internet-based services and the convergence of traditional broadcast and information technology, the risk of cyberattacks targeting media companies is now, more than ever before, a real threat.”

The new guidelines focus on internal IT systems rather than the broadcasting delivery infrastructure, which has long been protected from piracy and theft of revenue by Conditional Access Systems (CAS) and, more recently, DRM (Digital Rights Management) systems as well, admittedly with mixed success. But the distinction between the two is diminishing and, as recent high-profile hacks have shown, direct attacks on internal IT systems can be at least as effective at stealing premium content. This was demonstrated all too well by the infamous Sony case in November 2014, when the so-called Guardians Of Peace (GOP) group hacked into Sony Pictures’ IT systems. This left the Sony network crippled for days and also resulted in previously unreleased films being posted on the Internet.

Another more recent case in April 2015 highlighted the great damage to reputation and revenue that can be caused without content theft, when French broadcaster TV5 Monde was hacked. This took its TV channels off the air and meant that its systems were prevented from accessing the Internet for several months while French security agency ANSSI (L’Agence nationale de la sécurité des systèmes d’information) conducted its investigation into the incident and new measures were implemented.

The EBU insisted that this was just the tip of the iceberg and that there had been many lesser breaches, with another risk being the loss of sensitive customer data, exposing subscribers to fraud and identity theft. While there is no pretense that adoption of these minimum guidelines would prevent all such frauds, the EBU argued that it would reduce their extent and severity.

Andreas Schneider, Chair of the EBU Strategic Programme on Media Cybersecurity, played a key role drafting the EBU’s new security recommendation.

The guidelines are based on those already defined by European National Security Agencies, such as the French ANSSI and German BSI. They also include contributions from the newly created French-speaking broadcasters Cybersecurity Group, chaired by TV5 and applying its direct experience from the hack.

The fundamental recommendation is that broadcasters and content owners apply security safeguards at the planning and design stage, when doing so is more cost-effective and enables greater robustness against emerging threats that may not be anticipated.

Another key point is that media companies are increasingly reliant on third parties such as software developers and providers of cloud services. Therefore, end-to-end security can only be ensured by insisting that these third parties adhere to the same security guidelines, ideally with external verification.

The EBU also pointed out that connected devices tend to have a low level of security, reflecting the protection broadcasters used to enjoy when their systems were closed to the Internet. Now, in the era of OTT, the threshold for connected devices not owned by pay TV operators needs to be increased. This in turn leads to more specific guidance on how interfaces, access points, network communication and features should be documented. Broadcasters need to focus more on integrating components from a security context so that, for example, TCP/UDP ports are only open when necessary and kept shut by default.
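As an added illustration (not part of EBU R143 or the original article), the sketch below checks a host's listening TCP/UDP ports against a documented interface inventory and treats anything undocumented as a finding, which is the "shut by default" rule in practice. The `ss -tuln` sample, the inventory entries and the host role are all constructed assumptions.

```python
# Constructed sample of `ss -tuln` output from a hypothetical playout host.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      511    [::]:443           [::]:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
"""

# Hypothetical interface inventory: (protocol, port) -> purpose and allowed scope.
DOCUMENTED = {
    ("tcp", 22): {"purpose": "admin SSH", "scope": "any"},
    ("tcp", 443): {"purpose": "HTTPS API", "scope": "any"},
    ("tcp", 5432): {"purpose": "local database", "scope": "loopback"},
    ("tcp", 9100): {"purpose": "metrics exporter", "scope": "any"},
}
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_text):
    """Return (proto, address, port) tuples from `ss -tuln` text."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        address, _, port = fields[4].rpartition(":")
        listeners.append((fields[0], address, int(port)))
    return listeners


def audit(listeners, documented):
    """Default deny: every listener missing from the inventory is a finding."""
    findings = []
    for proto, address, port in listeners:
        entry = documented.get((proto, port))
        if entry is None:
            findings.append(("undocumented", proto, port))
        elif entry["scope"] == "loopback" and address not in LOOPBACK:
            findings.append(("exposed-beyond-scope", proto, port))
    seen = {(proto, port) for proto, _, port in listeners}
    for proto, port in sorted(set(documented) - seen):
        findings.append(("documented-not-listening", proto, port))  # stale entry
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SS_OUTPUT), DOCUMENTED):
        print(*finding)
```

On the constructed sample this reports the NTP and 8080 listeners as undocumented and the metrics exporter entry as stale, so both the host and the documentation get corrected.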

The guidelines also indicate best practices for users, which should apply equally to customers and staff, including two-factor authentication. There are three possible authentication factors: something the user knows, like a password; something the user owns, like a token; and something the user is, meaning a biometric such as a thumbprint. Authentication has often only required one factor, usually a password, which is inherently insecure, so there has been a trend towards adding a second factor, often a smart token generating a one-time passkey, for online banking transactions for example. There has also been growing use of biometrics, so that smart phones, for example, can actually enable three-factor authentication. This is because the phone itself is something the user owns which is unique, while a thumbprint or facial scan may be the something the user is, and a password can also be enforced to access, say, an OTT video service.

Yet authentication is only part of end-to-end security and does not prevent direct cyber-attacks on internal systems, which is why the EBU has published these guidelines.
