The EBU is raising its game over cyber security after staging its event dedicated to emerging threats as broadcasting moves from SDI to IP.
The EBU (European Broadcasting Union) has called on broadcasters and their technology suppliers to work together over cyber security and adopt best practices already available or evolving in the IT world. The organization representing broadcasters across Europe and in many neighboring countries has just staged its first Media Cybersecurity Seminar at its headquarters in Geneva, where delegates were urged to adopt best practices built around existing security standards.
In turn the EBU has been playing its part by staging tutorials at the seminar and more generally by shoehorning those existing standards into a version that takes account of broadcasters’ specific needs. This has led to the development of EBU R 143 (Cybersecurity for media vendor systems, software & services), based on the long-standing but more generic ISO (International Standards Organization) 27001, along with national best practice guidelines. ISO 27001 is the globally agreed standard for creating an Information Security Management System and has been widely used by enterprises around the world for over 10 years, yet at the EBU seminar there was the suggestion that broadcasting technology vendors had been slow to adopt it. That is one reason the EBU itself has seen fit to develop its own standards set building on ISO 27001.
"It's not that we are re-inventing the wheel on cybersecurity," said Adi Kouadio, the EBU's Lead on Video R&D and Cybersecurity. "We just customize it for media organizations."
The key message at the seminar was that broadcasters are no longer islands cut off from the rest of the connected world and therefore need to protect themselves against a range of new threats emanating from outside. While the industry is familiar with piracy and the need for content protection, it is not so geared up for threats arising from the Internet, such as malware, ransomware and Distributed Denial of Service (DDoS) attacks.
Such risks are growing as the broadcast industry migrates from the world of SDI to that of IT and IP and new standards are developed, according to the BBC's Lead Technologist Peter Brightwell at the EBU seminar. "IP offers flexibility, but also opens doors to hack."
The EBU Media Cybersecurity Seminar highlighted new recommendations that build on existing standards.
To keep that door closed, broadcasters need to do more than just adopt technical standards; they must also revise their overall approach to security at a human and logistical level, according to Gerben Dierick, Chief Information Security Officer (CISO) at Belgium's VRT. He focused on the importance of dialogue rather than just developing policies. Open communication between the people responsible for security and the non-technical staff, especially journalists, was crucial, he said.
At the same time the seminar stressed the key role that the new EBU R 143 recommendations can play in developing products and services. They define security safeguards that should be applied at the planning stage and built into the specifications. The standard should also be used by broadcasters to assess a vendor's security capabilities and abilities to counter threats as part of the tendering process, as well as setting a minimal baseline for system acceptance.
The foundation of EBU R 143 is the set of principles defined for general IT systems in ISO 27001, including handling cyberthreats like malware and ransomware, along with base considerations for authentication and authorization, such as enforcing a change of default passwords and implementing strong two-factor authentication for internet-facing products. Two-factor security requires users to own a device, such as a one-time password generator, into which they enter a key known only to them. Access can then be gained only by people who both possess a given device and know a “shared secret”.
It also insists on mandatory test stages within the development cycle and regular cleaning of software to ensure that test code, which could leave vulnerabilities, is expunged from the final version. Regular technical security analyses, comprising penetration and vulnerability tests, should be conducted not just during development but also in subsequent operation.
EBU R 143 then incorporates additional broadcast-specific features to take account, for example, of vulnerabilities associated with production workflows and infrastructures as they migrate to IT technologies.
But as broadcasting continues to migrate to IP while at the same time media content becomes more central to almost all enterprises, the distinction between broadcasting and other online services will diminish. This is already being reflected on the security front, given that most of the EBU R 143 recommendations could apply equally to any cloud-based service.