EBU Calls on Broadcasters and Technology Vendors to Strengthen Cyber Security

The EBU (European Broadcasting Union) has called on broadcasters and their technology suppliers to work together over cyber security and adopt best practices already available or evolving in the IT world. The organization representing broadcasters across Europe and in many neighboring countries has just staged its first Media Cybersecurity Seminar at its headquarters in Geneva, where delegates were urged to adopt best practices built around existing security standards.

In turn, the EBU has been playing its part by staging tutorials at the seminar and, more generally, by shoehorning those existing standards into a version that takes account of broadcasters’ specific needs. This has led to the development of EBU R 143 (Cybersecurity for media vendor systems, software & services), based on the long-standing but more generic ISO (International Standards Organization) 27001, along with national best practice guidelines. ISO 27001 is the globally agreed standard for creating an Information Security Management System and has been widely used by enterprises around the world for over 10 years, yet at the EBU seminar there was the suggestion that broadcasting technology vendors had been slow to adopt it. That is one reason the EBU itself has seen fit to develop its own set of standards building on ISO 27001.

"It's not that we are re-inventing the wheel on cybersecurity," said Adi Kouadio, the EBU's Lead on Video R&D and Cybersecurity. "We just customize it for media organizations."

The key message at the seminar was that broadcasters are no longer islands cut off from the rest of the connected world and therefore need to protect themselves against a range of new threats emanating from outside. While the industry is familiar with piracy and the need for content protection it is not so geared up for threats arising from the Internet, such as malware, ransomware and Distributed Denial of Service (DDoS) attacks.

Such risks are growing as the broadcast industry migrates from the world of SDI to that of IT and IP and new standards are developed, according to the BBC's Lead Technologist Peter Brightwell at the EBU seminar. "IP offers flexibility, but also opens doors to hack."

The EBU Media Cybersecurity Seminar highlighted new recommendations that build on existing standards.

To keep that door closed, broadcasters need to do more than just adopt technical standards; they must also revise their overall approach to security at a human and logistical level, according to Gerben Dierick, Chief Information Security Officer (CISO) at Belgium's VRT. He focused on the importance of dialogue rather than just developing policies. Open communication between the people responsible for security and the non-technical staff, especially journalists, was crucial, he said.

At the same time, the seminar stressed the key role that the new EBU R 143 recommendations can play in developing products and services. EBU R 143 defines security safeguards that should be applied at the planning stage and built into the specifications. Broadcasters should also use the standard to assess a vendor's security capabilities and its ability to counter threats as part of the tendering process, as well as to set a minimal baseline for system acceptance.

The foundation of EBU R 143 is the set of principles defined for general IT systems in ISO 27001, including handling cyberthreats like malware and ransomware, along with base considerations for authentication and authorization, such as enforcing a change of default passwords and implementing strong two-factor authentication for internet-facing products. Two-factor security requires users to own a device, such as a one-time password generator, into which they enter a key known only to them. Access can then be gained only by people who both possess a given device and know a “shared secret”.

It also insists on mandatory test stages within the development cycle and regular cleaning of software to ensure that test code, which could leave vulnerabilities, is expunged from the final version. Regular technical security analyses, comprising penetration and vulnerability tests, should be conducted not just during development but also in subsequent operation.

EBU R 143 then incorporates additional broadcast-specific features to take account, for example, of vulnerabilities associated with production workflows and infrastructures as they migrate to IT technologies.

But as broadcasting continues to migrate to IP while at the same time media content becomes more central to almost all enterprises, the distinction between broadcasting and other online services will diminish. This is already being reflected on the security front, given that most of the EBU R 143 recommendations could apply equally to any cloud-based service.
