Software Infrastructure Global Viewpoint – September 2019

Beyond Firewalls

“Put it behind the firewall and it will be fine!” was once the assumption – but not anymore. As broadcasters continue their IP journey, a growing appreciation of all things secure has become apparent. Difficult questions are being asked of vendors and the perceived security demarcation is in question.

As centralized monitoring and control permeated through the traditional SDI infrastructure, ominous RJ45 connectors started to appear. Back then, I could not remember a single conversation about security as it was assumed the network was impervious - a reasonably valid assumption as they were generally closed systems. As I remember, the real change in the consciousness of security happened when the internet started to infiltrate broadcast facilities.

DMZ’s and firewalls supposedly protected everything inside the building. Even desktop computers had firewalls built into their core software. But the cybercriminals always seemed one step ahead and found they could hack a desktop with a simple phishing attack and penetrate the firewalls from within. A ransom-ware virus could pervade an infrastructure at the click of a key and encrypt every file in the network.

More recently, I discovered, as anti-virus software and firewalls have increased in sophistication, and consequently become more effective, the cybercriminals have found new methods of attacking computer systems – through the firmware. To my horror, I found it is possible for a cybercriminal to take control of a computer by intercepting the firmware code running in disk drives, network interface cards, and graphics cards.

Enterprise server manufacturers are at the forefront of the cyberwar and have been working hard to counteract these potential vulnerabilities. When the server is switched on, even before the CPU boots, known validated secure code interrogates each of the peripheral devices to verify the firmware hasn’t been tampered with. A system of authentication cross references the codes’ certificate to a trusted database and validates the firmware. And these routines execute periodically to guarantee the firmware is still secure.

This “silicon root of trust” brings to IT the same level of security, audit and accountability that the commercial airplane manufacturing industry has enjoyed for many years. Each component and software version can be traced back to a subcontractor or specific vendor, thus taking security and accountability to new levels. And in this world, security is the concern of everybody involved. Each system, process, and device is responsible for being highly secure.

This leads me to consider two interesting questions for broadcasters. First, if a vendor delivers a combined software and server solution, then what precautions have been taken to confirm the servers firmware has been validated and continues to be validated throughout the life of the product? And second, if a vendor supplies a bespoke hardware product with IP connectivity, what precautions have been taken for security and its continued security after installation?

Relying on assertions that appear to abdicate responsibility such as “the network should be secure”, or “we assume the network is secure”, in my view, are no longer an acceptable.

One of the reasons broadcasters invest in their own COTS datacenter infrastructures is because they understand the provenance of their hardware and can purchase maintenance and service contracts to mitigate against issues such as firmware attacks.

Broadcast vendors can learn much from enterprise IT and I’m sure many are, especially where security and service level agreements are concerned. And this is a real opportunity for broadcast vendors to leverage these successful, proven, and much needed business models. But I would say this, security is about collective responsibility, it’s a partnership, a collaboration, and every person, system and product is responsible for the preservation of data.

Related Editorial Content

Secure IP Infrastructures For Broadcasters - Part 1 - Secure Servers

In this series of three articles, we investigate the underlying aspects of computer server design for high value security and 24-hour operation. In the first article we look at advanced server security, in the second article we understand how servers…

Secure IP Infrastructures For Broadcasters - Part 2 - Lights Out Control

In the previous article in this series we looked at advanced server security and how the controller within a hard disk drive or SSD can be vulnerable to hacking even with the most advanced firewalls and anti-virus software. In this…