On-Air Operations and Cyber Security
As most everyone is aware, there have been a number of instances of cyber breaches (or hacks) in the broadcast Industry. Some well known examples are the French National Network TV5 Monde breach, the Public Radio station RDS hack, and of course, the now infamous Zombie attack incident.
Because of radio and television stations’ role as first informers (i.e. public alerting functions, EAS, etc.), broadcasters are considered by the Department of Homeland Security (DHS) and the FCC to be an integral part of the nation’s Critical Communications Infrastructure. As such, there is an expectation that stations will take adequate steps to stay on the air in times of emergency (which we already do) but, also, to protect themselves from cyber breaches that could take a station off the air or highjack a station’s programming. These broadcast station program interruptions, at the hands of cyber hackers, has led the FCC to become concerned that broadcast stations on-air ops may not be adequately protected.
Consider that much of the essential equipment in a broadcast station is, at its heart, either a Linux or Windows computer with software installed that makes the unit perform its purpose-built function, e.g. “program playout system.” These systems are typically controlled or managed (including the routing of content) via an IP network which may, or may not, be connected to the open internet. Is this network adequately firewalled? Is malware protection software installed on the computer-based systems? If not, your on-air operations could be vulnerable.
Station technical personnel need to fully consider how well their on-air operations are protected from cyber-type attacks. Or, to look at it another way, stations need to assess how vulnerable their on-air “network” might be and then put in place a plan to protect it and recover in the event of attack.
As part of its Communications Security, Reliability and Interoperability Council (CSRIC) the FCC has issued two reports regarding cyber security and critical communications infrastructure. The latest report covers security in general and the other specifically focuses on security of the EAS. These reports detail how to apply a document known as the NIST Cyber Security Framework. The NIST framework takes a “risk assessment” approach to cyber security rather than a step-by-step checklist approach.
In the next installment of this blog we will take a deeper dive into the two reports above and look at how to apply the concepts in those documents at your station. The important thing to know is that the FCC expects that broadcasters have reviewed these documents and are in the process of adopting the principles and practices embodied in them. While the FCC has not yet worked out the details on how to do this, they will be contacting broadcasters in the near future to assess stations’ progress in adopting the measures in these reports. Stay tuned…