Ed Czarnecki for Radio World /
08.05.2013 08:42 AM
We Need a Dialogue on Cyber Security
Current precautions may not be as safe as we think
The author is senior director of strategy, development and regulatory affairs with Monroe Electronics Inc.

Broadcasters have grown increasingly reliant on the Internet, whether it is to reach a potential audience and advertisers, conduct daily business or fulfill their FCC EAS obligations to monitor the IPAWS CAP service.

The downside of Internet dependence, of course, is that the broadcast industry is now at the front line of potential assaults by any number of cyber threats. Like it or not, cyber security will continue to be a fact of life for broadcasters and EAS manufacturers.

 EAS technologies are not security appliances in and of themselves. Broadcasters must protect these technologies as they would any sensitive system in their operations. 

Protection means, at a minimum, keeping all network connections to the devices firewalled from the public Internet, regularly checking with vendors to ensure software is up to date and regularly checking the facility’s EAS systems for any potential indications of attack or unauthorized access. (For DASDEC users, the current 2.0-2 release issued in April includes several cumulative security and feature updates.)

On May 15, FEMA posted a reminder to various industry e-mail lists about the importance of maintaining updated software/firmware on CAP EAS devices.

However, there is much more to be done. Common best practices and critical controls need to be identified and implemented in each of the key stakeholder areas in the EAS system: broadcasters, CAP EAS manufacturers and CAP EAS networks, including IPAWS and the various state CAP networks that are evolving. These best practices do not necessarily need to be onerous, but they do need to be implemented system-wide.

The system is only as strong as its weakest link.

What kinds of security practices or controls should the industry consider? And who should be the arbiter or advocate for these cyber security best practices? Well, an initial list of “Best Practices for Public Warning Cyber security” could include:

• Safeguarding Equipment— Make sure that CAP EAS equipment is behind a firewall, at minimum, and that it has the most current versions of firmware/software from manufacturers. All remote administration should be performed over secure channels, preferably with strong encryption, or over a secondary SSL or IPSEC channel.

• Securing Configuration— Of firewalls, routers and switches. These elements are often left less secure than they ought to be. Broadcasters also should limit access to ports and other services.

• Perimeter Defense— Create a strong “perimeter defense,” as a simple firewall may not always be sufficient. Broadcasters should consider a creating layered boundary by using firewalls, proxies, DMZ perimeter networks and network-based intrusion protection and detection, as well as filtering both inbound and outbound traffic. Digital Alert Systems issued a white paper on this matter in 2011. (“CAP, EAS and IPAWS: Introducing a Defense-in-Depth Security Strategy for Broadcasters,” available at www.digitalalertsystems.com/pdf/wpdas-122.pdf.)

• Malware Beware— Defenses against malware may become even more important in the future, if and when CAP messages contain resource (file) links to third-party Web servers. Even if a CAP message comes via the FEMA IPAWS server, that CAP message may contain a link to some separate multimedia sever that the device may automatically attempt to access.

• Foster Skills and Training— A stronger culture of awareness around cyber security is needed in the mass media sector. There also must be greater training opportunities that aid key personnel in developing or enhancing skills in the cyber security area. With the support of key government agencies, national organizations such the Society of Broadcast Engineers or NAB could take the lead to promote these activities.

• Controlled Access— Take charge of who can access CAP EAS equipment by changing all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems to a difficult-to-guess value, and limiting administrative privileges.

Broadcasters have a financial and competitive incentive to safeguard their own networks. Government agencies including FEMA and the FCC have an inherent incentive to safeguard the overall resilience and reliability of the Emergency Alert System, and this means addressing the risks that accompany its new dependence on the Internet.

The alarming incident this past February, when someone hacked into the EAS and issued a warning that zombies were real and on the attack, has at least sparked a dialogue on cyber security. However, this dialogue remains uncoordinated between industry and government, and is far from yielding a security framework addressing the interests of both the public and private sectors.

Since President Obama’s February executive order on overall cyber security, the White House has favored combining voluntary security measures along with incentives for companies that comply. Congress, for its part, seems to be leaning toward legislation that would promote the adoption of cyber security best practices by both private sector and public sector entities.

What this approach lacks is a means of identifying, translating and promoting those best practices across the broadcast industry. Creating a public-private partnership around cyber security for public warning could be an effective way of bridging this critical gap. The outcome of such a partnership would be the sharing of information on best practices, practical approaches and potential cyber security threats to the overall CAP EAS system.

This is not a hypothetical suggestion. Just this type of public-private approach is already being embraced in other industries. In principle, it could be replicated in the broadcast industry.

The Department of Homeland Security, along with the Department of Energy, recently partnered with a number of energy companies to identify and combat threats in that industry. Through this working relationship, the energy industry is sharing information about risks that it faces, and the government is sharing information on potential threats.

This energy industry partnership provides a real benchmark for how a public-private partnership could function for cyber security in the public warning area and, ultimately, to produce mutually beneficial outcomes for government and industry.

A further recommendation is the inclusion of EAS-related technologies and systems under the DHS Protected Critical Infrastructure Information (PCII) Program. PCII is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data.

Simple steps can be taken to enhance the security of the new CAP EAS system, and many of these steps fall within the control of the local broadcaster. However, CAP EAS is a system — a system that will be only as secure as its weakest link.

Therefore, now is the time to open a dialogue on forming a public-private partnership on cyber security in public warning. Now is the time for broadcasters to become more aware of the increasing network security requirements that CAP EAS demands of them. The growing sophistication of cyber threats is not going away, and the interconnected nature of an Internet-based CAP EAS system puts all broadcasters on the front lines.

Post New Comment
If you are already a member, or would like to receive email alerts as new comments are
made, please login or register.

Enter the code shown above:

(Note: If you cannot read the numbers in the above
image, reload the page to generate a new one.)

Posted by: Anonymous
Wed, 08-07-2013 09:42 AM Report Comment
Firewalls, Antivirus, keeping updated etc. are not adequate against zero day attacks. They can reduce the load for sandbox type solutions, which with analysts are effective, but expensive, perhaps over $100k. The NY Times used Mandiant to catch Chinese PLA hackers. Fire Eye is another. Bromium and others may be applicable. It may be more cost-effective for FEMA or an accepted contractor to provide secure ISP using such services to Broadcasters and others. Frank W. Bell

Tuesday 03:07 PM
WMUR-TV Says FAA Drone Rules Preclude ENG
The FAA’s current rules and proposed ban on flight over people, requirement of visual line of sight and restriction on nighttime flying, effectively prohibit broadcasters from using UAS for newsgathering. ~ WMUR-TV General Manager Jeff Bartlett

Sue Sillitoe, White Noise PR /   Friday 11:15 AM
DPA Microphones Expands Its d:facto™ Vocal Microphone Range
Wall Street Communications /   Friday 04:20 PM
SMPTE 2015 NAB Show Preview

Featured Articles
Discover TV Technology