The author is senior director of strategy, development and regulatory affairs with Monroe Electronics Inc.
Broadcasters have grown increasingly reliant on the Internet, whether it is to reach a potential audience and advertisers, conduct daily business or fulfill their FCC EAS obligations to monitor the IPAWS CAP service.
The downside of Internet dependence, of course, is that the broadcast industry is now at the front line of potential assaults by any number of cyber threats. Like it or not, cyber security will continue to be a fact of life for broadcasters and EAS manufacturers.
MUCH TO BE DONE
EAS technologies are not security appliances in and of themselves. Broadcasters must protect these technologies as they would any sensitive system in their operations.
Protection means, at a minimum, keeping all network connections to the devices firewalled from the public Internet, regularly checking with vendors to ensure software is up to date and regularly checking the facility’s EAS systems for any potential indications of attack or unauthorized access. (For DASDEC users, the current 2.0-2 release issued in April includes several cumulative security and feature updates.)
On May 15, FEMA posted a reminder to various industry e-mail lists about the importance of maintaining updated software/firmware on CAP EAS devices.
However, there is much more to be done. Common best practices and critical controls need to be identified and implemented in each of the key stakeholder areas in the EAS system: broadcasters, CAP EAS manufacturers and CAP EAS networks, including IPAWS and the various state CAP networks that are evolving. These best practices do not necessarily need to be onerous, but they do need to be implemented system-wide.
The system is only as strong as its weakest link.
What kinds of security practices or controls should the industry consider? And who should be the arbiter or advocate for these cyber security best practices? Well, an initial list of “Best Practices for Public Warning Cyber security” could include:
• Safeguarding Equipment— Make sure that CAP EAS equipment is behind a firewall, at minimum, and that it has the most current versions of firmware/software from manufacturers. All remote administration should be performed over secure channels, preferably with strong encryption, or over a secondary SSL or IPSEC channel.
• Securing Configuration— Of firewalls, routers and switches. These elements are often left less secure than they ought to be. Broadcasters also should limit access to ports and other services.
• Perimeter Defense— Create a strong “perimeter defense,” as a simple firewall may not always be sufficient. Broadcasters should consider a creating layered boundary by using firewalls, proxies, DMZ perimeter networks and network-based intrusion protection and detection, as well as filtering both inbound and outbound traffic. Digital Alert Systems issued a white paper on this matter in 2011. (“CAP, EAS and IPAWS: Introducing a Defense-in-Depth Security Strategy for Broadcasters,” available at www.digitalalertsystems.com/pdf/wpdas-122.pdf
• Malware Beware— Defenses against malware may become even more important in the future, if and when CAP messages contain resource (file) links to third-party Web servers. Even if a CAP message comes via the FEMA IPAWS server, that CAP message may contain a link to some separate multimedia sever that the device may automatically attempt to access.
• Foster Skills and Training— A stronger culture of awareness around cyber security is needed in the mass media sector. There also must be greater training opportunities that aid key personnel in developing or enhancing skills in the cyber security area. With the support of key government agencies, national organizations such the Society of Broadcast Engineers or NAB could take the lead to promote these activities.
• Controlled Access— Take charge of who can access CAP EAS equipment by changing all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems to a difficult-to-guess value, and limiting administrative privileges.
Broadcasters have a financial and competitive incentive to safeguard their own networks. Government agencies including FEMA and the FCC have an inherent incentive to safeguard the overall resilience and reliability of the Emergency Alert System, and this means addressing the risks that accompany its new dependence on the Internet.
The alarming incident this past February, when someone hacked into the EAS and issued a warning that zombies were real and on the attack, has at least sparked a dialogue on cyber security. However, this dialogue remains uncoordinated between industry and government, and is far from yielding a security framework addressing the interests of both the public and private sectors.
Since President Obama’s February executive order on overall cyber security, the White House has favored combining voluntary security measures along with incentives for companies that comply. Congress, for its part, seems to be leaning toward legislation that would promote the adoption of cyber security best practices by both private sector and public sector entities.
What this approach lacks is a means of identifying, translating and promoting those best practices across the broadcast industry. Creating a public-private partnership around cyber security for public warning could be an effective way of bridging this critical gap. The outcome of such a partnership would be the sharing of information on best practices, practical approaches and potential cyber security threats to the overall CAP EAS system.
This is not a hypothetical suggestion. Just this type of public-private approach is already being embraced in other industries. In principle, it could be replicated in the broadcast industry.
The Department of Homeland Security, along with the Department of Energy, recently partnered with a number of energy companies to identify and combat threats in that industry. Through this working relationship, the energy industry is sharing information about risks that it faces, and the government is sharing information on potential threats.
This energy industry partnership provides a real benchmark for how a public-private partnership could function for cyber security in the public warning area and, ultimately, to produce mutually beneficial outcomes for government and industry.
A further recommendation is the inclusion of EAS-related technologies and systems under the DHS Protected Critical Infrastructure Information (PCII) Program. PCII is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data.
Simple steps can be taken to enhance the security of the new CAP EAS system, and many of these steps fall within the control of the local broadcaster. However, CAP EAS is a system — a system that will be only as secure as its weakest link.
Therefore, now is the time to open a dialogue on forming a public-private partnership on cyber security in public warning. Now is the time for broadcasters to become more aware of the increasing network security requirements that CAP EAS demands of them. The growing sophistication of cyber threats is not going away, and the interconnected nature of an Internet-based CAP EAS system puts all broadcasters on the front lines.