BOC security

Nuclear power plants are secure. Right? A recent article in the Proceedings of the IEEE, tells a tale of a nuclear power plant that was infected by a vendor’s laptop. Fortunately, the reactor was down at the time. The article is also a good place to get an overview of security techniques.

Security attacks should be of critical concern to broadcasters. Malicious content tampering or an infrastructure breech can be embarrassing, damage business relationships or take you completely off the air.

Inadvertent acts by BOC personnel are also a security concern. Internet connectivity and transferring files from a non-secure computer (from home) can infect a platform, the media network and the entire infrastructure.

Layer by layer

The security layer consists of increasingly tightening layers of protection. This requires a hacker to repeatedly attack and breech protection mechanisms. You might get lucky and the hacker will give up. Designing for security must be a fundamental infrastructure requirement.

Controlling physical access is the first line of defense. This is generally done by using badges, card reading locks, security guards and by locating equipment in locked rooms. But with so much BOC equipment being on a network, a hacker can get into your facility without physical access.

Media network security consists of firewalls, proxy servers, DMZ’s and Access Control Lists. These techniques must be intelligently and cost-effectively deployed and intimately integrated into the BOC infrastructure to be effective.

On the application layer, granting of access rights to accounts is based on username and password. By using a least privilege approach, a graphics artist can only log onto a graphics workstation, not a playout server.

Risk assessment

Security attacks can originate externally and internally. Security problems can involve employees or people on the inside. Their actions can be accidental or malicious. Incidents have two phases. In the attack phase, a way into the infrastructure is sought. When successful, there is a breech.

A thorough security audit, common practice in the IT world, will examine all these issues. This is an assessment of threats that have the potential to cause harm. An effort is made to identify areas of vulnerability. A determination of the impact of an incident will guide implementation of security techniques and technologies

An informative article entitled “How to Conduct a Security Audit,” by Justin Kapp can be found at www.techsupportalert.com/search/t04123.pdf.

Basic methods

Security should be an integral part of infrastructure design. There should be no one point of vulnerability. You can start with computer platforms.

Lockdown is the act of removing or disabling services and applications on a computer system that will not be used and are not necessary. This removes potential security holes.

Virus scanning should be installed on every computer. Periodic checks of entire machines and on-access scanning of a file as it is being opened should be implemented. Virus definition files need to be updated weekly. A current list of viruses can be found at www.symantec.com.

However, security has its price. It can be expensive, time consuming and require dedicated personnel. Every level of security slows infrastructure speed. Evaluate the impact of security implementation on infrastructure performance.

A response plan: Limiting the damage

Every facility needs to have a plan about how to respond to an attack. Once you’ve been breeched it is too late to figure out what to do.

Establish an Incident Response Team (IRT) to respond to attacks, investigate incidents, make evaluations and initiate corrective action. An IRT consists of technical specialists, corporate security, legal, HR, executive management among others. From this group a core team is established to perform threat and risk analysis, vulnerability testing and security audits. Appropriate response plans are developed for any possible incident. Security alerts are published.

An IRT operation process is defined. A consistently applied approach must be followed. Incidents must be documented and a database created. If there is an incident, an analysis will identify measures to take to prevent future attacks.

If an incident occurs, intrusion response personnel must be alerted instantaneously. A sufficient amount of information must be gathered so that an audit trail can be traced and the responsible party identified

Continuous monitoring

Implementing real-time monitoring capabilities that immediately make security personnel aware of a potential attack is imperative. Intrusion Prevention Systems and Intrusion Detection Systems are fundamental security techniques that activate monitoring system alarms and notify the IRT.

Intrusion Prevention Systems (IPS) will block a suspected attack before it can enter the network infrastructure. These are previously seen and analyzed attacks. An IPS must be used in conjunction with other techniques. Hackers are clever.

Intrusion Detection Systems (IDS) monitor networks, hosts (OS) and applications. Some technologies analyze activity patterns. If suspicious activity is observed, actions are taken to prevent the suspect file or activity from inflicting any damage and issue alerts.

Internet access

BOC personnel want Internet access but Internet connectivity in a BOC is fraught with danger. Active code, routinely downloaded from the Web, can include viruses, worms and bots. ABC News was recently forced to use typewriters to prepare copy for “World News Tonight” due to a worm. It could have been a lot worse.

Some broadcast equipment vendors require firmware and software upgrades to be downloaded over the Internet. They may want to supply field service by a VPN into your machine and take remote control. Each of these scenarios entails security risk.

Broadcast networks should be physically separated from corporate networks and the Internet. As a stand-alone system, the BOC infrastructure can be considered secure.

Broadcast Engineering’s Computers and Networks expert, Brad Gilmer discusses relevant Internet access security issues and measures in his monthly columns.

A matter of trust

A BOC may not be a military command post, but you can learn security techniques. Trusted computers insure file traceability by unique username and password. Operating systems include security information, as data is input to a system over a secure network. When these conditions are met, OSes and networks are certified.

Similar protocols belong in a networked BOC. Test and certify computer platforms and operating systems before installation.

The National Institute of Standards and Technology has established a National Vulnerability Database. Located at http://nvd.nist.gov/statistics.cfm it is updated daily. Try a search with the Vulnerability Notes or Technical Alerts selection checked. You may be surprised at how many items are listed.

Knowledge is power

Broadcast personnel need to become knowledgeable about security techniques, technologies and infrastructure deployment. Train all levels of personnel to be security aware. Security is a philosophy

Follow Generally Accepted Systems Security Principles (GASSP) www.auerbach-publications.com/dynamic_data/2334_1221_gassp.pdf.

Have at least one person on your design team earn a Certification for Information System Security Professional (CISSP). The exam is administered by the International Information Systems Security Certification Consortium (www.isc2.org).

Keep the following principles in mind when developing your security plan:

  • Use a combination of physical and logical measures.
  • Each user should have a unique account. Reset passwords frequently.
  • Implement the least privilege concept.
  • Require users to read and sign off on the security policy when their accounts are created.
  • Display a usage notification when users sign on prohibiting unauthorized use and stating that violators will be prosecuted. Employees should not expect privacy.
  • Enforce security policies.
  • Warn and discipline employees when necessary.
  • Perform security audits regularly.
  • Never let a user log on with administrator privileges.

Senior management must understand the need for security. Circulating a broadcast facility specific IEEE security article can increase awareness of the need for security.

Be afraid. Hacking is becoming an organized, criminal activity. Access to your infrastructure can be sold to groups that want to do damage to your organization. And without adequate security, you will not be aware that you are at risk.

References

[1] “Security for Industrial Communication Systems”, Dzung, Naedele, von Hoff & Crevatin, Proceedings of the IEEE Volume 93, Number 6, June 2005

[2] Network security, Brad Gilmer, Broadcast Engineering, Oct 1, 2004, http://broadcastengineering.com/mag/broadcasting_network_security/index.html

[3] Broadcast Security Architecture For The Digital Age - The Next Level, Baden & Flint, Flint Associates, Washington DC http://uptown.flint.com/articles/bsa.pdf

Further reading

Information Security Management Handbook, 2004 Edition (Vol. 1, 2 & 3 or CD-ROM), Tipton, Auerbach Publications

Organizations

IETF - http://web.mit.edu/network/ietf/sa

ISO - www.isosecuritysolutions.com/standardmain.html

Back to the top