IABM UK Members’ Council debates Cyber Security

The issue of cyber security hits on many levels – corporate, product, system and individual.  All of these are apparent within the Broadcast Industry with attitudes as well as actions to cyber security increasingly changing, driven in no small part by the rapid adoption of new cloud-based workflows and ‘direct to consumer’ strategies.  Below the UK Members’ Council have been given 30 minutes to ‘debate’ two opposing statements around cyber security and what it means for the Broadcast industry.

UK council chairman, Simon Haywood (Dell Technologies), kicked off the debate by positing two very different scenarios:

• Most broadcasters have cyber security covered, and the threat of so-called cyber-attack is considerably over-exaggerated. All that's required is a decent firewall, and anti-virus on machines that people use. Backups aren't needed - because everything's archived. And in any case, broadcasters are not the target of any of these attacks - they're more aimed at extorting money from commercial organisations.

•  Every touchpoint that a broadcaster has with a viewer or any other organisation is a potential attack vector - and the consequences of malicious activity go far beyond any immediate impact. Broadcasters must adopt a "zero trust" security policy - and secure their systems and workflows across all levels of their organisations.

Tim Felstead (Sony Professional Solutions Europe) cited a recent example of a tender for a public broadcaster as clear evidence that cyber security is a central consideration. The tender required full compliance at every level of the EBU’s Technology Pyramid for Media Nodes and its various cyber security recommendations. “There were two components – the company security: how do you as a company comply with all these security requirements and also how do your products comply with the security requirements?” Felstead explained. “And also, can you demonstrate test results that you comply? This gets down to really detailed levels – does this product respond to a certain action over an IP network in a certain period of time? So it’s not just about 2110 and the standards compliance of transport – it’s also down in the minute detail about tests for cyber security and responses to various kinds of attack etc. It’s very onerous.”

Martin Paskin (Techex) also had a recent similar experience with a large broadcaster specifying that they needed to clear levels 1 and 2 of OWASP (Open Web Application Security Project) and a significant proportion of level 3 too. “That costs a lot of money and time to achieve but it was the only way we could get our products on their site,” he said. “And the Russian war on Ukraine has caused a lot of people to be very concerned about security, including broadcasters, some of whom have severed all remote connections to all of their systems, which has become a blocker to trying to deploy systems or even support systems now.”

Simon Haywood suggested a lot of industries could learn from Hollywood, “which has been all over content security for years; they take it much more seriously than – for example – the medical guys. But in the broadcast industry, we all know of broadcast systems from big vendors where the vendor name is both the username and password, which is the execution user for the entire system!” This comment brought smiles all round. “We can’t do that anymore.” Haywood pointed out that Dell products get used in many other verticals – enterprise and government for example – “which dealt with this stuff years ago, so maybe we don’t need to reinvent the wheel. What Tim Felstead was being asked to do has been done before in these other verticals. You could find someone from a totally different sector who might just mop it all up in an afternoon.”

Felstead responded by pointing out that, while software-centric companies may have the skills in house, “if you’re a company making say pedestals for cameras, then I bet you have a LAN, but you’ve got far more mechanical engineering resources in the company than you have IT engineers. Companies need to change their approach to accommodate the changing norms in the industry.”

Peter Blatchford (Starfish Technologies) reported that when he tried to renew his company’s public liability insurance recently, he was forced to implement “a whole bunch new things because the company said our cyber security wasn’t up to scratch. It came from nowhere – we’ve never been asked to do it or prove it in the past. It isn’t a bad thing in itself but, as Martin Paskin said, these things cost money and time, which is a really precious commodity irrespective of cost. We don’t have people to sit around and look at this stuff – we’re trying to deliver a product, so any distraction is incredibly unwelcome and it basically involves us setting aside two of our top software developers to implement.

“The implication is that insurance companies are now expecting anyone involved in any high-tech industry to implement these standards internally. We didn’t want to challenge them; they allocated a couple of people at their end who are now responsible for ensuring companies implement these standards; we had a conference call that went on for many hours with our software developers and they told us what we needed to implement. The implication is that any company that wants any form of liability insurance will have to implement these kinds of standards, including one-time passwords and two-factor authentication. We’ve had to implement these internally when we VPN into our own systems.”

“Our customers have been protecting their systems for years. For example with Sky, you obtain a token and you’re given access to the system for a very short period of time. You have to justify why you need that token and that’s totally reasonable – I have no issue with that,” Blatchford added.

John Sparrow (Clear-Com) concurred. “We’ve been doing this for a long time when connecting to our servers in the US. We’ve just changed to meet California laws, which say  you can’t have the same password, so the first time someone logs into the product, they are forced to change the password – so we lose the general ability to get into the system.”

Ilona Valent (Riedel Communications and Solent University) expressed her surprise at how unprepared some companies are when it comes to cyber security. “One aspect is protecting content – ‘Hollywood syndrome’ – piracy is a major concern, and the other is confidentiality and data protection – personal and employee data protection. Most of our clients are focusing on these. Recently we were trialing a new power system at one of our clients to enable them to control and monitor remotely. We were trying to remotely turn on lights in the studio and instead took down the whole gallery. It was just a test or it would have been mission-critical! Hackers these days do it just for fun – recently one of the world’s most prolific hackers was caught and he was just a 16-year-old autistic boy who just enjoyed doing it. But if a broadcaster goes down on air to a hacker – maybe carrying a major live event – that’s an incredible amount of money and reputation lost.”

Jonathan Morgan (Object Matrix) added “Broadcasters get hit by everyone – by these kinds of people having fun, by opportunists, by government-sponsored hackers. The big thing that’s happened over the last few years is that there seems to be an industry of companies that exist to hack and make money out if it. In the past, we used to think of individuals or loose collectives but now it seems like there are actually companies set up do this. It has changed dramatically.”

“Now we’re seeing people move away from direct satellite feeds or A to B telecommunications towards using IP, we’re seeing a lot more people asking for rotating keys,” Martin Paskin said.

Mark Davies (TSL Professional Products) has seen this go one stage further – or maybe that should be backwards: “We have had a customer request to do one totally IP installation where they seriously took all their outgoing lines back to SDI then IP before going out of the building.”

Micky Edwards (TAG VS) added: “As a software-only company, we regularly get asked about penetration testing. Third parties carry this out and each individual broadcaster wants to keep their results secret. But it’s the same type of test being done by these companies, and if there were a method of sharing this between them, they may be able to save themselves an absolute fortune in hiring these third parties to come out and do each individual test. That’s maybe something to think about where there are standards.”

Darren Whitehead (IABM) has seen an example of sharing at a recent BT seminar. “They deal with major threat attacks on the network through collaboration. They’ll pick up the phone to their competitors and tell them about an attack, helping to minimize its impact. It’s in everyone’s best interests to have the most secure possible network for their clients. I don’t see this happening in broadcast.”

Rounding out the discussion, Whitehead concluded: “If we don’t do something about it as an industry ourselves, then other people such as the insurance industry will force it on us.”

So it is clear the UK Members’ Council believes approaches to cyber security in the broadcast industry are getting more sophisticated and certainly more prioritized throughout the planning, purchasing and implementation stages of a project.  However, by working with other vertical industries, broadcasters may be able to learn a lot as well as save time and money!  The message from the UK Members’ Council then is for more collaboration between vendors and customers and more transparency around what works!