While politically motivated hacks such as the ones that may have disrupted France’sTV5Monde and WBOC Salisbury, Md., are scary, they aren’t likely to be typical. Stations and networks are more likely to be hit by garden variety malware and malicious code intrusions because where there is IP, there is vulnerability. An area of particular security concern to broadcasters is the nation’s Emergency Alert System, which is increasingly dependent on networked and IP-based services.
On April 8, 2015, hackers penetrated the French broadcaster TV5Monde, crippling email and production facilities, hijacking social media accounts and disrupting the transmission of 11 channels for three hours.
The attackers replaced TV5Monde programming with a message that said “Je suIS IS,” a play on the popular rallying cry of “Je Suis Charlie” that galvanized the world in the wake of the staff killings at French satirical publication Charlie Hebdo.
The hackers also posted on TV5Monde’s social media propaganda and the identities of French soldiers supposedly conducting military operations against ISIS.
A pro-ISIS group that calling itself the Cyber Caliphate claimed credit for the attack, although French government officials have recently suggested that the ISIS connection was a “false flag” operation by Russian hackers.
With scary sounding cybersecurity breaches casting a spotlight on the vulnerabilities of financial institutions, health care providers and Hollywood studios, relatively little light had been shed on the security of the broadcasting system. The TV5Monde hijacking is changing all that.
It is a cautionary tale, says Kelly Williams, senior director of engineering for the NAB.
“That’s the ecosystem of where we are,” he says. “They actually got into the broadcast equipment and turned some servers on and turned some servers off and that’s really scary.”
The TV5Monde attack is a wake-up call that “our broadcast operations are highly reliant on some kind of PC and some kind of IP infrastructure in the station.”
Broadcasters don’t primarily provide Internet Protocol-based services to the public, as do cable, wireline, wireless and even satellite providers, but most have websites and apps and they have increasingly adopted IP technology in their production operations. Where there is IP, there is vulnerability.
Three months prior to the TV5Monde episode, the Cyber Caliphate claimed credit for hacking the Twitter account and website of WBOC Salisbury, Md., replacing the site’s content with pictures supporting ISIS.
While politically motivated hacks such as the ones that may have disrupted TV5Monde and WBOC are scary, they aren’t likely to be typical. Stations and networks are more likely to be hit by garden variety malware and malicious code intrusions.
Two years ago the Web servers at Hubbard Broadcasting’s radio stations in Washington were infected by malware that installed credit card scam software on the computers of some visitors to the companies’ websites.
An area of particular security concern to broadcasters is the nation’s Emergency Alert System, which is increasingly dependent on networked and IP-based services. In April 2013, pranksters hacked into the EAS system of KRTV Montana alerting viewers of an impending zombie apocalypse.
Any intrusion into a station’s EAS system could have widespread public safety ramifications, as illustrated by a recent incident involving iHeart Communication’s WSIX-FM Nashville.
In October 2014, WSIX personality Bobby Bones aired a false emergency alert picked up by 70 affiliated stations, creating a cascade of false alerts on radios and televisions across multiple states and prompting the FCC to levy a $1 million civil penalty against iHeart.
Although the Bobby Bones incident did not involve a cyber breach of any kind, it did illustrate the havoc that could ensue if the system were compromised by a hacker.
“When the EAS was thought of in the middle ’90s, there wasn’t all this thinking about digital security,” Williams says.
With the help of the federal government, the NAB and others have been working on hardening broadcasting against cyber attacks.
Last year, a working group (WG3) of the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) initiative issued basic security recommendations for EAS operators, participants and manufacturers to better protect their systems.
“In general we are still waiting to see how close to heart industry takes these recommendations,” says Edward Czarnecki, director of government affairs for EAS manufacturer Monroe Electronics and former chairman of the FCC’s EAS Working Group.
A more comprehensive set of recommendations for network and local broadcasters comes from the separate FCC CSRIC working group, WG4. The recommendations are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Mandated by President Obama in February 2013 and forged through a year-long series of intensive workshops, the NIST Framework was developed to minimize cyber threats to critical infrastructure industries and improve resiliency in the event of trouble.
“Broadcasters are used to carrying mission-critical data and information. Broadcasters must assess which parts of their infrastructure are critical to maintaining on-air operations so that they can deliver … essential information to the public,” the WG4 report says.
The WG4 report, which the FCC currently has out for public comment, “is a very solid baseline,” says Czarnecki, who also serves on WG4.
“What these two reports [from the FCC EAS Working Group and WG4] have done is repackage common sense recommendations from previous cybersecurity groups and drill them down into a way that broadcasters can use,” he says.
“What’s important about the CSRIC work and the NIST Framework is that they fundamentally change your approach to cybersecurity,” says Williams, who chaired the broadcast sector for working group 4.
In contrast to older cybersecurity approaches, which entail ticking off relatively generic security tasks, he says, the latest reports say “look at your own ecosystem and look at where you’re vulnerable and develop a recovery plan if you’re vulnerable in some way.”
Security is as simple as implementing the recommendations because malicious actors can easily and deftly circumvent them, the experts say.
“All the standards in the world will do nothing more than provoke laughter from the opposition,” said John McAfee at this year’s NAB Show. McAfee is founder of the well-known eponymous anti-virus firm and currently head of a software privacy and security company Future Tense Central.
NAB’s Williams agrees adopting good practices is no guarantee against attacks. The real goal is to become resilient in the face of these events, he says. “One of the perspectives I gained in the context of CSRIC is that it’s about staying on the air. You will get attacked, malware will get into the system and there will be security breaches. But if it doesn’t take you off the air, you will have done your job.”
Meanwhile, the FCC under Chairman Tom Wheeler is becoming more active in spurring broadcasters — and all communications companies — to take cybersecurity seriously.
Last year, Wheeler laid out a new paradigm for communications cybersecurity that he calls “proactive, accountable cyber risk management” in lieu of a “prescriptive, regulatory approach.” The FCC plans to hold companies accountable, with Wheeler stressing in a recent speech that efforts must be more than “glossy powerpoints.”
“The government expects everyone to be thinking about this,” says Megan Brown, a partner at communications law firm Wiley Rein.
Part of the problem, though, is the speed with which cybersecurity threats have emerged on the radar screen of most broadcasters, she says. “I think the approaches are still pretty nascent for most companies.”
Broadcasters are early in the learning curve, says Monroe’s Czarnecki. “There is outreach needed to reach these smaller broadcasters. The smaller guys still may be a little more challenged.”
It doesn’t help that the subject matter itself is difficult to grasp for all but a handful of specialists. “One of the challenges for the broadcast segment is trying to distill the NIST guidelines in a manner that makes sense to broadcasters,” Czarnecki says. “There is quite a bit of eye rolling or eyes glazing over. It is not written in a way that broadcasters understand.”
What then can most broadcasters do to beef up protection and improve survivability?
“The first step is cyber hygiene,” Williams says, echoing the consensus of most cybersecurity experts across all sectors.
Broadcasters should know where their vulnerabilities are and take the appropriate basic steps to make it more difficult for intruders to gain access, he says. “Where is your firewall? Is everything you have protected? Did you change all the default passwords on every piece of equipment you own?
“I can’t stress enough the concept of understanding what your risk is. You get 50% of the way there if you sit down and have a conversation with your staff and you look at where all the vulnerabilities are.”
Cynthia Brumfield is a veteran communications and technology analyst who is currently focused on cybersecurity. Her latest venture is Metacurity.com, a website aimed at solving the information overload facing cybersecurity professionals.
In partnership with TVNewsCheck, she will moderate a webinar, Cybersecurity for Broadcasters: Ten Steps You Should Take Right Now, on July 22 at 2 p.m. ET. It will feature top security specialists on how to protect your assets from cyber intrusions and how to recover quickly from them.