EAS Security Notes
April 10, 2017
Prepared by the SBE EAS Advisory Group
Intrusions into computerized equipment have been around since the internet became a reality years ago. It is no surprise to broadcast engineers that these invasions have made their way into radio and television stations.
Most recently, EAS devices have been a major target. To comply with FCC rules, these devices must have internet access to receive information from FEMA via IPAWS.
Security for EAS and other station devices should be a high priority for station engineers. As a result, the SBE EAS Advisory group has put together a basic security guidelines summary to aid stations in assuring that all equipment is protected from these outside intrusions.
Summary
Every week, broadcasters like you are having their station equipment and computers hacked or tampered with by outsiders or malware infections that affect station computers and networks. If it hasn't happened to you yet, the odds are unfortunately high that it eventually will happen.
These types of intrusions are more than an inconvenience. It can cost you to repair the systems that were compromised. It can cost you revenue for lost airtime. It can cost you credibility in your audience and community. Moreover, it eventually will cost all of us if the government feels it necessary to step in with additional regulations and requirements on broadcasters.
At the same time, it's challenging for many broadcasters to keep up with the wide range of potential cyberattacks. Many broadcasters don't know they have become vulnerable to attackers until it's too late.
To help broadcasters address this growing concern, we have compiled some tips and best practices on how to keep your operation from falling prey to cybercrime. The bottom line:
• Know your Systems. Know what is connected to the network and the internet: at the office, studio, transmitter site, and remotes. If it's connected, it is at risk.
• Defend your Network. Anything that is connected to your network or the internet must be behind a firewall.
• Protect your Equipment. Change default passwords. Change default usernames. Regularly check for and install any software upgrades or patches for equipment.
• Use Common Sense with Email and the Internet. Be cautious about opening email attachments or downloading from websites you don't completely trust. Harmful malware can enter your station, and do significant damage to your business.
What is the problem?
Recent events had plainly shown that broadcasters are a low-hanging fruit for internet mischief-makers and cybercriminals. All too frequently, this involves key station equipment and computers left vulnerable to the internet, not changing default passwords, or even not having passwords at all.
The results have included the entire programming stream disrupted by IP streamers redirected to offensive, political and/or obscene content, the issuance of false or simulated EAS messages, the creation of fake messages and alerts via RDS encoders, the wholesale disruption of station operations when computers are locked via malware and viruses, and more. These are issues that have already happened, repeatedly.
In many cases, the threats boil down to simple vulnerabilities that could have been easily addressed beforehand.
• Stations with unconfigured firewalls - or even no firewalls.
• Station equipment left exposed and unprotected to the open internet.
• Station equipment left with default or easily guessable passwords – or even no passwords.
• Email attachments open, which introduced malware across the station network.
Presenting the potential for reaching a wide audience with inappropriate or political content, broadcasters present an irresistible opportunity for internet bad guys. Some broadcasters have opined that cybersecurity is too expensive or difficult. However, as we outline below, broadcasters can take preventative steps that are often a minimal expense – or no expense at all.
The technical solutions:
• Know Your Systems. Know what systems are connected to your network and to the internet, and know which systems should not be. If it is connected to the network, it's going to need to be protected. This applies to looking at your systems throughout your operation. This includes the business office, studios, transmitter sites, remote control points, and other remote sites.
• Firewalls to Defend Your Network. The one security item every company needs is a firewall, a security appliance that attaches to your network and acts as the protective shield between the outside world and your wired and/or wireless network. A firewall continuously inspects traffic and matches it against a set of predesigned rules. If the traffic qualifies as safe, it's allowed onto your network. If the traffic is questionable, the firewall blocks it and stops an attack before it enters your network. Just about anything in your broadcast facility should be behind a firewall if it is on your network, or going to be connected to the internet. Properly configure your firewall, make sure any software or firmware is up to date, and don't leave ports open.
• Equipment Passwords and Account Management. Equipment in your station may come with a default password. You are urged to change default passwords on any equipment in your operation. If there are accounts or usernames on equipment that are default, or unused, you should also change or delete these. And remember, just because a system has a password, does not mean that it may be fully protected from access by other means. Equipment needs to be behind a firewall.
• Updates and Patches. The manufacturers of equipment in your station may contact you periodically regarding software patches and updates. Make it a practice of applying those software updates in a timely manner. Also, make it a practice of checking with your various manufacturers from time to time to see if they have released software updates of which you may not have been. These updates and patches may include not only feature improvements and bug fixes; they may also contain critical security patches.
• Secure Networks. Other measures to consider is a virtual private network (VPN). A VPN securely and inexpensively uses the public internet, instead of privately owned or leased lines, to provide remote sites and individuals with secure access to your organization's network. Consider, for example, a VPN link as part of the STL, if that relies on an IP stream from the studio to transmitter.
• Safe Web Browsing and E-Mail Habits. Very bad things can enter the station via email or suspect web sites. If your station's employees send e-mails and browse the internet (and of course, virtually all do!), you may also want to consider a software security solutions that include e-mail security, Web gateway security, and URL filtering.
The social solutions
• Security fundamentally involves a social aspect. Internally, you may need to reorient your employees and colleagues around safe email and web browsing habits. You may want to orient these employees to be wary of scam and phishing emails, and to beware of potentially dangerous attachments to emails from unknown or suspicious senders. You may need to reinforce safe web browsing habits, such as being careful not to download content from unknown or suspect websites.
• Broadcasters are a community. Externally, you may find opportunities to share information about what you are doing to improve security, what threats you see, and how you are addressing them.
When to call in an IT security consultant
There are going to be things you might not be able to do alone as a broadcaster. For FCC issues, you get outside legal advice. For annual and quarterly financials, you have an accountant. The same goes for security expertise. When you need to conduct a risk assessment, or get assistance in setting up network and IT security solutions, it may be money well spent it if you don't have the expertise to do it yourself.
Don't be part of the problem. Be part of the solution.