Broadcasting, a central part of critical infrastructure
The communications sector, which includes broadcasting, is part of critical infrastructure. Broadcasting, for instance, provides essential services at times of national emergency or natural disasters. Over the decades, broadcasting installations have often been the first targets in international conflicts or in attempts to change a regime. The threats have evolved from physical – bombing or taking over stations – to disabling or paralysing broadcasting installations which rely increasingly on digital tools and processes.
The US administration “identifies the Communications Sector as critical because it provides an ‘enabling function’ across all critical infrastructure sectors.” Broadcasting is listed as one of the sector’s five components (together with wired, wireless, cable and satellite networks). This concept is also being adopted in a growing number of countries. Broadcasters are content creators and providers as well as distributors.
Merging IT and OT
The broadcasting industry (and media content providers) rely increasingly on IT, the Internet, internal and web-connected networks for content production, storage and delivery.
As a result, protecting content production, storage and delivery of broadcast and multimedia services from cyber threats relies on both IT and operational technology (OT). This requires a multi-layered, multi-sector approach, for which IEC and ISO/IEC joint standards, as well as industry-specific standards and recommendations from other organizations, provide solutions.
Cyber attacks on broadcasting and multimedia companies may take many forms, have multiple objectives and be instigated by multiple actors, such as criminal gangs or individuals, state or state-sponsored wrongdoers, some maintaining informal links with each other. This makes such attacks extremely difficult to prevent, identify or mitigate in real time, which is essential in the broadcasting sector where latency can be a major issue.
The motives may include taking down a network, extortion or disruption of services.
Examples of attacks on broadcasters include:
- An April 2015 sustained cyber attack on French international TV broadcaster TV5Monde. The network, which is available in 200 countries, came under attack from a group claiming to be the “Cyber Caliphate”. The attack took the broadcaster’s 12 channels off the air and according to its director-general Yves Bigot, nearly led to the total destruction of its systems.
- A July 2015 cyber attack on the UK-based Islam channel, lasted for around five months before cyber specialists from British intelligence cleared hackers from its systems.
One size doesn’t fit all
Media companies, broadcasters and content producers, rely increasingly on IT and connected networks, and have Internet offers for production and other services (websites, blogs, audio and video streaming, etc.) The multiplicity of services (and threats) means that many tools are needed to address them. They include international standards developed by IEC and the joint work it carries out with ISO and International Telecommunication Union (ITU). For the broadcasting sector industry-specific standards and recommendations are also essential to protect networks and content. These are developed by the World Broadcasting Union (WBU) and its member bodies. Additionally, the Association for International Broadcasting (AIB), set up a Cyber Security Working Group to share information and expertise about existing cyber threats to media companies.
As media services, including those of content providers, have become more connected, spanning different technologies, they face multiple kinds of attacks, including Distributed Denial of Service (DDoS) and the use of ransomware and malware. Other incidents are state-sponsored, such as the November 2014 release of confidential data from Sony Pictures aimed at hurting the entertainment company or the large (and still ongoing) piracy operation launched against the Qatari pay-TV service beIN in October 2017, aimed at damaging the country’s economic interests.
The multiplicity of systems potentially at risk from cyber attacks and of vectors used to carry these out, mean that broadcasters and media content providers must protect against a wide range of threats and mitigate their impact, should they succeed in penetrating and compromising systems. Vulnerabilities include:
Equipment: many media companies rely on connected media devices that have a low security threshold. Off-the-shelf components and devices used may not meet the latest adequate cyber security measures or include available software updates or security patches protecting them, to a certain extent, against cyber threats.
Processes and procedures: implemented by media companies to protect against cyber threats to operations and systems, such as Industrial Automation and Control Systems (IACS).
Equipment may also include personnel (suppliers, vendors).
Personnel: the human factor, should be a priority for all media companies, yet often proves to be the weakest link in the cyber security chain. The most effective attacks use social media engineering to manipulate people and lure them into divulging confidential information, using, for instance, phishing.
Personnel may include suppliers, vendors, maintenance staff and operators.
Protecting against vulnerabilities
Broadcast industry companies started using cloud services for their workflow, editing and storage, and to ensure resilience and continuity of services in case of cyber attacks.
A number of standards and recommendations address vulnerabilities and provide solutions for protection. Some span across different kinds of vulnerabilities. As regards IT aspects the ISO/IEC 27000 family of Standards for IT service management, developed by ISO/IEC JTC 1/SC 27: IT security techniques, is the absolute reference. The IEC 62443 series of standards, developed by IEC TC 65: Industrial-process measurement, control and automation, addresses OT vulnerabilities linked to IACS. Both are referenced as essential for the broadcasting sector in publications such as the US National Association of Broadcasters (NAB) guide to broadcast cyber security.
Other relevant IEC standards include the IEC 62351 series for telecontrol equipment and systems, which addresses the issue of role based access control (RBAC), in other words, restricting access to authorized users. When properly implemented, these standards may prevent unauthorized personnel accessing systems.
Protecting content (a valuable asset), from production to delivery, requires among other things, the implementation of digital rights management (DRM) measures. IEC TC 100 has developed standards to protect content. These cover interoperability solutions that allow the distribution of content according to digital living network alliance (DLNA) guidelines for home networked devices, as well as IEC 62698, which provides a standardized framework to ensure that multimedia content, under copyright, can be shared legally across different systems, including Internet protocol TV (IPTV).
Blockchain can be used to protect content
Blockchain technology can be used to validate and protect multimedia content from piracy and tampering.
EBU Senior Project Manager Adi Kouadio told e-tech: “Blockchain technology makes it possible to improve the traceability of content by recording a signature for each content resulting from a process (editing, compression, etc...). Better traceability means faster detection of content that is either tampered with or labelled with the wrong source. Each operation on the content can be considered a transaction and registered on the blockchain (which cannot be altered).”
Much more at stake and even more to come in the future
Other technologies such as artificial intelligence (AI) and machine learning (ML) can both be used to disseminate and thwart cyber attacks. IEC and ISO recently established the first international standards committee, ISO/IEC JTC 1/ SC 42, that is looking at the entire AI ecosystem, addressing among others, issues concerning trustworthiness, privacy and security, bias in algorithms, as well as societal concerns and ethics.