EBU Session @ IBC: Cyber Security and Strategies for Media Companies
This year, the EBU will host a special session on cybersecurity to discuss this important topic. Join us in Room Emerald on Saturday, 10 September from 15:30 – 18:00.
Dealing with a hyper-connected media world
Media consumption patterns have changed tremendously over the past few years. This new hyper-connected, multi-platform media ecosystem continues to push media companies to adapt their production and distribution strategies so that they can reach dispersed audiences.
To help solve this challenge, media companies have created a range of IP-based content delivery services (from Internet radio and hybrid TV to second screen and video on demand). This is done in addition to traditional radio and TV broadcasting, which is also slowly migrating to IP for flexibility.
Everything talks IP: audio and video content is delivered over the internet, news-feeds are collected over the internet, traditional production applications get cloud access or are provided "as-a-service" and even studio lights are controllable via apps running on tablet devices or smartphones. As a result, media companies are becoming an integral part of a new smart cyber-ecosystem.
Increasing threats toward media companies
So far, this all sounds exciting and good. But there is a twist in the perfectly interconnected world: even hackers become smart. Beginning with the Arab Spring and the Wikileaks whistle-blower disclosures in 2010, a growing radicalization and ideologization of hackers has given rise to a new type of hacker whose intent is not to gain money but to destroy or manipulate systems or institutions at any price. Such activities may often even be government driven, as part of defence departments or national intelligence offices.
Today’s attacks are usually well organized and are rarely carried out by a single attacker, but more likely by a group of attackers. Social media provides, almost offers up, the required information about employees and the target organization, and Google-like search engines can be used to find the weakest link in the target’s content delivery chain. Recent hacks like the disastrous attack against TV5Monde in 2015, Sony Pictures in 2014 and a steadily increasing number of DDoS attacks against public broadcasters have shown the potential damage that can be done.
The EBU Media Cybersecurity Group
So what do we do? These changes in technology and hackers’ approaches require a fundamental paradigm shift to transform and actively address security risks as corporate cyber risks. Security is no longer an operational, technical issue; it is an integral part of wider business decisions that are not limited to the broadcaster itself. The whole industry needs to adequately address security.
For these reasons, the European Broadcasting Union (EBU) has started a Strategic Programme on Media Cyber Security (MCS) to address these new and evolving threats. The EBU MCS Group consists of Chief Information Security Officers of EBU Members (including SRG SSR). These Members actively share their knowledge to provide broadcast-specific recommendations on cybersecurity (e.g. EBU R141 on DDoS Mitigation). These recommendations are built on proven security practices and further refined with the specifications of the media world. Below are a few examples of the types of recommendations the group makes for media companies:
- Involve security governance at the highest corporate level: First and foremost, it is key for organizations to create awareness of the topic, especially among senior management. A company’s security advocate is required to have the necessary skills and competencies to address security-related topics. If appropriate, a security team or board should be institutionalized. By defining scenarios based on probable hacker attacks that cover the big picture of the content delivery chain, the topic of cybersecurity will become more tangible and known as a realistic threat. Based on these scenarios, potential security risks can be derived and fed into corporate risk management programmes, thus making security an active part of the corporate decision-making process. As a result, security aims to be a business enabler, not a business preventer, outpacing today’s hackers in smartness and speed. The EBU MCS Group has created a security governance guideline (EBU R144) that helps organisations benchmark their security awareness level and also establish an efficient security hierarchy.
- Raise the security level of media-specific systems and services: Even though most media products and services run on conventional IT platforms, the security best practices from the IT world are not necessarily carried out in the media domain. The EBU’s recommendation (EBU R143) helps manufacturers and media companies benchmark the minimum security levels of their products or services.
- Consider security aspects in the design of media applications and standards: Security in media is mainly related to digital rights management around the content. However, in this ecosystem of apps and web-based services, not only the content should be secured, but also the application itself (Android/iOS media apps, HbbTV, etc.). If flawed, the application can be used as an entry point to either hijack the device (create a bot) or gain other privileged access. The EBU liaises with different standards bodies and consumer electronics vendor associations to consider minimum security requirements and implementation best practices (e.g. EBU R142).