"It is important that security becomes a minimum quality requirement for broadcast systems," said Andreas Schneider, Chief Information Security Officer (CISO) at Swiss broadcaster SRG. He was speaking at the recent EBU Media Cybersecurity Seminar in Geneva, the first such event of its kind in Europe. Mr Schneider is also chair of the EBU's Media Cybersecurity group.
The opening session on security standards highlighted initiatives such as EBU R 143 (Cybersecurity for media vendor systems, software & services) and the DPP's security checklist. These recommendations, which build on existing security standards such as ISO 27001 and national best practice guides, should be embraced by vendors. "It's not that we are re-inventing the wheel on cybersecurity," said the EBU's Adi Kouadio, "we just customize it for media organizations."
No more an island
The well-attended seminar identified the problem of broadcasting's legacy as a technology island, where historically neither vendors nor application developers were mandated to follow security best practices in software development. However, in today's connected world such best practices are essential. As the broadcast industry moves from the world of SDI to that of IT and IP, new standards are being developed. BBC's Lead Technologist Peter Brightwell pointed out that "IP offers flexibility, but also open doors to hack."
Rather than simply diagnosing the problems, the EBU seminar provided practical advice on implementing cybersecurity within media organizations. France Télévisions' David Garcia discussed the importance of a Security Operation Centre and the challenges associated with deciding whether such services should be in- or out-sourced. Trust in the service provider is a key consideration.
Gerben Dierick, CISO at Belgium's VRT, focused on the importance of dialogue, as opposed to developing policies. Open communication between the people responsible for security and the non-technical staff – especially journalists – is crucial. Lena Vretling (SR) and Johan Ribberheim (SVT) echoed this point, acknowledging that while "you cannot avoid users adopting external cloud services, you can guide them and raise their awareness of security limitations." They said cybersecurity should be so easy to implement that it will be easy to adopt.
Another key topic, that of data privacy, was covered extensively by an internationally recognized expert in the field, NETAPP's Sheila FitzPatrick. She emphasized that media organizations and, to a wider extent, service providers need to pay attention to compliance with data privacy laws at both regional (EU GDPR) and national level, noting that in some cases national legislation may be more restrictive.
A series of hands-on tutorials allowed seminar delegates to build up their know-how in the domain. The offer included SCRT on ransomware, EdgeSCAN on secure web application development, a live hacking demo from OneConsult, and a look at DDoS mitigation from Cloudflare.
EBU Members are strongly encouraged to engage with this topic by following the work of the Media Cybersecurity group. In addition to the suite of recommendations already issued, work is ongoing on a recommendation on cloud security (R 146).
Videos of the presentations from the Media Cybersecurity Seminar 2017 are available to view by EBU Members and others who attended the event.