Organized and hosted by the EBU in Geneva for the third year in a row, the Media Cybersecurity Seminar has grown to become a regular meeting point for Chief Information Security Officers, IT specialists and industry experts and representatives.
This year, the conference took an in-depth look at threat mitigation strategies for digital organizations, responsible disclosure programmes, Security Operation Centres (SOCs), and initiatives to improve security standards implemented by system vendors, as well as related cyber-challenges such as content piracy and deep fakes. All presentations are hosted on the event website and can be accessed by MCS 2019 participants and staff of EBU Member organizations.
Awareness is the first step towards improvement
A recurring theme throughout the conference was the need to improve visibility and awareness of vulnerabilities and threats. David Garcia, CISO at France Télévisions and Chair of the EBU Media Cybersecurity group, explained how the French broadcaster went to great lengths to give its new Security Operations Centre access to the logs it needed to detect attacks and build and initiate “kill chains” to mitigate them.
Similarly, Gerben Dierick and Wim Wauterickx of Belgian broadcaster VRT presented how collaboration with “ethical hackers” – independent security researchers – allows the Flemish broadcaster to discover and fix vulnerabilities it had no awareness of. Like several other broadcasters and most digital corporations, VRT runs a responsible disclosure programme – a mechanism formalizing the interaction with ethical hackers that eliminates the risk of criminal prosecution as an obstacle to the reporting of vulnerabilities an independent researcher has discovered.
Ethical hackers are motivated by the challenge, rather than by criminal energy, said white hat hacker Inti De Ceukelaire, who previously worked for VRT and now runs a responsible disclosure platform. Organizations can benefit from the more global view and greater creativity that ethical hackers develop compared to typical penetration tests, said De Ceukelaire. An effective way to incentivize these security researchers is through so-called bug bounty programmes, where payments are made only when vulnerabilities are discovered and reported.
The EBU has published a set of best practices for responsible disclosure programmes as EBU R 161.
Assumption: every device can (and will) be hacked
Andreas Schneider, CISO at Swiss media group Tamedia, in his keynote to MCS 2019, explained how his organization’s wish to fully embrace agile working methods led the company to seek a new approach to security. Schneider and his team decided to accept the fact that developers themselves tended to use their personal devices at and for work, greatly increasing the risk of exposing the company to a vulnerability – and in response to push the organization’s security boundary from the devices to the applications. This zero-trust policy for end-user devices now allows the organization’s staff to use their own devices freely, and the organization to focus its security efforts where they are most effective.
Similarly, the BBC also decided that simply isolating its systems from security threats wasn’t possible, as Mike Ellis, Head of Production Architecture at the BBC, explained in his presentation. “It used to be that we thought of a broadcast facility as a castle with a moat around it – a physically secured infrastructure that didn’t have any connections to the outside world. That was the typical broadcast security model”, said Ellis. “In reality, no castle and its inhabitants have ever been able to maintain that for very long, and for modern media organizations it’s practically impossible.” In the case of the BBC’s new Cardiff facility, which is fitted with cutting-edge IP-based production infrastructure, this meant that the infrastructure itself had to be hardened.
Ellis called on media organizations and vendors to apply EBU Recommendations R 148 and R 160, which provide guidance on minimum security requirements for equipment and on procedures to encourage the patching of vulnerabilities – a sentiment that was echoed by vendors in the room as greatly simplifying the process.
Addressing the vulnerabilities of IP-based production equipment is the expressed goal of the JT-NM Tested programme. In his presentation, Alvaro Martin Santos from Spanish broadcaster RTVE described the methodology designed for the vulnerability scans that were administered by the EBU, IRT and BBC this summer on equipment submitted by manufacturers for testing. The results of the tests can be viewed on the JT-NM website.
MCS also took a look at the topic of content piracy – a thriving industry generating hundreds of millions in illicit revenue – as well as the risks to consumers and the cost to content producers. The EBU’s Adi Kouadio and Julien Mandel from partner ATEME also presented the latest BISS-CA (Basic Interoperable Scrambling Standard – Conditional Access) system, a standard used to protect and manage, in real time, content contribution streams sent on any infrastructure, including satellite and fibre.