A newly published report highlights the need for continuous assessment and mitigation of cybersecurity vulnerabilities in networked media production equipment. The report, published by JT-NM*, is based on an assessment conducted by EBU experts at the most recent JT-NM Tested event.
The JT-NM Tested programme is designed to give prospective buyers – including EBU Members – a view on which IP production equipment supports a range of interoperability protocols. At the second round of testing in Wuppertal, Germany last August, with 35 vendors participating, a security assessment of the devices under test was introduced. The assessment was conducted by a team from the EBU Media Cybersecurity (MCS) group.
Critical vulnerabilities
As detailed in the report, a total of 385 vulnerabilities were found across the 68 devices tested, with 18% of them rated from critical to highly critical. Even those that were not critical were exploitable. The vulnerabilities ranged from the use of default authentication credentials and unauthenticated remote access to misconfiguration or even absence of encryption. Other weaknesses identified were the inclusion of unnecessary features or poorly implemented web interfaces.
The aim of the assessment is not to "name and shame" the participating vendors; rather it is to raise awareness of the issues and encourage vendors to perform self-assessments in accordance with the methods and tools in the EBU R 148, the recommendation on minimum security tests for networked media equipment.
The report concludes that the "open, cooperative spirit has raised the industry’s awareness of cybersecurity and has demonstrated that manufacturers and users can work together to improve the security of IT-based media facilities."
EBU recommendations
Vendors with critical vulnerabilities have been proactive in collaborating with the EBU MCS team to address those vulnerabilities, in accordance with EBU R 160, the recommendation on vulnerability management procedures. Vendors are also encouraged to put in place a responsible disclosure policy that sets out how security researchers can cooperate with them. Another EBU recommendation, R 161, provides guidance on this.
At the next round of JT-NM Tested, set to take place in Houston, USA during March, cybersecurity will once again be on the agenda. A formal security test plan based on the relevant EBU recommendations forms part of the mandatory pre-event self-testing to be undertaken by participating vendors. The EBU MCS team will once again lead the on-site assessment, through Gerben Dierick (VRT) and Álvaro Martin Santos (RTVE).
Download the JT-NM Cybersecurity Vulnerability Assessment report from the JT-NM website
*JT-NM is the Joint Task Force on Networked Media. The EBU's partners in the consortium are AMWA (Advanced Media Workflow Association), SMPTE (Society of Motion Picture and Television Engineers) and the VSF (Video Services Forum).