Cybersecurity masterclass: Video discussion
Posted on Oct 11, 2021 by FEED Staff
Are you ready for the next attack? FEED meets industry experts to learn the best methods of securing your business from the next set of cyber security threats.
On the panel
The trade association:
Simon Spanswick, chief executive officer, Association for International Broadcasting (AIB).
The tech vendors:
John Mailhot, CTO infrastructure and networking, Imagine Communications
Phil Myers, chief technology officer, Lawo
Neal Romanek, editor, FEED
Neal Romanek: To begin with, Simon, could you update us on what the AIB has been up to – and how it currently views the landscape of cybersecurity in broadcast?
Simon Spanswick: One of the pieces of work we got involved in a few years ago was cybersecurity, because it was starting to raise its head. We were seeing more and more problems for a lot of broadcasters; so some of them came to us and said: “How can we share knowledge? How can we work together and improve the current situation?”
Not all broadcasters are as well-resourced at dealing with the challenge of security. The problem has increased, particularly over the past 18 months of the pandemic, where everyone has been working from home. There are extra points of entry when broadcasting remotely.
We’ve done lots of work with the UK National Cyber Security Centre – part of GCHQ, the government’s signal monitoring station. We’ve also talked to other agencies across the world; they are concerned about the effect on critical national infrastructure, which broadcasters represent. There’s a worry about whether companies have the tools to address the cybersecurity problem.
Neal Romanek: What are the biggest threats facing broadcasters?
Simon Spanswick: The problems are multitudinous. I have been in some cybersecurity centres within broadcasters, watching the number of cyber security threats available to them all the time, from different parts of the world. There are certainly nation states working against broadcasters, and they are very well-resourced, increasing the threat level.
The issues involve emails, which can particularly compromise a news environment, where sources and stories are being compiled by contributors that might not want to be named. You’ve also got attacks on playout, and we are all connected by vulnerable mobile phones.
About five years ago, France’s TV5Monde had their website blocked – their entire systems were trashed. French security services did a clean-up operation, and staff weren’t allowed to use the internet for around six months. It cost them €9 million to recover and put in place systems to prevent the repetition of that attack.
Neal Romanek: How are technology vendors working with broadcasters to make them aware of the issues?
Phil Myers: A lot of customers, while they know it’s important to their business, don’t truly understand the impact an attack could bring. Once someone is in your system and has access to your private information, it’s not only emails – potentially it’s payrolls and anything else associated with that individual.
From a content perspective, use the example of US TV shows being distributed to European broadcasters, well in advance of going out. Then there’s the other side of it – somebody enters the system with malware, or ransomware where they effectively lock the system and prevent you from operating. From a broadcast vendor perspective, it’s challenging, because we supply technology to a lot of broadcasters. But we don’t supply all the technology – that’s the most important part.
John Mailhot: In a sense, the broadcaster isn’t so different from any other similar-size enterprise-business. It needs to have good cybersecurity practices and basic IT hygiene. If you compare media and banks, for example, there are two key differences.
For one, the media industry often reports on nation states. So, in effect, they can lead to nation-state attacks. Look at some examples – in Australia, and on Sony Pictures. Those were nation-state attacks inspired by content on the channel.
Another way is if you visit the IT infrastructure at a bank: you need at least two different people to approve walking into the building, and you are escorted the entire time. Whereas, if you show up with a hoodie and a USB stick at a broadcast station, and say, “Hey, I’m the replacement editor for the show,” you can talk your way into sitting at a desk with an edit station. We have a very transient staff model in the television world, so the human threat surface is very different to that of a bank or a trading firm.
Phil Myers: I would echo that. Just look at an OB truck, for example, that might be connected to a facility. You have switches in the production area, everybody can come up with a device and plug into it. It comes down to the point John made – if you think about a bank, you wouldn’t be able to walk in and connect, but in broadcast it’s common practice. Anyone might plug into anything without realising the implications for your facility.
John Mailhot: I think another thing is to recognise and accommodate needs. For example, the requirement for people to connect to the internet around the truck – or even in the broadcast centre. The enterprise security industry is huge, and growing. The first line of defence in the television industry is to use things other industries have. There has always been history in the television industry, between broadcast engineers and IT, where they weren’t on the same page. The reality is that the two disciplines are intertwined and interconnected – they need to not just find peace, but also successful collaboration.
Neal Romanek: Are broadcasters prepared to make cultural changes?
Simon Spanswick: It depends on the culture of the organisation. There is a problem, often at board level, where cybersecurity is put on the ‘too hard’ pile. People are not really employing a top-down culture when it comes to the need for cybersecurity. That’s one of the biggest issues within our industry; it’s not the be-all-and-end-all of everything, until there’s another TV5 incident. This is an issue that exists until it’s taken seriously by the most senior executives within an organisation. It needs to be taken as seriously as producing the best programmes, or finding ways to be carbon neutral – the ‘sexier’ things. Unfortunately, cybersecurity isn’t considered a ‘sexy’ topic for your average media executive, so it’s just put to one side.
Neal Romanek: More devices are connected than ever, and more remote working is taking place. What strategies are there for keeping workflows safe?
Phil Myers: As a vendor, it becomes really challenging. Lawo supplies an overarching control system, but you might find a lot of the devices that sit underneath that control system span the last five, ten, 15 years. The reality is, you’re not going to be able to secure all of them.
The approach we’ve taken with customers is to look at the entire infrastructure you have, understand where your risks are – legacy equipment, for example – and see if you can make the failure plane as small as possible. Some customers do that by putting SDI air bricks around that infrastructure, so only content goes in and out – and no data.
In terms of the application layer, lots of systems tend to be monolithic, and not as redundant as you would expect. You should also look at how the vendor designs and architects the products, to ensure even smaller failure planes. From a vendor perspective, take responsibility for your own technology. But it does require that, from a customer perspective, you are also aware of where all the risks are.
John Mailhot: Again, I’ll go back to the mantra: ‘enterprise security’, which has already provided the tools for these kinds of cyber security threats. There is plenty of legacy equipment, with legacy protocols, that is not secured. But most of those protocols could run across a secure socket, a secure tunnel or a VPN. The IT industry has built a nice, layered architecture that we live in; this has made remote working arrangements possible. You can extend a VPN tunnel from an enterprise to someone’s home. When designing the facility and workflows, there’s been a rhetoric in broadcast for a long time that security purely means protecting content.
Neal Romanek: How does working in the cloud affect this?
John Mailhot: It’s easier because the cloud deployments designed to operate in the cloud are secure from the first day. There’s no legacy entanglements, or legacy protocols to worry about; everything’s designed with current technology and standards, secure from day one. There’s also an inherent segmentation of things in the cloud. For example, if I put my playout operation there, it’s in its own little zone.
Phil Myers: In terms of the cloud, as John alluded to, yes, it’s very secure. But you still have to allow for caretaking of content, as well as preparing a failure plan.
Start with understanding where the issues are, and where the potential risks within your facility are, because it’s expensive either way. Once you’ve been hacked, you can always look back in hindsight, saying I just wish I’d spent the money.
Neal Romanek: How are broadcasters monitoring and detecting when these attacks become major threats?
John Mailhot: They’re pretty standard enterprise tools. They should be there in every organisation, like the CISO (chief information security officer), who has some responsibility for overall cybersecurity footprint and defence mechanisms. There’s on-call mechanisms and IT organisations.
You’re under attack all the time, and it’s a question of: does it get anywhere? Most of them don’t, but a few of them can get a hold. Lots of people think they would know when they’re getting attacked, but you can be breached and not know it for months. Most attacks are latent.
Phil Myers: Ultimately, you must have a process, because the reality is somebody is going to get into the facility. It’s about providing business and broadcast continuity, in the same way as if a natural disaster hit. You’ve got to know what to do if something like this happens.
You can see with Channel 9, they had to take very quick measures to keep the operation running. But it could’ve gone a lot further than that, and taken out the entire network.
Neal Romanek: Does the same also apply to broadcasters universally, or are smaller media companies more vulnerable to cyber security threats?
Simon Spanswick: Some people are better-resourced, more aware of the issues, and have done more work to protect themselves, as John and Phil said.
A lot of cyber security threats happen in less-developed countries, such as Kiev in Ukraine – somewhere a certain nation state is very interested in attacking, and getting their own point of view across.
They are not as well-equipped to deal with this. They haven’t had the firepower to put into cybersecurity what organisations in western Europe and North America might have. This is definitely a ‘them and us’ situation.
John Mailhot: The weaponry is internationally available, so it’s really a question for every enterprise to make that balance and create a one-man band journalist. Inherently, this doesn’t have a very big threat surface, or a staff of people coming and going – there’s advantages to being small. But at the same time, you’re responsible for your own security.
Ultimately, making an operation secure is an enterprise management system you have to create yourself. You need to staff it, organise it, plan it and execute it. Make sure every new piece of equipment has the right security features, for example. But don’t mistake that for solving the enterprise challenge – this involves the whole business, including the people.
The biggest threat surface in television is the people coming and going daily. If anyone could click a link in an email and infect their computer, you require a process to manage the zone of infection.
Neal Romanek: How can organisations communicate better about cyber security threats?
Simon Spanswick: Phil mentioned the importance of knowledge sharing. Getting discussions going between the equipment manufacturers and broadcasters is so important. If that can be done, it will go a long way to improving the situation.
Both of you are right about the people problem. It is people clicking on links, bringing in USB sticks, getting past physical security that causes big issues, and we’ve seen that in other industries.
John Mailhot: Simon is right about the point of information sharing amongst broadcasters. As vendors, we are in the trenches working on our tech.
The biggest source of information sharing amongst broadcasters is each other. I don’t know what is going on in the larger industry, and who is facilitating that wider communication, so that could be a job for Simon’s organisation. Facilitate that dialogue among media companies.
Phil Myers: From the Lawo team perspective, we’ve moved on from IP networks, focusing on making it easier to deploy – and looking at security. That’s been a key focus during the past 12 months. We’re not going to get to the endgame without discussion, because it’s an evolving process.
This article first featured in the Autumn 2021 issue of FEED magazine.