Cybersecurity, “nothing” new in our industry
Cybersecurity already has an impact on professionals in nearly all industries, including broadcast. And the solution is not always a technological one. Implementing the required protection without the right policy and adequate procedures in place will be altogether ineffective.
Our broadcast industry has gradually been relying less on dedicated hardware and has widely moved to standard IT infrastructure, which in turn has opened the door to the reality of cybersecurity. At the same time, and mostly due to the high level of performance we demand from our equipment, implementing cybersecurity systems becomes really complicated, and not only because of antivirus software. From manufacturers, who had not made any development efforts targeting security up to then because their clients had never required it, to freelance operators who handle the systems in each production, cross-cutting awareness is required to turn IT protection into an everyday, indispensable element.
There are countless alternatives for media management software, whether editing systems, PAM or MAM, or hardware configuration systems for use on a more limited scope, and hardly any time has been devoted to making sure they are secure. But manufacturers are not the only ones to blame for this oversight: clients, broadcasters and producers have never demanded secure systems.
In some instances network protocols used by the relevant software are not even documented, which makes it impossible to detect whether an existing network communication is legitimate or not.
Let’s look at a practical example well known to many: an antivirus running on a video editing station. One of the main functions of antivirus software is the permanent monitoring and scanning of files being used on a computer, which slows down operations in some applications. The reaction of any editor who detects an antivirus will be to deactivate it straight away, no questions asked.
This example, not far-fetched at all, should give us pause for reflection. We could have the best firewalls and antivirus software available but, without a clear culture, strict and well-defined policies, and a shared responsibility for preventing risks, it will be to no avail. In many mobile units, any operator is free to bring a removable drive from home and plug it into the systems to load their homemade setup with no prior scanning. Had the pendrive been used for any other purpose before? Had it been exposed to any viruses in the past? What if it infects the whole mobile unit or the entire TV Compound, as all trucks are connected? What would happen to the event? If we think that way, it turns out that having an antivirus in place, forcing operators to scan their devices on a standalone machine and making sure everything is clean in order to prevent risks is not such a big deal, right?
It is becoming common practice for broadcasters that use and produce remote operations to require suppliers to observe strict cybersecurity conditions. Nothing really complicated is needed, as guidelines in this regard already exist and complying with them is absolutely routine in purely IT or business environments. Therefore, adapting them to our industry is not a complex issue. It is obvious that scanning terabytes of content on the same day that operations are to take place is not really feasible. Therefore, the creator of the relevant content must take responsibility, even from a legal perspective, and make sure that the storage media, whether a hard disk or a pendrive, are free from viruses.
All this becomes much more complex when dealing with Cloud environments. In a standalone mobile unit, or in a unit connected to the TV Compound, our network ends right there, in the stadium. In remote operations, the network is monitored and closed when connecting the stadium with the production centre, nothing else. But in the Cloud we are actually connected to the internet. This would be like leaving the door of the OBV open and the TV Compound unfenced, with no one to enforce security, during the 100-metre dash final: quite risky indeed. As an internet connection is used to access the Cloud, the computers used for production can easily be used for checking emails, surfing the Web or even for personal matters if they are not duly protected.
In many projects in which work is carried out on a Cloud-based system, the IT department itself will forbid suppliers from removing must-have protection layers due to the obvious risk, which might jeopardize the project’s feasibility. This is combined with the fact that even engineering favours removing these restrictions in order to let the project move forward, something that is wrong no matter how you look at it.
If we in the industry are moving towards implementing an increasing number of network-based technologies such as NMOS, PTP and similar ones, which have the potential of being managed remotely or even from the Cloud and thus of becoming connected to the Internet, we must change our mindset. This is because implementing proper technologies to get protection is no longer enough. We must be aware that a fence in the TV Compound is as necessary as a firewall in a network or an antivirus in the editing room.
Let’s switch from accepting and even promoting simple-to-use systems to demanding that they comply with appropriate security guidelines. It was only a few months ago when I could no longer see PCs with Windows 7 (an operating system over 10 years old) running on broadcast stations… And unfortunately enough, I am sure that there are still some computers with Windows XP running, an operating system that is now of full age. Crazy…
Let’s imagine for a second that our channel’s flagship program could not be broadcast because of a computer virus. In fact, we do not need to imagine that. It has already happened. How much money was lost then? And even more, what was the reputational impact for the channel, producers and associated advertisers? In this situation, waiting for a hard disk to be scanned, not letting anyone connect anything to our vision mixer or using two layers of firewalls in our network are investments with an outright return if they might keep a program from failing to be broadcast.
Moreover, some cybersecurity measures have nothing whatsoever to do with technology, such as locking our phone and computer or leaving our desk clear of papers at the end of the day.
By Yeray Alfageme