author is senior director of strategy, development and regulatory
affairs with Monroe Electronics Inc.
have grown increasingly reliant on the Internet, whether it is to
reach a potential audience and advertisers, conduct daily business or
fulfill their FCC EAS obligations to monitor the IPAWS CAP service.
downside of Internet dependence, of course, is that the broadcast
industry is now at the front line of potential assaults by any number
of cyber threats. Like it or not, cyber security will continue to be
a fact of life for broadcasters and EAS manufacturers.
TO BE DONE
technologies are not security appliances in and of themselves.
Broadcasters must protect these technologies as they would any
sensitive system in their operations.
means, at a minimum, keeping all network connections to the devices
firewalled from the public Internet, regularly checking with vendors
to ensure software is up to date and regularly checking the
facility’s EAS systems for any potential indications of attack or
unauthorized access. (For DASDEC users, the current 2.0-2 release
issued in April includes several cumulative security and feature
May 15, FEMA posted a reminder to various industry e-mail lists about
the importance of maintaining updated software/firmware on CAP EAS
there is much more to be done. Common best practices and critical
controls need to be identified and implemented in each of the key
stakeholder areas in the EAS system: broadcasters, CAP EAS
manufacturers and CAP EAS networks, including IPAWS and the various
state CAP networks that are evolving. These best practices do not
necessarily need to be onerous, but they do need to be implemented
system is only as strong as its weakest link.
kinds of security practices or controls should the industry consider?
And who should be the arbiter or advocate for these cyber security
best practices? Well, an initial list of “Best Practices for Public
Warning Cyber security” could include:
• Safeguarding Equipment — Make sure that CAP EAS equipment is behind a firewall, at minimum, and that it has the most current versions of firmware/software from manufacturers. All remote administration should be performed over secure channels, preferably with strong encryption, or over a secondary SSL or IPSEC channel.
• Securing Configuration — Of firewalls, routers and switches. These elements are often left less secure than they ought to be. Broadcasters also should limit access to ports and other services.
• Perimeter Defense — Create a strong “perimeter defense,” as a simple firewall may not always be sufficient. Broadcasters should consider a creating layered boundary by using firewalls, proxies, DMZ perimeter networks and network-based intrusion protection and detection, as well as filtering both inbound and outbound traffic. Digital Alert Systems issued a white paper on this matter in 2011. (“CAP, EAS and IPAWS: Introducing a Defense-in-Depth Security Strategy for Broadcasters,” available at www.digitalalertsystems.com/pdf/wpdas-122.pdf.)
• Malware Beware — Defenses against malware may become even more important in the future, if and when CAP messages contain resource (file) links to third-party Web servers. Even if a CAP message comes via the FEMA IPAWS server, that CAP message may contain a link to some separate multimedia sever that the device may automatically attempt to access.
• Foster Skills and Training — A stronger culture of awareness around cyber security is needed in the mass media sector. There also must be greater training opportunities that aid key personnel in developing or enhancing skills in the cyber security area. With the support of key government agencies, national organizations such the Society of Broadcast Engineers or NAB could take the lead to promote these activities.
• Controlled Access — Take charge of who can access CAP EAS equipment by changing all default passwords for applications, operating systems, routers, firewalls, wireless access points and other systems to a difficult-to-guess value, and limiting administrative privileges.
have a financial and competitive incentive to safeguard their own
networks. Government agencies including FEMA and the FCC have an
inherent incentive to safeguard the overall resilience and
reliability of the Emergency Alert System, and this means addressing
the risks that accompany its new dependence on the Internet.
alarming incident this past February, when someone hacked into the
EAS and issued a warning that zombies were real and on the attack,
has at least sparked a dialogue on cyber security. However, this
dialogue remains uncoordinated between industry and government, and
is far from yielding a security framework addressing the interests of
both the public and private sectors.
President Obama’s February executive order on overall cyber
security, the White House has favored combining voluntary security
measures along with incentives for companies that comply. Congress,
for its part, seems to be leaning toward legislation that would
promote the adoption of cyber security best practices by both private
sector and public sector entities.
this approach lacks is a means of identifying, translating and
promoting those best practices across the broadcast industry.
Creating a public-private partnership around cyber security for
public warning could be an effective way of bridging this critical
gap. The outcome of such a partnership would be the sharing of
information on best practices, practical approaches and potential
cyber security threats to the overall CAP EAS system.
is not a hypothetical suggestion. Just this type of public-private
approach is already being embraced in other industries. In principle,
it could be replicated in the broadcast industry.
Department of Homeland Security, along with the Department of Energy,
recently partnered with a number of energy companies to identify and
combat threats in that industry. Through this working relationship,
the energy industry is sharing information about risks that it faces,
and the government is sharing information on potential threats.
energy industry partnership provides a real benchmark for how a
public-private partnership could function for cyber security in the
public warning area and, ultimately, to produce mutually beneficial
outcomes for government and industry.
further recommendation is the inclusion of EAS-related technologies
and systems under the DHS Protected Critical Infrastructure
Information (PCII) Program. PCII is an information-protection program
that enhances voluntary information sharing between infrastructure
owners and operators and the government. PCII protections mean that
homeland security partners can be confident that sharing their
information with the government will not expose sensitive or
steps can be taken to enhance the security of the new CAP EAS system,
and many of these steps fall within the control of the local
broadcaster. However, CAP EAS is a system — a system that will be
only as secure as its weakest link.
now is the time to open a dialogue on forming a public-private
partnership on cyber security in public warning. Now is the time for
broadcasters to become more aware of the increasing network security
requirements that CAP EAS demands of them. The growing sophistication
of cyber threats is not going away, and the interconnected nature of
an Internet-based CAP EAS system puts all broadcasters on the front
World welcomes comments on this or any article. Write to
email@example.com with Letter to the Editor in the subject field.