ALEXANDRIA, Va. — If you want to know the National Association of Broadcasters’ stance on whether or not cybersecurity is important to modern radio stations, a recent nomenclature change should give you a hint.
In 2017, the NAB tweaked the name of the annual educational conference held in conjunction with NAB Show. Originally known as the “Broadcast Engineering Conference,” it was rechristened the “Broadcast Engineering & Information Technology Conference.”
It’s no secret that silos that long divided broadcast engineers and IT guys are going the way of the dinosaur. As everything from transmitters to apps to security cameras becomes networked and reliant on the Internet of Things, this trend is not likely to reverse.
What is also clear is that locking the doors and gate at your transmitter site and studios are no longer an adequate security procedures, at least not on its own. Copper thieves and vandals continue to cause problems, but hackers and others with malicious intent have joined the ranks of threats to radio stations of all sizes and locations.
It’s easy to cite several recent, high-profile incidents of hacking that have challenged radio stations. Among them: Portland, Wash., station KBOO(LPFM) was hacked this spring as part of Drupalgeddon2; Indiana station WZZY broadcast a fake EAS alert about zombies; San Francisco’s KQED(FM) was temporarily crippled by a ransomware attack; and a number of stations had egg on their faces when hackers exploited a default password to play an anti-Trump song last year.
WHAT SHOULD YOU WORRY ABOUT?
According to NAB Senior Director of Engineering and Technology Policy Kelly T. Williams, broadcasters need to focus on defending stations’ IP infrastructure — the network — from cyber attacks. Increased incidents of phishing and other cyber breaches, like those that targeted KBOO or KQED, worry him, Williams said.
He encourages stations to have “an action plan in place so that you can detect a breach and recover from it.”
Williams said broadcasters should remember: “It’s not if you will be breached; it’s when. So be ready.”
“The number one goal is to not let a breach take your station off the air,” Williams said.
Nonetheless, Williams noted, “The significant increase recently in cybersecurity awareness by broadcasters encourages me.”
Assuming you need no further convincing that this issue is relevant to you and your station, what should you do next to beef up (or establish) your cybersecurity presence?
“NAB’s focus is on educating broadcasters about cybersecurity issues,” Williams said, “NAB has put together white papers that stations can use, and we are in the process of rolling out online courses to educate station personnel on how to implement a cybersecurity program.”
Williams added, “We are very bullish on something called the NIST framework. This is a document that outlines how to take a risk assessment approach to cybersecurity in your organization. “
The NIST cybersecurity framework was developed by the U.S. Department of Commerce’s National Institute of Standards and Technology. According to the NIST website, “This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
The most recent version of the NIST framework was published in late April and can be found online here. According to the website, “Version 1.1 includes updates on: authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure.”
An article in the June 6 issue of Radio World entitled “Do You Know If Your Broadcast Plant Is Really Secure?” summarized KAMU Director of Engineering Wayne Pecena’s BEITC presentation on network security for broadcasters. According to the article, basic elements of a contemporary cybersecurity plan may include — but are not limited to — controlling access to the physical network components; for Ethernet switch port programming, use VLANs to segment traffic for user groups or functions; implement physical and software firewalls; add encryption tools.
Of course, all of these steps require an investment of time and money, but a hacking incident could cost your station much more — just ask any engineer who has had to recover from a cybersecurity breach.