Targets and motives
Broadcasters are attractive targets for state actors, non-state actors and organized crime, as any attack becomes public, is amplified and may attract more attackers. In addition to being content distributors, broadcasters are content providers, producing or commissioning valuable content, often for entertainment; as such, their content may be of interest to many. Furthermore, parts of the broadcasters’ infrastructures cannot be totally insulated from the outside world, as new work practices, from news gathering to editing and distribution, are computer-based and need to be widely shared between collaborators. Broadcasters must also keep some of their content accessible to the wider public, which is a potential vulnerability.
Attackers can be rival broadcasters, or political or business interests upset with coverage, that may decide to carry out cyber attacks to disrupt broadcasters’ operations. The most notorious cyber attack on a broadcaster was that carried out in April 2015 on French international channel TV5Monde, an attack that nearly destroyed its entire infrastructure. More recently, one of France’s largest multimedia groups, M6, was the target of a ransomware attack in October 2019. Swedish public broadcaster SVT, Serbia’s independent N1 TV channel (a CNN affiliate) and Ukraine’s Black Sea TV, among several others, reported having been targeted by cyber attacks between August 2019 and January 2020. The tools may include phishing (TV5Monde), DDoS (N1 TV and SVT) or ransomware (M6).
Perpetrators and tools
In all these cases, state actors, business interests and criminal groups were later identified as being behind these attacks. However, identification is complex and time-consuming, as perpetrators conceal their identity in what has become known as “plausible deniability”. In the case of TV5Monde, initial claims for the very sophisticated attack, apparently carried out via phishing, were made by the Cyber Caliphate, a group allegedly linked to the so-called Islamic State. Following lengthy investigations, France’s national cyber security agency ANSSI announced months later that the attack had been carried out by a group known under various names, including APT28 (Advanced Persistent Threat 28) or Fancy Bear, said to be linked to Russia's military intelligence agency, the GRU. The cost to the broadcaster exceeded USD 15 m in lost equipment and additional security measures. The motive for the distributed denial-of-service (DDoS) attack on N1 TV may have been a business dispute or political in nature. Interestingly, it was paid for and “subcontracted” to a China-based operator. The DDoS attack on SVT was an example of foreign actors attempting to influence SVT reporting, according to the broadcaster.
Vulnerabilities – Protecting assets and content
In recent years broadcasters (and media content providers) have come to rely increasingly on IT, the Internet, internal and web-connected networks for content production, storage and delivery (including now cloud applications for workflow, editing and storage, and to ensure resilience and continuity of services in case of cyber attacks), but also on traditional operational technology (OT). As a result, protecting content production, storage and delivery of broadcast and multimedia services from cyber threats relies on protecting both IT and OT systems. To do so, broadcasters around the world have taken a number of steps, which include the implementation of international standards, such as those developed by the IEC, and well-established good practices, industry-specific recommendations, and cooperation between regional unions and, globally, within the World Broadcasting Unions (WBU), and other professional organizations.
A weak link is that many broadcasting companies, like those in other sectors, rely on connected media devices that have a low security threshold. Recent off-the-shelf components and devices may not implement adequate, up-to-date cyber security measures or include the available software updates or security patches that protect them, to a certain extent, against cyber threats. The multiplicity of systems potentially at risk from cyber attacks means that broadcasters and media content providers must protect against a wide range of threats and mitigate their impact, should they succeed in penetrating and compromising systems. The human factor is another weak link in the cyber security chain. Some of the most effective attacks, such as the one that targeted TV5Monde, use social media engineering to manipulate people and lure them into divulging confidential information, such as passwords.
Working in silos: not an option! Standards and recommendations matter
Central to the protection of the broadcasting sector everywhere are international standards developed by IEC to protect IT and OT systems, and industry-wide recommendations. The US National Association of Broadcasters (NAB) published a Guide to Broadcasting Cybersecurity, which lists some types of incidents affecting broadcasters and draws on the National Institute of Standards and Technology (NIST) “Cybersecurity Framework” to make recommendations for protection against cyber attacks. The NAB guide, which is also followed by broadcasters elsewhere, lists recommendations and standards to protect against risks in the following categories: Internet access, file content delivery, news and production, broadcast networks/firewalls and partners. The ISO/IEC 27000 family of Standards for IT service management, developed by IEC and ISO joint technical committee ISO/IEC JTC 1/SC 27: IT security techniques, is the absolute reference, while the IEC 62443 series of standards, developed by IEC TC 65: Industrial-process measurement, control and automation, addresses OT vulnerabilities linked to operations and systems, such as Industrial Automation and Control Systems (IACS). These standards are referenced as essential for the broadcasting sector in the NAB guide to broadcasting cyber security, as well as in recommendations published by industry bodies, such as broadcasting unions. Other technologies, such as artificial intelligence (AI) and machine learning (ML), can be used both to disseminate and to thwart cyber attacks. IEC and ISO established the first international standards committee, ISO/IEC JTC 1/SC 42, that is looking at the entire AI ecosystem, addressing, among others, issues concerning trustworthiness, privacy and security. Industry associations, such as the Digital Production Partnership (DPP) or the Association for International Broadcasting (AIB), work on cyber security. The AIB has set up a Cybersecurity Working Group.
The broadcasting unions have also developed their own recommendations, such as the WBU Cyber Security Recommendations for Media Vendors’ Systems, Software and Services, to mitigate third-party and supply chain risks. The European Broadcasting Union (EBU) has developed several recommendations, such as: R160, on the management of observed vulnerabilities in media equipment; R148, cyber security recommendation on minimum security tests for networked media equipment; and R161, on responsible vulnerability disclosure policies for media companies, among others.
International standards, industry recommendations and cooperation between broadcasters will reduce the number of successful breaches and mitigate their impact, but they will not stop them. They provide a framework for better cyber security developed by global experts and based on best practices.