Cyber criminals and rogue governments are increasingly setting their sights on the broadcast community, but there are ways of mitigating the risks.
Revelations about large-scale online data breaches have plagued the likes of LinkedIn, Yahoo and Dropbox this year, and even the US presidential election was mired in allegations of hacking by other nation states.
MI5 director general Andrew Parker warned of a “high-volume” cyber threat from Russia in early November, while chancellor Philip Hammond described how “foreign actors” were a threat to UK infrastructure.
Hammond pledged that the government would spend £1.9bn on cyber security, warning of the threat to the UK’s financial services, electrical grid and airports.
But those tasked with protecting the broadcast industry say that it too is under increasing threat.
“While IT services have typically been the number one target for attacks, media and entertainment are fast becoming attractive too,” says Jonathan Smith, managing director for Europe, the Middle East and Africa (EMEA) at Limelight Networks, which provides cloud security services for the likes of Channel 4 and Dailymotion.
“The size of attacks on the industry outstrips other sectors. We have seen a surge this year.”
The most recent high-profile attack was the 2015 TV5 Monde hack (see box, below), in which the French network was taken off air. Its website and social media accounts were also hit by a group that is believed to have links to Russia.
It is not clear why the hackers chose TV5, but many believe the attack was a show of strength, proving the capability exists and that there is a willingness to use it.
The TV5 attack served as a wake-up call to the wider industry.
A cyber security working group was formed by the Association for International Broadcasting (AIB), which held its first meeting at the start of 2016.
Comprising security managers and chief information security officers from broadcasters and service providers including the BBC, Al Jazeera, ABC and MBC, the working group has held a handful of meetings since its launch.
AIB chief executive Simon Spanswick says the security group was founded after the association received enquiries from broadcasters about how to exchange information in a safe environment.
He says: “The more you dig into this, the more you discover the extent of attacks against broadcasters. It is happening in all parts of the world and there are some horrific stories of threats that have been caught in the nick of time, and some that have not. It is a growing challenge.”
What happened at TV5?
The TV5 attack is thought to have originated via a phishing email that enabled the cyber attacker to penetrate the broadcaster’s network and then establish a two-way connection.
The attacker then found other networked machines to establish a foothold in case the original breach was discovered.
From there, it could look for further vulnerabilities to exploit, before bespoke software was used to corrupt the encoders that sat at the heart of TV5’s broadcast operation.
The result was that 12 channels were taken off air.
The TV5 attack was also remarkable for the level of coordination; not only was phishing used, online portals and social media accounts were also targeted.
Arqiva chief information security officer Denis Onuoha, who is also chair of the AIB cyber security working group, says the highly visible nature of broadcast makes it a prime target.
“When you target broadcast infrastructure, it is about causing panic and making people feel insecure. Rather than cyber-crime for financial gain, such as finding press releases about upcoming mergers and acquisitions, we are seeing cyber-crime for panic and to make people feel insecure.”
The main threats, Onuoha says, are governments, because of their resources in terms of both people and money.
“Disgruntled employees and insiders have always been a threat and there are still ransomware take-down operations, but these threats are not as big as those from governments, some of which work in tandem with cyber criminals.”
But identifying who is responsible is not easy.
By working with third-party hackers, he says, governments seek to distance themselves from the event, providing “plausible deniability”.
The use of open source code can also make attribution – and retribution – even harder.
According to Smith, the primary security threat to broadcasters is distributed denial-of-service (DDoS) attacks, which occur when hackers cause many systems to flood the bandwidth of a target and overwhelm it.
All of the BBC’s websites were knocked offline for a few hours towards the end of 2015, which the corporation attributed to a “technical issue”, but according to a BBC news article, a DDoS attack was responsible.
Smith says: “In our 2015 survey of security risks, with content delivery network [CDN] customers, nearly half (46%) ranked DDoS as the number one threat, followed by 27% who cited unauthorised access.
“Like other industries that have been targeted by DDoS, it is hard to pin down the sources as the capability to create botnets to launch an attack is accessible to even small-scale cyber criminals.
“However, the high status of broadcasters as international brands, major economic contributors or prestigious public broadcasters does make them targets for the kind of nation-state actors outlined by Hammond in his recent speech.”
There was a year-on-year increase of 71% in DDoS attacks in the third quarter of 2016, according to CDN service provider Akamai’s State Of The Internet Security Report, published in November.
Akamai also found that two of the attacks, both of which used the Mirai botnet that had been linked to attacks on Twitter, Spotify and Amazon, were the biggest recorded by the platform to date, at 623Gbps and 555Gbps respectively.
Raising awareness on both sides of the pond
The Digital Production Partnership (DPP) is another industry group that has been working to raise awareness of the threat posed to the broadcast community by cyber attacks.
DPP managing director Mark Harrison says the organisation’s recently released supplier checklist for production or post-production companies to work through with suppliers has been deliberately modelled on a risk assessment form to aid familiarity.
It has also worked with its US counterpart, the North American Broadcasters Association, with the aim of “creating an open dialogue with media suppliers towards more consistent and effective compliance with cyber security best practices”.
Areas include documentation, testing, authentication and controls.
Changes in the way that TV programmes are made and delivered have served to make the broadcast industry more vulnerable to the kind of action that affected TV5.
These changes include moving broadcast infrastructure from on-premise, SDI-connected equipment to IP and cloud-based systems, as well as the increasing use of over-the-top platforms.
Bill Wishon, architect in the media office of the chief technology officer at Akamai, says as more workflow elements move to IP, there are more “attack surfaces” that provide greater opportunities to hackers.
“If you go back a few years, the video production and broadcast industry was connected by SDI cables and terrestrial satellite broadcasts that were harder to attack. Now, with IP, the risk is higher,” he says.
So what can vendors and broadcasters do to help prevent attacks?
Smith says that CDNs can be powerful weapons against DDoS attacks, providing a layer of detection that helps to block bad requests.
“Digital content providers need to operate on the principle that a DDoS attack is going to happen. Being able to rapidly identify an attack taking place and mitigate and recover just as rapidly from the impacts is crucial,” he says.
But vendors have to make equipment as secure as possible, says Onuoha.
“Six weeks ago, my penetration testing team reviewed an encoder from a vendor. We couldn’t change the default password, which is very poor practice. If someone gets onto the network, all they need is the password in the vendor’s manual, which was published online.”
Anyone with access to a system needs to be accountable for their online activities, Onuoha adds.
“If I have 20 engineers using an admin account, I cannot pinpoint any actions to one user in particular.”
But users must also focus on prevention. Anti-virus software, for example, is limited but still has a role to play: while most significant attacks take advantage of unknown security flaws, anti-virus software is capable of defending against known threats.
Even where an attack is backed by a rogue government, it is likely to be a system user that enables the attack by opening a phishing link.
Vendors and broadcasters must also be vigilant in the real world. “There is a blur between cyber and physical worlds: if a criminal were to copy an employee’s security pass and use it to gain physical access to a site, they could then plug something directly into a network,” says Onuoha.
“We might not be able to completely stop an attack, but we must demonstrate that we have done all we can to do so.”
Wishon describes security as a process rather than a tool.
“It will be forever a game of cat and mouse. There needs to be analysis of current systems and vulnerabilities and a set of recommendations on each risk component.
“Then, there needs to be a discussion about the trade-off between the risk and the cost of a particular solution.”
Sharing information can help mitigate the threat.
Within an hour of the TV5 attack, a UK broadcaster had provided Onuoha with the virus signature, which meant he was able to guard against being hit by the same attack.
But sharing information does not always come naturally to the broadcast industry, as there is an understandable reluctance to publicise weaknesses.
“Criminals and governments collaborate on dark web forums and talk about how they carried out an attack, but in our industry, because of service credits and legal and commercial issues, it is very difficult to call another broadcaster. We need to get to a situation where we are able to speak openly.”