Industry concern over cyber security has accelerated in recent months, following a series of hacks and the leaking of high-profile TV shows. Ann-Marie Corvin talks to post-production houses about what they are doing to combat the problem
With vast amounts of data coming in and out of facilities on a daily basis, it’s easy to see why they are under increased pressure to ramp up their cyber security.
The Farm Group head of IT Adam Morris likens a typical post house to “an open-door hotel on top of a data centre” with “a myriad of security angles to cover”.
Ten episodes of Netflix’s Orange Is The New Black were recently leaked in advance of their release date, following a ransomware incident at the show’s audio supplier, Larson Studios. Under pressure, the facility paid $50,000 (£40,000) to the hackers, only for their client’s shows to be leaked anyway.
Larson chose to share its mistakes with the industry. An investigation by the familyrun facility revealed that the hackers had been scanning the internet looking for PCs using older versions of Windows they could easily break into. By chance, they stumbled on a computer at Larson that was still running Windows 7.
DIFFERENT TYPES OF ATTACK
According to Verizon’s 2017 report based on an analysis of 1,935 security breaches, ransomware is now the fi fth most common type of malware. This type of cyber attack was ranked 22 only a few years ago, which shows how quickly threats change and how often security needs to be evaluated.
Another big concern is Denial of Service Attack (DoSA), where criminals look to interrupt or shut down the networks linking facilities to the internet or cloud, possibly extorting a ransom to put it back online.
Verizon reported DoSAs as the number one most prevalent form of attack, with 11,246 incidents on record. All types of company were attacked, with entertainment, professional services, public, information and financial businesses experiencing the most instances. Large organisations were the target in 98% of attacks.
OOYALA’S TOP 5 SECURITY TIPS
Oscar Wall, general manager, EMEA, at online video platform provider Ooyala, offers his tips for protecting media organisations from cyber attack.
1) Ensure all connections are secure. Lock down all network protocol ports that are unnecessarily open. Know what is connecting to what. Eliminate weak links in the chain. Surprisingly, there are still systems that use unencrypted HTTP rather than HTTPS.
2) Initiate two-factor authentication. Combining a password with a physical device or token provides far more security than using a password alone.
3) Perform regular penetration testing. Check to make sure there aren’t holes in the security perimeter.
4) Consider implementing digital rights management (DRM) earlier in the production cycle.
5) Foster discussion and collaboration regarding security among disparate groups within your organisation. Traditionally, production teams have assumed cyber security to be the province of the chief information officer, chief technology officer and IT teams. In the new environment, everyone needs to be cognizant of the security strategy and policies.
Sohonet chief technology officer Ben Roeder said these types of cyber crime have increased as they’ve become much easier to carry out.
“Digital extortion has become easier to monetise – there are ways of transferring money to people that are untraceable – and as a result we’re increasingly seeing organised crime involved.”
Fortunately, much of the business of protecting data from low-level criminal chancers can be done employing basic cyber hygiene: a good fi rewall, regular patching (the most common threats tend to occur in unpatched systems), decent virus protection and solid permissions.
While cyber security advice and monitoring has become a big business, there isn’t one ‘silver bullet’ solution that meets the specific needs of a post-production house. There are, however, individual solutions that make day-to- day tasks easier to carry out.
Creative talent at a facility may like to be online while they’re working on content, exchanging production notes and sending and receiving files. But this is sometimes at odds with the security demands from the client – particularly studios – who would prefer operators have no access to the internet while they are working on their content.
“One way around this is to virtualise the process and create a machine on which you can’t drag material on and off while you are connected,” says Milk VFX head of systems Dave Goodbourn.
He adds that adopting this process has allowed operators at the facility to use their preferred online project management tool, Shotgun, for tracking and email.
Sohonet, meanwhile, offers Air Gap Browsing, a server-based solution hosted on the Sohonet Media Network that enables users inside a facility to browse the internet without a direct connection.
Encrypted file transfer is another area facilities have been advised to re-examine, as emailing FTP links to review and approve content is still a common source of cyber vulnerability.
“Many businesses still use FTP but it lacks security and is unencrypted – files are highly vulnerable if they are intercepted,” says Roeder.
Because FTP has security implications, a protocol called SSH File Transfer or Secure File Transfer Protocol (SFTP) has been developed as a more secure alternative. While SFTP can be slow, hybrid Software as a Service (SaaS) solutions such as Signiant’s Media Shuttle claim to speed things up considerably.
CASE STUDY 1: ERICSSON - THE BROADCAST SERVICE SUPPLIER
Ericsson delivers playout services for some of the most complex channels in the industry, including BBC1, ITV, Sweden’s TV4 and French broadcaster TV5 Monde – which was briefl y taken off air two years ago following a powerful cyber attack by a group of hackers.
“A key outcome of high-profile industry attacks has been much greater awareness of the challenges, how to tackle them and, crucially, how to do this collectively,” says Steve Plunkett (pictured), chief technology officer in Ericsson’s broadcast and media services division.
Plunkett, who is also group lead for security, says it is not enough for a facility to be secure in isolation as operations and business processes cross organisational boundaries.
The company’s practices therefore involve working collaboratively on joint security models and risk assessments to ensure clear lines of accountability are agreed and incident-response procedures are followed.
Plunkett says regular reviews are conducted between cyber security leaders in both organisations and knowledge of best practice and ongoing risks are shared.
One challenge for the playout industry, as it migrates to an all IP/IT technology stack, is to fully understand the security risks associated with modern IT environments without impeding creative goals.
“Live environments are very dynamic and time-sensitive and the security model needs to reflect that. Risks and controls need to be practical and not hinder the primary activity,” Plunkett says.
The industry trend of cloudbased working also needs to be managed effectively. “Cloud vendors provide very sophisticated tools to limit and log access to the software and systems they provide, but broadcasters must understand where the cloud vendor’s responsibility ends and where theirs begins,” he adds.
“The controls and tools offer no protection unless they are used correctly, and getting it wrong can be disastrous. A strongly secured cloud environment can offer security advantages over a private facility, but you need to know how to implement one.”
Fortium Technologies, meanwhile, licenses MediaSeal – an ‘encryption at rest’ security technology co-developed with NBC Universal to specifi cally address the lack of security during the editing stages of postproduction, where fi les are typically worked on without any protection.
Used on Hollywood films Wonder Woman and Dunkirk, and zombie spin-off series Fear Of The Walking Dead, MediaSeal ensures only intended users can access files.
Even if a trusted user saves a file out, the administrator will know and can act on it. Fortium chief executive Mathew Gilliat-Smith says the advantage of protecting individual fi les is that content is safe from being aired because it is encrypted.
While most of the big hacks that have been widely reported were in the US, that doesn’t mean UK facilities can rest on their laurels in protecting their worldwide reputation as premier suppliers of VFX.
Some 18 months ago, VFX rivals Double Negative, Framestore and MPC, together with Sohonet, applied for a government grant to collaborate on an open-source toolkit and specifi cations for monitoring traffic in and out of facilities.
Milk VFX came on board as the SME tester. This resulted in the Creative Industries Security Environment (CISE), which works by automatically cross-checking all traffi c that comes in and out of a facility with a list of IP servers with a bad reputation score.
The logic is that better monitoring means at least a hack can be tracked down before it gets any more serious.
Milk VFX’s Goodbourn says his facility is facing fresh challenges as the company grows: “We’ve gone from three or four employees to last year peaking at 150. It’s still a friendly culture but we’re facing the additional challenge of educating more staff as well as freelancers about security-related matters.”
Facilities of all sizes are also facing the challenge of convincing key suppliers to comply with their security concerns. According to The Farm Group’s Morris, there are some key broadcast manufacturers – critical to the production chain – that appear unwilling to adopt security measures through fear that doing so would affect the performance of their tools.
“A recent facepalm moment was when a server was delivered to us with zero security and the manufacturer wouldn’t recommend any. There’s a string of software vendors out there that don’t really like you patching Windows or running anti-virus software, which is pretty fl abbergasting when you think about it.”
To address this, the Digital Production Partnership (DPP) has been working collaboratively with its members and suppliers on creating a number of checklists. The ‘supplier checklist’ is tailored to meet the needs of production companies, post-production and suppliers of production services.
It has been designed as a risk-assessment form that customers can request a supplier to complete; or it could be self-completed by a supplier.
The DPP has also been working with its US counterpart, the North American Broadcast Association (NABA), on a second checklist tailored to suppliers of broadcast-critical infrastructure. On satisfactory completion of both checklists, companies will be issued with a DPP ‘Committed to Security’ logo.
Working in a multivendor environment means there is no point in forcing manufacturers to meet standards, says the DPP’s managing director, Mark Harrison. But cyber security only works if everyone in the supply chain is working towards it simultaneously.
“Until this intervention, there was no way for suppliers and customers to enter into a structured conversation about security, and to demonstrate a mutual understanding of needs,” Harrison says.
If suppliers aren’t fully compliant to all the cyber-security demands made, that’s fi ne, according to Harrison, as long as they can demonstrate they are thinking about it and working within that supply chain as best they can.
CASE STUDY 2: CLEAR CUT PICTURES - THE MID-SIZED POST HOUSE
According to Clear Cut technical director Jess Nottage (pictured), the subject of security is raised regularly during the procurement process with broadcast clients, as cyber threats become more frequent and severe.
While some of the facility’s risk management is conducted via scheduled, automated tasks, there remains a need for highly skilled IT people to ensure the protection in place is “working, up-to-date and fit for purpose”, Nottage says.
Hardware firewalls with well-configured rules and only the necessary ports open are employed, to restrict and prevent unauthorised external access to the network. If permissions are required, user accounts are configured with the appropriate restricted access to important data on the network.
Core business-critical data at the facility is backed up to two physical locations daily using automated back-up software, while antivirus software is installed on all PC and Mac endpoints within the business.
“To limit the potential for emails containing malicious attachments or hyperlinks reaching our users, all incoming email is passed through a spam filter,” says Nottage.
While one simple, cost-effective cyber-security strategy would be to simply remove the internet from work stations, Nottage says access is vital for all collaborators working on the creative process, so it has opted for “a special configuration of AV software”.
Security specialist Kaspersky has been working with the facility to ensure it achieves the balance between performance and high security on its creative workstations, he adds.
There is, understandably, some reluctance from companies that have experienced security breaches to come forward so the industry can learn from them.
When Larson revealed details of the attack it experienced, some studios decided to take their business elsewhere. However, according to the owners, the majority stuck with the company and even helped to further beef up its security.
“The great dilemma we face is that you can only get more secure if you admit your weaknesses,” says Harrison. “It takes enormous courage for a supplier to admit to a client they have a weakness and would like to work together to close those gaps.”
Goodbourn says that if the industry is serious about creating a more secure environment, collaboration and honesty are key: “We need to create greater awareness and get other facilities to talk to each other about security. We may be competitors but we need to stand together to keep control.”
Broadcast TECH Sept/Oct
- Currently reading
Cyber Security: Protect your assets