NABA and the IAMT Engage on Security

                                     

John C. Lee. P. Eng. Chairman,                                Stan Moote P. Eng,  CTO, IAMT

Cybersecurity Committee North

American Broadcasters Association (NABA)

Broadcasters are continuing to transition to IP infrastructures and multiple cloud-based services to support their production workflows, storage, playout, distribution, etc.

Production efficiencies have been gained by moving from purpose-built broadcast hardware to flexible, software-defined, and scalable workflows with COTS processing equipment. These enabling technologies have simplified remote collaboration, reducing capital expenditures and the size of physical plants, while at the same time shortening the time to air.

Before the move to IP, the security of TV broadcasting relied on a “fortress mentality” based on closed, proprietary hardware and physical, air-gapped technologies. Because traditional SDI systems were physically isolated from the public-facing Internet, cybersecurity defences were largely based on physical security rather than logical networks.

 

Early M&E Attacks

The attacks that happened ten years ago with TV5 Monde were due to phishing emails being clicked on, even a password was in a shot from a sticky note that was put on-air!  This resulted in TV5 going off-air. Like the Sony hack, though much broader, the TV5 case involved stealing data and installing malware. These were IT infiltrators – they didn’t attack via video infrastructures.

This unfortunately misled the industry to focus on traditional IT infrastructure and vendors, hence many of the suppliers/service providers within the industry didn’t put an emphasis on cybersecurity in their products and services. As the industry migrated towards IP, this has increased cybersecurity risk by transforming these formerly closed production systems into open, interconnected networks, which has enlarged their overall threat surface. This makes media production susceptible to typical IT-based cyber threats, including ransomware, phishing, DDoS, data breaches and general malware.

Threats Continue to Rise

As one of the key threats, ransomware incidents have increased annually across all industries. Some ransomware attacks may go unreported due to concerns over reputational damage. The top ransomware threat agents are almost certainly financially motivated and opportunistic. The availability of RaaS (Ransomware as a Service) has now lowered technical barriers to entry for threat actors and allowed for sophisticated tactics and techniques to be used against targets.

Broadcast/media industries will likely continue to be a desirable target due to the perception that they are more inclined to pay ransom demands to minimize disruptions. The editorial positions of some broadcasters might also contribute to their being identified as viable targets.

Adding to the “top five” cyber threat list besides ransomware, are phishing/social engineering, AI-powered attacks, cloud-based vulnerabilities, and supply chain compromises.

Impact of AI

AI development has accelerated and has becomes more integrated into many aspects of broadcast/media operations. Likewise, threat actors have added adopt AI capabilities to target victims.

They have leveraged improvements in generative AI, particularly large language models (LLMs), including developing malware, generating Deepfakes, automating ransomware negotiations with victims, conducting vulnerability research, implementing social engineering strategies, etc.

In addition, the rise of agentic[1] AI use by threat actors further increases the threat level in the industry.

Supply Chain Threats

Threat actors have shown an increasing capacity to navigate and compromise organizations through supply chains as an alternative to direct attacks against network defences. As a result, broadcasters/media industries are now more acutely aware of their supply chain vulnerabilities.

Supply chain attacks typically target the perceived weakest link in the chain of trust. Even if a broadcaster has an effective cybersecurity program, if one of its suppliers is not secure, attackers will target that vendor to bypass whatever security broadcasters have in place. By gaining a foothold in the supplier’s network, an attacker can exploit this trust to gain access to more secure networks.

Supply chain attacks can be directed by various strategies, including ransomware, sabotage, intellectual property theft, etc. These attacks can take many forms, such as malicious code injection, hijacking software updates, ransomware, etc.

Dan Grove, Sr. Director, GRC and Data Security, Sinclair Inc. makes this very clear: “According to Bluefin, third party and supply chain breaches have increased significantly over the past two years, now accounting for 30% of all data breaches. This marks a 100% year-over-year increase, with 75% of organizations reporting at least one software supply chain attack within the last 12 months. In response to this evolving threat landscape, Sinclair maintains a rigorous vendor risk management program, including the review of SOC 2 compliance and/or completion of a comprehensive 70-point security assessment for our suppliers and vendors.” (Source: https://www.bluefin.com/bluefin-news/14-biggest-data-breaches)

 

Impacts on Broadcasters 

Given the threat landscape, broadcasters would benefit from maintaining a comprehensive SCRM[2] program within their organization.

Broadcasters should map in detail their own, individual supply chain(s) and its key components. This can be done by inventorying equipment and suppliers and assessing each’s security maturity. Specifically, broadcasters should prioritize each supplier by their cybersecurity maturity, access to broadcaster’s data and systems, and impact on the organization should a breach occur.

The weakest suppliers/service providers in the supply chain from a cyber perspective must have a detailed plan and schedule to continually improve their cyber maturity.

Impacts on Suppliers/Service Providers 

Adequate product security, specifically cybersecurity, has now become table stakes for supplier/service providers to compete in an increasingly hostile IP ecosystem. Like broadcasters, some are not ready yet.

Obtaining insurance against cyber breaches typically requires a supplier/service provider to be SOC 2[3] compliant, which can be both expensive and time-consuming. Detailed audits can sometimes be required before a claim is approved and processed. In addition, the question remains whether achieving SOC 2 compliance extends to cloud services.

New challenges, like dynamic media licensing, have arisen in response to the major changes underway in broadcast/media infrastructures. The broadcast industry’s adoption of cloud-based and hybrid workflows has highlighted fundamental challenges between traditional licensing models and modern operational requirements. Customers, system integrators (SI’s), and Independent Software Vendors (ISV’s) are voicing these challenges and the impact when migrating broadcast and live production workflows to software-based, cloud or hybrid ones.

Interoperability in hybrid cloud environments is no longer optional; it is essential to how modern broadcast/media systems operate. SMPTE ST 2138[4] implements a control-plane between microservices and larger applications. It complements the already existing ST 2110 and NMOS architectures to provide a means to devices and services, bringing industry expertise together to address one of the sector’s most pressing technical needs.

In addition, all suppliers/service providers must provide a security point of contact (SPoC) in their organization should a cybersecurity breach be identified. This could be facilitated through a service desk as well or be negotiated as part of the service level agreement.

 

The IAMT and NABA Collaborate

To address security, NABA and the IAMT have engaged in a collaborative relationship via a joint security committee called the NABA/IAMT Supplier Security Council. Under the purview of this group, NABA and the IAMT will:

• Share their current security activities, including recommendations and committee efforts.
• Table specific security issues associated with their suppliers/service providers and members, with the goal of resolving those issues through technical and/or best practices solutions.
• Address and discuss supply chain, ownership, or other changes that could affect the supply of their products or services to broadcasters.
• Address the work of external cyber testing facilities, including, for example, those of the Security4Media organization.
• Exchange information on upcoming security conferences, fora, etc. of potential interest to either organization.

IAMT’s Security and Vulnerability working group and NABA quarterly as this is a continuous, enterprise-wide and supply chain–wide mandate that requires accountability at every level.

 

Conclusion

The broadcast/media landscape has dramatically changed from a purpose-built closed system to a diverse IT infrastructure. Broadcasters and the vendor community need to continue to “step up their game” to meet the challenges of this new environment.

[1] Agentic AI (aGenAI) acts autonomously to achieve objectives. aGenAI can set goals, plan and execute complex, multi-step tasks across systems proactively, with minimal human intervention, often using GenAI as a reasoning component.

[2] Supply Chain Risk Management

[3] SOC 2 (System and Organization Controls 2) is an AICPA-developed auditing framework that ensures service providers manage customer data securely based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It is critical for SaaS companies to demonstrate compliance and build trust.

[4] SMPTE ST 2138, known as “Catena,” is an emerging suite of standards defining a unified, open-source, vendor-agnostic control plane for media devices across cloud, on-premises, and hybrid environments