Kelly Williams is senior director, engineering and technology policy in the Technology Department of the National Association of Broadcasters; he served on the FCC’s CSRIC working group mentioned below. This interview is part of the Radio World eBook “The Internet of Broadcast Things.”
Radio World: What sorts of resources on cybersecurity are available from organizations like the Department of Homeland Security, NIST, FCC and NAB?
Kelly Williams: There are a number of resources and documents on the Department of Homeland Security’s website, although they tend to be more global in scope. The top level for the federal government is the National Institute of Standards and Technology. They are charged with creating the standards for cyber security that all government agencies must adhere to, including the FCC. NIST has a number of reports and papers on its website under the Computer Security Resource Center.
The FCC responded to the NIST mandate by creating CSRIC, the Communications Security, Reliability and Interoperability Council. Its mission is to provide recommendations to the FCC to ensure, among other things, optimal security and reliability of communications systems, including telecommunications, media and public safety. Its most recent recommendations are on the FCC’s CSRIC IV website [see PDF at www.tinyurl.com/rw-csric4].
It is important to remember that the federal government considers broadcasters to be part of the critical infrastructure, owing to their ability to keep the public informed in the event of emergencies.
For our part, the NAB has embarked on a cybersecurity evangelism and education program. There are two publications on our website, “The Essential Guide to Broadcasting Cybersecurity” and “35 Critical Cyber Security Activities All Broadcasters Should Know.” The NAB has also created two webinars and two educational courses about cybersecurity. [See www.nab.org/cybersecurity/broadcasterResources.asp.] Looking ahead, we are considering creation of a cybersecurity certification program.
RW: How have strategies to protect organizations from cyber attacks changed over the years?
Williams: It used to be done largely with checklists. When you completed everything on the list, your system could be considered secure. The problem with that was that hackers could use the very same checklists to figure out your soft spots.
NIST has developed a strategy called the Framework, where you determine your risk in five different categories. Your assessment of risk determines the path to security, resulting in a more targeted and unique approach.
RW: What kind of questions should engineers and IT managers be asking when using IP audio and other IP accessible systems?
Williams: There are still a lot of systems out there that run on Windows XP, which hasn’t had a security update in three years. Any system in use today needs virus protection, scans and a software firewall. The best systems incorporate Security by Design, meaning that the system has been designed from the ground up to be secure. Buyers should ask about the operating system of any equipment they are purchasing. Is it the latest version? Is it updated regularly? Can it do virus scans, and does it have a firewall? Has it been built using SbD standards?
IP connectivity is beneficial to broadcasters in so many ways, but “best practices” are still evolving; read much more on this topic in the eBook “The Internet of Broadcast Things” at radioworld.com/ebooks.
CHECK OUT THESE RESOURCES
The NIST publication “Framework for Improving Critical Infrastructure Cybersecurity” provided a broad approach to thinking about cybersecurity as well as practical guidance.
In turn, the FCC’s Communications Security, Reliability and Interoperability Council took that framework and offered communications providers, including broadcasters, recommendations based on it.
Seeking to make that information more digestible for stations, the National Association of Broadcasters then published “The Essential Guide to Broadcasting Cybersecurity,” picking out the most important broadcast-related recommendations and making them more accessible. And authors DCT Associates even boiled that down further to “35 Critical Cybersecurity Activities All Broadcasters Should Know.” You can download those two files at www.nab.org/cybersecurity/broadcasterResources.asp.
Why go to all this trouble? As the authors put it, “Among many broadcasters the chief desire is for a simple checklist to ensure that newsroom, transmission, remote units and video production operations are sufficiently protected from cyber intrusion and disruption. Because cyber miscreants and threats are constantly evolving, static checklists no longer protect against such things as mutating malware, ransomware, viruses or sophisticated attack campaigns. The NIST Framework and CSRIC recommendations represent a new way of thinking about cybersecurity, offering holistic approaches under which broadcasters can begin to behave differently to ensure continuous, reliable operations.”
For more helpful resources, see the NAB’s Cybersecurity Resources page, www.nab.org/cybersecurity/default.asp.