The industry has quickly taken note of the rules adopted by the Federal Communications Commission last week that require all Emergency Alert System participants — which includes all radio and TV stations — to change default passwords on EAS equipment and implement other cybersecurity measures.
STL links and any remotely managed gear that routes, processes or inserts programming content also are included in the new cybersecurity rules, according to the FCC.
Many observers agreed that it has been long overdue for stations to prioritize network security. We’ve written about several high-profile STL-based breaches in the past, and the commission likely had last year’s round in mind when it drafted its mandate.
But, added protection does come with a monetary cost.
Broadcast engineers and EAS experts told us that the changes could affect smaller market broadcasters more, as they are likelier than their larger counterparts to use off-the-shelf consumer products to protect equipment connected to the internet.
FCC Chairman Brendan Carr said last Thursday the additional steps will help reduce opportunities for cyber criminals to exploit weaknesses in alerting equipment.
The National Association of Broadcasters applauded the FCC for adopting “reasonable safeguards” and the group’s President and CEO Curtis LeGeyt said in a statement: “The newly adopted Report and Order … establishes reasonable safeguards to enhance the cybersecurity of EAS.”
Best practices
We reported on the changes last week and broadcast engineers appear to be taking notice of the new mandate.
The first step for broadcasters, experts told us, is to analyze what the changes mean for your station’s remotely managed systems.
Chris Tarr, chair of the Wisconsin State Emergency Communications Committee (SECC) believes it’s time for radio stations to start reviewing password policies, implementing two-factor authentication and beef up other security measures.
“In reviewing the draft order, stations should prepare for actions that, frankly, they should already be taking as a matter of good practice,” Tarr explained.
Some of those actions include using a business- or enterprise-grade router from a manufacturer that offers frequent security updates. As a result, the new expanded cybersecurity practices will require capital expenses for some broadcasters, Tarr said, particularly smaller ones.
Tarr also is group director of engineering for Magnum Media, which operates radio stations with signals across Wisconsin, Minnesota and Illinois.
“Most larger broadcasters already have many of these added security measures in place. But smaller stations using consumer routers for internet access should expect to spend a few thousand dollars to upgrade their firewall hardware, Tarr said.
Other costs, he said, entail the time and labor needed to create and implement the required password policies.
New Mexico SECC chair Jason Quinn told Radio World in an email that cybersecurity needs to be viewed as part of overall broadcast reliability, and not just an EAS issue.
What are good starting points for engineering departments?
He said station plans should include routinely reviewing network architecture, access controls, software updates, vendor connections and backup procedures.
Quinn, who is also director of engineering for New Mexico PBS, expects there will be some added costs for broadcasters, especially for stations that need to upgrade older equipment, improve network security or implement additional monitoring and training.
“The challenge will be making sure smaller rural broadcasters are not left behind, as many operate with reduced budgets and limited access to engineering resources. These stations will need additional support and practical solutions to help them comply with new regulations while ensuring they can continue to serve their communities,” Quinn said.
Marvin Walther, a broadcast engineer in a small radio market in Michigan, agreed that the stiffer cybersecurity steps were needed but implementing the changes could bring challenges.
“I’ve even heard of breaches here in Michigan where bad actors are getting into brand new audio processors and setting up foul-mouthed messages to go out over the air, which means these people obviously have knowledge about our equipment and are looking for ways to get us in trouble with the public and the FCC,” he said.
Walther wrote comments on a broadcast engineering listserv maintained by the Michigan Association of Broadcasters and gave Radio World permission to reprint them.
“Of course it has been a growing cybersecurity problem” for broadcasters, Walther explained. And he believes “there’s probably more going on” with the bad actors than meets the eye.
Walther is chief engineer for Carroll Broadcasting in Tawas, Mich, which includes four FM and one AM station plus an FM translator. His cluster of radio stations is currently looking at a new firewall solution for their studios, but he feared the group’s transmitter sites are going to make it an expensive proposition.
“It’s already too expensive just to have one at the studio, let alone cover every transmitter.
“VLANs may be the best solution for most of the smaller operators to protect their transmitter sites. There’s no doubt, protecting the EAS boxes with a firewall, though, is a must,” he wrote in his email.
The FCC’s new cybersecurity requirements take effect 60 days after pending publication in the Federal Register.
[Do you receive the Radio World SmartBrief newsletter each weekday morning? We invite you to sign up here.]
