Resilient cybersecurity comes in multiple forms for radio stations these days.
The Federal Communications Commission sent out a notice on Jan. 29 urging communication providers, including broadcasters, to safeguard their infrastructure against ransomware, citing multiple attacks suffered by small- and medium-sized communication companies last year.
Meanwhile, transmitter manufacturer GatesAir urged its customers to never operate its network-capable equipment on networks directly exposed to the internet, as a result of multiple “confirmed radio cyber-intrusions” this week.
We’ve also reported on the multiple audio chain compromises resulting from malicious access to station IP-based STLs, about which the commission sent an advisory notice back in November.
Never, ever over the internet
The Alabama Broadcasters Association sent out a notice to its members about an RBDS-based display text compromise at WKXM(FM) in Winfield, Ala., on Thursday, as we noted.
Then, GatesAir shared a security advisory on its social media accounts Friday morning regarding multiple “confirmed radio cyber-intrusions” within the last day of its posting.
“Never expose transmitters and control systems to the public internet,” the manufacturer wrote. It’s unclear if these mentions were about the same incident.
A separate posting we saw on social media indicated that a broadcaster’s Flexiva transmitter control was accessed over the internet by a malicious actor.
That actor was able to switch the transmitter’s RDS setting from an external encoder to the Flexiva’s built-in encoder, which was used to project a racial slur over its scrolling program service data.
GatesAir pointed to a service bulletin it released on Dec. 19 for guidance.
The manufacturer underscored that its transmitters should be internet-reachable only when access is mediated by security controls, such as through a VPN, a firewall with default-deny rules, an isolated management network or VLAN, or a centralized NOC system behind protected infrastructure.
In all of those situations, the transmitter would not have a public IP, no ports would be open to the internet, and its access should be authenticated, logged and controlled.
Even if passwords are set, HTTP is enabled and access “seems to work,” if the internet can initiate a session directly to the transmitter, GatesAir said, the transmitter is internet-facing, and that configuration is not supported by the manufacturer.
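To make that test concrete, here is an added example (not from GatesAir or the FCC) that audits a transmitter's address and an ordered inbound firewall rule list for anything that would let the internet initiate a session. The rule format, addresses and function names are assumptions made for illustration, and the check is IPv4-only.

```python
import ipaddress

# Address space treated as internal (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def _internal_only(net):
    return any(net.subnet_of(p) for p in INTERNAL)

def _covers(rule, ip, port):
    """True if the rule's destination and port match this device and port."""
    return (ip in ipaddress.ip_network(rule["dst"])
            and rule["port"] in (None, port))  # None means any port

def internet_facing_reasons(device_ip, mgmt_ports, rules):
    """Reasons the internet could initiate a session to the device.

    rules: ordered, first-match inbound rules (hypothetical format);
    traffic that matches no rule is dropped (default deny).
    """
    ip = ipaddress.ip_address(device_ip)
    reasons = []
    if not any(ip in p for p in INTERNAL):
        reasons.append(f"{ip} is not in private address space")
    for port in mgmt_ports:
        earlier_denies = []
        for rule in rules:
            if not _covers(rule, ip, port):
                continue
            src = ipaddress.ip_network(rule["src"])
            if rule["action"] == "deny":
                earlier_denies.append(src)
            # An allow is flagged unless an earlier deny fully shadows it.
            elif not _internal_only(src) and not any(
                    src.subnet_of(d) for d in earlier_denies):
                reasons.append(f"port {port} allowed from {src}")
    return reasons

# Constructed rule sets for illustration.
EXPOSED = [  # a port-forward style rule: any source may reach the web UI
    {"action": "allow", "src": "0.0.0.0/0", "dst": "192.168.10.20/32", "port": 80},
]
MEDIATED = [  # VPN pool allowed, everything else denied first
    {"action": "allow", "src": "10.8.0.0/24", "dst": "192.168.10.0/24", "port": 443},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "192.168.10.0/24", "port": None},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "192.168.10.20/32", "port": 80},
]
```

An empty result means no rule lets a non-internal source start a session; the check is deliberately conservative, so an allow rule that is only partly covered by an earlier deny is still reported.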
Ransomware
In the FCC’s Jan. 29 public notice, meanwhile, its Public Safety and Homeland Security Bureau emphasized the ramifications of a ransomware attack, including time and service disruption, as well as any financial ransom needed to regain compromised files.
Depending on their effects, ransomware attacks may also require reporting the attack to the FCC or federal law enforcement, the commission said.
If the attack results in the unauthorized transmission of Emergency Alert System codes or attention signals, it must be reported to the FCC Operations Center within 24 hours.
The commission recommended that, regardless, ransomware attacks be reported to the FCC and federal law enforcement for their situational awareness and assistance.
The commission cited a Cyble threat landscape report that noted a four-fold increase in ransomware attacks against communications providers since 2021. Ransomware attacks are not limited to major carriers, the report noted, but also affect regional operators and vendors.
The Michigan Association of Broadcasters summarized several of the best practices the commission recommended to safeguard operations against ransomware.
They include:
- Turn on Multi-Factor Authentication for email, remote access, VPN and cloud services.
- Verify offline backups and test that you can restore from them.
- Update and patch operating systems, automation and remote access tools.
- Train staff to recognize phishing and social engineering emails.
- Limit access privileges and segment office networks from on-air systems.