|Researchers at the University of Illinois Urbana-Champaign designed a simple experiment to demonstrate the problem. They dropped 297 USB sticks around the campus, each loaded with a little piece of software which reported back when it was online. 48% were picked up and plugged into a computer. Some within just a few minutes of being dropped. |
This was just a demonstration, and the software on the stick was not malicious. But it is quite likely that this is exactly the route the WannaCry virus entered the NHS network: someone plugged some unauthorised storage into a networked computer. Does your office have a policy on quarantining USB sticks and disk drives?
Take that thought forward to the future, software-defined, IP-connected media architecture. Now we are not just plugging in random USB sticks, we are actively encouraging software from multiple vendors to automatically log on to the network, authenticate themselves, and handle vital data safely.
Many - perhaps all - of those software vendors will allow their software to "phone home" to check licenses. They will dial in to their software to allow remote diagnostics and fault-finding. There may be automated updates. A lot of uncontrolled connectivity, in other words.
The EBU published a recommendation on cyber-security, R 143, last year. You can read its checklists online. IBC this year features a top-level (CTO invitation only) conference on cyber-security.
In light of this, I asked a couple of the big names what they thought about the issue. Phil Myers of SAM told me "Protection is provided at two levels within the system. At the device level, a 'hardened' secure realtime operating system is implemented to provide isolation protection of all aspects of the device, including the file system and network stack."
Steve Reynolds, CTO of Imagine Communications, expanded on this idea. "The best practice for media companies is the segmentation of networks into zones of increasing trust. In general, critical control systems should be positioned inside isolated media networks, independent logically - and physically if possible - from broad corporate networks."
This is a new buzzword for me. We need to be designing "zones of increasing trust".
"At the COTS network switch level, industry standard protocols can be implemented to secure the network," according to SAM's Myers. He mentioned whitelists of valid addresses, which can be used to control the flow of data in and out of a network.
Imagine's Steve Reynolds agreed, continuing "The logically isolated media network zone can then be further segmented into streaming media flows, automation and control traffic, and file-based workflows, depending on the overall system requirements.
"If you secure operations and have trust elements built into the system, then you can stop an intruder doing anything with the content," he added. "You can never guarantee that something bad will not happen, of course, but it does mean that hackers cannot go to air on your back."
Haroon Meer of Thinkst Applied Research, though, told a recent summit in Qatar that attacks against media organisations become inevitable as the industry becomes more connected.
"Broadcast is at the centre of an almost perfect storm," he said. "It didn't used to matter if you weren't secure because you weren't exposed. You had an unlocked house but it was in a very safe neighbourhood.
"Recently, with convergence and IP, your house is moving into a much worse neighbourhood," he explained. "Breaches will happen. The important question is how you respond."
One suggestion is that you move your operations to someone else's house: put it in the cloud. The general feeling is that the big names in cloud are probably the world authorities in cyber-security, because it is at the core of their business. "There are thousands of people at Google, AWS, Microsoft and the rest with 'security' on their business cards," according to Steve Reynolds.
Keeping your content and your operations secure in the connected world from those who would do you harm is an urgent priority. Clearly, though, it takes money and resources. And the bigger the name, the bigger the reputational damage at risk.
Willem Vermost of the EBU asked "How are broadcasters going to compete in the modern world? Security could be a real block on future developments." Brad Gilmer of AMWA added "business requirements like flexibility and shareability might be conflicting with security, which always has to be the top priority."
And, as Thomas Edwards of Fox so memorably put it, "no-one's ever been hacked over SDI".