What can broadcasters do to improve security in IP and cloud-based workflows?

The broadcast industry is continually evolving to meet the demands of an increasingly digital audience. With the advent of IP and cloud-based production technologies, broadcasters have gained unprecedented flexibility and efficiency in delivering content across diverse platforms. However, alongside these advancements come formidable challenges in ensuring the security and integrity of live broadcasts.

Cyberattacks on major broadcasters

High-profile attacks on live broadcasts serve as stark reminders of the vulnerabilities inherent in the broadcast ecosystem. One of the earliest and most dramatic of these was in 2015 when TV5Monde in France was taken off the air by a group of Russian hackers. In 2021, Channel Nine in Australia was unable to air several programmes due to a ransomware attack. And earlier this year, Sweden’s SVT, along with other public institutions in the country, were targeted by denial of access attacks.

These attacks underscore the urgent need for robust security measures to protect against malicious actors intent on exploiting vulnerabilities in broadcast infrastructure. However, implementing security presents a unique set of challenges for broadcasters.

Read more Momentum builds behind content credentials to combat AI deepfakes

The distributed nature of IP and cloud-based production environments complicates traditional security paradigms, requiring broadcasters to adopt a holistic approach to risk mitigation across all layers of the broadcast workflow. Further complicating things is the fact that Smart TVs and other mobile devices are complex computers that are vulnerable to cyberattacks themselves. Programme makers, equipment and service providers, and broadcasters now need to be mindful of security vulnerabilities from ‘glass to glass.’

Protecting production

Steve Taylor, VP R&D for Vizrt, which sells products across the entire production chain, believes that the best approach to security is to educate users. The move to cloud-based systems where equipment is no longer on-prem requires a new way of thinking. “The danger is that people are not aware that this computer is no longer just in front of them and that there are other people that may want to access it,” he says. “I think there’s still a perception in the broadcast industry that systems run in a box under the desk in the broadcast control room, and that they are SDI connected, and fairly isolated.”

Taylor emphasises that new types of relationships need to be established. “Broadcast experts suddenly realise that they have to talk to IT people,” he says. “They have to adhere to password policies; they have to ask for ports to be open, and everything else. And it’s a different world. We’re seeing this education starting and some of it’s coming from their frustration, because the IT department won’t let them stream stuff up to the cloud. This is very much an education, there are lots of things you can do wrong, we have to make sure we’re helping with that.”

Protecting delivery

From leaked episodes of programmes like Game of Thrones, to pirated transmissions of live sporting events, the delivery stage of the media chain is particularly vulnerable now that the industry is moving from closed, dedicated transmission networks to the open internet.

Watch more Security in the Modern Media Supply Chain

Avigail Gutman, VP Intelligence and Security Operations at OTT platform provider Synamedia, believes that the industry is currently playing a game of catch-up. “OTT systems came out without security built in,” she says. “All of a sudden, there were huge amounts of content, and it was kind of naive to think that it wouldn’t get pirated, and that it wouldn’t get pirated easily. Don’t forget, that this is kind of an open system. It’s not that walled garden of satellite broadcasts, where you can only see things if you’re under the footprint and the distribution system is physically protected on-prem. The content is up in the cloud.”

Gutman stresses the importance of looking at systems as a whole. “Cloud security is developing as OTT security is developing,” she says. “It’s not there yet. When you look at security holistically, you say, ‘Well, where do I start?’ and I think the industry started in the middle, rather than end-to-end. The first thing to do is to actually protect the platform that the content’s being distributed from.”

As with Taylor, Gutman feels that there needs to be much more cooperation between traditional broadcast engineers and IT engineers. “Today, OTT security is much closer to the world of IT security than it is to satellite and cable,” she says. “The threats are very similar. The attacks and methodologies by hackers and pirates are very similar. So, you have to take that same approach when you’re protecting your service and when you’re protecting your content. First of all, the technologies themselves have to be secure. You have to implement hardened security on distribution platforms.”

Protecting the audience

Until recently, there was little concern regarding keeping receiving devices secure because TV and radio receivers were what is known as ‘dumb terminals’ – devices with no or extremely limited processing power themselves. With global Smart TV penetration expected to pass 51% within two years, and a significant number of younger audiences using smartphones and tablets to view content, ensuring security all the way through to the audience is a factor broadcasters need to address.

Daniel Pike, Chief Product Officer at Covatic, whose products enable the delivery of addressable advertising without exposing personal user data, describes the privacy and security considerations for the audience. “If you’re a broadcaster and you want to personalise adverts or content or understand users, then you would have to have a database somewhere with lots of email addresses, and maybe names and dates of birth, and where people live, payment details, and all sorts of things. Also, all the content that they’ve consumed,” he says. “Content consumption doesn’t feel like particularly sensitive data, but we know from the success of the streamers and others, that it really can be quite telling about people. You can, even with quite mainstream broadcast content, probably work out things around sexuality, various sorts of lifestyle choices, outlooks and attitudes, political views, and all sorts of things. There’s a whole bunch of things that you could probably infer with reasonable accuracy, and then you could tie that to an individual just based on the content that they’re consuming. If you get hacked, or someone inside the organisation does something malicious, then that’s all up for grabs and it’s got your name on it. There’s a whole world of pain that you could have just created.”

Covatic’s approach is to give the audience member total control of their personal data. “For us, we do it the other way around, all data stays on the device,” he says. “It will look at things like consumption, it will look at locations, it will look at the type of device, and so on, and so forth. All the rich stuff you can get from a mobile, but it all stays there on the device, and it doesn’t associate it with a named user, an email address, or anything like that. From our platform, the client can essentially send down certain rules, they can start to build out audiences and say, ‘I want to address people who have certain characteristics.’ A simple one might be a sports fan, and so that might have the rule of someone who’s consumed sports content twice in the last month. You send that rule down to all of the devices. They all get it. It’s kind of like a broadcast model, and when that ad request comes in, we can put in an anonymous code that goes to the ad engine as a key-value pair, and the ad engine knows what it means and we’ll say, ‘okay, there’s a sports fan here.’ Again, there’s no email address, I don’t know who they are, I just know that there’s someone listening to the radio right now, and they’re a sports fan. So, I’m going to put a Nike advert to them. At no point is the data associated with an identifiable individual.”

Pike believes that giving ultimate control over personal data to the user protects both them and the broadcaster. “It’s on your device,” he says. “If you want to delete it, just delete the app and it’s gone forever. And if our back end gets hacked or people get access to it, there’s no personal data there. I think crucially for the broadcaster or the publisher, they’re entirely compliant, and the risk of regulatory challenge to their advertising business has gone. The risk of anything malicious happening is gone. It’s a great future-proof way for them to operate.”

Not just technology

Educating users and fostering collaboration between traditional broadcast engineers and IT professionals are essential steps in addressing security vulnerabilities in cloud-based systems. By implementing comprehensive security measures and empowering users with control over their data, broadcasters can navigate the evolving landscape of IP and cloud-based technologies with confidence, safeguarding their operations and ensuring a secure and compliant future for the industry.

Read more Cloud Security for Media Services