Broadcast
Cyber security is rising up the agenda for broadcasters and suppliers as high-profile breaches hit the headlines, but how serious is the risk and what can be done?
https://www.broadcastnow.co.uk/home/how-to-protect-against-piracy/5121824.article
Piracy is an unfortunate fact of life for the TV industry, but direct hacks into production servers represent a worrying new trend. Leaked content available before its release date has even more value than movies or series that have already been launched.
Netflix has been hit by ransomware attacks and had files stolen. Although the SVoD site’s production subcontractor paid the requested amount, the hackers leaked episodes of hit series Orange Is The New Black anyway.
Other hackers allegedly breached Disney’s film production unit and claimed to have obtained a major movie, threatening to release it if the studio didn’t make a ransom payment.
Disney, working with the FBI, ultimately determined that no hack had taken place. However, the event pushed cyber security high up the company’s priority list.
Last month’s HBO attack appears the most sophisticated yet. The Time Warner-owned company was attacked from multiple points, including its employees’ Twitter feeds.
Hackers, who may have stolen as much as 1.5 terabytes of data, threatened to leak secrets from HBO’s biggest show, Game Of Thrones, with the warning: “Winter is coming – HBO is falling.”
“As more data is centralised into faster single systems, the opportunity for the hacker to strike gold becomes ever larger,” warns Jonathan Morgan, chief executive of storage vendor Object Matrix.
“Media companies face a plethora of rising dangers, from hackers, whether financially or politically motivated, and from internal breaches.”
DPP managing director Mark Harrison says cyber security is now at the top of board agendas: “There is a lot of anxiety about how you achieve it.”
Content thefts have tended to result in blackmail demands for money in exchange for not releasing the content.
However, the Sony hack of 2014, and breaches at organisations such as TalkTalk, CBS-owned Last.fm and US cable provider Comcast, show that internal data, such as emails and private consumer data, is just as much a target as the content itself.
“Consumer data is one of the biggest assets that service providers have,” says Nick Fitzgerald, chair of managed services provider TV2U. “This data is being treated with the same value as content, which has changed the game when it comes to security.”
As more types of devices – whether tablets, smartphones, consoles or internet-connected TV sets – are used to consume content as well as interact with core management systems, the security domain for providers has become much more complex.
“These additional access points offer enticing targets for adversaries seeking to exploit payment or other personal subscriber information,” says Christopher Schouten, senior director, product marketing, at content security specialist Nagra.
“Providers will need to expand their security focus from content encryption and piracy protection, to include their broader network and the core business systems where critical subscriber data is maintained.”
In an industry reluctant to divulge incidents of attack, quantifying the scale of the threat is tricky. Fitzgerald reckons more than a quarter of media organisations have experienced a cyber attack – “and that’s just the ones that admit it”.
“The threat is real and it’s growing bigger by the day, particularly when it comes to the impact on pay-TV revenues,” he says.
Research from PwC in July 2015 showed that the average cyber attack costs large UK companies more than £3m. For small organisations, it ranges from £75,200 to £310,800.
In June this year, US data protection research body the Ponemon Institute’s cross-industry study of several economies calculated the average consolidated cost of a data breach at £2.8m.
With the advent of the European Union’s General Data Protection Regulation in 2018, those costs could be driven even higher.
It will allow sanctions including a fine of up to €10m (£9.2m) or 2% of a company’s annual worldwide turnover in the preceding financial year (whichever is greater), far exceeding the current maximum of £500,000.
According to video analytics platform Ooyala, there is widespread agreement that the media industry loses billions of dollars to piracy each year.
“What’s not in dispute is that the impact is greater the further up the supply chain the piracy occurs,” says Ooyala business development director, media logistics, Bea Alonso.
“A single end user sharing a Netflix password costs the company $10 per month – whereas a single download and illegal posting of pre-released content could cost a studio millions in lost revenue.”
There is no single solution for data security. Instead, all companies, from studios and broadcasters to their suppliers, are advised to implement layers of security – and to be more honest about their weak points in dealing with each other.
DPP’s Harrison reports that producers are starting to take the matter seriously by building security thinking into each production.
“That is a very significant change,” he says. “Since every production is different in terms of scale, location, budget, personnel and so on, it is a major commitment to tackle security each time.”
For its part, the DPP has issued a security checklist for suppliers. Another, shortly to be published, covers the protection of critical broadcast infrastructure.
“These are not standards but risk-assessment forms,” Harrison stresses. “They are devised to create the space for companies to discuss the issue honestly and to admit they don’t have this process yet but they are putting it in place. It’s about getting suppliers into a formal space so that they can demonstrate their commitment to security.”
Post houses and other suppliers demonstrating this will be badged with a special DPP logo. The first company names will be released at IBC this month.
“The best way to stop the bad guys from breaking in is to ensure that the systems are secure, using the latest, patched versions of the OS and vendor applications,” says Avid director of architecture Rob Gonsalves.
“Anti-virus software should be applied as standard on all systems,” he insists. “Firewalls should be deployed to block all access by default, and only open traffic to named endpoints with minimal access to ports.”
At operator level, security needs reinforcing, too.
“Where previously operators needed to ensure set-top boxes were hardened against tampering or piracy, consumers can now choose what type of device they use to interact with content and core business applications,” says Nagra’s Schouten.
“This moves operators from having a single, controlled point of entry into the home to needing multiple ways to control access to content and personal information.
“What’s more, these access points could potentially create openings for adversaries to move laterally into other business systems, so providers also need to harden defences around key business systems and data to monitor access and ensure that unauthorised activity is quickly identified and terminated.”
Implementing best practices for systems, infrastructure and assets is only half the story.
“Staff are a hugely important element and their understanding is paramount to a business’s security,” says Neil Bottrill, digital operations director at DMS, which provides localisation and distribution for Hollywood studios.
“We encourage staff to review what we do and they have the opportunity to give feedback if they feel we can improve security in any aspect of the business.”
Gonsalves backs this up: “Humans are often the weakest part of the security chain, so employee training is crucial to the prevention of attacks. Many cyber attacks start with easily disguised phishing emails, so employees should be briefed with the policies and practices they are expected to follow regarding internet safety, and what to do if a breach occurs.”
It is worth putting cyber crime in perspective. While an unauthorised script, tweet or leak of an episode makes headlines, the industry is by some accounts haemorrhaging revenue from illegal premium, often live, sports streams.
“Crime is happening on many levels, from sensitive customer data to original source content and denial of service, where a hacker swamps a service with fake requests so that the service goes down,” says Richard Brandon, chief marketing officer at content delivery network vendor Edgeware.
“Each of these could be very serious, but some accounts suggest that more people are watching pirated live shows – such as top-tier football – than are paying for it.
“Somebody who breaks in and steals an episode of Game Of Thrones is, in the long run, probably having nowhere near the impact on the industry of day-to-day piracy.