Could your station recover from a cyber attack?

As an Australian TV network deals with a massive cyber-attack – one of the worst such corporate attacks to date, and still playing out as this article was being written – right now would be an excellent time to consider your station’s state of readiness.  Technorama President, John Maizels, reports.

The broadcast industry is a ripe target for cyber criminals.  Viruses, malware and bloatware are all nasty, annoying, and have repercussions.  But the worst possible form of attack is Ransomware.  Your station could be next.  This article is about how to avoid that, and might be the single most important advice that Technorama could give you this year.

Let me say at the outset: this is a lot of stuff to take in, and you could easily feel swamped by the time you get halfway through.  Keep going.  If you only take one tip, and start with that, you’re ahead of the game.

The key questions are:  how prepared is your station for a cyber-threat, and how likely are you to be able to survive a direct attack?  Does your station have an active plan B?

To be really blunt: does everyone in your food-chain speak the language of business recovery and business continuity?

Many stations don’t have a plan

If you don’t have a solid strategy to handle a disaster, you’re not alone.  The trick is to start somewhere, and start now if you haven’t already.  In fact: start before you’re ready!

Step one is always to be informed, so this article asks the important questions, and suggests some beginning strategies.  Bigger answers will come later, but right now your best defence is to know that there is a challenge to be met, and what form that challenge might take.

To help you along, the Technorama brains-trust has mapped out some aspects to consider about cyber-threats and your station.

This article will be updated over the next few weeks, as tips and hints come to light.  But let’s start with the obvious.

It’s about your mindset

The first step to readiness is to admit that a cyber-attack can happen.   Not only can it happen, but broadcasters are an obvious target, and your station is a broadcaster.

The outcome of an attack on a broadcaster is very visible, instills fear into the rest of the community, and the stakes are high enough that the demands can be high too.  Don’t assume that because your station is “community broadcasting” the attack will be lessened, or that the attacker is ready to give you a discount.

The word “attack” might seem extreme, but that’s what it is, so don’t mince words.  Consider that if it’s possible to attack a major television network with a cyber-security team in place, it can happen to a community broadcaster.  It can happen to you.

It’s reasonable to assume that if you are hit, there will be consequences.  But don’t assume that your attacker is going to play fair.  Even if you pay the ransom, your files might not be unlocked and your systems might not be restored.  Money (or whatever the ransom is) might not even be the endgame.

Assume that if you haven’t thought about cyber-attack and recovery, any situation is going to be messy.

At the same time, Radio is much simpler to fix than Television. It’s not hard to get back on air, there are low-cost recovery methods, and you should not be broadcasting silence for very long at all.

How can you mitigate an attack?

Have the correct mindset: ensure that your colleagues, the board/committee, and anyone who has access to your gear knows that there is a real risk of virus, malware, and ransomware attack.

Then do everything you can to not be that target.

Plan to be attack-ready!

A key piece of advice is to have a plan in place, no matter how unlikely you think an attack might be.  Your station might be collateral damage in an attack intended for another organisation (eg: if you’re using the same software or systems).

Identify your critical assets, and know what the impact would be if those assets are compromised.  Then create an incident plan.  It doesn’t have to be complex or extremely detailed, but it does need to exist.  By having a response plan, you start from a position of preparedness and calm, which in turn will reduce fallout and promote confidence.

Assume that your station is a target.

If you’re a broadcaster, you are visible.  If you are visible, someone might decide your station is worth going after.

Create a reasonable “under attack” mindset and culture.  Ensure that everyone knows it’s not a matter of if, but when, and that every user of station facilities has a part in the protection strategy.

Encourage everyone to be aware of the consequences of a mis-click, an imported USB key, and the various attack vectors that cyber-criminals use.

Know your pressure-points

Look at your current environment, and be both realistic and brutal. Ask the question: do you have a single point of failure?  This is not just a technical question.  You can be attacked many ways, and your recovery depends on strategies with:

  • hardware/software/infrastructure: can you manage hardware and software in a way that ensures the problem isn’t made worse?
    • do you have spare hardware to cope with recovery?
    • is at least some of that hardware completely isolated from the live network?
  • people:  when the attack occurs, is there a defined list of people to call, and a sequence in which they will be called?  Who needs to know?  Who is capable of leading the recovery?  And if that’s one person, or someone who isn’t available: the station is exposed.
  • location:  is there a defined backup process for anything physical, and can you implement a recovery offsite?
  • protocol: does everyone understand that a cyber-attack is possible, and what to do if they are the first-noticer?

Security starts on the inside

Control who has access to your network, and which parts of the network they can access.  Control what resources can be reached by non-technical people.

Separate internet and on-air traffic.  At the very least, put your automation systems and internet access on separate VLANs, and ensure that the external internet can’t touch the automation system.

A smart way to manage networks is to construct the network with multiple NICs (network interface controllers) on critical machines. Create an internal and external network and ensure that network traffic can’t be cross coupled.

Ensure there is no reason for anyone to connect an external device directly to the broadcast network or a machine on the broadcast network.

Set clear IT policies.  Ensure everyone understands what is and isn’t a threat.

  • You can’t be infected with a virus from a WAV or MP3 file.  Audio files are audio, and not executable.
  • You can be infected with a viral carrier that is disguised as a WAV or MP3 file – and such a file won’t be playable audio.  If a file won’t play when dropped into an appliance player (eg: VLC) then look at it more carefully.
  • You could easily be infected with a file that is trivially disguised.  For instance:
    • “tune.mp3” is safe.  It can’t be executed.
    • “tune.mp3 (lots of spaces) …exe” might not be noticed as an executable file, and is a threat.

The Windows default, which is to hide file extensions of well known files, is one of the craziest decisions that Microsoft ever made.  You can change the defaults of file lists so that extensions are visible.  If the file is a .exe, you probably want to know.
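One way to check a folder of incoming audio for the two disguises described above, a padded double extension and an audio-named file that is not audio. This is an added example, not part of the original article; the extension lists, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

AUDIO_EXTS = {".mp3", ".wav"}
RISKY_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}  # assumed list; extend to suit

def header_is_audio(head: bytes, ext: str) -> bool:
    if ext == ".wav":
        return head[:4] == b"RIFF" and head[8:12] == b"WAVE"
    # MP3 starts with an ID3v2 tag or an MPEG frame sync (eleven set bits).
    return head[:3] == b"ID3" or (len(head) > 1 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0)

def check_file(path: Path) -> list[str]:
    """Return the reasons a file deserves a closer look (empty list: none found)."""
    reasons, ext = [], path.suffix.lower()
    stem = path.name[: -len(path.suffix)] if path.suffix else path.name
    if ext in RISKY_EXTS:
        if re.search(r"\.(mp3|wav)\s*$", stem, re.IGNORECASE):
            reasons.append(f"audio-looking name, but the real extension is {ext}")
        if re.search(r"\s{3,}", stem):
            reasons.append("run of spaces pushes the real extension out of view")
    if ext in AUDIO_EXTS:
        with path.open("rb") as fh:
            head = fh.read(12)
        if head[:2] == b"MZ":  # signature of a Windows executable
            reasons.append("executable header in an audio-named file")
        elif not header_is_audio(head, ext):
            reasons.append("header is not recognisable audio; test it in a player")
    return reasons

def scan(root: Path) -> dict[str, list[str]]:
    files = (p for p in sorted(root.rglob("*")) if p.is_file())
    return {p.relative_to(root).as_posix(): why for p in files if (why := check_file(p))}

def demo() -> dict[str, list[str]]:
    samples = {  # constructed sample files: header bytes only, no real audio or malware
        "tune.mp3": b"ID3\x03\x00" + bytes(16),
        "jingle.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
        "promo.mp3": b"MZ\x90\x00" + bytes(16),
        "tune.mp3" + " " * 40 + ".exe": b"MZ\x90\x00",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return scan(Path(tmp))

if __name__ == "__main__":
    print("\n".join(f"{n!r}: {'; '.join(r)}" for n, r in demo().items()))
```

A header that does not match is only a prompt to look more carefully: some genuine MP3 files begin with padding before the first frame.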

The best policy is for your people not to download anything on-station unless it’s from a known, trusted, source.

Don’t go overboard

I’ve been in many stations where browsers, desktops, accesses and even office suites are so locked down that it’s hard to function.  That’s not desirable, and it’s not a good outcome.  Neither is it sensible (especially in small stations) to restrict access to only one person.  Balance your approach.  And before you tighten security, ensure that somewhere, in a trusted place, there is the password-containing envelope that can be ripped open in case of emergency.

Your aim is to secure the station, not cripple it and alienate all your volunteers.

To publicise or not?

If you do suffer an attack, there are two obvious PR strategies straight off the bat:  tell everyone, or keep it under wraps.  Your attacker would like nothing more than to have the work publicised – that’s how terrorism works, and if everyone else is fearful of an attack, the ransom toll can be steeper.  On the other hand, if your station is plunged into darkness, people will want to know what happened.

Turning a bug into a feature – being very open, even to the point of joking about it – is a powerful alternative.

The golden rule of PR is to have a strategy.  Everyone marches to the same tune.  So when you create your attack mitigation plan, ensure that a defined PR approach is part of what you do.  At least then you can relax on that aspect.

Prevention and Mitigation Basics

At the very least, you should do the basics.

  • Have a reputable anti-virus package installed on all your internet-accessible computers.
  • Have a backup strategy that involves taking backups once a week at the very least.  Daily incremental backups are an even better strategy.
  • Test your backups.  Backups are useless unless you know that a restore will work, and that you are comfortable with the restore procedure.  Backup and restore instructions should be written in a way that a non-technical person could follow, and be successful.
  • Have a complete set of backups stored offsite, and store these in a way that the backups are completely isolated from your active network – in fact, isolated from all other infrastructure.  If you have to bring a backup into play because your network is compromised:  don’t put your only backup on the compromised network!

Recovery

If you’re hit: what are some considerations?  Most importantly: don’t panic. Don’t do anything that is likely to compromise whatever is still working – if the station is off air, you don’t want to make the situation worse by extending the off-air period while trying to shorten it.

Some simple tests:

  • check backups before restoring.  Are they clean?  Do they work?  Are you restoring the most recent appropriate version?
  • ensure that the machine to which you are restoring (and any machine that touches the backup) is clean before you attach backup media.  If you’re not sure: don’t do it.
  • Ensure you are restoring data, not programs.
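A sketch of the "test your backups" and "check backups before restoring" advice: record a hash manifest when the backup is taken, then compare a trial restore against it and list anything missing, changed, unexpected, or that is a program rather than data. This is an added example, not part of the original article; the function names, the extension list and the sample library are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

PROGRAM_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".msi"}  # assumed list; extend to suit

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB at a time
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256. Run at backup time and keep the result offline."""
    files = (p for p in sorted(root.rglob("*")) if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}

def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a trial restore with the manifest before trusting the backup."""
    now = build_manifest(restored)
    return {
        "missing": sorted(manifest.keys() - now.keys()),
        "changed": sorted(f for f in manifest.keys() & now.keys() if manifest[f] != now[f]),
        "unexpected": sorted(now.keys() - manifest.keys()),
        "programs": sorted(f for f in now if Path(f).suffix.lower() in PROGRAM_EXTS),
    }

def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for name, data in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(data)

def demo() -> dict[str, list[str]]:
    """Constructed sample: a three-file library, then a trial restore that went wrong."""
    library = {"ids/station.wav": b"RIFF-ident", "music/a.mp3": b"ID3-a", "music/b.mp3": b"ID3-b"}
    restore = {"ids/station.wav": b"RIFF-ident",  # intact
               "music/a.mp3": b"garbled",         # content no longer matches
               "tools/player.exe": b"MZ"}         # a program, and not in the backup
    with tempfile.TemporaryDirectory() as lib, tempfile.TemporaryDirectory() as out:
        write_tree(Path(lib), library)
        manifest = build_manifest(Path(lib))
        write_tree(Path(out), restore)
        return verify_restore(manifest, Path(out))

if __name__ == "__main__":
    for check, names in demo().items():
        print(f"{check}: {names or 'none'}")
```

Run the comparison on an isolated machine against a trial restore, so the backup media never touches the live network.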

Things you can do to protect your station

Have a Plan B.  That sounds so obvious, so ask: do you have one?  If the station is hit with a cyber attack, does everyone from the on-air presenter up know what to do next and who to call?

If you rely on automation, have a standby machine that is completely disconnected.  Even an old playlist is better than no playlist.  An old PC with a duplicate of your libraries is a good piece of insurance.

If you have a digital studio infrastructure, confirm that the console can’t be brought down by a cyber attack on another part of the network.  Consoles that rely on network attachment, and a Windows-based configuration controller, might be a point of risk.

Include appliances in your backup plan

Part of your recovery arsenal should be some tools that aren’t based on files, or connected IT. What does that mean?  Simple: be ready to play material from a source that can’t be compromised by a cyber attack. Appliances are your friend.

An appliance is a device which does exactly one job and can’t be tricked into being something else.  Examples of an audio appliance include CD player, DVD player, or a box which can play from a hard drive or USB stick.  Think in terms of old-school devices:  CD, cassette, vinyl, tape, and Edison cylinders are totally immune to computer viruses. Any of those will keep your station on the air.

If you have an analogue studio with CD players and turntables, you have massive protection already. It would be very hard for a cyber attack to knock you out completely.

In these days of substantial digitisation, your station might not have any of those playback devices in the studio.  So ask: if the network goes down, what can you use to deliver emergency program, and what is your strategy for program continuity?

Of all the devices available today, a DVD or BluRay player is the obvious choice as an emergency program source.  Cheap, easily available, and can’t be hacked.  Put one in the master racks for the rainy day.

Ideally, your emergency playout should bypass studios and all your other infrastructure.  Have cables and a suitable interface available to connect the audio output from the appliance directly into your studio switcher.

Then ensure that you have a generic standby program sitting on a CD/DVD/BD, and that you have spare batteries for the remote control.

When all else fails

Don’t forget: your OB kit can double as an emergency studio.

Where next?

Technorama members, and everyone who has subscribed:  the Technorama Community Radio Tech Q&A Facebook Group is a great resource. It’s an excellent place to ask questions and get advice.