FCC adopts new cybersecurity rules for EAS and other broadcast equipment; proposes changes to improve EAS and WEA
FCC to require firewalls, stronger passwords and prompt updates of security patches. Proposes enhanced EAS geotargeting, earthquake alerts and software-based alerting.
Today at the June Open Meeting with a 3-0 vote, the Federal Communications Commission had adopted Report and Order in PS Dockets 25-224 and 22-239 and a Further Notice of Proposed Rulemaking in PS Dockets 25-224, 15-94 and 15-91 which relate to the Emergency Alert System (EAS) and cybersecurity threats. REC Networks was deeply involved in some of these proceedings.
We note that at the time of this publication, the FCC has not released the final Report and Order/NPRM. To see what may eventually be in that final document, please review the circulation draft.
The proceedings related to cybersecurity were amplified by multiple instances of where a broadcast station’s EAS or internet-based studio to transmitter link (STL) (such as Barix boxes) were compromised to allow for content being broadcast that was not authorized by the broadcaster. These hacks over the years included EAS alerts warning about “zombies rising from the dead” and the broadcast of obscene material.
Originally, the Commission had suggested that all broadcasters be required to develop and maintain what REC described as “an extensive and elaborate cybersecurity plan” requirement similar to those that may be required of extremely large telecom providers and other government agencies use. REC would push back on this stating that broadcasters are different that those types of entities and such a requirement would be a huge burden on small commercial and noncommercial broadcast stations which comprise REC’s constituency. While agreeing that security of EAS equipment is of “paramount importance”, we further stated that small broadcasters should implement a plan of good network operating practices which involve network configuration, password management and periodic password changes, along with other “common sense” methods to assure that EAS equipment is not compromised.
In 2022, REC published Advisory Letter #17: Practice of Good Network Security for EAS and other station assets. Some of these practices include:
Not placing equipment on a static IP address. During the proceeding, REC had demonstrated that using a third party website, it was able to identify hundreds of DASDEC EAS encoder/decoders that had their login pages directly accessible using ports 80 and 443, the common ports used for accessing websites.
Not using port forwarding to an EAS decoder. Likewise, determined hackers can use software known as “port sniffers” in order to identify specific port numbers that point to EAS or broadcast STL equipment which can be compromised.
Limiting who has access to the password(s) for the EAS encoder/decoder.
Having air talent use third party sources for newsgathering on major events that triggered previous alerts instead of accessing the EAS encoder/decoder by password.
On DASDECs, disable the front panel demo alerting button.
Avoid using default passwords, periodically changing passwords and keeping passwords secure. Use two factor authentication where available.
Immediately change default passwords on newly acquired equipment.
Use your EAS encoder/decoder email capability to send alerts and logs to an email address.
Place the EAS encoder/decoder at the studio instead of the transmitter site.
Practice good common sense network security at the station:
Assure that station assets are only used for station business and that computers are only equipped with the applications necessary to run the station.
Develop policies that make clear that staff or volunteers should not used to access their own emails and download attachments.
Use due diligence when receiving an email with an attached file from an unknown external source.
AD: Looking for a new transmitter (up to 1kW, including for LPFM stations)? Look no further than Progressive Concepts. Use the coupon code REC or if calling, ask for the REC Networks Discount in order to get 5% off on BW broadcast transmitters. With the translator window coming up, now is a good time to think about how you will implement a granted construction permit. Visit progressive-concepts.com or call them at 630 736-9822.
The rule changes adopted
In the Report and Order, the FCC amends §11.35 of the FCC Rules to add a new paragraph (d) that requires that broadcasters implement security controls with respect to EAS equipment, STL and any remotely managed equipment that routes, processes, or inserts content into the broadcaster’s programming. This includes:
Prior to any use to broadcast to the public, broadcasters shall change any default password, use strong passwords and change any password if the broadcaster has reason to believe that the password has been compromised.
A strong password has a minimum of 15 characters and does not use any dictionary words.
Instead of using a strong password, broadcasters may use alternative authentication methods such as look-up secrets, out-of-band devices, single or multi-factor one time password.
Single or multi-factor cryptographic authentication.
Passwords should not be reused for the broadcaster’s other accounts, equipment, applications or services.
Install security patches and security-related software and firmware updates provided by equipment manufacturers promptly after those patches or upgrades become unavailable. Security patches and security-related software and firmware updates issued by equipment manufacturers may be tested before they are installed, providing that the testing begins promptly and is completed in a timeframe that is consistent with industry best practices.
Use a network firewall or comparable network segmentation practice that limits remote management access to authorized devices and authorized users.
The Report and Order sets a compliance deadline of 60 days after the rule’s publication in the Federal Register.
REC recommends that broadcasters check with their equipment manufacturers through their websites and other communication methods for any updates on software or firmware updates related to the compliance of these new rules.
REC has no information at this time on whether manufacturers (such as Digital Alert Systems or Sage) will be charging for these specific software or firmware updates.
What this means for small stations
The recommendations around these requirements are very simple.
Make sure that you are using a router with network access translation (NAT) set and putting your equipment behind that. Do not use port forwarding to get to your equipment whenever possible.
Do not hook up any broadcast equipment directly to a static IP (this would more likely happen in industrial and academic environments).
Make sure passwords are strong and secure using two factor authentication where available.
Limit access to the EAS and other broadcast equipment. Don’t write the password on a label and put it on the equipment or on the wall next to the equipment.
Physically place the EAS in the studio/office instead of the transmitter site. This also makes things easier in the event of an FCC inspection where the inspector wishes to view the station’s EAS logs.
Do not ignore any manufacturer notifications about software or firmware patches and when you receive them, install them as soon as possible.
Notice of Proposed Rulemaking
The NPRM proposes to improve the integrity of EAS through the authentication of all alerts made by alerting authorities (public safety agencies) before they are transmitted, improve geographic accuracy through expandi
ng geotargeting options for EAS (such as partial county alerting), improving the ability of earthquake alerts to grab the public’s attention and for TV stations, requiring the use of symbols that match the type of emergency.
The NPRM will also look extensively at the ability to use software solutions for EAS as opposed to hardware. Of interest to REC is a proposed provision that will allow for the ability to make a waiver request for EAS encoders, decoders and software which are constructed for use by a broadcaster but are not offered for sale on an individual case basis. This provision has a remote chance of allowing for the use of some “open source” solutions and the construction of the supporting equipment by the broadcaster themselves. The software and assembled hardware solutions cannot be sold.
The NPRM also proposes changes to Wireless Emergency Alerts (WEA), which are outside the scope of concern to broadcasters.
Comments on the NPRM portion will be due 30 days after publication in the Federal Register with reply comments due 30 days after that.
I think the better term here is "public IP" instead of "static IP". Static IP addresses are mostly used so that you can find your equipment where you left if on the network. Public IP's are your front door to your private network. You never want to have ANYTHING directly on the public internet other than a router. Many devices also have the ability to change the ports they are using so if you do have to do "port forwarding" on your public IP address, you can use a non-standard port that is a little harder to find. For example. The web port for many devices is 80. You can change it to be something odd like 92 or 43563. You have about 65535 options so pick from. It's not perfect security but it is another layer of security through obscurity.