SBE EAS Advisory Group; Larry Wilkins, CPBE, chair
I hope everyone is staying safe and abiding by the guidance concerning COVID-19. With that in mind, most broadcast operations are now being handled off-site, which could create security problems. Hackers know this and can take advantage of these opportunities.
Login and Password
It stands to reason that engineers should review the station security features including firewalls, passwords and any access to the open internet by station equipment. One area of concern is the EAS equipment, including any RBDS encoders. Creating secure login information is vital to blocking hackers from getting to the system. While I visit stations as part of the ABIP program, I still find some that are still using the default password that came with the unit. It is not difficult to create secure passwords and change them regularly.
Thankfully, most EAS devices force you to change your password when you first configure your device. Some EAS devices also periodically remind you to change your passwords. When you first install your EAS device, you need to change that default password. If you haven’t done this since you first installed your device, take this as a reminder to go change it as soon as possible. If your device didn’t prompt you to change your password, that is also probably a clue that you are running old software on the EAS device that needs to be updated.
Other reasons to change your EAS device passwords:
1. When you have changes in personnel. Even when changes in status happen on friendly terms, it is a wise idea to “change the locks” on key station equipment – including EAS equipment – when staff or contractors quit, retire or are terminated.
2. After a security incident, such as evidence of unauthorized access to EAS device (even internally).
3. You suspect someone who should not have access might know the password.
4. You somehow logged into the EAS device from outside your station, or from a shared or public computer. First, you should not access your EAS equipment from outside the station, unless you are using a secure link (such as a virtual private network). Fix that right away. Then change your passwords.
5. It’s been a year or more since you last changed the password.
Although it is tempting to place the EAS equipment on an outside static IP address, this gives an open door to those wishing to do harm. If you don’t have an IT staff or someone who understands IT systems, you might ask, “How can I check to see if my EAS device is directly accessible from the Internet?”
1. The easiest way to see if your EAS device might be directly connected to the Internet is this check: Are you accessing the device from a remote location – from home, or an off-campus hotspot, from your smart phone, etc. If you are, and it always “just works,” then your device is on the internet, and you might not have a firewall. A firewall usually requires you to access the device from a known IP address, or to connect through a VPN or other access limiting system. If you’ve never heard of these, and haven’t spent any time setting it up, you need to investigate if you have a firewall.
2. Check the IP address of your EAS device. This will be the address you use to check your logs. Some EAS devices will display their IP address on their front panel – check with your manufacturer.
Some IP addresses are non-routable, and some are routable. If you have a non-routable address, then you are not directly connected to the internet – but you might still have a problem. Sometimes your network will have a device that is redirecting connections from an external routable address to your non-routable internal address. Such a device will often also have firewall capabilities. The non-routable addresses will always look like one of these: 10.xxx.xxx.xxx, 172.16.xxx.xxx through 172.31.xxx.xxx, and 192.168.xxx.xxx. If you have anything other than these, then you are probably directly connected to the Internet. You NEED A FIREWALL. Find out of you have one.
The firewall will permit only certain IP addresses that you select from getting from the outside internet directly to your EAS device. You usually need to limit such access to just the HTTPS port (443). SSL will add additional protection against outsiders gaining information by watching the flow of data between you and your EAS device. Even if you are going to permit remote access to your EAS device, only give access to just the ports you need; not all the ports, because an IP address can be spoofed.
For the best protection for your EAS device, a firewall should reject any incoming connection to your EAS device it receives from the Internet. If you must permit remote access, the best choice is to only permit a connection to the HTTPS port (443). Some EAS devices will use different ports for different things, and you might want to allow access on these ports, but start with a locked down system, and know what you are doing when opening any other ports.
As with all computer devices that connect to a network, keeping the firmware and software updated is important. EAS device software updates contain modifications to meet FCC rule changes, they also contain critical security patches, functional updates and bug patches.
1. FCC compliance updates. The FCC has modified its rules several times over the past few years, changing the way alert time is handed for national alerts, adding EAS event codes, modifying FIPS names, and other rules. If you are not updating your software, you run the risk of not being compliant with current FCC rules.
2. Security patches. Security patches address vulnerabilities that bad guys might use to gain unauthorized access to your EAS equipment. And, let’s face it, anything connected to the Internet – even behind a firewall – should be treated as vulnerable. It is very wise practice to keep current with these security updates.
3. Bug patches and functional updates. From time to time, EAS manufacturers find a flaw or a bug in their software and issue a software update to address it. They also release helpful improvements and new features.
Should you have questions about the EAS equipment configuration, contact the manufacturer directly. Should you have questions regarding your firewall or network configuration, you may want to consult with an IT consultant or the manufacturer of that equipment.