Cyber attacks targeting the EAS equipment of radio and television broadcasters are not commonplace but have happened, and now the FCC is taking steps to prevent what could be chaos if such a hack were to happen on a broad scale.
At their monthly meeting on Thursday, FCC commissioners gave the go-ahead for a Notice of Proposed Rulemaking (NPRM) that seeks comment on a variety of ways to secure EAS equipment from cyber attacks and improve the operational readiness of EAS systems.
More will be required of broadcasters and cable operators to remain compliant in EAS matters, including mandatory reporting of cyber threats to their EAS equipment within 72 hours and filing a cybersecurity risk management plan with the FCC for their EAS system, if the new rules are formally adopted. The commission also wants to ensure broadcasters have downloaded the most recent security patches for their EAS gear.
The commission — which in its press release announcing the NPRM points out that October is Cybersecurity Awareness Month — also addressed the security of Wireless Emergency Alerts (WEA) and ways to hold wireless providers accountable to ensure only valid alerts are displayed on consumer devices.
FCC Chairwoman Jessica Rosenworcel said of the proposal: “This effort will help ensure the function of these essential systems in emergencies and that the public can trust the warnings they receive.
“This is important because the Department of Homeland Security recently determined that some of this alerting infrastructure is susceptible to serious security vulnerabilities. While some patches have been released to fix these flaws, not everyone has installed them. We are committed to fixing that here and now.”
The vulnerability of EAS equipment connected to the internet is well documented, the FCC says, specifically noting how several cases of hacking resulted in false alerts from radio and television broadcasters in recent years.
The proposal will seek comment on the operational readiness of EAS systems, specifically on whether the current policy, which allows broadcasters and cable providers to continue operations for a period of 60 days despite having defective EAS equipment, is a good idea.
Among the FCC’s questions: “For example, instead of requiring repairs within 60 days, would it serve the public interest to require EAS participants to conduct repairs promptly and with reasonable diligence? Are all EAS participants already doing so? If so, what are the reasons why some EAS participants are not able to conduct repairs promptly and diligently? What factors should we consider when determining whether repairs are made promptly and with reasonable diligence? What barriers prevent equipment from being repaired promptly and what steps can we take to remove those barriers?”
The FCC will also ask about the economic impact of its proposal upon participants, as well as alternatives for small entities following the review of comments filed in response to the NPRM, including costs and benefits analyses.
In a statement on Thursday, FCC Commissioner Geoffrey Starks asked to include an edit to the original EAS security proposal that circulated prior to the October meeting.
“As part of our proposal to require EAS Participants to adopt cybersecurity risk management plans, we will now seek comment on whether we should require the plans to be structured to follow the NIST Risk Management Framework or the NIST [National Institute of Standards and Technology] Cybersecurity Framework.
“The importance to the safety of life and property regarding EAS alerts cautions that allowing a cybersecurity risk management plan that doesn’t meet the structure of the NIST gold standards is likely to be ineffective,” Starks said.
The NPRM (FCC 22-82) would amend Part 11 of the commission’s rules regarding EAS. A comment period will commence 30 days after the date of publication in the Federal Register.