REC LPFM Advisory Letter #17: Practice of Good Network Security for EAS and other station asssets.

Created December 22, 2022

The FCC is currently considering rule changes that would require all EAS participants from iHeart to LPFM stations to have a detailed Cyber-Security Risk Management Plan framework for their station.  For big corporations and government agencies, these types of plans can be dozens of pages long.  REC is currently fighting imposing such a massive requirement on LPFM and other smaller broadcast stations.  Instead, we are calling on the EAS industry to fix their equipment at their own expense by providing additional security features such as two factor authentication and to only require LPFM and smaller stations to utilize a pre-defined simplistic standard of good network security in lieu of creating, maintaining and updating a complex enterprise-based framework plan that is more suited for institutional users such as universities, iHeart, Verizon and Comcast.  

Following a Practice of Good Network Security assures that the assets of an LPFM or other Small Station are properly protected from cyber-attacks and other illicit activity, especially where it comes to the protection of the Emergency Alert System (EAS) decoder/encoder, which if compromised, can result in the initiation of a false alert that can create local panic, alert fatigue and require the station to initiate FCC processes in order to report the false alert.

In addition to making sure that you are running a current version of the EAS software/firmware, REC makes the following recommendations to assure that a station's EAS decoder is best secured on their network to prevent false alerts:

Never use static IP addresses.  A static IP address is an IP address that is specific to the device (such as the EAS decoder).  Static IP addresses are assigned by the internet service provider (ISP) and are normally used only in institutional environments (such as universities or large corporations) or as a feature of a business grade internet service plan.  Even an EAS on a static IP address using a port number other than the standard port numbers 80 and 443 are exposed and are vulnerable.  If a static IP must be used, consider the installation of a router and placing both the EAS and a regular PC on that router.  Have the router set to port forward to the regular PC and have that regular PC running some kind of remote desktop software (VNC can be used but is not as secure as other solutions that may be available).  The user would log into the remote desktop (using a password) and then once there, they can use a web browser to access the EAS decoder's logon screen. 

Avoid using port forwarding directly to an EAS decoder.  Most Small Stations that use regular home or small business class internet service from their ISP will normally use a dynamic IP address.  This IP address is assigned by the ISP from a pool of IP addresses and depending on the provider, can change at any time.  Users from outside would access the router through either the dynamic IP address assigned by the ISP or using a dynamic DNS service which monitors the station's IP address and permits access through using a fully qualified domain name (FQDN).  Using port forwarding in the router, the station can set up a routing based on a "port number" used after the dynamic IP or FQDN to route to the EAS decoder. Even though this method may not make the EAS decoder easily accessed, the EAS decoder remains visible using the specific port number assigned in the router.  Instead of setting up port forwarding directly to an EAS decoder, have the router set to port forward to the regular PC and have that regular PC running some kind of remote desktop software (VNC can be used but is not as secure as other solutions that may be available).  The user would log into the remote desktop (using a password) and then once there, they can use a web browser to access the EAS decoder's logon screen. 

Limit who can access the EAS decoder (DASDEC).  An administrator level password should only be provided to those who have a direct business need to make configuration changes to their EAS decoder.  The DASDEC does provide the ability to add additional user accounts at varying levels of access based on the user's specific business need, including a "view only" level, which cannot originate alerts.  The "view only" level can be given to station staff that may need access to view past alerts or to get EAS log information, especially in the case of an inspection. 

Limit who can access the EAS decoder (Sage).  The Sage has a user level password and an administrator level password.  The user level password permits the origination of alerts so it is recommended that only those who have a true business need to configure or operate the EAS decoder should have access to this password.  Unlike the DASDEC, there is no "view only" level of access in the Sage.

Use third party sources for newsgathering and to elaborate on previous alerts.  If the station receives and forwards an EAS alert on the air and the local air talent wishes to talk more about it on the air, instead of accessing the EAS, they should use a third party source.  REC clients with a minimum spend have access to such a screen through our myLPFM portal that permits air talent to visit a web page without a password requirement to show details of unexpired EAS alerts as well as other National Weather Service bulletins that did not trigger an EAS alert.  Unexpired alert (EAS and non-EAS) details are also available at recnet.com/cap.

Periodically change passwords (Sage).  While this is not as much of an issue with the DASDEC, which can provide access at a specific user level which does not have to be shared between multiple people, this is a major vulnerability for the Sage as it only has a single user and administrative password that must be shared among all users who have a need to know.  Periodic changing of this password at either certain intervals or when someone leaves the station is very prudent to assuring the EAS remains secure. 

Disable the front panel demo alerting function (DASDEC).  The DASDEC offers a method where a demonstration alert can be sent over the air by the pushing of a front panel button.  This functionality can be disabled in the web interface using an administrator level password.  While the demo alert function is good for off-air testing of the equipment, it should not be used.  Even if the front panel function is disabled, these demo alerts can still be initiated by a higher user level from the web interface.

Immediately change default passwords.  EAS units are shipped with default passwords and sometimes systems may revert to default passwords for factory resets and software/firmware updates.  Make sure that as soon as unit is installed or otherwise has the password changed back to the defaults, they are immediately changed back to discrete passwords in order to prevent malicious access.  Also, if your station uses Barix boxes or other equipment that connects directly to the internet, make sure that you change those default passwords before putting the equipment into production service to prevent unauthorized access and program hijacking.

Keeping passwords secure.  Passwords (especially for the Sage) should not be posted in conspicuous places.  They should be kept written in a secure location that is not easily seen by any visitor or any other unauthorized person.  While we all know that keeping a house key under the doormat is not very secure, hanging the key on the front door is asking for trouble.  Same thing here. 

Place the EAS in the studio site instead of at a remote transmitter site. Placing the EAS at a remote transmitter site requires there to be an internet connection established in order to maintain the EAS if the person is not physically at the transmitter site.  Because of limited rack space at some transmitter site installations, there may be no provision to place a computer at the transmitter site to access a remote desktop to access the EAS (plus the presence the equipment at a shared site may pose some additional risks).  It is always best to have the EAS in the audio chain on the studio side before the program audio leaves the main studio location.  If a DASDEC must be installed at the transmitter site, make sure the front panel demo alert mode is disabled.

Use two factor authentication methods if they are ever offered.  Two factor authentication is an additional level of security where if someone does enter the password for the EAS decoder, the system would send an email to the authorized user with a confirmation code that must be entered. Currently, neither the DASDEC nor the Sage provide two factor authentication, but this is something that REC is pushing for as a potential solution to protect EAS decoders from false alerts due to cyber-attacks.  If these features are ever offered, we strongly suggest their use.

Use your EAS decoder's email functionality. Both the DASDEC and the Sage have the capability to email reports to one of more specific email addresses.  Both the DASDEC and Sage can send alert logs, alert notifications and errors.  We strongly recommend that in lieu of accessing the EAS decoder to get log information that the email logs sent by the EAS decoder are printed and retained as part of the station's log.  That way they can be easily reviewed by FCC staff in the event of an inspection or investigation without having to wait for a specific staff member who knows the EAS password.

Practice good common sense network security at the station.  Assure that station assets are only used for station business and that computers are only equipped with the applications necessary to run the station.  Develop policies to make clear that staff or volunteers should not use station computers to access their own emails and download attachments and to use due diligence when receiving an email with an attached file from an unknown external source.  This basic security can prevent stations from experiencing malware, spyware, ransomware and other major security risks. 

The station is your castle, make sure you are protecting it as much as possible.

Receiving REC Advisory Letters by RSS

If you are using newsreader software or certain e-mail clients such as Mozilla Thunderbird, you can set it up to receive these bulletins as an RSS news feed.  The feed URL is: https://recnet.com/taxonomy/term/76/feed