REC tells FCC that EAS cybersecurity plan is overkill for Small Stations, calls on EAS manufacturers to step up to address security concerns

REC Networks has filed comments with the FCC in PS Docket 22-329, a proceeding related to Emergency Alert System (EAS) readiness and cyber security.

In comments, REC expressed serious concerns over an FCC proposal that would require all broadcast entities from iHeart, Sinclair and Nexstar to small stations including LPFM licensees, noncommercial educational stations with limited revenues, minority-owned, "mom and pop" and individual owner commercial stations to develop, maintain and update a complex cyber security risk management plan, similar to those used by federal government agencies and large corporations with enterprise computing operations.  

These demands from the FCC come on the heels of a small number of incidents that occured over the past decade where the passwords of EAS decoders/encoders were compromised in cases where the EAS was directly exposed to the internet for incoming connections. 

In comments, REC stated that "Small Stations" do not have separate information technology departments, help desks or chief information officers.  They are small operations, many with primarily volunteers and to provide a complex cybersecurity plan similar to those used by federal agencies would be extensively burdensome and would take resources away from a noncommercial station's primary mission of achieving their educational objectives and informing the public.  

REC proposed for smaller FM stations (LPFM, Class D and Class A), smaller AM stations (Class C and Class D stations operating 1 kW or less) and for smaller LPTV stations (those with a noise limited contour of 28.3 km or less) that do not play a support role in EAS (such as being a local primary station), that these stations not be required to prepare an extensive cyber security plan but instead, adopt a simplified "Code of Good Network Operating Practices" which addresses some common-sense methods of assuring that an EAS, especially one that is exposed to the internet for incoming connections is properly protected from unauthorized use.  This Code of Good Network Operating Practices have also been published by REC in REC LPFM Advisory Letter No. 17. 

REC calls upon the EAS equipment manufacturers, such as Digital Alert Systems/Monroe Electronics, Sage Alerting Systems, Viavi (Trilithic) and Gorman Redlich to enact additional security methods, such as two factor authentication in their EAS decoders/encoders as well as other methods including pre-setting random passwords for new units at the factory or placing the login screen in a manner that requires the additional entry of a few random characters in the uniform resource locator (URL) that is used to access the equipment.  REC states that EAS equipment manufacturers also own this issue and demands that manufacturers make these security patches in EAS equipment at no charge to at least small stations.

REC also opposed any changes at this time to current policy related to EAS outages from the current policy where the FCC field office is contacted if the EAS is expected to be out of service for more than 60 days.  REC states that issues with EAS are not always equipment but also receive antennas.  REC also cites the issues with the current State Emergency Communications Coordinator structure and the struggles that some rural stations have in receiving their monitoring assignments outlined in their state plans.  REC states that if reporting at less than 60 days is necessary, it should be done in a system that broadcasters are familiar with, such as LMS and not in systems unfamiliar to broadcasters, such as NORS, which is normally used for telephone service outage reporting. 

Reply comments in PS Docket 22-329 are due by January 23, 2023.