In our summary of this week’s regulatory actions of importance to broadcasters, we noted that the FCC sent an email to broadcasters last week warning them of a cybersecurity flaw in the DASDEC EAS encoder/decoder device sold by Digital Alert Systems (formerly Monroe Electronics), using software prior to version 4.1. The email states that the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory expressing concern that there is a vulnerability in the code used by the system that can be used by remote attackers. The CISA advisory provides the technical details of the vulnerability.
The fear is that this security flaw can allow bad actors to access not only to the EAS system but, if that system is connected to other station computer networks, to other station information and systems as well. Securing the EAS system has been a priority of the FCC, with a pending rulemaking proposal (about which we wrote here) that would require stations to adopt cybersecurity plans to secure these systems and report yearly to the FCC about those plans (and report breaches when the station learns of such breaches or when they should have learned about the breach). The FCC already requires that false EAS alerts be reported to the FCC within 24 hours (see our article here) – but the new proposal would require FCC notice even if no false alert occurred. With the FCC contemplating the imposition of these obligations on broadcasters, and (of paramount priority) the risks that station operations can be compromised by any cyberbreach, stations need to be extra-vigilant in their cybersecurity considerations. Thus, any stations that use the identified encoder/decoder must be sure that they have taken the proper actions to secure their stations.
The FCC’s e-mail, and the CISA advisory, recommends that stations using this equipment make sure that they have downloaded the latest updates containing a patch to address the vulnerability. Stations should also adopt good “cyber hygiene,” including updating passwords, using firewalls, and isolating equipment that may be subject to attack. In an August 5 Public Notice on that subject (about which we wrote here), the FCC set out many steps that broadcasters should take to secure their systems and linked to a FEMA advisory that set out security steps for broadcasters. Read all these advisories, get specialists to help secure your networks, and make sure that your systems are safe from the cyber-vulnerabilities that exist in today’s connected broadcast station.