ATSC 3.0's ‘Foundational’ Security ‘Very Sound,’ Says Noland

Noland is “really proud” that 3.0 security “was built in and considered from the very beginning,” she said. The A/360 document in the suite of 3.0 standards on security and service protection was approved two years ago and was last updated in February. A third A/360 amendment on updated system encryption is in the candidate standard process that runs through Dec. 31. Though 3.0 is a voluntary standard, “all the protocols in A/360 are required” of broadcasters that deploy 3.0 services, said Noland.

ATSC 3.0 is “continually evolving” to be sure that “what we’re using is up to date, and it’s safe,” said Noland. “When you think about ransomware attacks, you think about executable code infiltrating another device.” The 3.0 standards say “all the executable code shall be signed” cryptographically with a specified “key structure,” she said. “The receiver is able to look at that signature and determine whether or not the executable came from a bona fide source.”

As an additional 3.0 safeguard, “all the signaling structures” for audio and video, emergency alerting and other service features “must be signed” by the broadcaster, she said. “It would be very difficult for a man-in-the-middle attack to come in and sort of take over,” she said.

ATSC believes the Transport Layer Security (TLS) protocols that are built into A/360 “are the current state of the art,” said Noland. “TLS 1.2 and 1.3 are the best of the best of the best right now.” The chain-of-trust “certificate system” in A/360 “is also sound and state of the art,” she said.

When any future TLS update comes out, “we will study that and work on it, but right now, the foundational technologies that we’re using are very sound,” said Noland. Though stressing she didn’t want to come off as “overconfident” in assessing whether recent ransomware hacks can strike too close to home, Noland said: “We don’t feel our system would have been vulnerable to those types of attacks, given the way we’ve structured it.”

ATSC has multiple “mechanisms in place” for updating 3.0's security safeguards, if warranted, said Noland. “We’re a contributions-based organization, and we look to our members to bring these things to our attention when we feel it’s something that requires discussion.” ATSC’s S36 specialist group on 3.0 security, chaired by Sony Director-Technical Standards Adam Goldberg, “meets on a regular basis, and they always have their ear to the rail,” staying “abreast of what’s happening” in the market to decide whether “a new project should be proposed or not,” she said. “It’s a very active group.”

The broadcast industry “is in a new world, so to speak,” as it transitions more toward internet-protocol-based “workflows,” said Noland. “These are security challenges that many of our members face. I know they’re all taking it very seriously, and they’re working very hard to make sure they are doing everything they need to do in order to keep their internal plants safe.”

Though fending off ransomware attacks and other cyberthreats is an obvious “challenge” for broadcasters, Noland hopes 3.0 transmissions “are not one of the biggest challenges that they have in the security area,” she told us. “My hope, that's one area they can feel confident about.”

COVID-19 and its Delta variant is “obviously a fluid situation, and we have to react as we can” in planning the ATSC annual members meeting Aug. 25 and the NextGen Broadcast Conference a day later. Both are planned as in-person events at the Reagan Building in Washington, with a livestream component for those not making the trip. “My feeling right now is that the show will go on as planned,” Noland said.

ATSC will follow all health and safety protocols, existing and new, for the in-person events, said Noland. If authorities in Washington “say you cannot have gatherings, well of course, we’ll go 100% virtual if we need to, but my hope is that we’re going to be able to do this” as a physical conference, she said. “My hope is that it won’t get much worse than it is.” The “bottom line,” she said, is “we need to be flexible and fluid ... and make sure that what we present and produce is going to be safe for all our conference-goers.” D.C. Mayor Muriel Bowser (D) reinstated a mask mandate for indoor gatherings, effective last weekend, regardless of vaccination status.

Of those who already registered for the Aug. 25-26 program, ATSC is averaging about one livestream registrant for every four planning to attend in person, said Director-Communications Amy Lodes. “We were planning for 100 people to attend in person, and I think we’re going to get there very easily,” she said. “We are seeing very robust activity on conference attendance.”