Industry panel outlines layered cyber defenses for broadcasters
Weekly insights on the technology, production and business decisions shaping media and broadcast. Free to access. Independent coverage. Unsubscribe anytime.
Building a cybersecurity program in a broadcast operation starts with leadership buy-in and a working understanding of which systems matter most, panelists said during a session at the FCC’s cybersecurity workshop for broadcasters.
The panel, moderated by Drew Morin, deputy chief of the Cybersecurity and Communications Reliability Division at the FCC, brought together broadcast engineering, corporate security, federal law enforcement and nonprofit cybersecurity perspectives.
Panelists included Roswell (Roz) Clark, executive director of radio engineering at Cox Media Group; Daniel Parsons, chief information security officer at E.W. Scripps Company; Brian Kaiser, lead for the FBI Cyber Division’s Critical Sector Engagement and Intelligence Unit; and Valecia Stocchetti, senior cybersecurity engineer at the Center for Internet Security.
Start with the people, not the tools
A cyber risk management strategy works only when the people who run the business are involved, Clark said. He said broadcast engineering needs to be embedded in the planning alongside IT and security functions, and that the work needs to be exercised regularly.
“What you don’t want to do is have anyone feel like this is handled by one entity or the other. Everyone has skin in the game,” Clark said.
Cox Media Group performs annual exercises of its business continuity plans, which now place increasing emphasis on cyber scenarios, he said.
“People process technology is constantly changing. And so if you don’t rehearse it, you won’t know what has changed, what people don’t know or what they do know,” Clark said.
Parsons said the goal in early planning is to scope the environment without trying to fix everything at once.
“If you try to kind of build a holistic approach right out of the gate, people are going to get a little bit burned out. And you’re going to probably end up fixing things that are easier, but not the most important,” Parsons said.
Identifying what matters
Asset inventory was a consistent theme across the panel. Stocchetti said the two questions worth asking about any asset are whether it stores sensitive data and whether it provides a critical function or service.
For smaller broadcasters, a spreadsheet is an acceptable place to begin, she said.
“You don’t need an expensive, fancy CMDB to start with. You have to start somewhere,” Stocchetti said.
Kaiser pointed to a framework developed at Idaho National Laboratory called Consequence Driven Cyber-Informed Engineering, which begins from the attacker’s perspective by asking what an adversary would need to compromise to stop a station from broadcasting.
Clark said Cox Media Group uses a visual approach, mapping systems and the minimum communication each requires to function. The diagrams help engineers think through what could be isolated in a compromise without taking the station off the air.
Segmentation and the basics
Several panelists returned to network segmentation as foundational. Clark described it as both an access control problem and a monitoring problem.
“It’s not just access control lists. You really need to have a firewall type of rule set that you can get down to,” Clark said.
Parsons said segmentation can take several forms beyond firewall rules, including domain trusts, least-privilege account design and zero-trust architectures, though full zero-trust implementations remain difficult to achieve. He also recommended that broadcasters consider deception techniques such as honeypot accounts and decoy folders that signal an active intrusion if touched.
Stocchetti pointed to examples in which attackers gravitated to clearly named targets, including a retail breach in which self-checkout kiosks were labeled as such on the network and were among the first systems attacked.
On basic controls, Stocchetti urged broadcasters to start with what CIS calls implementation group one, or essential cyber hygiene: patching, backups, changes to default credentials and multi-factor authentication.
“Anything you can do more than just a password is incredibly helpful,” Stocchetti said.
Clark agreed that MFA, network segmentation, endpoint protection and employee training are achievable starting points for most stations.
Patching and resiliency
Parsons said vulnerability management practices are changing under pressure from AI-accelerated attacks. Scripps has added a category it calls urgent vulnerabilities, covering external-facing systems with known exploitation in the wild, with a service-level target of patching within 12 to 24 hours.
The broader challenge is treating cyber response with the same operational discipline that broadcasters apply to power failures, hardware failures and weather events, he said.
“Cyber has to be a part of that kind of expected resiliency moving forward,” Parsons said.
Clark said third-party software running on station computers is as much a source of vulnerability as the operating system itself, and that automated scanning is necessary at any scale.
Supply chain and vendor questions
Kaiser said many investigated incidents trace back to third parties rather than direct attacks on the victim organization.
“You can do as much as you want for your systems, but if you can’t control everything in that, it’s kind of a moot point,” Kaiser said.
He pointed to CISA’s Secure by Design guidance as a baseline broadcasters can use when evaluating vendors. Clark said Cox Media Group has begun asking vendors questions about firmware update practices and ongoing vulnerability monitoring that were not part of past procurement conversations.
Parsons said attackers are shifting attention from individual targets to suppliers with broader customer access, making vendor security posture a direct concern for stations.
Plans, decisions and accountability
Panelists returned repeatedly to the value of having an incident response plan that names decision-makers before an event occurs.
“When you get to a situation where things are on fire, you don’t want to look around for someone to make a decision,” Parsons said.
Stocchetti said policies should align with business objectives and define accountability rather than serve as compliance documents. Clark added that small broadcasters benefit from a written policy in part because it supports insurance underwriting, and recommended pairing a detailed policy with a quick-start document for use during an incident.
Backup testing was another recurring point.
“If you don’t test your backups, if you don’t know how it works, you do not want to find that out during a recovery of some sort,” Clark said.
Resources for stations of any size
The panel closed with suggestions for stations looking for outside support.
Kaiser recommended building a relationship with the local FBI field office before an incident occurs, and pointed to Operation Winter Shield, an FBI Cyber Division initiative that published recommended protections based on investigated incidents. Clark pointed to the Society of Broadcast Engineers’ webinar archive on cybersecurity topics.
Parsons suggested industry peer groups and media-focused information sharing and analysis centers. Stocchetti said the Center for Internet Security publishes free policy templates, and noted that some broadcasters affiliated with tribes may be eligible for the Multi-State Information Sharing and Analysis Center.






tags
Cybersecurity for Broadcasters, FCC
categories
Broadcast Engineering, Featured