FCC Urges Stations, Cable Ops to Shore Up Emergency Alert Defenses

In the wake of a hacking hoax in which stations' emergency alert systems
were hijacked for a zombie warning, the FCC Tuesday issued an urgent alert to
stations and cable operators to update their EAS equipment, including resetting
their passwords and making sure the systems' defenses are in order.

That is according to a copy of the alert obtained by B&C.

"All EAS participants are required to take immediate
action to secure their CAP EAS equipment, including resetting passwords, and
ensuring CAP [Common Alerting Protocol] EAS equipment is secured behind
properly configured firewalls and other defensive measures," the FCC said.
"All CAP EAS equipment manufacturer models are included in this
advisory."

The FCC said all EAS participants need to change passwords
from their default settings.

The FCC alert came the same day the president signed an
executive order mandating a framework for better protections of critical
systems from cyber-attacks.

FEMA, which adopted the standard for the Common Alerting
Protocol (CAP)-formatted emergency messages -- which the industry was required
to migrate to -- said Tuesday that the issue was at the station and system
level and that its "integrated public alert and warning system" had
not been breached or compromised at its end.

Ed Czarnecki, senior director of strategy and regulatory
affairs at Monroe Electronics, which manufactures EAS systems, had told B&C
Tuesday that the hacking highlighted the need for improved IT security, and
the FCC clearly agreed.

The FCC said media outlets needed to take the following
steps immediately:

  1. EAS Participants must change all passwords on their CAP EAS
    equipment from default factory settings, including administrator and user
    accounts.
  2. "EAS Participants are also urged to ensure that their firewalls and other
    solutions are properly configured and up-to-date.
  3. "EAS Participants are further advised to examine their CAP EAS equipment
    to ensure that no unauthorized alerts or messages have been set (queued) for
    future transmission.
  4. "If you are unable to reset the default passwords on your equipment, you
    may consider disconnecting your device's Ethernet connection until those
    settings have been updated.
  5. "EAS Participants that have questions about securing their equipment
    should consult their equipment manufacturer."