Security Issues Concerning Operation of EAS Equipment

SBE EAS Advisory Group; Larry Wilkins, CPBE, chair

I hope everyone is staying safe and abiding by the guidance concerning COVID-19. With that in mind, most broadcast operations are now being handled off-site, which could create security problems. Hackers know this and can take advantage of these opportunities.

Login and Password
It stands to reason that engineers should review the station security features including firewalls, passwords and any access to the open internet by station equipment. One area of concern is the EAS equipment, including any RBDS encoders. Creating secure login information is vital to blocking hackers from getting to the system. While I visit stations as part of the ABIP program, I still find some that are still using the default password that came with the unit. It is not difficult to create secure passwords and change them regularly.

Thankfully, most EAS devices force you to change your password when you first configure your device. Some EAS devices also periodically remind you to change your passwords. When you first install your EAS device, you need to change that default password. If you haven’t done this since you first installed your device, take this as a reminder to go change it as soon as possible. If your device didn’t prompt you to change your password, that is also probably a clue that you are running old software on the EAS device that needs to be updated.

Other reasons to change your EAS device passwords:

1. When you have changes in personnel. Even when changes in status happen on friendly terms, it is a wise idea to “change the locks” on key station equipment – including EAS equipment – when staff or contractors quit, retire or are terminated.

2. After a security incident, such as evidence of unauthorized access to an EAS device (even internally).

3. You suspect someone who should not have access might know the password.

4. You somehow logged into the EAS device from outside your station, or from a shared or public computer. First, you should not access your EAS equipment from outside the station, unless you are using a secure link (such as a virtual private network). Fix that right away. Then change your passwords.

5. It’s been a year or more since you last changed the password.

Network Connections
Although it is tempting to place the EAS equipment on an outside static IP address, this gives an open door to those wishing to do harm. If you don’t have an IT staff or someone who understands IT systems, you might ask, “How can I check to see if my EAS device is directly accessible from the Internet?”

1. The easiest way to see if your EAS device might be directly connected to the Internet is this check: Are you accessing the device from a remote location – from home, from an off-campus hotspot, from your smart phone, etc.? If you are, and it always “just works,” then your device is on the internet, and you might not have a firewall. A firewall usually requires you to access the device from a known IP address, or to connect through a VPN or other access-limiting system. If you’ve never heard of these, and haven’t spent any time setting one up, you need to investigate whether you have a firewall.

2. Check the IP address of your EAS device. This will be the address you use to check your logs. Some EAS devices will display their IP address on their front panel – check with your manufacturer.

Some IP addresses are non-routable, and some are routable. If you have a non-routable address, then you are not directly connected to the internet – but you might still have a problem. Sometimes your network will have a device that is redirecting connections from an external routable address to your non-routable internal address. Such a device will often also have firewall capabilities. The non-routable addresses will always look like one of these: 10.xxx.xxx.xxx, 172.16.xxx.xxx through 172.31.xxx.xxx, and 192.168.xxx.xxx. If you have anything other than these, then you are probably directly connected to the Internet. You NEED A FIREWALL. Find out if you have one.

The firewall will permit only the IP addresses you select to reach your EAS device directly from the outside internet. You usually need to limit such access to just the HTTPS port (443). SSL adds protection against outsiders gaining information by watching the flow of data between you and your EAS device. Even if you are going to permit remote access to your EAS device, give access to only the ports you need, not all the ports, because an IP address can be spoofed.

For the best protection for your EAS device, a firewall should reject any incoming connection to your EAS device it receives from the Internet. If you must permit remote access, the best choice is to only permit a connection to the HTTPS port (443). Some EAS devices will use different ports for different things, and you might want to allow access on these ports, but start with a locked down system, and know what you are doing when opening any other ports.
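The address check and the firewall guidance above can be combined into one small audit. This is an added example, not part of the original advisory: the rule format (`action`, `source`, `port`), the function names and the sample addresses are assumptions made for illustration and do not correspond to any particular firewall product.

```python
import ipaddress

# The three non-routable ranges named in the text.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
HTTPS_PORT = 443


def is_non_routable(addr):
    """True if addr falls in 10.x, 172.16-172.31.x or 192.168.x."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def review(device_addr, default_policy, rules):
    """Return findings for an EAS device address and its inbound firewall rules.

    rules: list of dicts in a hypothetical format, e.g.
           {"action": "allow", "source": "203.0.113.10/32", "port": 443}
    """
    findings = []
    if not is_non_routable(device_addr):
        findings.append(f"{device_addr} is a routable address")
    if default_policy != "reject":
        findings.append("default inbound policy is not reject")
    for number, rule in enumerate(rules, 1):
        if rule["action"] != "allow":
            continue
        if ipaddress.ip_network(rule["source"]).prefixlen == 0:
            findings.append(f"rule {number}: any source address may connect")
        if rule["port"] != HTTPS_PORT:
            findings.append(f"rule {number}: port {rule['port']} is open, not just 443")
    return findings


# Constructed sample configurations (documentation address ranges).
LOCKED_DOWN = ("192.168.10.20", "reject",
               [{"action": "allow", "source": "203.0.113.10/32", "port": 443}])
WIDE_OPEN = ("198.51.100.25", "allow",
             [{"action": "allow", "source": "0.0.0.0/0", "port": 80}])

if __name__ == "__main__":
    for name, config in (("locked down", LOCKED_DOWN), ("wide open", WIDE_OPEN)):
        print(name, review(*config) or "no findings")
```

An empty result only means the rules match the guidance above; a non-routable address can still be exposed by a device that forwards connections to it, so the forwarding rules themselves need the same review.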

Software Updates
As with all computer devices that connect to a network, keeping the firmware and software updated is important. EAS device software updates contain modifications to meet FCC rule changes. They also contain critical security patches, functional updates and bug patches.

1. FCC compliance updates. The FCC has modified its rules several times over the past few years, changing the way alert time is handled for national alerts, adding EAS event codes, modifying FIPS names, and other rules. If you are not updating your software, you run the risk of not being compliant with current FCC rules.

2. Security patches. Security patches address vulnerabilities that bad guys might use to gain unauthorized access to your EAS equipment. And, let’s face it, anything connected to the Internet – even behind a firewall – should be treated as vulnerable. It is very wise practice to keep current with these security updates.

3. Bug patches and functional updates. From time to time, EAS manufacturers find a flaw or a bug in their software and issue a software update to address it. They also release helpful improvements and new features.

Should you have questions about the EAS equipment configuration, contact the manufacturer directly. Should you have questions regarding your firewall or network configuration, you may want to consult with an IT consultant or the manufacturer of that equipment.

Instructions to Download and Install Updated Security Firmware to EAS Units

(updated Nov. 5, 2019)

FEMA has released the new Federal Bridge certificate bundle for Sage and DASDEC users. The certificate bundle must be installed by Jan. 7, 2020, for the proper validation of CAP alert messages from IPAWS. The deadline was extended (from the original date of Nov. 8, 2019) after stations reported problems with installing the updates.

Sage Endec Users
Sage Alerting Systems will have the mandatory firmware rev 95 posted sometime on Nov. 1, 2019. To download the software, go to www.sagealertingsystems.com, and enter the serial number of your Sage unit. If you do not qualify for the free upgrade, you must first contact a Sage distributor, pay the required fee and they will unlock your serial number for the download.

Only Sage units with serial numbers from B417611 through B429999 qualify for the free upgrade. You do not have to contact your vendor if your unit serial number is in that range.

You must download the update and install it in the Sage unit before Jan. 7, 2020. If you have multiple Sage units, each download is keyed to the serial number. If you accidentally upload to the wrong Endec, nothing bad will happen, but the update will not succeed and you’ll get an “update failed” message in the history on the Version page.

Download the firmware to a PC, log onto the Endec with a web browser, then click upload firmware.

DASDEC Users

The new FEMA IPAWS Certificate for DASDEC/One-Net is now posted: www.digitalalertsystems.com/DAS_pages/resources_fsb.html. Instructions and download link for the bundle are found at that site.

This is a free certificate update, which may be used for versions 3.x and v4.x software. If you are running version 2.6 software, this certificate file should function as well.

Separately, note that FEMA’s upcoming TLS change is already supported in v3.x and v4.x software. If you are a DASDEC user, no further action is required for the TLS update. You do need to upload the certificate bundle for the new Federal Bridge Certificate by Jan. 7, 2020.

Stations: Confirm Your Station is Compliant with EAS Updates

by Larry Wilkins, CPBE, CBNT, AMD
Chair, SBE EAS Advisory Group

The FCC and FEMA are in the process of making changes in the EAS and CAP system. Most of these changes concern security issues. To aid stations in understanding these changes and what will be required to keep your EAS units compliant, the SBE has gathered the following information.

A change in FCC EAS rules (Part 11) has come into effect that makes the validation of digital signatures in CAP messages a mandatory element. The FCC amended section 11.56 “Obligation to Process CAP-formatted EAS Messages” to add the following new paragraph:
(c) EAS Participants shall configure their systems to reject all CAP-formatted EAS messages that include an invalid digital signature.

The FCC has also changed its EAS rules to refine the time window within which an alert message is valid. The change is to 11.33(a)(10) “Message Validity”, where, to the existing sentence, “A header code must only be considered valid when two of the three headers match exactly;”, the FCC added: “the Origination Date/Time field (JJJHHMM) is not more than 15 minutes in the future and the expiration time (Origination Date/Time plus Valid Time TTTT) is in the future (i.e., current time at the EAS equipment when the alert is received is between origination time minus 15 minutes and expiration time).”
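The validity rule above can be expressed as a short check against the receiver's clock. This is an added example, not code from the FCC or from any EAS manufacturer: the function names, the constructed sample header and the way the missing year is resolved are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# SAME header layout: ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-
HEADER_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})(?P<locs>(?:-\d{6}){1,31})"
    r"\+(?P<tttt>\d{4})-(?P<jjj>\d{3})(?P<hh>\d{2})(?P<mm>\d{2})-(?P<station>.{8})-$"
)
FUTURE_TOLERANCE = timedelta(minutes=15)


def pick_header(bursts):
    """Return the header text that at least two bursts agree on exactly, else None."""
    if not bursts:
        return None
    text, count = Counter(bursts).most_common(1)[0]
    return text if count >= 2 else None


def origination_time(jjj, hh, mm, now):
    """Resolve JJJHHMM (UTC, no year) to a datetime, or None if the fields are invalid.

    Assumption of this example: the year is whichever of last/this/next year
    puts the origination closest to the receiver's clock.
    """
    candidates = []
    for year in (now.year - 1, now.year, now.year + 1):
        try:
            t = datetime(year, 1, 1, hh, mm, tzinfo=timezone.utc) + timedelta(days=jjj - 1)
        except ValueError:  # hour or minute out of range
            return None
        if t.year == year:  # rejects day 000 and day 366 of a non-leap year
            candidates.append(t)
    if not candidates:
        return None
    return min(candidates, key=lambda t: abs(t - now))


def check_header(bursts, now):
    """Apply the 11.33(a)(10) checks; 'now' is the receiver's timezone-aware UTC clock."""
    header = pick_header(bursts)
    if header is None:
        return False, "no two headers match exactly"
    m = HEADER_RE.match(header)
    if m is None:
        return False, "malformed header"
    start = origination_time(int(m["jjj"]), int(m["hh"]), int(m["mm"]), now)
    if start is None:
        return False, "invalid origination date/time"
    expires = start + timedelta(hours=int(m["tttt"][:2]), minutes=int(m["tttt"][2:]))
    if start - now > FUTURE_TOLERANCE:
        return False, "origination more than 15 minutes in the future"
    if expires <= now:
        return False, "expired"
    return True, "valid"


# Constructed sample: a header shaped like the 2019 NPT (day 219, 18:20 UTC),
# with a made-up station ID and one burst damaged in transit.
NPT = "ZCZC-PEP-NPT-000000+0030-2191820-WXYZ/FM -"
SAMPLE_BURSTS = [NPT, NPT.replace("NPT", "NPX"), NPT]

if __name__ == "__main__":
    clock = datetime(2019, 8, 7, 18, 21, tzinfo=timezone.utc)
    print(check_header(SAMPLE_BURSTS, clock))
```

Because the check compares against the unit's own clock, a decoder whose time or time zone is wrong will reject valid alerts or accept stale ones.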

In a long-awaited move, FEMA is updating the IPAWS system with Transport Layer Security (TLS) protocol. TLS is a cryptographic protocol providing end-to-end communications security over networks and is widely used for Internet communications.

The Federal Bridge Certificate Authority (CA) will expire on Nov. 8, 2019. Depending on the CA used by IPAWS, it may be necessary to provide a new CA for installation in all EAS decoders.

Finally, the FCC has put into effect a new false EAS alert reporting rule. Pursuant to section 11.45(b), an EAS Participant must inform the Commission if it discovers that it has transmitted a false alert. This rule provides that: No later than 24 hours of an EAS Participant’s discovery (i.e., actual knowledge) that it has transmitted or otherwise sent a false alert to the public, the EAS Participant shall send an email to the Commission at the FCC Ops Center at FCCOPS@fcc.gov, informing the Commission of the event and of any details that the EAS Participant may have concerning the event.

FEMA has indicated the target date to update the IPAWS server to TLS is Nov. 8, 2019.

What do stations need to do to remain compliant with FCC and FEMA guidelines?

Sage Alerting Systems Endec
Sage added support for the Part 11.33 15-minute change in its 89-34 release. Sage has supported the ability to validate the digital signature since 2012; it is enabled by default.

Sage’s September 2019 release, called Rev95, will support the TLS and certificate updates. This release will be mandatory. After the FEMA switchover, scheduled for Nov. 8, 2019, older versions of the ENDEC software will not be able to receive CAP messages from IPAWS. This will render the station in violation of FCC rules concerning EAS monitoring and logging.

Sage Alerting Systems has indicated there will be a one-time charge of $349 for the September release. The release will only be sold through their distributors. This update will be provided free of charge for ENDECs purchased new after March 1, 2018, (18 months prior to September 2019). Direct questions regarding these updates to Sage at support@sagealertingsystems.com or 914-872-4069 and press 1 for support.

Gorman-Redlich
Radio stations operating with E-prom V 9.5.8 and television stations operating with E-prom V 20.9.8 will remain compliant with the changes. Contact Gorman-Redlich at 740-593-3150.

DASDEC/One-Net
Units operating with software versions 3.1 or 4.0 will remain compliant with the items listed above. If an updated CA certificate for FEMA IPAWS is necessary, Digital Alert Systems will make it available to DASDEC and One-Net users as soon as possible at no charge.

While the upcoming FEMA TLS change can be handled by either v3.1 or v4.0 software, Digital Alert Systems wanted to let customers know about some of the additional features in v4.0. The v4.0 upgrade includes a complete OS upgrade (improved operating and security), Triggered CAP Polling, Blue Alert (BLU) event code support, and greater flexibility for future value-added enhancements. V4.0 is a highly recommended upgrade.

While V4.0 is an optional upgrade, users should be aware that Digital Alert Systems has deprecated development support on v3.0. New feature requests, updates, and software revisions will only be provided within the Version 4.x series of software. Contact Digital Alert Systems at support@digitalalertsystems.com or 585-765-2254.


Information in this report was furnished with the permission of Digital Alert Systems, Sage Alerting Systems and Gorman-Redlich.

EAS 2019 National Periodic Test Final Checklist

by Larry Wilkins, CPBE, CBNT, AMD
Chair, SBE EAS Advisory Group

As the 2019 National EAS Test, commonly called the National Periodic Test (NPT), approaches, there are several steps broadcasters should take to ensure they are prepared on Aug. 7.

FEMA will transmit the test via the Primary Entry Point (PEP) system. It will not be available on the IPAWS CAP system. The NPT will be issued at 2:20 p.m. EDT Wednesday, Aug. 7, 2019.

By now all EAS participants should have checked their EAS units to ensure that they are programmed and working properly. If you haven’t, now is the time to do so. Key items to check:

1. Verify your EAS equipment is running the required software version (contact your equipment vendor if you have questions).
2. Verify you are monitoring the correct legacy EAS monitor sources as outlined in your state EAS plan.
3. Verify the audio from both required sources is broadcast quality.
4. Verify the system clock is correct and synced to a national time server (check the time zone setting as well).
5. Be prepared to file ETRS Form Two by midnight on August 7.

Contact your state emergency communications committee (SECC) or state broadcaster association with any questions about the NPT requirements.

2019 National Periodic Test Date Announced

FEMA has announced that the 2019 National Periodic Test (NPT) will be issued Wednesday, Aug. 7 at 2:20 p.m. EDT (18:20 GMT). The alternate date is Wednesday, Aug. 21, 2019.

Alfred Kenyon, chief, Customer Support Branch IPAWS Program Office, indicated, “This year FEMA proposes to originate the test via the National Public Warning System composed of the FEMA designated Primary Entry Point (PEP) facilities. The intent of conducting the test in this fashion is to determine the capability of the Emergency Alert System (EAS) to deliver messages to the public in event that dissemination via internet is not available. The public should be aware that full message text and multilingual messaging will not be available due to the over-the-air message delivery and relay used in this system of EAS message dissemination.”

All EAS participants are encouraged to verify the two required monitor sources assigned by the State Emergency Communications Committee (SECC). Check not only for the correct source but also the quality of the audio. If you are not able to clearly receive the assigned sources or have not been receiving the Required Weekly Test (RWT) from both sources, contact your SECC for an alternate source.

The 2019 test will not be fed via the IPAWS network as in past years. The test will be received via each state’s Primary Entry Point (PEP) and relayed by the area LP-1 and LP-2 stations.

EAS Blue Alert Code Becomes Effective January 18, 2019

By Larry Wilkins, CPBE, chair, SBE EAS Advisory Group

In January 2018 the FCC amended its regulations governing the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) to add a new event code, BLU, to allow alert originators to issue an alert whenever a law enforcement officer is injured or killed, missing in connection with his or her official duties, or there is an imminent and credible threat to cause death or serious injury to law enforcement officers.

Delivery of Blue Alerts over EAS will be implemented January 18, 2019.

Sage Endec users: Update firmware will be available next week.

DasDec users: The BLU event code is in the v4.0 software update.

Trilithic/Viavi users: The BLU event code is included in the v18.10 software update.

Gorman-Redlich users: An update is available; contact their office for details.

As a reminder the BLU event code is in the “voluntary” list, that is, it is not one of the FCC required relay alerts (EAN, NPT, RMT). Stations can elect to relay these alerts or not, with guidance from their state and local EAS plan.

Broadcasters and Cable Operators should watch for information updates from your SECC (State Emergency Communication Committee).

Blue Alerts over WEA take effect July 18, 2019.

Read the FCC ruling.

Senate Moves READI Act Forward

By Larry Wilkins, CPBE, chair, SBE EAS Advisory Group

Just before the end of the year, the Senate passed the READI (Reliable Emergency Alert Distribution Improvement) Act, a bipartisan bill meant to improve the Emergency Alert System, extend it to new platforms, and avoid a repeat of the false alarm nuclear missile strike alert in Hawaii that drew an FCC investigation.

While most of the points in the bill deal with the creation and origination of EAS alerts, one item is of interest to broadcasters: It would allow broadcasters to repeat presidential and FEMA alerts, something they can’t do now.

The bill still must be passed by the House and approved by the president, after which it will be sent to the FCC and FEMA to work out details of implementation, followed by an FCC notice of rule changes. So, it will be some time before any changes are made to the way EAS Alerts are created and/or distributed.

The SBE will continue to issue updates as the bill moves through the approval process.

National EAS Test Rescheduled for Oct. 3

The Federal Emergency Management Association (FEMA) previously announced that a National EAS test would be sent Sept. 20, 2018. Following the effects of Hurricane Florence, the test has been moved to the backup date, Oct. 3, 2018.

The times for the test have not changed. At 2:18 p.m. Eastern Daylight Time (EDT), FEMA will send a Wireless Emergency Alert (WEA) test message to all WEA-capable wireless devices throughout the entire United States and territories. Immediately following the WEA nationwide end-to-end test, at 2:20 p.m. EDT, FEMA will conduct a live test of the Emergency Alerting System (EAS). All EAS participants are required to participate in this nationwide test. The EAS message will be disseminated via the Integrated Public Alert and Warning System (IPAWS).

Stations are encouraged to verify that their EAS units are communicating correctly with the IPAWS server. Review station logs (which should be checked once each week by the chief operator) to ensure stations are receiving the Required Weekly Test (RWT) from IPAWS. This RWT is fed every Monday at 11:00 a.m. local time. Contact your equipment representative for details on setting up your EAS decoder to properly receive and relay the National test.

EAS participants are reminded that they are required to register with the EAS Test Reporting System (ETRS). Form One was to be filed on or before Aug. 27, 2018. Then on or before 11:59 p.m. EDT, Oct. 3, 2018, EAS participants must file the day-of-test information sought by ETRS Form Two. Post-test data will be filed later with Form Three.

More information is available from the FEMA website.

EAS National Test Reminder: Do Not Air Alert Tones as Examples

As you prepare your station for the EAS and Wireless Emergency Alert System (WEA) national test on Sept. 20, 2018, remember that the FCC forbids airing the audio attention signal or EAS tones for any reason other than a genuine alert, authorized test, or approved public service announcement. Remind your news and programming operations of this rule.

Any transmission, including broadcast, of the WEA or EAS attention signals or codes, or a simulation of them, under any circumstances other than a genuine alert, authorized test, or approved public service announcement violates the Commission’s rules and undermines the important public safety precautions that WEA and EAS provide. See 47 CFR §§ 10.520(d), 11.45.

While the FCC encourages improving public awareness of WEA and the EAS, including the upcoming nationwide test, broadcasters and cable providers are reminded to exercise caution and avoid inadvertently broadcasting the WEA or EAS tones in a news story.

Any question or concerns with the upcoming nationwide test can be directed to the FCC at alerting@fcc.gov.

Update FEMA Security Certificates by Sept. 24, 2018

By Larry Wilkins, CPBE
Chair, SBE EAS Advisory Group

As a reminder to all engineers, the Federal Emergency Management Agency (FEMA) will update one of its security certificates on Sept. 24, 2018.

Security certificates allow EAS decoders to use the digital signature in the CAP message to verify that the message came from an authorized authority, and that it wasn’t changed between the originator and EAS participants’ equipment. These certificates expire periodically. FEMA currently uses a chain of five certificates for alert validation, one of which expires at 11:55 p.m. EDT on Sept. 24, 2018 (Sep 25 03:55:36 2018 UTC).

Monroe-Electronics and Sage Alerting Systems have both issued updates to their EAS units.

DASDEC users: A field service bulletin and CA file are available from the Digital Alert Systems website at digitalalertsystems.com/resources_fsb.html. All DASDEC and One-Net customers should download the field service bulletin for instructions, and install the new CA file.

Sage Endec users should visit sagealertingsystems.com for complete information on downloading and installing the file in their units.

Engineers are also reminded that FEMA has scheduled a national EAS test on Thursday, Sept. 20. It will be sent at 2:20 p.m. EDT. The test will be fed via IPAWS.

Be aware that preceding the EAS test to broadcasters, FEMA will send a Wireless Emergency Alert (WEA) test message to all WEA capable wireless devices throughout the entire United States and territories. That message will be sent at 2:18 p.m. EDT.