On August 5, 2022, the Public Safety and Homeland Security Bureau (“PSHSB” or “Bureau”) released a Public Notice advising EAS Participants to take steps to secure their EAS equipment against risks impacting devices that are publicly accessible from the Internet. On August 1, 2022, FEMA issued an advisory on potential vulnerabilities in certain EAS encoder/decoder devices that have not been updated to the most recent software versions. If these devices are not up-to-date, an unauthorized actor could issue EAS alerts of the EAS Participant’s infrastructure.
The Bureau has previously warned about this vulnerability and encourages EAS Participants to install current security patches and utilize firewalls to secure their EAS equipment. In addition, the Bureau urges EAS Participants to take the following steps to improve their cyber hygiene:
- Install software security patches issued by the manufacturer as soon as they become available.
- Change default passwords. (It is suspected that failure to comply with this suggestion resulted in the 2013 Zombie EAS Alerts).
- Continually monitor EAS equipment and software and review audit logs to detect and report incidents of unauthorized access.
- Review the list of recommended best practices to address potential data security vulnerabilities issued by the Communications Security Reliability and Interoperability Council in 2014.
As a reminder, EAS participants are “responsible for ensuring that EAS Encoders, EAS Decoders, Attention Signal generating and receiving equipment, and Intermediate Devices used as part of the EAS . . . are installed so that the monitoring and transmitting functions are available during the times the stations and systems are in operation.” Failure to receive or transmit EAS messages during national tests or actual emergencies because of an equipment failure may subject the EAS Participant to enforcement action.
Please Contact Us if you have any questions.