We are aware of various reported instances of EAS equipment connected to the internet with weak or otherwise inadequate network security and/or unsecure device setting configurations that potentially leave them vulnerable to IP-based attacks. We remind EAS Participants that if EAS equipment lacks basic security maintenance, it can be vulnerable to disabling or exploitive attacks.
EAS Participants should take action to secure their EAS equipment. It is advisable, for example, to ensure that default passwords have been changed, equipment is updated with current security patches, and EAS equipment is secured behind properly configured firewalls and other defensive measures. The Commission’s Communications Security, Reliability, and Interoperability Council IV (CSRIC IV) has developed several security best practices for EAS Participants, and we encourage all EAS Participants to review them and implement those that apply to their situation. These best practices are referenced in the Communications Security, Reliability and Interoperability Council IV, Working Group 3, Emergency Alert System (EAS) Subcommittee, Final Report (March 2015) (available at this link), and are listed in detail in the Communications Security, Reliability and Interoperability Council IV, Working Group 3, Emergency Alert System (EAS) Subcommittee, Initial Report (May 2014) at this link. All EAS equipment manufacturer models are included in this advisory.
If there are any questions regarding the security of EAS equipment, we encourage EAS Participants to contact their EAS equipment manufacturers.
We appreciate your efforts to make the EAS a vital, beneficial and secure national platform for the distribution of alerts that save lives and property.
Lisa M. Fowlkes
Chief, Public Safety and Homeland Security Bureau
Federal Communications Commission