The FCC is set to adopt new cybersecurity rules requiring broadcasters and other Emergency Alert System (EAS) participants to protect their equipment with network firewalls (or equivalent segmentation) and strong, unique passwords.
The agency plans to vote on the requirements at its June 25, 2026, open meeting. The move aims to safeguard the nation's public warning system against a rising number of cyberattacks that have targeted EAS gear in recent years.
If approved, the rules will apply to radio and TV stations, cable systems, and other EAS participants. They specifically cover EAS encoders/decoders, studio-to-transmitter links (STLs), and any remotely managed equipment that routes, processes, or inserts content into programming streams.
- Firewalls and Network Segmentation: Participants must place EAS equipment behind a network firewall or use comparable practices (such as a dedicated VLAN, demilitarized zone, or physically isolated management network). This limits remote access to authorized devices and users only, keeping the equipment off the public internet.
- Password Security: Default passwords must be changed before any operation. New passwords must be strong—at least 15 characters, avoid dictionary words, and not be reused across other accounts or systems. Passwords should also be updated if there's any suspicion of compromise.
- Timely Updates: Participants must promptly test and install security patches, firmware upgrades, and related software from manufacturers.These measures address documented vulnerabilities. For example, scans have exposed hundreds of EAS devices with publicly accessible password screens, making them easy targets for even low-skilled attackers.
Attacks on EAS equipment “continue to occur with disturbing frequency,” according to FCC documents. High-profile incidents in past years, often exploiting default credentials or exposed ports, have eroded public trust in the emergency alerting system.