Secure Your ST 2110 & NMOS/IPMX Infrastructure with BCP-003 / PEP Encryption

ST 2110 and NMOS/IPMX traffic is unencrypted by default. Once it's on the network, any node can read it, modify it, or inject unauthorized commands.   

Promwad engineers can close that gap by implementing BCP-003 and PEP encryption — without adding latency or breaking interoperability.

Why Broadcast IP Networks Are Vulnerable by Default

ST 2110 was designed for performance and interoperability — not security. Media flows, control signals, and device discovery all travel unencrypted across the network. In a closed facility, this was an acceptable trade-off. In today's infrastructure, it isn't.

The attack surface has expanded

SDI-to-IP migration moves broadcast traffic onto standard Ethernet — shared switches, routable VLANs, and cloud-connected backbones. Any device on the network can intercept RTP streams, monitor NMOS discovery traffic, or inject unauthorized connection requests.

'Closed network' is no longer enough

Multi-vendor facilities, remote production, and cloud-hybrid deployments all introduce exposure that a physically isolated SDI plant never had.



Compliance is catching up

Major broadcasters and content owners increasingly mandate encrypted media transport as a contract condition. OEM product lines that can't demonstrate BCP-003 compliance are being disqualified before procurement begins.

Worried your ST 2110 infrastructure won't pass a security audit? Let's find out before your customer does.

BCP-003 / PEP: Encryption Built for Broadcast IP

BCP-003 and PEP were designed specifically for NMOS and ST 2110 environments — they can be implemented without compromising latency, interoperability, or compliance.

BCP-003 secures the NMOS control plane

TLS-based security applied across IS-04, IS-05, IS-08, and other NMOS APIs — covering registries, controllers, and nodes. Promwad implements BCP-003-01, -02, and -03, including both authorization and encrypted transport of control traffic.

PEP secures parameter exchange between devices

The Policy Enforcement Point layer ensures that only authorized endpoints can negotiate stream parameters, join a flow, or modify a connection. Unauthorized devices are rejected before they reach the media plane.

ST 2110 media flows are encrypted at transport level

RTP streams are protected via SRTP or DTLS — maintaining the timing precision and multicast behavior that broadcast workflows require. Properly implemented, encryption adds no measurable jitter and no packet loss.

Certificate and key management is included

Promwad handles PKI setup, certificate issuance, rotation policies, and revocation as part of the delivery scope — not as an afterthought.

Vendor-neutral by design

The implementation works across mixed ecosystems: existing hardware, software-defined nodes, and cloud gateways — without requiring a forklift upgrade.

What We Deliver

Promwad plugs in as your engineering team at any stage — from architecture design to implementation and compliance verification. A typical engagement covers:

Security architecture design

for ST 2110 / NMOS environments — threat modelling, topology review, encryption scope definition

BCP-003 implementation

across NMOS controllers, registries, and nodes — IS-04, IS-05, IS-08 and beyond

PEP integration

for policy-enforced, encrypted parameter exchange between devices

PKI setup

certificate issuance, rotation policies, and revocation handling

Interoperability testing

across your vendor mix — we verify compliance, not just functionality

Documentation and compliance reporting

audit-ready deliverables for your customers or internal security reviews

Engagements start with a scoped technical assessment. First results typically within 8-10 weeks.

Need BCP-003 compliance on a fixed timeline?
We'll scope it in one call.

Technology Scope

Standards & Protocols

ST 2110-20/30/40, NMOS IS-04 / IS-05 / IS-08, BCP-003-01/02/03, IPMX, AMWA, SMPTE

Platforms

FPGA-based media nodes, software-defined infrastructure, hybrid cloud environments

Security Layer

TLS 1.2 / 1.3, SRTP, DTLS, X.509 PKI, OAuth 2.0 (IS-10)

Interfaces

REST API, gRPC, multicast / unicast RTP

Who We Help

Broadcast OEM vendors

adding security compliance to ST 2110 product lines — before a customer audit, a procurement disqualification, or a regulatory deadline forces the issue

Systems integrators

deploying IP infrastructure across multi-site or multi-vendor facilities who need encryption implemented correctly across the full stack, not just at the perimeter

R&D and engineering teams

with deep signal-chain expertise but limited network security bandwidth — who need to move fast without hiring a dedicated security team

Do any of these sound familiar?

  • Failed interoperability or security audit
  • New customer requirement blocking contract sign-off
  • SDI sunset timeline creating pressure to ship IP-native product
  • Internal mandate to achieve BCP-003 compliance with no clear ownership

We've solved all these challenges. Let's talk about yours!

Vadim Shilov, Head of Broadcasting & Telecom at Promwad

Case Study

BCP-003 Security Implementation for an NMOS-Enabled Broadcast Node

Bridging the gap between open IP production and the security requirements of modern broadcast facilities.

Challenge

In multi-vendor ST 2110 environments, NMOS control traffic runs unencrypted by default. For a broadcast OEM shipping an NMOS-enabled camera node, this created a hard blocker: a major facility customer required BCP-003 compliance and authenticated device access before approving the product for deployment. 

Solution 

Promwad plugged in as an extension of the R&D team and delivered full BCP-003 integration across the NMOS control plane:
  • Encrypted Control Traffic. TLS 1.3 applied across IS-04, IS-05, and IS-08 endpoints — registration, connection management, and audio mapping all secured without API changes for existing clients.
  • Authenticated Device Access. IS-10 OAuth 2.0 authorization integrated to ensure only approved controllers can modify flows or override connections.
  • PKI Infrastructure. Certificate issuance, rotation policies, and revocation handling set up as part of the delivery scope.
  • Interoperability Verified. BCP-003 compliance tested across the customer's mixed-vendor facility with zero performance regression on live ST 2110-20 4K flows.

Result 

The product passed the facility's third-party security audit on first submission. The contract was unblocked. The camera node shipped on schedule — now a fully compliant, plug-and-play IP device that meets both operational and security requirements of professional broadcast environments.

Why Broadcast Teams Trust Promwad

Promwad is a broadcast systems development company — from concept to mass production. We plug in as your engineering partner at any stage: to rescue a delayed project, accelerate a release, or close a specific expertise gap.

20 years / 500+ projects

Proven track record with OEMs in the EU and US across embedded, FPGA, and broadcast systems

First release in 8–10 weeks

Predictable PoC or MVP delivery — with a defined scope and no surprises

Compliance-ready

ISO 9001 certified. Deliverables are audit-ready by design

Plug-in teams

We join at any stage — architecture, implementation, interoperability testing, or project recovery

Trusted by OEMs and global leaders

SONY, Vestel, AMD, Altera

Ready to Secure Your IP Broadcast Infrastructure?

Whether you're preparing for a security audit, responding to a customer requirement, or building BCP-003 compliance into a new product line — we can help you scope it and ship it.

Tell us about your project

We’ll review it carefully and get back to you with the best technical approach.

All information you share stays private and secure — NDA available upon request.

Prefer direct email?
Write to info@promwad.com

Secured call with our expert in 24h

FAQ

What is BCP-003 and why does it matter for ST 2110 environments?

 

BCP-003 is AMWA's Best Current Practice for applying TLS-based security to NMOS APIs. It defines how IS-04, IS-05, IS-08, and other control interfaces should be secured, covering encrypted transport, certificate management, and authorized access. In ST 2110 environments, where media flows and device control share the same IP infrastructure, BCP-003 is the primary mechanism for preventing unauthorized access to the control plane. Without it, any device on the network can monitor discovery traffic, intercept connection requests, or attempt to modify routing.
 

Does encrypting ST 2110 traffic affect latency or video quality?

 

When implemented correctly, BCP-003 and SRTP/DTLS encryption have no measurable impact on latency or media quality. The encryption overhead is handled at the transport layer and does not interfere with the timing precision or multicast behavior that ST 2110 workflows require. The key is proper implementation: misconfigured certificate handling or suboptimal TLS negotiation can introduce delays, which is why experienced integration matters.

What is the difference between BCP-003 and PEP in broadcast IP security?

 

BCP-003 focuses on securing the NMOS control plane: it defines how APIs used for device discovery, registration, and connection management should be protected with TLS and authorization. PEP, or Policy Enforcement Point, operates at the parameter exchange level, ensuring that only authorized endpoints can negotiate stream parameters or join a flow. Together they cover both the control and negotiation layers of a secure ST 2110 deployment: BCP-003 protects how devices talk to each other, and PEP enforces who is allowed to.

We have a mixed-vendor facility. Can BCP-003 be implemented without replacing existing equipment?

 

Yes. BCP-003 is a vendor-neutral standard designed for interoperability across mixed ecosystems. Implementation typically involves updating NMOS controllers, registries, and nodes to support TLS and IS-10 authorization, without requiring hardware replacement. Promwad verifies compliance across existing vendor equipment as part of every engagement, ensuring that the encryption layer integrates cleanly with the infrastructure already in place.
 

Is a "closed network" sufficient security for ST 2110 infrastructure?

 

A physically closed network reduces exposure but does not eliminate it. Multi-vendor facilities, remote production setups, and cloud-hybrid deployments all introduce network paths that bypass physical isolation. A misconfigured switch, a compromised third-party device, or a rogue endpoint on a shared VLAN can all reach unencrypted ST 2110 traffic. Beyond the technical risk, many broadcasters and content owners now require demonstrated BCP-003 compliance regardless of network topology — making encryption a procurement requirement, not just a security preference.