Cyber security at large sporting events
The London 2012 Olympics will bring together 10,500 athletes,
diplomats, politicians, business leaders and millions of spectators from
all over the world. Behind the scenes there is an immense effort being
made to ensure the security and well-being of everyone participating, in
any capacity, in this grand event. This article gives an inside look
into the thinking, business processes and security controls put in place
to manage the risks in large sporting events. Many, but not all, of
these principles and techniques can also be applied effectively by any
business or organisation.
The basic process in preparing and securing any (business) system is:
• Identify the actors and motivations for attacks.
• Identify and assess the threats.
• Identify the attack surface, including people, places, things and
intangible items such as revenue, reputation and stakeholder well-being
that we seek to protect.
• Identify risks, potential failures and their effects.
• Identify and prioritise the key risk areas to be addressed.
• Mitigate the most important risks through various controls and adjustments.
• Evaluate the effectiveness of our activities to secure the system.
• Understand the residual risks.
• Actively manage events during execution of the event(s).
Identifying the actors and motivations for attacks
Large prestigious sporting events represent a highly desirable target for
terrorists and cyber criminals. These events attract a considerable
number of athletes, and millions of spectators, who occupy
confined places for a short period of time. The presence of major press
agencies from around the world brings significant international
visibility to these events. For politically motivated terrorists, there
is the opportunity to cause violent disruption, which could severely
injure many people and undermine confidence in the host country. For
financially motivated cyber criminals there is the opportunity to profit
by attacking the personal and financial information of participants.
Identifying, characterising and assessing the threats
During the 2008 Beijing Olympic Games, over 12 million cyber attacks per
day, of varying types and lethality, were detected. Attacks ranged from
denial of service attacks and the propagation of viruses and malware to
highly targeted attacks against critical systems. Many, if not most, of
these attacks were successfully defended in 2008. However, in the last
four years, cyberspace and the related cyber threats have significantly
evolved, increasing in sheer number, stealth, diversity and capability
for damage.
Identifying the attack surface
A sporting competition must be considered in its entirety, as a monolithic
system endowed with a series of access ports and exits. The inside of
that system is composed of many people and devices exchanging huge
quantities of data and cooperating to achieve a common objective. In
addition to this, we must consider the event as a “system of systems”.
This includes third party web servers, email servers, the millions of
personal computer systems remotely participating, and so on. In the
design of sporting events, every element is analysed in detail: the data
it manages is defined, the functions it offers are articulated, and the
dependencies between the various systems and services are well
understood.
Identify and prioritise the key risk areas
The principal services that must be protected during an event are:
1) telecommunications,
2) internal financial services such as point of sale,
3) third party financial services such as online credit card transaction systems,
4) marketing and business communications,
5) public and private transportation,
6) organisational logistics,
7) public works,
8) public health and safety,
9) surveillance and reconnaissance,
10) policing services, and
11) military defence.
Each of these services produces and processes large amounts of data.
Three further areas must also be addressed:
12) the security of social networks and other online websites on which
the sporting event advertises and promotes its activities,
13) the security of web browsers and computers used by visitors to the
event’s websites, and
14) the identification and control of email scams and scam websites that
target those interested in the sporting event.
This last point (#14) is particularly interesting. Important sporting
events are promoted on the Internet through the publication of millions
of images and videos, which are then recommended and shared virally.
This presents a unique opportunity to exponentially increase the spread
of malware in social networks and other Internet media. For example,
Kaspersky’s experts have warned Internet users to be on their guard
against cyber criminals using the Olympics to market fake ticket and
merchandise websites, phishing scams and DDoS attacks. Furthermore,
foreign governments or large cyber-criminal organisations could use this
opening as an opportunity to infiltrate a large number of computer
systems to launch attacks completely unrelated to the sporting event
itself.
Identify and prioritise the most important risks to be addressed
It is clearly impossible to address all risks. However, the highest risks
in each category are addressed in a systematic way to protect the
sporting event itself and the participants and stakeholders involved.
Mitigate the most important risks through various controls and adjustments
There is a wide range of tactics, processes and technologies that are
used to protect the different elements of a sporting event.
Consider the internal networks that are the backbone of the sporting
organisation. A good cyber defence strategy must protect that network
from external attacks as well as internal attacks. Rigid policies must
address every vulnerability and attack vector that could compromise that
network, such as attacks through mobile devices and USB memory sticks.
Possible attacks against the internal network backbone include targeted
viruses designed to compromise the operations of critical sporting
services.
To further reduce risks, different types of unrelated
systems are isolated from each other. Gerry Pennell, chief information
officer for London 2012, said that a key principle to ensure the
security of the sporting event is to “keep mission-critical games
systems quite isolated from anything web-facing. So very much
partitioned and separated, thus making it hard for an external attack to
succeed”.
Unfortunately, today one cannot rely on any computing
or communication systems being secure, or the controls being perfect. To
this end, event monitoring systems are used to track the (mis)behaviour
of all systems, including collecting metrics such as network usage,
number of completed transactions, suspicious transactions, and so on.
This type of monitoring occurs not just within the organisation, but also
outside it. For example, starting several months before the events, law
enforcement and security agencies monitor the web, especially social
networks and forums, to identify any suspect activities that could be
related to the organisation of an attack. Governments consider this phase
very important because it may make it possible to detect and neutralise a
group of terrorists or hacktivists that is planning an action during
the events.
One of the most effective ways to manage successful attacks and
intrusions against specific components is to combine several overlapping
(hybrid) controls in the same system. For example, facial recognition
systems and cryptographic cards for storing the digital identity of
participants and organisers are just some of the overlapping security
controls implemented during an event.
For critical services the sporting event must also assume that a
successful compromise is possible, even after aggressive security
controls have been put in place. To address this, backup systems,
redundancy and even diversity are used: a secondary network backbone
(redundancy) is built from components from a different vendor
(diversity). For example, creating a wired network using one product
from one vendor, and creating a wireless network using a different
product from an entirely different vendor, is done to try to avoid the
same vulnerability being present (and thus exploitable) in both
networks.
Evaluate the effectiveness of our activities to secure the system
Testing and monitoring are main priorities for the organisers of the
event. The impact of simulated external and internal attacks against a
typical workload of the network must be studied so we know what to look
for when detecting real attacks. As regards the forthcoming London
Olympics, each component of the IT infrastructure has been stressed in
the period from March to May, simulating cyber attacks and recording the
response to them. The organisation said that a team of about 100
specialists will try to compromise the systems. Patrick Adiba from Atos,
the Olympics IT supplier, told the BBC: “We are using a simulation system
so it doesn’t really matter if we corrupt the data. We simulate the
effect and see how people react.”
Residual risks
The unpredictable is always a constant companion in all endeavours,
particularly large complex ones. To manage the unknown, the sporting
organisation must be adequately equipped and staffed to meet any sudden
unanticipated need rapidly. There must be a modest amount of human
over-resourcing available to manage peak situations without compromising
other activities.
Actively managing the event
Installing security controls and performing penetration testing are
clearly critical steps. However, security is not achieved just by
installing good security controls. Security is a process that must be
actively managed long after initial preparations are completed.
This is best described by the Observation, Orientation, Decision and
Action (OODA) loop. Event monitoring systems must be operational to
observe the actual activity of all systems participating in the event.
Analysis must be performed by security experts, with advanced
technologies, in real time, to orient themselves to any abnormalities
and suspicious activities that could indicate an attack is in progress.
If the experts determine there is a problem, a line of action must be
decided on, and action taken to address that concern.
The security of a sporting event is extremely complex because of its
sheer scale and the multitude of contributing factors. Due to the
excellent work of private and public security organisations, previous
Olympic events have been highly successful. Many of these winning
processes and techniques can also be employed by medium to large
organisations to protect the legitimate interests and well-being of all
stakeholders.
Sig. Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified
Ethical Hacker, EC Council and Founder of Security Affairs
(http://securityaffairs.co/wordpress)
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber
and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry
for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta
Government National Enterprise Innovation Awards. www.ictgozomalta.eu
links to free cyber awareness resources for all age groups. To promote
Maltese ICT, we encourage all ICT professionals to register on the ICT
GM Skills Register and keep aware of developments, both in Cybersecurity
and other ICT R&D initiatives in Malta and Gozo. For further
details contact David Pace at dave.pace@ictgozomalta.eu.