With the Super Bowl on Sunday, February 12, cybersecurity experts are not betting on the game itself but on whether we will see any operational disruption to it from cyberattacks.
James Campbell, CEO and Co-founder of Cado Security, has spent his career protecting large-scale events such as the Olympics from cyberattack interference. Here is a Q&A that illustrates his thoughts on the topic.
What motivates threat actors to target large-scale physical events?
Financial gain: If it is a large-scale physical event where everything has to go right at this moment in time, opportunistic cybercrime motivates threat actors who can hold an event for ransom, so it could be a good ransomware situation for criminal actors. They don’t tend to focus on those sorts of things, but it’s certainly something that could occur through disruptive campaigns as an angle for criminals.
Sending a message: Nation-states are sending a message and making a point with operational impact. The second, and likely, motivator is high-profile events, particularly in a time of political unrest across the world; if you were to disrupt another nation’s large-scale event, that would be sending a message. While it isn’t a message that has a physical impact, it can be a clear shot, a pretty big deal, without actually firing anything real.
Interestingly, at a time like this, threat actors can leverage it. Looking at the current state of affairs, it would make sense for nation-states to capitalize on a campaign against potential enemies across the Western world. One of those could be disrupting large-scale events.
If nation-states want to show that they can impact the Western world, then high-profile events motivate threat actors. Showing that they can interrupt large-scale events with the click of a button sends a powerful message that you can influence and make an impact no matter where you are in the world. An easy way to send a clear message is to disrupt a large-scale physical event like the Super Bowl. The US would not retaliate physically, so it’s a lower risk for nation-states during uncertainty.
Hacktivism: getting your political message across by using the event, or disruption activity at the event, to raise media awareness of your message. The climate change protests and the like are, in general, against big events, so another thing to consider is that someone might aim to disrupt an event, which can be as simple as a denial of service on a website or finding a way to discredit an event through cyber means; hacktivists could do this by utilizing the high-profile space of the event to raise awareness of their own political or generally motivated issues.
What would be the most disruptive to the Super Bowl?
One of the main disruptions to the Super Bowl would be denying the ability for it to be televised, which would probably have the biggest impact other than physically ensuring the Super Bowl doesn’t run, which would be a harder task. With millions of people worldwide watching, and the advertising and revenue generated from the Super Bowl, if you’re going to get a certain point across, then restricting the ability to broadcast it live would have the most significant impact you could have out of all of it, albeit not the only impact.
How are cybersecurity teams likely approaching this event?
Cybersecurity teams would be trying to understand the big-impact events, such as media availability; making sure the event in general runs smoothly; making sure that ticketing works; and ensuring the general safety of the event is upheld. So they’ll be considering all of those elements.
The one thing that would be tricky for security teams is that it’s not just one entity or single network they must look after. An event like the Super Bowl involves numerous suppliers, media companies, etc., each of which is responsible for looking out for its own network, and which collectively make up how the Super Bowl is run.
From a risk standpoint, security teams want to manage, as best they can, that all of the suppliers and everybody essentially helping run the Super Bowl are maintaining a good level of security. From an operational perspective, they also want to make sure they have appropriate continuity plans in place, so that should something happen they can fail over to a plan B and keep the event going, live, and streaming worldwide.
What are some best practices to ensure operational resilience and sufficient cybersecurity standards?
Understand the risk to your suppliers: the data they have access to, what operational capability they bring to your event, how they operate, and what they do to maintain resiliency. What are the associated risks, the types of threats you’re likely to encounter, and the avenues they could potentially exploit?
Focus your resources on hardening those and making them more resilient, because trying to secure all the things is only sometimes practical. You need to understand where to start and what your highest risk and profile is, then tackle that first.
For an event such as the Super Bowl, this starts with the suppliers, people, networks, and technology that make the event possible, ensuring they are doing it from a risk, security, and resilience perspective.
From a best practice perspective, they would have prepared for it by engaging the critical suppliers as part of the significant event and exercising various cyberattack scenarios to ensure they have the proper checks and balances to respond accordingly and maintain resilience.
What are the moving parts when it comes to people organizing these events?
From my experience with events, there are many moving parts – third-party risk – when it comes to people organizing these events.
Some straightforward examples are denial of service and attempts to bring down live feeds or general websites so people can’t buy tickets or get updates. These are pretty simple things to do, but they can be very complicated. There’s a monumental effort to deliver live feeds of the games, commentary, and different languages to the world, a lot of which is physically at the event.
The televised network and servers sitting in the data room at the Super Bowl are secure, with patches and firewalls, but what happens if you don’t have control of the room itself? The building management system might be separate from that, and you might not directly control or have access to it. Suppose threat actors attack the IoT and turn off the air conditioning in the building management system. In that case, all those computers are useless, because you must immediately turn off all your servers or else they melt within 15-20 minutes.
New Russian Threat Actor Using Graphiron Malware To Steal Data from Ukraine: Symantec
Posted in Commentary with tags Symantec on February 9, 2023 by itnerd
Symantec has spotted a new Russia-linked threat actor deploying a new information-stealing malware, dubbed Graphiron, against targets in Ukraine. The malware is attributed to a group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.
The Symantec paper is worth your time to read, but here’s the TL;DR:
David Maynor, Senior Director of Threat Intelligence at Cybrary:
“Ukraine has the dubious honor of serving as a canary in a coal mine for tools, techniques, and procedures of Russian attacks. That’s why I pay close attention to CERT-UA for new attacks.”
You should pay attention to this threat actor as well because it is only a matter of time before this group starts going after targets in the west.