By Ashish Khanna
High-profile sporting events over the last few months have presented a number of cybersecurity challenges. Sporting events generate a lot of consumer activity, from hotels and restaurants to retail.
Large sporting events are held together by webs of connectivity that include vendors, sponsors, employees, and consumers. These networks connect ticketing, merchandising, venue access, live events information, and everything in between. This connectivity delivers a lot of value to venues, vendors and consumers alike, but it also can create potential points of entry for threat actors.
France reported over 140 cyberattacks linked to the Olympics alone. While none of these disrupted the competitions themselves, the figure gives us reason to consider the critical targets associated with high-profile events, where attacks are aimed at government entities as well as sports, retail, transport and telecoms infrastructure.
The following are some critical considerations for businesses and fans as retail activity heats up around sporting events this summer.
Making the connection between sports and cybersecurity
The sports and entertainment sector is distinct from other industries and continues to face numerous threats and challenges. In other industries, the technology infrastructure is built to sustain long-term usage, so the cybersecurity strategy reflects a business strategy that revolves around long-term goals. That strategy takes scalability into account and needs to be flexible enough to adapt to any changes in the business.
However, in sports and entertainment the long-term corporate infrastructure should be paired with short-term strategies. The short-term technology infrastructure goal is to evolve until the very last moment of the event – with specific focus on “just in time scaling” and the ability to deliver a specific service at a specific time, one that can be easily dismantled once it is no longer required.
The cyber-physical convergence
The rapid development of technology within the sports industry, such as augmented reality, smart turnstiles and facial recognition, together with suppliers that all have complex interdependencies, has increased the complexity of cybersecurity concerns. In our highly connected world, the rise of digital twins and collaboration across various platforms is transforming the sports landscape into an interconnected business network.
Among the many highly digitalised technologies that may present lucrative targets for cyberattacks, PIID stands out as a prime example.
- Personalisation (P): Personalised features for fans in stadiums, often delivered through mobile applications, enhance the fan experience.
- Information Gathering (I): Player information is gathered during games using athlete performance monitoring devices such as health bands and smartwatches.
- Instant Replay (I): Instant replay technology, commonly used by referees, relies on data that, if compromised, could be exploited by betting firms to create bias. This underscores the importance of discussing AI utilization and the distinction between time sensors and touch sensors in data collection.
- Data Sovereignty (D): The increased collection of data raises concerns about data sovereignty, trust, and privacy, particularly regarding PI.
Cyber-Physical Convergence: The convergence of cyber and physical systems is driven by the increasing utilisation of digital technologies, resulting in transformative shifts in information technology and connectivity (Bring Your Own Device – BYOD), and the proliferation of the Internet of Things (IoT) within physical systems. The core components of this convergence include connectivity sensors for data collection (e.g., sports accelerometers), automation, and control mechanisms. This convergence can offer numerous advantages, including predictive maintenance capabilities, enhanced safety measures, and reduced downtime.
However, this convergence also presents the potential for new threats, such as:
DDoS Attacks: This disruption can severely impact essential services such as ticketing and gate entry, resulting in financial repercussions and disgruntled spectators. Instances of remotely locking stadium doors have occurred in the past, and the consequences could be dire, particularly as it could lead to the exclusion of attendees or force an overwhelming influx of individuals towards a single exit.
Bot Attacks against Ticketing: Automated programs possess the capability to acquire tickets at a substantially greater pace compared to humans, contributing to the practice of scalping and the artificial inflation of prices. This phenomenon creates an inequitable distribution of access to events, negatively impacting both aficionados and event organisers. The rush of online transactions – obtaining tickets or venue access to major events – also paves the way for spoofed sites designed to acquire login credentials, which, in turn, can be used to steal personal data, including credit card information.
Deceptive WiFi Hotspots/Rogue Hotspots: Fake WiFi hotspots can lure users into establishing connections, thereby enabling malicious actors to intercept sensitive data, redirect users to websites with malicious intent, and pilfer their personal information.
Furthermore, a stadium may possess approximately ten thousand or more network ports, over one thousand access points, and fifteen hundred beacons. The combination of Bring Your Own Device (BYOD) practices and open WiFi environments fosters an ideal breeding ground for network and malware-based attacks.
Attacks Against Payment Flow: Hackers can target payment systems to steal credit card data and make fraudulent transactions. This can lead to financial losses for both customers and organisations. To exploit this widespread vulnerability, threat actors often employ social engineering, which refers to tricking people into divulging sensitive information, like PCI data, that hackers can use for their own unscrupulous purposes. Hackers take advantage of large sporting events, as they inspire a lot of passion in their fan bases and can create confusion around the event, from a massive influx of tourists, an uptick in police presence, and a surge in retail activity and unofficial merchants.
False Messages on Scoreboards and Information Boards: Attackers have the ability to manipulate scoreboards and information boards to display false messages, causing confusion, panic, and disrupting the event experience. This can affect the integrity of the game and also presents security risks, since false messaging can lead to panic.
Protecting the digital supply chain
The enterprise network of a modern sporting venue has a lot of moving parts, connecting employees, a myriad of devices, security and surveillance, on-premise vendors, and so on. The venue also interacts with external partners for a variety of services and functions. There may be edge computing, private networking, MEC and cloud network components, which may interface with other systems and networks. In other words, a sporting venue’s cybersecurity is not self-contained; it is part of a digital supply chain.
Consider a film studio as a cybersecurity analogue that can shed light on this dynamic. Large studios outsource a number of services, such as graphic arts, animation, postproduction, etc. Many of these postproduction companies, especially specialty shops, are smaller, with a limited cybersecurity budget. Yet they house the studio’s valuable IP, which may capture the attention of threat actors. These small companies can act as a sort of back door to data that hackers would not otherwise have had access to.
In other words, an organisation’s cybersecurity is only as strong as its weakest link. A lack of security within the infrastructure of vendors and other third-party partners can compromise a venue. Threat actors can exploit these dynamics for their gain, for instance by masquerading as a trusted vendor in an email with a fraudulent invoice.
The internal threat
According to the 2024 Verizon Business Data Breach Investigation Report (DBIR), the human element is a major culprit of security breaches, accounting for more than two-thirds (68%) of security breaches last year. They’re often non-malicious and internal – employees may fall victim to a Business Email Compromise (BEC) attack, whereby hackers present themselves as a trusted executive within the organisation. These scams are more likely to be effective during busy periods in which employees are under pressure and rushing to meet deadlines. High-profile sporting events of this summer create those very conditions. This celebrity culture can make sports fans more susceptible to social engineering since their emotions are heightened and their attention is pulled in many directions. Knowing this, hackers may create a sense of urgency in their texts and emails to compel users to impulsively click on a malicious link or share sensitive information. It takes less than 60 seconds for the average user to fall for a phishing email, according to the DBIR.
All of which is to say venues must tighten up not only their internal network but also their external network of partners. Workforces must be on high alert both for unwitting internal threats and malicious external threats. As scams can arrive in the guise of both internal executives and vendors, every piece of communication during heightened periods of activity must be regarded with scepticism, lest it allow a hacker to gain a toehold within the network.
- Awareness of the Environment
Organisations must have a comprehensive understanding of their digital assets, including hardware, software, networks, and data. This involves conducting regular audits to identify vulnerabilities and potential attack vectors. By understanding their environment, organisations can better prioritise their cybersecurity efforts and allocate resources accordingly.
- Understanding the Attack Landscape
It is essential for organisations to stay informed about the latest cyber threats, attack methods, and emerging trends. This includes monitoring security advisories, threat intelligence reports, and industry news. By understanding the attack landscape, organisations can anticipate potential threats and develop countermeasures to mitigate their impact.
- Risk Assessment
Once organisations have a clear understanding of their environment, the attack landscape, and their asset inventory, they can conduct a thorough risk assessment. This involves identifying and prioritising critical assets, evaluating the likelihood and impact of potential attacks, and prioritising risks based on their severity. By conducting a risk assessment, organisations can make informed decisions about where to invest their cybersecurity resources.
- Vigilance and Threat Monitoring
Organisations need to be vigilant in monitoring their networks and systems for suspicious activity. This involves implementing security monitoring tools, such as intrusion detection systems (IDS) and security information and event management (SIEM) solutions. By continuously monitoring their environment, organisations can detect and respond to threats in a timely manner.
- Training and Education
Educating executives and employees about social engineering attacks is crucial for preventing successful breaches. This includes raising awareness about common attack methods, such as phishing emails, phone scams, and social media impersonation. Organisations should provide regular training sessions to ensure that employees are equipped with the knowledge and skills to identify and report suspicious activities.
By adopting these measures, organisations can significantly enhance their cybersecurity posture and protect themselves from a wide range of threats. It is important to remember that cybersecurity is an ongoing process, and organisations must continuously adapt to the evolving threat landscape.