Defending global sporting events requires coordination, information

The Super Bowl, the Winter Olympics, the World Cup—this year’s big sporting events are coming with security concerns.

Rob Gregory, CISO at cybersecurity advisory firm Optiv, told IT Brew that because these events are huge “living digital experiences,” the threat surface is immense. Vendors and venue operators alike will have to manage the complexities of large crowds buying refreshments, tickets, and paraphernalia digitally, including biometrics.

The scale of responsibility for IT pros and security experts is staggering. For even just one football game, Gregory said, the checklist is daunting.

“In addition to vetting the vendors and technology that they’re using, the payment processor that they’re leveraging, they validated that that vendor has the correct credentials like PCI compliance and other third-party attestations,” Gregory said. “They know when their customers are using those mobile payment apps, that those services are secure, and their customer data and their own data, being a vendor themselves, are protected.”

For vendors and technology that will be used by tens of thousands of people in a short window of time, that complexity can lead to problems. Everything within a venue, from entry gates to vending machines, presents a unique threat surface.

Turn to the state. In December, CISA issued new guidance for stadium and arena owners to keep venues safe and secure by recommending risk assessments. I, it also proposed a series of low- to high-complexity solutions for protecting operations like staff training and visitor screening.

“By sharing threat intelligence, risk mitigation strategies, and other vital information, we strengthen our collective ability to anticipate and respond to potential disruptions,” Steve Casapulla, executive assistant director for infrastructure security at CISA, said in a statement accompanying the release of the report.

On track. For big events like the Olympics, defenders need to understand that the threat is everyone’s problem. Teamwork is an essential (although unsung) tactic for cybersecurity pros;. Kristopher Russo, a principal threat researcher at Unit 42, recently told IT Brew that taking on the challenge solo is a mistake.

“Don’t try to do it yourself,” Russo said. “This is where you bring in folks—you work with partners, you work with other organizations that have experience in this area to help you strengthen your own defense and to make sure you’re ready.”

Those recommendations are an important step in analyzing weaknesses, especially with the kind of clientele global sports events tend to draw. A strong grasp of the danger is a key part of knowing how to respond.

“Not only will those encompass very large amounts of people—not only just at the sporting events, but associated festivities—it’s also going to include a lot of VIPs, whether that be business leaders, CEOs, and dignitaries from various nations,” Gregory said. “And those do come with an even higher risk profile and threat landscape.”