This post first appeared on Risk Management Magazine. Read the original article.
As the world’s highest-profile sporting event approaches, organizers must prepare for an evolving array of cyberthreats, from nation-state hackers to opportunistic cybercriminals.
During the London 2012 Summer Olympics, technical staff logged 165 million individual cybersecurity-related events. Most were trivial things like login failures, but 97 incidents required intervention by the technology operations center, and six major cyberattacks were elevated to the level of 2012 Olympics CIO Gary Pennell, he reported.
Most notably, authorities later revealed they were warned of a credible threat to the electrical infrastructure, intended to disrupt the opening ceremony. Oliver Hoare, head of Olympic cybersecurity, later told BBC that he was awakened at 4:45 a.m. the morning of the ceremony by a call from U.K. intelligence agency GCHQ disclosing the threat. “We’d tested no less than five times the possibility of a cyberattack on the electricity infrastructure,” he said, yet the threat persisted up to the final hour before the approximately $42 million ceremony was broadcast to an audience of one billion people worldwide. In that final hour, one team member told Hoare that they would be able to restore power within 30 seconds, should an outage actually occur, but as he told BBC, “thirty seconds at the opening ceremony with the lights going down would have been catastrophic in terms of reputational hit.”
“Back then, the whole cyberattack thing was still sort of coming to the forefront, so it was interesting afterwards to just hear the sheer number of attacks,” said Peter Williams, head of live entertainment at Allianz Global Corporate & Specialty. “I don’t think anybody really appreciated that, an event like that, people were literally attacking on a daily basis. Even if most were just simply people trying to get in for a bet or a dare, trying to scam a ticket or whatever, it’s the sheer number.”
At the 2018 Winter Olympics in PyeongChang, South Korea, the range of cyberrisks to grapple with became far clearer, and inched closer to such a scenario. In the run-up to the games, state-sponsored hackers carried out other extensive campaigns tied to the Olympics. Security researchers at McAfee discovered what they called Operation GoldDragon, a complex phishing-based campaign thought to be attributable to North Korea that aimed to spread spyware to a number of South Korean Olympics-related organizations. Following the doping scandal and in retaliation for the official censure of Russian athletes, Russia-linked attackers hacked and leaked embarrassing documents from the World Anti-Doping Association and Olympics-related organizations, including medical records of top American athletes.
Then, on February 9, 2018, the Winter Olympics website went down for several hours, disrupting ticket sales and downloads at the opening ceremonies, while local Wi-Fi around the Olympic facilities was rendered temporarily unavailable. As a result, many were denied entry to the ceremonies, and a key televised event lost a core part of its audience, both live and at home.
What worries me is steps that might be taken or that are taking place to increase the connectivity of electrical infrastructure—or any other critical infrastructure, for that matter—for the sake of convenience and efficiency without the right compensative security controls to mitigate that marginal risk.
This broadening attack surface should be a notable takeaway not only for Olympic organizers, but anyone running live events. Attacks on key systems, such as ticketing systems and point-of-sale or other payment technology, can cause significant disruption to these events, but Williams said he and others in the live entertainment space are carefully watching as incidents inevitably escalate toward cyberattacks that cause outright cancellations, especially one that causes full power disruption. “I don’t know that we’ve seen it. We certainly haven’t had a claim for it yet. But we’ve been made aware—mainly afterward—that there have been attempted cyberattacks that authorities have blocked, and it is an emerging risk that we are actively concerned about,” he said.
Advancements in connected technology and the high stakes and short timeframes around the games fundamentally increase the risks of further escalation of such disruption, potentially to the level of an outage. “I wouldn’t consider it the most likely situation, I’d consider it the most dangerous situation,” said Dave Weinstein, the chief security officer at industrial control systems cybersecurity firm Claroty, and former chief technology officer for the state of New Jersey. “What worries me is steps that might be taken or that are taking place to increase the connectivity of electrical infrastructure—or any other critical infrastructure, for that matter—for the sake of convenience and efficiency without the right compensative security controls to mitigate that marginal risk.”
Since previous Olympic games, hackers have become more willing and able to wreak havoc through cyberattacks. The extreme case of causing a full power outage is highly unlikely, but the capacity to attack other forms of connected infrastructure has advanced steadily and the threat profile to the Olympics now requires greater attention to such newer risks.
“The bottom line is that it is getting easier, not harder, to hack infrastructure, and it’s easier to do now than it was four years ago or even two years ago at the last winter Olympics,” Weinstein said. “Some of that is because of general connectivity, and some of that is the proliferation of malware or malware frameworks that were previously only in the hands of certain nation-states but now have the potential to stroll over into non-state hands. Third, there is the fact that a lot of the intelligence that is necessary to initially target these networks is more readily available than it ever has been before.”
He added, “It’s just the amount of information out there that makes it easier—not easy, but easier—to achieve some sort of effect with respect to infrastructure.”
Evolving Risk Profile
Since the London Olympics, cyberattacks have become part of everyday life. The rapid advances in capabilities and impact are clear, from evolving capacity to strike critical infrastructure (as with the blackouts in Ukraine) to sophisticated use of cyberspace for complex attacks (as with Russia’s multifaceted interference in the U.S. elections) to exploitation of internet of things (IoT) devices (as with the crippling Mirai botnet DDoS attack against Dyn) to the continuing deluge of day-to-day headlines about data breaches, phishing campaigns and payment data exposure.
In the realm of cyberrisk, the rate of evolution and increases in capability mean that some of the risks change for each Olympic games. For example, the blackouts caused by cyberattacks on Ukraine in recent years (and attributed to Russia-backed hackers) demonstrate significant escalation in the tactics, tools and procedures that advanced persistent threat groups are using to target critical infrastructure.
Geopolitical considerations in the lead-up to the 2020 Summer Olympics in Japan could impact the risk profile considerably, particularly as nation-state attackers are responsible for the most highly sophisticated attacks, such as hacking critical infrastructure. While North Korea, Russia and China remain three of the most sophisticated cyber actors and all have clear goals that they could advance by causing cyber incidents on the global stage, they are also all presently planning to participate and have a vested interest in the games going well.
“North Korea is participating in the Japan Olympics, but if something were to happen that would result in North Korea withdrawing from the Olympics, that might create a possibility of more risk of some sort of disruption, whether it’s through some sort of missile test by North Korea or an attack that may or may not be attributed to North Korea,” explained Aaron Shraberg, senior analyst on the Asia-Pacific team at cybersecurity intelligence firm Flashpoint.
Hacktivist groups could also be motivated to take advantage of such a high-profile event to broadcast their message. For example, Shraberg said, “You also have China and Japan, who have a rather robust trading relationship but still have tensions resulting from everything from historical memory issues to territorial issues of the Senkaku Islands. Some activists might see the opportunity for the world’s eyes being on Japan to draw attention to these specific issues.”
Risks in Practice
Cybersecurity poses myriad potential risks for those in and around the games. On a widespread level, there are fundamental threats to the execution of Olympics events and the Olympic Village’s functionality as a whole. In a worst-case scenario, there is the prospect of a large disruption like an attack on electrical infrastructure during the games.
Point-of-sale systems for purchasing merchandise or food and beverages, digital ticketing systems, security systems and electronic hotel locks, thermostats, transportation systems, communication systems—the sheer range of IoT devices that are increasingly deployed can create risks in every facet of the experience for Olympic athletes, attendees and staff.
But as seen in PyeongChang, a cyberattack on lesser-connected systems can also cause notable disruption for those attending the games or trying to watch them—a downed ticketing system can effectively lock out spectators or cause chaos at the event. Disruptions that impact the ability to broadcast could mean reputation risk, massive losses during some of the most expensive advertising airtime, and concerns about the integrity of events since results can no longer be viewed or may seem unreliable. Critical services for athletes and attendees alike are now sufficiently connected by IoT technology and baseline technical infrastructure to the point that threats could prove truly physically dangerous.
“When you hold the Olympic Games, you’re going to be dealing with a lot of infrastructure, a lot of basic necessities, the dispensation of which relies largely upon an intelligent distribution of power, different types of data flows and transfers,” Shraberg said. “You have to consider everything from the potential for IoT-based attacks to the fact that there’s going to be very high temperatures in Tokyo during that time, and that’s going to introduce a whole other element of potential risk. You have to enlist emergency services, for example, in the event that you need medical attention in a specific area, and that all depends on the network as well. It’s a multifaceted but very interrelated problem, especially for managing security within a relatively dense urban space.”
Indeed, such concerns were specifically addressed during the 2012 London Olympics—Pennell reported the Olympics Technology Operations Centre featured a glass phone booth with a special security hotline to provide direct connection to relevant authorities in the event of a major attack and an interruption of communication networks or technology. For 2020, acute heat and earthquake risk in Japan make it especially critical to ensure the capacity to communicate with EMS personnel on the ground.
Rather than direct disruption of the games, Shraberg sees far more certainty in the increased threats from the rapid global proliferation of IoT devices. Point-of-sale systems for purchasing merchandise or food and beverages, digital ticketing systems, security systems and electronic hotel locks, thermostats, transportation systems, communication systems—the sheer range of IoT devices that are increasingly deployed can create risks in every facet of the experience for Olympic athletes, attendees and staff.
On an individual level, many common cyberrisks are notably amplified around the games. According to Shraberg, Flashpoint analysts are already seeing increased discussion on dark web forums about major threat types, including phishing campaigns and buying and selling of Japanese data for use in carding and cashing out schemes. While credit card fraud is certainly an everyday threat, such activity can increase around major events like the Olympics, given the larger amounts of commercial activity, transaction data being transmitted and amount of travel.
If you’re a consumer hacker, this is a field day because you have so many people concentrated in such a relatively small venue and no one is thinking about security, they’re just there to have fun and watch the games.
“You typically always have a consistent amount of credit card fraud happening at any one moment in time. The factor that may change is just an increase in people shopping and taking advantage of sales on goods and things like that during the Olympics,” Shraberg explained. “With that, we can expect to see a higher instance of this type of activity—even things like diverting deliveries while people are out at the Olympics and not home or taking advantage of a newer environment in terms of the Olympic compound to potentially create different spots to ship goods that they carded.”
All of these stakeholders also face personal data security risks. In addition to payment data transmitted during and around the event, any web traffic is particularly vulnerable and ripe for exploitation. Weinstein noted parallels to data privacy concerns for athletes and other attendees at last year’s World Cup in Russia, where many cybersecurity and law enforcement experts warned of the extensive potential state surveillance and data privacy concerns for anyone using devices on-site. While there is less risk from Japanese authorities, financially-motivated attackers have notable incentive to use many of the same tools while such a large crowd is gathered in Japan.
“If you’re a consumer hacker, this is a field day because you have so many people concentrated in such a relatively small venue and no one is thinking about security, they’re just there to have fun and watch the games,” Weinstein said. “Just think about all the people who will be using their phones and other devices out in the open and potentially logging into their personal accounts, conducting financial transactions, etc. It begs the question of how they are going to be connecting to the internet, and what type of information are they just going to be involuntarily spewing from their devices that could potentially get swept up.”
Guarding the Games
Given the threat profile and range and severity of risk, the Olympics present almost as many security challenges as there are events, and the stakes are just as high for the home team. The state of Olympic cybersecurity hinges on three key issues increasingly facing public and private enterprises today: complex networks of third-party vendors introducing risk, a talent and skills gap with regard to cybersecurity professionals, and building secure infrastructure that must stand up to inevitable direct threats.
The vast network of third parties involved in the Olympics introduces incalculable risk exposure. As in many breaches, attackers likely targeted a key vendor to carry out the 2018 incident in PyeongChang, the most successful cyberattack on the games to date. According to threat researchers at Cisco’s Talos unit, the attackers who created the destructive malware that caused the incident—dubbed Olympic Destroyer—may have first successfully compromised Atos, the main IT vendor that provides cloud services for the Olympics. The malware required authentic login credentials from a number of Olympics staff to penetrate each of the disrupted computer networks involved. Researchers believe hackers may have leveraged successful infiltration of third-party vendor networks to gain access to these Olympic networks, and to conduct thorough reconnaissance of the infrastructure architecture, including user and domain names. This reconnaissance and the cache of stolen user credentials from legitimate users gave attackers the means to breach Olympic systems and bring about tangible disruption through their IT infrastructure.
The cyber skills gap that presently poses a risk across industries comes into play with the Olympics as well, as top cybersecurity talent must be sourced to build, monitor and protect these systems during the games. Because Atos has provided key technology infrastructure for the Olympic Games since 1989, there is some continuity of talent and, in more recent years, they have shifted away from building new systems each year, with the goal of more continuity and refinement of the infrastructure over time. Every Olympic Games requires notably more, however, meaning an influx of cybersecurity staff. Given the nature of that cycle, many of these roles are typically temporary, meaning some staff may be untested when it comes to certain attack scenarios and working together as a team.
One way to help address different forms of cyber talent risk is a new tool being deployed in an array of settings across the public and private sectors: cyber ranges. Essentially the cybersecurity version of a shooting or driving range, these digital proving grounds offer intensive simulations for professionals to test their skills against a variety of attack scenarios seen in the wild, and practice incident response with their teammates, battle-testing these groups under realistic conditions before real catastrophe ever hits. More immersive than standard tabletop exercises, these require technical workers to actually respond to unfolding attacks and mitigate the danger. The ranges can be customized with the actual infrastructure that will be in place, which is particularly helpful in a situation like the Olympics, where that infrastructure may not fully exist to practice on and fortify until late in the game and on far too public a stage. Cybersecurity experts can also use ranges to test their infrastructure in advance to assess potential vulnerabilities and strengthen systems before they go live.
They haven’t had to think that way for a really long time because all they’ve been worried about is physical attacks against the infrastructure. Now, cyberspace has introduced a whole other attack vector. We need to think about that. It needs to be part of every industrial organization’s enterprise risk management strategy.
In preparation for the Olympics, Japanese service provider Ni Cybersecurity contracted a cyber range in partnership with Cyberbit, a firm that creates cyber training and simulation platforms for a variety of corporate and educational enterprises. “The cybersecurity market in Japan, as in the rest of the world, has a severe lack of skilled cybersecurity practitioners, and this became even more concerning in light of the upcoming Olympics, which typically includes an escalation in the number of cyberattacks,” explained Sharon Rosenman, the company’s vice president of marketing. “Cyberbit partnered with a local service provider to provide a new way of training based on a cyber range simulation platform to expose local cybersecurity practitioners to various kinds of attacks before they experience them in the field.”
Such considerations around ensuring top talent and incident response preparation tie into what Weinstein described as a three-pronged stool with regard to infrastructure security. “One, how do you build more secure infrastructure itself? That’s happening. Second, how does the end user implement monitoring and bring to bear different technologies that are out there? And then, how do the owners and operators of the infrastructure architect and operate their network in a way that is security conscious?” he said. “They haven’t had to think that way for a really long time because all they’ve been worried about is physical attacks against the infrastructure. Now, cyberspace has introduced a whole other attack vector. We need to think about that. It needs to be part of every industrial organization’s enterprise risk management strategy.”
Indeed, the complex case of the Olympics offers takeaways for managing critical infrastructure risks in a range of enterprises. When crafting infrastructure that is going to have to stand up to targeting from one threat or another, Weinstein said, “The first step is building resilience into it—recognizing that attacks are going to be inevitable, whether they’re high-level attacks or low-level attacks, it’s kind of an omnipresent characteristic of the ecosystem these days. Then the focus shifts to resilience, which is running under that state of attack and making sure that the barriers to entry are getting higher and not lower over time.”