It's the fourth quarter. The NFC champions are in position at the 10-yard line of their opponents, this year's AFC champions. It's the final down of Super Bowl 51, and over 70,000 fans are on their feet. The quarterback calls the play, the running backs are moving across the field behind the line of scrimmage, and tensions are at a breaking point. Then, just as the QB yells, 'Hut... Hut...' everything goes black.
In a moment, all power at Houston's NRG Stadium, filled to capacity, is cut. Event staff struggle to keep people calm and get help, but all emergency communications are blocked. The fans in the stands are shocked, scared and restless because of the timing of the blackout. Children are screaming, their terrified parents rushing them to the nearest exit. A stampede breaks out, and many are caught under the roaring crowd. A fire breaks out, but the sprinkler system does nothing...
This horrific scene can still be considered purely fictional. Thankfully, there has not been a successful cyberattack with thousands of casualties at a major sporting event. But with the exponential increase of cyberattacks on critical infrastructure, and the popularity of these events, it can only be a matter of time.
In recent years, numerous international sporting events have been the target of criminal activity in cyberspace and technical malfunctions caused by waves of cyber-attacks. Since the late 2000s, large sporting events and international tournaments have been the target of millions of cyber-attacks. However, most of them were typical IT attacks against networks/computers, rather than against the operational technology (OT) landscape or critical infrastructure.
During the 2014 FIFA World Cup held in Brazil, there was a drastic increase in malicious cyber activity. In a period of 30 days, starting three weeks before the tournament and running through its first week, more than 90,000 attacks were launched against related organizations. During the 2012 London Olympics, 11,000 malicious requests per second were received and 212 million malicious connection attempts were blocked. Another good example is the 2016 Wimbledon Tennis Tournament, where technology partner IBM saw a 302 percent year-to-year increase in security events and attacks on the official tournament website, wimbledon.com.
As the IT and OT landscapes continue to converge, the connection between these critical units creates a new attack surface and a gateway into the OT environment through numerous vectors. Such penetrations may result in malicious activity and harmful outcomes, such as system downtime or hijacking. Like smart buildings and structures, large-scale sports complexes use computer-based systems that monitor, manage and control various electrical and electromechanical functions, including:
- Illumination Control
- Power Distribution
- Security, Surveillance and Observation
- Building Access Control
- Fire Safety/Extinguishing
Stadiums and sports arenas have the same vulnerabilities as smart buildings, namely critical functions managed by a centralized system that can be compromised. However, there is one major difference: malfunctions caused by cyber-attacks can impact the integrity of the game being played. Direct cyber-attacks against sporting events can create a chain reaction of repercussions that affects related sectors such as insurance, regulated gaming, sports broadcasting, advertising, ticket revenue, sports merchandise, professional athletics and more.
In the last three decades, power outages have disrupted several major sporting events, including Super Bowl XLVII (2013), the Argentina vs. Brazil soccer match (2012), the Minnesota Vikings vs. Chicago Bears NFL football game (2010), Game 3 of the 1989 Baseball World Series and more. The outages caused serious reputational damage that also had negative financial consequences. Currently, cyber specialists understand that hackers and attackers have both the capabilities and the motivation to target sports stadiums, arenas and international sporting events. Hackers and cyber-criminals are driven by various motives, including political and ideological beliefs, economic value, related criminal activity spilling over into cyberspace, strategic gains and other issues pertaining to national security. All these factors create a new impending threat.
One major cyber risk that is gaining more attention from facility managers is ransomware - malicious software that enables an attacker to access stadium control computers, seize sensitive data and then demand some form of payment to release it. McAfee Labs analysts detected more than 4 million samples of ransomware in Q2 2015, including 1.2 million that were new, and expect those instances to grow during 2016. That compares to fewer than 1.5 million total samples in Q3 2013, when fewer than 400,000 were new. Several cyber experts assess that more and more of these attacks will be directed towards arenas and stadiums.
In today's precarious and vulnerable landscape, stadiums and arenas face a new kind of threat that is exacerbated by two major factors. First, the intricacy and interconnectedness of critical functions in stadiums can possibly create a disastrous "domino effect" if attacked. Second, these risks are still not receiving enough attention or funding, since they fall outside the scope of traditional IT.
If we continue to ignore this potentially catastrophic vulnerability, the results could be devastating. Instead of remembering the game-winning catch, we will be remembering the thousands of lives we lost that day.