As operations at sports stadiums become more dependent on data centers and online networks, and as the performance metrics and health data of athletes become more vulnerable to illicit exposure or alteration, the $80 billion industry of competitive sports has become increasingly vulnerable to cyberattacks.
In fact, hardly a league or event in global competitive sports has gone unaffected by a cyber event in the past decade. From the NFL to the NBA, and from NASCAR to the Olympics, a spectrum of cyberattacks has taken place impacting fans, stadium infrastructure, and the integrity of sports.
Awareness of cybersecurity risks is on the rise and many organizations have initiated proactive measures to guard against such incursions. However, Nate Evans, lecturer for the Master of Science in Threat and Response Management Cyber Awareness class and program lead for cyber operations, analysis, and research in Argonne National Laboratory’s Strategic Security Sciences Division, notes that broad awareness of these risks is still in its infancy.
“While a lot of organizations have done a good job identifying their primary cyber-physical dependent vulnerabilities, they rarely take the next step and look at what those things depend on,” said Evans. “So as networks and physical systems continue to merge throughout competitive sports, especially with the growth of industrial control systems and the internet of things, the need to understand cyber dependencies is rapidly growing.”
“While a lot of organizations have done a good job identifying their primary cyber-physical dependent vulnerabilities, they rarely take the next step and look at what those things depend on. So as networks and physical systems continue to merge throughout competitive sports, especially with the growth of industrial control systems and the internet of things, the need to understand cyber dependencies is rapidly growing.” —Nate Evans, Program Lead for Cyber operations, analysis, and research in Argonne
Today’s sports arenas and stadiums are comprised of innumerable cyber-physical dependencies. From scoreboards to on-field cameras, from water and lighting to fire suppression, traditional physical systems have been replaced by centrally located data centers in recent years, creating an array of new dependencies.
What is more, these dependencies are often more complex than traditional dependencies, such as power outages, which follow an A (outage) to B (lights out) logic. In the case of cyber, where data gets transmitted from A to B, that data can be intercepted and modified—or even fabricated—for the purposes of disruption or monetary gain. The security assessment in the case of cyber, therefore, will typically involve an additional series of considerations and steps.
“Stadiums are growing their cyber infrastructure,” Evans said. “That includes traditional computing infrastructure like enterprise systems, servers, and data centers. So what you find is that they’re adding more and more Wi-Fi to get more connectivity throughout the game, but that sort of growth in technology is lacking a connecting growth in security. So they’re adding all this functionality, but they aren’t thinking about a lot of the security components.”
Even the experience of fans has encountered disruption. While online ticket scams have been an issue for years, a newer area of concern emerges with the trend of Wi-Fi-enabled ticketing and cashless concession purchases. These new amenities expose fans’ credit cards to misappropriation.
For instance, before the opening ceremonies of the 2018 Winter Olympics in South Korea, malware affecting the central data center housing the information technology infrastructure resulted in a disruption of Wi-Fi service. Fans were subsequently unable to print their tickets, open the ticketing app, or have their phone scanned. The security system also went down. Consequently, the opening ceremony was an embarrassment of sparse attendance.
“In this case, nothing calamitous happened,” said Stephanie Jenkins, a cybersecurity analyst at Argonne. “Nevertheless, what’s important is thinking about what policies and protocols you have in place should something like that happen. A lot of times we think that cyber attacks have their origins in nation states, or that they come from adversaries, when actually it can be something as simple as this.”
While sports have always been a domain of careful calculation and precise measurement, only in recent decades has the use of analytics and big data become fundamental to strategy and success. Consequently, teams have mobilized computer networks to analyze data in order to determine strategies for optimal performance and competitive advantage.
Whether it is medical data for a specific player or proprietary strategic information, if the document lives online it is liable to be hacked and used for anything from cheating to tarnishing the reputations of players.
A well-known instance took place in 2013 when a member of the St. Louis Cardinals organization hacked into the Houston Astros database using passwords similar to those used by a former colleague who ended up taking a new position with the Astros. The Cardinals were able to access a trove of valuable and confidential information, including scouting assessments and player trade discussions.
“There really isn’t a standard for punishment out there for what happens when someone’s caught compromising or stealing data,” said Evans. “There needs to be a focus placed on understanding who owns that data from a privacy perspective. The problem will continue to scale and get worse, especially now with the rise of esports and the legalization of sports betting. Player data is going to become much more valuable for people who want to get an edge.”
“There needs to be a focus placed on understanding who owns that data from a privacy perspective. The problem will continue to scale and get worse, especially now with the rise of esports and the legalization of sports betting. Player data is going to become much more valuable for people who want to get an edge.” —Nate Evans
As technology continues to grow and become increasingly important across the sports landscape, a method for assessing the resilience of the network on which the technology relies on needs to be developed. Areas of vulnerability begin with the fact that cybersecurity is not keeping pace with evolving technological growth and capabilities, thus there is a lack of standardization across policies and procedures.
While many organizations have run tests and exercises exploring first-tier cyber-physical dependent vulnerabilities, such as water and power, very few are looking at the more complex array of dependencies that emerge further down the line.
“We’ll often go in and do an assessment of critical infrastructure around the nation and the person responsible for the physical systems will throw up their arms and say that they don’t do cyber and walk away,” Evans said. “We need to get past that. It really needs to be a merged effort today, especially when we have thousands of people’s lives at stake and billions of dollars.”
When it comes to developing assessment frameworks for diagnosing vulnerabilities in the area of competitive sports, Evans has found that a competitive methodology is more effective. In contrast to using a maturity-based model reliant on best practices and regulatory policy, which is a path some organizations have taken to ensure cybersecurity, he sees a model where individual organizations are given an opportunity to see how they compare with their peers as a more effective strategy to get buy-in from leadership.
“Especially in sports, where competition is the essence of everything, this sort of methodology seems to work better,” he says. “The point is cybersecurity can’t continue to be an afterthought in the sports landscape. The development and implementation of a risk assessment is the first step to identifying the problem and hopefully getting to a solution.”