Cyber-Tabletop Exercises for Sports-Entertainment Venues

Many sports teams of both the professional and collegiate levels perform tabletop exercises to prepare for various, potential emergencies, ranging from severe weather to terrorist attacks.  While such organizations tend to place a heavy emphasis on physical preparedness, there lies an often-underestimated potential for a cyberattack that can detrimentally affect sporting events as well.

Though many sports teams increasingly account for cyber threats, the acknowledgment seems to stop at basic information technology (IT) or information-related hacks.  Sports organizations must begin to realize that cyberattacks can be much more sophisticated once believed, with hackers potentially gaining access to restricted areas, tampering with emergency systems, or even compromising a venue’s visual infrastructure.  Incorporating cyber preparedness into sports organizations’ tabletop exercises is an excellent first step toward increasing cyber resilience in sports entertainment.

The Existing Problem

Cyberattacks are increasingly prevalent in sports venues throughout the world.  The Southeast Asian Games (SEA), a multi-sport event for nations in Southeast Asia, are one instance.  Just before the closing ceremony for the 2015 games, a closed-circuit television (CCTV) expert hacked in to the police security system and disrupted 30 CCTV cameras inside and outside the arena. The adversary executed the entire sabotage in a car parked outside of the arena, using a software tool on his laptop to scan the event’s CCTV system and eventually gaining full access to all of the police CCTV cameras in the Singapore Sports Hub to alter their settings and passwords.  The attacker’s advantage was his previous employment with the SEA event, and thus he already knew the IP addresses, usernames, and passwords for the system.  Had the sabotage taken place nearer or even during the closing games, it could have placed the attendees’ lives at risk by damaging the security systems for the police [1].

The 2017 AFC National Football League Championship game, hosted at the New England Patriots’ Gillette Stadium, is another instance of a successful cyberattack.  Prior to game time, an adversary successfully hijacked and set off the fire-alarm system, forcing media to evacuate the stadium [2].  Both of the incidents above illustrate the growing need for tabletop exercises that address cyber-threat preparedness.

Another example of the problem is the National Center for Spectator Sport Safety and Security at the University of Southern Mississippi, which lies at the forefront of security for sporting events at the University level.  In order to prepare for athletic events, the center holds a minimum of two tabletop exercises per year in a role-play situation and in an informal setting.  The exercises involve campus police, emergency management, fire/hazmat, event managers, and security supervisors and include evacuation exercises [3] but fail to emphasize cyber threats.

Sporting Districts

Cybersecurity is especially vital to sporting venues that reside in heavily concentrated areas. For some sporting districts, multiple stadia are not only adjacent to one another but also include shopping and eating in close proximities.  Multiple stadia and businesses that are massed in the same district should each utilize a separate network in order to limit the potential for cyberattacks. Sharing a wireless network amongst separate entities can increase the threat of cybercrime because a successful attack cannot be quarantined in such a case.

Network segregation, e.g. of those that control an arena’s visuals, Wi-Fi connectivity, or concession sales, can work as a security measure to prevent attacks from occurring in multiple locations throughout an internal network [4].  Tabletop exercise that simulate the isolation of and response to potential network attacks further assist in strengthening the countermeasure.

Visual Compromises

Sports organizations can set up a way to display messages on the numerous screens throughout an arena in order to alert spectators of occurring events.  While this practice can be a positive tool in emergency situations with such large crowds, it also has the potential to be hacked.  Compromising visual features throughout venues can allow an adversary to send false messages or alerts to fans, opening a world of chaotic possibilities (such as conflicting evacuation instructions, etc.).

An example of a stadium’s vulnerable visual aspects is LED screens that are located throughout the concourses or within the stadium.  Connection occurs throughout various systems within a sporting venue, including fiber optic channels, with some having direct connection to routing systems [5].  Emergency messages, including evacuation routes, are vital pieces of information to portray to spectators on these lines and must prove resilient to tampering [6].  Modeling the vulnerabilities and potential attacks among a sporting venue’s visual infrastructure and practicing the optimal proactive-fortitude as well as reactive-recovery measures make for a great tabletop exercise in cyber resilience.

Hacking Lines of Communication

A chaotic evacuation scenario in 2015 at the University of Maryland football stadium demonstrates the importance of open lines of communication amongst staff and emergency crews at live events.  In a match between Maryland and Bowling Green, Byrd Stadium was evacuated due to a weather delay.  While many universities have emergency plans in writing, success ultimately comes down to implementation.  Fans were told to evacuate but were not given a destination, even though two nearby facilities were open to escaping fans.  Proper instruction never made its way to the stadium’s message boards, indicating a lack of open communication in the midst of emergency [7].

While stadiums and venues vary in capacities at events, DHS outlines overall evacuation planning for arenas, with incident command systems ranging from the local/stadium responder level to the state and federal level.  Stadia such as AT&T Stadium, home to the Dallas Cowboys, implement tabletop exercises for emergency training of staff before events take place in the venue.  Similarly, many college stadia partake in drills that involve event staff and first responders [8], and the Denver Broncos make the stadium evacuation plan available on their team website.

A main component of evacuation drills is open lines of communication, including radio communications, P.A. announcements, and visual directions that are displayed on stadium boards.  Operational staff need to be able to communicate with police, fire, and emergency medical services as well.  While drills are a common practice, they may not include an abrupt disruption in communication amongst vital staff and emergency crews.  What would happen if hackers gained access to the controls of radio channels or the P.A. system to compromise communication?  Addressing such questions is a first step in adding cyber-communication practices to tabletop exercises.

Hacking Emergency Systems

Host-arenas of larger sporting events such as the Super Bowl or the NCAA tournament typically construct incident command systems or emergency operation centers prior to game commencement.  As these venues rely on such constructs to optimize emergency response times or traffic management, preparation for the compromise of equipment or communication in the event of a cyberattack is of utmost importance.

Similarly, within most major stadia are standard emergency systems such as fire-containment sprinklers.  Appropriate staff must address the access and control requirements of a stadium’s sprinkler system as well as vulnerabilities to and countermeasures of a potential hack.  If a fire were to occur, for example, in U.S. Bank Stadium (home to the Minnesota Vikings), which operates automatic, remotely controlled sprinkler valves, a cybercriminal could hijack the system and ultimately prevent the sprinklers from releasing [9]. As a part of emergency tabletop exercises, sporting venues must practice cyber-protection of their sprinkler and irrigation systems.

Gaining Access to Restricted Areas

Many sporting venues ceaselessly work to keep up with the advancement and increasing demands of technology in sports entertainment, relying on equipment such as visual boards, metal detectors, and access control systems for ideal operation.  The reliance of such vital instruments on computers and technology potentially opens the door to cyberattacks as well; for example, a cybercriminal may hijack a system in order to gain access to restricted areas such as control rooms.  Limiting staff access and integrating a secured card entrance to restricted areas, each entry to which would notify a superior, could help to reduce the threat of an incident.  Tabletop exercises allow operational staff to assess these and other security measures and ensure a venue with optimal cyber-resilience.

While the maintenance of existing tabletop exercises that address physical preparedness for natural disasters, terrorist attacks, etc. is crucial, tabletop exercises that address cyber-preparedness for technological disasters are a vital addition.  With the ever-increasing prevalence and sophistication of cyberattacks, coupled with the ever-increasing dependence on technology for critical operations, sporting venues must begin to practice cybersecurity for the safety all that are involved.  Tabletop exercises are a brilliant first step toward securing the realm of sports entertainment and giving peace of mind to staff, players, and patrons.

This post was written by: Stephanie Jenkins & Lovila Nowak
References

[1] Hussain, A. (2016, August 16). Engineer Gets 8 Months’ Jail for Hacking into Police CCTV Cameras at SEA Games 2015. Retrieved from The Straits Times: http://www.straitstimes.com/singapore/courts-crime/engineer-gets-8-months-jail-for-hacking-into-police-cctv-cameras-at-sea-games.

[2] Thomas, Jeanna. (2017, January 22). Gillette Stadium Evacuated for Fire Alarm Prior to Steelers vs. Patriots. Retrieved from SBNation: http://www.sbnation.com/2017/1/22/14350196/boston-man-sets-off-fire-alarms-at-steelers-hotel-before-championship-game-vs-patriots.

[3] CampusSafety (2012, January 31). How to Manage Crowds at College Sporting Events. Retrieved from CampusSafety: http://www.campussafetymagazine.com/article/Controlling-Crowds-at-College-Sporting-Events/P3.

[4] US-CERT (2016, September 28). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved from DHS: https://www.us-cert.gov/ncas/alerts/TA16-250A.

[5] Extron Electronics [undated]. Sports Stadium. Retrieved from Service Support Solutions: http://www.extron.com/company/article.aspx?id=stadium.

[6] Hennick, C. (2016, July 20). Stadiums Need Physical and Digital Security to Keep Players and Fans Safe. Retrieved from BizTech: http://www.biztechmagazine.com/article/2016/07/stadiums-need-physical-and-digital-security-keep-players-and-fans-safe.

[7] Jones, D. (2015, September 15). Chaotic Lightning Evacuation from Maryland Football Stadium Raises Questions of Safety, Common Sense. Retrieved from PennLive: http://www.pennlive.com/pennstatefootball/index.ssf/2015/09/penn_state_football_big_ten_li.html.

[8] Stanford Report (2013, August 13). Evacuation Drill To Take Place at Stanford Stadium Today. Retrieved from Stanford News: http://news.stanford.edu/news/2013/august/evacuation-drill-stanford-081413.html.

[9] Bowar, D. and Taylor, K. (2016, February 1). Minnesota Multi-Purpose Stadium Minneapolis, Minnesota. Retrieved from Minnesota Sports Facilities Authority: http://www.msfa.com/content/RFP%20WEST%20PLAZA%20PROJECT/2016-02-01%20-DTE%20West%20Plaza%20CD%20Set%20%20.pdf.