The growing reliance on IT infrastructure has resulted in increased cybersecurity requirements to plan for and mitigate possible cyber-attacks. Chris Harris, Europe, the Middle East and Africa (EMEA) Technical Director at Thales UK, discusses the type of threats that may impact the Games.
Ever since the 2004 Athens Olympic Games, cybersecurity has been a growing concern for the host nations and the International Olympic Committee (IOC). The growing reliance on IT infrastructure has resulted in increased cybersecurity requirements to plan for and mitigate possible cyber-attacks.
Digital games
Even though Tokyo 2020 will be held without spectators, after Japan declared a state of emergency following a surge in COVID-19 cases, the games still depend on a great variety of cutting-edge digital infrastructure such as an AI-enabled face-to-face live translation device, face-recognition tech and ZMP’s Robot Taxi, a driverless car.
The dependence of the Tokyo 2020 Olympics on technology highlights the potential risks if a system was infiltrated. Japan and the IOC must be able to trust in the companies behind the technology, and their technical know-how and digital infrastructure.
It comes therefore as no surprise that the IOC identified cybersecurity as a priority area and announced plans to heavily invest to provide the best cybersecure environment for the games. However, the IOC noted that it would not be disclosing the specific details of their cybersecurity plan due to the nature of the topic.
Olympic threats
Cybersecurity threats to the Olympics are not without precedent. The 2018 Winter Olympics in Pyeongchang saw the highest level of attacks. Russian hackers carried out attacks on Olympic networks before the opening ceremony, which slowed down the entry of spectators and took Wi-Fi networks offline. They also tampered with portions of the broadcast.
Historically the focus was on physical security, but as audiences grow in this ever-more connected world, the potential to disrupt or use a global event, such as the Olympic Games, as a platform for malicious, radical or misinformation purposes means that cybersecurity has needed to move center-stage to ensure the events can continue without disruption. When you have countries from across the world coming together, groups are going to try to take the opportunity to enrich themselves through crime or embarrass the host nation on the international stage.
The risks are not very different to those which businesses usually face, but the lure of such a visible stage and high-profile target means that the scale and volume of these attacks will be magnified to levels way beyond what regular corporations would see. RAND Corporation has published research highlighting the types of threats that Tokyo faces, which include:
• Targeted attacks, aimed at high-profile Olympic assets, individuals or organizations.
• Distributed denial of service (DDoS) attacks against Tokyo 2020 infrastructure or associated networks.
• Ransomware attacks which could affect a wide range of devices, services and underlying infrastructure supporting the Tokyo 2020 Olympics.
• Cyber propaganda or misinformation to damage the reputation of individuals, sponsor organisations, or the host nation.
According to the same research, the most probable threat actors are foreign intelligence services, cyber-terrorists, cyber-criminals, hacktivists or disgruntled insiders and ticket scalpers.
Preparing for the gold medal
To address this level of threats, planning is essential. Japan has initiated its preparation for the Olympics since 2015, signing partnerships with international and national organisations and agencies. For example, it has partnered with the U.S Department of Homeland Security, NIST, and Israel’s electricity provider, to manage cybersecurity concerns to critical infrastructure during the Olympics. More importantly, all of Japan’s leading corporations supporting the Olympic Games have adapted the NIST Cybersecurity Framework to align their preparedness and reaction to the globally accepted framework.
It is also important to note that Japan hosted the 2019 Rugby World Cup, another huge international sports event which served as a dry run for Tokyo 2020. This was a golden opportunity for the country to set a milestone before the Olympics to test its readiness and incident response capabilities in advance.
Finally, a review of Japan’s cybersecurity strategy for Tokyo 2020 showed that the country has limited cybersecurity professionals with only 28% of IT professionals working in-house. To solve this problem, Japan trained 220 ‘ethical hackers’ in the hope of creating a more cybersecure Tokyo 2020. The same review concludes that even “if the event is held in 2021 and the pandemic still requires most of the operators to work remotely, it would be important to secure not only Tokyo 2020-related infrastructure such as electricity, transportation, and venues, but also their remote work IT environment.”
Cybersecurity is a marathon at sprint tempo
Encryption will play a larger-than-ever role in protecting the information critical to the successful and safe operation of the Games. Networks should be encrypted, so that any data captured is unreadable. Principles of Zero Trust need to be applied to ensure that people and devices within the internal network are authenticated and only granted access to the resources they need. It is not just perimeter defense which needs to be in place, but every server, ever data store, every IoT device tracking the movement of vehicles, shipments, or capturing video should be delivering encrypted information to trusted locations and only able to communicate with the servers and services that are essential for their operation.
Finally, as ransomware attacks are on the increase, it will be important to ensure that critical systems and networks are segregated and redundant, and to ensure that backups and process-level privilege controls are in place to try and limit the threat to core systems.
Your organisation may not be under the same pressure as the Tokyo 2020 cybersecurity team, but for more information on how to protect and control sensitive data, read more about Thales’ Data Protection and Access Management solutions.