The biggest sporting event of the year just took place, and with more than 100 million people watching it isn’t a good time for any, erm, fumbles, not even from a cyber security perspective. Yet an event of that size has a different kind of appeal to a certain type, the kind of person or group who would want to make a demonstration of, well, interference; if large companies are a “whale” then the Super Bowl is the blue whale of the cyber sea.
From a security standpoint, that makes this fish a bit of a nightmare.
The Players Line-up
Pulling off an event the size of the Super Bowl takes thousands of individuals, vendors, event coordinators and so on. Setting up the infrastructure, calling the shots (and the instant replays) during the show, the massive halftime show and that major clean-up project afterward all fit together, from an event perspective.
In the cyberverse, a different kind of event is going on altogether: an offensive and defensive security strategy.
Coordination, then, calls for a line-up of some of the biggest players in the nation:
• The NFL has to be in the loop, and work with security companies for physical security (think: bodyguards) as well as digital security.
• The Department of Homeland Security gets to call the shots, simply because of the size of the event and the threat potential.
• The FAA (Federal Aviation Administration) enforces the “no fly zone” over any Super Bowl and had extra responsibilities because of that amazing drone light show (more on that later).
• The US military is reportedly on hand to help enforce that no fly zone.
• The FCC (Federal Communications Commission) gets involved because this is a broadcast. They don’t just enforce “no swearing” policies and apologize for “wardrobe malfunctions,” but those functions do fall under their umbrella.
That’s all before you’ve even employed a private company to handle cyber threat mitigation services, another necessary component of such a large scale event (but a boon any business can take advantage of).
If you think your Thanksgiving table was crazy, imagine so many private and government entities needing to work together just on one aspect, the security, of the Super Bowl!?
The Digital Canvas
Twenty years ago the security at the Super Bowl would have been very different: physical in nature. The broadcast itself would be the one interruptible, hackable feed (and hacking was a relatively new field with far fewer players).
Not so, for Super Bowl LI.
The broadcast is digital. Mics are wireless. Everyone in the stadium has their own internet-connected device (used to order food, watch instant replays, and so on). Vendors are swiping cards. Performers and technical crew are gearing up and communicating wirelessly. Emergency services are there at the ready. The entire “smart stadium” is full of IoT (internet of things) devices that could potentially get hacked and transformed into a bot army (some of the biggest attacks of 2016 involved such devices).
The entire team of players (we’re talking the security ones) has to plan for events that would be small but catastrophic, such as a power outage, as well as events that would have national security implications.
Layers of Protection
With so much at risk, the key to a successful event like the Super Bowl is stages of protection, each one prepared for a good defense.
STEP ONE: Pre-planning. That impressive drone show, with hundreds of little lighted devices flying over the stadium, would never be allowed by the FAA: too high a risk factor. So, it was pre-shot.
Each piece, from vendor deliveries, to cleaning the stadium, to inspecting devices, has to be examined on a timeline that considers the threat and mitigates the risk.
STEP TWO: Human prep. The biggest security threat to any organization is its own employees. A phishing attack likely led to the hack of the DNC. A LinkedIn employee hack likely led to the Dropbox hack.
A chain of security is only as strong as its weakest link, and without educating the employees, the boots on the ground (so to speak), one risks breaking the entire chain of security. So it isn’t just the cyber security personnel who need to know how to prevent such attacks; every vendor and employee has to agree to the security terms of the event.
STEP THREE: Be ready live. During the Super Bowl itself, think of the plays going on as the offensive line, but the defensive players were also at the ready. The US military didn’t need to shoot any planes out of the sky, but they were ready. The back-up power didn’t need to run, but it could have. The internet didn’t need to get shut down within the stadium to stop an attack, but it was a possibility.
It makes for a tense couple of hours, but at the end of the game the Patriots went home victorious, as did the cyber security team.