Sports venues must vet their vendors to maintain security
Sporting events generate a lot of consumer activity, from hotels and restaurants to retail. Large sporting events are held together by webs of connectivity that include vendors, sponsors, employees, and consumers. These networks connect ticketing, merchandising, venue access, live events information, and everything in between.
This connectivity delivers a lot of value to venues, vendors and consumers alike, but it also can create potential points of entry for threat actors. The following are some critical considerations for businesses and fans as retail activity heats up around sporting events this summer.
The sports and entertainment sectors are distinct from other industries and continue to face numerous threats and challenges. In other industries, the technology infrastructure is built to sustain long-term usage. The cybersecurity strategy therefore reflects a business strategy that revolves around long-term goals: it takes scalability into account and needs to be flexible enough to adapt to any changes in the business.
However, in sports and entertainment, the long-term corporate infrastructure should be paired with short-term strategies. The short-term technology infrastructure goal is to evolve until the very last moment of the event – with a specific focus on “just-in-time scaling” and the ability to deliver a specific service at a specific time that can be easily dismantled once it is no longer required.
The cyber-physical convergence
The rapid development of technology within the sports industry (e.g., augmented reality, smart turnstiles, facial recognition) and complex interdependencies between suppliers have increased the complexity of cybersecurity concerns. In our highly connected world, the rise of digital twins and collaboration across various platforms is transforming the sports landscape into an interconnected business network.
Among the many technologies that may present lucrative targets for cyberattacks, PIID stands out as a prime example:
1. Personalization (P): Personalized features for fans in stadiums, often delivered through mobile applications, enhance the fan experience.
2. Information gathering (I): Player information is gathered during games using athlete performance monitoring devices such as health bands and smartwatches.
3. Instant replay (I): Instant replay technology, commonly used by referees, relies on data that, if compromised, could be exploited by betting firms to create bias. This underscores the importance of discussing AI utilization and the distinction between time sensors and touch sensors in data collection.
4. Data sovereignty (D): The increased collection of data raises concerns about data sovereignty, trust, and privacy, particularly regarding PI.
The convergence of cyber and physical systems is driven by the increasing utilization of digital technologies, resulting in transformative shifts in information technology and connectivity, and the proliferation of the Internet of Things (IoT) within physical systems.
The core components of this convergence include connectivity sensors for data collection (e.g., sports accelerometers), automation, and control mechanisms. This convergence can offer numerous advantages, including predictive maintenance capabilities, enhanced safety measures, and reduced downtime.
However, it also presents the potential for new threats, such as:
DDoS attacks: The disruption from these attacks can severely impact essential services such as ticketing and gate entry, resulting in financial repercussions and disgruntled spectators. Instances of remotely locking stadium doors have occurred in the past, and the consequences could be dire, particularly as it could lead to the exclusion of attendees or force an overwhelming influx of individuals towards a single exit.
Bot attacks against ticketing: Automated programs possess the capability to acquire tickets at a substantially greater pace compared to humans, contributing to the practice of scalping and the artificial inflation of prices. This phenomenon creates an inequitable distribution of access to events, negatively impacting both aficionados and event organizers. The rush of online transactions – obtaining tickets or venue access to major events – also paves the way for spoofed sites designed to acquire login credentials, which, in turn, can be used to steal personal data and payment card information.
Deceptive Wi-Fi hotspots/Rogue hotspots: Fake Wi-Fi hotspots can lure users into establishing connections, thereby enabling malicious actors to intercept sensitive data, redirect users to malicious websites, and pilfer their personal information.
Furthermore, a stadium may possess approximately ten thousand or more network ports, over one thousand access points, and fifteen hundred beacons. The combination of bring-your-own-device (BYOD) practices and open Wi-Fi environments fosters an ideal breeding ground for network and malware-based attacks.
Attacks against payment flow: Hackers can target payment systems to steal payment card data and make fraudulent transactions. This can lead to financial losses for both customers and organizations. To exploit this widespread vulnerability, threat actors often employ social engineering, which refers to tricking people into divulging sensitive information that hackers can use for their own unscrupulous purposes. Hackers take advantage of large sporting events, as they inspire a lot of passion in their fan bases and can create confusion around the event, with a massive influx of tourists, an uptick in police presence, and a surge in retail activity and unofficial merchants.
False messages on scoreboards/information boards: Attackers can manipulate scoreboards and information boards to display false messages, causing confusion and disrupting the event experience. This can have an impact on the integrity of the game, but also presents security risks when the false messaging is meant to lead to panic.
Protecting the digital supply chain
The enterprise network of a modern sporting venue has a lot of moving parts, connecting employees, a myriad of devices, security and surveillance, on-premises vendors, and so on. The venue also interacts with external partners for a variety of services and functions. There may be edge computing, private networking, MEC and cloud network components, which may interface with other systems and networks. In other words, a sporting venue’s cybersecurity is not self-contained; it is part of a digital supply chain.
Consider a film studio as a cybersecurity analogue that can shed light on this dynamic. Large studios outsource a number of services, such as graphic arts, animation, postproduction, etc. Many of these postproduction companies, especially specialty shops, are smaller with a limited cybersecurity budget. Yet they house the studio’s valuable IP, which may capture the attention of threat actors. These small companies can act as a sort of back door to data that hackers would not otherwise have had access to.
In other words, an organization’s cybersecurity is only as strong as its weakest link. Lack of security within vendors and other third-party partners’ infrastructure can compromise a venue. Threat actors can exploit these dynamics for their gain, for instance, masquerading as a trusted vendor in an email with a fraudulent invoice.
The internal threat
According to the 2024 Verizon Business Data Breach Investigations Report, the human element is a major culprit of security breaches, accounting for more than two-thirds (68%) of security breaches last year. These breaches are often non-malicious and internal – employees may fall victim to a business email compromise (BEC) attack, whereby hackers present themselves as a trusted executive within the organization.
These scams are more likely to be effective during busy periods in which employees are under pressure and rushing to meet deadlines. High-profile sporting events of this summer create those very conditions. Celebrity culture can make sports fans more susceptible to social engineering since their emotions are heightened and their attention is pulled in many directions. Knowing this, hackers may create a sense of urgency in their texts and emails to compel users to impulsively click on a malicious link or share sensitive information. It takes less than 60 seconds for the average user to fall for a phishing email, according to the DBIR.
All of which is to say venues must tighten up not only their internal network but also their external network of partners. Workforces must be on high alert both for unwitting internal threats and malicious external threats, and every piece of communication during heightened periods of activity must be regarded with skepticism.
1. Awareness of the environment
Organizations must have a comprehensive understanding of their digital assets, including hardware, software, networks, and data. This involves conducting regular audits to identify vulnerabilities and potential attack vectors. By understanding their environment, organizations can better prioritize their cybersecurity efforts and allocate resources accordingly.
2. Understanding the attack landscape
It is essential for organizations to stay informed about the latest cyber threats, attack methods, and emerging trends. This includes monitoring security advisories, threat intelligence reports, and industry news. By understanding the attack landscape, organizations can anticipate potential threats and develop countermeasures to mitigate their impact.
3. Risk assessment
Once organizations have a clear understanding of their environment, the attack landscape, and their asset inventory, they can conduct a thorough risk assessment. This involves identifying and prioritizing critical assets, evaluating the likelihood and impact of potential attacks, and prioritizing risks based on their severity. By conducting a risk assessment, organizations can make informed decisions about where to invest their cybersecurity resources.
4. Vigilance and threat monitoring
Organizations need to be vigilant in monitoring their networks and systems for suspicious activity. This involves implementing security monitoring tools, such as intrusion detection systems (IDS) and security information and event management (SIEM) solutions. By continuously monitoring their environment, organizations can detect and respond to threats in a timely manner.
5. Training and education
Educating executives and employees about social engineering attacks is crucial for preventing successful breaches. This includes raising awareness about common attack methods, such as phishing emails, phone scams, and social media impersonation. Organizations should provide regular training sessions to ensure that employees are equipped with the knowledge and skills to identify and report suspicious activities.
By adopting these measures, organizations can significantly enhance their cybersecurity posture and protect themselves from a wide range of threats. It is also important to remember that cybersecurity is an ongoing process, and organizations must continuously adapt to the evolving threat landscape.