
Challenges Fortifying Venue Cyber Security


I recently had the pleasure of speaking with 'The Stack' about the growing need for industry-wide cyber security standards for venues and stadia, given the looming threat of attacks.


The article provides some insight into these challenges and the need for more collaboration between governing bodies and local government. If you fancy a read, I have shared the link below:



If you would like to dig further into these pressing issues, I have provided more in-depth insights below, along with my suggestions for levelling up cyber security for venues.



Growing Challenges for Venues


In my role at World Rugby, I discovered a number of reasons why venues are not keeping pace with advancements in cyber security. Firstly, it could be holding onto legacy technology. Venues have usually made large investments in technology that is no longer fit for purpose or is out of support, and with technology costing more each year it is difficult for venues to justify the uplift. These legacy platforms cost more each year to maintain and make it harder to address the growing demands on venues.


Another challenge is the lack of cyber expertise to call upon; cyber skills are expensive, and any recommendations to build better protections cost even more. Most venues outsource their technology support and receive very little cyber guidance.


Lastly, there is the motivation of threat actors and the advancement of attacks. It is much easier for cyber criminals to attack small to medium organisations, and recent research shows ransomware is still the most likely technique to be used.



Requirements for Frameworks and Standards


One of the biggest challenges currently facing venues is the lack of a framework to follow when looking to improve their protections. In each assessment I've undertaken, every venue has been inconsistent, ranging from no network segmentation to a lack of endpoint security. This highlights the importance of a venue cyber framework with step-by-step guidance so venues can ensure their investments are high value.


This framework should include a list of standards and controls depending on the size and complexity of a venue. I use a blend of NIST and NCSC CAF to select those controls, then tier them between bronze, silver, and gold:


  • Bronze controls are mandatory and every venue should have them, for example patch management, endpoint security, network security and MFA. Usually these venues and stadiums are small/medium, under 1000 seating capacity.

  • Silver controls are selected based on the complexity of the venue; examples include DDoS protection, an IdP, IDS/IPS for the network, and proper asset lifecycle management.

  • Gold controls are the most advanced and usually reserved for national/major venues; these could include UEBA, zero trust networking, or advanced user training.


Using this type of approach means there is a baseline for venues to follow, ensures they are not investing in inappropriate controls, and shows gradual maturity.



Consequences of Inaction


The usual response I get back from venues is "we're only a small venue, we won't be targeted?" Unfortunately, unknown to them, they are wrong: small to medium sized organisations are the prime target for cyber criminals, as they are likely to be easier to compromise due to a lack of protections and rigour around cyber security.


A successful cyber attack could result in major long-term disruption of any events at the venue, or an inability to operate proper access control, leading to potentially extreme threats to the health and safety of fans.


The long-term impact for a venue of a cyber attack could be months of recovery and the associated loss of revenue; based on my own analysis, this could result in bankruptcy for the operators.



Responsibility for the Sports Industry


Governing bodies have a responsibility, when running any events including major sporting spectacles such as World Cups or Series', to help venues with their cyber security. Often these venues have seen under-investment, specifically in technology and cyber, so guidance on the most appropriate controls to keep them protected is just as important as the successful running of an event. On top of the guidance and support, governing bodies and sporting organisations need to consider investing in venues for the long term and not just for a short-term event.


Another responsibility is sharing best practice regularly with venues and stadiums; producing blueprints and policies to share with them ensures there is consistency in their deployments.


Lastly, venues should be integrated into any operational planning and exercises to better prepare for a potential attack. This will highlight gaps in process, technology, and procedures.



Next Steps


With any industry challenge, the first step is acknowledgement of the growing threat and building a group of professionals to help coordinate activities and push out positive change. In my role with the NCSC, I will be pioneering this initiative across a number of governing bodies.


The next step would be the publication of a venue cyber security framework and standards to guide venues and owners on how to tackle this new challenge. Venues currently do not have best practice standards to follow, which often leads to disjointed and messy implementations.


Following the creation of a framework and best practice standards, there needs to be a centralised location where these are shared, distributed, and updated for every venue to visit. The recommended place would be the NCSC, leveraging their expertise and support network.


With the heavy lifting of the first few steps done, cyber security needs to be integrated with other industry frameworks such as Health & Safety, Physical Security, and Terrorism. The latest legislation, 'Martyn’s Law', is a huge step up for venues, and embedding cyber security practices within it will help highlight to each venue the importance of taking it seriously.


Upon the publication of a framework and standards, it is equally important to assess whether venues are following this guidance and whether it is uplifting their cyber security. I would suggest adding cyber security criteria to the venue audits currently being conducted for physical security, which will capture their maturity. The additional benefit of these audits would be capturing factual data on the growing concern and establishing a baseline.


Lastly, there needs to be continued support for venues, as expertise is expensive and it is often difficult for a venue to justify hiring a cyber professional. This is where governing bodies can help: if they centralise cyber expertise, it can be pooled out to venues and act as a touch point for any questions.


As part of my role at World Rugby and the NCSC, I helped produce a venue cyber assessment. I will be releasing a few videos on how I've reviewed venues and my recommendations for improving their cyber security. If you are interested in this document, please feel free to reach out.


