When Super Bowl LVII between the Kansas City Chiefs and Philadelphia Eagles kicks off in Phoenix on Feb. 12, most everyone's eyes will be on the gridiron. But farther afield, malicious actors and cyberattackers may be looking to score their own kind of touchdown — by shutting down systems, perpetuating ransomware, or carrying out hacktivism.
The 2022 FIFA World Cup tournament held in Doha, Qatar, over the winter raised similar operational concerns, and cybersecurity experts note that large-scale events in general offer a very broad attack surface area to threat actors of all stripes, thanks to the sheer number of systems involved in carrying it off.
"The thing that's tricky for security teams is that it’s not just one entity or single network they must look after," says James Campbell, CEO and co-founder of Cado Security. "An event like the Super Bowl involves numerous suppliers, media companies, and so on, all of which are responsible for looking out for their networks, collectively making up how the Super Bowl is run."
Campbell adds that one of the biggest disruptions to the Super Bowl would be preventing it from being televised. With millions of people worldwide watching, and given the advertising and revenue generated from the Super Bowl, if a threat group wanted to get a certain point across, restricting the ability to broadcast it live would do the trick.
"That would probably have the biggest impact, other than physically ensuring the Super Bowl doesn't [actually take place] — a harder task," he says.
Critical Steps for Securing the Super Bowl
Bud Broomhead, CEO at Viakoo, points out that the large number of third parties involved in the event from a technical perspective means that ensuring that multiple networks are segmented from each other is a crucial first step in protecting the event — so that if one system is breached (Rihanna's microphones), the threat actors can't reach another system (video surveillance, for instance).
He adds the large number of Internet of Things (IoT) devices and ad hoc networks that third parties will bring to the party — by stakeholders as varied as caterers and sound engineers — means multiple points of failure. Thus, layers of testing for worst-case scenarios will be important leading up to the event.
"There will need to be overall testing of those systems ahead of the event to ensure sufficient redundancy exists," Broomhead says. "Security for a big event like the Super Bowl must also have a focus on resiliency — if bad things happen, is there an already established plan to minimize the impact?"
Darren Guccione, CEO and co-founder at Keeper Security, notes that on the IoT front, many physical control systems are "smart" — i.e., Internet-facing; as such, they should be of particular concern.
He poses a hypothetical: The broadcast network equipment and servers sitting in the data room in the Super Bowl may be hardened with up-to-date patches, firewalls, and other defenses, but what about the building management system? This might be a separately controlled network — and not as well secured.
"Suppose threat actors attack IoT and turn off the air conditioning in the building management system," he says. "In that case, all those computers are useless because you must immediately turn off all your servers, or else they melt within 20 minutes."
The scenario of an attack via the HVAC system is familiar from the infamous Target breach of 2014 — all it takes is one employee falling for a phish.
"Leading up to the big game, IT professionals should be on the lookout for phishing attacks, malware and viruses, and social engineering attacks as threat actors attempt to gain access to the computer systems used to manage the event," Guccione advises.
Despite the what-ifs, the good news is that cybersecurity is firmly on the radar screen for this upcoming weekend: In addition to preparations on the part of the event organizers and all of the third-party stakeholders involved, a variety of government organizations also have thorough cyber-defense plans in place for the event, including the Arizona Cyber Command and the Federal Aviation Administration.