Preventing an Olympic-sized Disaster

Some estimates put security costs of the London 2012 Olympic Games at US$6.5bn

The London 2012 Olympics will be one of the best-protected yet, from a physical security point of view. The UK government has allocated £533m ($835m) for security staff and equipment, and the military has been drafted in to bolster protection. In January, the authorities held a high-profile security exercise in London, including the Royal Marines boarding boats on the Thames.

Fighter jets will be stationed around London, and the Royal Navy’s largest ship, HMS Ocean, will be part of a 13,500-person military deployment. While the cost and scale of the operation are smaller than those of the Beijing Olympics – where some estimates put security costs at US$6.5bn – it is certainly a show of force.

The cybersecurity arrangements for the London 2012 Olympics, however, remain less high profile. There are concerns, among information security experts, that the Games remain vulnerable to sustained attacks from hacktivists, criminal groups, cyber-terrorists or even those who are setting out just to cause mischief.

There are growing concerns, too, that acts intended to disrupt the games could have far-reaching impacts on the wider UK business community, as well as the public. In some ways, information security could be the ‘soft underbelly’ of the Games. Some security companies have already seen an upswing in fraudulent, Olympic-related websites, especially those offering cut-price tickets. But, while fraudsters may have already started exploiting public interest around the event, those with more serious intentions may still be marking time.

Upping Their Game

The London Games face some risks that no Olympics have had to face before. The terrorist threat has, unfortunately, been with the Games since the Munich disaster, and London is certainly a target for some high-profile groups. That threat has now extended, both because cyber attacks could be used for terrorist ends and because the attacks themselves are more powerful, more varied, and more sophisticated.

“While I don’t believe London is at any greater risk than previous Olympic locations, the risk is higher for more sophisticated cyber attacks”, says David Johnson, senior analyst at Forrester Research. “As we’ve seen with Stuxnet and other elaborate schemes, the sophistication of both criminals and nation-states is an order of magnitude beyond even 2008.”

Not only has the technology of a cyber attack changed, so have the motivations. Although some groups will be driven purely by the potential for financial gain, others have more deep-seated reasons to cause disruption. The idea of hacktivism was, at most, embryonic during the Beijing games. Today, though, it is a real concern for all security experts.

“The Olympics are actually a very attractive attack target for political-driven groups or for hacktivism purposes”, cautions Chenxi Wang, also an analyst with Forrester. “There aren’t many events that have such a large-scale international impact as the Olympics.” Any such event, of course, is a draw for the internet underworld.

Ready, Get Set, Go!

Already, organizations that monitor information security threats have noticed a steady increase in Games-related malware. With tickets for London 2012 in scarce supply, fake ticket sites – and malware or social engineering attacks using Olympic ticket offers to hook in consumers – are a problem.

“The authorities do seem to be doing a lot of preparation, but most of the information coming out appears to be focusing around keeping London running during the Games – around transportation for example”, says Steve Bailey, head of operational risk at PA Consulting Group. “They need to move away from that a little bit, towards things like the dangers of social engineering, for example.”

As Infosecurity has reported before, the London Games organizers were relatively late to set up official ticketing sites, and to publicize official (and safe) internet addresses for the event. This may have given fraudsters and malware writers a head start.

“Ticketing scams have been around for several months”, points out Carl Leonard, head of Websense Security Labs. “As soon as ticketing started, malware authors jumped on that bandwagon to capitalize on it. We’ve seen scam sites offering discounts for specific events for several months. And as we get closer to the event we’re likely to see some scandals.”

Members of the public are vulnerable on two fronts: scam ticket sites that take payments from consumers and never send tickets, and sites that use the attraction of ticket offers to inject malware onto users’ computers or, potentially, their smartphones. Malware writers are likely to target video sharing, as well as social media sites, especially during the Games themselves.

“When the Games begin there will be highlights on social networks and video upload sites, and there will be scams linking to malicious code”, Leonard cautions.

Businesses should act now to educate employees about the risks, he says. In particular, staff should be reminded about the added risks of using insecure networks, such as WiFi hotspots, and that malware may also attack – or spread – via their company smartphones. This could be especially dangerous as the UK Government is encouraging companies to make more use of home working and remote working, to reduce Games-related congestion.

To combat these additional risks, CISOs and CIOs should act now, if they have not already done so. This means checking that remote and home working systems are up to date, have enough capacity and, critically, that their security measures are current. This includes ensuring that employees’ computers – especially laptops – have the latest patches and, if they are to be used with sensitive data, support encryption.

“The time to find out your home working system doesn’t work is not the first day of the Olympics. Make sure disaster recovery sites are prepared, and ready to go”, warns Stephen Bonner, a partner in the security practice at KPMG.

A Marathon, Not a Sprint

IT helpdesks should also be drilled to handle additional support calls – and to be aware of the risk of hackers posing as employees, in order to take advantage of a busy IT department to obtain passwords or other back doors into systems. CIOs may also want to consider putting critical IT systems into lockdown, to ensure that they work reliably during the event. IT support staff, for example, may find it hard to travel to data centers for maintenance tasks during the games.

“A lot of large enterprises are going into a ‘no change’ window, as they run up to the Olympics”, says Greg Day, CTO for EMEA at Symantec. “You don’t want to be making modifications at the same time as preparing for [a large event] happening. For enterprises, if they don’t have the right resources up and running now, they will run into that blackout window.”

If businesses only have a limited amount of time to prepare, however, then those tasked with defending the Games are already fighting on more than one front.

Organizers will have to contend with distributed denial of service (DDoS) and advanced persistent threat (APT) attacks, as well as the growing use of social media and social engineering to inject malware into computer networks.

“The world has moved on since Beijing, in terms of the cyber threat”, says Jay Huff, EMEA director of HP enterprise security. “Beijing was a more controlled environment. It was much harder for cybercriminals to operate there. But hacktivism is now one of the top scenarios to defend against.”

There are concerns, too, that attacks around the Games will focus less on information theft or on IT systems, and will instead target control systems and critical national infrastructure (CNI). If successful, such attacks could cause widespread disruption.

Total Knock-Out

The utilities, systems such as those running ticketing for the Games themselves, and even the UK’s core internet infrastructure, could all be targets. But an attack on the public transportation system in and around London could cause some of the most immediate damage and disruption.

“There is no better DDoS attack than [stranding] millions of visitors on the Jubilee line at peak time”, warns Stephen Bonner at KPMG. “It is how you prepare for that in practice that matters.”

His concerns are echoed by Steve Bailey at PA Consulting Group. “There would be a massive impact if there were a cyber attack that affected the Tube, bringing down the Oyster network for example, or affecting signaling”, he says. “The effects would be disastrous, especially around transport hubs like mainline railway stations.

“The networks would also be a good place to attack; it would affect businesses but also people’s enjoyment of the Games”, Bailey adds. It is here that the interests and security concerns of the London 2012 organizers and businesses in the UK converge. The UK Cabinet Office has already warned businesses of possible disruption to internet connections as a result of Games-related congestion. This could be much, much worse if that infrastructure is also targeted by cyber-crime groups.

Similar concerns also apply to the mobile voice and data networks, which are likely to be more heavily loaded both by visitors and London-based employees working from home, but which also form a significant part of many organizations’ backup plans for communications.

“Mobile communications and public networks would be the most obvious targets”, says Forrester’s David Johnson. “An attack that saturates network links and slows communication to a crawl is one way that such an attack could disrupt internet infrastructure.”

That is why, practically speaking, the business and IT security community needs to follow the lead of the Games organizers: plan, test, and test again.
