The Cybersecurity and Infrastructure Security Agency (CISA) recently collaborated with the NFL and Super Bowl LVIII stakeholders to conduct a tabletop exercise aimed at enhancing cybersecurity response capabilities for the upcoming Super Bowl. With the game scheduled to take place on February 11, 2024, at Allegiant Stadium in Las Vegas, the league is determined to bolster its defense against potential cyber threats.
The four-hour tabletop exercise brought together over 100 partners from the NFL, stadium operations, and government entities at various levels. As outlined in the official announcement on September 21, the objective of the exercise was to explore, assess, and improve cybersecurity response capabilities, plans, and procedures in preparation for the high-profile event. The exercise focused on a hypothetical scenario involving phishing attacks, ransomware incidents, data breaches, and the possibility of an insider threat, all of which had cascading effects on physical systems.
Steve Harris, the Deputy Executive Assistant Director for Infrastructure Security at CISA, emphasized the importance of this exercise in proactively identifying any gaps in existing plans and ensuring a shared understanding of roles and responsibilities among all stakeholders. By conducting this exercise, the league aims to enhance its readiness for potential challenges on game day.
The Super Bowl, much like the World Cup, enjoys global viewership and attracts immense attention from both fans and cybercriminals. A successful cyberattack disruption during this high-profile sporting event would be a significant achievement for any cybercrime group. Consequently, it becomes imperative for organizers to prioritize cybersecurity measures to safeguard against such threats.
George McGregor, Vice President at Approov, acknowledged the expanding cyber-threat surface associated with sporting events. As smart stadiums and digital infrastructure become more prevalent in supporting fan and team operations, the potential vulnerabilities increase accordingly. McGregor emphasized the need for workshops like the one conducted by the NFL and CISA, as they allow for comprehensive assessments of security and contingency plans before major sporting events.
He further highlighted the dynamic nature of the cybersecurity attack surface during these events, which rapidly evolves as numerous partners, vendors, and thousands of fans come together and engage with ticketing systems, points of sale, stadium Wi-Fi, and mobile devices. As part of the exercise, McGregor emphasized the importance of verifying the security of mobile apps that access sensitive information to ensure they are protected against impersonation or manipulation.
In an era where cyber threats continue to grow in complexity and frequency, organizations hosting large-scale events must prioritize cybersecurity. By proactively addressing potential vulnerabilities and conducting tabletop exercises, like the one recently executed by the NFL and CISA, authorities can ensure they are well-prepared to mitigate cyber risks and protect the integrity of such high-profile events. As the countdown to Super Bowl LVIII continues, the league remains dedicated to fortifying its defenses, ensuring a safe and secure environment for players, fans, and all stakeholders involved.