If you wanted a hot dog or a cold beer at the San Jose Earthquakes' home opener on Feb. 29, 2020, you were out of luck. All of the mobile tablets and point-of-sale systems that support the stadium's concessions were inexplicably out of commission, leaving fans hungry and operators perplexed.
After an investigation by the Federal Bureau of investigation, it was discovered that Salvatore A. La Rosa had hacked and disabled Spectra Food Services and Hospitality's online concessions management account. La Rosa was sentenced in May to 20 months in prison and ordered to pay $268,733 in restitution, as well as a $5,000 fine for intentional damage to a protected computer.
While shuttered concessions may seem a minor inconvenience, the incident could serve as a harbinger of more ominous attacks — and a red flag for sports venue operators everywhere.
"Cybersecurity has become a growing threat for sports venue operators, especially as technological advances are becoming more prominent throughout venues and leagues," says Stephanie Jenkins, cybersecurity analyst for Sporting and Critical Infrastructure at Argonne National Laboratory, a U.S. Department of Energy multidisciplinary science and engineering research center.
Jenkins says that venue operators have for a long time largely been reactive when it comes to cyber threats. However, as venues are increasingly dependent on IT infrastructure, operators are understanding the need to be more proactive.
The incident at the Earthquakes' stadium is by no means the worst that hackers can do. Jenkins mentions one of the more widely known hacking events, which happened at the opening ceremony of the 2018 Winter Olympics. That incident knocked out internet access, shut down the Games' official website and ultimately halted ticketing, preventing spectators from entering venues in Pyeongchang, South Korea.
Aside from disruptions to concessions and ticketing, cyberattacks can compromise guest safety. At the Southeast Asian Games in 2015, a hacker sabotaged the police security's CCTV system. Police feeds from cameras inside and outside the stadium were disrupted, all stemming from an attack that originated in a parking lot outside the venue via a disgruntled employee on a laptop.
Jenkins says that sports venues and organizations are appealing targets for bad actors in that they regularly draw large numbers of people to a single location. And then there's all that potentially vulnerable technology — scoreboard systems, emergency management systems, WiFi networks, critical systems, public networks, enterprise systems, and point-of-sale systems — that makes a large sporting event possible.
That said, the human element can't be overlooked, as hundreds of staff are often required to support a sporting event.
"What also adds complexity is the number of moving personnel parts," Jenkins says. "No one event will be completely similar to a prior event. Often there are venue operators, but then there are third-party vendors, seasonal workers, contractors and emergency responders. It is one thing to have venue operators trained on sound cybersecurity protocols, but it is also vital to have all these moving personnel informed and trained, as well."
Lastly, there is the facility's core physical infrastructure, which if breached can cause serious damage to not just the building but also the people in it.
"We also have to think about the dependencies, which help run a venue," Jenkins says. "Venues often depend on water, wastewater and electric power for core operations. Disruption to these supplies would cause a lack of operational capacity for venues. A loss in electric power would have the effects felt immediately during live events. Cyber dependencies also continue to grow within venues, as many rely on operational technology for such systems as HVAC or water control systems. As many of these operational technology systems are coming to rely on IT, operators must also become aware of the cyber vulnerabilities associated with this change."
What does a proactive approach to cybersecurity look like for a sports venue? Jenkins says that operators must first understand how their facility operates on a daily basis, which includes a thorough understanding of the venue's IT infrastructure.
"In order to understand risks specific to a venue, you must first understand your current capabilities," Jenkins says. "Operators must be able to identify all current assets and dependencies on technological infrastructure. The ability to identify cyber dependencies amongst systems and networks within a venue is the first vital step. Once identification has occurred, the process of protecting and detecting can begin. Overall, a holistic understanding of what systems and networks comprise a venue is critical before preventative measures can begin. This also includes knowing which systems are dependent upon others, to be able to identify possible vulnerabilities and disruptions."
One way to accomplish this is by embarking on an overall risk-assessment process like the one Argonne has developed for venue operators.
"A beneficial step can be to conduct a risk assessment for not only physical security, but also the cybersecurity posture of a venue," Jenkins says. "Completing a risk assessment can raise awareness or mitigate any vulnerabilities that could cause potential harm. With large events and mass gatherings, events typically can have a number of jurisdictions and entities playing an active role in safety and security."
As part of Argonne's assessment, operators are presented with various questions about their facility. These can range from questions about the facility's training and access controls to questions about the venue's critical systems and response protocols.
"While most current risk-assessment tools only consider physical risks, our tool brings together both cyber and physical threats, especially as there is a continuous expanding dimension to cyber vulnerabilities," Jenkins says. "By accommodating evolving landscapes of threats to various facility characterizations, the hope is to implement safety and security standardizations through risk assessments."
Key to this process, Jenkins notes, is that operators bring all key stakeholders to the table to begin the dialogue on not only physical vulnerabilities but also cyber vulnerabilities specific to their venues.
In the end, that smartphone in a fan's pocket may allow them to check the stats on a particular player or order some nachos delivered to their seat. However, there's a dark side to these modern conveniences in that they're dependent on a complicated, interconnected and porous digital infrastructure that can be infiltrated by bad actors. Jenkins suggests that awareness of these threats is a good first step toward warding off potential crisis.
"Vulnerabilities within systems and networks are outlets for adversaries to gain access that can lead to internal impacts," Jenkins asserts, adding of the Argonne risk-assessment tool, "By assessing current capabilities and being able to recognize current security gaps, it is meant to proactively bring attention to these vulnerabilities."
This article originally appeared in the September 2021 issue of Athletic Business with the title "Risk Assessment Key to Proactive Venue Cybersecurity" Athletic Business is a free magazine for professionals in the athletic, fitness and recreation industry. Click here to subscribe.