An unlikely target
Will Cybersecurity Efforts Win First Place in Tokyo 2021? While it might seem like an unlikely one, the Olympics is a target of cyberattacks. The last Olympic Games that took place – the Pyeongchang 2018 Winter Olympics – experienced a malicious attack that targeted the Opening Ceremony. And, with the Tokyo Olympics due to start in a matter of weeks, Japan’s Chief Cabinet Secretary, Katsunobu Kato, said that cyberattacks on Japan’s critical infrastructure were expected. In fact, the organizing committee of Tokyo 2020 has already been the victim of a data breach. But, could the breach be the first step of a more destructive attack, say, ransomware?
Ransomware: a tough opponent
The Olympics relies on technology; from ticket issuing to broadcasting the events to an international audience, technology plays a fundamental role in the production of the Games. To put it in numbers, the IT infrastructure of the 2018 Winter Olympics comprised more than 10,000 PCs, more than 20,000 mobile devices, 6,300 Wi-Fi routers and 300 servers, not to mention the additional infrastructure provided by contractors. Such reliance means that, according to the 2020 Summer Olympics Threat Assessment carried out by the Cyber Threat Alliance (CTA) (updated in 2021 to account for the postponement of the Games), ransomware actors see the Olympics and Olympics-related entities as high-value targets. As such entities are responsible for facilitating the Games, a ransomware attack will likely have visible physical effects that result in chaos and disruption, or even cause the complete shutdown of one or more events.
Restrictions of COVID-19
The restrictions on a live audience due to COVID-19 mean the demand for livestream coverage of Tokyo 2020 is higher than usual. This results in an even greater reliance on technology and critical infrastructure to meet such demands. A ransomware attack on telecommunications entities can prevent the livestreaming of events, which will have a significant impact. Further, ransomware can paralyze the Olympics website and app, resulting in chaos and confusion, both within the Olympic Park and outside it. Moreover, since a ransomware attack can cripple operations, simply targeting Olympics-related entities can be enough to cause damage to the Games itself due to the spillover effects. And, with a vast number of organizations involved with the Olympics (many of which are critical infrastructure), attackers have an extensive choice of targets at their disposal.
The CTA believes that threat actors perceive Japan to have a weakened cybersecurity posture due to various domestic issues. Whether it actually does have a weakened posture or malicious actors simply believe this to be the case, Tokyo 2020 is vulnerable.
The all-important question: why?
A ransomware attack, of course, demands payment from the victim in return for a decryption key. According to Palo Alto Networks, the average ransom pay-out in 2020 was more than $300,000, and the largest pay-out was 100x that amount. Naturally, this means that many perpetrators are motivated by financial gain. Since the targets are high value, they need their systems to be up and running, as there is little tolerance for downtime. As a result, the victim is likely to pay the ransom to minimize any damage and chaos caused by operational disruptions.
Nevertheless, an attack on high-value targets requires sophisticated resources and tools, which is why state-sponsored groups are often the perpetrators. Monetary gain, however, is typically not the motive. Nation-state actors are motivated by strategic gains, and an attack on the Olympics or a related entity can serve a strategic purpose. The Olympics serves not only as a platform for athletes to display their talents but as a means for the host nation to display its own in an effort to amplify its soft power; disruptions to the Games in any capacity can harm these efforts. The fundamental role of technology in the Games means that state adversaries can cause disruption themselves, and a ransomware attack provides the means to such an end.
Finally, a motive that has seen a rise in recent years is that of retaliation. Many suggest that Russian actors, spurred by patriotism, seek to attack the Olympics as retaliation for the ban on Russian participation in the Games. Following a years-long investigation into doping allegations, the World Anti-Doping Agency (WADA), which works closely with the International Olympic Committee (IOC), implemented a temporary ban on Russian participation in major sporting events, sparking anger and outrage among many in Russia. It has been widely suggested that the motive behind the Russian attack on the 2018 Winter Olympics was retaliation.
A weak link
Despite the awareness of the importance of cybersecurity, and rigorous efforts to enhance cybersecurity, a critical aspect remains sorely neglected: hardware security. Without physical layer security, enterprises lack layer 1 visibility, meaning they are vulnerable to hardware-based attacks. Rogue Devices operate on the Physical Layer. The lack of visibility of this layer allows such devices to bypass security measures and carry out harmful attacks, including ransomware injection.
Spoofed Peripherals are manipulated on the Physical Layer of the OSI model and impersonate legitimate HIDs, so endpoint security software detects them as such. Network Implants go entirely undetected by network security solutions, including NAC, because they sit on the Physical Layer, which such solutions do not cover. Rogue Devices’ immunity to existing security measures means enterprises are completely exposed to hardware-based attacks. The only limitation on the perpetrator’s side is that physical access is required to conduct the attack. Unsurprisingly, cybercriminals have numerous ways in which they gain such access.
A cybercriminal’s ticket to the Tokyo Olympics
Hardware attackers rely heavily on social engineering techniques, of which there are many. And, with thousands of people present at the Olympics (even with the COVID restrictions), the chances that social engineering will be successful are higher. Attackers might target athletes or employees of sponsoring organizations, but they can also target committee personnel directly. Since Rogue Devices look inconspicuous to the human eye, it is easy for a device to be used negligently by an innocent victim.
Alternatively, attackers might use the supply chain to infiltrate the Olympics – a scenario supported by the CTA. A large number of third parties means multiple entry points along the supply chain for attackers to exploit. Whether a device is manipulated in transit or an already-manipulated device is inserted in the production line, the attacker intends for the device to eventually end up, and be used, within the target organization. Further, entities within the supply chain will have varying levels of security; a bad actor only needs to exploit the weakest link.
IoT & BYOD
Another vulnerability is the use of remote devices. Japan is already an experienced user of IoT and intends to use smart devices for the Tokyo Olympics. IoT, however, exposes the Games to cyberattacks, as such devices typically have fewer security features, many of which are not enabled. Further, IoT devices are used remotely, often in less secure environments; this, coupled with insufficient security features, makes it easier for an attacker to gain the all-important physical access.
Additionally, the postponement of Tokyo 2020 meant that many employees had to work remotely, often relying on BYODs to carry out tasks. Like IoT devices, BYODs typically have fewer security features than enterprise devices so as not to disrupt the user’s experience, and remote work means a less secure environment. Again, such factors put the Games in a vulnerable position. And it is possible that an endpoint has already been targeted. The perpetrators might simply be waiting for the right moment to execute the attack. After all, the opening ceremony is the perfect stage.
Going for gold with HAC-1
Gold medals might be for athletes, but enterprises, too, should aim for gold in the cybersecurity domain. Doing so means attending to all vulnerabilities to the greatest extent; a lack of hardware security is a vulnerability that organizations need to address. Sepio’s Hardware Access Control (HAC-1) solution provides entities with the Physical Layer coverage they need to obtain complete device visibility and, in doing so, also protects against hardware-based attacks. As the leader in Rogue Device Mitigation (RDM), Sepio’s solution identifies, detects and handles all peripherals; no device goes unmanaged.
HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of all devices and compares them against known fingerprints. In doing so, HAC-1 can provide organizations with ultimate device visibility and detect vulnerable devices and switches within the infrastructure. In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends best-practice policies and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware. With hardware security, enterprises are better protected. And as a result, so is the Olympics. A biological virus already caused disruptions to Tokyo 2020; we do not need a cyber virus causing any more.