Cybersecurity for the Paris 2024 Summer Olympics: a group effort

From July 26 to September 8, 2024, 4 billion viewers will watch the Paris Olympic and Paralympic games, more than half the people on the planet. This global event will host 15,000 athletes from 206 countries, 20,000 journalists and 10 million spectators. 22 cities and 40 competition sites will take part, hosting 878 events in 54 different disciplines.

Of course, cybercriminals, hacktivists and state actors of all kinds will be heavily tempted to spoil the party. The Olympic Games’ IT system itself will be targeted, including ticketing, press rooms and stadium access systems, not to mention TV broadcasts as well as the power supply to physical venues. While the Tokyo Games in 2021 suffered 450 million cyberattacks, the organizing committee for the Paris 2024 Olympics expects to receive eight times as many – around 3.5 billion.

The goal will be to avoid the incidents that have marred other Olympic Games before Paris. For example, we need only recall the scare the organizers of the 2018 Winter Olympics in South Korea endured. The Olympic website was unavailable for twelve hours following a cyberattack, while the Olympic stadium’s Wi-Fi network was cut off. At the 2008 Olympic Games in China ten years earlier, a piece of malicious code called Olympic Destroyer plunged all the screens into darkness during the opening ceremony.

A system that combines an SOC, security by design, and training

« At the heart of our system is a Cybersecurity Operation Center. When the time comes, the team in this control tower will continuously monitor not only what’s happening on our IT systems, but also on the wider Internet, to try and detect, address and remedy the inevitable attacks and threats that will be made against us. SOCs are standard in cybersecurity, but much rarer in the field of sporting events and in organizations of our size« , said Franz Regul, CISO of Paris 2024, at a conference entitled « Security, Technology and the Olympic Games ».

Another major aspect of the Paris 2024 Summer Olympics cyberdefense strategy is security by design. « We assist all new projects and initiatives within the organizing committee to assess their level of risk and offer appropriate support. The earlier we intervene in the creative process, the less cybersecurity will cost and the more effective it will be, » says Franz Regul.

Training also plays a key role in the system. Awareness-raising campaigns are aimed not only at organizing committee staff, but also the operators and volunteers working with the committee. « One of our biggest challenges is that our staff doubles every year. We’ve barely finished training our staff in one problem when we already need to onboard new employees. And we estimate that up to 90% of cyberattacks today exploit a human vulnerability, » says Franz Regul.

Teamwork above all

The security of the next Olympic Games will also involve a whole ecosystem of partners. « The technical security for the Games takes a great deal of teamwork. Paris 2024, as the event organizer, can count on the expertise of several key partners, some of whom have experience in several previous Olympics. For example, our direct ecosystem with the International Olympic Committee (IOC), its subsidiary OBS for broadcasting events, and the International Paralympic Committee (IPC), Omega for timing and scoring, and our cybersecurity partners Atos and Cisco, whose shared history with the Games dates to 1992 for Atos and 2012 for Cisco, » says sources close to the Paris 2024 Olympic Organizing Committee.

To prepare for these attacks, Cisco and Paris 2024 carried out cybersecurity tests throughout the summer. The focus was on three families of risks that will remain carefully monitored throughout the Games. First, operations, so that broadcasting, ticketing and the network can function optimally. Then, Games professionals, who are chiefly organizing committee members as well as journalists, athletes and partners, whose digital activity must be secure. Finally, the Paris 2024 organization, whose revenues are digitalized and thus heavily exposed.

Close collaboration with government departments is also essential, with Anssi acting as the main contact for the Paris 2024 Organizing Committee in this field. The aim of these exchanges is to bring as many public players as possible into the Games’ organization, either directly or indirectly. Such players include transport companies, energy providers and hospitals.

The system ANSSI has put in place revolves around five main areas: improving knowledge of the threats the Games face, securing critical IT systems, protecting sensitive data, raising awareness among the Games’ ecosystem and preparing to intervene should a cyberattack affect the Olympics. « Several crisis drills will be held in 2023 so that we could all prepare to react together should there by a cyberattack during the Games. Meanwhile, ANSSI will offer ‘turnkey’ exercises to the Games ecosystem for organizations that want to train for a scenario appropriate to their level of maturity. These tools will be made available in Q4 2023, » according to the ANSSI website.