As chief information officer for the Olympic Games, Gerry Pennell started his new job with the expectation that he would be subject to cyber attacks. There had been a history of failed attacks on previous Olympics and on other big sporting events.
“We had attacks at some level every single day of the games and beforehand,” he says. “Most were fairly trivial, but some were significant.”
Whereas a normal organisation might be concerned about attackers stealing intellectual property or customer information, his primary concern was disruption. It could just be defacing the high-profile website to make a political point, the embarrassment of the website not being available to people checking for results or, in the worst case, disruption of the operational systems affecting the games.
Mr Pennell explains that the perpetrators might be lone hackers who just want to make a name for themselves. There are also hacktivists, loose hacking groups who use distributed denial of service (DDoS) attacks to saturate a website with so much traffic that it cannot serve ordinary users. Most are manual and involve a lot of people, but some are sophisticated with a central controller managing a network of computers to attack simultaneously.
“Hacktivists want to make a political point on the back of a high-profile event and 2012 was just sitting there,” he says. “Beyond that, but least likely, are much more sophisticated attacks aimed at disrupting the core systems. There are not many organisations on the planet that could reasonably do that and they wouldn’t be amateurs. They would be sponsored by a state, terrorist organisation or organised crime.”
The biggest attack lasted 40 minutes with website requests coming from lots of residential broadband connections
Mr Pennell’s team was able to design security into the system architecture from the outset. Their security policies and strategy were integrated with the overall security and resilience strategy led by Sir Ian Johnston, director of security at the London Organising Committee for the Olympic and Paralympic Games (LOCOG). The team also worked with Atos which integrated the core systems, BT which hosted the website and provided intrusion detection systems, and Omega which managed the timing, scoring and results systems.
The multilayer defence-in-depth strategy involved the website being managed from a different data centre to the internal systems. The key operational systems for running and reporting events were in a separate computing environment from the rest of the organisation’s systems, with additional controls.
LOCOG also used a content distribution network, with the website being copied and served from hundreds of end-points around the world, making DDoS attacks that much harder.
The organisation employed third-party penetration testers to try to hack into the website and other public-facing systems. LOCOG operated a 190-seat technical operations centre, which was manned 24 hours a day by staff from LOCOG, Atos, BT, Omega, Acer, Ofcom and other technology partners. It included two dedicated security staff, supported by the others.
“As important as technology is how you deal organisationally with incidents when they happen,” says Mr Pennell. “It may not be what you expected when you designed it, so you need to think hard about how you respond.”
In March and May 2012 LOCOG carried out technical rehearsals of all its operational plans. It ran a large number of problem scenarios, including security and cyber attacks. Mr Pennell says that, although it was partly to test the technology, it was more to practise management and team responses to problems.
With the start of the games looming, Mr Pennell was acutely aware of the increasing scale and sophistication of the cyber attacks between 2011 and 2012. In the event, the security monitoring systems logged 165 million relevant events. Most were of no concern, such as password changes and new devices being connected. Just 783 required any investigation and most were innocent.
Mr Pennell’s team only had to react to six significant cyber-security events. The first was an automated attack lasting ten minutes. “It looked like a group of semi-professional hackers in Europe probing to find out if there was an easy way in,” he says. “They were probably driven by a desire to get some kudos from identifying vulnerability. None was found and we heard no more from them.”
The biggest attack lasted 40 minutes with website requests coming from lots of residential broadband connections. This was probably an automated attack from somebody using malware to control lots of home computers. It had no effect because it didn’t get past the perimeter of the content distribution network.
On another day, LOCOG’s systems detected a lot of public Twitter postings, to #opletthegamesbegin and #theddosolympics, encouraging the execution of DDoS attacks on its and other games-related websites. When the attacks came they had no impact.
There were also a couple of attacks on the separate internet services used by the accredited media and press agencies. The attacks were thought to be caused by malware in a press agency computer.
“Your monitoring systems have to work out what is genuinely suspicious, from the broad mass of information that you are processing,” Mr Pennell says. “You also need good intelligence feedback.”
He warns that information security is not just about technology. It is about having the right security policy, developing a security culture and building effective security operations.
“You cannot just think about the next security tool, you must think about the whole way you organise yourself,” he says. “Despite all the activity, there was no actual disruption or impact, so our mission was accomplished.”
The day after the Olympic closing ceremony, the International Olympic Committee presented Mr Pennell and other LOCOG directors with the silver Olympic Order for his role in delivering the London 2012 Games.