# Opener

Nice stadium – would be a shame if something were to happen to it…

Published by Peter Hawley

With the start of the FIFA Women’s World Cup football (soccer, for my American friends) tournament just prior to last weekend, thoughts generally will be on the skills on display as national pride does sporting combat on the pitch – and hopefully less on the decisions of the VAR system or the strange prevalence of penalties in most of the matches thus far. Televised to a global audience, big sporting events like these offer an incredible opportunity to not only celebrate one’s own team, but also learn more about others’ cultures and approach to life – even if it’s as simple as recognising the flag of Haiti when called upon at a pub quiz, or the querying of an inquisitive child who believes all adults know all things.

 In the grand arenas that host our most cherished sporting events, the symphony of technology orchestrating behind the scenes is nothing short of remarkable. Modern sports stadiums, like titanic vessels of entertainment, boast an array of sophisticated building management systems (BMS) that ensure seamless operations, optimised comfort, and security befitting their illustrious guests. However, amid this technological marvel lurks an insidious threat: the ever-looming spectre of cyber-attacks that can create risk management concerns both from a digital and physical perspective.

As the stage is set for an ever-evolving panorama of sports entertainment, the mandate is clear: fortify the bastions of technology, weaving a resilient tapestry that rebuffs the advances of cyber-attacks, and preserve the magic that binds the world in awe of its sporting arenas.

The New Age of Sports Stadiums: A Cyber Security Challenge

From the depths of the stadium’s core to the heights of its towering stands, a complex interplay of cutting-edge systems conducts the symphony of stadium management. The HVAC (Heating, Ventilation, and Air Conditioning) system, a maestro of climate control, weaves a masterpiece of comfort for players and spectators alike. Meanwhile, access control systems stand as vigilant sentinels, regulating entry and exit with precision, akin to the most exclusive of clubs.

Yet, beneath this facade of efficiency lies a potential vulnerability that casts a dark shadow. The interconnectedness of these systems, integrated with networks and digital communication, exposes them to cyber-attacks that could send the harmonious structure crashing into disarray.

At the heart of the matter lies the HVAC system. The lifeblood coursing through the stadium’s veins, it is particularly susceptible to malicious intruders. Threat actors could infiltrate these systems, leaving a trail of disrupted temperature control or worse, leading to potential health hazards and jeopardizing the spectacle’s allure.

The access control systems, critical sentinels protecting the stadium’s inner sanctum, are not immune to cyber assailants either. A well-crafted attack could grant unauthorized access to restricted areas, infiltrating player sanctums or technical zones, leaving the stadium exposed to security breaches that threaten the privacy and safety of all involved.

The video surveillance systems, entrusted with the sacred task of overseeing every inch of the stadium, could become a Trojan horse for malevolent hackers. Unlawful access could enable them to manipulate live feeds, obscuring the view of security staff and creating a veil of darkness over the stadium.

Public Announcement (PA) systems, heralds of crucial information and guidance, become potential tools for chaos if left vulnerable to cyber assaults. An uninvited puppeteer tampering with these systems could sow seeds of panic, creating an unsettling atmosphere within the stadium’s grandeur.

To compound these concerns, data analytics and reporting systems, repositories of sensitive information about attendees and operations, are not impervious to hacking. Their compromise could lead to privacy breaches, financial losses, and even reputational damage, casting a pall over the once-idyllic world of sports entertainment.

Mobile applications and digital interfaces, heralding convenience for fans, are equally exposed. Attackers could manipulate these portals, causing confusion, overcrowding, and potential disruptions during events, tainting the stadium’s image as a bastion of seamless user experience.

The symphony of stadium management, while awe-inspiring, remains vulnerable to the siren call of cyber adversaries. Ensuring the safety and sanctity of these technological wonders calls for unwavering vigilance. Cybersecurity must stand as an impregnable fortress, safeguarding these modern marvels.

Cyber-Strike on a Stadium’s Heartbeat

Amidst the splendour of a modern arena or stadium, an ominous shadow looms over the sacred realm of comfort and spectacle. Threat actors start by orchestrating efforts targeting the stadium’s HVAC system, an unseen yet indispensable conductor of climate control. What begins as an inconspicuous intrusion soon escalates into a chilling crescendo of physical damage, threatening both the oft-hallowed structure and the spectators within.

With deft keystrokes, the hackers infiltrate the heart of the HVAC system, gaining control over its critical performance. Seemingly innocuous at first, subtle temperature fluctuations sow seeds of discomfort among the huddled masses, unsuspecting of the nefarious actions at play.

As the event reaches fever pitch, the hackers seize the opportune moment to unleash their maleficent intentions. Like icy tendrils, they tamper with the system, accelerating the chilling embrace of the venue’s atmosphere. The once-bustling arena now succumbs to an eerie coldness, sending shivers down the spines of performers and spectators alike.

Meanwhile, behind the scenes, the intricate web of HVAC infrastructure buckles under the malevolent forces. Vital components strain under the pressure of manipulation, rendering the system vulnerable to catastrophe. As the web of deception thickens, signs of impending disaster are lost in the stadium’s allure.

As the evening unfolds, a creeping chill engulfs the stadium, gnawing at the very essence of the hallowed ground. The unsuspecting crowds, clad in eager anticipation, become unwitting participants in this digital malaise – distracted by the thrilling spectacle before them.

With the stage set, the attack continues. In the dark recesses of the stadium, pockets of frozen air threaten to wreak havoc on delicate infrastructure. The once-reliable HVAC system now betrays its purpose, leading to overheating and causing potential harm to sensitive electrical equipment.

The impact of the attack becomes apparent, panic (and everything that comes with panic and large groups of people) ensues, marring the enjoyment of the once-unified congregation of fans, whose only desire was to bask in the glory of sport. In the face of this unexpected threat, the harmony of the stadium becomes a cacophony of confusion – and in the instance of a globally televised event this is projected into the homes of millions around the world.

As the sun sets on the marred spectacle, the malevolent dance concludes, leaving behind a stark warning of vulnerability. The modern sports stadium, an emblem of progress and entertainment, stands witness to the chilling consequences of unchecked cyber warfare. In this age of technological marvels, it is a stark reminder that even the unseen conduits of comfort can become unwitting victims.

Enemy at the Gates

Where digital prowess meets concrete fortresses, a relentless onslaught continues. Targeting the access control systems that guard the events, hackers can aim to breach the gates of the access control systems, slipping through the chinks in the digital armour. They can roam unseen, shrouding their intentions beneath a veil of invisibility.

By manipulating the access control mechanisms, impenetrable barriers are transformed into porous sieves. The once-secure gates swing open like welcoming arms, ushering in the uninvited. Chaos descends upon the stadium like a tempest.

Behind the scenes, vital areas fall victim to the sinister manoeuvrings. Sensitive control rooms and sanctuaries meant for players become prey to the cyber intrusion, leading to potential damage and disruptions including physical damage to property or harm to individuals. Cyber threat is now very much not only in your computer.

As the stadium’s heartbeat quickens, the threat actors wield their power, triggering a chilling symphony of destruction. Panic ensues as the once-unified crowds succumb to confusion and uncertainty. The very spirit of camaraderie that once united fans crumbles beneath the weight of a digital siege.

In this realm of code and concrete, the once-impregnable fortress becomes a battleground of vulnerability. Unchecked cyber forces exploit opportunities, leaving behind a stark reminder of the price paid when digital gates falter.

The Enigma Unleashed

HVAC systems are known gateways to further cyber-attacks, and the opening of access gates is a sadly all-too-well known problem in the realm of stadium safety and risk management. However in the interconnected world, threat actors are also setting their sights on the very eyes that watch over the stadia and their occupants —the video surveillance system. Stealthy intrusion and clandestine monitoring can convert into physical damage, with countless reasons and scenarios from commercial sabotage to geopolitics potentially being in play.

A multistage attack commences with the manipulation of the watchful eyes of the surveillance system, plunging critical zones into an ominous darkness. The once-omniscient cameras now remain blind to the unfolding drama. Now anonymous to security measures, unauthorised figures roam the arena with audacious impunity.

Behind the scenes, control rooms once teeming with watchful guardians fall victim to the malevolent assault. The very essence of security crumbles beneath the weight of this cyber assault, leaving the stadium’s integrity compromised and its occupants exposed. In this battle between code and grandeur, the once-pervasive eyes become mere witnesses to their own undoing.

The Voice of Deception

With sight gone, the next sense to be attacked is sound — via the Public Announcement (PA) system. As the curtain rises on this cyber assault, the harmony of trust and information is cast into disarray.

With clandestine finesse, cyber assailants infiltrate the very conduits of communication.

Seizing their moment they commence the manipulation the PA system’s voice. The trusted voice, once a beacon of guidance and reassurance, now becomes a puppet in the hands of deceit. From seemingly benign announcements to ominous proclamations, the PA system morphs into an instrument of confusion, a discordant note in the harmonious melody of the stadium’s ambiance.

Behind the scenes, the once-pristine control rooms fall prey to the malevolent manoeuvring. The pillars of information and communication tremble under the weight of deceit, compromising the very essence of trust that binds the stadium’s spirit.

In this realm where virtual meets tangible, the once-revered PA system metamorphoses into a harbinger of uncertainty — a stark reminder that even the most revered voices can succumb to the siren call of malevolence.

The Subterranean Siege

In the heart of modern sports stadiums lies an invisible battlefield, where a sinister cyber onslaught targets the very core of comfort—the undersoil heating system. As the digital invaders breach the stadium’s subterranean sanctum, the harmony of warmth unravels, leading to haunting consequences that reverberate through the stadium’s foundation.

The undersoil heating system, once a guardian of lush greenery and ideal playing conditions, becomes a treacherous foe, rendering patches of the turf unplayable and perilous. The once-unseen infrastructure falls prey to the malevolent manoeuvres. Critical components strain under the cyber assault, leading to potential damage and disruptions that mar the stadium’s operational reality.

Depending on the timing of the incident, natural weather elements could see the impact increase. When Mother Nature’s fury collides with an undersoil heating system’s failure, the consequences are nothing short of an upheaval. Adverse weather turns the once-pristine playing surface into a treacherous terrain, forcing athletes to bow to its whims. Sporting events hang in the balance, with cancellations, postponements, and venue changes casting an unforeseen shadow over the sacred fixtures.

Of course, in the arena of sports, victory is not merely measured in points but in money, also. The crippling impact of undersoil heating failures extends to the financial realm, spelling losses for stadium operators, event organizers, and the teams themselves. Lost ticket sales, empty concession stands, and the relinquishing of coveted broadcasting rights all contribute to a chilling fiscal reality.

In the sphere of sports, reputations are as coveted as championship titles. A stadium’s image of invincibility is tarnished when the undersoil heating system falters. The hallowed ground, once the bastion of excellence, now wears the mark of unreliability. For the organizers, this means damaged credibility and future uncertainties.

Like a grand orchestration gone awry, the failure of undersoil heating systems triggers a dissonant note in the calendar of sporting events. Revisions, rescheduling, and the painstaking process of accommodating all parties concerned create a logistical labyrinth that leaves athletes and fans alike adrift.

And yes, the fans. The essence of sports lies in the adoration of fans who breathe life into stadiums. However, a faltering undersoil heating system sends shivers down the spines of loyal supporters. Their unwavering passion meets an uncertain fate, affecting attendance figures, fan engagement, and the vibrancy of sporting cultures. For the local economy, as fans refrain from descending upon the city’s vibrant locales, local businesses feel the frosty embrace of economic impact.

In the wake of a malicious cyber-attack that left the hydronic undersoil heating system in ruins, the repair teams gather to resurrect the heart of warmth. The process commences with meticulous disassembly, as the remnants of the damaged heating system are carefully removed from beneath the hallowed turf. Like a surgical operation, each element is delicately extracted, preserving the integrity of the stadium’s foundation.

The design complete, construction commences. The stadium’s hidden underbelly comes alive with the intricate web of hydronic infrastructure, meticulously interconnected with the precision of a Swiss watch. The latest in sustainability and energy efficiency choreograph this new symphony of warmth.

In this grand spectacle, time is of the essence, and a sense of urgency propels each step. Meticulous coordination ensures a seamless installation, transforming the stadium’s once-frigid heart into an oasis of cosiness once more.

As the grand revival reaches its conclusion, the stadium stands renewed — a testament to the unwavering spirit of ingenuity. Experience drives innovation in extending security controls, though the memory of the reality of physical damage from cyber-attacks remains – leading to increased scrutiny around defences and consideration of available risk transfer mechanisms.

Cyber Physical Damage, Insurance, and Risk Transfer

The direct and indirect impacts of cyber-attacks on stadiums and entertainment venues are clear, though rarely are they addressed in risk assessment processes and risk transfer conversations. The alignment of CISOs, risk managers, insurance brokers, and insurance underwriters, is a key strand in the protection of the financial wellbeing of businesses involved in putting on thrilling spectacles, and insurance products are available in the market that can assist with offsetting the risk from an organisation’s balance sheet.

Axio’s engagement in the Lloyd’s’s Lab insurtech incubator was focused on delivering streamlined and frictionless pathways to enable the growth of this product line. By utilising an applicant’s existing Cyber insurance and Property insurance submissions, we illustrate the likely scenarios specific to your industry whilst quantifying the impact by assessing existing and possible controls in place. The result is clear visibility for all involved, allowing for the provision of insurance covers and limits that fit the needs of the insured.

Axio is a recognized by Forrester as a “Leader,” the highest category possible, in its report, The Forrester WaveTM: Cyber Risk Quantification, Q3 2023. According to the report, “Axio applies the power of CRQ to cyber program assessment and insurance decisions. Upcoming innovations include updated AI and machine learning algorithms for its cyber insurance stress-testing solution, a new planning module to develop program budgets and roadmaps based on controls, and a focus on expanding its integration marketplace to ingest real-time data in risk scenario analysis. Axio’s roadmap is well aligned with current customer needs.” The report continues, “Reference customers highlighted the cyber insurance stress-testing feature and ability to conduct NIST CSF control assessments as value-adds.