Going for Gold: The Olympic Cybersecurity Program
The successful cybersecurity preparations for the 2024 Paris Olympics provide guidance that security teams can apply to future national or global events.
With the 2024 Paris Olympics now behind us, there will be many enduring memories, but one thing people won’t be talking about is the impact of any major cyberattacks. Ransomware attacks and cyberattacks on critical infrastructure seem to dominate the news, but the Paris Olympics, much like its tirelessly dedicated athletes, prepared for success.
Cybersecurity has become a behind-the-scenes competition at the Olympics in recent years. The 2018 Winter Olympics were marred by Olympic Destroyer, a destructive malware attack that disrupted numerous IT systems and underscored vulnerabilities in global events. The 2020 Tokyo Olympics saw an unprecedented 450 million security events, highlighting the growing scale and complexity of cyber threats facing major international events.
The Paris Olympics were prepared for 10 times the number of security events.
Hours before the opening ceremonies, arsonists attacked France’s high-speed train system. Days later, attackers cut the fiber optic cables of French telecom providers. However, initial reports have found that French authorities foiled more than 140 cyberattacks, and a reported ransomware attack on the Grand Palais caused no disruption.
According to ANSSI, France’s cybersecurity agency, “All the cyber events that occurred during this period were generally characterized by their low impact.”
Cybersecurity operations could take a page from the playbook of ANSSI, which published five cybersecurity measures in preparation for the Paris Games:
Improving the knowledge of the threats faced by the games;
Securing critical information systems;
Protecting sensitive data;
Increasing awareness of the games’ ecosystem; and
Getting ready to intervene in the event of an attack during the games.
Interlocking Rings: A Complex Attack Surface
The need for cybersecurity was a foregone conclusion. As Franz Regul, CISO of Paris 2024, noted, “We will be attacked.” According to ANSSI officials, “We can’t prevent all the attacks; there will not be games without attacks, but we have to limit their impacts on the Olympics.”
In the lead-up to the Games, ANSSI identified 500 sites, competition venues, and local collectives. In a demonstration of a public-private partnership, ANSSI worked with Olympic officials to contextualize and prioritize protection across three areas: operational systems that were crucial to the production of the games, such as ticketing portals and logistics solutions; backend IT systems, such as endpoints and networks; and even third-party risks, such as critical infrastructure within France.
Securing the Olympics was a lot like critical infrastructure protection, which also spans a mix of operational and IT systems in multiple facilities and locations. And, just like the Olympics, there is an increasing certainty that critical infrastructure sectors, including healthcare and utilities, will be attacked. So, what can security professionals learn from ANSSI’s success?
Protection: Run the Marathon to the Very Last Mile
Just like the five Olympic rings, the ANSSI cybersecurity strategy had five axes.
ANSSI’s approach to improving their knowledge of threats began with detailed security audits, which enabled them to prescribe specific programs for sensitive entities and to estimate security levels. In other words, cyber risk analysis enabled them to contextualize and prioritize risks based on vulnerability, criticality and business risk. This is evident in the prevention strategy published by ANSSI: “Security actions are tailored according to the needs of the various entities involved.”
ANSSI also focused on enhancing threat intelligence and information sharing to increase awareness of potential threats and vulnerabilities. To prepare for the games, officials conducted penetration tests and paid bug bounties to identify exposed systems. According to the Ponemon Institute, 60% of breaches are due to known vulnerabilities that have not been patched. This underscores the importance of prioritizing these risks and taking action to mitigate them.
Finally, in the event of an attack, ANSSI was prepared to intervene, having defined “a reinforced monitoring and alerting system for IT incidents.” Ahead of the games, officials also conducted several crisis response exercises to prepare for a coordinated response.
As ANSSI noted, “The goal for us is not to block 100% of the attacks that will happen during the Olympics. The goal is to block most of the attacks by raising the security level.”
The ANSSI approach instilled the concrete controls of a mature enterprise. Their focus was to shift security to the “left of boom” to prevent attacks while also minimizing their blast radius.
You need to be able to do two things in cybersecurity: be nimble and act quickly, but also plan effectively for the long term. The success of the ANSSI method underscores the importance of preparedness, continuous risk assessment, and the need for a proactive cybersecurity stance in the face of evolving threats.