NFL Teams Block & Tackle Cyberattacks in a Digital World

This past weekend, the National Football League kicked off its 2024 season, and while the sport itself has remained the same, mainly — hello, new kicking rules — the technological operations around games and players is constantly evolving, and face increasing cyber threats.

While all companies have a mix of digital and physical assets, sports teams have a unique cocktail of critical assets, especially as data has become increasingly the lifeblood of sports franchises in the NFL. Pervasive Wi-Fi in every stadium and cellular systems that allow, say, concessions to more easily handle demand means there's data to be collected on every aspect of venue operations. Technology also allows connections with fans that extend online, at home, and at stadiums through loyalty programs, biometric checks at venues, and experiences customized by QR codes on every stadium seat.

In addition to information on their fans, NFL teams have real-time data on players, brands that need protecting, and critical infrastructure relied on by arena operations and video broadcasters.

In all, it's a challenging logistical puzzle that requires continuous risk assessment, threat intelligence, and an agile IT team, says Brandon Covert, vice president of IT for the Cleveland Browns (and the area's professional soccer team, the Columbus Crew).

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"I started here 20 years ago, and there wasn't a whole lot of tech in our stadiums — they were all-cash, concrete buildings without a lot of technology," he says. "And now you see there's pervasive Wi-Fi ... and biometric payments and identification. All of these systems are inherently at risk, and we have to manage and mitigate that risk. The challenges [that come along with] tech just continue to grow, and get introduced to all areas of our business."

A Game of Data

The Cleveland Browns kicked off their game opener at their home stadium, the Huntington Bank Field, on Sept. 8. While the fans were focused on game day, the Browns' information-technology and security groups have been working year-round to ensure that the season remains free of technological glitches and safe from cyberattacks.

One of the thorniest issues is the need to secure increasing volumes of data, be that player data, broadcast feeds, transactional data, or customer information. Every iota of that information has value to cyberattackers, says Covert.

"Our charge being a sports organization — we have a really good bond with our fans and we get a lot of trust from our fans, probably elevated beyond what other industries see with their customers — so we want to be responsible and not be involved in any of those data breaches or loss of fan information, just from a brand and reputation standpoint for us," he says.

And indeed, stolen data on fans and players can appear on the Dark Web; plus, the rapid legalization of sports gambling has added potential monetary losses to the mix, ratcheting up the emotional rollercoaster ride for many fans, says Jake Aurand, counterintelligence lead for Binary Defense, a cyberthreat intelligence firm that counts the Cleveland Browns among its customers.

"Teams have a lot of customer information — whether it's biometric or credit card data from people purchasing game tickets — so we're constantly out there on the darknet looking to see if any of that data has been stolen and is being reposted somewhere on a forum," he says. "But what we're also doing is looking for [potential threats on the] physical side."

For instance, among the most major of concerns to operations continues to be ransomware, says Brad Garnett, director and general manager of the Talos Incident Response team at Cisco, which has a partnership with the NFL.

"Ransomware is not going anywhere," he says. "Anything that would impact the integrity of the game — whether that's football, baseball, basketball, or footy — anything that would attack the game's integrity or around infrastructure availability" is a concern for cyber defenders.

Cyberattacks on the operational systems of an arena or stadium could cause a broadcast outage or take an approach as simple as posting a bomb threat on a scoreboard, National Football League CISO Tomás Maldonado said in an interview in June.

"I think a lot of people don't fully appreciate the convergence between cyber physical and the ... ramifications of a cyber event ... they don't usually make that connection right off the bat," said Maldonaldo, who is securing his sixth season with the organization.

A Game of 1s and 0s

About half of the threats detected by the company have some cyber-physical component, but the other half are purely about data, Binary Defense's Aurand says. Using the Browns' branding to fool fans into purchasing fake merchandise or just giving up their payment card details are common scams, he says.

Teams should take an active approach to defense, he adds. There are tools for doing just that: CISA and the NFL conduct annual tabletop exercises to workshop incident response, for instance.

"You need a first line of defense put in place, ... looking for those attacks immediately, in real time and throwing them off or identifying them extremely quickly," Aurand says. "And two, you need to stop the attacker from being able to move any further in their attacks."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!