The 2006 Winter Olympics kicks off in Turin, Italy later
this week - the culmination of two years' careful preparation. We
look at the IT behind the games.
Atos Origin, the lead technology company behind the IT that runs
the Olympics, has been preparing for the games in Turin, Italy
since Athens 2004.
Its role is to integrate, manage and secure the vast IT system
that relays results, events and athlete information to spectators
and media around the world.
The project has involved systems integration, operations
management, information security and software applications
development, coordinating a team of 1,200 IT staff, 4,700
computers, 450 servers and 700 printers.
There are two main IT systems: the Information Diffusion System
(Info2006) and the Commentator Information System (CIS).
Info2006 is an intranet available to accredited media,
registered Olympic athletes and International Olympic Committee
officials. At the last games in Athens, the system comprised more
than 50,000 pages of information in English, French and Greek,
11,000 biographies and historical results dating back to 1896. A
total of 16 million pages were viewed during the Athens games.
CIS is a browser-based application for distributing results to
broadcasters, and displays results on touch-screen PCs at the venue
broadcast sites.
With all eyes turning to Turin, the ability of these IT systems
to operate without failure has been the main criterion in their
design. Security and business continuity are paramount.
"We need to ensure there is no security issue that could impact
the games," Yan Noblot, information security manager for the
project, said. The risk is that someone could try to hack into the
feeds and change the results, such as the name of the winner.
When assessing events that could impact the games, Noblot has
taken a risk-based approach to security. The result has been the
development of 50 worst-case scenarios.
"This allows us to tie business objectives in with the IT
impact," said Noblot.
One worst-case scenario developed was the impact of shutting
down one venue server for two hours due to a virus.
Since Info2006 provides real-time information, Noblot needed to
ensure Atos Origin could detect viruses immediately. Security is
monitored across the Turin network in real-time using an intrusion
detection system, and the network is segmented to mitigate the risk
of a virus spreading. All information collected through the
security monitoring system is aggregated and correlated with the
schedule of the games.
Noblot said, "If a venue is not running a competition, we can
segregate the network." An alarm is then raised with a low
priority, since the attack cannot harm a live competition. This
helps Atos Origin reduce the amount of false positives - alerts
thrown out by the monitoring system that are not a genuine security
risk.
"We get a lot of false positives and we need to reduce the
number," said Noblot. Otherwise, monitoring security would be
unmanageable.
During the 16 days of the Athenssummer Olympics in 2004, more
than five million IT security alerts were recorded, of which just
425 were serious and 20 critical. Clearly, simplifying the amount
of security data to check is crucial.
"To reduce false positives, we need to understand our system,"
said Noblot. This involves analysing the data logs produced by the
intrusion detection system when it is first installed, to determine
what is considered normal network behaviour. This information can
then be precluded from the scanning logs to reduce the amount of
false positives.
Noblot anticipates that for Turin 2006 there will be 4.7 million
security alerts produced by the intrusion detection system, which
he is confident can be reduced to about 430 high-level "incidents".
Of those, 22 will be deemed critical.
Security issues occurring at a competition venue are handled by
a local IT manager and helpdesk staff at the site. This means that
the security team for Turin comprises just 14 dedicated staff.
Additionally, Noblot's team has implemented controls for laptop
users. A security architecture based on policy, procedures and
technical controls will be used to restrict access on certain
machines.
In order to mitigate the risk, the network is not connected to
the internet. Access to applications on the Info2006 intranet is
tightly controlled, and users can only run a limited set of
applications and print documents.
For business continuity, each competition site can run
independently. There is a primary and secondary datacentre, and the
network itself has built-in redundancy.
"Our goal is to be able to failover from the primary to the
secondary datacentre within two hours," said Noblot.
Atos Origin ran a week-long technical rehearsal in December,
involving a 720-strong team. Testing involved simulating the three
busiest days of the games (15, 16, 17 February) and covered the IT
systems, communication, sports, security, venue management and
press operations to ensure all staff, technology and procedures
were in place and in order.
Atos Origin delivers Accreditation system for Turin
games
In December Atos Origin delivered the Accreditation (ACR) system
for the games. This system has been designed to manage secure
authorisation of the estimated 90,000 people movements during the
Olympic Games.
It is part of the Turin games' accreditation process, and will
be used in co-operation with the International Sports Federation,
Turin 2006 Organising Committee, and law enforcement agencies, to
register and grant security clearance for over 90,000 athletes,
coaches, National Olympic Committee officials, media, VIPs, staff
and volunteers.
The ACR identifies the accredited participants for events,
manages registration processes, assigns access privileges and other
rights to individuals, and provisions access control information.
It combines a physical ID badge and scanning system with
back-office database applications linked to the games IT network.
The accreditation badge will also serve as an entry visa for the
duration of the games