IT security paramount at Winter Olympics

The 2006 Winter Olympics kicks off in Turin, Italy later this week - the culmination of two years' careful preparation. We look at the IT behind the games.

Atos Origin, the lead technology company behind the IT that runs the Olympics, has been preparing for the games in Turin, Italy since Athens 2004.

Its role is to integrate, manage and secure the vast IT system that relays results, events and athlete information to spectators and media around the world.

The project has involved systems integration, operations management, information security and software applications development, coordinating a team of 1,200 IT staff, 4,700 computers, 450 servers and 700 printers.

There are two main IT systems: the Information Diffusion System (Info2006) and the Commentator Information System (CIS).

Info2006 is an intranet available to accredited media, registered Olympic athletes and International Olympic Committee officials. At the last games in Athens, the system comprised more than 50,000 pages of information in English, French and Greek, 11,000 biographies and historical results dating back to 1896. A total of 16 million pages were viewed during the Athens games.

CIS is a browser-based application for distributing results to broadcasters, and displays results on touch-screen PCs at the venue broadcast sites.

With all eyes turning to Turin, the ability of these IT systems to operate without failure has been the main criterion in their design. Security and business continuity are paramount.

"We need to ensure there is no security issue that could impact the games," Yan Noblot, information security manager for the project, said. The risk is that someone could try to hack into the feeds and change the results, such as the name of the winner.

When assessing events that could impact the games, Noblot has taken a risk-based approach to security. The result has been the development of 50 worst-case scenarios.

"This allows us to tie business objectives in with the IT impact," said Noblot.

One worst-case scenario developed was the impact of shutting down one venue server for two hours due to a virus.

Since Info2006 provides real-time information, Noblot needed to ensure Atos Origin could detect viruses immediately. Security is monitored across the Turin network in real-time using an intrusion detection system, and the network is segmented to mitigate the risk of a virus spreading. All information collected through the security monitoring system is aggregated and correlated with the schedule of the games.

Noblot said, "If a venue is not running a competition, we can segregate the network." An alarm is then raised with a low priority, since the attack cannot harm a live competition. This helps Atos Origin reduce the number of false positives - alerts thrown out by the monitoring system that are not a genuine security risk.

"We get a lot of false positives and we need to reduce the number," said Noblot. Otherwise, monitoring security would be unmanageable.

During the 16 days of the Athens Summer Olympics in 2004, more than five million IT security alerts were recorded, of which just 425 were serious and 20 critical. Clearly, reducing the amount of security data to check is crucial.

"To reduce false positives, we need to understand our system," said Noblot. This involves analysing the data logs produced by the intrusion detection system when it is first installed, to determine what is considered normal network behaviour. This information can then be excluded from the scanning logs to reduce the number of false positives.
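The schedule correlation and baseline filtering described above can be sketched as follows. This is an added example, not Atos Origin's system: the venue names, signature names, severities, times and the install-period threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

def build_baseline(burn_in, min_count=3):
    """(venue, signature) pairs seen often enough at install time to count as normal."""
    counts = Counter((a["venue"], a["sig"]) for a in burn_in)
    return {key for key, n in counts.items() if n >= min_count}

def competition_live(venue, ts, schedule):
    """True if a competition runs at the venue at ts; unknown venues count as live."""
    if venue not in schedule:
        return True  # fail safe: never downgrade a venue we cannot place
    return any(start <= ts < end for start, end in schedule[venue])

def triage(alerts, schedule, baseline):
    """Drop baseline noise, then downgrade alerts from venues with no live event."""
    out = []
    for a in alerts:
        if (a["venue"], a["sig"]) in baseline:
            continue  # known-normal behaviour, excluded from review
        live = competition_live(a["venue"], a["ts"], schedule)
        out.append({**a, "priority": a["severity"] if live else "low"})
    return out

def at(hour, minute=0):
    """Constructed timestamp on one sample competition day."""
    return datetime(2006, 2, 15, hour, minute)

# Constructed sample data (illustrative only, not real games data).
SCHEDULE = {"venue-a": [(at(10), at(13))], "venue-b": [(at(18), at(21))]}
BURN_IN = [{"venue": "venue-a", "sig": "snmp-poll"}] * 5 + [
    {"venue": "venue-a", "sig": "worm-scan"}]
ALERTS = [
    {"ts": at(11), "venue": "venue-a", "sig": "snmp-poll", "severity": "medium"},
    {"ts": at(11, 5), "venue": "venue-a", "sig": "worm-scan", "severity": "critical"},
    {"ts": at(11, 5), "venue": "venue-b", "sig": "worm-scan", "severity": "critical"},
    {"ts": at(11, 9), "venue": "venue-x", "sig": "worm-scan", "severity": "high"},
]

def run_sample():
    return triage(ALERTS, SCHEDULE, build_baseline(BURN_IN))

if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["venue"], a["sig"], a["priority"])
```

The same signature is kept critical at the venue with a live event, lowered at the idle venue, and left at its original severity for a venue missing from the schedule.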

Noblot anticipates that for Turin 2006 there will be 4.7 million security alerts produced by the intrusion detection system, which he is confident can be reduced to about 430 high-level "incidents". Of those, 22 will be deemed critical.

Security issues occurring at a competition venue are handled by a local IT manager and helpdesk staff at the site. This means that the security team for Turin comprises just 14 dedicated staff.

Additionally, Noblot's team has implemented controls for laptop users. A security architecture based on policy, procedures and technical controls will be used to restrict access on certain machines.

In order to mitigate the risk, the network is not connected to the internet. Access to applications on the Info2006 intranet is tightly controlled, and users can only run a limited set of applications and print documents.

For business continuity, each competition site can run independently. There is a primary and secondary datacentre, and the network itself has built-in redundancy.

"Our goal is to be able to failover from the primary to the secondary datacentre within two hours," said Noblot.

Atos Origin ran a week-long technical rehearsal in December, involving a 720-strong team. Testing involved simulating the three busiest days of the games (15, 16, 17 February) and covered the IT systems, communication, sports, security, venue management and press operations to ensure all staff, technology and procedures were in place and in order.

Atos Origin delivers Accreditation system for Turin games

In December Atos Origin delivered the Accreditation (ACR) system for the games. This system has been designed to manage secure authorisation of the estimated 90,000 people movements during the Olympic Games.

It is part of the Turin games' accreditation process, and will be used in co-operation with the International Sports Federation, Turin 2006 Organising Committee, and law enforcement agencies, to register and grant security clearance for over 90,000 athletes, coaches, National Olympic Committee officials, media, VIPs, staff and volunteers.

The ACR identifies the accredited participants for events, manages registration processes, assigns access privileges and other rights to individuals, and provisions access control information. It combines a physical ID badge and scanning system with back-office database applications linked to the games IT network. The accreditation badge will also serve as an entry visa for the duration of the games.

