Olympic cyber security down to design and testing, says BT

Cyber security at the London 2012 Olympic Games was based on principles of security by design and extensive testing, says BT

The success of cyber security at the London 2012 Olympic Games is down to security by design, extensive testing, and having the right people, according to Mark Hughes, chief executive of BT Security.

“Knowing the Olympics were coming years in advance gave us a lot of time to design in security and carry out extensive testing,” Hughes told attendees of the RSA Europe 2013 conference in Amsterdam.

The testing under various attack and threat scenarios included load testing of the official website, Wi-Fi networks and simulated distributed denial of service (DDoS) attacks.

DDoS attacks are popular with hacktivist groups aiming to cause disruption and were among the top threats considered for the Olympic Games.

BT partnered with DDoS mitigation firm Arbor Networks, but all DDoS mitigation technology was installed in the BT environment and not outsourced, Hughes told Computer Weekly.

As a result of initial testing, the official website was redesigned to make it more resilient.

“Finding the right people with the right skills, knowledge and understanding of what we were trying to achieve was also extremely important,” said Hughes.

To help ensure the availability of people with cyber security skills, BT Security recruits apprentices, graduates and people with good networking skills around the globe and provides further training.

During the Games, there was at least one hacktivist attack per day. BT blocked 11,000 malicious network requests a second, and a total of 212 million malicious connections, said Hughes.

“But there were no breaks in services and no downtime,” he said.

BT's learning curve

Although London 2012 CIO Gerry Pennell told Computer Weekly the Games were targeted by cyber attacks every day, including one major incident, he would give no details.

Hughes was similarly tight-lipped, saying only that BT has used the experience gained during the Olympic Games to hone its cyber defence capabilities.

“The main thing we learned was that security is not just about technological controls. The right people and processes are just as important,” said Hughes.

Another key learning was the usefulness of proactive defence capabilities based on intelligence derived from network analytics.

“Organisations need to move from a reactive approach to security to developing an ability to react in real time, using an intelligence-led, risk-based approach,” said Hughes.

“During the Olympics, we proved that event correlation can provide an end-to-end security event management capability.” 

According to Hughes, this capability is essential as attackers increasingly evade traditional security controls, become more difficult to track and mine social media for social engineering purposes.

“It is an arms race, so while traditional threats are no less important, cyber defences need to evolve continually as attacks change,” said Hughes.

Sharing threat intelligence is vital to maintaining an equal footing with adversaries, he said, and it is important to identify key information assets to ensure these have the maximum protection.

“You can’t protect everything all the time, so you have to focus on the most critical assets and develop a dynamic defence capability,” said Hughes.


Read more on Hackers and cybercrime prevention