A tabletop cyber exercise prepares for the Super Bowl.
By Tim Nodar, CyberWire senior staff writer
Sep 25, 2023

CISA and the NFL prepare to manage the Super Bowl's complex and dynamic attack surface.

A tabletop cyber exercise prepares for the Super Bowl.

The National Football League (NFL) and the US Cybersecurity and Infrastructure Security Agency (CISA) held a tabletop exercise last week to “explore, assess, and enhance cybersecurity response capabilities, plans, and procedures ahead of Super Bowl LVIII.”

Cybersecurity for major public events has long been a CISA concern.

CISA stated, “The Super Bowl LVIII Cybersecurity Tabletop Exercise is the latest in a series of assessments and exercises designed to ensure the safety of events at Allegiant Stadium. This exercise brought together more than 100 partners from the NFL, stadium, and federal, state, and local governments to review and discuss plans and procedures for protecting against, responding to, and recovering from a significant cyberattack during the Nation’s most-watched sporting event. The four-hour exercise also provided an opportunity for participants to identify the available resources, capabilities and best practices of their governmental partners and strengthen their resilience.”

NFL Senior VP and CSO Cathy Lanier noted, “At the NFL, we understand how important it is to practice like you play, and this week's exercise is the first of many simulations we will conduct prior to Super Bowl LVIII.”

Tabletop exercises provide opportunities for both training and evaluation.

George McGregor, VP at Approov, liked what he heard about the exercise. “It is very encouraging to see this exercise was organized by the NFL and partners and CISA. Such a workshop should be a critical exercise before any major sporting event, to check that security and contingency plans are complete," McGregor wrote in emailed comments. Securing a public event presents distinctive challenges. “Such events have a highly dynamic cybersecurity attack surface which changes rapidly as multiple partners and vendors, and thousands of fans come together and interact with ticketing systems and points of sale using stadium Wi-Fi and via mobile devices. As a key part of this exercise, mobile apps which access sensitive information must be verified as being protected from impersonation or manipulation.”