Exclusive: Paris 2024 CISO Reveals Cybersecurity Plans for the Olympics

The Paris Olympics will bring together 15,000 athletes across 40 venues, and broadcast over 350,000 hours of footage. Cybersecurity is crucial to ensuring these Games run flawlessly and securely.

Franz Regul, CISO and managing director of cybersecurity within the Paris 2024 Organizing Committee (COJOP), is at the forefront of this digital defense.

As cyber threat actors have already leveraged the event to conduct fraud, Regul leads a dedicated team tasked with safeguarding the digital heart of these historic Games.

Speaking to Infosecurity, Regul shares the four-year effort he has led alongside the International Olympic Committee (IOC) and French government agencies to ensure a safe Olympic experience for athletes and spectators alike.

He also explores the cyber apparatus the COJOP will rely on during the world’s top sporting event.

Credit: COJOP

Infosecurity Magazine: As the Paris 2024 Games are approaching, is your cybersecurity team fully ready?

Franz Regul: We are where we wanted to be when we started. For the COJOP, the Paris 2024 adventure began four years ago when its members, including me, were appointed.

Four years ago, I was the only person in charge of cybersecurity with the COJOP, out of about 100 people. Now, I lead a team of about 15 people fully dedicated to cybersecurity, out of 3,000 COJOP staff members.

Additionally, our partners, Cisco and Eviden [part of the French tech giant Atos], provide almost 100 employees to work with us on the security of the Games.

During those four years, we took the time we needed to carefully conduct a risk analysis, pick our cybersecurity partners, who are highly skilled experts in their fields, and develop a step-by-step cyber strategy around two axes: cyber governance and cyber operations.

We are aware of how unique the COJOP’s cyber mission is in that we must secure systems for a short period of time – systems that will be dismantled once the event is over.

However, we decided to give ourselves concrete targets which are similar to implementing security controls in a cyber-mature large enterprise.

IM: What were some of the most critical initiatives you spearheaded to prepare for the Games' security?

FR: First, we had to pick our official technology partners. We wanted to ensure that we did not select companies solely based on their spending but also on the products and services they would deliver.

We conducted two consultation calls and chose Cisco as the leading technology provider (hardware and software) and Eviden as the primary service provider.

While their solutions addressed some aspects, we required a more comprehensive approach to deploy robust networks and secure critical systems for the Olympics. We partnered with additional security providers to ensure redundancy for these vital services.

We first selected solutions among our funding members – 96% of the COJOP’s funding comes from the private sector – and then went through a public tender process. We do not disclose any of our other providers.

Once our systems were up, we launched a private testing program that involved over 200 people, including ethical hackers. This program included penetration testing, red teaming, bug bounty and tabletop exercises.

Then, we ran several awareness training sessions and campaigns, sometimes incentivizing our partners with prizes and gifts.

Most of the IT systems for the Paris 2024 Games were operational from the summer of 2023. Over the past few weeks, tens of thousands of volunteers joined my team to support us before and during the event.

IM: Can you walk us through the key security measures you and your team implemented to ensure a safe Olympic experience?

FR: At the core of our apparatus, we run a 24/7 cybersecurity operations center (CSOC) that involves 15 rotating people permanently on-site and twice as many people working remotely.

The site of the CSOC, our ‘security watchtower,’ is confidential.

We work in close collaboration with the French cybersecurity agency (ANSSI), which is the single point of contact between my team at the COJOP and the French government for cybersecurity-related matters during the Games.

To prioritize which assets to secure during the event, the ANSSI and the COJOP cyber team have defined four categories of organizations, from the most to the least critical:

  1. Systems that are critical for organizing the Olympics (ticketing portal, logistics platforms and solutions, athlete access systems to accommodation and sporting infrastructure…)
  2. Systems on which the COJOP and its partners rely (COJOP members’ endpoints, operational back end…)
  3. Infrastructure operators (transport, hospitals, administration…)
  4. Other organizations associated with either the Games or France (sporting providers, companies operating in France…)

COJOP is responsible for the security of the first and second categories, while ANSSI is responsible for the fourth category. The security of the third-tier organizations is a shared responsibility.

Pre-determined security measures will be implemented depending on the severity of a cyber incident and the category of the impacted organization.

We also have extensive threat intelligence capabilities and information-sharing mechanisms with all our partners.

IM: The ANSSI said it expected about 4 billion cyber-attacks during the Paris event. What are the main cyber threats you expect to see during the Games?

FR: First, we at the COJOP tend to be cautious and avoid announcing figures, because the lines between a cyber-attack, a cyber incident and even an attempted but failed malicious campaign can be blurry.

However, one thing is sure: we will be attacked. Actually, we have already been attacked, with several distributed denial-of-service (DDoS) campaigns and attempts on the Games infrastructure and French administration over the past few months.

We’re also seeing increased attempts to defraud visitors with fake websites and ticketing portals leveraging brands associated with the event.

I will not dwell on this aspect too much, but to summarize, we face four types of cyber threats:

  • Threats targeting the infrastructure and people involved in the event
  • Data breaches, especially regarding the athletes and the visitors’ data
  • Threats leveraging our brands and websites
  • Information manipulation and disinformation

IM: How did past Olympic Games influence your team's approach to securing these Games?

FR: From the beginning, my team and I have been working with the IOC, whose members shared their experiences in securing such events and put us in contact with previous COJOP teams, including those from the Tokyo 2020 Summer Olympics and the Beijing 2022 Winter Olympics.

In 2021, I was an observing member in Tokyo, which helped me see the challenges my task involves.

We assessed what these teams did well and what could be improved. At times, we also had to make different choices than previous teams, either because of our operating environment (cultural differences and characteristics of the existing systems in each country) or because we had to consider that the technology has evolved since then.

For instance, we decided to shift away from a network primarily based on data centers, the infrastructure chosen in Tokyo in 2021, to favor a cloud-based environment.

We also chose a less centralized system, with operational infrastructure and team members scattered across France.

Like me in 2021 in Tokyo, we invited two future COJOP members to join our team. These members will be involved in securing systems during the Los Angeles 2028 Summer Olympics and the Milano Cortina Winter Olympics.

IM: It was reported that the major IT outage caused by a faulty CrowdStrike Falcon update on July 18 impacted Paris 2024 IT operations, mainly affecting the delivery of uniforms and accreditations. Was it a wake-up call for your teams?

FR: The outage did impact some of our endpoints, but a very limited part. This meant we faced a delay of a few hours in delivering accreditations.

Yes, this was unfortunate because there are now hundreds of accreditations to deliver every day in the run-up to the Games, but I want to insist that the disruption only lasted a few hours.

Thanks to our partners, the experts who work with us and all the tests we have been running to ensure the best resilience possible over the past four years, we were able to fully restore our systems and operations within less than 48 hours.

However, you always learn something from such an incident, and this one allowed us to make further adjustments to ensure it doesn’t happen again.
